Last Friday, an unknown attacker accessed the computer systems of a water treatment facility in Oldsmar, Florida, and attempted to poison the city’s water supply by manipulating the chemical levels of sodium hydroxide.
This substance, commonly referred to as lye or caustic soda, is used across various industries, can be found in liquid drain cleaners and detergents, and is also used to control water acidity. However, if ingested, it can cause spontaneous vomiting, chest and abdominal pain, difficulty swallowing with drooling, and corrosive injuries.
Speaking at a press conference about the attack, Pinellas County Sheriff Bob Gualtieri said that at about 8:00 AM on Friday a plant operator noticed that someone remotely accessed the system he was monitoring. Since the system is often accessed using specialized software by authorized personnel to troubleshoot problems remotely and for monitoring purposes, the operator didn’t give it much thought. The plant serves approximately 15,000 residents.
However, at approximately 1:30 PM local time the operator noticed that the system was being accessed again. This time the perpetrator accessed various functions that control the water being treated, including part of the software that controls the levels of sodium hydroxide in the water. They then proceeded to change the levels from 100 parts per million to 11,100 parts per million, after which they exited the system.
“The plant operator immediately reduced the level back to the appropriate amount of 100 parts. Because the operator noticed the increase and lowered it right away, at no time was there a significant adverse effect on the water being treated. Importantly the public was never in danger,” said the sheriff.
While the name of the program used to access the system wasn’t specified, according to Reuters reporter Chris Bing, the hackers were able to infiltrate the systems through TeamViewer, widely used software for remote support and access.
Oldsmar mayor Eric Seidel said that the good news is that the monitoring protocols they have in place work. “Even had they not caught them, there’s redundancies in the system that would have caught the change in the pH level,” he added.
The Pinellas County Sheriff’s office is investigating the attack together with the Federal Bureau of Investigation (FBI) and the United States Secret Service. So far, no suspects have been identified and it’s unclear whether the attack originated from the US or abroad; however, they are following up on leads.
The breach of the water treatment plant has raised concerns about possible further attacks; all government authorities in the Tampa Bay area with critical infrastructure components were requested to actively review their computer security protocols.