Lessons Learned from Oldsmar Water Plant Hack

Lessons Learned from Oldsmar Water Plant Hack

Cybersecurity experts have long warned of attacks on small municipal systems. Until hackers accessed the water treatment plant of a small Florida city this year, those warnings were “out of sight, out of mind.” Now, both local and national authorities’ perspectives on the dangers of cybersecurity attacks are changing.

The intrusion only lasted between three and five minutes, according to the Tampa Bay Times. In that time, the level of sodium hydroxide being fed to the city of Oldsmar, Florida—home to 15,000 people—was changed from 100 parts per million to 11,100 parts per million. It took five and a half hours for an employee to notice the change.

“This is dangerous stuff,” Pinellas County Sheriff Bob Gualtieri said at a news conference. Consumed in large quantities, sodium hydroxide can cause vomiting, chest and abdominal pain, skin burns, even hair loss, according to the Centers for Disease Control.

Florida Senator Marco Rubio addressed the attack on Twitter, calling it a “matter of national security.”

Why This Matters
This scenario is an example of how a critical infrastructure intrusion at any level puts residents’ lives at risk. Eric Chien, a security researcher at Symantec, described the Oldsmar city water plant as exactly the kind of utility security professionals need to worry about.

“This is a small municipality that is likely small-budgeted and under-resourced, which purposely set up remote access so employees and outside contractors can remote in,” Chien told The New York Times. He described it further as a ripe target.

Cybersecurity breaches can have catastrophic effects on any sized municipal entities, making protection against cyber threats, compliance, and responsible data management more important now than ever.

Critical Next Steps
Luckily, raised awareness around the importance of cybersecurity has also generated strategies for preventing these same kinds of events from being repeated. Today, security professionals can prepare their municipalities for all cyber threats by following these best practices:

Segment Operational Technology (OT) away from Information Technology (IT). While OT networks control elements in the physical world, IT systems manage crucial data networks. This means, separating the two means protecting OT devices from any possible digital breach.

Be aware of any remote access software (such as TeamViewer) in your environment. These programs may reduce the need for employees on site and streamline access, from anywhere in the world. Remote access software is also the most vulnerable to cybersecurity breaches.

Mitigate potential security breaches through apps, using strong passwords, two-factor authentication strategies, and by whitelisting (i.e., only allowing authorized sites access to your IT networks).

Make sure there is always a third-party continuously monitoring for any incidents. Just as important as cyber hardness is the ability to step in and mitigate the effects of breaches in real-time.

Conclusion
The event in Oldsmar, Florida, this year was an isolated event. Hackers remotely accessed a small town’s water treatment plant and tried to poison the water supply. Local authorities were able to intervene, before any serious damage was done. But this doesn’t mean similar entities in other cities are off the hook.

Cyberattacks have the potential to put thousands of lives in danger—make sure you are implementing smart, sustainable strategies to prevent this from happening to you.

About the Author

Jeremy Rasmussen is chief technology officer at Abacode.

Featured

  • Maximizing Your Security Budget This Year

    7 Ways You Can Secure a High-Traffic Commercial Security Gate  

    Your commercial security gate is one of your most powerful tools to keep thieves off your property. Without a security gate, your commercial perimeter security plan is all for nothing. Read Now

  • Survey: Only 13 Percent of Research Institutions Are Prepared for AI

    A new survey commissioned by SHI International and Dell Technologies underscores the transformative potential of artificial intelligence (AI) while exposing significant gaps in preparedness at many research institutions. Read Now

  • Survey: 70 Percent of Organizations Have Established Dedicated SaaS Security Teams

    Seventy percent of organizations have prioritized investment in SaaS security, establishing dedicated SaaS security teams, despite economic uncertainty and workforce reductions. This was a key finding in the fourth Annual SaaS Security Survey Report: 2025 CISO Plans and Priorities released today by the Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment. Read Now

  • Mobile Applications Are Empowering Security Personnel

    From real-time surveillance and access control management to remote monitoring and communications, a new generation of mobile applications is empowering security personnel to protect people and places. Mobile applications for physical security systems are emerging as indispensable tools to enhance safety. They also offer many features that are reshaping how modern security professionals approach their work. Read Now

Featured Cybersecurity

Webinars

New Products

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities 3

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation. 3

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file. 3