An unidentified hacker has accessed the computer systems for the water treatment facility in the city of Oldsmar, Florida, and has modified chemical levels to dangerous parameters.
News of the attack was disclosed today in a press conference by city officials.
The intrusion took place on Friday, February 5, when the hacker accessed a computer system that was set up to allow for the remote control of water treatment operations.
The hacker first accessed this system at 8 am, in the morning, and then again for a second and more prolonged intrusion at 1:30 pm, in the afternoon.
This second intrusion lasted for about five minutes and was detected right away by an operator who was monitoring the system and saw the hacker move the mouse cursor on the screen and access software responsible for water treatment.
Hacker modified lye levels
“Sodium hydroxide, also known as lye, is the main ingredient in liquid drain cleaners. It’s also used to control water acidity and remove metals from drinking water in the water treatment plant,” said Oldsmar Sheriff Bob Gualtieri.
“The hacker changed the sodium hydroxide from about 100 parts per million to 11,100 parts per million. This is obviously a significant and potentially dangerous increase.”
Oldsmar city staff said that no tainted water was delivered to local residents as the attack was caught in time before any lye levels could be deployed.
According to Sheriff Gualtieri, the hacker disconnected as soon as they modified the lye levels, and a human operator set the chemical level back to normal right away.
Officials didn’t attribute the attack to any specific hacker group or entity. The timing of the attack is also of note as the city of Oldsmar is located near the Tampa urban center, which hosted the Super Bowl LV game on Sunday.
Not the first time
This is the second incident of its kind where a hacker has accessed a water treatment facility and modified chemical levels.
A similar incident was reported back in 2015-2016 at an unnamed water treatment facility, but investigators said the intruders didn’t seem to know what they were doing, making random changes, and investigators classified the intrusion as an accident rather than an intentional attack.
Another set of attacks took place earlier this year, but without as dire consequences. In the spring and summer of 2020, Israeli officials reported attacks against local water treatment facilities, water pumps, and agricultural irrigation systems.
Tel Aviv officials, which blamed the attacks on the Iranian government, said hackers tried to access the management panels of several types of smart water management systems and asked local organizations to change their passwords.
None of the attacks were successful, officials and local media reported at the time.