FBI investigating after hacker adds chemicals to city water supply in Florida

Oldsmar, Florida is a small city west of Tampa. Last Friday, an unidentified hacker managed to gain entry to the computer system that controls Oldsmar’s water supply. The hacker changed the levels of lye added to the water to balance the ph to a degree that could have been dangerous to residents if it hadn’t been caught immediately by a city employee who saw the change happen in real time on his computer.

Someone remotely accessed a computer for the city’s water treatment system and briefly increased the amount of sodium hydroxide, also known as lye, by a factor of more than 100, Gualtieri said at a news conference Monday. The chemical is used in small amounts to control the acidity of water but it’s also a corrosive compound commonly found in household cleaning supplies such as liquid drain cleaners…

A plant operator was monitoring the system at about 8 a.m. Friday and noticed that someone briefly accessed it. He didn’t find this unusual, Gualtieri said, because his supervisor remotely accessed the system regularly.

But at about 1:30 p.m. the same day, Gualtieri said, someone accessed the system again. This time, he said, the operator watched as someone took control of the mouse, directed it to the software that controls water treatment, worked inside it for three to five minutes and increased the amount of sodium hydroxide from 100 parts per million to 11,100 parts per million.

As of today no one has been arrested but the FBI and the Secret Service are investigating the breach along with the local Sheriff’s Office. According to the Sheriff, no one was ever in any danger though it’s not completely clear if that’s because it was caught immediately. Obviously the scary part of this is thinking about might have happened if someone hadn’t witnessed the crime in progress. Vice reports the Sheriff didn’t call this bioterrorism but also didn’t reject that label:

When asked if this should be considered an attempt at bioterrorism, Gualtieri said, “What it is is someone hacked into the system not just once but twice … opened the program and changed the levels from 100 to 11,100 parts per million with a caustic substance. So, you label it however you want, those are the facts.”

The hacker didn’t directly access the water control software, instead they apparently gained access to a program used for screen-sharing which gave them remote access of the machine.

Jessica Mackesy from the Pinellas County Sheriff’s Office told Motherboard in an email that the remote access software used was TeamViewer. TeamViewer is a common piece of software that organizations use to remote control computers.

At this point, I’m almost hoping this turns out to be some idiot teenager trying to show of his hacking skills. The other alternative is that this really was some kind of intentional terrorism either by homegrown crazies or hackers abroad. If it’s the latter then this probably won’t be the last time someone tries this.