Miami-Dade Water & Sewer Does Risk Assessment After Florida Water Plant Hack

TAMPA (CBSMiami/AP) – Secret Service and FBI cyber units are trying to determine who is behind the hack of a water treatment plant in Pinellas County.

According to investigators, on Friday, a supervisor at the plant in Oldsmar noticed a hacker, or hackers, controlling the computer system's mouse, opening various functions on the screen and changing the sodium hydroxide in the water supply from about 100 parts per million to 11,100 parts per million.

"This is obviously a significant and potentially dangerous increase. Sodium hydroxide, also known as lye, is the main ingredient in liquid drain cleaners," said Pinellas County Sheriff Bob Gualtieri.

According to the Centers for Disease Control, if ingested in large amounts sodium hydroxide can cause vomiting, chest and abdominal pain.

Gualtieri said the intruder was active for three to five minutes. When they exited, the plant operator immediately restored the proper chemical mix, he said.

The hacker who breached the system used a remote access program shared by plant workers.

Oldsmar officials have since disabled the remote-access system, and say other safeguards were in place to prevent the increased chemical from getting into the water.

Jose Cueto, interim director of Miami-Dade Water and Sewer, said the county's treatment plants have automatic sensors and undergo manual monitoring to guard against cyberattacks.

"At water and sewer, from a utility perspective, our immediate reaction of course was concern," he said.

Miami-Dade has undergone analysis and risk assessments for both physical and cyberattacks. Local police work with the Department of Homeland Security to make sure critical infrastructure remains safe.

"Our staff also undertake manual monitoring and testing of our treated water and water supply," Cueto said. "As a result, should there ever be a bad actor and a cybersecurity threat, our staff would take corrective action to minimize that risk."

In the Oldsmar breach, investigators said it wasn't immediately clear where the attack came from or whether the hacker was domestic or foreign.

Oldsmar is about 15 miles northwest of Tampa, which hosted the Super Bowl over the weekend. Officials warned other city leaders in the region about the incident and suggested they check their systems.

Experts say municipal water and other systems have the potential to be easy targets for hackers because local governments' computer infrastructure tends to be underfunded.

Robert M. Lee, CEO of Dragos Security and a specialist in industrial control system vulnerabilities, said remote access to industrial control systems such as those running water treatment plants has become increasingly common.

"As industries become more digitally connected we will continue to see more states and criminals target these sites for the impact they have on society," Lee said.

The leading cybersecurity firm FireEye attributed an uptick in hacking attempts it has seen in the last year mostly to novices seeking to learn about remotely accessible industrial systems. Many victims appear to have been selected arbitrarily and no serious damage was caused in any of the cases -- in part because of safety mechanisms and professional monitoring, FireEye analyst Daniel Kapellmann Zafra said in a statement.

"While the (Oldsmar) incident does not appear to be particularly complex, it highlights the need to strengthen the cybersecurity capabilities across the water and wastewater industry," he said.

What concerns experts most is the potential for state-backed hackers intent on doing serious harm targeting water supplies, power grids, and other vital services.

In May, Israel's cyber chief said the country had thwarted a major cyber attack a month earlier against its water systems, an assault widely attributed to its archenemy Iran. Had Israel not detected the attack in real-time, he said chlorine or other chemicals could have entered the water, leading to a "disastrous" outcome.

Russian state-backed hackers have in recent years penetrated some U.S. industrial control systems, including the power grid and manufacturing plants, while Iranian hackers were caught seizing control of a suburban New York dam in 2013. In no case was damage inflicted, but officials say they believe the foreign adversaries have planted software boobytraps that could be activated in an armed conflict.

(© Copyright 2021 CBS Broadcasting Inc. All Rights Reserved. The Associated Press contributed to this report.)