Oldsmar Water Treatment Facility Attack

By Edgar Namoca on March 4, 2021

(By: Edgar Namoca on February 18, 2021)

Executive Summary

On February 5, 2021, adversaries we able to gain remote access to the Oldsmar water treatment plant [1].  The Oldsmar water treatment plant located in the Tampa Bay area of Florida cleans and provides water for approximately 15,000 people [1] .  The hacker was able to gain access to the water treatment facility through the remote desktop application TeamViewer [3]. While connected to the compromised computer, the adversary attempted to change sodium hydroxide concentration (NaOH), also known as lye, from 100 parts per million to 11100 parts per million [2].  The employee noticed the changes and immediately and restored the concentration levels back to normal before anything could have happened [2].


Friday, February 5, 2021, an adversary successfully connected to an engineer workstation at the Oldsmar water treatment plant.  An alert employee was aware that someone had connected to the computer at the bottom of the screen [5].  The employee was not alarmed because it was typical for managers and other engineers to connect remotely to check the water plant’s operational condition [5].  However, the employee continued to watch as the attacker started to open the critical functions and finally making changes to the function to control the amount of sodium hydroxide present in the water treatment process.  Sodium hydroxide is a chemical used to remove metals from the water in the treatment process, commonly known to us as drain cleaner.  The changes made to the system would have taken from 24 to 36 hours to take effect, putting no one in danger.  The Federal Bureau of Investigation (FBI) is currently investigating the attack and has released an advisory warning of similar attacks that can happen.  The advisory states the importance of updating and patching the critical infrastructure systems to prevent attackers from exploiting their systems [6].  It has not been determined if TeamViewer was the root cause of entry, but at this moment, there are no indications that their software has been compromised. It was stated that the Oldsmar water plant was still using an outdated operating system, which could have lead to the original foothold obtained by attackers [7].


The adversaries responsible for the Oldsmar water treatment facility attack are still not identified, so it is impossible to determine the attackers’ motive.  If the system’s changes went unnoticed and increased the amounts of sodium hydroxide, the water supplied by the Oldsmar water plant would be unsafe for human consumption.  The effects of increased sodium hydroxide in the water could have caused severe burns to the skin, irritation of the eyes, nausea, induced vomiting, severe chest and stomach pains, and damage to the mouth, throat, and digestive system [4].  The effects will increase as concentration or exposure to the chemical increases [4]. 


The Oldsmar attack on a water supply system was not the first of its type.  Similar attacks happened from 2015 to 2016 to water treatment facilities in the United States.  Recently in 2020, the Israeli government also reported attacks on their water infrastructure as well.  Multiple advisories were released by security firms such as the FBI, Department of Homeland Security (DHS), and the Cybersecurity and Infrastructure Security Agency (CISA), warning about the increase of SCADA attacks and critical infrastructure sectors.  The Health and Public Health sectors have been struggling with ransomware attacks, and now adversaries are finally branching out to other critical industries.  If attackers can successfully the US’s water supply system, it will inadvertently bring other critical infrastructure to its knees as almost all critical infrastructure relies on water for operation.


[1] https://www.wfla.com/news/politics/white-house-addresses-hack-of-oldsmar-water-system/

[2] https://www.nytimes.com/2021/02/08/us/oldsmar-florida-water-supply-hack.html

[3] https://www.tampabay.com/news/pinellas/2021/02/10/oldsmars-water-supply-attack-is-a-warning-experts-say-it-couldve-been-worse/

[4] https://www.tn.gov/health/cedep/environmental/environmental-health-topics/eht/sodium-hydroxide.html#:~:text=Eating%20or%20drinking%20sodium%20hydroxide,throat%20and%20stomach%20is%20immediate.

[5] https://www.scmagazine.com/home/security-news/network-security/security-gaps-in-operational-tech-exposed-with-hacker-attempt-to-poison-florida-city-water/

[6] https://www.reuters.com/article/us-usa-cyber-florida-idUSKBN2A82FV

[7] https://www.zdnet.com/article/hacker-modified-drinking-water-chemical-levels-in-a-us-city/