On Friday, 5 February, an unnamed technician working at the Oldsmar Water Plant in Florida saw the cursor moving by itself on his computer screen. He was six feet away from his desk. It didn’t bother him much, because the TeamViewer program allows his bosses to remotely view his computer. In pandemic times, much work was managed remotely. In the afternoon, the cursor started moving again. This time, the technician noticed the cursor went to the Sodium Hydroxide (NaOH) levels and started giving commands.
NaOH is the main ingredient in drain cleaners. In
small quantities, it controls the acidity of drinking water. On the screen, the
invisible hand changed its level from 100 parts per million to 11,100 parts per
million. In the best case, people drinking water with that level of NaOH are
likely to suffer burns, skin irritation and other complications.
The shocked technician re-set the level, called his
colleagues from IT, and let the management know about the cyberattack. Yesterday,
in a televised press conference, the Oldsmar Sheriff said, “this is dangerous
stuff.” Florida senator Marco Rubio asked for the incident to be treated as a
matter of national security.
*****
Cyberattacks on power grids, water plants, oil
pipelines, industrial facilities, traffic lights and aviation control are a
nightmare scenario for modern governments.
The attacks can be carried out by bored teenagers, disgruntled
employees or State actors. It is not known who carried out last week’s amateurish attack.
It lacked sophistication.
In April 2020, Iranian hackers tried to change the
level of chlorine in a water plant in central Israel. Yigal Unna, head of
Israel’s national security said, “Cyber winter is coming even faster than I
expected. We will remember this as a changing point in the history of modern
cyber warfare.” Israel counterattacked an Iranian port.
In 2007, the USA and Israel had joined hands in a project
codenamed “Olympic Games.” The aim was to sabotage Iran’s nuclear program. The
project succeeded in using the malicious computer worm Stuxnet to target
the Siemens control system and trick Iranian centrifuges into self-destructing.
More recently, in 2016, Russia was suspected of using
the same Stuxnet to disrupt Ukraine’s power grid, and throw most of Kiev
into darkness and cold in the middle of a harsh winter.
America and Russia have started the Cyber cold war.
Both have reportedly entered each other’s networks, and parked malware and
bugs. They are willing to be patient for years. At the right time, if required,
the power in an enemy city can be switched off, or drinking water can be
poisoned by changing the levels of chemicals.
*****
America, presumed to be a developed country, has a
water supply made up of 70,000 separate, independent utilities. It is hard to have
uniform security standards across them. Experts acknowledge the USA is ill-prepared
to defend itself against cyberattacks on water plants.
Ideally, these facilities should not have remote
access at all. But in the world in which we live, this is difficult. With the
pandemic on, remote work has become even more widespread. Most public utilities,
the local municipalities, have low budgets, little cash, old computers and not
enough attention to cyber security. (I am attaching a 56-page booklet called Cybersecurity
fundamentals for water utilities. It may be useful for any place.
And by the way, if you have TeamViewer on your computer, and you don’t use it or
don’t know how to use it, please uninstall it immediately.)
*****
The incident at Florida’s water plant last week is a wake-up
call for every public utility in the world. In times of remote working,
cybersecurity must be even tighter. Always working remotely, hackers are
capable of causing devastation.
Ravi