Oldsmar Water Treatment Plant Intrusion
February 2021
Executive Summary
An unauthorized actor remotely accessed the SCADA system at the Oldsmar, Florida water treatment plant via TeamViewer and attempted to increase sodium hydroxide (lye) levels to potentially dangerous concentrations. An operator observed the cursor movement in real time and immediately reversed the change. No public harm resulted.
Why This Matters
Oldsmar made water-system cyber risk tangible for policymakers and the public, revealing how small utilities with minimal security budgets can become targets with public-health consequences.
Escalation Profile
Phases
Remote access via TeamViewer
Attacker accessed the plant's HMI through TeamViewer software using shared credentials on an internet-facing system.
Chemical setpoint manipulation
Sodium hydroxide level changed from ~100 ppm to ~11,100 ppm — an operator noticed and reversed the change within minutes.
Threshold Crossings
- Demonstrated that remote access to water treatment SCADA can enable potentially harmful chemical manipulation
- Highlighted systemic weaknesses: shared passwords, unpatched remote-access software, flat networks
Restraint Factors
- Operator observation enabled immediate reversal
- Multiple downstream safety checks would likely have caught the change before it reached consumers
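The setpoint change in the Phases section (about 100 ppm to about 11,100 ppm in a single HMI write) is the kind of command that an HMI-side plausibility guard can reject before any downstream chemical or pH check is needed. The following is an added example, not code from the advisory, the plant, or its HMI vendor: a deny-by-default guard that checks each write against per-tag engineering limits, a maximum single-step change, and a policy that remote sessions may not write dosing tags at all. The tag names, limits, session labels, and event sequence are constructed assumptions for illustration, not the plant's actual configuration or logs.

```python
"""HMI write guard: engineering limits, step limits, and a local-only policy.

Added example (not from the Oldsmar advisory or the plant's own system).
All tag names, limits, and events below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Limit:
    low: float       # engineering low limit for the tag (assumed)
    high: float      # engineering high limit for the tag (assumed)
    max_step: float  # largest change one write command may make (assumed)


# Illustrative per-tag limits; NOT the plant's real values.
LIMITS = {
    "NaOH_dose_ppm": Limit(low=0.0, high=200.0, max_step=25.0),
}

# Dosing tags that a remote-access session may never write directly (assumed policy).
LOCAL_ONLY_TAGS = {"NaOH_dose_ppm"}


@dataclass(frozen=True)
class WriteEvent:
    ts: str       # timestamp of the HMI write (constructed)
    source: str   # originating session, e.g. "hmi:console" or "teamviewer:remote"
    tag: str      # HMI tag being written
    old: float    # value before the write
    new: float    # value requested by the write


def check_write(ev: WriteEvent) -> Optional[str]:
    """Return a rejection reason, or None if the write is acceptable."""
    lim = LIMITS.get(ev.tag)
    if lim is None:
        # Deny by default: a tag with no configured limits is never writable.
        return f"{ev.tag}: no limit configured, rejected by default"
    if ev.tag in LOCAL_ONLY_TAGS and not ev.source.startswith("hmi:"):
        # Policy check runs before value checks: the origin alone is disqualifying.
        return f"{ev.tag}: write from remote session {ev.source!r} not permitted"
    if not lim.low <= ev.new <= lim.high:
        return f"{ev.tag}: {ev.new} outside [{lim.low}, {lim.high}]"
    if abs(ev.new - ev.old) > lim.max_step:
        return f"{ev.tag}: step {abs(ev.new - ev.old)} exceeds max_step {lim.max_step}"
    return None


def filter_writes(events: Iterable[WriteEvent]) -> Tuple[List[WriteEvent], List[Tuple[WriteEvent, str]]]:
    """Split a sequence of writes into accepted events and (event, reason) rejections."""
    accepted: List[WriteEvent] = []
    rejected: List[Tuple[WriteEvent, str]] = []
    for ev in events:
        reason = check_write(ev)
        if reason is None:
            accepted.append(ev)
        else:
            rejected.append((ev, reason))
    return accepted, rejected


# Constructed event sequence: a routine local adjustment, then a remote write
# that jumps the dose from 100 ppm to 11,100 ppm, then a write to an unconfigured tag.
SAMPLE_EVENTS = [
    WriteEvent("2021-02-05T08:00:00", "hmi:console", "NaOH_dose_ppm", 110.0, 100.0),
    WriteEvent("2021-02-05T13:30:00", "teamviewer:remote", "NaOH_dose_ppm", 100.0, 11100.0),
    WriteEvent("2021-02-05T13:31:00", "hmi:console", "pH_setpoint", 7.2, 7.4),
]

if __name__ == "__main__":
    accepted, rejected = filter_writes(SAMPLE_EVENTS)
    for ev in accepted:
        print(f"ACCEPT {ev.ts} {ev.source} {ev.tag} {ev.old} -> {ev.new}")
    for ev, reason in rejected:
        print(f"REJECT {ev.ts} {ev.source} {reason}")
```

The order of checks matters: the remote-origin rule fires before the value checks, so the 11,100 ppm write is refused on policy alone, and the same value sent from the local console is still refused by the range check. An unconfigured tag is rejected rather than passed through, so adding a new dosing tag to the HMI does not silently open an unguarded write path.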
Attribution Assessment
Threat actor: Unknown. No public attribution has been made. The intrusion involved no malware, so attribution rests on remote-access session records and the law-enforcement investigation rather than on malware analysis; none of that evidence has been published.
Sources: CISA/FBI/EPA Advisory AA21-042A; Pinellas County Sheriff press conference transcript
No dedicated journalistic sources in dataset. See sources section for full references.
“Low Confidence” reflects available public evidence. All assessments carry inherent uncertainty and should be read alongside source material.
Unpeace Position
Contributing Dimensions
Coercive Function
Sabotage
Physical or functional disruption of systems — coercive value through demonstrating capability to cause real-world harm.
Observed coercive effects
- Demonstrated that remote access to water treatment SCADA can enable potentially harmful chemical manipulation
- Highlighted systemic weaknesses: shared passwords, unpatched remote-access software, flat networks
Entanglement Risk
Sectors affected: water and wastewater
Countries / regions: United States
Impact summary
No public harm; chemical change reversed within minutes by an alert operator.
Infrastructure Meaning
Capability profile
Low sophistication: commodity remote-access software (TeamViewer) and shared credentials on an internet-exposed HMI. No custom malware or ICS-protocol tooling was required; the only observed action was a single setpoint change made through the HMI's own interface.
3 ATT&CK techniques mapped in the dataset.
Governance Analysis
Governance Flags
Norms invoked
- Safe drinking water as a protected civilian necessity
- Duty to secure public health infrastructure
Policy responses
- CISA, FBI, and EPA joint advisory on water/wastewater sector cybersecurity
- Congressional attention to water-sector cyber resilience funding gaps
Regulatory changes
- EPA increased focus on cybersecurity in sanitary surveys (later challenged in court)
- CISA launched water-sector specific vulnerability scanning services
Governance impact assessment
Exposed the severe under-investment in water-sector cybersecurity and became a catalyst for federal efforts to extend cyber standards to small utilities — though regulatory authority remains contested.
Sources
CISA/FBI/EPA Advisory AA21-042A
Pinellas County Sheriff press conference transcript
Sources listed reflect publicly available materials used to construct this case entry. Inclusion does not imply endorsement. Where no URL is provided, the source may be found via its title and date.
Related Cases
Industroyer2
April 2022 · Russia
Industroyer2 confirmed that grid-targeting ICS malware is now a recurring feature of armed conflict, while its successful mitigation showed that coordinated cyber defense can work under wartime conditions.
Stuxnet
circa 2007 – 2010 · United States / Israel
Stuxnet proved that software alone can destroy physical infrastructure, fundamentally changing how states, lawyers, and strategists think about the threshold between cyber operations and armed conflict.
Ukraine Grid I
December 2015 · Russia
Ukraine 2015 was the first confirmed cyber-caused power outage, turning a theoretical risk into an operational reality that reshaped how governments defend energy grids.
Ukraine Grid II
December 2016 · Russia
Industroyer represented a generational leap in ICS malware sophistication — a modular, protocol-aware weapon that signaled the industrialization of grid-targeted cyber capabilities.