Anatomy of a Breach: Oldsmar — A Hacker Tried to Poison a City's Water Supply Through TeamViewer

> series: anatomy_of_a_breach —— part: 146 —— target: oldsmar_water_treatment —— chemical: sodium_hydroxide —— increase: 100ppm_to_11,100ppm —— access: teamviewer

Hedgehog Security 28 February 2021 14 min read

Sodium hydroxide increased 111 times. Through TeamViewer. On a Windows 7 workstation. With a shared password.

On 5 February 2021, an operator at the Oldsmar water treatment plant in Pinellas County, Florida, observed the mouse cursor on a SCADA control workstation moving independently. Someone had remotely connected to the system and was navigating to the chemical dosing controls. The operator watched as the intruder increased the sodium hydroxide (lye) setting from 100 parts per million to 11,100 parts per million — a 111-fold increase that, if left in place and undetected by downstream safety systems, could have produced dangerously caustic water.

The operator immediately reversed the change, and the plant's safety alarms and pH monitoring systems would have detected the alteration before contaminated water reached the public. But the attack — conducted through TeamViewer, a consumer-grade remote access tool, using a shared password, on a workstation running unsupported Windows 7 — demonstrated that critical infrastructure controlling public health and safety could be accessed through the most basic of attack vectors. The case was investigated by the FBI, the Secret Service, and Pinellas County Sheriff's Office.

SCADA. Internet-connected. TeamViewer. Shared password. Windows 7.

Public Safety at Risk
The Oldsmar attack targeted the chemical composition of drinking water — a direct threat to public health. While safety systems would likely have caught the change, the attack demonstrated intent and capability to harm through cyber means. For UK water companies and critical infrastructure operators, SCADA security is a public safety obligation. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> includes SCADA and OT assessment.
TeamViewer on SCADA Systems
A consumer-grade remote access tool (TeamViewer) was installed on a SCADA workstation reachable from the internet, protected only by a password shared among staff. That combination breaks the basic OT remote-access principles: no direct internet exposure of control systems, one account per person, and MFA on every remote session. <a href="/cyber-essentials">Cyber Essentials</a> mandates MFA on all remote access and prohibits shared passwords.
Windows 7 — Unsupported Since January 2020
The SCADA workstation ran Windows 7, which had reached end-of-life in January 2020, more than a year before the attack. <a href="/cyber-essentials">Cyber Essentials</a> requires that unsupported software is removed from scope. The same weakness that let <a href="/blog/anatomy-of-a-breach-wannacry">WannaCry</a> tear through the NHS in 2017, Windows hosts left without security patches, was present in water treatment infrastructure.
Human Operator Saved the Day
The attack was stopped because a human operator was watching the screen and noticed the cursor moving. Without that alertness, the chemical change would have relied on automated safety systems for detection. <a href="https://www.socinabox.co.uk">SOC in a Box</a> provides the continuous monitoring that supplements human observation — detecting remote access anomalies and SCADA configuration changes 24/7.
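The configuration-change detection described above can be illustrated with a small setpoint audit monitor. This is an added example, not code from SOC in a Box or from the Oldsmar plant; the audit-event format, tag names, engineering limits and sample events are all constructed for illustration. It flags a dosing change when the new value leaves its engineering range, when the step size is implausible for a single operator adjustment (the Oldsmar change was a 111x step), or when the change arrived over a remote session rather than the local console.

```python
"""Setpoint-change monitor for a chemical dosing system.

Added illustration, not code from the Oldsmar plant or from SOC in a Box.
The audit-event format, tag names, engineering limits and sample events
below are all constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed engineering limits per tag: acceptable range and the largest
# single-step ratio an operator would plausibly apply. The Oldsmar change
# (100 ppm -> 11,100 ppm sodium hydroxide) is a 111x step, outside both.
LIMITS = {
    "NAOH_SETPOINT_PPM": {"low": 50.0, "high": 150.0, "max_ratio": 1.5},
    "CL2_SETPOINT_PPM": {"low": 0.5, "high": 4.0, "max_ratio": 1.5},
}

# Constructed HMI audit trail, tab separated:
# timestamp, tag, old_value, new_value, operator, session_source
# "console" is the local HMI; anything else is a remote session.
SAMPLE_EVENTS = """\
2021-02-05T08:02:11\tNAOH_SETPOINT_PPM\t100\t102\toperator1\tconsole
2021-02-05T13:27:40\tNAOH_SETPOINT_PPM\t100\t11100\toperator1\tteamviewer
2021-02-05T13:30:05\tNAOH_SETPOINT_PPM\t11100\t100\toperator1\tconsole
2021-02-05T14:10:00\tCL2_SETPOINT_PPM\t2.0\t2.2\toperator2\tteamviewer
"""


@dataclass
class Change:
    ts: datetime
    tag: str
    old: float
    new: float
    operator: str
    source: str


def parse_events(text: str) -> List[Change]:
    """Parse the tab-separated audit trail into Change records."""
    changes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, tag, old, new, operator, source = line.split("\t")
        changes.append(Change(datetime.fromisoformat(ts), tag,
                              float(old), float(new), operator, source))
    return changes


def step_ratio(old: float, new: float) -> float:
    """Symmetric step size: 100 -> 11100 and 11100 -> 100 are both 111x.
    A move to or from zero is treated as unbounded."""
    if old <= 0 or new <= 0:
        return float("inf")
    return max(old, new) / min(old, new)


def evaluate(change: Change, limits: Dict = LIMITS) -> List[str]:
    """Return the reasons a change should alert; an empty list means benign."""
    reasons = []
    lim = limits.get(change.tag)
    if lim is None:
        # A setpoint with no engineering limits on file is a configuration
        # gap in the monitor itself, so it is reported rather than ignored.
        reasons.append(f"no limits defined for {change.tag}")
        return reasons
    if not lim["low"] <= change.new <= lim["high"]:
        reasons.append(f"out of range {lim['low']}-{lim['high']}")
    ratio = step_ratio(change.old, change.new)
    if ratio > lim["max_ratio"]:
        reasons.append(f"step ratio {ratio:.0f}x exceeds {lim['max_ratio']}x")
    if change.source != "console":
        reasons.append(f"remote session ({change.source})")
    return reasons


def severity(reasons: List[str]) -> Optional[str]:
    """Engineering-limit violations are critical; a remote session on its
    own is a warning to correlate with the remote-access tool's logs."""
    if not reasons:
        return None
    if any(not r.startswith("remote session") for r in reasons):
        return "critical"
    return "warning"


def monitor(text: str) -> List[Dict]:
    """Run every audit event through the checks and return the alerts."""
    alerts = []
    for change in parse_events(text):
        reasons = evaluate(change)
        if reasons:
            alerts.append({"ts": change.ts.isoformat(), "tag": change.tag,
                           "old": change.old, "new": change.new,
                           "severity": severity(reasons), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in monitor(SAMPLE_EVENTS):
        print(alert["ts"], alert["tag"], alert["severity"],
              f"{alert['old']:g} -> {alert['new']:g}",
              "; ".join(alert["reasons"]))
```

Run against the constructed trail, the routine morning trim (100 to 102 ppm on the console) passes silently, the 13:27 change alerts as critical on all three checks, the operator's reversal three minutes later also alerts on step size (which is what you want: the alert stream then records both the tampering and the correction), and the small chlorine adjustment over TeamViewer produces only a warning, because a remote change that stays inside engineering limits is a question for the access logs rather than an emergency. The ratio check is deliberately symmetric so that a dosing setpoint cut towards zero is caught as readily as one driven up.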

If Oldsmar can happen in Florida, it can happen in the UK.

The Oldsmar attack is directly relevant to UK water companies, energy providers, and all critical infrastructure operators. The same combination of factors — internet-connected SCADA systems, remote access tools, shared credentials, unsupported operating systems — exists in critical infrastructure worldwide. For UK operators, the controls are clear: isolate OT networks from the internet, enforce MFA on all remote access, eliminate shared passwords, retire unsupported systems, and deploy continuous monitoring.

Cyber Essentials mandates MFA, prohibits shared passwords, and requires unsupported software removal. Our infrastructure testing assesses OT/SCADA security. SOC in a Box monitors for anomalous remote access to critical systems. And UK Cyber Defence provides incident response for critical infrastructure incidents.


A hacker tried to poison a city's water through TeamViewer. Is your critical infrastructure protected?

<a href="/penetration-testing/infrastructure">Infrastructure testing</a> assesses SCADA/OT security. <a href="/cyber-essentials">Cyber Essentials</a> mandates MFA and bans shared passwords. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors critical systems.

Next Step

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call