Hackers successfully infiltrated the computer system controlling a water treatment facility in the city of Oldsmar, Florida, according to a report from the Tampa Bay Times. In doing so, the hackers were able to remotely control a computer to change the chemical levels of the water supply, increasing the amount of sodium hydroxide before a supervisor was able to catch the act in real time and revert the changes.
“At no time was there a significant adverse effect on the water being treated,” Pinellas County Sheriff Bob Gualtieri said during a press conference on Monday, which was later posted to YouTube. “Importantly, the public was never in danger.” Sodium hydroxide, commonly known as lye, is used in water to regulate acidity levels, the Tampa Bay Times reports, but in excess it can be dangerous to human beings because it’s the same inorganic compound used in corrosive household cleaners like Drano.
Hackers tried to increase the amount of lye in the water supply
Although no one was injured, the incident is a disturbing example of hackers taking aim at public infrastructure with unclear intentions. Pinellas County is currently investigating the hack alongside the FBI and the Secret Service. Other nearby cities and towns have also been alerted to the potential threat.
It is not the first incident of water supplies being targeted — a water utility in Illinois was targeted by suspected Russian hackers in November of last year, while an attempted cyberattack on Israel last year that intelligence officials have linked to Iran involved attempts to manipulate the water supply, The Washington Post reported.
The Tampa Bay Times has a rather chilling anecdote in its report detailing the moment the remote plant operator noticed something was terribly wrong, when his mouse started moving on-screen without him touching it:
A plant operator was monitoring the system at about 8 a.m. Friday and noticed that someone briefly accessed it. He didn’t find this unusual, Gualtieri said, because his supervisor remotely accessed the system regularly.
But at about 1:30 p.m. the same day, Gualtieri said, someone accessed the system again. This time, he said, the operator watched as someone took control of the mouse, directed it to the software that controls water treatment, worked inside it for three to five minutes and increased the amount of sodium hydroxide from 100 parts per million to 11,100 parts per million.
The attacker left the system, Gualtieri said, and the operator immediately changed the concentration back to 100 parts per million.
The county says there are other safeguards in place that would have prevented direct harm to the 15,000 or so residents that rely on the Oldsmar plant for drinking water. For one, the water would have taken more than a day to enter the water supply, the sheriff says, meaning ample public warnings could have been issued in that time. There are also “redundancies in the system” that would have caught changes to the acidity of the water supply, the sheriff says.