Officials said Monday that a hacker had breached and attempted to poison the water supply for the city of Oldsmar, Fla., last week, but had been unsuccessful.
Pinellas County, Fla., Sheriff Bob Gualtieri announced at a press conference Monday that the hacker had gained control of the operating system at the city’s water treatment facility and had attempted to increase the amount of sodium hydroxide in the water from 100 parts per million to 11,100 parts per million.
“This is obviously a significant and potentially dangerous increase,” Gualtieri told reporters. “Sodium hydroxide, also known as lye, is the main ingredient in liquid drain cleaners. It is used to control water acidity and remove metals from drinking water in water treatment plants.”
The hack took place Friday, with one intrusion occurring early in the morning and a second in the afternoon.
Gualtieri stressed that the treatment center’s operator immediately noticed the increase, with the hacker hijacking the mouse and opening various applications to make the change. The operator on duty immediately reversed the changes made.
“At no time was there a significant adverse effect on the water being treated. Importantly, the public was never in danger,” Gualtieri said. “Even if the plant operator had not quickly reversed the increased amount of sodium hydroxide, it would have taken between 24 and 36 hours for that water to hit the water supply system, and there are redundancies in place where the water had been checked before it was released.”
The sheriff said that his office was working with the FBI and other federal partners to investigate the breach, alongside state and local authorities, and had warned other critical infrastructure groups over the weekend. Gualtieri said the hacker responsible could face state and federal felony charges if caught.
The breach took place two days before the Super Bowl, which took place this year in Tampa, Fla. The city of Oldsmar, which has a population of around 15,000, is located just outside Tampa.
Gualtieri said his office had warned other water treatment plants in the area to be vigilant for attempted cyberattacks but said there was no evidence any other critical systems had been breached in recent days.
“Right now we do not have a suspect identified, but we do have leads that we are following,” Gualtieri told reporters. “We don’t know right now whether the breach originated from within the United States or outside the country. We also do not know why the Oldsmar system was targeted, and have no knowledge of any other systems being unlawfully accessed.”
Oldsmar Mayor Eric Seidel said at the same press conference that while there were redundancies in the system that almost certainly would have caught the attempted poisoning even if the operator had not noticed the hack, it was critical to be aware of cyber risks.
“The important thing is to put everyone on notice, and I think that is really the purpose of today is to make sure that everyone realizes that these kinds of bad actors are out there, it’s happening, so really take a hard look at what you have in place,” Seidel said.
Cyberattacks on critical infrastructure groups have increased in recent years, with hospitals nationwide seeing a spike in attempted hacks during the COVID-19 pandemic and the recent hack of IT group SolarWinds by Russian operatives compromising much of the federal government for over a year.
The Cybersecurity and Infrastructure Security Agency and the National Security Agency put out a joint alert last year warning that foreign actors were targeting U.S. critical infrastructure in cyberspace, including water, gas and electricity systems.
This came months after CISA issued a separate alert warning of potential cyberattacks on critical infrastructure after a U.S. pipeline operator was targeted in 2019.
CISA, which is the key federal agency responsible for securing critical infrastructure, declined to comment to The Hill on if they are involved in the investigation in Oldsmar.