The sheriff of a small city in Florida warned on Monday that hackers had tried to poison its water.
Pinellas County Sheriff Bob Gualtieri said someone broke into Oldsmar's water treatment system, which serves roughly 15,000 people, via the internet, hoping to flood the supply with sodium hydroxide at more than 100 times the normal level.
The miscreant gained access through remote-control software TeamViewer that was running on a PC at the plant, the sheriff told Reuters, and used that machine to ultimately attempt to jack up the levels of sodium hydroxide.
In small amounts, the chemical – better known as lye – helps raise the pH of the water, reducing its acidity, and minimize the amount of lead and other heavy metals dissolving into the water. In higher concentrations, it can cause, in mild cases, skin and eye irritation; in more severe cases, burns and scarring.
Fortunately, a staffer who was also working remotely spotted the concentration of the chemical being increased, we're told, and immediately reversed the change. The city's water supply was not affected and the contamination attempt was thwarted.
The cyber-break-in did worry officials enough to call a press conference, where they outlined the information they currently have while stressing that there are other safeguards that would have prevented high levels of sodium hydroxide from entering the main water supply.
It would have taken more than a day for the adulterated water to enter the public’s water system, we're told, during which time the plant would have caught the disparity. “The public was never in danger,” Sheriff Gualtieri said. Remote access on the PC has been disabled.
The officials didn’t have a lot of info beyond that, except that they do not have a suspect yet, though they do have some leads. There was no specific intelligence as to why Oldsmar’s water supply was targeted, and they don’t know if the hacker was based inside or outside the US. Other cities have been told about the hack and advised to check their installations for insecure or poorly secured remote access. Oldsmar’s water treatment plant itself was set up to only allow authorized users to access it remotely, the sheriff insisted.
Here's how it all went down, apparently: an operator logging into a PC at the facility early on Friday morning said he had noticed the system had been accessed but had assumed it was his supervisor and thought nothing of it. Several hours later, however, the same operator lost control of the computer's mouse and watched as it navigated the control software.
Over the course of several minutes, the hacker increased sodium hydroxide from 100 parts per million to 11,100 parts per million and then left. As soon as they had quit, the operator changed it back to the original setting and alerted his supervisor.
“The protocols that we have in place, monitoring protocols, they work – that’s the good news,” said Oldsmar Mayor Eric Seidel. “The important thing is to put everyone on notice. There’s a bad actor out there.”
The FBI and Secret Service are investigating. ®