A 5 February computer hack atttempting to poison water systems of a Florida, US community was averted in real time. The city of Oldsmar's water supply to approximately 15,000 people was not harmed but the hack is now being investigated by local and federal authorities, including FBI, Secret Service and other law enforcement agencies.
The incident occurred two days before American Football's Superbowl, this year hosted in Tampa Bay, Florida, only 15 km from Oldsmar.
A hacker was able to adjust the chemical controls, increasing the amount of sodium hydroxide from a safe and usual 100 parts per million to a very unsafe level of over 11,000 parts per million. Under normal circumstances the chemical, commonly referred to as lye, is used to control PH of water but in such high quantities is corrosive and dangerous to human health.
In normal quantities, lye is considered harmless. In very large quantities, sodium hydroxide can kill skin cells and cause hair loss, according to the National Centre for Biotechnology Information. Ingestion is very harmful and can be fatal.
Remote access, in and of itself, is not uncommon, as both operators and supervisors are granted remote access under normal operating conditions. In this instance, however, an operator observed the dangerous increase in chemical concentration and within minutes was able to reverse the action of the hacker by tracking an unexplained cursor on a screen.
There are, as yet, no details as to how the intruder broke into the operational technology network that controls physical water treatment equipment.
Had the hack not been reversed, it is estimated that it would have taken 24 to 36 hours for the poisoned water to reach the city's population. Authorities indicate that before that could happen, both manual and automated PH testing safeguards would have triggered an alarm and caught the change before anyone was harmed.
Investigators have have alerted other municipal agencies to redouble efforts to protect computer systems. The hacker could be anyone: local, state, foreign, a bored individual or a disgruntled former employee.
Cybersecurity experts continue to warn that municipal water, water treatment, sewer and infrastructure systems including hospitals, for example, have the potential to be very vulnerable because computer infrastructure and protection systems tend to be underfunded, particularly in smaller water provision systems.