On Feb. 5, 2021, a plant operator for the city of about 15,000 on Florida’s west coast saw his cursor being moved around on his computer screen, opening various software functions that control the water being treated.

What happened at Oldsmar Water Treatment Facility?

The Friday before the Super Bowl in Tampa Bay, a hacker gained access to the control systems for the Oldsmar Water Treatment facility and increased the sodium hydroxide levels in the city’s water from 100 parts per million to 11,100 parts per million. If allowed to reach the public, the results could have been lethal.

Sodium hydroxide in small amounts is used to keep water systems clean. However, the compound also is used in cleaning supplies such as drain cleaners. In higher concentrations, it can cause irritation, burns and other harm to people.

State officials reported that existing controls would have likely prevented contaminated water from reaching the public. However, people are concerned about the ease with which the hacker was able to gain remote access.

The infiltrator quickly accessed the systems controlling chemical levels and began to make changes. Both the person’s awareness of the system and their actions demonstrate a malicious intent that should concern everyone who oversees critical infrastructure.

For more information, federal agencies have released a report entitled “Compromise of U.S. Water Treatment Facility” that summarizes the incident.

What are the key issues to be aware of?

  • The software security controls did not report the dangerous changes before the manual operator saw what was happening and changed the chemical levels back to normal.
  • People operating in the field and consultants routinely access systems or provide support from remote locations. Remote access to systems managing critical infrastructure has become a necessity. Because people frequently access systems remotely, facility monitors did not initially see the infiltrator’s actions as malevolent until the chemical changes started to take place.
  • Network IT security did not prevent the attacker from gaining access through software vulnerabilities and did not notify personnel there was a cyberattack underway.
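A defender-side illustration of the first and third issues above: a setpoint-change guard that rejects or flags a change outside a safe envelope before an operator has to notice it on screen. This is an added example, not code from the facility, the federal report, or Onclave; the audit-trail line format, the tag name NaOH_SETPOINT_PPM, the limits and every sample line are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Safe operating envelope per control tag. The tag name and all limits are
# constructed for this example; a real plant's limits come from its process
# engineers and its regulator, not from a code file.
SETPOINT_LIMITS = {
    "NaOH_SETPOINT_PPM": {"min": 50.0, "max": 200.0, "max_step": 20.0},
}

# Constructed record format for setpoint changes captured from the HMI/SCADA
# audit trail (one line per attempted change).
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) session=(?P<session>\w+) user=(?P<user>[\w-]+) "
    r"tag=(?P<tag>\w+) old=(?P<old>[\d.]+) new=(?P<new>[\d.]+)$"
)


@dataclass
class Alert:
    ts: str
    tag: str
    user: str
    session: str
    old: float
    new: float
    reasons: list


def check_change(ts, session, user, tag, old, new):
    """Judge one setpoint change. Returns None if it is within policy,
    otherwise an Alert listing every rule it broke. Meant to run both as a
    pre-commit guard on the control path (reject when not None) and as a
    detection feed for the security team."""
    limits = SETPOINT_LIMITS.get(tag)
    if limits is None:
        return None  # tag not covered by the envelope: nothing to judge against
    reasons = []
    if not (limits["min"] <= new <= limits["max"]):
        reasons.append(
            f"value {new} outside safe range {limits['min']}-{limits['max']}"
        )
    if abs(new - old) > limits["max_step"]:
        reasons.append(f"step {abs(new - old)} exceeds max_step {limits['max_step']}")
    # Remote origin is not a violation by itself (field staff and consultants
    # legitimately work remotely), but it raises the priority of a violation.
    if reasons and session == "remote":
        reasons.append("change originated from a remote session")
    if not reasons:
        return None
    return Alert(ts, tag, user, session, old, new, reasons)


def scan_log(lines):
    """Run check_change over audit-trail lines; returns the alerts in order."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a setpoint-change record (heartbeats, etc.)
        alert = check_change(
            m["ts"], m["session"], m["user"], m["tag"],
            float(m["old"]), float(m["new"]),
        )
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample audit trail. The fourth line mirrors the 100 -> 11,100 ppm
# change described in the incident, issued from a legitimate remote account;
# the others are routine adjustments.
SAMPLE_LOG = [
    "2021-02-05 08:02:10 session=local user=operator-1 tag=NaOH_SETPOINT_PPM old=100 new=105",
    "2021-02-05 08:15:33 heartbeat ok",
    "2021-02-05 09:40:27 session=remote user=consultant-1 tag=NaOH_SETPOINT_PPM old=105 new=100",
    "2021-02-05 13:30:12 session=remote user=consultant-1 tag=NaOH_SETPOINT_PPM old=100 new=11100",
    "2021-02-05 15:05:01 session=local user=operator-2 tag=NaOH_SETPOINT_PPM old=100 new=190",
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a.ts} {a.tag} {a.old} -> {a.new} by {a.user} ({a.session}): "
              + "; ".join(a.reasons))
```

Two design points worth noting. The account on the dangerous change is a legitimate one, so identity alone would not have caught it; the value and the size of the step are what trip the guard. And a remote session is not treated as a violation, since routine remote work is exactly what the facility relied on; it only raises the priority of a change that already broke a rule.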

What can be done?

Many security recommendations have been made, such as updating passwords, setting tighter access requirements and updating operating systems. These steps are good standard network hygiene, but they do not solve the critical network security issues. Implementing a network based on Zero Trust can address these issues.

Zero Trust requires that every node on the network be verified as trustworthy before traffic is allowed to move between endpoints. This is the most effective way of eliminating data breaches and securing your critical infrastructure. Zero Trust is a proven cybersecurity practice.

Key Quotes

“Luckily somebody stopped it beforehand, but what it did was open my eyes that there’s something going on in our state… We might have some more cyberattacks in the future, which really could put people’s lives at risk if we don’t get this under control sooner than later.”
– Nikki Fried, Florida Agriculture Commissioner

“Early information indicates it is possible that a desktop sharing software, such as TeamViewer, may have been used to gain unauthorized access to the system, although this cannot be confirmed at present date.”
– Compromise of U.S. Water Treatment Facility report

“Remote access has been allowed because it allows Plant personnel to access the system while out in the field, and the consultant needs access in order to assist the staff in making programming adjustments/changes quickly, if necessary.”
– Eric Seidel, Mayor, Oldsmar
