On Monday, officials from Pinellas County in Florida announced that an unidentified hacker remotely gained access to a panel that controls the City of Oldsmar’s water treatment system and changed a setting that would have drastically increased the amount of sodium hydroxide in the water supply.
During a press conference, Pinellas County Sheriff Bob Gualtieri said that a legitimate operator saw the change and quickly reversed it, but signaled that the hacking attempt was a serious threat to the city’s water supply. Sodium hydroxide is also known as lye and can be deadly if ingested in large amounts.
Sounds like LogMeIn, RDP, or another service was installed/enabled on the system, as the plant operator saw what the hacker was accessing and what changes they were making as they did it. I’m not sure systems like this should be connected to the internet, but if they must be connected, these kinds of remote services shouldn’t be installed and left running. What if that plant operator had been in the restroom or on a break or glanced at another screen when these changes were being made by the intruder?
Also, shouldn’t the ability to poison the water supply require some sort of admin password?