OLDSMAR, Fla. -- A hacker remotely gained access to a Florida city’s water treatment plant in an unsuccessful attempt to fill the water supply with a potentially harmful chemical, authorities said.
An unknown suspect breached a computer system for the city of Oldsmar's water treatment plant on Friday and briefly increased the amount of sodium hydroxide from 100 parts per million to 11,100 parts per million, Pinellas County Sheriff Bob Gualtieri said during a news conference Monday.
Sodium hydroxide, also called lye, is used to treat water acidity but the compound is also found in cleaning supplies such as soaps and drain cleaners. It can cause irritation, burns and other complications in larger quantities.
A supervisor saw the chemical being tampered with and was able to intervene and reverse it. Oldsmar is about 15 miles (24 kilometers) northwest of Tampa and the city’s 15,000 residents were not at risk, officials said.
“At no time was there a significant adverse effect on the water being treated,” Gualtieri said. “Importantly, the public was never in danger.”
Oldsmar officials have since disabled the remote-access system, and say there were other safeguards to prevent the increased chemical from getting into the water. Officials told other city leaders in the region about the incident and suggested they check their systems.
Experts say municipal water and other systems have the potential to be easy targets for hackers because local governments’ computer infrastructure tends to be underfunded.
Robert M. Lee, CEO of Dragos Security, and a specialist in industrial control system vulnerabilities, said remote access to industrial control systems such as those running water treatment plants has become increasingly common.
“As industries become more digitally connected we will continue to see more states and criminals target these sites for the impact they have on society,” Lee said.
Tarah Wheeler, a Harvard Kennedy School Belfer Center Cybersecurity Fellow, said communities should take every precaution possible when using remote access technology on something as critical as a water supply.
“The systems administrators in charge of major civilian infrastructure like a water treatment facility should be securing that plant like they’re securing the water in their own kitchens,” Wheeler told the Associated Press in an email. “Sometimes when people set up local networks, they don’t understand the danger of an improperly configured and secured series of internet-connected devices. It is not necessarily wrong or insecure to set up a system for remote access and monitoring.”
A plant worker first noticed the unusual activity at around 8 a.m. Friday when someone briefly accessed the system. At about 1:30 p.m., someone accessed it again, took control of the mouse, directed it to the software that controls water treatment and increased the amount of sodium hydroxide, The Tampa Bay Times reported.
Officials said other safeguards in place likely would have caught the change before it reached the water supply.
Investigators said it wasn’t immediately clear where the attack came from. The FBI, along with the Secret Service and the Pinellas County Sheriff’s Office are investigating the case.