Hacker tried to poison Florida city's water supply

Within the last few years, Iranian hackers, I think it was, got into a dam control system and removed the final failsafe locks. Luckily it was a very small dam and the hack was detected.

The interview on Maddow tonight was with Nicole Perlroth, who has been tracking cyber attacks on infrastructure for years. She said that we had as many attacks in the final 6 months last year as we’d had the previous 2 years combined and that the US, feeling itself secure against cyber attack because in the past we have been the pre-eminent cyber power, has not bothered to harden infrastructure against cyber attacks.

Weirdly, she has a book about this coming out tomorrow (This is How They Tell Me the World Ends).

The Maddow show said it would have taken about 24 hours before the tainted water hit the public water supply. It probably would have been detected, but there’s no guarantee, especially if the hacker knew enough to turn off sensors and failsafes. Apparently all they did was just check to see if they could get in and mess with something. Early days yet on that.

There is no doubt that this was Terrorism; the only question is whether it was from inside the country or from outside the country.

That said, would/could this be considered an Act of War?

Clearly, this treatment plant needs to close its outflow controls tighter. Yes, I’m saying they need to clam up.

That’s not the kind of thing that would succeed. You can’t just increase the flow of a chemical by 100 times and expect it to happen. Pumps, valves, piping will all be sized for the appropriate volumes.

If you think about it, the water treatment facility treats on the order of 80 million gallons per day. To add 100 ppm NaOH to that would take less than 7.5 gpm of 50% NaOH solution, and any engineer worth a fart in a whirlwind would size the valve to be in the range of 30% to 70% open. 50% caustic has a high viscosity so I’d go with a fairly large line size, but to get to an 11,100 ppm concentration would take something like 750 gallons per minute.

They wouldn’t have installed a 10" line and control valve just in case someone wanted to do this, and they wouldn’t have sized the pump to operate in the range of 5 gpm to 1,000 gpm. That’s a ludicrous application.

Certainly the hacker should be treated as though it were a viable method of doing harm. If someone added ground glass to the food in a restaurant thinking it would kill patrons they shouldn’t get a pass simply because ground glass isn’t as toxic as all that, and I think this is an analogous situation.

Also… it’s apparently IT amateur hour there. Working in IT for a municipality and having some contact with the water dept’s setup, I can say that the control systems should be walled off in their own secure private network - both for security, and for speed. You don’t want your control systems on the general network - then any sort of congestion issues might affect your ability to control things, and it makes them quite a bit more vulnerable in terms of security.

Agreed. But …

Across all the states, counties, municipalities, villages, utility districts, dam operators, Mom & Pop phone companies, and small factories handling potentially dangerous materials, IT amateur hour is probably more common than not.

Back in the day the small fry could assume they’d be ignored. The big guys had to plan for being attacked by the few real physical saboteur nutbags out there.

The internet changed all that and now it’s practical for a bad guy to simply port scan across the whole internet until finding whichever amateur hour IT shop left the back door (or front door!) ajar. There’s always gonna be one and that’s all the bad guy needs. One.

Our whole country, from DoD to your next door neighbor’s aged MIL, is still learning that the worst of the worst of bad actors, crooks, anarchists, and hostile governments can be, and might well be, rattling your front door every couple hours looking to see if you’ve left it unlocked. We collectively just don’t get it yet.

Apparently the hack did work but an alert worker noticed the change and fixed things within ten minutes.

From what I heard on the news today with an FBI mouthpiece that hack wasn’t “sophisticated” but part of the problem is that small municipalities lack resources and safeguards that a major city like, say, New York City would have.

A quick google leads me to believe that if the hack had worked as intended it would have resulted in a 1% concentration of sodium hydroxide in the water and that is sufficient to cause skin and eye damage, and presumably would not be something you’d want to drink. I’m not 100% sure on that, though, and folks are welcome to check my math on that.

I do question if the system would have sufficient reserves of lye to actually raise it to that level in the water.

Absolutely not. But when I question if we should put everything on the internet I get accused of being a Luddite.

Yeah, it’s probably something in the wa— um… nevermind…

As I said - by my very rough not-a-professional 10 minutes of research 11,100 ppm is around 1% concentration and a bit more googling said that yes, that’s concentrated enough to cause damage.

But as I also said - did the system have enough actual lye to be able to dump sufficient quantities into the water to actually achieve that? I don’t know. I don’t expect anyone in authority to tell us.

Also:

I had to do my PCII (protected critical infrastructure information) refresher training the other day, so it was kind of on my mind anyway.

But yeah; between this kind of thing and the Parler security issues, it seems to me like more places are probably vulnerable than not.

I just Googled “1% solution of sodium hydroxide” and it says that the pH of that is 13. Nope, wouldn’t want to drink that or get it anywhere near my body either. It would be extremely caustic.

When I was taking organic chemistry, I was working at a restaurant and the manager was pouring something into a drain while wearing gloves and a mask. Someone asked what he was doing, and he said, “I’m just pouring some acid in here.” The jar was labeled “Sodium hydroxide - NaOH” and I almost started to explain that this wasn’t acid, but decided not to say anything. :roll_eyes:

That is the same pH as lye. :worried:

Sodium hydroxide and lye are the same thing so I suppose that makes sense.

That’s a fair observation; it might have thwarted this attack as much as did the alertness of the operator. One might speculate that water-system hackers might choose to concentrate on removing additives needed to keep water from being dangerous (e.g. those that prevent typhoid-causing bacteria from multiplying), rather than adding unusual quantities of additives (such as the lye in the Florida case). The results might not be as dramatic as quickly as the ‘drinking lye’ would have been, but they would serve a terrorist’s purpose even so.

Cutting something from being added is fully workable, as compared with massively increasing an additive.


Not by me. If my ship came in and I had the ability to buy a shiny new mansion, I would, no doubt, be put to the expense of tearing out all the Internet-connected appliances and AC/heating system and security wiring and whatever else today’s home builders have decided to make Internet-connected, as a (supposed) selling point.

Too easy to hack.

Didja ever run a packet tracker on your computer, like Wireshark or similar? Just sit there and watch all the unsolicited packets roll in, looking for open ports. They’re a nearly steady stream, with IP addresses that seem to come from all over the world.

That would be the key element, trying to do what is possible rather than what is dramatic. I’ve got a Bluetooth and WiFi enabled Anova Culinary sous vide device. A hacker could conceivably hack it and change my cooking temperatures, but it wouldn’t accept an input of 1,000 degrees F, and if it did accept the input it couldn’t possibly reach that temperature and set fire to my kitchen. If someone did try it I suppose a headline of “Hacker tried to set fire to Bill Door’s kitchen” would get clicks, whereas the headline “Hacker tried to make Bill Door’s ribeye steak too well done” would not.

I’d say that would actually be worse in that it might go undetected for a while, and only come up as some sort of contaminated water issue that would destroy trust in the public utility and by extension the government in charge of it. While trust would be eroded in the case of adding too much of an additive, it’s more trust in the IT department, not trust in the normal, everyday product of the water department like would happen if terrorists decreased the amount of whatever disinfectant is used such that people started getting sick from the water over a longer period.

It is largely forgotten today, but water-borne illness used to be a major cause of death, tens of thousands of people a year sometimes.

Decreasing/removing the steps and chemicals that target those pathogens in a city water supply could wind up doing enormous damage.

Absolutely, and this would be a course of action that many foreign adversaries would be delighted to pursue.

For most of the world, it still is.

Never say never, but I very much doubt it would work. Even putting aside such issues as pumps/piping and chemical capacity, pH sensors are de rigueur in any sort of water system, often multiple ones at different points in the process and for something like drinking water have alarm limits set in a very narrow range. It would be highly unlikely for those not to trip early in any massive overdosing situation. Not to mention there should also be high flow alarms, maxed pump speed alarms, etc. You’d have to have some sort of serious compound failure - successful hack (and any sizeable utility will generally have the control systems that are completely isolated from outside interference, you’d have to be an insider), really large chemical supply, oversized pumps/piping from shitty design to allow the possibility of huge overdosing, an unmanned system where no operator can catch his distributed control system trends going wonky, then probably multiple sensor/alarm dialer failures. Pretty unlikely series of circumstances.
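As an added illustration (not from any poster in this thread) of the two arguments above, the caustic-feed sizing math from the 80 MGD post and the layered alarms in the post just above: a rough NaOH mass balance, a setpoint interlock that rejects doses the assumed pump cannot physically deliver or that fall outside an alarm band, and a pH trend check. The plant flow, 50% caustic density, 15 gpm pump ceiling, 50-200 ppm band and 6.5-8.5 pH limits are all assumptions chosen to match the thread's rough numbers, not data from the Florida plant.

```python
# Added example, not from the thread: caustic (NaOH) dosing mass balance plus the
# kind of plausibility interlock and pH alarm the posts above describe.
# All plant figures below are assumptions picked to match the thread's numbers.

GAL_TO_L = 3.78541
MIN_PER_DAY = 1440
NAOH_50PCT_DENSITY_KG_PER_L = 1.525  # assumed density of 50% w/w caustic soda


def caustic_feed_gpm(plant_flow_mgd, target_ppm, solution_frac=0.5):
    """Gallons/min of caustic solution needed to reach target_ppm NaOH (mass basis)."""
    plant_lpm = plant_flow_mgd * 1e6 / MIN_PER_DAY * GAL_TO_L
    naoh_kg_per_min = plant_lpm * 1.0 * target_ppm / 1e6      # water taken as 1 kg/L
    solution_lpm = naoh_kg_per_min / solution_frac / NAOH_50PCT_DENSITY_KG_PER_L
    return solution_lpm / GAL_TO_L


def check_setpoint(target_ppm, plant_flow_mgd=80.0, pump_max_gpm=15.0,
                   band_ppm=(50.0, 200.0)):
    """Interlock: reject a dose setpoint outside the operator-configured alarm
    band, or one the assumed dosing pump cannot deliver. Returns (accepted, reason)."""
    lo, hi = band_ppm
    if not lo <= target_ppm <= hi:
        return False, f"setpoint {target_ppm} ppm outside band {lo}-{hi} ppm"
    feed = caustic_feed_gpm(plant_flow_mgd, target_ppm)
    if feed > pump_max_gpm:
        return False, f"needs {feed:.1f} gpm feed but pump max is {pump_max_gpm} gpm"
    return True, f"ok, {feed:.2f} gpm feed"


def first_ph_alarm(readings, lo=6.5, hi=8.5):
    """Index of the first pH sample outside [lo, hi], or None if all are in range."""
    for i, ph in enumerate(readings):
        if ph < lo or ph > hi:
            return i
    return None


if __name__ == "__main__":
    # Constructed inputs: the thread's normal ~100 ppm dose and the 11,100 ppm attempt.
    for ppm in (100.0, 11100.0):
        print(ppm, check_setpoint(ppm))
    # Constructed downstream pH trend that drifts upward once overdosing starts.
    print(first_ph_alarm([7.4, 7.5, 7.6, 8.1, 9.3, 11.0]))
```

Running it shows the 100 ppm dose needs roughly 7.3 gpm of 50% caustic, while 11,100 ppm would need roughly 810 gpm, far past anything the assumed pump or alarm band would accept.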

But being an idiot of a terrorist is still being a terrorist. Hunt them down and prosecute to the hilt.

That makes sense. I suspect that what the hacker did was the equivalent of setting your house thermostat to 2,000 degrees. It’s going to make things uncomfortably warm but it isn’t going to melt steel.