Is your water supply safe? Other things?

[maddmaxx 29,516]

https://www.nytimes.com/2021/02/08/us/oldsmar-florida-water-supply-hack.html

A hacker attempted to poison a water treatment plant in FL by upping the addition of sodium hydroxide (lye) by a huge factor that would have rendered the water capable of blinding a shower taker or seriously damaging someone who drank it.  A human operator noticed the change and corrected it.  After a second attempt by the same (or other) hacker the remote computer system that allowed one person to make the change without the approval of anyone else was disconnected from the system.

In this day and age one has to ask if such a remote system was necessary or safe in the first place.  We are going to have to rethink this internet thing as a country before it's too late.

[bikeman564™ 14,914]

I don't understand why water treatment needs to be on the internet. Water can be treated w/o this.

[maddmaxx 29,516]

24 minutes ago, bikeman564™ said:

I don't understand why water treatment needs to be on the internet. Water can be treated w/o this.

Lots of things can be done without this.  Womaxx as the school bookkeeper and controller of the student accounts (about a quarter of a mil) used to have a stand alone program on her computer in her office subject to auditing at a moments notice.  The new town school administration had everything put on line.  No one knows why.  It isn't accessed by anyone else.  As a country we are doing far too much of this and hackers, Ransomeers and Pirates of all ilk are having a great time.

[bikeman564™ 14,914]

2 minutes ago, maddmaxx said:

Lots of things can be done without this. 

Like refrigerators. Why the f some wants their fridge online so you can see what's inside is stupid. Also TVs, and them remotes you talk into. None of which I have.

[maddmaxx 29,516]

I don't mind the small things.  If some asshole wants to see what I'm watching or listen to inane conversations through Alexa or screw with my lights that's a minor detail.  I do think that power plants, water systems and other major infrastructure needs to be offline on dedicated networks.  Even that is not totally secure as Stuxnet demonstrated.  At least one of the DARPA projects that I worked on was loaded on a single computer inside a coded door room with our receptionist sitting outside.  No connection to the outside world other than the power cord.  Authorized people went in, recorded data from their lab notebooks and left.  No electronic media allowed in.  There were only 4 people in the company allowed in that room. (not me).  I did however work on other even more classified programs in other companies that were less well protected.

We trust our banks.  Hopefully they have the best in security systems and good backups.  That has proven to be misplaced trust in the past.  We trust our healthcare system to provide the proper medications.  Perhaps we shouldn't be so trusting.

[shootingstar 3,931]

I can only assume this hacker news alerted the wastewater treatment plant services engineering sector world-wide. Pretty scary.  

Now with severe municipal budget pressures particularily in the big cities,  certain remote systems monitoring by staff, might look attractive. So don't bitch too much about your property taxes being raised...you want staff to actually be on-site for some of your critical municipal services. Ask this out of your local municipal services.  You want them for this critical service ...to do field site inspections also.  There is a point where human beings are required.

 

 

[Razors Edge 14,641]

THE CLOUD!!!! We need EVERYTHING in the CLOUD!!!!  DO NOT RESIST! 

Thank you.

[maddmaxx 29,516]

21 minutes ago, Razors Edge said:

THE CLOUD!!!! We need EVERYTHING in the CLOUD!!!!  DO NOT RESIST! 

Thank you.

See other thread.  there are such people.

[Longjohn 37,153]

I realize municipal water systems are a necessity for towns and cities but I have never trusted them. I have never lived anywhere that I had city water. The closest thing was when I was the maintenance supervisor at a large Methodist camp and retreat center. We had our own water and sewage systems that I was in charge of. We used a combination of spring water and many wells all tied together. I tested the drinking water for proper chlorination and sent samples to a lab for further testing on a regular basis. I could have accidentally screwed up and made the water bad but luckily I never did. Our pump house was kept locked but anyone wanting to poison our system could have broke in and we would all be dead before we knew it. 

[Dirtyhip 23,204]

We are tapped into a huge underground body of water with my own personal tap.  I am not too concerned about safety for my water.

You can't even easily get onto our property.  We also have a locking gate.  

26 minutes ago, Longjohn said:

I realize municipal water systems are a necessity for towns and cities but I have never trusted them. I have never lived anywhere that I had city water. The closest thing was when I was the maintenance supervisor at a large Methodist camp and retreat center. We had our own water and sewage systems that I was in charge of. We used a combination of spring water and many wells all tied together. I tested the drinking water for proper chlorination and sent samples to a lab for further testing on a regular basis. I could have accidentally screwed up and made the water bad but luckily I never did. Our pump house was kept locked but anyone wanting to poison our system could have broke in and we would all be dead before we knew it. 

Most wells are tapped into huge underground sources. A wrongdoer would need a hellof a lot of poison.  Enough to poison an entire river is a lot for someone to just dump in.  

 

[ChrisL 13,306]

Infrastructure security has been a a long standing concern for my industry for years and I’m surprised it hasn’t happened more.  Protection of water supplies, electrical grids, highway management systems, subways, dams & waterways and much more has the potential to be hacked and manipulated to put people at risk.

Due to budget pressure & lack of oversight municipal systems are considered the most vulnerable to hacking.

[Razors Edge 14,641]

19 minutes ago, Dirtyhip said:

We are tapped into a huge underground body of water with my own personal tap.  I am not too concerned about safety for my water.

You can't even easily get onto our property.  We also have a locking gate.  

Most wells are tapped into huge underground sources. A wrongdoer would need a hellof a lot of poison.  Enough to poison an entire river is a lot for someone to just dump in.  

 

I think someone like @Longjohn has fracking wells to consider when testing his well water.  That part of PA has a lot of fracking, and with it, potential for pollution from spills.  Oregon isn't in the same boat.

[donkpow 7,445]

[Dirtyhip 23,204]

1 hour ago, Razors Edge said:

I think someone like @Longjohn has fracking wells to consider when testing his well water.  That part of PA has a lot of fracking, and with it, potential for pollution from spills.  Oregon isn't in the same boat.

My goodness.  The states should not allow that shit, and if they do it should come with heavy restrictions and they should limit what these companies can do to extract the gas.  

One of the main reasons that I enjoy living in Oregon, is that we are a very environmentally focused state.  

[Razors Edge 14,641]

3 minutes ago, Dirtyhip said:

The states should not allow that shit, and if they do it should come with heavy restrictions and they should limit what these companies can do to extract the gas.  

There are restrictions.  Whether they are sufficient or not might remain to be seen, but it does warrant regular testing of a water source.

[BR46 10,454]

If something would happen to our water I always have this in our yard to fall back on 

[12string 3,928]

Doesn't the water system have some kind of alarms or shutoffs if too much lye ends up in the water?

And why lye in the first place?  Not just all the time, but the hacker would have been way funnier if he diverted the supply through a Sodastream

[Airehead 19,478]

Well water that is tested yearly-- so i guess I could die in between the tests but so far that hasnt happened.  Our water conditioning system inside the basement has UV and filter stages.  Our water is actually quite nice.

[Thaddeus Kosciuszko 11,952]

5 hours ago, maddmaxx said:

In this day and age one has to ask if such a remote system was necessary or safe in the first place.

Industrial or continuous process systems are often connected in this manner to improve quality control, record data points of critical systems, to allow remote trouble-shooting, or to comply with local/state/federal regulations.

For example, a water treatment plant has to follow guidelines for how much of any number of chemical, elements, or minerals can be in the drinking water.  An industrial processor follows a program to poll the sensors that record those readings.  The processor then reacts based upon those readings executing what's called a control loop. The readings area typically stored on site, but also uploaded to a remote site as well.  Other information such as alarms, warnings, and setting changes are often documented/recorded both on and off site.

A water treatment system is composed of many subsystems from different manufacturers.  These systems, if new, are under warranty; if out of warranty they are often under service contracts.  Rapid response to problems can be crucial with a water treatment facility.  Hence the remote links allow manufacturers and service companies to look in on the system, make immediate adjustments, and if that doesn't work they can get an idea of what the problem is and bring the necessary tools and equipment when they make the service call.

The problem is few owners, municipalities, and companies take security on these systems seriously.  Industrial processors often have several levels of security, with each level allowing greater latitude and control over the processor functions.  Passwords aren't often changed as employees leave, simply because very few people ever tried to hack systems like this.  ChrisL is spot-on about vulnerability of utility and municipal systems.  Once a hacker is in the system, they can make changes to the process and then reset alarms and limits so the hacked conditions never trigger any warnings.

[maddmaxx 29,516]

Perhaps it would be as easy as limiting off site connections to sensor data out put only with local human intervention required to change any inputs outside the scope of the control loop which would also have to be loaded locally.  Yes this would require manpower to be able to access a treatment plant quickly or in lieu of that constant supervision by a trained human.

Somewhere we might run into a malicious human, but they would have access to one facility only.  Hackers can work on gaining access to many facilities and save that access for a combined attack.

[12string 3,928]

OK, so if I'm reading Ted and Max correctly, he couldn't have done the Sodastream thing?

[Razors Edge 14,641]

2 minutes ago, 12string said:

OK, so if I'm reading Ted and Max correctly, he couldn't have done the Sodastream thing?

Just need better hackers!  Clearly, this Florida guy was a n00b!

[jsharr 46,321]

 

[donkpow 7,445]

2 hours ago, 12string said:

And why lye in the first place?

Adjusts pH.

[shootingstar 3,931]

hmm. I know security to our water treatment plants are tight...to even other employees.

It is rather interesting how much money budget-wise the dept. for water supply and water treatment can obtain...without much public debate at all.  The biggest ongoing public debate is whether orn not our local water should have fluoride.  We don't have it our water.... too much public outcry.  Whereas in other cities, where I've lived, they have it.

They have some interesting projects...even combined with art.  Whereas other depts. face alot more questions, fire from politicians and public  --roads, construction of community centres, etc. 

I visited a water treatment facility to meet another employee.  Underground to link another building 1 km. away, there were 2 simple bikes to bike down the wide hallway in between.

[Longjohn 37,153]

12 hours ago, donkpow said:

Adjusts pH.

I used soda ash, it takes more to change the ph but probably won’t cause blindness.

[Prophet Zacharia 5,958]

13 hours ago, donkpow said:

Adjusts pH.

Makes water into pHater?

 

16 hours ago, Dirtyhip said:

The states should not allow that shit, and if they do it should come with heavy restrictions and they should limit what these companies can do to extract the gas.  

Ha. Our state politicians mostly want to increase fracking for the jobs, even offering sweetheart tax deals to lure new drilling. Our national election was nearly decided by one party wanting (primarily) to eliminate new fracking on Federal land and the other wanting fewer restrictions.

My water comes from the Allegheny river, pumped out at Aspinwall, PA.

[MickinMD 6,047]

On 2/9/2021 at 7:39 AM, maddmaxx said:

https://www.nytimes.com/2021/02/08/us/oldsmar-florida-water-supply-hack.html

A hacker attempted to poison a water treatment plant in FL by upping the addition of sodium hydroxide (lye) by a huge factor that would have rendered the water capable of blinding a shower taker or seriously damaging someone who drank it.  A human operator noticed the change and corrected it.  After a second attempt by the same (or other) hacker the remote computer system that allowed one person to make the change without the approval of anyone else was disconnected from the system.

In this day and age one has to ask if such a remote system was necessary or safe in the first place.  We are going to have to rethink this internet thing as a country before it's too late.

Ralph Pollack, who was a chemistry professor then Dean of Science at UMBC, once told me that when he was a post-doc at U.C. Berkeley, a strong base was spilled on him.  He was rushed to a shower, was washed off thoroughly several times, and given some clothes to wear home.  When he got there, the clothes were disintegrating.  He bathed again over and over and the clothes and bed sheets he was in contact while sleeping were damaged by the time he woke up in the morning.

The human skin is a marvel!

[MickinMD 6,047]

It would seem to me you'd need tons of NaOH to poison Baltimore's drinking water, which comes from a few very large lake reservoirs.

There is also a large pipeline for fresh water that connects to the Susquehanna River, miles away at the north end of the Chesapeake Bay, but I don't know how close that is to operating condition if it was needed in an emergency.

[jdc2000 1,275]

A unsecured TeamViewer session was what the hacker used.  Time of day was 8:00 am and again at 10 or 11 am, so an operator noticed immediately.  Fortunately, it did not happen at 2:00 am.

 

[Longjohn 37,153]

17 hours ago, Prophet Zacharia said:

My water comes from the Allegheny river, pumped out at Aspinwall, PA

Did you know fish pee in that river?

[JerrySTL 9,585]

I recently read "The Poisoned City: Flint's Water and the American Urban Tragedy". The government and water treatment people made things worse in Flint than a hacker could have done.

[JerrySTL 9,585]

11 minutes ago, Longjohn said:

Did you know fish pee in that river?

Screw in it to.

[Bikeguy 2,611]

57 minutes ago, Longjohn said:

Did you know fish pee in that river?

When I was working, I was at the Pontiac (IL) sewage treatment plant.  They discharge into the Vermilion River.    26 miles downstream, there is a dam where the water company takes water for Streator.  

That year there was a drought.  I told the manager of the sewage treatment plant, 'You should tell everyone in Pontiac to flush their toilet twice, rather than just once.'  He asked why?   I told him we need the water in Streator.  

Now we have well water, from a shallow 75 foot well, and a RO filter for drinking water.  

[Allen 2,710]

I have a very deep well. 

[Longjohn 37,153]

The fracking wells go horizontal underground and cover an amazing area from where they were started. We don’t have any of those close to our property. The Wells that we could see from our house were the traditional gas Wells that went straight down. We didn’t experience any changes in our water after they drilled the wells.

[Prophet Zacharia 5,958]

6 hours ago, Bikeguy said:

They discharge into the Vermilion River.    26 miles downstream, there is a dam where the water company takes water for Streator.  

Our sewage treatment plant empties into the Ohio River. Our gift to the Midwest.