City of Oldsmar, Florida narrowly avoids ‘hot water’ in remote cyberattack on its infrastructure

By Cameron Abbott, Rob Pulham and Jacqueline Patishman

News reports have surfaced reporting that a hacker in the US gained access to the Oldsmar’s water treatment plant system in an attempt to release a corrosive chemical into the Oldsmar’s water supply.

According to reports the hacker who breached the system last week gained access through a vulnerability in the plant’s remote access system being used by workers during the COVID-19 Pandemic.

The hacker very briefly increased the amount of sodium hydroxide (a chemical used to treat water acidity) by a factor of one hundred. Although it is not harmful in small quantities, this caustic chemical (commonly found in cleaning supplies such as drain cleaners) is toxic in larger volumes.

It has been reported that luckily, a vigilant supervisor working at the water treatment plant saw the hacker’s mouse move across the screen making changes to settings and was able to immediately revert the changes the intruder had made in the 3-5 minutes they were active.

The plant has since disabled its remote-access system and has reassured the public that there were other safeguards in place including manual monitoring that would have caught the changes within 24-36 hours before any increased level of the chemical in the water supply.

This security breach highlights the far more serious impacts that hackers can have when infiltrate weaknesses in utilities and other heavy asset industries.  It is essential that organisations pay close attention to their security measures to avoid getting into ‘hot water’.