Last Friday, an employee at a small water treatment plant in Oldsmar, Florida witnessed an attempted cyber attack, in which an unknown person gained access to the plant’s computer system and increased the concentration of sodium hydroxide—also called lye—in the city’s drinking water supply to potentially dangerous levels, Pinellas County Sheriff Bob Gualtieri said in a press conference. The operator at the plant immediately noticed the change and returned the levels of the caustic substance to normal. The FBI is investigating the attack. No suspects have yet been named. C&EN asked experts to explain the potential consequences of high lye concentrations in drinking water.
The strong base sodium hydroxide (NaOH) is commonly used in water treatment plants to keep the pH of drinking water in check, since acidic water can corrode pipes and leach toxic chemicals, such as lead, out of the pipes and into the water, says Susan Masten, a civil and environmental engineer at Michigan State University. NaOH is caustic and in high concentrations can cause chemical burns to the skin or internal corrosive damage if ingested. It’s uncertain that the water would have been harmful to the public had it been released, says Haizhou Liu, a chemical and environmental engineer at the University of California, Riverside. There are multiple steps to treating water so it’s safe to drink, and NaOH can potentially be used at a number of points in the process, he says, including right before the water is released for distribution. Gualtieri said in the statement that had the operator not noticed the change, the tainted water would not have reached the public, since the pH of the water is checked multiple times before being released.
Gualtieri said that the hacker changed the NaOH level from 100 ppm to 11,100 ppm. But all three water experts that spoke to C&EN say it’s impossible to calculate what the pH of the water would have been after that increase, as they don’t know the stage of treatment where the increase was applied, the flow rate of the water at that stage, the release rate of the NaOH, or if the 11,100 ppm NaOH concentration reported by Gualtieri refers to the concentration of the solution being added or the target concentration for the drinking water. Because of the ongoing FBI investigation, Oldsmar assistant city manager Felicia Donnelly would not answer questions about the town’s water treatment process or the stage of treatment the hacker targeted.
Most municipal drinking water has a pH around 7.5, Liu says, although Masten points out it can be as high as 9. Up to a pH of around 10 or 11, it’s unlikely that people turning on the tap would have noticed a difference, Liu says. “It still looks like clean water. There’s no color in it,” although it might taste somewhat different, he says. Two past incidents of accidental NaOH release into drinking water resulted in drinking water with a pH of around 12. In both cases, people exposed suffered skin burns and gastrointestinal distress. However, exposure to lower NaOH concentrations may have effects after repeated or prolongued exposure, according to the Agency for Toxic Substances and Disease Registry.
Increasing the water’s pH could also cause the chlorine disinfectants added at the plant to be less effective, Masten says. And it could lead to contamination beyond metal leaching, says Susan Richardson, analytical environmental chemist at the University of South Carolina. A high pH could cause bacterial biofilms that build up inside the pipes to release into water. Most of the harmful microorganisms in biofilms are killed when the water is disinfected, she says, but biofilm breakdown could increase microbial concentrations, and if disinfection effectiveness is reduced, harmful microbe levels might increase in the water supply.
Most municipal water systems, even very small ones, use remote computer programs to control water treatment, Michigan State’s Masten says. These systems need fewer people to run and can be monitored from anywhere, even a phone. But unlike the old manual systems, where workers had to walk around the plant and change everything by hand, there’s a lot more opportunity for remote systems to be hacked, she says. Most systems have security in place to reduce this risk, she says. The unauthorized access of Oldmar’s water controls may have been due to flaws in computer security, according to a statement by the Commonwealth of Massachusetts warning public water suppliers of similar attacks.
This story was updated on Feb. 12, 2021, to clarify that Haizhou Liu was the person who said that people turning on the tap would be unlikely to notice a difference in water with a pH up to around 10 or 11. Pronoun usage in an earlier version made that attribution unclear.