Water Treatment Facility

On a sunny day in Florida during February 2021, a plant operator at a water treatment facility in Oldsmar noticed something unusual. According to the Tampa Bay Times the levels of sodium hydroxide, commonly known as lye, had been increased to levels of more than 100x what is thought to be safe. Thinking this might just have been a mistake, the plant operator simply changed the levels back to the normal setting and continued on with the day.

Later that same day the plant operator would come to find out that there was no mistake. While sitting at the desk the operator noticed the mouse on the computer system move. The operator sat at the computer watching as the mouse moved to the software that controls water treatment. The levels of sodium hydroxide were increased again, all while the operator hadn't touched the system.

No, there were no ghosts there that day. Instead, the levels of sodium hydroxide were being intentionally increased remotely by a malicious actor.  The water treatment facility had been the subject of a hack.

This type of hack is the stuff of nightmares. In the worst case scenario the water being treated in Oldsmar and the people and animals drinking it would have been poisoned. In the best case this hack highlights flaws that are likely to exist at water treatment facilities across the country.

In the Tampa Bay Times article written by Jack Evans, Pinellas County Sheriff Bob Gualtieri said

"he didn’t know what physiological effects would result from the concentration dialed up in the attack. Nor was it immediately apparent whether a similar attack had ever happened in the U.S. In 2007, the water of a town in Massachusetts was accidentally treated with too much lye, causing burns and skin irritation among people who showered with it."

A hack of this nature can be tied directly back to the security level of the Industrial Control Systems (ICS) involved. Water treatment plants like other critical infrastructure such as power and energy facilities, are also targets for hacks.

An attack of this scale highlights the vulnerabilities in Industrial Control Systems across the nation. Secmation can protect ICS equipment, see how here.