On Monday officials from Pinellas County in Florida announced that an unidentified hacker remotely gained access to a panel that controls the City of Oldsmar's water treatment system, and changed a setting that would have drastically increased the amount of sodium hydroxide in the water supply.
During a press conference, Pinellas County Sheriff Bob Gualtieri said that a legitimate operator saw the change and quickly reversed it, but signaled that the hacking attempt was a serious threat to the city's water supply. Sodium hydroxide is also known as lye and can be deadly if ingested in large amounts.
"The hacker changed the sodium hydroxide from about one hundred parts per million, to 11,100 parts per million," Gualtieri said, adding that these were "dangerous" levels. When asked if this should be considered an attempt at bioterrorism, Gualtieri said, "What it is is someone hacked into the system not just once but twice ... opened the program and changed the levels from 100 to 11,100 parts per million with a caustic substance. So, you label it however you want, those are the facts."
Do you know anything else about this breach? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on email@example.com, or email firstname.lastname@example.org.
In smaller quantities, sodium hydroxide can cause severe skin burns and eye damage. Small amounts of sodium hydroxide are put in some cities' drinking water supplies to prevent corrosion to pipes and to bring the pH up (it is a strong base).
The news highlights what could be a serious cyber and physical security breach, and raises questions about how secure access to such a sensitive system really was.
"The person who remotely accessed the system for about three to five minutes, opening various functions on the screen," Gualtieri said during the press conference. "One of the functions opened by the person hacking into the system was one that controls the amount of sodium hydroxide in the water."
Gualtieri said that on Friday at 8 a.m. a plant operator at Oldsmar's water treatment facility noticed someone remotely accessing the system that he was monitoring. The system was deliberately set up with a piece of remote access software so that "authorized users could troubleshoot system problems from other locations," Gualtieri added.
That instance of remote access was brief, but then it happened again at 1:30 p.m., and the hacker changed the sodium hydroxide levels, Gualtieri said.
"The intruder exited the system, and the plant operator immediately reduced the level back to the appropriate amount of one hundred," Gualtieri added. Gualtieri said that steps were taken to "stop further remote access to the system" and that there are other safeguards to protect the water integrity in place.
The County Sheriff's office has started a criminal investigation along with the FBI and the Secret Service, Gualtieri said.
Gualtieri did not say whether authorized users usually need a password to access the system. The system accessed by the hacker did require a password to be controlled remotely, Felicia Donnelly, the assistant city manager in Oldsmar, Florida, told Motherboard in an email.
Jessica Mackesy from the Pinellas County Sheriff’s Office told Motherboard in an email that the remote access software used was TeamViewer. TeamViewer is a common piece of software that organizations use to remotely control computers.
Reuters first reported the use of TeamViewer in an interview with Gualtieri.
Lorenzo Franceschi-Bicchierai contributed reporting.
Updated: This piece has been updated to include a quote from Felicia Donnelly, the assistant city manager in Oldsmar, Florida, and information about TeamViewer.