A water treatment plant in Oldsmar, Florida was hacked by a malicious party who tried to poison the city’s supply by raising its lye levels, said NPR. The hacker reportedly increased sodium hydroxide, also called lye levels, in the supply by 100 times.
According to reports, the hacker enters the facility’s system last week and caused a surge in the amount of lye, then immediately got out.
Fortunately, the treatment plant operator was able to catch the change and reset the lye levels back to the normal threshold before the affected supply reaches consumers, said city officials. Regardless, the Federal Bureau of Investigation and the Secret Service are involved.
Pinellas County Sheriff Bob Gualtieri said, “The hacker changed the sodium hydroxide from about 100 parts per million to 11,100 parts per million. This is obviously a significant and potentially dangerous increase.”
“Sodium hydroxide, also known as lye, is the main ingredient in liquid drain cleaners. It’s also used to control water acidity and remove metals from drinking water,” Gualtieri added.
According to an NBC News report, the hacker was able to control the plant’s cybersecurity system using TeamViewer, a program that can grant complete control of a system when logged into.
The operator was only able to correct the lye levels because of backup alarms to measure unsafe chemical levels.
With the danger posed by the malicious action, Gualtieri confirmed that he considered the incident an attempted bioterrorism attack. He said, “It is what it is. Someone hacked into the system, not just once but twice.”
The incident brought to light a huge gap in the cybersecurity systems of such treatment facilities noted NBC News.
Former chief cybersecurity official at the Department of Homeland Security Suzanne Spaulding said, “Water facilities are particularly problematic.”
“When I first came into DHS and started getting the sector-specific briefings, my team said, ‘here’s what you’ve got to know about water facilities: When you’ve seen one water facility, you’ve seen one water facility.’”
The NBC News report noted that around 54,000 of the country’s supply plants are independently-run by local government or small corporations. The implication of this is different facilities will have different security setups.
In addition, there is a lack of IT personnel in these facilities, according to Dragos cybersecurity analyst Lesley Carhart. Moreover, one or two IT experts are in charge of everything related to cybersecurity.