Two days before Super Bowl LV in Tampa, FL, a hacker attempted to taint the water supply of Oldsmar, FL, a small city just 12 miles from the stadium. The attacker increased the amount of sodium hydroxide (also known as lye) from 100 parts per million (ppm) to 11,100 ppm.
The potential threat for this type of attack has been known for several years. This narrowly escaped disaster should be a warning to other such water treatment plants as well as all other critical infrastructure facilities that they should take heed and evaluate their own cyber security measures.
This also reveals the reality that many smaller communities, with fewer resources, overlook or minimize the need for security in their industrial control systems. Clearly, all critical infrastructure owners and operators MUST prioritize security because their communities depend on them for public health and safety as well as their local economy.
The fact that this attempt was not successful is actually a stroke of luck. A facility operator happened to notice the mouse cursor moving on the screen and was able to undo what the hacker had done within minutes. Imagine how different the result would have been had that operator not noticed that anomaly. Ideally, such facilities should incorporate more automated monitoring of their systems.