Sheriff Bob Gualtieri said the public was never in danger (Picture: FOX 13/AP)
An unidentified person hacked into the system supplying water to a Florida city and tried to contaminate it, US officials have revealed.
The hacker breached the system controlling a water treatment plant in Oldsmar and tried to taint the water supply with a caustic chemical.
They planned to multiply the amount of sodium hydroxide in the water more than 100 fold, after using a remote access programme shared by plant workers, Pinellas County Sheriff Bob Gualtieri said during a news conference.
But a quick-thinking supervisor intervened after noticing the chemical, also called lye, being tampered with last week. A computer mouse controlled by the intruder was seen moving across the screen and changing settings – before the supervisor intervened and immediately reversed it, Mr Gualtieri explained.
The FBI, along with the Secret Service and the Pinellas County Sheriff’s Office, are now investigating the incident.
The Sheriff claimed the public was never in danger but he did say the intruder took ‘the sodium hydroxide up to dangerous levels’. It was previously at 100 parts per million but was then increased to 11,100.
The chemical is used to treat water acidity but is also found in cleaning supplies such as soaps and drain cleaners.
Pinellas County Sheriff Mr Gualtieri said a supervisor immediately intervened to avoid any contamination (Picture: AP)
The incident occurred in Oldsmar, Florida, last Friday (Picture: FOX 13)
It can cause irritation, burns and other complications in larger quantities.
Oldsmar officials say they have now disabled the remote-access system, and that other safeguards were in place to prevent the increased chemical from getting into the water.
Officials warned other city leaders in the region – which was hosting the Super Bowl – about the incident and suggested they check their systems.
Experts say municipal water and other systems have the potential to be easy targets for hackers because local governments’ computer infrastructure tends to be underfunded.
A plant worker first noticed the unusual activity at around 8am local time on Friday when someone briefly accessed the system, but thought little of it because co-workers regularly accessed the system remotely, Mr Gualtieri told reporters.
The hacker was active for around 3 – 5 minutes and then their actions were immediately reversed, officials say (Picture: FOX 13)
The settings were changed at the plant to put more sodium hydroxide into the water (Picture: FOX 13)
But at about 1.30pm, someone accessed it again, took control of the mouse, directed it to the software that controls water treatment and increased the amount of sodium hydroxide.
The sheriff said the intruder was active for three to five minutes.
When they exited, the plant operator immediately restored the proper chemical mix, he said.
Other safeguards in place – including manual monitoring – were likely to have caught the change in the 24 to 36 hours it took before it reached the water supply, the sheriff said.
Investigators said it was not immediately clear where the attack came from or whether the hacker was domestic or foreign.
Russian state-backed hackers have in recent years penetrated some US industrial control systems, including the power grid and manufacturing plants, while Iranian hackers were caught seizing control of a suburban New York dam in 2013.
In no case was damage inflicted but officials say they believe the foreign adversaries have planted software boobytraps that could be activated in the event of war.
It comes as the British Defence Secretary warned of a growing threat of chemical and biological attacks.
Robert Lee, chief executive of Dragos Security, and a specialist in industrial control system vulnerabilities, said remote access to industrial control systems such as those running water treatment plants has become increasingly common.
He warned: ‘As industries become more digitally connected, we will continue to see more states and criminals target these sites for the impact they have on society.’
The leading cybersecurity firm FireEye attributed an increase in hacking attempts it has seen in the last year mostly to novices seeking to learn about remotely accessible industrial systems.
Many victims appear to have been selected arbitrarily and no serious damage was caused in any of the cases – in part because of safety mechanisms and professional monitoring, FireEye analyst Daniel Kapellmann Zafra said in a statement.
‘While the (Oldsmar) incident does not appear to be particularly complex, it highlights the need to strengthen the cybersecurity capabilities across the water and wastewater industry,’ he said.
What concerns experts most is the potential for state-backed hackers intent on doing serious harm targeting water supplies, power grids and other vital services.
In May, Israel’s cyber chief said the country had thwarted a major cyber attack a month earlier against its water systems, in an assault widely attributed to Iran.
Had Israel not detected the attack in real time, he claimed chlorine or other chemicals could have entered the water, leading to a ‘disastrous’ outcome.
Get in touch with our news team by emailing us at [email protected].
For more stories like this, check our news page.