Hacker Tried to Poison Water Supply of Florida City: Sheriff

February 9, 2021 Updated: February 10, 2021

Investigations are underway after an unknown culprit tried to poison the water supply of a city in Florida, officials said.

The water treatment system in the city of Oldsmar in Pinellas County was hacked remotely on Jan. 5, and the amount of sodium hydroxide, also known as lye, was increased to more than 100 times its normal levels, Pinellas County Sheriff Bob Gualtieri said at a Feb. 8 press conference.

Sodium hydroxide is used in small amounts to control acidity in water, but can be corrosive in larger amounts and is found in household cleaning supplies, including drain and oven cleaners.

“This is somebody who is trying, as it appears on the surface, to do something bad. It’s a bad act. It’s a bad actor,” he told reporters.

“This isn’t just, ‘Oh, we’re putting a little bit of chlorine or a little bit of fluoride, or a little bit of something,’ we’re basically talking about lye that you are taking from 100 parts per million to 11,100,” he added, noting that these were dangerous levels.

The targeted plant is the main source of drinking water for the city’s 15,000 residents.

According to a statement from the sheriff’s office, it was notified by the City of Oldsmar that their computer system was remotely accessed at 8 a.m. and 1:30 p.m. by an unknown suspect.

A plant operator who was remotely monitoring the city’s water supply said that he didn’t find it unusual about the remote access at 8 a.m. because his supervisor remotely accesses the system regularly. But at 1:30 p.m., the system was accessed again, and this time the operator saw the concentration was being manipulated to more than 100 times its usual levels.

“The person … remotely accessed the system for about 3 to 5 minutes, opening various functions on the screen,” Gualtieri told reporters.

Water Treatment Plant Hack
In this screen shot from a YouTube video posted by the Pinellas County Sheriff’s Office, Pinellas County Sheriff Bob Gualtieri speaks during a news conference as Oldsmar, Fla., Mayor Eric Seidel, left, listens, in Oldsmar, Fla., on Feb. 8, 2021. (Pinellas County Sheriff’s Office via AP)

“At no time was there a significant effect on the water being treated, and more importantly, the public was never in danger,” he stated, adding that even if the operator hadn’t caught the manipulation, it would have taken more than a day for the contaminated water to enter the city’s water supply.

The Pinellas County Sheriff’s Office, the FBI, and the Secret Service are investigating the situation. No one has been arrested. Gualtieri said it’s unclear why Oldsmar was targeted.

City officials told reporters at the conference that there are other safeguards in place that help stop contaminated water from entering the water supply. They also said they’ve disabled the remote-access system used in the attack.

An advisory that Massachusetts recently posted for its public water suppliers said the intruder entered through a remote-access program called TeamViewer. It was loaded on all computers used by plant personnel, all of which were connected to the plant’s control system, the advisory said as of Feb. 10, adding that all users shared the same password — ignoring cybersecurity best practices. Further, those computers “appeared to be connected directly to the Internet without any type of firewall protection installed.”

The Massachusetts advisory said the FBI and other agencies had issued a situational report on the incident. An FBI spokesperson declined to comment on the report when reached out by The Associated Press. Similarly, Oldsmar officials declined to questions from the AP about cybersecurity measures at the plant.

Sen. Marco Rubio (R-Fla.) on Twitter announced that the incident “should be treated as a matter of national security.”

Sodium hydroxide poisoning can cause breathing difficulties, severe abdominal pain, vision loss, a rapid drop in blood pressure, and even death, according to the University of Florida Health System. The onset of such effects depends on how much of the poison is present in the water.

“The long-term outcome depends on the extent of this damage. Damage to the esophagus and stomach continues to occur for several weeks after the poison was swallowed. Death may occur as long as a month later,” according to the university’s website.

The Associated Press contributed to this report.

Update: This article has been updated with further details of the water plant hack.

Follow Mimi on Twitter: @MimiNguyenLy