It was the sort of nightmare scenario cybersecurity experts have been warning of for years. On Friday morning, hackers gained access to the computerized system controlling the water supply in Oldsmar, the city at the north end of Tampa Bay, and tried to poison customers by altering the chemical balance in the water.
The hackers briefly succeeded, raising the level of sodium hydroxide from 100 parts per million to over 11,000. Sodium hydroxide, a lye, is a powerful chemical used to clean drains, pulp wood, make bleaches and perform innumerable other functions. In water-treatment plants, it’s used to slightly raise the acidity of the water to reduce corrosion and lead content. The chemical is harmful to humans when they’re exposed to it beyond certain levels.
“This is obviously a significant and potentially dangerous increase,” Pinellas County Sheriff Bob Gualtieri said on Monday. The attack was foiled before it could cause harm, though it was repeated at least once before it was ended, as hackers literally took over the controls of the Oldsmar water system as if they were employees of the utility. Employees routinely access the system remotely for monitoring purposes, so when hackers did, they went undetected.
A supervisor witnessed the second attack and prevented the chemicals from being dangerously altered before calling in the Sheriff’s Office. The FBI has since joined the hunt for the hackers, which quickly rippled into alarms across the state and the nation.
“It’s a security concern,” Palm Coast City Manager Matt Morton told the city council at the end of a workshop just before noon today. He sought to reassure them: Palm Coast was not, and is not, in danger of being hacked, though that degree of certainty can fluctuate: moments later, Morton was also discussing the need for spending on the system’s safety infrastructure.
“You can never be secure enough,” Morton said. “It’s something that caused us all to stop very early this morning, very late last night and say, let’s use this as a learning tool and continue as we move forward. It’s something that’s very scary, very real, and it’s unfortunate to see that attack on a municipal water system in the state of Florida.”
He described the Oldsmar incident as “a very unfortunate, very serious attack on a municipal water system,” but not quite a surprise. “This is a conversation we’ve been having as municipal leaders for years,” Morton said.
“I don’t want to get into any detail for obvious reasons,” he said, before explaining in general terms why Palm Coast’s utility is relatively safe. “One, we do not use the system that was compromised, thankfully, IT moved from that years ago because of vulnerabilities. More importantly, IT has been working on a project for some time to follow industry best practices and isolate all of our critical services off internet access, internet-facing servers.” The council will be hearing more about this in the future, as it will entail capital spending.