Degraded Operation

SCID #00113
City of Oldsmar (2021)

Plant System(s) Breached
Date of Event/Incident: 5-Feb-2021 (Friday)
Date Updated: 9-Feb-2021 (Tuesday)
Date Updated (SCIDMARK): 11-Mar-2021 (Thursday)


BETA VERSION v0.57

Information Statement

Information contained within this site is considered ‘experimental’, and is not recommended for legal or evidentiary purposes.


NOTE: For additional reference specific to this incident, please refer to this case number as:

http://scidmark.com/scid-00113-20210205.pdf

Case Information

On February 5, 2021 (Friday) at 8:00 am local time, investigators indicated that an unidentified individual had gained full command and control (C2) access to the computer system responsible for controlling the City of Oldsmar’s water system, and attempted to poison the city’s water supply.†1


The onsite plant operator noticed someone briefly accessing the plant computer system that he was monitoring remotely. The operator was not initially concerned by this activity, as both plant site workers and supervisors regularly use the remote access capability to reach the plant control system.

However, at approximately 1:30 pm local time, the plant operator noticed that the individual had again accessed the controls of the same plant computer system. During this time, he observed the mouse cursor on the screen begin moving; it opened several software functions that control water treatment, including the function that sets the water’s sodium hydroxide level, and altered that level from 100 ppm to 11,000 ppm.


The plant operator was alerted to the now-dangerous safety levels. Once the individual left the plant computer system, the plant operator immediately restored the chemical level back to its previous level of 100 ppm.

Access time to the computer system lasted for approximately 3 to 5 minutes.†11

After that, he notified his supervisor about the events that transpired. Law enforcement was called shortly thereafter.†1

Local officials indicated that even if the plant operator had not noticed either the intrusion or the sudden elevated level of sodium hydroxide, other fail-safe and alarm systems would have alerted the plant operator to these conditions. Additionally, even had the fail-safes and alarm systems not caught the sudden increase in sodium hydroxide, according to the sheriff it would have taken between 24 and 36 hours for the tainted water to reach the water distribution network.
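The alarm redundancy the officials describe can be implemented as a plausibility check on every HMI setpoint write, so that a jump from 100 ppm to 11,000 ppm raises a critical alert independently of whoever is watching the screen. The following Python is an added example, not code from the SCIDMARK record or from the Oldsmar plant; the log line format, the tag names (NAOH_DOSE_PPM, CL2_RESIDUAL_PPM) and the envelope limits are assumptions.

```python
"""Setpoint plausibility checks for a chemical-dosing HMI (added example).

The log format, tag names and ENVELOPE values are assumptions, not taken
from the Oldsmar plant. The NaOH band is chosen from the record's own
figures: a plant setpoint of 100 ppm, normal corrosion-control dosing of
1-40 ppm, and an attacker write of 11,000 ppm that must never pass silently.
"""
import re
from dataclasses import dataclass, field

# Hypothetical per-tag envelope: hard limits and the largest single-step
# change an operator is expected to make without a second acknowledgement.
ENVELOPE = {
    "NAOH_DOSE_PPM": {"lo": 0.0, "hi": 200.0, "max_step": 50.0},
}

# Assumed audit-log line: "<ts> SETPOINT <tag> old=<v> new=<v> src=<session>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SETPOINT (?P<tag>\S+) old=(?P<old>[\d.]+) "
    r"new=(?P<new>[\d.]+) src=(?P<src>\S+)$"
)


@dataclass
class Alert:
    ts: str
    tag: str
    new: float
    src: str
    severity: str                 # "critical", "warning" or "info"
    reasons: list = field(default_factory=list)


def check_change(tag, old, new):
    """Classify one setpoint write; returns (severity, reasons)."""
    env = ENVELOPE.get(tag)
    if env is None:
        # A write to a tag nobody defined limits for is itself worth review.
        return "info", ["unmonitored_tag"]
    reasons = []
    if not env["lo"] <= new <= env["hi"]:
        reasons.append("out_of_range")
    if abs(new - old) > env["max_step"]:
        reasons.append("large_step")
    if "out_of_range" in reasons:
        return "critical", reasons
    if reasons:
        return "warning", reasons
    return "ok", reasons


def scan(log_text):
    """Run check_change over every SETPOINT line and return the alerts."""
    alerts = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a setpoint write; ignore
        old, new = float(m["old"]), float(m["new"])
        severity, reasons = check_change(m["tag"], old, new)
        if severity != "ok":
            alerts.append(Alert(m["ts"], m["tag"], new, m["src"], severity, reasons))
    return alerts


# Constructed sample log: a routine local tweak, the remote 100 -> 11,000 ppm
# write, the operator's manual restore, and a write to an unmonitored tag.
SAMPLE_LOG = """
2021-02-05T07:55:03 SETPOINT NAOH_DOSE_PPM old=98 new=100 src=local-console
2021-02-05T13:31:40 SETPOINT NAOH_DOSE_PPM old=100 new=11000 src=remote-session
2021-02-05T13:36:02 SETPOINT NAOH_DOSE_PPM old=11000 new=100 src=local-console
2021-02-05T13:40:00 SETPOINT CL2_RESIDUAL_PPM old=1.5 new=1.6 src=local-console
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.severity.upper():8} {a.tag} -> {a.new} "
              f"via {a.src}: {', '.join(a.reasons)}")
```

Note that the restore from 11,000 ppm back to 100 ppm also trips the step rule; that is intended, since a large correction is exactly the event a supervisor should see, but it stays a warning rather than a critical alert because the new value is inside the envelope.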

“The protocols that we have in place, monitoring protocols, they work — that’s the good news,” said Oldsmar Mayor Eric Seidel. “Even had they not caught them, there’s redundancies that have alarms in the system that would have caught the change in the pH level.”†1

City of Oldsmar City Manager Al Braithwaite stated that remote access to all internal plant computer systems was disabled while incident responders and investigators evaluated the situation. The Pinellas County Sheriff’s Office (PCSO) has launched a criminal investigation. PCSO is cooperating with the FBI and the U.S. Secret Service as part of their investigation to determine whether the threat actor is located within the United States or not.

Sheriff Gualtieri held a press conference on Monday, Feb. 8†11 to discuss the details of the virtual breach of the city’s critical infrastructure:

"Why the Oldsmar system was targeted ... we have no knowledge of any other systems being unlawfully accessed."

    Updated 10-Feb-2021  

As of 10-Feb-2021, there remain several unanswered questions regarding this investigation:

  • Who is responsible for the breach? Authorities have stated that they are uncertain about whether one person, two persons, or a team of individuals were involved.
  • How did the breach occur? What is known is that access occurred via a remote access system running TeamViewer.†8 No further information has been disclosed.
  • Was the attacker based within the U.S. or abroad? Sheriff Gualtieri has stated that it is unknown whether the actor(s) are locally based, based elsewhere within the U.S., or an international or nation-state actor.
  • No reports of any other systems being unlawfully accessed. Both city officials and law enforcement have indicated that they are unaware of any other unauthorized access attempts occurring.

Had the plant operator not noticed and recognized the unusual, and then clearly unauthorized, activity, and had mitigation not been taken quickly to reverse the attacker’s changes, the situation may have had a much different outcome.

    Updated 11-Feb-2021  

ABC Action News (WFTS TV) reported on an FBI Private Industry Notification (PIN No. 20210209-001; dated 9-Feb-2021)†16†17 identifying the following additional factors leading to the access breach:†18

  • The operating system was end-of-life. The plant computer system was using Microsoft Windows 7. In January, Microsoft ended support for Windows 7; this meant that security updates and patches were discontinued. Windows 7 also offered fewer security protections than Windows 10.†32†33
  • The plant computer system had no firewall. Apparently, the plant computer system was directly connected to the Internet with no protections whatsoever. Additionally, any other computer systems interconnected with the SCADA/HMI system were equally at risk.
  • The TeamViewer password was shared. Based on news media reports, the account and its password were used by all of the staff at the water treatment facility. With a shared account password, auditing and traceability of individual actions become impractical.

    Updated 12-Feb-2021  

AWWA CEO David LaFrance issued the following statement regarding the Oldsmar incident:†26

The Feb. 5 hacking incident on a Florida water utility is a jarring reminder that the threat of cyberattacks on critical water infrastructure is both real and serious. We live in a world where cyber intrusions are increasingly common in our personal and professional lives. Given the essential nature of water service, it’s well known that water infrastructure – and water treatment plants of all sizes — are potential targets of people with bad intentions.

While the Florida incident is unsettling, there are some takeaways that should bring us confidence. First, while the hacker was able to gain access, it appears a vigilant water operator thwarted any potential harm. There’s no clearer demonstration that water professionals are essential workers, and the work they do each day protects us all.

Second, the incident makes clear to all water utilities and governing boards that they must take action to prevent or discourage similar attacks. The water sector has been actively addressing cybersecurity issues for many years. In fact, the 2018 America’s Water Infrastructure Act requires utilities to complete a risk and resiliency assessment that must include cyber threats to enterprise systems and process control systems. This incident should underscore the urgency of that work.

Third, we are not powerless against cyber threats. There are resources available to help utilities of all sizes. AWWA’s Water Sector Cybersecurity Risk Management Guidance and the accompanying assessment tool are free ... as is the Cybersecurity Risk & Responsibility in the Water Sector report and many other helpful eLearning opportunities and documents.

Federal agencies define cyberattacks as the top threat facing business and critical infrastructure. [The Feb. 5] incident demonstrates why. Let this incident be a constant reminder of the importance of round-the-clock cybersecurity vigilance in the days and decades ahead.†26


    Updated 14-Feb-2021  

The Oldsmar incident shares characteristics with other incident cases; in particular, it may be compared to Case #00115 - Town of Spencer. Several common factors between the two incident cases have been identified, and a comparison chart is provided below:

Attribute | Town of Spencer (#00115) | City of Oldsmar (#00113)
Municipality | Town of Spencer | City of Oldsmar
Incident Type | Incident | Incident
Incident Sub-Type | Accident | Attack
Incident Severity | Significant | Significant
Incident Dispersion | Local | Local
Incident Impact | Significant | Significant
Incident Urgency | Critical | Critical
Failure Method | Operation Failure | Operation Compromise
Failure Sub-Type | Operator Error / Configuration Error | External Adversary
Detection Method | Human Only | Human Only
Detection Type | Onsite Staff | Onsite Staff
Damage Localized | Town of Spencer | City of Oldsmar
Controls Bypassed | Yes | Yes
Controls Bypass Reason | Manual Mode Due to Maintenance | System Override
Outage Type | Partial | Partial
Outage Condition | Damaged (Degraded) | Damaged (Degraded)
Outage Repairability | Repairable | Repairable
Outage Time | > 1 Day, < 1 Week | < 1 Hour
Recovery Time | < 1 Week | ~ 1-2 Hours
Loss of Safety | Yes | No
Reduced Safety | Yes (Temporarily) | Yes (Temporarily)
Safety Impacted | Yes (Temporarily) | Yes (Temporarily)
No. Injured | ~ 100-145 | 0
Loss of Control | Yes (Partial) | Yes (Partial)
Loss of Operation | Yes (Partial) | Yes (Partial)
Loss of Configuration | Yes (Alarm System Configuration Error) | Yes (Partially Due to Intruder)
Operation Type | Sodium Hydroxide Injection | Sodium Hydroxide Injection
Operation Affected | Yes | Yes
Operation Compromised | Yes | Yes
Operational State | Manual (NaOH Feed Disabled) | Automated (Remote Access Disabled)
Operational Disruption | Partial | Partial
Operational Impact | Partial | Partial

    Updated 17-Feb-2021  

Fox News†28 reported that U.S. Senator Mark Warner had become involved with this case. A press release issued by Senator Warner’s Office states the following:†29

WASHINGTON – U.S. Sen. Mark R. Warner, Chairman of the Senate Select Committee on Intelligence, today requested information from the Federal Bureau of Investigation (FBI) and the Environmental Protection Agency (EPA) following a cyber incident in which hackers remotely breached a Florida water treatment plant and sought to dramatically alter water chemical levels in a move that could have poisoned thousands of residents.
The security and integrity of our critical infrastructure is of utmost importance. The Cybersecurity & Infrastructure Security Agency (CISA) states that 80% of the United States receives potable water from approximately 153,000 public drinking water systems, and any type of attack, including a cyber attack, could result in ‘illnesses or casualties and/or a denial of service that would also impact public health and economic vitality,’
as written by Senator Warner in a letter to the Assistant Director of the FBI and the Acting Assistant Administrator at the EPA.†30
This incident has implications beyond the 15,000-person town of Oldsmar. While the Oldsmar water treatment facility incident was detected with sufficient time to mitigate serious risks to the citizens of Oldsmar, and appears to have been identified as the result of a diligent employee monitoring this facility’s operations, future compromises of this nature may not be detected in time.
He further continued with the following statement:
The Federal Government must ensure we are taking all precautions to keep drinking water safe for Americans. Designated as one of the 16 infrastructure sectors critical to national security under the Presidential Policy Directive 21 (PPD-21), we must protect water facilities from cyber and other compromises.
On February 5, a water treatment facility in Oldsmar, Florida was accessed remotely by hackers, who increased sodium hydroxide levels from 100 parts per million to 11,100 parts per million, a dangerous amount that could have sickened town residents, had the attack gone unnoticed by a plant employee.

In his letter, Sen. Warner requested a progress update on the FBI’s investigation into this incident. He also asked for an EPA review into whether the Oldsmar water treatment facility was compliant with the most recent Water and Wastewater Sector-Specific Plan, and whether that plan needs to be updated to confront similar risks. Additionally, Sen. Warner inquired about any plans to share timely threat information related to this incident with water and wastewater facilities, and other critical infrastructure providers.

Sen. Warner, a former technology executive, is the co-founder and co-chair of the partisan Senate Cybersecurity Caucus. Throughout the COVID-19 crisis, he has fought for increased cybersecurity measures commensurate with Americans’ increased reliance on remote work. Among other measures, Sen. Warner has advocated for increased funding to modernize federal information technology, urged internet networking device vendors to ensure the security of their products, and pressed cybersecurity officials to bolster defenses against cybersecurity attacks.


    Updated 17-Feb-2021  

A copy of the letter from U.S. Senator Mark Warner to the Assistant Director of the FBI, as well as the Acting Assistant Administrator of the U.S. EPA is provided below:†30

Dear Mr. Gorham and Ms. Fox,

I am writing to request information about reports of a serious security compromise of a water treatment plant in Oldsmar, Florida on February 5, 2021. The security and integrity of our critical infrastructure is of utmost importance. The Cybersecurity & Infrastructure Security Agency (CISA) states that 80% of the United States receives potable water from approximately 153,000 public drinking water systems, and any type of attack, including a cyber attack, could result in “illnesses or casualties and/or a denial of service that would also impact public health and economic vitality.”[i] Additionally, other critical infrastructure sectors such as healthcare, emergency services, energy, food and agriculture, and transportation systems depend on the cyber resilience of water facilities.[ii]

According to information released by the Pinellas County Sheriff’s Office, the Oldsmar water treatment facility was accessed remotely by an unauthorized entity, who increased the amount of sodium hydroxide in the potable water supply to a dangerous level.[iii] Given the consequences of a successful compromise of this kind, and the broader security weaknesses this unsuccessful attempt may illustrate within critical infrastructure sectors reliant on similar industrial control systems, I would request first, to be informed of the progress of the FBI’s investigation of the incident; second, a review by the Environmental Protection Agency into whether the Oldsmar water treatment facility was compliant with the most recent Water and Wastewater Sector-Specific Plan, and whether that plan, most recently updated in 2015, needs to be updated to confront similar risks; and third, to confirm the Federal Government is sharing timely threat information related to this incident with water and wastewater facilities, and other critical infrastructure providers across the United States.

This incident has implications beyond the 15,000-person town of Oldsmar. While the Oldsmar water treatment facility incident was detected with sufficient time to mitigate serious risks to the citizens of Oldsmar, and appears to have been identified as the result of a diligent employee monitoring this facility’s operations, future compromises of this nature may not be detected in time. The Federal Government must ensure we are taking all precautions to keep drinking water safe for Americans. Designated as one of the 16 infrastructure sectors critical to national security under the Presidential Policy Directive 21 (PPD-21), we must protect water facilities from cyber and other compromises.

Please coordinate with my office to provide updates on the investigation of the incident, as well as efforts underway to avoid future compromises on water facilities in the United States.

The letter is dated 17-Feb-2021, and was sent to Mr. Matt Gorham, Assistant Director, Federal Bureau of Investigation (FBI), and to Ms. Radhika Fox, Acting Assistant Administrator, Office of Water, Environmental Protection Agency (EPA).

i    Cybersecurity & Infrastructure Security Agency, “Water and Wastewater Systems Sector,” accessed February 15, 2021, https://www.cisa.gov/water-and-wastewater-systems-sector
ii   CISA, “Water and Wastewater Systems Sector.”
iii  Pinellas Sheriff, “Treatment Plant Intrusion Press Conference,” filmed February 8, 2021, https://www.youtube.com/watch?v=MkXDSOgLQ6M&ab_channel=PinellasSheriff


    Updated 20-Feb-2021  

On 20-Feb-2021 (Saturday), a copy of the fiscal year budget for the City of Oldsmar was found online. Within the document, on p. 169 and 170, a scheduled upgrade to the SCADA system is outlined within the budget at $42K USD:†31

The goals for FY 2020/2021 include the following: ... (last bulleted item) Supervisory Controls and Data Acquisition (SCADA) Upgrade Project to replace the existing computer software that manages the facility operations and data
...
The HSP Replacement and Upgrade and the SCADA Upgrade projects supports the City’s Strategic Plan of focusing on infrastructure improvements that ultimately protect public safety, while providing consistent utility service, protection of the environment, and regulatory compliance.

On p. 170, under “CAPITAL OUTLAY”, line item #2, “SCADA Upgrade”, is listed at $42K USD, below line item #1, “High Service Pump No. 1 Replacement & Upgrade”, at $50K USD, totaling $92K USD for capital improvements to the water system.†31

Fiscal budgets for the City of Oldsmar begin on 1-Oct on the current year (2020), ending on 31-Sep on the following year (2021).

    Updated 11-Mar-2021  

On March 8, 2021, two southwest Florida utilities indicated that they use remote access for the plant computer systems at their water treatment plants, but stated that security measures are in place to protect their environments from events like the one at the City of Oldsmar.

Bonita Springs Utilities and Marco Island both indicated they provide remote access for their plant computer systems.

BSU has in place certain protocols that make an attack like Oldsmar less likely...

… as stated by BSU spokeswoman Jennifer Hamilton. She further indicated that remote access for BSU is …

... limited to approved vendors and staff access through secure firewall configurations ...

Lee County, Collier County, Cape Coral and Naples did not respond to specific questions from the news media about whether remote access is currently permitted on any of the plant computer systems at any of their water facilities. However, Collier County and Cape Coral indicated their concerns regarding security; Lee County and Naples indicated that their systems are configured differently than the City of Oldsmar’s systems.†34

The City of Fort Myers stated, in an e-mail from the city’s spokesperson, that it has no remote access capabilities to any city computer system.

What municipalities did comment on was that they had security measures in place to protect their plant computer systems, with one indicating that they would not provide any detail whatsoever as a matter of security concern (Collier County).

One municipality, the City of Marco Island, made a statement that their water treatment plants are “safe from hackers”. The spokesperson from the city indicated that both water treatment facilities permit remote access, but only through a virtual private network (VPN); the spokesperson further indicated that the city is currently performing a vulnerability assessment “of the water and sewer operations”, which is a federally-mandated requirement of the U.S. government. The city council approved the assessment sometime in November, 2020 for an amount not exceeding approximately $95K USD. Additionally, the city must complete the assessment by June 20, 2021. Note that a vulnerability assessment performed to satisfy this requirement covers not only a cyber-related evaluation, but also physical and procedural processes, along with emergency response processes.†34

NFPA SCALE (0-4)

Health: 3 | Flammability: 0 | Physical Hazard: 1

Health Safety: Similar to other corrosive acids and alkalis, sodium hydroxide solutions can readily decompose proteins and lipids in living tissues via amide hydrolysis and ester hydrolysis, which consequently cause chemical burns and may induce permanent blindness upon contact with eyes.

Sodium hydroxide usually occurs naturally in water at very low levels. The chemical is added as part of water treatment and distribution for corrosion control purposes at rates between 1 and 40 ppm.†2 Sodium hydroxide is also commonly known as 'lye', and is used in several cleaning products (both industrial and consumer) as well as disinfectant products.†3†4†5†7

One cleaning product that is commonly used in practically every household is bleach.†9†10 Liquid chlorine 'bleach' is a household cleaning product that combines chlorine, sodium hypochlorite, and sodium hydroxide.

When used at safe levels, sodium hydroxide is used during water purification to raise the pH level of water supplies. Increased pH makes water less corrosive to plumbing while reducing the amounts of lead, copper and other toxic metals that can dissolve into drinking water.

Source(s):
†1  "Someone tried to poison Oldsmar’s water supply during hack, sheriff says"; Tampa Bay Times; dated 8-Feb-2021; URL: Tampa Bay Times (alt)[alt-01] (alt)[alt-01a] (alt)[alt-01b]
†2  "Hacker tried to poison Oldsmar water system, sheriff says"; FOX 13 TV; dated 8-Feb-2021; URL: FOX 13 TV (alt)[alt-02]
†3  "Product No. 19539 Sodium Hydroxide"; Ted Pella; dated 22-May-2015; URL: Ted Pella (alt)[alt-03]
†4  "SAFETY DATA SHEET, CAUSTIC SODA LIQUID (ALL GRADES), MSDS No.: M32415, Rev. Date: 31-May-2009, Rev. Num.: 05"; OxyChem; dated 31-May-2009; URL: OxyChem (alt)[alt-04]
†5  "Material Safety Data Sheet - Sodium hydroxide, solid - ACC #21300"; Fisher Scientific; URL: Fisher Scientific (alt)[alt-05]
†6  "Hacker tries to poison water supply of Florida city"; BBC; dated 8-Feb-2021; URL: BBC (alt)[alt-06] (alt)[alt-06a]
†7  "Sodium Hydroxide - Safety Data Sheet"; LabChem; dated 21-Feb-2018; URL: LabChem (alt)[alt-07]
†8  "Why Cybersecurity Experts Hate TeamViewer, the Software Used to Tamper With Florida Water Supply"; Motherboard; dated 9-Feb-2021; URL: Vice (alt)[alt-08] (alt)[alt-08a] (alt)[alt-08b]
†9  "Liquid bleach"; Wikipedia; dated 19-Sep-2020; URL: Wikipedia (alt)[alt-09]
†10  "SAFETY DATA SHEET"; The Clorox Company; dated 12-Jun-2015; URL: The Clorox Company (alt)[alt-10]
†11  "Treatment Plant Intrusion Press Conference"; Pinellas Sheriff; dated 8-Feb-2021; URL: Pinellas Sheriff (alt)[alt-11]
†16  "Oldsmar water hack connotations"; ABC Action News; dated 10-Feb-2021; URL: ABC Action News (WFTS TV) (alt)[alt-16]
†17  "Oldsmar water hack connotations"; yahoo! news; dated 10-Feb-2021; URL: yahoo! news (alt)[alt-16]
†18  "Breached water plant employees used the same TeamViewer password and no firewall"; insideexpress; dated 11-Feb-2021; URL: insideexpress (alt)[alt-18] (alt)[alt-18a] (alt)[alt-18b]
†26  "Florida water hack underscores cybersecurity threat to utilities"; dated 12-Feb-2021; URL: WATER FINANCE & MANAGEMENT (alt)[alt-26] (alt)[alt-26a] (alt)[alt-26b]
†29  "Warner Requests Answers Following Concerning Cyber Breach on Florida Water Plant"; dated 17-Feb-2021; URL: Honorable Mark Warner, US Senator from the Commonwealth of Virginia (alt)[alt-29] (alt)[alt-29a] (alt)[alt-29b]
†30  "Letter to Mr. Gorham and Ms. Fox"; dated 17-Feb-2021; URL: Honorable Mark Warner, US Senator from the Commonwealth of Virginia (alt)[alt-30]
†31  "City of Oldsmar, FISCAL YEAR 2020/2021 ANNUAL BUDGET"; dated 8-Jul-2020 (modified 4-Nov-2020); URL: City of Oldsmar (alt)[alt-31]
†32  "Cybersecurity Advisory for Public Water Suppliers"; dated 11-Feb-2021; URL: The Commonwealth of Massachusetts (alt)[alt-32] (alt)[alt-32a]
†33  "Compromise of U.S. Water Treatment Facility"; dated 12-Feb-2021; URL: Cybersecurity & Infrastructure Security Agency (alt)[alt-33] (alt)[alt-33a] (alt)[alt-33b]
†34  "How Lee, Collier utilities are responding after cyberattack on a Florida city's water treatment plant"; dated 8-Mar-2021; URL: https://webcache.googleusercontent.com/search?q=cache:7MDeLgy_WjgJ:https://www.naplesnews.com/story/news/local/2021/03/08/oldsmar-florida-water-plant-cyberattack-prompts-reviews-swfl-utilities/4494540001/+&cd=1&hl=en&ct=clnk&gl=us&client=firefox-b-1-d (alt)[alt-34] (alt)[alt-34a]

Industry Information

Corporate Information

Oldsmar is a city in Pinellas County, Florida, United States. As of the 2010 census, the city had a population of 13,591. The Oldsmar name dates to April 12, 1916 when automobile pioneer Ransom E. Olds purchased 37,541 acres (151.92 km2) of land by the northern part of Tampa Bay to establish "R. E. Olds-on-the-Bay". The name was later changed to Oldsmar, then to "Tampa Shores" in 1927, and finally back to Oldsmar in 1937. Ransom Olds named some of the original streets himself, such as Gim Gong Road for Lue Gim Gong.
Source(s):
†11  "Oldsmar, Florida"; Wikipedia; URL: Wikipedia (alt)[alt-11]

CIP Information

Sector: Water△5
Sub-Sector: Water, Treatment△6
Note(s):
△5  Relevant sector-specific information may be referenced at "Critical Infrastructure Sectors - Water and Wastewater Systems Sector"; date unknown; URL: DHS (CISA) - Water and Wastewater Systems Sector (alt)[delta-05]
△6  Combined subordinate fields of 'Water' and 'Treatment' apply to water treatment and distribution. The term 'water treatment' refers to the clarification of water from wells into drinking water; whereas, 'distribution' refers to local transport only.

Index Information

Vector Information

Cyber Impact
Primary Operation: Plant System(s)
Secondary Operation: Local Equipment△7
Note(s):
△7  The term 'local equipment' refers to site-specific equipment used to manage plant process operations.

Occurrence Information

Incident Information

Incident Type: Incident
Incident Sub-Type: Attack
Attack Method: Operation Compromise (Process Tampering)
Attack Source: External Adversaries
Source Reliability△1: Reliable
Source Creditability△1△2: Confirmed
Source Type: Media
Source Sub-Type: Website, News Media
Source Name(s): Tampa Bay Times, Fox News, The New York Times, The Washington Post, CBS News, Reuters, BBC (et al.)
Operation(s) Affected: Yes
Incident Severity: Level 3 (Significant)
Operation(s) Impacted: The water clarification process involving sodium hydroxide was tampered with through an active attack against the computer system controlling the pH level of treated water.
Description of Severity: Level 3 - Significant Business Impact - Operational product features are unavailable with an acceptable workaround; however, no timeframe exists, or time to recovery is anticipated to be longer than expected. Customer's implementation or primary business production, major applications or mission critical systems are functioning with limited capabilities or partially missing functions.
Regulation(s): Public Health Security and Bioterrorism Preparedness and Response Act (PHSBPRA) of 2002.†12†13
Source(s):
†12  "Public Health Security and Bioterrorism Preparedness and Response Act"; Wikipedia; dated: 15-Aug-2020; URL: Wikipedia (alt)[alt-12]
†13  "PUBLIC HEALTH SECURITY AND BIOTERRORISM PREPAREDNESS AND RESPONSE ACT OF 2002; Public Law No. 107-188"; U.S. Congressional Library, 107th U.S. Congress; dated: 12-Jun-2002; URL: U.S. Congress (alt)[alt-13]
†14  "Water Infrastructure Resilience"; U.S. EPA; dated: 11-Mar-2002; URL: U.S. EPA (alt)[alt-14] (alt)[alt-14a]
Note(s):
△1  Refer to U.S. Army FM 2-22.3, (alt)[delta-01] "HUMAN INTELLIGENCE COLLECTOR OPERATIONS", Appendix B, "Source and Information Reliability Matrix", p. B-1 (285) and B-2 (286) for further information.
△2  The term "information content" may be applied in lieu of the term "source creditability" (refer to △1).

Non-Accident / Accident Information

<<  NO INFORMATION AVAILABLE FOR THIS INCIDENT  >>

Attack Information

Attack Type: Cyber Only
Attack Sub-Type: Targeted
Degree of Intent: Intentional
Degree of Attack: Malicious
Incident Dispersion: Water Treatment Facility
Incident Impact: Significant
Incident Urgency: Critical
Description of Attack to Operations: The attack was conducted via remote access software (TeamViewer)†15 on the plant computer system responsible for water clarification for distributable, potable water to the local community of approximately 15,000 residents. On February 5, 2021, at approximately 8 am local time, an unknown user entered the plant computer system from an external network and probed the local environment; later, at approximately 1:30 pm local time, the same user, now a threat actor, attempted to poison the local community by forcibly altering pH levels to unsafe conditions, increasing sodium hydroxide from 100 ppm to 11,000 ppm. The threat actor spent approximately 3-5 minutes (combined) on the plant computer system across both intrusions. The plant operator quickly disabled remote access until further notice.
Source(s):
†15  "TeamViewer Software"; TeamViewer; URL: TeamViewer (alt)[alt-15]

Architecture Information

Architecture Identified: Windows-Based
Architecture Type: SCADA/HMI
Architecture Sub-Type: Software-Based
Hardware Involved: N/A
H/W Manufacturer: N/A
H/W Model No.: N/A
Software Involved: Yes
S/W Manufacturer: Unknown
S/W Model No.: Unknown
H/W Ver. Release: N/A
H/W Ver. Patched: N/A
S/W Ver. Release: Unknown
S/W Ver. Patched: Uncertain
O/S Involved: Yes
O/S Manufacturer: Microsoft Windows
O/S Ver. Release: Windows 7 (EOL)
O/S Ver. Patched: Uncertain

Detection Information

Detection△3△4: Human Only
Detection Time: < 1 Hour
Detection (Human): Staff
Detection (Machine): N/A
Network Detection?: Unknown; detection appears to have been made by staff.
Reason: No further information or details are available.
Threat Intel Detection?: Unknown; uncertain whether applicable to this incident.
Reason: No further information or details were provided indicating that any form of threat intelligence was utilized for detecting activity on the operational system(s).
Note(s):
△3  Refer to NIST Special Publication 800-61, Revision 2, (alt)[delta-03] "Computer Security Incident Handling Guide", Section 3, "Handling an Incident", p. 21 (30) for further information.
△4  Context with regards to embedded control devices and/or control systems may be applicable as suitable countermeasures for detection. Human decision required.

Damage Information

Damage Afflicted: Equipment possibly connected to the plant network (or isolated); if connected, other systems on the plant network could have been reached from the plant computer system via the remote access software loaded on it. The extent of damage beyond the plant computer system remains unknown as of 12-Feb-2021.
Damage Localized: Yes
Controls Bypassed: Yes
Damage Type: Software
Damage Sub-Type: Operating System
Damage Cost Known: No
Damage Cost Amount: N/A
Description of Damage to Operations: Damage appeared to be isolated to the plant computer system controlling the water clarification process. Following the attack, remote access capabilities were disabled.

Information regarding whether the threat actor accessed other systems within the same environment appears to be unknown; Sheriff Gualtieri and City of Oldsmar City Manager Al Braithwaite made similar statements during the public press briefing given on 8-Feb-2021.†11
Source(s):
†11  "Treatment Plant Intrusion Press Conference"; Pinellas Sheriff; dated 8-Feb-2021; URL: Pinellas Sheriff (alt)[alt-11]

Outage Information

Outage Type: Partial
Outage Condition: Damaged (Degraded)
Outage Repairability: Repairable
Outage Time: < 1 Hour

Recovery Information

Recovery Type: Software Disablement
Recovery Time: ~ 1-2 Hours
Restoration Type: Software Upgrade
Restoration Sub-Type: Security Enhancement(s)

Reference Information

Authoritative Information

DHS
(CISA)
N/A
FBI
(CYBER)
N/A
DOE
(FERC)
N/A
NRC
(NSIR)
N/A
DOD
(CYBERCOM)
N/A
NIST
(NVD)
N/A
NIST
(NISTIR)
N/A
IEEE
(IEC/ANSI)
N/A
Other
Pinellas County Sheriff's Office†11
Source(s):
†11  "Treatment Plant Intrusion Press Conference"; Pinellas Sheriff; dated 8-Feb-2021; URL: Pinellas Sheriff (alt)[alt-11]

Non-Authoritative Information

RISI
N/A
YouTube
N/A
Other
N/A

Design Information

<<  NO INFORMATION AVAILABLE FOR THIS INCIDENT  >>

URL / Case Number Information



SCID #00113
City of Oldsmar (2021)
QR Updated:
5-Feb-2021 (Friday)

Impact Information

Safety Information

Loss of Safety
No
Reduced Safety
Yes, temporarily
Safety Impacted
Yes, temporarily
Other(s) Impacted
No
Method of Safety Impacted
Threat actor modified safety levels by intentionally raising sodium hydroxide injection from 100 ppm to 11,000 ppm.
Safety Standard(s)
N/A
Loss of Life
No
No. of Deaths
N/A
Loss of Health
No
No. of Injured
N/A

Operational Information

Denial of
View
(DOV)
No
Denial of
Control
(DOC)
No
Denial of
Access
(DOA)
No
Denial of
Operation
(DOO)
No
Loss of
View
(LOV)
No
Loss of
Control
(LOC)
Yes, partial
Loss of
Access
(LOA)
No
Loss of
Operation
(LOO)
Yes, partial
Breakdown of Loss of Operational Information
>> (LOO) Threat actor established a connection to the internal plant computer system, took control of the system and its environment, modified settings, then left the plant network.†1
Operation(s)
Compromised
Yes
Operational
State
Automated, but with remote access disabled.
Operational
Disruption
Partial
Operational
Impact
Partial
Loss of
Recovery
No
Loss of
Restoration
No
Loss of
Backups
N/A
Backups
(F/P/I/NA)
N/A
Loss of Comm.
No
Comm. Outage Time
Unknown
SCADA/HMI(s)
Yes
DCS(sic)
No
PLC(s)
Possible (Speculative)
RTU(s)
No
IoT/IIoT
No
Telemetry
No
Sensor(s)
No
Other
N/A
Loss of
Logging
(LOL)
Uncertain
Loss of
Log(s)
(Deleted)
Uncertain
Loss of
Log(s)
(Archive)
Uncertain
Loss of
Log(s)
(Integrity)
Uncertain
Loss of
Integrity
(LOI)
Yes, temporarily
Loss of
Config
(LOCC)
Yes, temporarily
Description of Impact
Threat actor modified sodium hydroxide levels.†1†2
Source(s):
†1  "Someone tried to poison Oldsmar’s water supply during hack, sheriff says"; Tampa Bay Times; dated 8-Feb-2021; URL: Tampa Bay Times (alt)[alt-01] (alt)[alt-01a] (alt)[alt-01b]
†2  "Hacker tried to poison Oldsmar water system, sheriff says"; FOX 13 TV; dated 8-Feb-2021; URL: FOX 13 TV (alt)[alt-02]
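The impact above came from a single setpoint write that moved sodium hydroxide dosing from 100 ppm to 11,000 ppm through a remote-access session, and was caught only because the operator happened to be watching the screen. The following is an added example, not part of the SCIDMARK record or any vendor's software, of the kind of setpoint-write guard that would have alarmed on that write independently of an operator: each write is checked against an engineering range and a maximum single-step change, tags without a defined limit are rejected by default, and a write that returns a tag to its last accepted value is allowed so the operator can undo a change that already took effect. The tag names, limits and audit-event layout are assumptions for illustration; the record does not state what limits or alarms existed at the plant, and the events are constructed to follow the incident timeline rather than taken from real plant logs.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Limit:
    lo: float        # lowest value the process can accept
    hi: float        # highest value the process can accept
    max_step: float  # largest single change allowed without review


@dataclass(frozen=True)
class SetpointWrite:
    ts: datetime
    user: str
    source: str   # "console" (local HMI) or "remote" (remote-access session)
    tag: str
    old: float    # value shown on the HMI before the write
    new: float    # value requested by the write


# Assumed engineering limits (illustrative; the incident record does not
# state what limits or alarms existed at the plant).
LIMITS: Dict[str, Limit] = {
    "NAOH_DOSE_PPM": Limit(lo=0.0, hi=500.0, max_step=50.0),
    "CL2_DOSE_PPM": Limit(lo=0.0, hi=5.0, max_step=0.5),
}


class SetpointGuard:
    """Validates HMI setpoint writes against engineering limits.

    Deny-by-default: a tag with no defined limit is rejected. A write that
    returns a tag to its last accepted value is treated as a restoration and
    is always allowed, so an operator can undo a change that already took
    effect on the process.
    """

    def __init__(self, limits: Dict[str, Limit]):
        self.limits = limits
        self.last_good: Dict[str, float] = {}  # tag -> last accepted value

    def evaluate(self, w: SetpointWrite) -> Optional[str]:
        """Return None if the write is acceptable, otherwise the reason it is not."""
        lim = self.limits.get(w.tag)
        if lim is None:
            return "no engineering limit defined for tag"
        # First time we see a tag, trust the value the HMI was already showing.
        good = self.last_good.setdefault(w.tag, w.old)
        if w.new == good:
            return None  # restoration to the last accepted value
        if not lim.lo <= w.new <= lim.hi:
            return f"{w.new} outside engineering range [{lim.lo}, {lim.hi}]"
        if abs(w.new - good) > lim.max_step:
            return f"step of {abs(w.new - good)} exceeds max_step {lim.max_step}"
        self.last_good[w.tag] = w.new
        return None

    def review(self, writes: List[SetpointWrite]) -> List[Tuple[SetpointWrite, str]]:
        """Replay an audit trail in order and return every write that should have alarmed."""
        findings = []
        for w in writes:
            reason = self.evaluate(w)
            if reason is not None:
                findings.append((w, reason))
        return findings


# Constructed audit trail following the incident timeline (not real plant logs):
# a routine morning change, the 100 -> 11,000 ppm remote write, the operator's restore.
SAMPLE_WRITES = [
    SetpointWrite(datetime(2021, 2, 5, 8, 0), "operator", "console", "CL2_DOSE_PPM", 2.0, 2.2),
    SetpointWrite(datetime(2021, 2, 5, 13, 30), "unknown", "remote", "NAOH_DOSE_PPM", 100.0, 11000.0),
    SetpointWrite(datetime(2021, 2, 5, 13, 35), "operator", "console", "NAOH_DOSE_PPM", 11000.0, 100.0),
]

if __name__ == "__main__":
    guard = SetpointGuard(LIMITS)
    for w, reason in guard.review(SAMPLE_WRITES):
        print(f"{w.ts:%H:%M} {w.user}@{w.source} {w.tag} {w.old}->{w.new}: {reason}")
```

Run over the constructed trail, only the 13:30 remote write is flagged; the operator's 13:35 restore is accepted because it returns the tag to its last accepted value of 100 ppm. The same check belongs in the PLC as a hard clamp on the setpoint register, since a guard that lives only on the HMI host is bypassed by whoever controls that host, which in this incident was the intruder.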

Financial Information

<<  NO INFORMATION AVAILABLE FOR THIS INCIDENT  >>

Data Information

Incorrect Configuration
(E/I/NI/NA)
N/A
Missing Configuration
(E/I/NI/NA)
N/A
Sent Incorrect Data
(DAR/FS/IT/NA)
N/A
Rcvd Incorrect Data
(DAR/FS/IT/NA)
N/A
Attempted Reset/Reboot
No
Information Replayed
No
Description of Replay
N/A
Unintended Operation
Yes; threat actor took complete control.
Unintended
Input
No
Unintended
Output
No
Loss of Data
(At Rest)
No; all data is intact.
Loss of Data
(From Src)
Unknown
Loss of Data
(In-Transit)
Unknown
Loss of Data
(Confidential)
Unknown

Timing Information

<<  NO INFORMATION AVAILABLE FOR THIS INCIDENT  >>

Unconfirmed / Speculative Information

Some information stated by public officials is either speculative or unconfirmed. This information may never be completely confirmed; however, given the nature of this incident, it has been considered admissible evidence for this case.

The incident occurred near the Tampa Bay Super Bowl 2021 - State of Information: Speculative - Oldsmar is about 15 miles northwest of Tampa. The incident occurred on the same weekend, two days before Super Bowl LV at Raymond James Stadium.†20†21†22

Law enforcement does not know if it was a disgruntled or dismissed employee - State of Information: Unconfirmed - Sheriff Gualtieri indicated that the intruder knew what he was doing. ... "In order to get into the system, somebody had to use some pretty sophisticated ways of doing it."†23 ... "Cybersecurity experts said the culprit could just as easily be bored teenagers, a disgruntled employee, or a nation state or contractors doing their bidding. The process of attributing the attack could take months — or longer."†24

The current SCADA/HMI configuration, exposed on the Internet by an engineering firm, was used as intelligence - State of Information: Speculative - The information was found on the web site of the engineering firm McKim & Creed. On 9-Feb-2021, the web page describing the firm's work for the City of Oldsmar showed a screenshot of the SCADA/HMI server, dated 2-Oct-2018, along with a description of the work performed by the firm. As of 12-Feb-2021, the web page appears to have been removed.

News sources indicated that a 'Trojan-horse'-style virus was used to infiltrate the system - State of Information: Speculative - Fox News made inferences that "...in a way that made it 'functionally similar' to Trojan-horse style viruses that infect a computer from within and grant remote entry to hackers."†27

Congress is involved with this case. - State of Information: Confirmed - Senate Intelligence Chairman Mark Warner has sent a letter to both the FBI and U.S. EPA regarding the matter.†28

    Updated 12-Feb-2021  

It should be noted that the URL for Ref. No. 25 now returns "Sorry, we could not find this page." A search for the missing page was performed on 12-Feb-2021; to date, there is no record of its current location.†25

NOTE: Documents alt-25, alt-25a, and alt-25b were captured on 12-Feb-2021 and show the 404 error page.
NOTE: Documents alt-25c, alt-25d, alt-25e, and alt-25f were captured on 9-Feb-2021 and show the web page prior to removal.
Source(s):
†20  "Hacker tried to poison Florida water supply near Super Bowl, police say"; Fox News TV; dated 8-Feb-2021; URL: Fox News TV (alt)[alt-20] (alt)[alt-20a] (alt)[alt-20b]
†21  "Hackers attempt to poison Florida city's water supply near Super Bowl"; CBS 12 NEWS TV; dated 9-Feb-2021; URL: CBS 12 NEWS TV (alt)[alt-21] (alt)[alt-21a] (alt)[alt-21b]
†22  "Hacker Tries to Poison Water Supply of Florida Town"; threatpost; dated 9-Feb-2021; URL: threatpost (alt)[alt-22] (alt)[alt-22a] (alt)[alt-22b]
†23  "A hacker broke into a Florida town’s water supply and tried to poison it with lye, police said"; Washington Post; dated 9-Feb-2021; URL: Washington Post (alt)[alt-23] (alt)[alt-23a] (alt)[alt-23b]
†24  "Dangerous Stuff’: Hackers Tried to Poison Water Supply of Florida Town"; NY Times; dated 8-Feb-2021; URL: The New York Times (alt)[alt-24] (alt)[alt-24a] (alt)[alt-23b]
†25  "Reduce Operational Inconsistencies by Leveraging Automation"; McKim & Creed; dated 12-Feb-2021; URL: McKim & Creed (alt)[alt-25] (alt)[alt-25a] (alt)[alt-25b] (alt)[alt-25c] (alt)[alt-25d] (alt)[alt-25e] (alt)[alt-25f]
†27  "FBI issues alert amid Florida Oldsmar water-treatment hacking investigation"; Fox News TV; dated 12-Feb-2021; URL: Fox News TV (alt)[alt-27] (alt)[alt-27a] (alt)[alt-27b]
†28  "Florida water plant cyberattack: Senate Intel chair seeks answers"; Fox News TV; dated 17-Feb-2021; URL: Fox News TV (alt)[alt-28] (alt)[alt-28a] (alt)[alt-28b]