OLDSMAR, Fla. (WFLA) — A hacker was able to successfully alter the levels of chemicals in Oldsmar’s water supply to ‘potentially damaging’ levels Friday, officials said.
Pinellas County Sheriff Bob Gualtieri said on Friday morning a plant operator at Oldsmar’s water treatment facility noticed someone remotely accessed the computer system he was monitoring.
The computers are set up for allowing remote access to select people to troubleshoot problems, so the operator didn’t think much about the incident.
It happened again that afternoon, however, as the operator could see the mouse moving on the computer screen, opening various software functions that controlled the water being treated in the system.
Gualtieri said the hacker increased the sodium hydroxide levels in the city’s water from 100 parts per million to 11,100 parts per million.
“This is obviously a significant and potentially dangerous increase,” Gualtieri said. “Sodium hydroxide is the main ingredient in liquid drain cleaners. It’s also used to control water acidity and remove metals from drinking water in the water treatment plants.”
Gualtieri said the hacker then exited the system and the operator immediately stabilized the levels back down in the water.
“The public was never in danger,” the sheriff said. “Even if the plant operator had not quickly reversed the increased amount of sodium hydroxide, it would’ve taken between 24 and 36 hours for that water to hit the water supply system.”
Even then, the sheriff said there are redundancies in place where the water would be checked before it was released to the public.
The sheriff’s office does not have a suspect, but Gualtieri said they have a few leads. The FBI and U.S. Secret Service are assisting in the investigation.
8 On Your Side reached out to city officials for additional details about the computer system connected to the alleged hack and why there’s remote access. Oldsmar Mayor Eric Seidel told us the operating system is approximately eight years old.
“Remote access has been allowed because it allows Plant personnel to access the system while out in the field, and the consultant needs access in order to assist the staff in making programming adjustments/changes quickly, if necessary,” Seidel said in an email.
The mayor added that after the hack, the city is re-evaluating its policy on the continued need for remote access.
8 On Your Side also reached out to Tampa Bay Water about the hack in Oldsmar. A representative told us Tampa Bay Water elevated its cybersecurity threat level after the alleged hack and is closely monitoring operational activities. It’s also reviewing security protocols to ensure the safety of the water supply system, the spokesperson said.
“Like most of the utilities in this region, Tampa Bay Water uses a Supervisory Control and Data Acquisition (SCADA) system to control the water supply system,” the spokesperson said in an emailed statement. “We have been using this system for 25+ years and upgrade both the hardware and software to keep up-to-date. The hardware was updated in 2019 and the software is up-to-date with the latest version.”
The representative noted that Tampa Bay Water has “robust security and protections” to prevent something like what happened in Oldsmar. The measures include running its system on a private network with no internet access and regularly testing the vulnerability of its systems.