Digital forensics experts in Florida’s Pinellas County are investigating a software hack of the City of Oldsmar’s water treatment plant computer system.
On February 5, an operator at the treatment plant, which serves some 15,000 people, witnessed two attempts to breach the plant’s software. During the second remote access, the hacker significantly raised the levels of sodium hydroxide in the facility’s water, local officials said.
The plant’s sodium hydroxide was originally set at 100 ppm to control the water’s pH levels and prevent pipe corrosion, but the hacker tried to boost those levels to 11,100 ppm. The operator immediately reversed the effort, a press conference revealed.
Had the hack gone undetected, the spiked sodium hydroxide levels, or lye, could have caused skin damage or very severe gastrointestinal symptoms. It can even be deadly if ingested in large amounts.
The plant operator noticed the unusual remote access to the system even though his supervisors would regularly take over his screen to make necessary adjustments or troubleshoot, explained Pinellas County Sheriff Bob Gualtieri, who noted that the hacker was in the system for three to five minutes.
Had the plant operator not noticed the hack, Sheriff Gualtieri said it could have taken between 24 to 36 hours before the new sodium hydroxide levels entered the system.
The plant’s remote access system was altered as soon as possible to prevent further hacks, said Gualtieri.
“Because of this security breach we are asking that all governmental entities within the Tampa Bay area with critical infrastructure components actively review their computer security protocols and make any necessary updates that are consistent with the most up-to-date practices,” Gualtieri told a news conference.
While law enforcement officials do have some leads in the hacking investigation, no suspect or motive has yet been identified. The County Sheriff’s office has started a criminal investigation along with the FBI and the Secret Service, Gualtieri said.