How Hackers Tried to Add Dangerous Lye into a City’s Water Supply

On February 5, an unknown cyberattacker tried to poison the water supply of Oldsmar, Fla. City officials say the targeted water-treatment facility had a remote-access software system that let staff control the plant’s computers from a distance. The hacker entered the system and set it to massively increase sodium hydroxide levels in the water. This chemical (better known as lye) was originally set at 100 parts per million, an innocuous amount that helps control the water’s pH levels. The attacker tried to boost that to 11,100 ppm, high enough to damage skin and cause hair loss if the water contacts the body—or, if it is ingested, to cause potentially deadly gastrointestinal symptoms. Fortunately, a staff member noticed the attack as it was happening and restored the correct settings before anything changed.

How much of a broader threat might attacks like this pose to public facilities, and what can be done to protect them? Scientific American asked Ben Buchanan, a professor specializing in cybersecurity and statecraft at Georgetown University’s School of Foreign Service.

[An edited transcript of the interview follows.]

What might make city infrastructure like a water treatment plant vulnerable to hackers?

Speaking generally, the challenge with a lot of these facilities is oftentimes that they are older, or they just don’t have the security infrastructure that we would want to guard against hackers. So, if the systems are not as secure as we would like, but their internet is accessible, that is a recipe for trouble.

Who might have been responsible for the attack?

Oftentimes the thing about targeting an industrial control system is that, in order to have the effect you want as an attacker, you need to understand the system reasonably well. If you’re truly a foreign attacker, you want to do a lot of reconnaissance on the system. If you’re an insider, you already have that kind of knowledge. A lot of times the people who carry out cases like this—of which there are not that many—were disgruntled employees who already knew the system and how to manipulate it. [But in this case] it is too soon to say, ‘This is a disgruntled employee,’ and it’s definitely…