Feb 10, 2021 - Technology

What a hair-raising incident says about U.S. cyber risk

Illustration of a house with cursor arrows lodged in and around it.

Illustration: Aïda Amer/Axios

The would-be mass poisoning that a small town in Florida dodged last week is a chilling reminder that cybersecurity — often conceived in the popular imagination as purely an abstract province of ones and zeroes — can be a matter of life or death.

Why it matters: The fact that attackers were (if only briefly) able to access the control system for a municipal water supply should be a wake-up call for U.S. officials regarding the digital insecurity of many key pieces of infrastructure.

Driving the news: Hackers used TeamViewer, a remote-access software program, to tamper with a water-treatment facility in Oldsmar, Florida, a town of roughly 15,000 people outside Tampa, officials said Monday.

  • They briefly gained access to system controls for the plant and tried to massively raise the levels of lye in the water supply from 100 parts per million to more than 11,000. (Lye, commonly used to treat drinking water, is nontoxic when diluted but poisonous at higher concentrations.)
  • Plant operators quickly discovered the tampering attempt, prevented the alteration of lye levels, and shut out the hackers from their systems.

What they’re saying: “At no time was there a significant adverse effect on the water being treated,” said Bob Gualtieri, Pinellas County sheriff. “Importantly, the public was never in danger.”

Yes, but: The incident still underscores the potential for enormous damage that lies dormant within many pieces of internet-connected infrastructure in the country.

  • It's a real concern, particularly as more critical infrastructure comes online and more international crime and nation-state conflict moves into the cyber realm.

In this case, while the FBI and Secret Service are investigating the breach, we don't know if the incident was an attempted terrorist attack, unsophisticated but malicious nation-state activity, or “merely” the work of a deranged individual.

  • There is a chasm between a serious operation to poison an entire town’s water supply as an act of either state-sponsored sabotage or non-state terrorism and a half-baked, foolish — if malign and potentially deadly — gambit by some group of individuals who may not have even fully conceived of the seriousness of their actions.
  • The continuum is broad, and we don’t know precisely where this event fits yet.

Of note: The “noisy” and haphazard nature of the hackers' work and the ease with which they got in — a worrying data point on its own — seem to point to something less than a well-thought-out operation conducted by a determined, top-tier nation-state adversary, say experts.

  • While incidents like Oldsmar “are concerning given adversary brazenness ... they also are incredibly unsophisticated in nature — representing a burglar opening an unlocked door more than a thief penetrating a well-resourced security system,” writes Joe Slowik, a senior threat researcher at DomainTools.
  • Slowik suggested the incident may more than anything else echo a series of seemingly simplistic breaches by hackers of water infrastructure in Israel last year, “where insecure systems were remotely accessible and entities simply took advantage of circumstances.”

The catch: Crude as the operation may have been, the hackers appeared to be trying to sicken or even kill Oldsmar residents — a rare instance of a known cyberattack targeting an industrial control system within the U.S. where the aim of the operation seemed to be lethal in intent.

Go deeper