Officials in Florida say a hacker remotely gained access to a local water treatment plant, attempting to increase the amount of sodium hydroxide in the water to “potentially dangerous” levels.
Fortunately, no one was harmed by this cyber age equivalent of poisoning the well, and the problem was quickly resolved. However, police are still on the hunt for those responsible and remain unsure whether the attack came from within the US or beyond.
The attack occurred on Friday, February 5 at the water treatment plant of Oldsmar, a city of around 15,000 people found in the northern part of Tampa Bay, Florida. Speaking at a press conference on Monday, officials report that an operator for the city's water treatment system first saw an attempt to access the system on Friday morning, but assumed it was their supervisor who has remote access to the computer.
Another breach was made later that afternoon. At around 13:30, the operator said they noticed their mouse cursor moving about their screen, opening various bits of software on the computer. Although the hacker only had remote access to the computer system for less than five minutes, they managed to try to increase the levels of sodium hydroxide from about 100 parts per million to 11,100 parts per million.
“This is obviously a significant and potentially dangerous increase,” Bob Gualtieri, Pinellas County Sheriff, told media at the press conference.
Sodium hydroxide, also known as lye, is a chemical that’s used to control water acidity, but it’s also used for a number of industrial and manufacturer purposes, most notably as the main ingredient in liquid drain cleaners and oven cleaners. In higher concentrations, it can cause irritation to the eyes, skin, and mucous membranes, as well as temporary loss of hair.
“I'm not a chemist, but I can tell you what I do know... if you put that amount of that substance into the drinking water, it's not a good thing,” remarked Gualtieri.
Police, together with the FBI and intelligence agencies, are currently working on a criminal investigation to find the person or persons responsible for the security breaches. While they say they have some leads, they currently do not have a suspect identified. It's also unclear why Oldsmar's water treatment system was targeted.
However, Gualtieri stressed that the situation was instantly recognized and resolved by the operator, adding “the public was never in danger.” This is namely because it would have taken at least 24 hours before the water was released into the public drinking water supply, during which time it’s possible to fix the problem.
Authorities also highlighted that many public services could be at risk of similar cyberattacks, not just public waterworks. Last year in Germany, a woman died as a result of a serious cyberattack on Düsseldorf University Hospital that disabled computer systems.