National Rural Water Association Statement on City of Oldsmar, Florida Cybersecurity Incident
Sheriff Bob Gualtieri gave a press conference on Monday, February 8, 2021 surrounding the unlawful intrusion to the City of Oldsmar’s water treatment system. Mayor Eric Seidel and City Manager Al Braithwaite joined the press conference as well.
The sequence of events laid out by Sherriff Gualtieri are as follows: On Friday, February 5th at approximately 8 a.m., an operator at a water treatment plant noticed someone accessing the control system, Human Machine Interface (HMI), remotely. The operator was aware that his supervisor and other users routinely used remote access to view the HMI screen, so he did not report the incident immediately. At approximately 1:30 p.m. on the same day, the operator noticed a user accessing the HMI remotely again. This time the user navigated through various screens and eventually modified the set point for Sodium Hydroxide (Lye) from 100 parts per million to 11,100, a toxic level to humans. The remote user logged off and the operator immediately reset the Sodium Hydroxide level back to normal. He then disabled remote access and reported the incident to the City, along with local and state law enforcement.
According to the Mission Critical Global Alliance (MCGA), the investigation is still underway, while the culprit’s identity and their intentions are still unclear. The most likely options range from an authorized user who made a change in error, a disgruntled former employee or contractor, or a random hacker who discovered the system was accessible from the internet. Other less likely options that should not be discounted are organized crime syndicates or nation states.
The United States has more than 145,000 active public water systems, while 97 percent of them are considered ‘small’ systems under the Safe Drinking Water Act. This group of small systems serve 10,000 or fewer populations. The system size of City of Oldsmar is 15,000. These small systems have limited access to resources to manage the cybersecurity threat to their systems. National and State Rural Water Associations are available to assist small systems assess their vulnerabilities to cybersecurity and other threats.
According to Sheriff Gualtieri, there is no knowledge of any other area systems being unlawfully accessed, but he did ask all area governmental entities to take a critical look at their infrastructure to ensure their security practices are up to par.
“The Florida Rural Water Association encourages all water utilities to take appropriate and affordable steps within their budgets to implement measures to decrease vulnerabilities, including increased cyber security risks,” stated Gary Williams, Florida Rural Water Association Executive Director.
NRWA urges increased priority be to cybersecurity for our small and rural systems following this unlawful intrusion into the City of Oldsmar’s water system. MCGA also states training and awareness are key to improving a water system’s cybersecurity posture. Employees should learn about system concepts, standards, technology, operations, safety and physical security, risk management, and emergency response preparedness. With better awareness and knowledge, a water system can prepare its people, update its processes and manage its technology.
For more information, visit https://www.mcgalliance.org/post/oldsmar-cybersecurity-incident.