An apparent cyber attack on a water treatment plant on Florida’s gulf coast nearly sent dangerous amounts of a caustic chemical into the public drinking supply, police said amid a federal probe into the incident.
The breach on the water facility in Oldsmar, Florida boosted levels of sodium hydroxide in the system by nearly a hundredfold late last week, Pinellas County Sheriff Bob Gualtieri told reporters on Monday, calling it an “awful intrusion.”
“The hacker changed the sodium hydroxide from about 100 parts per million to 11,100 parts per million. This is obviously a significant and potentially dangerous increase,” Gualtieri said, adding “It’s not just an accident when you’re taking it from 100 parts per million to 11,100 parts per million with a caustic substance. It’s potentially serious.”
This was somebody who is trying, it appears on the surface, to do something bad. It’s a bad act. It’s a bad actor.
Perhaps better known as lye, sodium hydroxide is the caustic main ingredient in many liquid drain cleaners and is poisonous to consume in large quantities. In minute amounts, it is also used to reduce acidity in drinking water.
The sheriff said a plant operator first noticed that somebody had remotely accessed the facility’s computer system on Friday morning, but didn’t make much of it, as it is common for other plant employees to enter and exit the system to troubleshoot technical issues. However, when the network was accessed again later in the afternoon, the operator noticed the person was accessing programs through his own computer, including functions that control the level of treatment chemicals in the water.
After breaching the network for about five minutes, “the intruder exited the system and a plant operator immediately reduced the level back to the appropriate amount of 100,” Gualtieri said, noting that because the chemical was quickly brought back to its normal amount, “the public was never in danger” and there was no “significant adverse effect” on the drinking supply.
While local authorities currently have no suspect and aren’t sure whether the hack was carried out from within the United States or abroad, Gualtieri said both the FBI and Secret Service are investigating alongside police. It remains unclear why the plant was targeted, or if any other nearby facilities were also breached
However, both Gualtieri and Oldsmar Mayor Eric Seidel stressed that even if the plant operator hadn’t noticed the intrusion in real time, there are fail safes in place that likely would have spotted the noxious levels of lye in the system before the contaminated water reached the public.
“The reality of it is that the redundancies we have in place – they work,” Seidel said. “But, everybody should be on notice. We certainly feel like we’re taking a hard look at what we can upgrade to prevent it from happening again.”
That lye would have never made it through the process to someone’s tap. The systems are set up to catch it.
The apparent cyber intrusion in Oldsmar is not the first of its kind. A similar breach at a water plant in New York in 2016 also saw hackers tinker with treatment chemicals, though the company was able to catch and reverse the potentially dangerous changes before they could affect the water supply. The same hack also targeted the plant’s online payment application, with the perpetrators’ IP addresses linked to previous “hacktivist attacks” on other facilities.
Another suspected hack on an Illinois water treatment facility in 2011 briefly triggered alarm and was initially blamed on “Russian hackers” by US intelligence agencies. However, it was later determined that a pump at the plant merely malfunctioned, and that a contractor had remotely accessed the system for routine work while vacationing in Russia, leading investigators to mistakenly link the two. Both the FBI and the Department of Homeland Security later clarified that they had seen no evidence of a hack at the facility.
Like this story? Share it with a friend!