FBI Called In After Hacker Tries To Poison Tampa-Area City's Water With Lye
It started with a cursor moving on its own, sliding across a computer screen at the water treatment plant in Oldsmar, Fla. Someone had taken remote control of a plant operator's machine – and in just a few minutes, they increased the level of sodium hydroxide in the city's drinking water by a factor of 100. After spiking the caustic substance to unsafe levels, the hacker immediately left the system.
The plant operator quickly reset the sodium hydroxide level back to normal parameters before the rogue action posed a threat to the water supply, officials say. But the incident, which took place Friday, is now being investigated by local authorities as well as the FBI and Secret Service, according to Pinellas County Sheriff Bob Gualtieri.
"The hacker changed the sodium hydroxide from about 100 parts per million to 11,100 parts per million," Gualtieri said on Monday, during a briefing about the attack. "This is obviously a significant and potentially dangerous increase. Sodium hydroxide, also known as lye, is the main ingredient in liquid drain cleaners. It's also used to control water acidity and remove metals from drinking water."
At one point in the briefing, Gualtieri was asked if he would call the incident an attempted bioterrorism attack.
"It is what it is," he replied. "Someone hacked into the system, not just once but twice," to take control of the system and change the water chemistry to unsafe levels.
If the person who conducted the hack is identified, Gualtieri said, they would likely face state felony charges, with the potential for federal charges depending on the circumstances, such as the place where the hack originated.
Oldsmar is a small city northwest of Tampa, roughly 12 miles away from Raymond James Stadium, which hosted the Super Bowl two days after the hacking attack. Oldsmar draws its water from wells; its system is separate from other nearby communities, the officials said.
The intruder broke into the system at least twice on Friday, taking control of a plant operator's computer through the same methods a supervisor or specialist might use. The hack didn't initially set off red flags, because remote access is sometimes used to monitor the system or trouble-shoot problems, Gualtieri said.
The first intrusion was fleeting and didn't cause concern. But hours later, the hacker returned. And as the operator looked on, the sodium hydroxide settings were moved to dangerous territory. After resetting the system to normal levels, the operator raised the alarm. The sheriff was called; soon, federal investigators were also involved.
"Obviously, these investigations are very complicated right now," Gualtieri said. "We do not have a suspect identified, but we do have leads that we're following. We don't know right now whether the breach originated from within the United States or outside the country."
The FBI's field office in Tampa confirms that its agents are working with the city and the sheriff's office to find the person responsible.
The hack was clearly the act of someone trying to harm others, the sheriff said. But he and officials in Oldsmar also stressed that while the hack was a serious intrusion, public health was never at risk. In addition to the plant operator's vigilance, they said, the water system has sensors that would have raised the alarm if pH levels suddenly skyrocketed. And it would have taken more than a day for the water to reach any customers, they added.
"We have pH alarms throughout the system," City Manager Al Braithwaite said. "So obviously if you change the alkalinity level, the pH changes. That would have been an alarm throughout the entire system. So, even if we hadn't noticed it right away, it would have alarmed to all our people to notice it quickly."
The remote-access program that allowed the change to be made is now disabled, Braithwaite said, and the city is making further upgrades to its systems. And he said the attack on Oldsmar's infrastructure didn't come as a complete surprise. "We talk about it, we think about it, we study it," he said.
The good news in the incident, said Mayor Eric Seidel, is that Oldsmar's safety and monitoring protocols worked as intended. But the message now, he added, is that they're needed – in his and other communities.
Everyone should realize "these kind of bad actors are out there, it's happening," Seidel said. "So really, take a hard look at what [safety measures] you have in place."
Copyright 2021 NPR. To see more, visit https://www.npr.org.