As we now know, the 2021 cyber incident in Oldsmar, FL was anything but a cyber attack. In reality, an employee mistakenly clicked the wrong buttons, before alerting his superiors to his error, as recently disclosed by a city official. And guess what, the accidental nature of the event was known from the beginning, which did not keep law enforcement and the media to falsely handle it as a cyber attack with potentially deadly consequences:
Former Oldsmar City Manager Al Braithwaite described it as a “non-event” that was resolved in two minutes, but said law enforcement and the media seized on the idea of a cyberattack and “ran with it.” The attention resulted in a four-month FBI investigation, which Braithwaite said reached the same conclusion that employee error was to blame.
So we have one cyber-physical attack less on the record, which now leaves us just with Stuxnet, the 2015 attack against Ukraine, and the Triconex attack.
Lesson learned: Next time you see media reports on a devastating cyber attack on critical infrastructure, be a bit more sceptical before panicking. In the following collection of headlines from 2021, notice that all media organisations immediately jumped the shark by calling out the motive (mass murder) of an attacker that didn’t exist:
ABC News: The Oldsmar water hack saw someone try to poison the water supply with lye
CNN: Someone tried to poison a Florida city by hacking into the water treatment system
BBC: Hacker tries to poison water supply of Florida city
Wired: A Hacker Tried to Poison a Florida City’s Water Supply
New York Times: ‘Dangerous Stuff’: Hackers Tried to Poison Water Supply of Florida Town
Washington Post: hacker broke into a Florida town’s water supply and tried to poison it with lye
NPR: FBI Called In After Hacker Tries To Poison Tampa-Area City’s Water With Lye
CBS: Feds tracking down hacker who tried to poison Florida town’s water supply
Scientific American: an unknown cyberattacker tried to poison the water supply of Oldsmar, Fla.
Securityweek: Remote Hacker Caught Poisoning Florida City Water Supply
Newsweek: Hackers Tried to Poison California Water Supply in Major Cyber Attack
USA Today: hacker tried to poison a Florida city’s water with lye
Threatpost: Hacker Tries to Poison Water Supply of Florida Town
CNBC: Lye-poisoning attack in Florida shows cybersecurity gaps in water systems
Don’t hold your breath when waiting for any of these publications to correct their reporting. And it’s going to be quite interesting to see future OT security vendor presentations and check if they still run with this now debunked nonsense. We can even predict the justification used by those who will: “Ok it was not a cyber attack but it could have been.” You then know that you are in Phantasyland. And in Phantasyland they pay vendors in Phantasydollars.