Hacker breaks into Florida water treatment facility, changes chemical levels

By Maria Henriquez
February 9, 2021

Hackers broke into a water treatment facility in Florida, gained access to an internal ICS platform and changed chemical levels, making the water unsafe to consume. 

Authorities in Pinellas County are investigating the incident with the help of federal and other local law enforcement agencies. Sheriff Bob Gualtieri said that on Friday, February 5, hackers remotely accessed a computer system that a plant operator was monitoring. The system ran remote-access software that lets authorized users troubleshoot system problems from other locations. "The remote access at 8 a.m. on Friday morning was brief and the operator didn't think much of it because his supervisor and others will remotely access his computer screen to monitor the system at various times," said the Sheriff.

Nothing happened from that intrusion early in the morning, Sheriff Gualtieri said. However, at 1:30 p.m., someone again remotely accessed the system; it showed up on the operator's screen, with the mouse being moved about to open various software functions that control the water being treated in the system. "The [hacker] remotely accessed the system for about three to five minutes, opening various functions on the screen. One of the functions opened by the hacker was one that controls the amount of sodium hydroxide in the water. The hacker changed the sodium hydroxide from about 100 parts per million to 11,100 parts per million," the Sheriff explained.

"This is obviously a significant and potentially dangerous increase. Sodium hydroxide, also known as lye, is the main ingredient in liquid drain cleaners. It's also used to control water acidity and [to] remove metals from drinking water in the water treatment plants. After the intruder increased the parts per million, the intruder exited the system and the plant operator immediately reduced the level back to the appropriate amount of 100," he said. 

Because the operator noticed the increase and lowered it right away, at no time was there a significant adverse effect on the water being treated. Importantly, the public was never in danger. Even if the plant operator had not quickly reversed the increased amount of sodium hydroxide, it would have taken between 24 and 36 hours for that water to reach the water supply system, and there are redundancies in place under which the water would have been checked before it was released, said Sheriff Gualtieri.
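The sequence described above, as an added defensive example that is not part of the article or the code of any vendor quoted in it: a small monitor that reads a constructed HMI/remote-access audit log and raises alerts for setpoint writes outside engineering limits, for abrupt steps, and for any write that lands while a remote session is open or that session comes from an untrusted source. The log format, tag name, limits, user names and addresses are all assumptions.

```python
import re

# Constructed audit log modelled on the reported sequence: a brief morning
# remote session, then an afternoon session during which the sodium hydroxide
# setpoint jumps from 100 to 11,100 ppm before the operator restores it.
# Format, timestamps, user names and addresses are all assumptions.
SAMPLE_LOG = """\
2021-02-05 08:00:12 REMOTE_SESSION_START user=supervisor src=10.0.5.20
2021-02-05 08:02:40 REMOTE_SESSION_END user=supervisor src=10.0.5.20
2021-02-05 13:30:05 REMOTE_SESSION_START user=operator src=203.0.113.7
2021-02-05 13:32:48 SETPOINT_CHANGE tag=NaOH_ppm old=100 new=11100
2021-02-05 13:34:51 REMOTE_SESSION_END user=operator src=203.0.113.7
2021-02-05 13:36:10 SETPOINT_CHANGE tag=NaOH_ppm old=11100 new=100
"""

# Assumed engineering limits: a write outside the safe band, or a single step
# larger than MAX_STEP, is alerted no matter which account made it.
SAFE_RANGE = {"NaOH_ppm": (50.0, 200.0)}
MAX_STEP = {"NaOH_ppm": 25.0}
# Assumed internal address space from which remote sessions are expected.
TRUSTED_SRC_PREFIXES = ("10.0.",)

LINE_RE = re.compile(r"^(\S+ \S+) (\w+) (.*)$")

def parse(line):
    """Split one audit line into (timestamp, event, {field: value})."""
    ts, event, rest = LINE_RE.match(line).groups()
    return ts, event, dict(kv.split("=", 1) for kv in rest.split())

def analyze(log_text):
    """Return (timestamp, rule, detail) alerts for every line in the log."""
    alerts = []
    open_sessions = {}  # src -> user for remote sessions currently active
    for line in log_text.splitlines():
        ts, event, f = parse(line)
        if event == "REMOTE_SESSION_START":
            open_sessions[f["src"]] = f["user"]
            if not f["src"].startswith(TRUSTED_SRC_PREFIXES):
                alerts.append((ts, "untrusted_remote_source", f["src"]))
        elif event == "REMOTE_SESSION_END":
            open_sessions.pop(f["src"], None)
        elif event == "SETPOINT_CHANGE":
            tag, old, new = f["tag"], float(f["old"]), float(f["new"])
            lo, hi = SAFE_RANGE[tag]
            if not lo <= new <= hi:
                alerts.append((ts, "setpoint_out_of_range", f"{tag}={new:g}"))
            elif abs(new - old) > MAX_STEP[tag]:
                alerts.append((ts, "setpoint_step_too_large", f"{old:g}->{new:g}"))
            # Any write landing while a remote session is open is correlated
            # with that session, whatever the value: that is how this one happened.
            if open_sessions:
                alerts.append((ts, "setpoint_write_during_remote_session",
                               ",".join(open_sessions)))
    return alerts
```

The operator's corrective write back to 100 ppm is also flagged (as a large step); that is deliberate, since a corrective write is still a change that should be reviewed and time-stamped against the intrusion.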

A similar attack was launched last year in Israel, where authorities believe Iranian threat actors attempted to disrupt water supplies in at least two locations in Israel. The incident was quickly detected and thwarted before it could cause damage. 

Hitesh Sheth, President and CEO at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyber attackers, explains, “Public utilities, including power and water systems, have been prime cyberattack targets for years. There’s a whole Russian cyber team, “Energetic Bear,” focused on hacking American energy infrastructure. In the Oldsmar case it’s premature to assign motive or place blame. However, we’ve seen enough breaches of the US power grid, water systems, and even nuclear plants to conclude this: protecting these critical facilities, and upgrading their cyber defenses, should be a far higher priority.” 

Heather Paunet, Senior Vice President at Untangle, a San Jose, Calif.-based provider of comprehensive network security for SMBs, says, “As we begin 2021, governments, as well as every other type of business, continue to have their employees work remotely. As IT departments reacted quickly in 2020 to enable all their employees to work from home, ensuring a secure work-from-home environment took a bit longer to get right. As employees transitioned to remote work, they put their work devices onto their home networks, which would not have all the safeguards in place that their in-office network had."

Paunet adds, "This can create opportunities for bad actors to hack into networks and potentially cause dangerous situations. In the case with Oldsmar's water treatment plant, it was found that someone had access to their computer system remotely. With remote access being much more common due to fewer on-premises workers, this may not have been noticed as quickly as it should have been. When thinking about remote access, businesses of all sizes and all industries should consider:

  • Use of VPN technologies: provide a secure tunnel, and credentials that are given to employees to access internal resources and keep critical systems protected.
  • Proper onboarding and offboarding: as employees join and leave a company, it is important to ensure that access is only given if needed, and revoked immediately as employees leave.
  • Segregation of network access: ensure that employees are only given access to the systems that they need. Putting different systems on different networks that are only accessible by the groups of employees that need them is important to ensure that if a breach does happen, fewer systems can be compromised.
  • Dedicated work devices: during times such as the rapid shift to working from home in 2020, when many employees ended up accessing systems remotely, providing a dedicated device to employees rather than allowing employees to access the corporate network from their own devices will give IT departments the most control of their infrastructure.
  • Continual employee training: teaching employees how to recognize phishing emails is just as important as putting in place protective systems. As security adversaries find new ways to infiltrate networks, keeping employees trained and up to date will only strengthen your network security.

"While cybersecurity vendors continually come up with new solutions to guard against data breaches, there are cybersecurity adversaries that are working just as hard to break down those solutions and find new ways to get ahead of those vendors," Paunet says. "That’s why it’s important to stay a step ahead of hackers by keeping up on the latest technologies and providing multiple security layers of protection. If a bad actor does get through the strongest barriers, having multiple security layers provides protection to help isolate the threat and minimize the impact.”

Alec Alvarado, Threat Intelligence Team Lead at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, says, “The attack on the water treatment facility in Oldsmar is a chilling example of how cyberattacks can have more than just financial impacts. Systems belonging to our critical infrastructure are some of the most difficult to maintain. Every day, countless vulnerabilities are found, some of which are so critical that they need to be patched immediately. Enforcing a strong patch management strategy is challenging but is even more challenging in facilities that can't afford lengthy downtimes. Although we aren't sure how the threat actors got access to the Oldsmar water facility systems, it isn't farfetched to believe this attack could happen to other facilities. Regarding attribution, little has been released, but there are some things you can conclude based on reporting. The activity doesn't seem financially motivated, which would suggest either a nation-state actor or hacktivist conducted the attack. Hacktivism usually involves a quick claim for an attack; this is done to draw attention to their movement. Hence why defacement or DDoS is so popular in hacktivist attacks. The covert nature of this attack points more toward a possible nation-state actor.”

“Remote session tools, such as TeamViewer or Remote Desktop Protocol (RDP), should never be accessible from the outside. In this case, it seems that this was the case, likely combined with weak or easy-to-guess passwords," explains Dirk Schrader, Global Vice President at New Net Technologies (NNT), a Naples, Florida-based provider of cybersecurity and compliance software. "If these tools are in place, an organization should have all precautionary measures in place to verify the settings, keep them in accordance with NIST or CIS controls, monitor the access and control any change happening to the device with these tools installed. Unfortunately, this is not always the case and attackers seem to have an easy play to get access to critical systems. It is easy to find about 250 systems using these tools connected to the public internet, and within two minutes, to have access to an unprotected system belonging to a water utility provider in Florida. Previous research, including the Solarium report, has documented that critical infrastructures are vulnerable, and sometimes it is not hard at all to get access to one provider. That status is the same across all critical sectors including healthcare. Whether there are any access logs available in this incident is an open issue. However, the original statement seems to indicate that there are none and identification and attribution will be difficult.”

Austin Berglas, former head of FBI NY Cyber and Global Head of Professional Services at cybersecurity firm BlueVoyant, who led the investigation of the Bowman Avenue Dam compromise that was wrapped up in an Iran hacking case, says, "Along with energy production and manufacturing, water supply facilities are part of the United States' critical infrastructure and have long been targets for cyber attack from both criminal and state-sponsored entities. Water facilities rely on systems control and data acquisition (SCADA) systems to manage the automated process of water distribution and treatment. Many of these industrial control systems (ICS) are outdated, unpatched, and available for review on the Internet, leaving them incredibly vulnerable to compromise. In addition, many ICS solutions were designed for non-internet-facing environments and therefore did not incorporate certain basic security controls - this offers additional vulnerabilities as more and more operational technology environments are allowing access to their ICS systems from the Internet. In 2013, the FBI investigated a compromise of the Bowman Avenue Dam in Rye Brook, NY and found that members of the Iranian Revolutionary Guard had gained access through Internet-facing controls. Although the Dam was not functioning at the time and was most likely not the Iranians' main target, it demonstrates the vulnerability of certain critical infrastructure when their ICS systems are allowed to be exposed to the Internet and not isolated."

“The explosion of Internet of Things (IoT) use cases offers endless efficiencies, but also increased risk, for municipalities, utilities, and critical infrastructure providers. The recent remote hack of a water quality system in Florida is another case in point for cities and towns, as well as the manufacturers of the devices used in street lights, utilities, and even water systems, of the need to ensure secure communications using certificate-based authentication and other advanced cybersecurity technologies,” says Alan Grau, VP of IoT at Sectigo, a provider of digital identity management and web security solutions.

KEYWORDS: critical infrastructure security, cyber security, hackers, water utilities security

Maria Henriquez is a former Associate Editor of Security. She covered topics including cybersecurity and physical security, risk management and more.
