Fact Check

Was a Florida Water Treatment Plant Hacked?

The event was witnessed by a plant employee viewing the shared desktop of a computer that controlled, among other things, chemical levels in the region's public drinking water.

Published Feb. 9, 2021

MIAMI, FL - JANUARY 30: A control panel is seen at the Miami Dade County Water Systems treatment plant as the department prepares for any problems on Super Bowl Sunday if demand for water is too much due to a spike in bathroom trips that could impact household water pressure on January 30, 2015 in Miami, Florida. The Water department has found that on football's biggest day: water pressure can drop by as much as 18-22 pounds per square inch right at the two-minute warning of the first half and continue throughout halftime, as well as right after the game. Due to the spike in use the department will be monitoring the system's demand and may add another pump to the system at each plant to compensate for the decrease in pressure. (Photo by Joe Raedle/Getty Images)
Claim:
A water treatment plant in Florida reported that it was successfully taken over by someone who attempted to alter chemical levels in the public water supply.

On Feb. 8, 2021, officials from Florida's Pinellas County held a news conference in which they announced that "an unlawful intrusion into the city of Oldsmar computer system that [controls] its water treatment plant" had occurred a few days prior on Feb. 5. The intruder was allegedly able to initiate a hundredfold increase in the concentration of a chemical used to balance water pH at a water treatment facility in the Gulf Coast town of Oldsmar, Florida.

As reported by Wired, the assertions "have yet to be corroborated firsthand by external security auditors," but local law enforcement officials say that computer logs support the finding, which was first reported by an employee of the plant. Here is everything we know about the incident at this time.

What Happened?

The incident was observed by an employee of the Oldsmar plant and reported to the Pinellas County Sheriff's Department. The sheriff's department, in turn, reported the incident to the FBI.

Oldsmar's water treatment facility used a desktop sharing program, TeamViewer, that allows multiple people to remotely access a central computer that can control some of the plant's functions. At around 1:30 p.m. on Feb. 5, the employee observed someone access the system remotely "for about three to five minutes, opening various functions on the screen," according to Pinellas County Sheriff Bob Gualtieri. Most significantly, Gualtieri said, "the hacker changed the sodium hydroxide from about 100 parts per million to 11,100 parts per million."

Speaking to The Washington Post, Haizhou Liu, an associate professor of chemical and environmental engineering at the University of California at Riverside, explained that sodium hydroxide, also known as lye, is used in water treatment plants to reduce the acidity of drinking water, which is generally mildly acidic when it comes out of the ground. "They use sodium hydroxide to make the pH slightly basic," he said. An excess amount added to the water, however, could make it basic enough to damage human cells and corrode pipes, he explained.

TeamViewer, the desktop sharing company, disputed that its system was compromised. “We don’t have any indication that our software or platform has been compromised,” spokesman Patrick Pickhan told the Post, pointing instead to unlawfully obtained login credentials. “TeamViewer stands ready to support relevant authorities in their investigation of the technical details such as how the cyber criminals potentially obtained login credentials, which are set and encrypted solely on the device,” he said.

Immediately after the intruder exited the computer system, according to Gualtieri, the employee returned the levels to normal.

Was the Public Ever at Risk?

Officials have stated that, while the incident was troubling from a cybersecurity perspective, the public was never in danger as a result of the intrusion. "Because the operator noticed the increase and lowered it right away, at no time was there a significant adverse effect on the water being treated," Gualtieri said. "Importantly, the public was never in danger." Several automated safeguards, like pH monitors, would have caught the increase even if the operator had not observed that change, he said. Further, he explained, "it would have taken between 24 and 36 hours for that water to hit the water supply system" following the sort of increase attempted in this incident.

“The protocols that we have in place ... they work. That’s the good news,” Oldsmar Mayor Eric Seidel said during the news conference.

Do We Know Who Is Responsible?

Outside of the outline provided by officials, few additional details have been released. "Did this come from down the street or outside the country?" Gualtieri asked rhetorically in an interview with Wired. "No idea."

In that interview, Gualtieri said that the intruder appeared to have compromised the plant's TeamViewer software and likely accessed it from somewhere on the internet. Network logs substantiate the plant operator's story, he added. Past that, Wired reported, Gualtieri "had little else to share about how the hacker accessed TeamViewer or gained initial access to the plant's IT network." Gualtieri also "provided no details as to how the intruder broke into the so-called operational technology network that controls physical equipment in industrial control systems."

In addition to the Pinellas County Sheriff’s Office, the FBI and the Secret Service are also investigating the case, reported the Tampa Bay Times.

We will update this article as new information becomes available, but the claim that a Florida water treatment plant reported an intrusion into its system that allowed an unknown entity to briefly alter chemical levels in a town's public water supply is "True."

Alex Kasprak is an investigative journalist and science writer reporting on scientific misinformation, online fraud, and financial crime.