Wednesday, 24 February 2021 22:52

Reflections on the recent Florida water 'hack'

By
Reflections on the recent Florida water 'hack' Image by Mohamed Hassan from Pixabay

This has been something of a beat-up.

Surely everyone has been made aware of the recent 'hacker intrusion' at the Oldsmar, Florida water treatment facility. As some background, this is a small plant that sources water from a bore field and delivers potable water to around 15,000 households (and presumably some businesses as well, based on a cursory inspection on a mapping site).

Here's the basic scenario.

Early on the morning of Friday February 5th, the plant operator was watching the system management screen and noticed the mouse move - it wasn't him. Nothing else happened. Later that morning, they again saw the mouse move, and this time, the cursor was placed in the NaOH (Sodium Hydroxide) field and the one key was pressed twice at the front of the field.

The local Sherriff, Mayor and City Manager held a press conference where they insisted that the act was caught quickly and since the 'pipeline' from adding Sodium Hydroxide to the water to it reaching homes was at least a couple of days, and there were multiple testing points along that path, the public was never in danger.

Having worked in industrial control systems for around 13 years, MUCH of this reads like a beat-up to me.

It has been widely reported that the intruder made use of a TeamViewer client running on the control computer so that plant managers could check the status from outside the building (perhaps from home, who knows). This is stupid! Do they not trust the operators? Further, most SCADA (Supervisory Control And Data Acquisition) systems permit the configuration of read-only clients that will display system status, but cannot accept modifications. If all else fails, point a webcam at the screen and have the managers connect to that!

Having read widely on this topic and been privy to some 'off-the-record' discussions amongst SCADA security experts, here's what I can glean.

It seems that the TeamViewer access details had been posted on a 'compromised credentials' web site only a few days earlier and (I haven't checked but) I expect the site to also appear in the SHODAN database.

In most SCADA-based systems, key variables would be configured with range limits that the system would not be able to exceed. This is entirely normal practice when configuring a SCADA client.

As I see it, the intruder was probably little more than a 'script kiddie' who once gaining access, put the cursor in the NaOH field and bashed the '1' key a couple of times to see if he had read/write access. If he'd pressed 'enter' the change would almost certainly not have been written to the control system.

Note that (as mentioned in the preamble) this treatment plant draws its source water from a bore field, where the chemistry barely changes over a weeks-long timeframe - they could have shut the SCADA system down and allowed the PLCs etc to run with current value for weeks on end with no ill-effect to the quality of the water distributed to residents.

Overall, I'm not hugely bothered by this incident and I rather suspect it has been beaten up into something more than it needed to be to create a salutary lesson to other operators.

Your mileage may vary, of course.

Read 3111 times

Please join our community here and become a VIP.

Subscribe to ITWIRE UPDATE Newsletter here
JOIN our iTWireTV our YouTube Community here
BACK TO LATEST NEWS here

GET READY FOR XCONF AUSTRALIA 2022

Thoughtworks presents XConf Australia, back in-person in three cities, bringing together people who care deeply about software and its impact on the world.

In its fifth year, XConf is our annual technology event created by technologists for technologists.

Participate in a robust agenda of talks as local thought leaders and Thoughtworks technologists share first-hand experiences and exchange new ways to empower teams, deliver quality software and drive innovation for responsible tech.

Explore how at Thoughtworks, we are making tech better, together.

Tickets are now available and all proceeds will be donated to Indigitek, a not-for-profit organisation that aims to create technology employment pathways for First Nations Peoples.


Click the button below to register and get your ticket for the Melbourne, Sydney or Brisbane event

GET YOUR TICKET!

PROMOTE YOUR WEBINAR ON ITWIRE

It's all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site itwire.com and prominent Newsletter promotion https://itwire.com/itwire-update.html and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV https://www.youtube.com/c/iTWireTV/videos which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinars and campaigns and assistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.

MORE INFO HERE!

BACK TO HOME PAGE
David Heath

David Heath has had a long and varied career in the IT industry having worked as a Pre-sales Network Engineer (remember Novell NetWare?), General Manager of IT&T for the TV Shopping Network, as a Technical manager in the Biometrics industry, and as a Technical Trainer and Instructional Designer in the industrial control sector. In all aspects, security has been a driving focus. Throughout his career, David has sought to inform and educate people and has done that through his writings and in more formal educational environments.

More in this category: « How 'smart' is my country
Share News tips for the iTWire Journalists? Your tip will be anonymous