Hacker’s chemical sabotage attempt on US water supply
US authorities say a hacker gained entry to the system controlling the water treatment plant of a Florida city of 15,000 and tried to taint the water supply with a caustic chemical.
The hacker who breached the system at the city of Oldsmar’s water treatment plant on Friday using a remote access program shared by plant workers briefly increased the amount of sodium hydroxide by a factor of one hundred – from 100 parts per million to 11,100 parts per million, Pinellas County Sheriff Bob Gualtieri said during a news conference on Monday.
Sodium hydroxide, also called lye, is used to treat water acidity but the compound is also found in cleaning supplies such as soaps and drain cleaners.
It can cause irritation, burns and other complications in larger quantities.
Fortunately, a supervisor saw the chemical being tampered with – as a mouse controlled by the intruder moved across the screen changing settings – and was able to intervene and immediately reverse it, Gualtieri said.
Oldsmar is about 25km northwest of Tampa.
Gualtieri said the public was never in danger.
But he did say the intruder took “the sodium hydroxide up to dangerous levels”.
Oldsmar officials have since disabled the remote-access system and say other safeguards were in place to prevent the increased chemical from getting into the water.
Officials warned other city leaders in the region – which was hosting the Super Bowl – about the incident and suggested they check their systems.
Experts say municipal water and other systems have the potential to be easy targets for hackers because local governments’ computer infrastructure tends to be underfunded.
A plant worker first noticed the unusual activity about 8am on Friday when someone briefly accessed the system but thought little of it because co-workers regularly accessed the system remotely, Gualtieri told reporters.
But at 1.30pm, someone accessed it again, took control of the mouse, directed it to the software that controls water treatment and increased the amount of sodium hydroxide.
The sheriff said the intruder was active for three to five minutes.
When they exited, the plant operator immediately restored the proper chemical mix, he said.
Other safeguards in place – including manual monitoring – likely would have caught the change in the 24 to 36 hours it took before it reached the water supply, the sheriff said.
Investigators said it wasn’t immediately clear where the attack came from – whether the hacker was domestic or foreign.
-AAP