A Tampa, Florida area water facility was recently hacked using a popular remote-access software tool.  The unidentified hacker also used the software to connect to an on-site computer and then used that computer to access the facility’s control panel.  Once there, the hacker programmed a 100x-increase in the levels of sodium hydroxide (lye) to be added to the water supply.  While small amounts of lye are used to control the acidity of water, at these massively-increased levels, lye is corrosive. Drinking the water could be like drinking liquid drain cleaner.

There are many valuable and legitimate uses of remote-access software. This software allows a user to take full control of another computer as if they were sitting in front of it. The particular brand of remote-access software involved in this incident is popular with consumers and businesses and has more than 200 million users globally. It can be used by individuals to remotely access and troubleshoot their family members’ computer issues.  However, there are now questions about whether remote-access software is appropriate to monitor and change controls at critical infrastructure facilities.

There are alternative approaches. Some critical infrastructure facilities permit remote-access software, but only to monitor the facility systems.  Any changes must be completed on site from computers not connected to external systems or software.  Some in the critical infrastructure industry recommend requiring a secure VPN to remotely access the internal network.  After using the VPN, any additional access by the remote user would be done via a secured login with mandatory, multi-factor authentication.  Some recommend a second secure login inside the network that controls the critical infrastructure.

Industry members are quick to point out that critical infrastructure systems often have multiple safeguards to prevent extreme manipulation of the systems.  For example, many water treatment facilities have physical size restriction limits on the quantities of chemicals that can be introduced into the system over any given period. This type of safeguard could restrict the speed and/or amount of chemicals that would actually be pumped into a system, even if programmed to do so. But if a hacker can remotely access the system controls to program changes in quantity, could they possibly program other changes, such as changes to these safeguards?

In the case of the Florida water facility, any possible crisis was averted because an attentive employee saw the controls being changed, and notified the company, which notified the police. The increases in sodium hydroxide were quickly reversed.

The incident remains under investigation by the FBI and Secret Service, as well as local law enforcement officials.

See: https://www.tampabay.com/news/pinellas/2021/02/08/someone-tried-to-poison-oldsmars-water-supply-during-hack-sheriff-says/

Photo of Kathleen Porter Kathleen Porter

Kathy Porter’s practice straddles the areas of intellectual property, business transactions, trade regulation, and Internet law and includes import/export control issues, such as compliance and enforcement, competition, privacy, and data security. She counsels businesses on the development and implementation of data security and…

Kathy Porter’s practice straddles the areas of intellectual property, business transactions, trade regulation, and Internet law and includes import/export control issues, such as compliance and enforcement, competition, privacy, and data security. She counsels businesses on the development and implementation of data security and privacy practices to comply with the patchwork of laws and rules applicable to the collection, use, safeguarding, sharing, and transfer of protected or personal data. She regularly structures arrangements with promoters, marketers, website exchanges, and other third parties for the purchase, sale, sharing, and safeguarding of personal data. Kathy prepares and negotiates representations, warranties, and indemnities regarding personal or protected data and privacy and data practices. She also assists clients with privacy audits and works with third-party certification organizations to obtain certification of companies’ privacy practices. She guides clients through internal investigations to assess and address notice and other obligations regarding privacy breaches. Kathy often works closely with our litigation attorneys to manage external investigations such as those by federal or state regulators. Read her rc.com bio here.