Hacker Attempts to Poison Water Treatment Plant in Florida

A water treatment plant in Florida was hacked to try and poison the drinking water of some 15,000 residents by changing the water's sodium hydroxide level — also known as lye — on Friday.

Officials made the announcement on Monday, detailing the incident that happened at the facility treating water for Oldsmar, a city northwest of Tampa.

An operator working at the plant noticed the computer intrusion as the mouse was remotely controlled, and clicked on various functions on the screen to change the level of sodium hydroxide to over 100 times its normal levels, as per the press release from the Pinelas County Sherriff's Office statement.

Luckily, the operator switched the levels right back down to their normal levels, and noone was in danger.

It still remains to be seen if the intruder was locally based in the U.S. or abroad. Investigations are underway to figure out who was behind this dangerous act. 

Even if the hacker had been successful and an operator had not been present to watch the change happening before his eyes on the computer, the water would have taken between 24 and 36 hours to reach the system, and the treatment facility's systems would have sent alerts about the change before the water could reach residents' homes. 

The effects of sodium hydroxide poisoning

Sodium hydroxide is used in small amounts to treat water's acidity and remove metals. It's also used as the active ingredient in liquid drain cleaners, aquarium products, oven cleaners, and more — and when used at high levels, is toxic. 

Sodium hydroxide poisoning symptoms include lung inflammation, difficulty breathing, throat swelling, severe abdominal pain, burns of the esophagus and stomach, vision loss, low blood pressure, skin irritation, and more, per the University of Florida Health.

Ultimately, no poisonous water was released, but the incident brings up the conversation surrounding remote access to critical infrastructure and utilities, and how to keep them safe from hacking. The simple solution would be to remove remote access, but that then limits companies' and facilities' access.