As a town of 15,000 people just outside of Tampa Bay, Oldsmar, Florida, does not seem like a likely target for an act of terrorism. Yet on Monday, officials from the sleepy city announced that hackers managed to remotely gain access to its water treatment plant and change the levels of chemicals in the water. The attack was stopped before the manipulated water could reach the drinking supply — which would have potentially poisoned thousands of people — but the hack presents terrifying possibilities for future attacks.
The breach of the city's water treatment system occurred Friday morning and was noticed almost immediately by a city employee, according to The New York Times. The worker saw someone had taken remote control of his computer, but he reportedly did not think anything of it, as the city's software allows for supervisors to access employee machines remotely. But hours after the breach occurred, the employee noticed troubling activity; specifically, programs that would not typically be used were open and the level of lye in the water treatment plant had been changed.
Lye is a caustic alkaline chemical also known as sodium hydroxide. In its concentrated form, it can be very destructive, damaging any surface that it comes into contact with. (Sodium hydroxide is the main ingredient in drain cleaner, to give you a better idea of what the chemical compound is typically used for.) When diluted, lye can help with water purification by raising pH levels, making water less corrosive to pipes and plumbing and thus reducing the amount of lead and other toxic metals that are dissolved into the drinking water.
The sodium hydroxide level in Oldsmar's water supply is typically 100 parts per million. According to the Times, the hacker changed those levels to 11,100 parts per million.
The hacker had access to the water supply plant's controls for a total of three to five minutes, according to authorities. "At no time was there a significant adverse effect on the water being treated," Pinellas County Sheriff Bob Gualtieri said Monday during a press conference. "Importantly, the public was never in danger." But the county's top cop did not mince words when it came to the potential harm that could have occurred: "This is dangerous stuff," he said. "It's a bad act. It's a bad actor. It's not just a little chlorine or a little fluoride."
While Oldsmar may not seem like the prime target for an attack like this, the fact that it is a small town is part of what makes it so susceptible to this type of violation. Increasingly, critical infrastructure operators have embraced digital systems that enable employees to remotely access controls, a change driven in part by the coronavirus pandemic. But that same shift has opened up a new vector for hackers to target, and smaller communities are typically understaffed and underprepared for such an attack.
In July, the Cybersecurity and Infrastructure Security Agency warned that infrastructure like water and power plants, along with emergency services, are "attractive targets" for attackers "attempting to do harm to U.S. interests or retaliate for perceived U.S. aggression." So far, there is no indication as to who breached the system and attempted to poison the water. But the fact that it happened once is cause enough for concern.