A hacker illegally gained access to a water treatment plant system and attempted to poison the water supply for a Florida suburb with a high concentration of a chemical.
Local police in Oldsmar, Florida, said the hacker used a remote access programme that the treatment plant's workers rely on to increase the amount of sodium hydroxide by a factor of one hundred (from 100 parts per million to 11,100 parts per million).
Sodium hydroxide, also called lye, is used to treat water acidity but the compound is also found in cleaning supplies such as soaps and drain cleaners. It can cause irritation, burns and other complications in larger quantities.
A supervisor noticed a cursor moving across a screen – the hacker in action, accessing the system remotely – and was able to reverse the action in time.
Pinellas County Sheriff Bob Gualtieri said during a news conference on Monday that the public was never in danger, but that the hacker did raise “the sodium hydroxide up to dangerous levels.”
Officials in the suburb of the city of Tampa have since disabled the remote-access system, and say other safeguards were in place to prevent an increased chemical concentration from getting into the water.
Officials warned other city leaders in the region — which was hosting the Super Bowl — about the incident and suggested they check their systems.
Experts say municipal water and other systems have the potential to be easy targets for hackers because local governments’ computer infrastructure tends to be underfunded.
Robert Lee, CEO of Dragos Security, and a specialist in industrial control system vulnerabilities, said remote access to industrial control systems such as those running water treatment plants has become increasingly common.
“As industries become more digitally connected we will continue to see more states and criminals target these sites for the impact they have on society,” Lee said.
What concerns experts most is the potential for state-backed hackers intent on doing serious harm to target water supplies, power grids and other vital services.
In May, Israel’s cyber chief said the country had thwarted a major cyber attack a month earlier against its water systems, an assault widely attributed to its archenemy Iran.
Had Israel not detected the attack in real time, he said, chlorine or other chemicals could have entered the water, leading to a “disastrous” outcome.
Tarah Wheeler, a Harvard Cybersecurity Fellow, said communities should take every precaution possible when using remote access technology on something as critical as a water supply.
“The systems administrators in charge of major civilian infrastructure like a water treatment facility should be securing that plant like they’re securing the water in their own kitchens,” Wheeler told the Associated Press via email. “Sometimes when people set up local networks, they don’t understand the danger of an improperly configured and secured series of internet-connected devices.”
Investigators said it wasn’t immediately clear where the attack came from — whether the hacker was domestic or foreign. The FBI, along with the Secret Service and the Pinellas County Sheriff’s Office, is investigating the case.