Florida city hit with unlawful intrusion of water treatment system

February 9, 2021

by Paul Ciampoli
APPA News Director
February 9, 2021

The Pinellas County Sheriff’s Office in Florida and the City of Oldsmar, Fla., recently disclosed the unlawful intrusion of the city’s water treatment system.

Detectives assigned to a Digital Forensics Unit are investigating an unlawful computer software intrusion at the city’s water treatment plant, the Sheriff’s Office’s said on its website.

On Feb. 5, 2021, the Pinellas County Sheriff’s Office was notified by the city that its computer system had been remotely accessed at 8:00 a.m. and 1:30 p.m. by an unknown suspect.

According to detectives, the City of Oldsmar’s computer control system at the water treatment plant allows for remote access by authorized users to troubleshoot any system problems from other locations.

“The initial intrusion at 8:00 a.m. was brief and not cause for concern due to supervisors regularly accessing the system remotely to monitor the system,” the Sheriff’s Office’s said.

 At 1:30 p.m., a plant operator witnessed a second remote access user opening various functions in the system that control the amount of sodium hydroxide in the water. The operator noted the remote access user raised the levels of sodium hydroxide in the water.

The operator immediately reduced the levels to their appropriate amount. The initial investigation revealed that the hacker remotely accessed the treatment plant’s control system for approximately 3 to 5 minutes.

Cybersecurity firm, Dragos Inc., has published a blog post on the subject: Recommendations Following the Oldsmar Water Treatment Facility Cyber Attack.

“While this incident did not involve an electric utility, the relevance to the electricity subsector cannot be understated,” said Sam Rozenberg, Senior Director of Security and Resilience at the American Public Power Association.

APPA continues to stress the importance of public power utilities joining the Electricity Information Sharing and Analysis Center (E-ISAC) for timely and actionable sharing of threats to the electricity subsector. To learn more about the E-ISAC and how to join, visit the E-ISAC website or contact E-ISAC Member Services.

Any questions can be directed to: cybersecurity@publicpower.org.