They remotely raised the sodium hydroxide level 111 times the normal amount.
A hacker attempted to poison an entire Florida city after gaining access to its water supply system.
Pinellas County Sheriff Bob Gualtieri revealed at a press conference on Monday that an unauthorized person had hacked into the City of Oldsmar’s treatment plant, and increased the levels of sodium hydroxide to toxic amounts.
The cyber attack occurred on Friday, when the unknown suspect remotely logged in at 8AM, and again at 1:30PM.
As the system is set up to allow authorized users log in remotely to troubleshoot, the first brief intrusion initially did not raise any flags.
But when the person logged in a second time, a plant operator watched as the user began accessing various functions in the system that control the amount of sodium hydroxide in the water.
Also known as lye, the highly caustic base, which can cause severe chemical burns, is used in drinking water treatment — in highly diluted amounts — to control water acidity and remove metals.
The hacker increased the levels from 100 parts per million, to 11,100 parts per million — 111 times the safe amount.
“This is obviously a significant and potentially dangerous increase,” Sheriff Gualtieri said, pointing out that sodium hydroxide is also the main ingredient in liquid drain cleaner.
The operator who witnessed the hack immediately reduced the levels back down to the proper amount, before alerting the authorities.
The city manager assured citizens that at no time were they in any danger; had the switch not been noticed in real time, it would have taken the poisonous water 24-36 hours to get through the system, by which time sensors would have detected the change and triggered the alarm.
However the attempted attack has raised serious concerns. Digital forensics teams are still trying to find out how they got in, and who they even are. There are currently no suspects; Sheriff Gualtieri admitted they do not even know if the attack came from within or outside the US, or why Oldsmar was specifically targeted.
“This is someone that was trying, as it appears on the surface, to do something bad. It was a bad actor,” Gualtieri added, warning that other systems could be targeted, and advised other cities to be on alert.