One cyber-physical attack less on the record!
As we now know, the 2021 cyber incident in Oldsmar, FL was anything but a cyber attack. In reality, an employee mistakenly clicked the wrong buttons before alerting his superiors to his error, as recently disclosed by a city official. And guess what: the accidental nature of the event was known from the beginning, which did not keep law enforcement and the media from falsely handling it as a cyber attack with potentially deadly consequences:
Former Oldsmar City Manager Al Braithwaite described it as a “non-event” that was resolved in two minutes, but said law enforcement and the media seized on the idea of a cyberattack and “ran with it.” The attention resulted in a four-month FBI investigation, which Braithwaite said reached the same conclusion that employee error was to blame.
So we have one cyber-physical attack less on the record, which now leaves us just with Stuxnet, the 2015 attack against Ukraine, and the Triconex attack.
Lesson learned: Next time you see media reports on a devastating cyber attack on critical infrastructure, be a bit more sceptical before panicking. In the following collection of headlines from 2021, notice that all media organisations immediately jumped the shark by calling out the motive (mass murder) of an attacker that didn't exist:
ABC News: The Oldsmar water hack saw someone try to poison the water supply with lye
CNN: Someone tried to poison a Florida city by hacking into the water treatment system
BBC: Hacker tries to poison water supply of Florida city
Wired: A Hacker Tried to Poison a Florida City's Water Supply
New York Times: ‘Dangerous Stuff’: Hackers Tried to Poison Water Supply of Florida Town
Washington Post: hacker broke into a Florida town’s water supply and tried to poison it with lye
NPR: FBI Called In After Hacker Tries To Poison Tampa-Area City's Water With Lye
CBS: Feds tracking down hacker who tried to poison Florida town's water supply
Scientific American: an unknown cyberattacker tried to poison the water supply of Oldsmar, Fla.
Securityweek: Remote Hacker Caught Poisoning Florida City Water Supply
Newsweek: Hackers Tried to Poison California Water Supply in Major Cyber Attack
USA Today: hacker tried to poison a Florida city's water with lye
Threatpost: Hacker Tries to Poison Water Supply of Florida Town
CNBC: Lye-poisoning attack in Florida shows cybersecurity gaps in water systems
Don't hold your breath waiting for any of these publications to correct their reporting. And it's going to be quite interesting to see future OT security vendor presentations and check if they still run with this now-debunked nonsense. We can even predict the justification used by those who will: "OK, it was not a cyber attack, but it could have been." You then know that you are in Phantasyland. And in Phantasyland they pay vendors in Phantasydollars.
Leading ICS-OT-IIOT Cyber Security Expert, Consultant, Workshops Lecturer, International Keynote Speaker
I'm not satisfied with this story either! Things must be accurately explained. I'd rather ask another question referring to ISA 62443 section 2-4 >> the role of the integrator and service provider: "Why did the SCADA system not include input validation to prevent such a major change in the chemical > X100?"
Chief Strategy Officer (CSO) and EVP
Too much ambulance chasing by IT wannabes. ICS/PCN asset jockeys continue to teach us all how to safely secure complex environments. Some of the best cyber talent is in ICS. Better than most IT pros I have met over 3 decades. Imho. "Oh...flaring in Freeport Tx....must be Ransomware". Please
Electronics Technologist (Communications Technologist)
I'm shocked!
Hi, Ralph. What do you make of the early reports that TeamViewer remote access was part of the incident? What doesn't add up for me is: if the error was by a local operator at the plant, why was he using TeamViewer - a "dormant" software package that hadn't been used as SOP in over 6 months? I could chalk it up to the fog of battle - early reports are often inaccurate or missing key details. But the latest headlines concern me in that they stress absence of evidence, which we know full well is not evidence of absence. I'm on the fence without good data.