The scenario described by Pinellas Sheriff Bob Gualtieri is disconcerting, an attacker attempted to raise levels of sodium hydroxide, also known as lye, by a factor of more than 100, in Oldsmar’s water supply.
The ingestion of water with high level of sodium hydroxide can be fatal.
The incident took place on Friday and local authorities, along with the FBI and the Secret Service, are still investigating the hack. The attackers gained access to the city’s water treatment system and altered the amount of sodium hydroxide, also known as lye.
The city’s water supply was not affected because a remote supervisor noticed the anomalous change in the concentration of the chemical substance and reverted it. Gualtieri pointed out that the water supply chain is also protected by other safeguards that prevent any manipulation and they’ve disabled the remote-access system used in the attack.
“Someone remotely accessed a computer for the city’s water treatment system and briefly increased the amount of sodium hydroxide, also known as lye, by a factor of more than 100, Gualtieri said at a news conference Monday. The chemical is used in small amounts to control the acidity of water but it’s also a corrosive compound commonly found in household cleaning supplies such as liquid drain cleaners.” reported the Tampa Bay Times.
“The city’s water supply was not affected. A supervisor working remotely saw the concentration being changed on his computer screen and immediately reverted it, Gualtieri said. City officials on Monday emphasized that several other safeguards are in place to prevent contaminated water from entering the water supply and said they’ve disabled the remote-access system used in the attack.”
The Pinellas County Sheriff’s Office is investigating, along with the FBI and the Secret Service, Gualtieri said.
It is not clear why attackers have chosen the City of Oldsmar, but authorities have already alerted other municipalities of the risk of similar attacks on water treatment systems and other critical infrastructure.
An operator at the water facility noticed access to the control systems about 8 a.m. Friday, but it did not throw an alert because the supervisor remotely accessed the system regularly.
But at about 1:30 p.m. something strange has happened, someone accessed the system, took control of the mouse, and used the software that controls water treatment for three to five minutes. The intruder increased the amount of sodium hydroxide from 100 parts per million to 11,100 parts per million.
The plant operator noticed the manipulation and reverted it immediately.
“Importantly, the public was never in danger.” sheriff added.
“The protocols that we have in place, monitoring protocols, they work — that’s the good news,” said Oldsmar Mayor Eric Seidel. “Even had they not caught them, there’s redundancies in the system that would have caught the change in the pH level.“
“The important thing is to put everyone on notice,” he said. “There’s a bad actor out there.”
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, water supply)