Poison in the Water: The Physical Repercussions of IoT Security Threats


I’d wager few people had ever heard of Oldsmar, Florida, prior to 2021. That all changed in February when the city made headlines. The reason? An Internet of Things (IoT) security incident moved into the physical world.

A Tale of Lifted Lye Levels

At 8 a.m. local time on February 5, 2021, an operator at Oldsmar’s water treatment plant noticed someone had remotely entered the computer system he was watching and taken control of his mouse. The attacker used their control to change the amount of sodium hydroxide in the water from 100 parts per million to 11,000 — a potentially dangerous level of lye. If consumed, water tainted by this cyber-physical attack could have caused loss of vision, pain and shock, among other symptoms.