Breach of water treatment plant illustrates cyber vulnerabilities of US critical infrastructure


A water-treatment plant in Oldsmar, Fla., was breached, and the hacker briefly increased the amount of lye used to treat water to a dangerous level, according to Pinellas County Sheriff Bob Gualtieri.

According to reporting from the Wall Street Journal, a plant operator noticed that someone remotely accessed a computer system the person was monitoring that controls chemicals used to treat water. The computer system is accessible remotely, and the operator detected external access on the network that appeared potentially nefarious.



It appears the breach of the water utility’s industrial control system may have resulted from a misconfiguration of controls tools. This case highlights the vulnerabilities that exist within US critical infrastructure. These vulnerabilities stem from a number of factors, including the rapid digitization of essential services like water, including the merging of IT and operational technology (OT) that characterizes modern industrial controls systems.

The merging of OT and IT in recent years has led to a decrease in the number of air gaps—the thing that used to make critical infrastructure like utilities less vulnerable to cyber-attacks like the one conducted in Pinellas County. With the rise of IoT, industrial control systems have become more connected and thus more vulnerable to attack.

From the work of experts like Dragos, we already see an uptick in ransomware attacks on critical infrastructure seeking to exploit the vulnerabilities borne out of this trend.

The systemic risks posed by events like this should create urgency for renewed focus on things like security controls validation and objective external assessments of cyber performance for any company that is part of the country’s critical infrastructure.

We use cookies to make our website more user-friendly and effective

The Cyberhedge Indices Cookie Policy

What are the Cyberhedge Cyber Governance Indices?

These first ever benchmarks prove good cyber governance matters to shareholder value. They measure stock market performance of companies with good and with bad cyber governance scores. Scores are based on Cyberhedge’s proprietary cyber governance rating methodology. Market performance is tracked by an independent firm. The results show that companies with good cyber governance outperform their peers in US, UK, and EU markets.

Information that we collect

Here you can see and customize the information that we collect about you. To learn more, please read our privacy policy

Continue on website