The hacker breached the system at the city of Oldsmar’s water treatment plant in Florida last Friday using a remote access program shared by plant workers.
It exposed a danger cybersecurity experts say has grown as systems become both more computerized and accessible via the internet.
Authorities did not have a suspect as of Tuesday but said they were continuing to follow leads.
Investigators say it wasn’t immediately clear whether the hacker was domestic or foreign.
White House Press Secretary Jen Psaki addressed the hacking incident on Tuesday during her briefing, acknowledging the Secret Service’s involvement and saying cybersecurity was a main focus of the Biden administration.
‘As was announced earlier today, the FBI and Secret Service are undergoing an investigation,’ she said.
‘That’s something we’d certainly defer to them on their specific findings of that investigation. I will say broadly speaking that the president, the vice president and members of our national security team are focused on elevating cybersecurity as a threat that has only increased over the past several years.’
Florida senator Marco Rubio has called on the FBI to treat the investigation as a matter of national security.
The hacker who breached the system managed to briefly increase the amount of sodium hydroxide by a factor of one hundred (from 100 parts per million to 11,100 parts per million), according to Pinellas County Sheriff Bob Gualtieri.
Sodium hydroxide, also called lye, is used to treat water acidity but the compound is also found in cleaning supplies such as soaps and drain cleaners.
It can cause irritation, burns and other complications in larger quantities.
Authorities say a supervisor saw the chemical being tampered with and was able to intervene and immediately reverse it.
Gualtieri insists the public was never in danger but admitted the intruder took ‘the sodium hydroxide up to dangerous levels’.
The city of Oldsmar, which has a population of about 15,000, is located about 15 miles from Tampa.
Pinellas County Sheriff Bob Gualtieri and Mayor Eric Seidel announced news of the hack on Monday.
A plant worker had first noticed the unusual activity at around 8am on Friday when someone briefly accessed the system – named TeamViewer – but thought little of it because co-workers regularly accessed the system remotely, Gualtieri said.
But at about 1.30pm, someone accessed it again, took control of the mouse, directed it to the software that controls water treatment and increased the amount of sodium hydroxide.
The sheriff said the intruder was active for three to five minutes. When they exited, the plant operator immediately restored the proper chemical mix.
‘The guy was sitting there monitoring the computer as he’s supposed to and all of a sudden he sees a window pop up that the computer has been accessed,’ Gualtieri said.
‘The next thing you know someone is dragging the mouse and clicking around and opening programs and manipulating the system.’
Other safeguards in place – including manual monitoring – likely would have caught the change in the 24 to 36 hours it took before it reached the water supply, the sheriff said.
Oldsmar officials have since disabled the remote-access system and say other safeguards were in place to prevent the increased chemical from getting into the water.
Officials warned other city leaders in the region – which was hosting the Super Bowl – about the incident and suggested they check their systems.
Experts say municipal water and other systems have the potential to be easy targets for hackers because local governments’ computer infrastructure tends to be underfunded.
Robert M. Lee, CEO of Dragos Security, and a specialist in industrial control system vulnerabilities, said remote access to industrial control systems such as those running water treatment plants has become increasingly common.
‘As industries become more digitally connected we will continue to see more states and criminals target these sites for the impact they have on society,’ Lee said.
The leading cybersecurity firm FireEye attributed an uptick in hacking attempts it has seen in the last year mostly to novices seeking to learn about remotely accessible industrial systems.
Many victims appear to have been selected arbitrarily and no serious damage was caused in any of the cases – in part because of safety mechanisms and professional monitoring, FireEye analyst Daniel Kapellmann Zafra said in a statement.
‘While the (Oldsmar) incident does not appear to be particularly complex, it highlights the need to strengthen the cybersecurity capabilities across the water and wastewater industry,’ he said.
What concerns experts most is the potential for state-backed hackers intent on doing serious harm targeting water supplies, power grids and other vital services.
In May, Israel’s cyber chief said the country had thwarted a major cyber attack a month earlier against its water systems, an assault widely attributed to its archenemy Iran. Had Israel not detected the attack in real time, he said chlorine or other chemicals could have entered the water, leading to a ‘disastrous’ outcome.
Tarah Wheeler, a Harvard Cybersecurity Fellow, said communities should take every precaution possible when using remote access technology on something as critical as a water supply.
‘The systems administrators in charge of major civilian infrastructure like a water treatment facility should be securing that plant like they’re securing the water in their own kitchens,’ Wheeler told the Associated Press via email.
‘Sometimes when people set up local networks, they don’t understand the danger of an improperly configured and secured series of internet-connected devices.’