Florida city water cyber incident allegedly caused by employee error

The Oldsmar, Florida, water treatment plant was the target of a cyberattack in 2021, which raised concerns about the cyber vulnerability of crucial infrastructure.

Reports at the time claimed that a worker at the company witnessed his computer being accessed and managed remotely. The amount of sodium hydroxide, also known as lye, in the water was adjusted from approximately 100 parts per million to 11,100 parts per million as soon as his mouse was moved to open functions to manage water treatment processes. As soon as the chemical was decreased to the right amount, the operator informed a supervisor.

The alleged hack led to joint federal advisory warning operators of water treatment facilities of the dangers they faced from hackers and urging them to upgrade their security systems, as well as an investigation led by the FBI and the U.S. Secret Service. Subsequent press conferences by Pinellas County Sheriff Bob Gualtieri and other top officials helped the incident gain international attention.

Nevertheless, one official who worked for the city at the time claims that the incident was not at all a hack and that instead, an employee accidentally clicked on the wrong buttons before notifying his superiors of his mistake.

Al Braithwaite, the former city manager of Oldsmar, called it a “non-event” that was resolved in two minutes, but he added that police enforcement and the media were involved.

On March 20, Braithwaite participated in a panel discussion at the American Society for Public Administration’s Annual Conference. “The FBI concluded there was nothing, no evidence of any access from the outside, and that it was probably the same employee who was purported to be a hero for catching it, was actually banging on his keyboard,” Braithwaite said.

A Tampa Field Office of the FBI spokeswoman who oversaw the federal inquiry in 2021 denied making any comments on the probe or any findings, citing legal limits.

The staff at Oldsmar, which, according to Braithwaite, operates its water treatment facility on a network, was singled out for criticism in the many investigations brought on by the incident, including one by the Florida Office of Information Technology.

“Our staff felt like they were being accused [by investigators] of being the criminals,” he said. Braithwaite said state officials came in “to identify our many—I admit it, many—vulnerabilities,” and to suggest ways they could remedy them. He added that the investigations were “extremely taxing” on staff.

As for the employee who made the error and then reported it to his supervisors, Braithwaite said he has not been fired, and nor should he have been.

http://www.infracritical.com

Bob is the founder, owner and co-moderator of the SCADASEC mailing list, and has written several books on topics pertaining to critical infrastructure research and cybersecurity.