On Feb. 8, 2021, officials from Florida’s Pinellas County held a news conference in which they announced that “an unlawful intrusion into the city of Oldsmar computer system that [controls] its water treatment plant” had occurred a few days prior on Feb. 5. The intruder was allegedly able to initiate a hundredfold increase in the concentration of a chemical used to balance water pH at a water treatment facility in the gulf coast town of Oldsmar, Florida.
As reported by Wired, the assertions “have yet to be corroborated firsthand by external security auditors,” but local law enforcement officials say that computer logs support the finding, which was first reported by an employee of the plant. Here is everything we know about the incident at this time.
The incident was observed by an employee of the Oldsmar plant and reported to the Pinellas County Sheriff’s Department. The sheriff’s department, in turn, reported the incident to the FBI.
Oldsmar’s water treatment facility used a desktop sharing program — TeamViewer — that allows multiple people to remotely access a central computer that can control some of the plant’s functions. At around 1:30 p.m. on Feb. 5, the employee observed someone access the system remotely “for about three to five minutes, opening various functions on the screen,” according to Pinellas County Sheriff Bob Gualtieri. Most significantly, Gualtieri said, “the hacker changed the sodium hydroxide from about 100 parts per million to 11,100 parts per million.”
Speaking to The Washington Post, Haizhou Liu, an associate professor of chemical and environmental engineering at the University of California at Riverside, explained that sodium hydroxide, also known as lye, is used in water treatment plants to reduce the acidity of drinking water, which is generally mildly acidic when it comes out of the ground. “They use sodium hydroxide to make the pH slightly basic,” he said. An excess amount added to the water, however, could make it basic enough to damage human cells and corrode pipe, he explained.
TeamViewer, the desktop sharing company, disputed that their system was compromised. “We don’t have any indication that our software or platform has been compromised,” spokesman Patrick Pickhan told the Post, pointing instead to unlawfully obtained login credentials. “TeamViewer stands ready to support relevant authorities in their investigation of the technical details such as how the cyber criminals potentially obtained login credentials, which are set and encrypted solely on the device,” he said.
Immediately after the intruder exited the computer system, according to Gualtieri, the employee returned the levels back to normal.
Was the Public Ever at Risk?
Officials have stated that, while the incident was troubling from a cybersecurity perspective, the public was never in danger as a result of the intrusion. “Because the operator noticed the increase and lowered it right away, at no time was there a significant adverse effect on the water being treated,” Gualtieri said. “Importantly, the public was never in danger.” Several automated safeguards, like pH monitors, would have caught the increase even if the operator had not observed that change, he said. Further, he explained, “it would have taken between 24 and 36 hours for that water to hit the water supply system” following the sort of increase attempted in this incident.
“The protocols that we have in place … they work. That’s the good news,” Oldsmar Mayor Eric Seidel said during the news conference.
Do We Know Who Is Responsible?
Outside of the outline provided by officials, few additional details have been released. “Did this come from down the street or outside the country?” Gualtieri asked rhetorically in an interview with Wired. “No idea.”
In that interview, Gualtieri said that the intruder appeared to have compromised the plant’s TeamViewer software and likely accessed it from somewhere on the internet. Network logs substantiate the plant operator’s story, he added. Past that, Wired reported, Gualtieri “had little else to share about how the hacker accessed TeamViewer or gained initial access to the plant’s IT network.” Gualtieri also “provided no details as to how the intruder broke into the so-called operational technology network that controls physical equipment in industrial control systems.”
In addition to the Pinellas County Sheriff’s Office, the FBI and the Secret Service are also investigating the case, reported the Tampa Bay Times.
We will update this article as new information becomes available, but the claim that a Florida water treatment plant reported an intrusion into their system that allowed an unknown entity to alter, briefly, chemical levels in a town’s public water supply is “True.”