Poisoned Drinking Water

We’ve long known that systems and utilities are a target for hackers, but revelations like the one in Florida should give us all pause, as it may just be the start of a deadly escalation in the hacker’s playbook.

An unidentified threat actor attempted to poison a Florida city by hacking into its water treatment system, officials announced Monday.

Pinellas County Sheriff Bob Gualtieri announced that a hacker or hackers had attempted to increase the amount of sodium hydroxide—more commonly called lye— in the water supply of Oldsmar, Florida. The increase was from 100 parts per million to 11,100. If successful, the act could have poisoned many of the city’s 15,000 residents, although a public statement announced safeguards were in place that would have caught the change in PH levels before any harm was done.

Luck Is Not a Strategy

While you may be hoping that the attack was thwarted by robust cybersecurity measures, that’s not what happened.

An operator at the water treatment plant noticed an intrusion into its network on Friday, February 5 and immediately reversed the adjustment to the water’s lye content. While safeguards no doubt would have prevented the contaminated water from reaching the public, the activity has unsettling implications for the cybersecurity practices of public utilities.

The Pinellas County Sheriff’s Office, Secret Service, and FBI are all investigating the incident. 


  • Public utilities are critical infrastructure, including electrical utilities and water treatment plants are attractive and vulnerable targets for hackers due to their high potential for disruption.
  • The attacker might be state-sponsored as we saw when an Iranian hacker targeted a small dam outside of New York City. Today’s tools are readily available, which raises a new specter that future attacks could be perpetrated by lone individuals.
  • Many utilities rely on obsolete and/or outdated legacy software to run their systems, which can make them easier to compromise.
  • The same methods most commonly deployed by hackers against other targets, including spear-phishing, credential stuffing, and watering-hole attacks, still apply here. Poor data hygiene by employees and third-party vendors remains the highest risk.
  • We are well past midnight when it comes to the cybersecurity and the protection of critical operations systems. We’re not talking about red states or blue states: We’re talking about a state of emergency.