OLDSMAR, Fla. (WFLA) — A hacker altered the levels of chemicals in the water supply of a Florida city to “potentially damaging” levels Friday, officials said.
Pinellas County Sheriff Bob Gualtieri said a plant operator at a water treatment facility in Oldsmar noticed someone had remotely accessed the computer system he was monitoring Friday morning.
The computers allow remote access to select people to troubleshoot problems, so the operator didn’t think much about the incident.
It happened again that afternoon, however. The operator could see the mouse moving on the computer screen, opening various software functions that controlled the water treated in the system.
Gualtieri said the hacker increased the sodium hydroxide levels in the city’s water from 100 parts per million to 11,100 parts per million.
“This is obviously a significant and potentially dangerous increase,” Gualtieri said. “Sodium hydroxide, also known as lye, is the main ingredient in liquid drain cleaners. It’s also used to control water acidity and remove metals from drinking water in the water treatment plants.”
Gualtieri said the operator immediately stabilized the water levels back down after the hacker exited the system. He said the hacker was active for three to five minutes.
“The public was never in danger,” the sheriff said. “Even if the plant operator had not quickly reversed the increased amount of sodium hydroxide, it would’ve taken between 24 and 36 hours for that water to hit the water supply system.”
Even then, the sheriff said, there are redundancies in place to make sure the water would be checked before it was released to the public.
The sheriff’s office does not have a suspect, but Gualtieri said they have a few leads. The FBI and U.S. Secret Service are assisting in the investigation.
Oldsmar Mayor Eric Seidel, who said the operating system is approximately eight years old, explained why there is remote access.
“Remote access has been allowed because it allows Plant personnel to access the system while out in the field, and the consultant needs access in order to assist the staff in making programming adjustments/changes quickly, if necessary,” Seidel said in an email.
The mayor added that the city is now re-evaluating its policy on the continued need for remote access.
A spokesperson at Tampa Bay Water said the utility company elevated its cybersecurity threat level after the alleged hack and is closely monitoring operational activities. It’s also reviewing security protocols to ensure the safety of the water supply system, the spokesperson said.
“Like most of the utilities in this region, Tampa Bay Water uses a Supervisory Control and Data Acquisition (SCADA) system to control the water supply system,” the spokesperson said in an emailed statement. “We have been using this system for 25+ years and upgrade both the hardware and software to keep up-to-date. The hardware was updated in 2019 and the software is up-to-date with the latest version.”
The spokesperson noted that Tampa Bay Water has “robust security and protections” to prevent something like the Oldsmar hacking. The measures include running its system on a private network with no internet access and regularly testing the vulnerability of its systems.