Oldsmar water treatment plant incident allegedly caused by human error, not remote access cybersecurity breach

An official at the Oldsmar water treatment facility, outside Tampa, Florida, announced last month that the 2021 remote access cybersecurity breach was not a hack at all. The incident has now been described as a case of an employee inadvertently clicking on the incorrect buttons before notifying his supervisors of his blunder.

Al Braithwaite, former Oldsmar City Manager, described it as a ‘non-event’ that was resolved in two minutes, but said law enforcement and the media seized on the idea of a cyberattack and ‘ran with it,’ recent media reports have revealed. The attention resulted in a four-month Federal Bureau of Investigation (FBI) investigation, which Braithwaite said reached the same conclusion that employee error was to blame.

On Mar. 20, Braithwaite participated in a panel discussion at the American Society for Public Administration’s Annual Conference. “The FBI concluded there was nothing, no evidence of any access from the outside, and that it was probably the same employee who was purported to be a hero for catching it, was actually banging on his keyboard,” Braithwaite said.

A spokeswoman for the FBI's Tampa Field Office, which oversaw the federal inquiry in 2021, declined to comment on the probe or any findings, citing legal limits.

The staff at Oldsmar, which, according to Braithwaite, operates its water treatment facility on a network, was singled out for criticism in the many investigations brought on by the incident, including one by the Florida Office of Information Technology.

“Our staff felt like they were being accused [by investigators] of being the criminals,” he said. Braithwaite said state officials came in “to identify our many—I admit it, many—vulnerabilities,” and to suggest ways they could remedy them. He added that the investigations were “extremely taxing” on staff.

As for the employee who made the error and then reported it to his supervisors, Braithwaite said he has not been fired, nor should he have been.

“The employee did everything he was supposed to do,” he said. “I could say that they screwed up and that there was some kind of accountability that needed to be dished out.” Instead, Braithwaite said the responsibility rested with him as the city manager, as he was “responsible for everything that goes on there.”

“I wasn’t, but I should have been held accountable for the fact that it happened, even if they discovered later on that it didn’t really happen,” he added.

In February 2021, a joint cybersecurity advisory was issued by the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency (EPA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC). Additionally, onsite response to the Oldsmar water plant hack was provided by the Pinellas County Sheriff's Office (PCSO), the U.S. Secret Service (USSS), and the FBI.

The agencies detected a pattern of corrupt insiders and outside cyber actors using desktop-sharing software to victimize targets in a range of organizations, including those in the critical infrastructure sectors. In addition, cybercriminals targeted and exploited desktop-sharing software and computer networks running operating systems with end-of-life status, to gain unauthorized access to systems.

Apart from this advisory, the Commonwealth of Massachusetts issued a cybersecurity advisory for public water suppliers, detailing how these agencies can protect themselves from cyber attacks on water supplies.

Details from the Massachusetts agency reveal that TeamViewer remote access software, used with the water treatment plant's SCADA controls, was installed on one of several computers that plant personnel used to conduct system status checks and respond to alarms or any other issues that arose during the water treatment process.

“All computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed,” the advisory disclosed.

In May 2021, researchers from industrial cybersecurity firm Dragos revealed that an unnamed Florida water utility contractor hosted malicious code on their website, which seemingly targeted water utilities, particularly in Florida. More significantly, the code was accessed by a browser from the city of Oldsmar on the same day as the poisoning event at the city’s water utility. 

The hacker is believed to have inserted the malicious code into the footer file of the WordPress-based site associated with a Florida water infrastructure construction company, Dragos pointed out in its report, which it describes as an ‘investigative anecdote.’

Last January, the U.S. Administration announced it will extend the Industrial Control Systems (ICS) Cybersecurity Initiative to the water sector. The Water Sector Action plan outlines surge actions that will take place over the next 100 days to improve the cybersecurity of the sector. The action plan was developed in close partnership with the EPA, CISA, and the Water Sector Coordinating Council (WSCC).

By September, the EPA presented a document covering a cybersecurity support plan for public water systems (PWSs) to Congress. The plan looks into the methodology to identify specific PWSs for which cybersecurity support should be prioritized, in addition to prescribing timelines for making voluntary technical support for cybersecurity available to specific PWSs.
