Oldsmar accesses its own well fields and treats its water to provide drinking water directly to businesses and residences, the sheriff explained during a press conference on Monday. The treatment facility uses a system that allows remote access so employees can monitor water levels. The sodium hydroxide, which is usually used minimally to control water acidity and remove metals from water, was increased to dangerous levels. Gualtieri said someone remotely accessed the system briefly around 8 AM, but the plant operator didn’t notice a problem. It’s not unusual for supervisors to remotely check water levels, Gualtieri said.
The worker became suspicious when someone again remotely accessed the computer system around 1:30 PM and the worker saw the mouse moving quickly between system controls, Gualtieri said. “The person remotely accessed the system for about three to five minutes, opening various functions on the screen,” the sheriff said.
The hacker changed the sodium hydroxide levels from about 100 parts per million to 11,100 parts per million, Gualtieri said. “This is obviously a significant and potentially dangerous increase,” he added. Luckily, no one was affected because the worker immediately reduced the chemical when he noticed a change, Gualtieri said.
“Importantly, the public was never in danger,” the sheriff added. He said he doesn’t know who orchestrated the scheme, but the Secret Service and FBI have been alerted to begin an investigation. “The important thing is to put everyone on notice,” he said.
Wired Magazine reported back in 2012 that more than 10,000 industrial control systems were connected to the internet and could be easily hacked. That includes water and sewage facilities. “Vendors expect systems to be on segregated networks — they comfort themselves with this,” Eireann Leverett, a doctoral student at Cambridge University at the time, told the magazine. “They say in their documentation to not put it on an open network. On the other side, asset owners swear that they are not connected.” Leverett later added: “At least one customer told us ‘We didn’t even know it was attached.'”