For a few minutes on Friday, an operator at the Water Division for the town on Oldsmar, Florida, watched as the cursor on his computer moved across the screen, opening windows and clicking buttons.
He at first assumed that another technician for the water treatment plant had taken control of the software remotely. But when the remote user raised the level of a caustic chemical known as sodium hydroxide—often referred to as lye—by a factor of 111, the operator realized that an intruder had compromised the system. He quickly reversed the changes and then alerted authorities, local officials said during a press conference on Monday.
Most likely, redundant checks on chemical composition of water exiting the system would have caught the changes, but it should not get to that point: utilities need to raise their cyber resilience, says Austin Berglas, former head of cyber for the FBI’s New York office and currently the global head of professional services at cybersecurity firm BlueVoyant. The actors were unsophisticated—they likely used stolen credentials to log into…
