Authorities in Oldsmar, Fla., are investigating after someone hijacked the computer system at the city’s water treatment facility and tried to drive up the water’s sodium hydroxide content to poisonous levels. The targeted plant is the primary source of drinking water for the city’s businesses and its 15,000 residents.
During a press conference Monday, Pinellas County Sheriff Bob Gualtieri said that a hacker gained access to the plant’s control systems last Friday—not once but twice. Many water facilities now use internet-connected remote access programs that allow operators to monitor and manipulate water systems from afar. The hacker initially broke into this system Friday morning, but the activity wasn’t flagged as suspicious because supervisors regularly access the system remotely and it was assumed that this is what had occurred, officials said.
During a second intrusion later that afternoon, however, an on-duty plant operator witnessed the hacker “opening various functions in the system that control the amount of sodium hydroxide in the water.” Sodium hydroxide (also known as lye) is a corrosive element commonly used in small doses to ward off pipe decay in water systems. In high doses, lye leads to very serious health problems like blindness and death. The hacker, whoever they were, was essentially trying to turn the city’s water supply into Drano.
“The hacker changed the sodium hydroxide [levels] from 100 parts per million to 11,100 parts per million. This is obviously a significant and dangerous increase,” Gualtieri said during his remarks. The on-duty operator who witnessed this immediately reduced “the levels to their appropriate amount” and then notified his supervisor of the incident, after which “steps were taken to prevent further remote access to the system,” said Gualtieri. All told, the hacker was active within the system for 3 to 5 minutes, he said.
“At no time was there a significant effect on the water being treated, and more importantly the public was never in danger,” Gualtieri claimed, while adding that officials did not yet have a suspect for the incident. Investigators do have some leads and the FBI and the U.S. Secret Service are assisting, he said.
“We don’t know right now whether the breach originated from within the United States or outside the country. We also do not know why the Oldsmar system was targeted and we have no knowledge of any other systems being unlawfully accessed. Because of this security breach, we are asking that all governmental entities within the Tampa Bay area with critical infrastructure components actively review their computer security protocols,” the sheriff said.
It’s a very bizarre incident, not least because cybersecurity experts have long hypothesized about how utility systems could be hijacked to commit acts of terrorism. There have been scant real-world examples of it until now, however. Indeed, cyberattacks on operational technology have typically involved financially motivated crime, such as the ongoing series of ransomware attacks involving large shipping companies. There are few incidents in which operational systems were sabotaged for the sake of sabotage.
Let’s also consider the fact that the U.S.’s water systems are already in deep enough trouble without adding terroristic cyberattacks to the mix. Aging infrastructure and pollution mean that America basically does a fine job of poisoning itself, without the help of rogue hackers. Ironically, this is part of the reason that sodium hydroxide is even in water systems in the first place.