Remote Hacker Caught Poisoning Florida City Water Supply
Hacker Remotely Increased Sodium Hydroxide Levels in Florida City’s Water from 100 Parts Per Million to 11,100 Parts Per Million.
U.S. law enforcement agencies are investigating a remote compromise of a Florida city’s water plant, warning that the hackers tried to poison the water supply serving approximately 15,000 residents.
The hack was spotted on February 5th — and neutralized — in real time by staff at the plant that supplies water to Oldsmar, a small city close to Tampa, Florida.
Local Sheriff Bob Gualtieri said an unknown adversary hacked into the plant remotely and attempted to elevate levels of levels of sodium hydroxide by a factor of more than 100.
Sodium hydroxide, also known as lye, controls the acidity in potable water but elevated levels maliciously added to water supply can cause physical harm to the public.
Details of the compromise are scarce but local officials made it clear the city’s water supply was never affected.
During an explanation on Monday, Sheriff Gualtieri said the hack was first spotted in real time earlier in the morning by a staffer who noticed the remote connection to the plant.
The Sheriff said the remote access itself wasn’t unusual but just after lunch on the same day Sheriff Gualtieri said the attacker returned and the plant operators watched as the hackers took control of the mouse and started operating the computer system.
The attacker spent about three to five minutes in the control software and jacked up the amount of lye from 100 parts per million to 11,100 parts per million.
Once the attacker left, the plant operators immediately reverted the change. “At no time was there a significant adverse effect on the water being treated. The public was never in danger,” he claimed.
Cybersecurity experts have long warned that hackers could cause serious damage to organizations by targeting exposed human-machine interfaces (HMIs), and the incident in Oldsmar is another reminder of how vulnerable such systems across the nation’s critical infrastructure can be.
In early 2020, the Israeli government issued an alert to organizations in the water sector following a series of cyberattacks aimed at water facilities, and advised water and energy firms to immediately change the passwords of internet-accessible control systems, reduce internet exposure, and ensure that all control system software is up to date. Just weeks later, a group of Iranian hackers posted a video showing how they managed to access an industrial control system at a water facility in Israel.
SecurityWeek will be update this article as more information becomes available.