Hacker Distorts FL Drinking Water


On Friday (Feb. 5), a water treatment plant in Oldsmar, Florida, reported that a hacker had breached its computer networks and changed the level of sodium hydroxide from 100 parts per million to 11,000 per million.

Sodium hydroxide—also known as lye—is commonly used at water treatment plants to control the acidity of drinking water and remove metals. However, too much of the chemical can make the water dangerous to drink.

Water Hack

According to Pinellas County Sheriff Bob Gaultieri, around 8 a.m. on Feb. 5, an online attacker broke into the water treatment plant’s computer system for a short period.

“The access was brief, and the operator didn’t think much of it, because his supervisor and others will remotely access his computer screen to monitor the system at various times,” Gualtieri said at a press conference earlier this week.

While nothing was changed during the first visit, the hacker returned around 1:30 p.m. for a period of three to five minutes. During that time, the treatment plant operator watched as the hacker moved the mouse on their screen, opening a variety of software functions that control the water being treated in the system. Specifically, the hacker increased the levels of lye slated to be added to the system.

After it appeared that the hacker had left the system, the operator immediately returned the sodium hydroxide to the previous levels, ensuring that no harm would come to the public or the drinking water. However, to put local residents at ease, Gaultieri noted that even if the operator hadn’t been present, the issue would have been caught during a secondary chemical check when the water is moved to holding tanks.

Since the incident, Oldsmar local authorities alongside the Federal Bureau of Investigation and the U.S. Secret Service have begun investigating the hack. Currently, investigators are unsure if the hacker originates within the U.S. or somewhere outside of the country.

“This is dangerous stuff,” Gualtieri said. “This is somebody who is trying, as it appears on the surface, to do something bad.”

In the meantime, officials are urging authorities in the entire Tampa Bay area to keep eyes on all critical infrastructure systems and conduct any necessary reviews or updates to their security systems.

In the past year, American cybersecurity firm Mandiant told Bloomberg that hacker attacks against industrial systems have increased, with hackers mostly engaging in limited-impact operations.

“Many of the victims appear to have been selected arbitrarily, such as small critical infrastructure asset owners and operators who serve a limited population set,” said Daniel Kapellmann Zafra, Manager of Analysis at Mandiant Threat Intelligence. “We believe that the increasing interest of low sophisticated actors in industrial control systems is the result of the increased availability of tools and resources that allow malicious actors to learn about interact with these systems.”

Due to the incident, attention has also been refocused on the fact that so many of the nation’s water plants are underfunded, leaving them vulnerable to attacks by more sophisticated intruders.

“In the industry, we were all expecting this to happen,” said Lesley Carhart, Principal Incident Responder at Dragos Security, which specializes in industrial control systems. “We have known for a long time that municipal water utilities are extremely underfunded and under-resourced, and that makes them a soft target for cyber attacks.”

Carhart continued, “I deal with a lot of municipal water utilities for small, medium and large-sized cities. And in a lot of cases, all of them have a very small IT staff. Some of them have no dedicated security staff at all.”

According to The Associated Press, the 151,000 public water systems in the U.S. fail to have to same financial fortification as corporate owners of nuclear power plants and electrical utilities.

In an effort to mitigate these issues, President Joe Biden has already noted on increasing cybersecurity. Since the start of the year, the Department of Homeland Security has already issued 25 advisories listing various industrial control systems that could be vulnerable to hacking.


Tagged categories: Construction chemicals; Government; Infrastructure; NA; North America; potable water; Program/Project Management; Water/Wastewater

Join the Conversation:

Sign in to our community to add your comments.