
UHY Consulting

Cybersecurity & Risk

UHY Consulting provides Cybersecurity capabilities, including Privacy and PCI Compliance, Vulnerability Assessments, Penetration Testing (Pen Testing), Risk Assessments, and Environmental, Social, and Governance (ESG).

How a Cyber Attacker Almost Contaminated a Town's Water Supply


On Friday, February 8, an unknown cyber attacker was able to use a common remote control and viewing software called TeamViewer to modify the sodium hydroxide (aka lye) levels for the water treatment system serving Oldsmar, Florida.

The Super Bowl was being played two days later in Raymond James Stadium in Tampa Bay, only 13 miles away from Oldsmar. Now a paranoid cybersecurity person might immediately think this is the work of a sophisticated terrorist organization or state-sponsored attacker. The water system at the stadium will be compromised and all the unsuspecting people attending the game will be in peril. But the cybersecurity savvy might have a different opinion. It turns out the Oldsmar water treatment facility does not service the stadium in any way and the cyber-attack hardly looks to be sophisticated or well-planned.

However, it still could have been catastrophic for the 15,000 people who live in Oldsmar. Thankfully, the attacker modified the sodium hydroxide levels during the day, right in front of an observant operator, and secondary controls were in place to stop the process before the water supply was contaminated.

The cyber-attack looks like an opportunistic attack on an insecure or weakly protected TeamViewer account. The sodium hydroxide level was changed from an acceptable level of 100 parts per million up to 11,100 parts per million – the simple addition of two numerals making the modification excessive. The attacker did not alter the operator’s view of the system, which would have led the operator to believe everything was okay when it was not. And it took place at 1:00 pm EST, right in the middle of the day. While not all the details have been released and the investigation is ongoing, it looks to be the work of a technically unsophisticated adversary.

Even so, this should be another wake-up call for businesses. This attack was attempted and could have succeeded. It underscores that even opportunistic and simple attacks can have disastrous effects. It illustrates how quickly and easily an attacker could secure your password and use your own tools against you.

Are you aware of your internet security posture? Is TeamViewer, or any of the dozens of other remote access programs, running in your environment? What could a simple attack do to your infrastructure or business? Don’t delay. Use this example as motivation to get started on your company’s cybersecurity.

UHY Consulting’s Cybersecurity specialists address cybersecurity as an enterprise business risk. We take a facilitated approach to determine the optimal assessment type, and we tailor each cybersecurity assessment engagement to the individual needs of our clients. Simply put, we translate IT risks into business risks and provide meaningful insight to your stakeholders – from the boardroom to the security engineer.

It is time to learn more about your current security posture. Please contact us at 630-288-6992 or cyber@uhy-us.com.

 

 


©2023 UHY LLP. ALL RIGHTS RESERVED.
