A water treatment facility in the Tampa, Florida area was recently hacked through a popular remote-access software tool. The unidentified hacker used the software to connect to an on-site computer and then used that computer to reach the facility's control panel. Once there, the hacker programmed a 100-fold increase in the amount of sodium hydroxide (lye) to be added to the water supply. Small amounts of lye are used to control the acidity of water, but at such massively increased levels lye is corrosive, and drinking the water could be like drinking liquid drain cleaner.
There are many valuable and legitimate uses for remote-access software, which lets a user take full control of another computer as if they were sitting in front of it. The particular brand involved in this incident is popular with consumers and businesses and has more than 200 million users globally; individuals use it, for example, to reach and troubleshoot family members' computers from afar. The incident, however, raises the question of whether remote-access software of this kind is appropriate for monitoring, let alone changing, the controls at critical infrastructure facilities.
There are alternative approaches. Some critical infrastructure facilities permit remote-access software, but only for monitoring the facility's systems; any changes must be made on site, from computers that are not connected to external systems or software. Others in the critical infrastructure industry recommend requiring a secure VPN before the internal network can be reached remotely at all, so that the control systems are never exposed directly to the internet. Once connected over the VPN, the remote user would then log in separately, with multi-factor authentication mandatory, and some recommend a further secure login inside the network that controls the critical infrastructure itself. Each layer demands a separate credential, so compromising the remote-access tool alone is not enough to reach the controls.
Industry members are quick to point out that critical infrastructure systems often have multiple safeguards against extreme manipulation. For example, many water treatment facilities have physical limits on the quantity of a chemical that can be introduced into the system over a given period, such as the size of the dosing equipment. A safeguard of that kind restricts the rate and/or the total amount of chemical actually pumped into the water, even if the control system has been programmed to add more. But if a hacker can remotely access the system controls to change a dosing quantity, could they also change other settings, including the safeguards themselves? A limit built into the physical plant cannot be altered from a keyboard; a limit enforced only in the control software can be, by anyone with the same access that changed the setpoint.
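To make the last two paragraphs concrete, the layered remote-access design (VPN, then mandatory MFA, then a separate login on the control network) and the question of whether a safeguard can itself be reprogrammed, here is an added example in Python. It is not code from the facility, from the remote-access product or from any vendor; the zones, user names, the 100 ppm baseline, the 200 ppm hard maximum, the 20 ppm per-command step limit and the use of PermissionError and ValueError for refusals are all assumptions made for illustration. It enforces three rules: monitoring needs either an on-site console or the VPN with MFA; a setpoint change needs the full chain of VPN, MFA and control-network login, or an on-site console; and the dosing limits that bound every setpoint change accept changes only from an on-site console, so no remote path, however well authenticated, can raise them. It goes slightly beyond the text by adding a per-command step limit alongside the absolute maximum, since a sudden jump is itself a warning sign.

```python
"""Gatekeeper for setpoint changes on a water-treatment control host. Added example,
not the facility's or any vendor's code; every name, zone and limit is hypothetical."""
from dataclasses import dataclass, field
from enum import Enum


class Zone(Enum):
    INTERNET = "internet"  # direct remote-access tool, no VPN in the path
    VPN = "vpn"            # authenticated VPN into the business network
    CONTROL = "control"    # control network, reached from the VPN
    ONSITE = "onsite"      # console inside the plant with no external link


@dataclass(frozen=True)
class Session:
    user: str
    zone: Zone
    mfa: bool = False            # second factor presented at the VPN boundary
    control_login: bool = False  # separate credential for the control network


@dataclass
class DosingLimits:              # hypothetical engineering limits for lye dosing, ppm
    hard_max_ppm: float = 200.0  # never exceeded, whoever asks
    max_step_ppm: float = 20.0   # largest change accepted in one command


def allowed(s: Session, action: str) -> bool:
    """The layered policy: what a session may do, by zone and credentials."""
    if s.zone is Zone.ONSITE:
        return True                               # any action, including limits
    if action == "monitor":                       # VPN + MFA may only watch
        return s.zone in (Zone.VPN, Zone.CONTROL) and s.mfa
    if action == "setpoint":                      # full chain: VPN, MFA, control login
        return s.zone is Zone.CONTROL and s.mfa and s.control_login
    return False                                  # "limits": never from a remote path


def setpoint_violations(current: float, requested: float, limits: DosingLimits) -> list:
    """Reasons to refuse a requested setpoint; an empty list means it is acceptable."""
    reasons = []
    if not 0 <= requested <= limits.hard_max_ppm:
        reasons.append(f"{requested} ppm is outside 0..{limits.hard_max_ppm} ppm")
    if abs(requested - current) > limits.max_step_ppm:
        reasons.append(f"step of {abs(requested - current)} ppm exceeds {limits.max_step_ppm} ppm")
    return reasons


@dataclass
class Controller:
    naoh_ppm: float = 100.0
    limits: DosingLimits = field(default_factory=DosingLimits)
    audit: list = field(default_factory=list)  # every decision, allowed or denied

    def _authorize(self, s: Session, action: str) -> None:
        if not allowed(s, action):
            self.audit.append((s.user, s.zone.value, action, "denied: access"))
            raise PermissionError(f"{s.user} from zone {s.zone.value} may not {action}")

    def read_setpoint(self, s: Session) -> float:
        self._authorize(s, "monitor")
        return self.naoh_ppm

    def set_naoh_ppm(self, s: Session, requested: float) -> float:
        """Apply a new setpoint only if both the session and the limits allow it."""
        self._authorize(s, "setpoint")
        problems = setpoint_violations(self.naoh_ppm, requested, self.limits)
        if problems:
            self.audit.append((s.user, s.zone.value, f"setpoint {requested}", "denied: " + "; ".join(problems)))
            raise ValueError("; ".join(problems))
        self.naoh_ppm = float(requested)
        self.audit.append((s.user, s.zone.value, f"setpoint {requested}", "ok"))
        return self.naoh_ppm

    def set_limits(self, s: Session, hard_max_ppm: float, max_step_ppm: float) -> DosingLimits:
        """The safeguard itself is reachable only from an on-site console."""
        self._authorize(s, "limits")
        self.limits = DosingLimits(float(hard_max_ppm), float(max_step_ppm))
        self.audit.append((s.user, s.zone.value, "limits", "ok"))
        return self.limits


def demo() -> list:
    """Replay the shape of the incident against the policy; one outcome line per step."""
    plant, out = Controller(), []
    tool = Session("unknown", Zone.INTERNET)  # bare remote-access tool, as in the incident
    watcher = Session("ops1", Zone.VPN, mfa=True)
    chain = Session("ops1", Zone.CONTROL, mfa=True, control_login=True)
    onsite = Session("operator", Zone.ONSITE)
    steps = [(plant.set_naoh_ppm, tool, 11000), (plant.read_setpoint, watcher),
             (plant.set_naoh_ppm, watcher, 110), (plant.set_naoh_ppm, chain, 110),
             (plant.set_naoh_ppm, chain, 11000), (plant.set_limits, chain, 20000, 20000),
             (plant.set_limits, onsite, 250, 50)]
    for fn, *args in steps:
        try:
            out.append(f"ok: {fn(*args)}")
        except (PermissionError, ValueError) as e:
            out.append(f"denied: {e}")
    return out + [f"audit: {entry}" for entry in plant.audit]
```

Calling demo() (for example with `print("\n".join(demo()))`) walks through the incident's shape: the bare remote-access session is refused before any setpoint is considered; a VPN user with MFA can read the setpoint but not change it; the fully authenticated remote session can make a small change but has its 100-fold request refused by the hard maximum and the step limit; and its attempt to raise those limits is refused outright, while the same request from the on-site console succeeds. The audit list records every denial as well as every change, so a refused request arriving from an unexpected zone is itself an alert worth acting on, rather than something that only an attentive employee watching the screen would notice.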
In the case of the Florida water facility, a possible crisis was averted because an attentive employee saw the controls being changed and notified the company, which notified the police. The increase in sodium hydroxide was quickly reversed.
The incident remains under investigation by the FBI and Secret Service, as well as local law enforcement officials.