Unknown attacker increased Sodium Hydroxide level from 100 to 11,100 ppm.
So probably a TeamViewer vulnerability?
After a search it's hard to find info on safe levels of NaOH
I've found 500mg/kg ingested is a lethal dose for a rabbit
Aerosol 2mg/m3 is minimum safe levels for no more than 8 hours
and 10mg/m3 is rated as "immediately dangerous to life or health"
but nothing about drinking water safety levels
so 1mg per kg = 1 part per million
so it was changed from 100mg to 11100mg or a 1% solution
Looks like it would have been very bad
Last edited by Pob255; 09-02-2021 at 03:02 PM.
"Are you suggesting that I can't punch an entire dimension into submission?" - Flying squirrel - The Red Panda Adventures
In a sane world, this "wake-up call regarding cyber-security" would result in the complete removal of online control and an increase in the staff budget to always have a plural number of staff physically on site at all times.
But I bet they give multiple millions to a software company instead, to add new protections that the plant owners won't understand and won't be able to evaluate.
Nothing on NaOH but the drinking water standards do specify maximum levels of Na at 200mg/l https://www.legislation.gov.uk/uksi/...chedule/1/made
Perhaps NaOH would be captured in that.
This is the problem - you can set up really good security but for 'convenience' someone can stick TeamViewer on and bust straight through. Security is only as good as the lowest paid operator. (The sad thing is decent secure remote desktop is possible but it needs an expert to install it correctly and that's expensive.)
I suspect this firm doesn't even have a proper IT security team (or basic unsecured TeamViewer would have never been used!).
Jeez, they're still allowing TeamViewer on their system? Why does this not surprise me. I remember a while back some other company got hacked through their internet-connected network printer (a functionality that particular printer didn't need to work). Guess stories like this are going to get more and more common as more things that don't need to be connected to the internet have that functionality. And IT security is not taken seriously. I've worked with IT managers who were totally clueless, but are still managers.
"Arrogance and stupidity all in the same package. How efficient of you!" - Ambassador Londo Mollari
"Never interrupt your enemy when he is making a mistake." - A General
Were they still using XP by any chance?
I don't think so - I haven't done chemistry since A Levels but I believe there is a big difference between Sodium ions in the water and caustic soda (Which would presumably dissolve into Na + OH with the OH being the bad alkali part). (Of course I could just be talking rubbish)
Again, only A-levels, but with adding sodium hydroxide the issue is less the Na+ ions but the introduction of lots of OH- ions smashing the pH upwards into strongly alkaline territory. It'll burn you like bleach will. Its addition in small amounts is that it will mop up any H+/H3O+ ions (the functioning part of acids) making water and sodium salts, but crank the quantity too high and the equilibrium pulls right over into a strong alkaline solution. That is bad.
Last edited by ik9000; 09-02-2021 at 04:14 PM.
That someone thought having remote access to a water treatment plant via TeamViewer of all things boggles the mind; it's the sort of thing you'd expect in a Hollywood film plot.
Remote access during lockdown or other hazardous conditions saves someone having to go out there in person, and potentially never come home again.
There's been a big safety drive throughout the industry in recent years, not helped by things like the recent explosion in Bristol.
Choice of software is determined by business prices that fit the budget, which is dictated by the regulator, who pander to what (they think) the customer wants.
_______________________________________________________________________
Originally Posted by Mark Tyson
Thanks for the explanations. In that case, the indicator parameters include maximum levels of conductivity and hydrogen ions (as measured by pH) https://www.legislation.gov.uk/uksi/...chedule/2/made which should capture this? (To answer Pob's query)
For sure, but you'd expect someone to be there just to confirm a change to a system that could kill (I assume) loads of people.
Maybe I'm just old but I would've thought something like this would be: Boss or person phones in and tells technician or whoever to change such and such to whatever and for such calls to be logged with the person making the request and the person who took and actioned the request.
Depends on the site.
In the UK alone, there are many, many small sites that are completely unstaffed as standard. A large works will be, but small pumping stations and the like just do not need crew and the cost of staffing them, providing for their safety and wellbeing, amenities, security, parking, facilities, etc... well, we'd easily treble our head count and likely more.
I'm sure the software logs it too...
But you're looking at the wrong end - Who looks over the shoulder of the technician actually actioning the change, verifies that s/he has authorisation and... most importantly... carries it out correctly?
Moreover, who is there to stop the change before it goes wrong? Logs only hold people accountable after the fact. They do nothing to prevent the disaster from happening.
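
The point made in the post above, that a check has to run before a change takes effect and not merely be logged afterwards, sketched as an added example (not from the thread or from any plant's software). The limits, the `ChangeRequest` type and the operator names are assumptions; only the 100 and 11,100 ppm figures come from the thread.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed engineering limits for illustration; real values come from process design.
HARD_MAX_PPM = 500.0        # ceiling the controller will ever accept
MAX_STEP_FACTOR = 2.0       # largest allowed ratio of new to current setpoint
APPROVAL_THRESHOLD = 1.25   # increases above this ratio need a second person


@dataclass(frozen=True)
class ChangeRequest:
    requested_by: str
    current_ppm: float
    new_ppm: float
    approved_by: Optional[str] = None  # second operator, if any


def evaluate(req: ChangeRequest) -> Tuple[bool, str]:
    """Decide whether a setpoint change may be written. Runs BEFORE the write."""
    # 1. Absolute bounds: no credential, local or remote, can exceed them.
    if req.new_ppm < 0 or req.new_ppm > HARD_MAX_PPM:
        return False, "outside hard limits"
    # 2. Rate-of-change limit: large jumps are rejected even inside the bounds.
    if req.current_ppm > 0:
        ratio = req.new_ppm / req.current_ppm
    else:
        ratio = float("inf") if req.new_ppm > 0 else 1.0
    if ratio > MAX_STEP_FACTOR:
        return False, "step too large"
    # 3. Two-person rule: a meaningful increase needs a different approver.
    if ratio > APPROVAL_THRESHOLD:
        if not req.approved_by:
            return False, "second approver required"
        if req.approved_by == req.requested_by:
            return False, "approver must differ from requester"
    return True, "ok"


if __name__ == "__main__":
    # Constructed requests; the first uses the figures reported in the thread.
    for r in (ChangeRequest("remote_session", 100, 11100),
              ChangeRequest("op1", 100, 150),
              ChangeRequest("op1", 100, 150, approved_by="op2")):
        print(r.requested_by, r.current_ppm, "->", r.new_ppm, evaluate(r))
```

A guard like this only prevents anything if it is enforced in the controller itself and not in the operator screen that a remote session drives.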