A computer hacker gained access to the water system of a city in Florida and tried to pump in a “dangerous” amount of a chemical, officials say.
The hacker briefly increased the amount of sodium hydroxide (lye) in Oldsmar’s water treatment system, but a worker spotted it and reversed the action.
Lye is used in small amounts to control acidity but a large amount could have caused major problems in the water.
Oldsmar Mayor Eric Seidel said: “There’s a bad actor out there.”
No arrests have yet been made and it is not known if the hack was done from within the US or outside.
A computer controlling Oldsmar’s water treatment system was remotely accessed on Friday.
A plant operator saw an attempt to access the system in the morning but assumed it was his supervisor, the Tampa Bay Times reported.
But another attempt was made early in the afternoon and this time the hacker accessed the treatment software and increased the sodium hydroxide content from 100 parts per million to 11,100 ppm.
The operator immediately reduced the level to normal.
Sodium hydroxide is the chief ingredient in liquid drain cleaners. It is very corrosive and can cause irritation to the skin and eyes, along with temporary loss of hair.
Swallowing it can cause damage to the mouth, throat and stomach and induce vomiting, nausea and diarrhoea.
Pinellas County Sheriff Bob Gualtieri said: “I’m not a chemist. But I can tell you what I do know is… if you put that amount of that substance into the drinking water, it’s not a good thing.”
But he added: “At no time was there a significant adverse effect on the water being treated. Importantly, the public was never in danger.”
The Oldsmar plant provides water to businesses and about 15,000 residents.
The remote access programme to the water system has been temporarily disabled.
‘Bad actors out there’
Analysis by Joe Tidy, cyber reporter
Imagine the horror as this worker watched their own mouse cursor being moved around the screen by an invisible hand. Then seeing it click open and adjust the electronic dials to poison the water.
Perhaps more terrifying is that this isn’t the first time it’s happened.
In 2016, a security report from Verizon detailed a similar attack on another unnamed US water facility. And in 2020 there were multiple unsuccessful hacks on Israeli water supplies.
This latest attack in Florida will do nothing to calm cyber-security experts who’ve been warning for years that so called “critical national infrastructure” facilities are being targeted.
Water, electricity, nuclear plants and transport are being probed for weaknesses all the time not just because of the potential for mass disruption but also because they are often running on out-of-date and vulnerable IT systems.
So far all attacks on water supplies have been averted.
But as Mayor Seidel put it in his press conference, this is an event that “puts everyone on notice: these types of bad actors are out there and this is happening”.