SecureMac, Inc.

Hacker breaches water treatment plant in Florida, tampers with chemical safety settings

February 10, 2021

Last week, someone breached the computer system of a water treatment plant in Florida. According to public officials, the hacker tampered with critical safety settings, making changes that could have released toxic chemicals into the water supply.

The Oldsmar water treatment plant hack

The incident occurred in the city of Oldsmar, Florida, a small municipality (pop. 14,000) just outside of Tampa. According to a press release issued by the Pinellas County Sheriff’s Office, an unidentified hacker accessed the City of Oldsmar’s computer system twice on February 5.

The first intrusion was brief, and didn’t cause any concern, since the system normally allows remote access for supervisors who need to perform troubleshooting or monitoring functions while off site. The second intrusion, however, caught the attention of an alert plant operator, who noticed that someone was tampering with the chemical controls that regulate sodium hydroxide levels in the water. Sodium hydroxide is used in the water treatment process, but it’s the same chemical found in Drano and other liquid drain cleaners, and can be toxic at certain concentrations. The hacker attempted to increase the amount of sodium hydroxide in the water to over 100 times the normal concentration, which Pinellas County Sheriff Bob Gualtieri called “a significant and potentially dangerous increase”.

A close call?

It’s scary to think that hackers could poison a city’s water supply. But were Oldsmar residents in any real danger during last Friday’s attack?

County officials say no. For one thing, the plant operator who noticed the increase in sodium hydroxide took quick action to undo the damage. At a press conference on February 8, Gualtieri told reporters that because of this, “at no time was there a significant effect on the water being treated, and more importantly the public was never in danger”. He also noted that it takes anywhere from 24 to 36 hours for treated water to enter the city’s water supply, and that the system has other safeguards that would have detected hazardous chemical levels in the water before anyone was harmed.

Searching for answers

No one knows who was behind the hack, although digital forensics teams are investigating, and even the FBI has gotten involved. At this point, authorities don’t even know if the attack originated within the United States, or if overseas actors could be involved. 

One thing we do know is that the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have both been worried about attacks on critical infrastructure (CI) for some time now. Back in July, CISA and the NSA issued a special alert warning the public about an increased danger of cyberattacks targeting 16 different CI sectors, including water treatment facilities. The July alert made specific mention of “foreign powers attempting to do harm to U.S. interests or retaliate for perceived U.S. aggression”, which raises the possibility that nation-state actors could be involved in attacks like the one in Oldsmar.

What can you do?

It’s difficult to know how to keep yourself safe from critical infrastructure attacks, since defending against such attacks is (by definition) the work of large organizations and governments.

Nevertheless, there are some basic steps that you can take:

  • Sign up for local emergency notifications. Many municipal and county governments have an alert system that can be used to warn residents about imminent dangers to health and safety. In the United States, for example, these can often be found by doing a quick web search for “[county name] county alert system”.
  • Keep up with the overall threat landscape. Pay attention to what CISA and other national cybersecurity agencies are talking about; if you’re on Twitter, you can do this by following the official CISA account. For readers outside of the United States, the UK’s National Cyber Security Centre (NCSC) and the European Union Agency for Cybersecurity (ENISA) are excellent sources of information. 
  • Learn more about cybersecurity threats that affect your community directly, such as threats to the healthcare industry and to local school districts, and look for opportunities to educate others about these issues.
