An unknown hacker remotely accessed an industrial control computer system at a water treatment plant in Florida, and managed to increase the amount of sodium hydroxide in the supply to potentially dangerous levels, police said.
Sodium hydroxide or lye is used to regulate the alkalinity of drinking water and to remove metals in the supply.
A strongly caustic substance, lye is also used as a liquid drain cleaner.
The hacker accessed the system twice last Friday morning, United States time.
Both attempts were spotted by a treatment plant operator for the City of Oldmar, Pinellas County sheriff Bob Gualtieri told media at a press conference.
Gualtieri said that the second computer intrusion which lasted three to five minutes at 1.30pm saw the hacker raise the levels of sodium hydroxide from 100 parts per million (ppm) to 11,100 ppm in the water supply.
Such an increase is significant and potentially dangerous, Gualtieri added.
The computer system had been set up for remote access with the TeamViewer application.
Thanks to that, the operator was able to follow the hacker's actions on the screen, observing the mouse move around to activate various software-controlled water treatment functions, Gualtieri said.
Once the hacker exited the remote access session, the plant operator immediately set the level of sodium hydroxide back to the appropriate 100 ppm level, the sheriff said.
"Because the operator noticed the increase and lowered it right away, at no time was there a significant adverse effect on the water being treated," Gualtieri said.
"Importantly, the public was never in danger," he added.
Gualtieri said that it would have taken 24 to 36 hours before the increased amounts of sodium hydroxide entered the water supply, and that there are further checks before water is released to some 15,000 Oldsmar residents.
A criminal investigation is underway but so far there are no indications as to why the hacker tried to poison the water supply, or clues to the person's identity and location.