How an attentive employee prevented a cyberattack on the drinking water supply in Oldsmar, Florida
Author: Dr. Frank Stummer
In early February this year, the 15,000 residents of Oldsmar, Florida, escaped having their drinking water poisoned because an employee noticed suspicious activity and prevented it from taking place.
What happened?
On the morning of Friday 5th February, the operator in charge (i.e. the employee assigned to monitor and operate the water supply) noticed remote access to the system. Such remote access was not unusual in itself, as the supervisor also regularly worked in the system from outside the actual control room. A few hours later, shortly after noon, the operator saw something very suspicious: his mouse moved across the screen on its own, opened various applications and finally increased the dosing of sodium hydroxide – a lye used in small concentrations for drinking water treatment, but harmful to health in large concentrations – from 100 ppm to 11,100 ppm, i.e. by more than 100 times. Overall, this took only about three to five minutes.
The operator immediately adjusted the concentration back to the correct level and alerted his colleagues and the relevant authorities. The systems were examined for digital traces and the FBI started investigations (unfortunately without success to date). Security measures were also strengthened very quickly, and remote access is no longer so easily possible. I can highly recommend the recording of the press conference which the sheriff in charge gave together with the Mayor of Oldsmar and a manager from the water supplier a few days later – in my opinion, an exemplary way of informing the public, which otherwise does not happen so often in similar cases.
Cyberattacks are ongoing and increasing – but there are some good protective measures available
Such cyberattacks on critical infrastructures and corporate IT networks in general do happen – and they are increasing. Just a few days ago, a state of emergency was declared in the eastern United States after an extortion attack crippled Colonial Pipeline's fuel transportation network. Without elaborating too much: all types of IT networks, whether those of municipalities, industrial companies, critical infrastructures or other organisations, have been affected.
However, it is not the case that we are defencelessly at the mercy of an "evil world" of hackers, criminals and terrorists. On the contrary, as with all other types of risks, there are a whole host of protective measures which, particularly in a prudent (and cost-effective) combination, enable a sufficient level of security. Just as we protect ourselves from intruders with lockable doors and windows, we use firewalls, network monitoring systems, virus detection and more.
Good to know: even if the attack had not been discovered immediately in Oldsmar, the far too high concentration of lye would in any case have been noticed by regular chemical monitoring before the drinking water reached the consumers. It is a good example of a combination of protective measures from entirely different areas.
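The layering described above (an operator watching the screen, plus chemical monitoring that does not depend on the control system at all) can also be backed by a simple technical control: a plausibility check on every dosing setpoint change. The following is an added illustration, not code from the article, from the Oldsmar utility or from any vendor. The only figures taken from the article are the setpoint values 100 ppm and 11,100 ppm; the event format, the safe operating range, the permitted step ratio, the session source labels and the downstream sample value are assumptions made for the example.

```python
"""Added example: plausibility guard for a chemical-dosing setpoint plus an
independent downstream check. Assumed values are marked as such."""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed operating envelope for the NaOH dosing setpoint, in ppm.
SAFE_MIN_PPM = 50.0
SAFE_MAX_PPM = 200.0
# Assumed maximum factor by which a single change may move the setpoint.
MAX_CHANGE_RATIO = 2.0


@dataclass
class SetpointChange:
    timestamp: str
    user: str
    source: str      # assumed labels: "console" (control room) or "remote"
    old_ppm: float
    new_ppm: float


def check_setpoint(change: SetpointChange) -> List[str]:
    """Return alarm texts for one change; an empty list means it is plausible."""
    alarms: List[str] = []
    # Layer 1: absolute bounds, independent of who made the change.
    if not SAFE_MIN_PPM <= change.new_ppm <= SAFE_MAX_PPM:
        alarms.append(
            f"out of range: {change.new_ppm:g} ppm not in "
            f"[{SAFE_MIN_PPM:g}, {SAFE_MAX_PPM:g}]"
        )
    # Layer 2: rate of change; a routine adjustment moves the value a little,
    # a jump by two orders of magnitude does not happen in normal operation.
    if change.old_ppm > 0 and change.new_ppm > 0:
        ratio = max(change.new_ppm, change.old_ppm) / min(change.new_ppm, change.old_ppm)
        if ratio > MAX_CHANGE_RATIO:
            alarms.append(f"step change x{ratio:.0f} exceeds x{MAX_CHANGE_RATIO:.0f}")
    # Layer 3: context; an implausible change from a remote session should be
    # confirmed by somebody physically in the control room before it is applied.
    if alarms and change.source == "remote":
        alarms.append("remote session changed a dosing setpoint; require on-site confirmation")
    return alarms


def check_downstream_sample(measured_ppm: float, limit_ppm: float = SAFE_MAX_PPM) -> bool:
    """Independent chemical monitoring: judge the water itself, not the setpoint.
    Returns True when the measured concentration exceeds the limit."""
    return measured_ppm > limit_ppm


def triage(events: List[SetpointChange]) -> List[Tuple[str, List[str]]]:
    """Run the guard over a series of changes and keep only those raising alarms."""
    return [(e.timestamp, check_setpoint(e)) for e in events if check_setpoint(e)]


# Constructed sample events: a routine morning adjustment by the supervisor, and
# the kind of jump the article describes (100 ppm to 11,100 ppm) from a remote session.
SAMPLE_EVENTS = [
    SetpointChange("2021-02-05T08:10", "supervisor", "remote", 100.0, 110.0),
    SetpointChange("2021-02-05T12:30", "unknown", "remote", 100.0, 11100.0),
]

if __name__ == "__main__":
    for ts, alarms in triage(SAMPLE_EVENTS):
        print(ts, *alarms, sep="\n  ")
    # Constructed downstream sample: the value a lab or inline analyser might
    # report if the change above had gone through unnoticed.
    print("downstream sample exceeds limit:", check_downstream_sample(11100.0))
```

The point of the three layers is that they fail independently: the bound check needs no knowledge of who is logged in, the step-ratio check catches a value that happens to sit inside the range but moved implausibly fast, and the downstream measurement catches anything the control system itself reports incorrectly. The thresholds here are placeholders; a real plant would take them from its own process limits.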
The most important factor is and remains the human being
The most important factor is the employees. They operate the plants, monitor the facilities and systems – and they must be able to react if something is wrong (incidentally, not only for security and safety reasons, but also if there are technical faults etc.). The operator in the control room in Oldsmar was perhaps initially shocked when the mouse moved on his screen as if by magic, but he was trained and knew how to react.
There is absolutely no reason to panic, even in the case of attacks on such vital infrastructure as the water supply; what matters is the systematic implementation of protective measures based on reasonable standards. All technical measures are worth little if people are not able to handle them. Regular training is always the necessary basis.
About the author
Dr. Frank Stummer is the co-founder of several companies in the high-tech sector, including ipoque GmbH and Adyton Systems AG, both of which were acquired by a corporate group, as well as Rhebo GmbH, a company for information security and network monitoring for Industry 4.0. Previously, he worked as a management consultant for major international corporations. Dr. Stummer studied business administration at the TU Bergakademie Freiberg and completed his doctorate on venture capital partnerships at the Fraunhofer Institute for Systems and Innovation Research in Karlsruhe.