The Oldsmar Incident: Policy Gaps in Infrastructure Protection
The Incident
On February 5, 2021, at approximately 8:00 AM and 1:30 PM EST, two separate remote-access incidents occurred at the Bruce T. Haddock water treatment plant in Oldsmar, Florida. An unauthorized remote user accessed the plant's supervisory control and data acquisition (SCADA) system and raised the sodium hydroxide setpoint from 100 ppm to 11,100 ppm. Plant employees detected the change quickly and restored the setpoint before any treated water was affected. Although no public harm occurred, the incident exposed weaknesses in the plant's security posture, including an outdated Windows 7 operating system and desktop sharing software used for remote access.
What Happened
The first intrusion occurred at about 8:00 AM EST, when plant operators noticed the mouse cursor on their screen moving under remote control. They dismissed it because the supervisor had previously connected in the same way to monitor the system. At about 1:30 PM EST the operators noticed similar cursor movements and, over roughly three to five minutes, watched the remote user open various software functions; only then did they recognize the access as unauthorized. During this window the sodium hydroxide (lye) setpoint, normally 100 ppm (parts per million), was raised to 11,100 ppm before the remote session ended. The operators noticed the change immediately and reset the setpoint to 100 ppm. Several agencies took part in the subsequent investigation: the Pinellas County Sheriff's Office handled the initial investigation and incident response, the Federal Bureau of Investigation (FBI) conducted the cyber forensic investigation, and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory (AA21-042A). The FBI was initially unable to determine whether the incident was a coordinated attack, and it later stated that the change could also have been the result of employee error. A comprehensive assessment of the sector was not carried out until 2024, when the EPA Office of Inspector General documented the widespread systemic weaknesses that make an incident of this kind possible.
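Two controls would have bounded this manipulation regardless of how the remote session was obtained: an engineering hard limit enforced in the controller itself, so that a value beyond what the dosing equipment can physically deliver is refused no matter who writes it, and an alarm on setpoint writes that are implausibly large or originate from a remote session. The following Python sketch is an added illustration, not code from the original article or from any plant system; the tag name, the limit values (400 ppm hard maximum, 50 ppm maximum step) and the sample events are constructed assumptions.

```python
"""Setpoint-change monitor for SCADA setpoint writes.

Added illustration only. LIMITS, the tag name and SAMPLE_EVENTS are
constructed assumptions, not values or records from the Oldsmar plant.
"""
from dataclasses import dataclass
from datetime import datetime

# Assumed engineering limits per tag (illustrative numbers):
#   hard_max - highest value the dosing equipment should ever be set to
#   max_step - largest change a single write may make, in engineering units
LIMITS = {
    "NAOH_SETPOINT_PPM": {"hard_max": 400.0, "max_step": 50.0},
}


@dataclass
class SetpointEvent:
    ts: datetime
    tag: str
    old: float
    new: float
    session: str  # "local" for the plant console; anything else is a remote session id


@dataclass
class Alert:
    event: SetpointEvent
    reasons: list


def check_event(ev, limits=LIMITS):
    """Return the list of policy violations for one setpoint write (empty if clean)."""
    lim = limits.get(ev.tag)
    if lim is None:
        return ["no engineering limits defined for tag"]
    reasons = []
    if ev.new > lim["hard_max"]:
        reasons.append(f"new value {ev.new} exceeds hard_max {lim['hard_max']}")
    step = abs(ev.new - ev.old)
    if step > lim["max_step"]:
        reasons.append(f"step {step} exceeds max_step {lim['max_step']}")
    if ev.session != "local":
        reasons.append(f"write came from remote session {ev.session}")
    return reasons


def should_block(ev, limits=LIMITS):
    """Hard limit that belongs in the controller, independent of who issued the
    write: refuse any value above the equipment's engineered maximum, and refuse
    writes to tags with no defined limits."""
    lim = limits.get(ev.tag)
    return lim is None or ev.new > lim["hard_max"]


def check_setpoint_changes(events, limits=LIMITS):
    """Run the alarm rules over a batch of events and return the alerts raised."""
    alerts = []
    for ev in events:
        reasons = check_event(ev, limits)
        if reasons:
            alerts.append(Alert(ev, reasons))
    return alerts


# Constructed sample history: a routine local adjustment, the remote write
# that mirrors the 100 -> 11,100 ppm change, and the operator's revert.
SAMPLE_EVENTS = [
    SetpointEvent(datetime(2021, 2, 5, 7, 55), "NAOH_SETPOINT_PPM", 100.0, 105.0, "local"),
    SetpointEvent(datetime(2021, 2, 5, 13, 32), "NAOH_SETPOINT_PPM", 105.0, 11100.0, "remote-7f3a"),
    SetpointEvent(datetime(2021, 2, 5, 13, 36), "NAOH_SETPOINT_PPM", 11100.0, 100.0, "local"),
]


def summarize(events=SAMPLE_EVENTS, limits=LIMITS):
    """Return (alerts, writes the controller would have refused)."""
    alerts = check_setpoint_changes(events, limits)
    blocked = [ev for ev in events if should_block(ev, limits)]
    return alerts, blocked


if __name__ == "__main__":
    alerts, blocked = summarize()
    for a in alerts:
        print(a.event.ts.isoformat(), a.event.tag, "; ".join(a.reasons))
    print("controller would refuse:", [(b.ts.isoformat(), b.new) for b in blocked])
```

Against the sample history the 11,100 ppm write trips all three rules and is the only write the hard limit would refuse. The operator's revert also raises a step alert; that is intentional, since a correction of that size should still be reviewed. The hard limit is placed in `should_block` rather than in the alarm path because the workstation running the HMI was exactly what the remote user controlled; a limit enforced only at the HMI protects nothing.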
Response and Impact
The Oldsmar incident had no immediate public safety impact: plant operators reversed the sodium hydroxide setpoint change before it could affect water delivered to the roughly 15,000 residents served. No direct economic losses occurred, but the incident highlighted an exposure that could cost billions nationally; EPA estimates that a one-day disruption of water service could jeopardize $43.5 billion in economic activity. Multiple agencies responded, including the FBI, the U.S. Secret Service, and the Pinellas County Sheriff's Office. The longer-term effect was on policy: CISA and its partner agencies issued a Joint Cybersecurity Advisory (AA21-042A) with detailed security recommendations for water and wastewater operators.
Investigation and Attribution
The response was mixed: immediate action was strong, but strategic coordination was weak. Plant operators detected and reversed the chemical manipulation quickly, preventing public harm, and federal agencies (FBI, Secret Service, CISA) issued comprehensive security guidance. However, the EPA lacked its own cybersecurity incident reporting system and had no documented procedures for coordinating with CISA, leaving gaps in information sharing. The FBI's inability to confirm that the event was a cyberattack at all exposed the limits of the forensic investigation. TeamViewer desktop sharing software was the suspected access vector, and the weaknesses behind it proved to be widespread among water system operators across the sector.
Initial investigations by the FBI, U.S. Secret Service, and Pinellas County Sheriff's Office found that whoever accessed the system exploited basic cybersecurity weaknesses: weak password practices, shared user accounts, an outdated Windows 7 operating system, and TeamViewer remote desktop software installed on the SCADA workstation. Despite forensic analysis, the FBI could not confirm that the incident was a targeted intrusion, and later evidence suggested it may have been employee error rather than an external attack by a sophisticated threat actor. Contrary to the initial assumption of an outside attacker, the incident's origin remains inconclusive.
Policy Implications
The incident exposed fundamental security failures, including reliance on outdated systems and weak security practices. EPA inspections found more than 70% of water systems non-compliant with basic cybersecurity practices, underscoring an urgent need for comprehensive security assessments, multi-factor authentication, and regular patching across the water sector.
The response also revealed significant coordination gaps: the EPA lacked its own cybersecurity incident reporting system and had no documented procedures for coordinating with CISA and other federal agencies during water sector emergencies. Future efforts must establish clear communication protocols and unified reporting mechanisms so that responses to critical infrastructure incidents are swift and coordinated.
Recommendations
EPA should immediately mandate comprehensive cybersecurity assessments of all community water systems, focusing on basic security hygiene, given that 97 water systems serving 26.6 million users currently have critical vulnerabilities. Federal agencies must establish formal coordination protocols between EPA and CISA. Enforceable cybersecurity standards and regular monitoring, with penalties for non-compliance, are essential to protect this critical infrastructure.
Conclusion
The Oldsmar water treatment incident represents a critical wake-up call regarding cybersecurity vulnerabilities in our nation's water infrastructure. While immediate harm was prevented through rapid operator response, the incident exposed fundamental security weaknesses that persist across the sector. Continued vigilance and enhanced cooperation between federal agencies, state authorities, and private water system operators will be crucial in protecting this vital critical infrastructure from future threats.
References
Cybersecurity and Infrastructure Security Agency. (2021, February 11). Compromise of U.S. water treatment facility (AA21-042A). CISA. https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-042a
Republican Policy Committee. (2021). Infrastructure cybersecurity: Water systems. U.S. Senate. https://www.rpc.senate.gov/policy-papers/infrastructure-cybersecurity-water-systems
U.S. Environmental Protection Agency. (2023, March 3). EPA takes action to improve cybersecurity resilience for public water systems [Press release]. https://www.epa.gov/newsreleases/epa-takes-action-improve-cybersecurity-resilience-public-water-systems
U.S. Environmental Protection Agency Office of Inspector General. (2024, November 13). Management implication report: Cybersecurity concerns related to drinking water systems (Report No. 25-N-0004T). https://www.epaoig.gov/sites/default/files/reports/2024-11/full_report_-_25-n-0004t_1.pdf
U.S. Environmental Protection Agency Office of Inspector General. (2024, November 15). Management implication report: Cybersecurity concerns related to drinking water systems (Report No. 25-N-0004T). https://www.epaoig.gov/reports/other/management-implication-report-cybersecurity-concerns-related-drinking-water-systems
U.S. Government Accountability Office. (2024, August 1). Critical infrastructure protection: EPA urgently needs a strategy to address cybersecurity risks to water and wastewater systems (GAO-24-106744). GAO. https://www.gao.gov/products/gao-24-106744