Hacker breached Florida water facility to alter sodium hydroxide level, police say

An unidentified hacker on Feb. 5 broke into the computer system of a water treatment plant for a town outside of Tampa, Florida, and temporarily changed the plant’s sodium hydroxide setting to a potentially dangerous level, local authorities said Monday.

The attacker changed the level of sodium hydroxide in the water treatment plant in the town of Oldsmar from about 100 parts per million to 11,100 parts per million, said Bob Gualtieri, the sheriff of Pinellas County, Florida. Treatment plants use sodium hydroxide to make water drinkable, but it can be unsafe for people in large quantities.

The breach did not cause any harm to public health, but it is a stark reminder of the risks that come with increasingly digitized critical infrastructure.

“This is somebody that is trying, at least it appears on the surface, to do something bad … It’s a bad actor,” Gualtieri said at a press conference. “At no time was there a significant adverse effect on the water being treated. Importantly, the public was not in danger.”

No suspects have been identified and it is unclear if the perpetrator is in the U.S. or abroad, Gualtieri said. The FBI and U.S. Secret Service are aiding the investigation, he added.

The attacker broke into the Oldsmar Water Treatment Facility’s computer system twice on Feb. 5, according to Gualtieri, taking advantage of remote access software that operators use for maintenance. Not long after the intruder changed the sodium hydroxide level, a plant operator noticed and reversed the change, according to authorities.

It would have taken 24 to 36 hours before the altered water solution entered the water supply and there were redundancies in place to prevent that, according to Gualtieri and Oldsmar Mayor Eric Seidel.

Engineers at industrial plants often used remote software to monitor plant performance, a practice that has long opened up potential avenues for hackers. The incident at Oldsmar, a town of some 15,000 people, is bound to bring such security arrangements under fresh scrutiny.

“We’ve obviously disabled the program that enabled it to happen,” Oldsmar City Manager Al Braithwaite said at the press conference. “And we are going to make some upgrades to other parts of the system to try to ensure that it doesn’t happen again.”

An FBI spokesperson said the bureau’s Tampa office is “working with the city of Oldsmar and the Pinellas County Sheriff’s Office, offering resources and assistance in the investigation of this incident.”

The cybersecurity of the water sector hasn’t traditionally gotten the same level of attention as other industrial sectors such as electricity and oil and gas.

Hackers breached a water treatment facility in Israel in April 2020 in an incident that multiple media reports blamed on Iran.