On Monday, officials from Pinellas County in Florida announced that a hacker penetrated their secure systems and remotely accessed controls for the city of Oldsmar’s water treatment system. The hacker changed settings that drastically increased the amount of sodium hydroxide in the water supply.
During a press conference this afternoon, Pinellas County Sheriff Bob Gualtieri said that a water treatment operator saw the changes happening in real time and quickly reversed them, but stated that the hacking attempt was a serious threat to the city’s water supply. Sodium hydroxide is also known as lye and can be deadly if ingested in large amounts.
“The hacker changed the sodium hydroxide from about one hundred parts per million, to 11,100 parts per million,” Gualtieri said, adding that these were “dangerous” levels. When asked if this should be considered an attempt at bioterrorism, Gualtieri said, “What it is is someone hacked into the system not just once but twice … opened the program and changed the levels from 100 to 11,100 parts per million with a caustic substance. So, you label it however you want, those are the facts.”
“This should be treated as a matter of national security,” U.S. Sen. Marco Rubio (@marcorubio), R-Florida, tweeted on February 8, 2021.
The news highlights something we have reported on for years: how easy it is for bad actors to penetrate our infrastructure. Most people mistakenly assume our public water utilities are safe; shockingly, they are one of the most vulnerable parts of our nation’s infrastructure.
The vulnerability of our nation’s water supplies to disruption and contamination by potential terrorists has been well documented.
“The person who remotely accessed the system for about three to five minutes, opening various functions on the screen,” Gualtieri said during the press conference. “One of the functions opened by the person hacking into the system was one that controls the amount of sodium hydroxide in the water.”
The system was deliberately set up with a piece of remote access software so that “authorized users could troubleshoot system problems from other locations,” Gualtieri added.
That instance of remote access was brief, but then it happened again at 1:30 p.m., and the hacker changed the sodium hydroxide levels, Gualtieri said.
“The intruder exited the system, and the plant operator immediately reduced the level back to the appropriate amount of one hundred,” Gualtieri added. Gualtieri said that steps were taken to “stop further remote access to the system” and that there are other safeguards in place to protect the water’s integrity.
The County Sheriff’s office has started a criminal investigation along with the FBI and the Secret Service, Gualtieri said.