- A Florida town of 15,000 people was the target of a cyberattack at the local water treatment plant.
- The hacker tried to raise the amount of sodium hydroxide, also known as lye, in the water by 11,000%.
- A plant operator noticed the breach and quickly reversed it; now an investigation is underway.
The FBI, US Secret Service, and local authorities are investigating the source of a cyberattack that targeted the water supply in a Florida town about 17 miles northwest of Tampa, Pinellas County Sheriff Bob Gualtieri said.
The water treatment system in Oldsmar, a town of just 15,000, was remotely accessed by an unknown individual on February 5. According to Gualtieri, the hacker attempted to change the sodium hydroxide content in the system from 100 to 11,100 parts per million – an 11,000% increase.
“This is obviously a significant and potentially dangerous increase. Sodium hydroxide, also known as lye, is the main ingredient in liquid drain cleaners,” Gualtieri said.
Water treatment facilities use sodium hydroxide to counteract highly acidic water levels that usually come from regions with high amounts of limestone. The chemical is safe in small, controlled amounts but can cause rashes and burns if highly concentrated amounts come into contact with the skin.
Gualtieri said an operator at the Oldsmar facility recognized the security breach early in the morning when they noticed a remote user was accessing a part of the water treatment system. This was not entirely surprising as supervisors are known to troubleshoot problems from remote locations, authorities said.
But around 1:30 p.m., the operator noticed that the system was once again being accessed remotely – this time, the employee said they watched the unknown remote user open the water treatment software and increase the sodium hydroxide levels in the system.
The employee who witnessed the change immediately returned the levels to normal before any damage could be done.
“At no time was there a significant adverse effect on the water being treated,” Gualtieri said. “Importantly, the public was never in danger.”
Gualtieri said that if the attack had not been noticed, it would have taken 24 to 36 hours for the hacker’s changes to fully take effect. The sheriff, mayor, and city manager each made a point of saying there are protocols in place that would have prevented a catastrophe.
“Even had they not caught them, those redundancies have alarms in the systems that would have caught the change in the pH level anyway,” said Oldsmar Mayor Eric Seidel.
As of Monday, investigators had not yet been able to identify the hacker and did not know whether the attack originated in the US.