Tech

Much-Hyped Water Plant Hack Wasn't a Hack, Was Actually User Error, Official Says

"The FBI concluded there was nothing, no evidence of any access from the outside, and that it was likely the same employee that was purported to be a hero for catching it, was actually banging on his keyboard."
tktk

The most highly publicized hack of a town’s public water infrastructure, and one that seemingly showed the cybersecurity risks of America’s water supply, wasn’t a hack at all. The FBI determined that a 2021 security incident that changed the settings of Oldsmar, Florida’s water supply wasn’t a hack at all.

Advertisement

A former top city official now says it was user error, and the FBI says it has found no evidence of a hack.

At the time, Pinellas County Sheriff Bob Gualtieri held a press conference where he claimed that a "The hacker changed the sodium hydroxide from about one hundred parts per million, to 11,100 parts per million," in the town’s water supply, “noting that these were “dangerous" levels of the chemical. When asked if this should be considered an attempt at bioterrorism, Gualtieri said, "What it is is someone hacked into the system not just once but twice ... opened the program and changed the levels from 100 to 11,100 parts per million with a caustic substance. So, you label it however you want, those are the facts."

Now, more than two years later, Al Braithwaite, the city manager at the time, is calling it a “nonevent,” according to comments he made at the American Society for Public Administration’s annual conference

“The FBI concluded there was nothing, no evidence of any access from the outside, and that it was likely the same employee that was purported to be a hero for catching it, was actually banging on his keyboard,” Braithwaite said, according to a writeup by the conference.

The conference has not yet uploaded audio or video of Braithwaite’s comments. 

The FBI told the Tampa Bay Times that it has no evidence that this was a cyber attack: “Through the course of the investigation the FBI was not able to confirm that this incident was initiated by a targeted cyber intrusion of Oldsmar,” the FBI told the Times. “We have no further comment beyond this statement.”

This apparent “non event” is notable because the supposed hack against Oldsmar has been considered one of the more significant cybersecurity events affecting an American town. It is often used as an example by cybersecurity experts of the risks that hackers pose to critical infrastructure, and the tangible affect that hackers may have on the physical world. 

We still don’t have full details of what happened in this case, but it still highlights the vulnerability of software-controlled water systems that can be accessed remotely. At the time, the city said that a hacker remotely accessed the software controls that affected the chemical levels of the system.