Hacker breaches Oldsmar water treatment plant

Oldsmar Mayor Eric Seidel, right, looks on as Pinellas County Sheriff Bob Gualtieri speaks Feb. 8 during a news conference explaining the “unlawful intrusion” at the Oldsmar water treatment facility.

OLDSMAR — An unknown hacker last week intruded into the software program at Oldsmar’s water treatment facility, attempting to dramatically increase the amount of sodium hydroxide — commonly known as lye — in the city’s water system.

Pinellas County Sheriff Bob Gualtieri held a Feb. 8 press conference along with Oldsmar Mayor Eric Seidel and City Manager Al Braithwaite explaining the “unlawful intrusion” that occurred on Friday, Feb. 5. Gualtieri said “a plant operator at the Oldsmar water treatment facility noticed that someone remotely accessed the computer system that he was monitoring,” adding the system controlled the chemicals and the other operations of the water treatment plant.

After noting the system was set up for remote access in order to allow offsite troubleshooting, Gualtieri said the operator ignored a “brief” interruption at around 8 a.m. Friday, believing it was a supervisor. Later that afternoon, someone again remotely accessed the computer system. It appeared on the operator’s screen as a mouse being moved about, opening various software functions that control the water being treated in the system.

The hacker remotely accessed the system for about three to five minutes, opening various functions on the screen, Gualtieri said. One of those functions controlled the amount of sodium hydroxide in the water, with the hacker changing it “from about 100 parts per million to 11,100 parts per million.” Gualtieri said the change represented “obviously a significant and potentially dangerous increase.” He said sodium hydroxide, also known as lye, “is the main ingredient in liquid drain cleaners. It’s also used to control water acidity and remove metals from drinking water in water treatment plants.”

Gualtieri noted that water treatment plants, like other public utility systems, “are part of the nation’s critical infrastructure and can be vulnerable targets when someone tries to adversely affect public safety.”

After making the change, the intruder exited the system and the plant operator immediately reduced the level back to the appropriate amount of 100, Gualtieri said. Because the operator noticed the increase and lowered it right away, “at no time was there a significant adverse effect on the water being treated. Importantly, the public was never in danger.”

The sheriff added that “even if the plant operator had not quickly reversed the increased amount of sodium hydroxide, it would’ve taken between 24 and 36 hours for that water to hit the water supply system, and there are redundancies in place where the water had been checked before it was released.”

The sheriff said that the plant operator reported the incident to his supervisor, and steps were taken to deny further access to the system. At that point staffers called the Sheriff’s Office, which Gualtieri said “began a criminal investigation along with our federal partners at the FBI and the U.S. Secret Service.”

Gualtieri said the Sheriff’s Office digital forensics unit had been “working all weekend to try and determine exactly how the breach occurred and the identity of the person or persons responsible,” noting that at the time they did not have a suspect but did have leads they were following.

“We don’t know right now whether the breach originated from within the United States or outside the country,” Gualtieri said. “We also don’t know why the Oldsmar system was targeted, and we have no knowledge of any other systems being unlawfully accessed.”

He asked all governmental entities within the Tampa Bay area that have critical infrastructure components to actively review their computer security protocols and make any necessary updates that are consistent with the most up-to-date practices.

Seidel said the monitoring protocols in place at the plant worked. “That’s the good news. Even had they not caught them, there’s redundancies that have alarms in the system that would have caught the change in the pH level, anyhow,” he said.

The mayor added “the important thing is to put everyone on notice” and to “make sure that everyone realizes these kinds of bad actors are out there, it’s happening, so really take a hard look at what you have in place.”

Shortly after the press conference, the mayor spoke about the incident that has put Oldsmar under a national spotlight. He said he planned to hold a conference call with other municipalities “to discuss it and reinforce it and let them know they should be vigilant.”

After reiterating that “at no time were the water tanks compromised” during the software breach, Seidel praised the plant’s staff as well as the safety protocols that prevented a potentially dangerous incident from occurring. “I’m really happy with that, and I’m happy that people did their job well,” he told Tampa Bay Newspapers.

When asked if he felt the incident had anything to do with the Super Bowl being held just a few miles away from his city, Seidel said, “I don’t think they’ve drawn that conclusion because it happened on Friday,” adding, “We’re still not sure where it came from. But whoever was doing it, they did have bad intentions.”