Cyberattack of Oldsmar Water Treatment Facility Could Have Been Lethal


Every executive, director and manager involved in security for our critical infrastructure should have a poster on their office wall with a picture of a water treatment facility and the slogan, “Remember Oldsmar!”

What happened at Oldsmar Water Treatment Facility?

In early February of 2021, the Friday before the Super Bowl in Tampa Bay, a hacker gained access to the control systems for the Oldsmar Water Treatment facility and increased the sodium hydroxide levels in the city’s water from 100 parts per million to 11,100 parts per million. If allowed to reach the public, the results could have been lethal.

Sodium hydroxide in small amounts is used to keep water systems clean. However, the compound is also used in cleaning supplies such as drain cleaners. In higher concentrations it can cause irritation, burns and other harm to people.

Though various officials state that existing controls would likely have prevented contaminated water from reaching the public even if the operator had not seen the change, people are concerned about the ease with which a hacker was able to gain remote access. The infiltrator quickly reached the systems controlling chemical levels and began to make changes. Both the person’s familiarity with the system and their actions demonstrate a malicious intent that should concern everyone who oversees critical infrastructure.

For more information, federal agencies have released a report entitled, “Compromise of U.S. water treatment facility” that summarizes the incident.

What are the key issues to be aware of?

  • Supervisors at the facility manually monitor the systems. The software security controls did not report the dangerous changes before the manual operator saw what was happening and changed the chemical levels back to normal.
  • Remote access to systems managing critical infrastructure has become a necessity. People operating in the field and consultants routinely access systems or provide support from remote locations. Because remote access is so routine, facility monitors did not recognize the infiltrator’s actions as malevolent until the chemical changes started to take place.
  • Network IT security did not prevent the attacker from gaining access through software vulnerabilities and did not notify personnel there was a cyberattack underway.
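As an added illustration (not code from the original article), here is a small monitor that applies plausibility bounds to HMI setpoint writes, so a jump like 100 ppm to 11,100 ppm raises an alert immediately instead of waiting for an operator to notice. The sample writes, the field layout and the bounds are constructed assumptions for this example, not plant data or limits.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample of HMI setpoint writes (not real plant records). Fields:
# timestamp, tag, old value, new value, session that performed the write.
SAMPLE_WRITES = [
    "2021-02-05T08:00:00,NaOH_DOSE_SP_PPM,100,100,local:operator1",
    "2021-02-05T13:30:00,NaOH_DOSE_SP_PPM,100,11100,remote:desktop-sharing",
    "2021-02-05T13:32:00,NaOH_DOSE_SP_PPM,11100,100,local:operator1",
]

# Assumed bounds for illustration; real values come from the process engineers.
MAX_SAFE_PPM = 150.0   # highest setpoint an operator would legitimately enter
MAX_STEP_RATIO = 2.0   # flag any single write that more than doubles the setpoint


@dataclass
class Alert:
    timestamp: str
    tag: str
    reason: str
    old: float
    new: float
    source: str


def check_write(line: str) -> list[Alert]:
    """Evaluate one setpoint write against the plausibility rules."""
    ts, tag, old_s, new_s, source = line.split(",")
    old, new = float(old_s), float(new_s)
    alerts: list[Alert] = []
    if new > MAX_SAFE_PPM:
        alerts.append(Alert(ts, tag, "setpoint above safe bound", old, new, source))
    if old > 0 and new / old > MAX_STEP_RATIO:
        alerts.append(Alert(ts, tag, "setpoint step too large", old, new, source))
    if source.startswith("remote:") and new != old:
        alerts.append(Alert(ts, tag, "setpoint changed from remote session", old, new, source))
    return alerts


def scan(lines: list[str]) -> list[Alert]:
    """Run every write through the rules and collect the alerts."""
    out: list[Alert] = []
    for line in lines:
        out.extend(check_write(line))
    return out


if __name__ == "__main__":
    for a in scan(SAMPLE_WRITES):
        print(f"{a.timestamp} {a.tag} {a.reason}: {a.old} -> {a.new} via {a.source}")
```

Only the 100 to 11,100 write trips the rules; the operator's corrective write back to 100 passes, so the alert stream stays quiet during normal operation.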

What can be done?

Though many security recommendations have been made such as updating passwords, setting tighter access requirements and updating operating systems, none of these steps greatly enhances security.

Implementing a Zero Trust+ network, in which devices, systems and people using operational technology must verify they are trustworthy before moving between endpoints in an IT network, is the most effective way of eliminating data breaches and securing your critical infrastructure.

Key Quotes

“Early information indicates it is possible that a desktop sharing software, such as TeamViewer, may have been used to gain unauthorized access to the system, although this cannot be confirmed at present date.” – Compromise of U.S. Water Treatment Facility report

“We don’t know right now whether the breach originated from within the United States or outside the country.” – Bob Gualtieri, Sheriff, Pinellas County, Florida

“Remote access has been allowed because it allows Plant personnel to access the system while out in the field, and the consultant needs access in order to assist the staff in making programming adjustments/changes quickly, if necessary.” – Eric Seidel, Mayor, Oldsmar

“Luckily somebody stopped it beforehand, but what it did was open my eyes that there’s something going on in our state… We might have some more cyberattacks in the future, which really could put people’s lives at risk if we don’t get this under control sooner than later.” – Nikki Fried, Florida Agriculture Commissioner