Oldsmar water plant intrusion occurred after code exposure: firm

Opt-in to Cyber Safety. Multiple layers of protection for your devices, online privacy and more.

The incident “highlights the importance of controlling access to untrusted websites,” security company Dragos wrote.

OLDSMAR, Fla. — A person on the city of Oldsmar’s computer network went to a website that had been compromised with malicious code on the same day someone accessed its water system and changed chemical levels to poisonous levels, security company Dragos said in a blog post.

Although the code likely did not lead to the actual intrusion, the company in part said the threat “does represent an exposure risk to the water industry and highlights the importance of controlling access to untrusted websites.”

Pinellas County Sheriff Bob Gualtieri announced Monday, Feb. 8, that on the previous Friday, an operator at Oldsmar’s water treatment plant noticed the cursor on his computer screen moving around. It was during this instance that the person on the other end was making changes to the facility’s systems and controls.

RELATED: ‘This is dangerous stuff’: Hacker increased chemical level at Oldsmar’s city water system, sheriff says

Those adjustments, if they weren’t caught in time, could have poisoned the water supply for a city of about 15,000 people. The intruder changed levels of sodium hydroxide, or lye, from 100 parts per million to 11,100 parts per million. The chemical helps to control pH levels in the water but at such a high level, it is considered corrosive to any human tissue it touches.

Author Kent Backman with Dragos wrote the company in its investigation discovered the malicious computer code on the website of an unnamed Florida water utility contractor. The code was placed seemingly to target water utilities and, as Dragos found, had been accessed more than 1,000 times during the course of a 58-day window starting in December 2020.