By Peter Chawaga
According to a local official with direct knowledge, an alarming drinking water contamination event thought to be the result of cyberattack was actually just an operations flub.
“In 2021, news broke of a cyberattack at the Oldsmar, Florida, water treatment plant, an event that sparked fears about the cyber vulnerabilities of critical infrastructure,” GCN reported. “But according to one official who was with the city at the time, the incident was not a hack at all, just a case of an employee mistakenly clicking on the wrong buttons, before alerting his superiors to his error.”
Framed at the time as an intentional hack meant to poison Oldsmar’s drinking water, the 2021 event saw the chemical controls of the plant’s computer system changed to dump lye into the local drinking water. It was closely associated with similar drinking water system hacks in the Bay Area and Baltimore, as well as wastewater facility cyberattacks in Maine and California.
Following the slew of perceived attacks, the White House made efforts to strengthen cybersecurity across national drinking water and wastewater systems.
But, speaking recently at the 2023 American Society for Public Administration Annual Conference, the former Oldsmar official suggested that the cyber threat might be overblown.
“Former Oldsmar City Manager Al Braithwaite described it as a ‘non-event’ that was resolved in two minutes, but said law enforcement and the media seized on the idea of a cyberattack and ‘ran with it,’” according to GCN. “The attention resulted in a four-month FBI investigation, which Braithwaite said reached the same conclusion that employee error was to blame.”
A spokesperson for the FBI’s Tampa office declined to comment on the investigation following Braithwaite’s statements, per GCN, but even if this incident was due to operator error rather than third-party attack, there are many other recent examples of perceived third-party attacks to compel the strengthening of public computer systems.
And whether the incident was due to operator error or an unexpected attack, the staff in Oldsmar has been given the benefit of the doubt.
“As for the employee who made the error and then reported it to his supervisors, Braithwaite said he has not been fired, and nor should he have been,” GCN reported. “Other panelists said terminating employees for following standard operating procedures would set a dangerous precedent, especially given the staff shortages state and local governments have in tech and cybersecurity.”
To read more about how water systems prepare for cyberattacks, visit Water Online’s Resiliency Solutions Center.