A hacker broke into a Florida water treatment plant and ordered it to increase the amount of lye to extremely dangerous levels, officials said Monday.
The plant operators noticed and remedied their systems before anyone was put in danger, but the event highlights the risks of internet-connected controls to civic infrastructure.
In a news conference Monday, Pinellas County Sheriff Bob Gualtieri said that on Friday morning an unknown hacker broke into a program designed to help the water treatment operators in Oldsmar, Florida, troubleshoot problems with the computerized parts of their treatment systems. The program in question is intended to give full, remote access to a plant computer, but only by authorized users.
Later that afternoon, the system was breached again. A hacker, who authorities believe to be the same one from the initial breach, took control of the computer and changed the acceptable level of sodium hydroxide — better known as lye, the main ingredient in many household drain cleaners — from 100 parts per million to 11,100 parts per million.
A water plant operator noticed immediately and corrected the change, Gualtieri said, adding that if the operator had missed it, and the change didn’t trigger some of the plant’s alarms, the lye could have seeped into the water supply in 24 to 36 hours.
“Because the operator noticed the increase and lowered it right away, at no time was there a significant adverse effect on the water being treated,” Gualtieri said.
Gualtieri added that he had no idea where the hacker was operating from, but that he’s working with the FBI and U.S. Secret Service to find out.
Al Braithwaite, Oldsmar’s city manager, said at the news conference that the system that enabled remote access to the plant’s computers had been disabled, and that the city planned to find a replacement.