U.S. federal authorities are investigating a supervillain-style plot to poison a city’s water supply in Florida, in a frightening hack that was foiled by one observant employee.
An unknown actor seized control of the water treatment plant’s controls in Oldsmar, Fla., last Friday and cranked up the settings to dump vast amounts of poisonous lye into the reservoir, police said. An operator spotted the change and immediately reversed it, thereby protecting the local water supply.
Water plants typically inject a tiny amount of lye, a.k.a. sodium hydroxide, into the reservoir to control the water’s acidity, but the hacker — still unidentified — ratcheted up the concentration to 11,000 per cent above normal, which likely would have had serious effects on the 15,000 people who rely on the plant for their water.
“Sodium hydroxide, also known as lye, is the main ingredient in liquid drain cleaners,” Pinellas County Sheriff Bob Gualtieri said during a news conference Monday. “This is obviously a significant and potentially dangerous increase.”
Lye is very corrosive and can cause nausea, vomiting, diarrhea and chest or abdominal pain if ingested in large quantities, according to the U.S. Centers for Disease Control and Prevention (CDC). It can also cause temporary hair loss, eye and skin burns or irritation to the eyes, skin and mucous membrane.
“I’m not a chemist,” Gualtieri said. “But I can tell you what I do know is … if you put that amount of that substance into the drinking water, it’s not a good thing.”
Authorities say the hacker took control of the computer’s mouse via TeamViewer, a remote access program that allows screen sharing for IT purposes.
An operator first noticed unusual activity on the computer on Friday morning, officials said. He didn’t think much of it until that same afternoon, when someone used the mouse to make dangerous changes to the lye settings in front of his very eyes.
The operator immediately switched the lye concentration back to a safe level and informed his supervisor.
“At no time was there a significant adverse effect on the water being treated,” Gualtieri said. “The public was never in danger.”
The Secret Service and the FBI are now probing the case to determine whether the hack originated in the United States or abroad.
“There’s a bad actor out there,” Oldsmar Mayor Eric Seidel said.
Hackers in the past have held entire towns for ransom by locking up their municipal computer systems. State-backed hackers have also meddled with the U.S. power grid and tampered with a dam in New York.
Robert M. Lee, CEO of Dragos Security and a specialist in industrial control system vulnerabilities, said remote access to industrial control systems such as those running water treatment plants has become increasingly common.
“As industries become more digitally connected we will continue to see more states and criminals target these sites for the impact they have on society,” Lee told The Associated Press.
The plant has disabled remote access to its computers while the investigation plays out.
— With files from The Associated Press
Comments