Water Treatment System Hack is a Warning to Critical Infrastructure Organizations

On February 5, 2021, a hacker remotely accessed a Florida city’s water treatment network and increased the level of sodium hydroxide (lye) in the water supply.

The attack on the City of Oldsmar’s water supply system is a stark reminder that critical infrastructure organizations must prepare for and defend against similar attacks.

The incident underscores the need for utilities, oil and gas providers, and other owners of critical infrastructure to monitor their operational technologies (OT) and industrial control systems (ICS), and secure remote access as part of a robust security program.

It is not a matter of “will it happen?”; rather, it is a matter of “when will it happen?”.

When critical infrastructure and the computer systems that run and manage it are exposed to the internet, the risks of compromise increase dramatically.

Utilities and other owners and operators of critical infrastructure (commercial facilities, communications, energy, financial services, information technology, and financial systems) must assess and limit those risks.

As the Oldsmar attack demonstrates, effective monitoring and secure remote access are two key components of an effective security program. All owners and operators of critical infrastructure must continuously and rigorously implement and update their security programs.

How the Attack Occurred

The computer system at the City of Oldsmar water treatment plant allows for remote access so authorized users can troubleshoot problems from other locations. A plant operator noticed a remote access user opening various functions in the plant computer system that control the amount of sodium hydroxide in the water. The hacker then changed the level of sodium hydroxide from 100 parts per million (ppm) to 11,100 ppm.

The operator immediately changed the setting back to the normal 100 ppm. According to city officials, other routine procedures would have caught the increased level before the water supply became available to residents.

The remote access program (TeamViewer) has had a number of known vulnerabilities.

Lessons Learned

Do You Have a Playbook for Incident Response?

The National Security Agency (NSA) and the Cybersecurity & Infrastructure Security Agency (CISA) have issued an alert with several recommended actions to reduce external exposure and minimize risks to OT and ICS.

Have a Resilience Plan for Operational Technologies

  • Remove functionalities that could increase risk and attack surface area.
  • Test and validate data backups and processes.

Exercise Your Incident Response Plan

Harden Your Network

  • Ensure all communications to remote devices use a virtual private network (VPN) with strong encryption and multifactor authentication.
  • Fully patch all internet-accessible systems, including the third-party software on those systems.

Implement a Continuous and Vigilant System Monitoring Program

  • Monitor for unauthorized controller change attempts.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Jack Pringle

Litigator, appellate advocate, regulatory and information technology attorney @adamsandreese, Information Privacy Professional (CIPP-US)