Support

Florida Water Treatment Plant Hit With Cyber Attack

April 10, 2023

On Friday, February 5, 2021, a hacker initiated an attack on an Oldsmar, Florida water treatment facility which briefly adjusted the levels of sodium hydroxide from 100 parts per million to 11,100 parts per million. This attack occurred about 15 miles from the location of, and two days before the Super Bowl. If successful, the attack would have increased the amount of sodium hydroxide to an incredibly dangerous level in the water supply. Fortunately, a vigilant employee saw the intrusion attempt as it was occurring, and stopped it.

As the article noted, “Experts say municipal water and other systems have the potential to be easy targets for hackers because local governments’ computer infrastructure tends to be underfunded.” This is not the first attempt to gain control over industrial control systems (ICS) at a water treatment facility. In April 2020, Israel’s National Cyber Directorate announced, “Reports have been received by the National Cyber Directorate about attempted attacks on command and control systems of wastewater treatment plants, pumping stations, and sewage.”

While the method of intrusion in the Florida attack was the abuse of remote access credentials that were shared between employees, there are many other approaches that hackers can and will take to infiltrate critical infrastructure facilities. With the increased interconnected-ness provided by the Internet, there are no longer many facilities that can rely on isolation or an air-gap for security. While state actors might be more focused on infiltrating the electric power grid, they may find it easier to attack seemingly less critical and less protected municipal facilities.

So did the attack happen? Did the Florida Water Treatment Plant Get Hit by a Cyberattack?

Two years after the incident and further investigations have casted doubt on the incident itself. Reports from 2023 put into doubt whether the purported cyberattack actually occurred, or if it was instead an inside job, possibly due to an error made by an employee.

Al Braithwaite, who was Oldsmar’s city manager at the time of the Feb. 2021 incident, claimed that the FBI has ruled privately that the hacking incident did not occur.

Despite the lingering questions and controversies surrounding the incident, as of today, the FBI has not issued a formal ruling or publicly concluded their investigation into the matter, even two years after the incident initially came to light. Current Oldsmar City Manager Felicia Donnelly has also declined to comment on the incident and asked to direct all questions to the appropriate authorities.

Could This Attack Have Been Avoided?

From what we know about this cyber incident, it could have been prevented with more securely configured remote engineering access. This facility was allowing remote access into their ICS systems with a software package called TeamViewer, which was not securely configured (and may not have even been authorized software). In addition to the insecure remote access problem, there is another operational issue that comes to mind. Why did the HMI application allow such a value for sodium hydroxide?

Despite questions on the validity of the incident, the plausibility of the attack, especially for critical infrastructures should still be considered. Employing proper security measures ensures that they are up to standard and prevents future incidents or scares.

As our Principal Risk and Solutions Consultant, Jeremy Morgan, put it, “That’s just poor design, unless the attacker also modified the settings files or something even deeper. Engineering teams should never build an HMI that allows this, and even if you need it for emergencies or maintenance, there should be manual lockouts on the valve requiring human intervention. This is control system 101 territory.”

All infrastructure facilities need to be more aware of cybersecurity issues. There are two main facets of awareness. The first facet is employee training (and re-training) on best practices for cybersecurity. In the case of the Florida treatment facility, the incident might have been prevented by better password security practices and rules on sharing accounts among employees. The second facet is having the appropriate cybersecurity products to apply and audit security best practices, quickly identify intrusions, and provide contextual alerts to experts who can mitigate an attack.

What You Can Do to Mitigate the Remote Access Risk Vector

As OT cybersecurity attacks increase, companies need to be more proactive about implementing stronger cybersecurity controls and selecting the right tools to help them do this. While many security products have an IT focus, critical infrastructure teams need a tool that is purpose-built for ICS environments, since these systems have a unique set of vendor products (hardware and software) and associated requirements, such as NERC CIP, that must be met to adequately provide protection against cybersecurity threats.

If you are a current Industrial Defender customer, you can create a software inventory report and filter to see what remote access software is in your OT systems and which devices are using it. Make sure to look at interfaces on key computers in the system for unauthorized outside connections to identify alternate remote access paths. Accounts frequently used for remote access should also change passwords often, even with 2FA enabled. To learn more about how you can use Industrial Defender to secure OT remote access, check out this infographic.