As we now know, the 2021 cyber incident in Oldsmar, FL was anything but a cyber attack. In reality, an employee mistakenly clicked the wrong buttons, before alerting his superiors to his error, as recently disclosed by a city official. And guess what, the accidental nature of the event was known from the beginning, which did not keep law enforcement and the media to falsely handle it as a cyber attack with potentially deadly consequences:

Former Oldsmar City Manager Al Braithwaite described it as a “non-event” that was resolved in two minutes, but said law enforcement and the media seized on the idea of a cyberattack and “ran with it.” The attention resulted in a four-month FBI investigation, which Braithwaite said reached the same conclusion that employee error was to blame.

So we have one cyber-physical attack less on the record, which now leaves us just with Stuxnet, the 2015 attack against Ukraine, and the Triconex attack.

Lesson learned: Next time you see media reports on a devastating cyber attack on critical infrastructure, be a bit more sceptical before panicking. In the following collection of headlines from 2021, notice that all media organisations immediately jumped the shark by calling out the motive (mass murder) of an attacker that didn’t exist:

ABC NewsThe Oldsmar water hack saw someone try to poison the water supply with lye

CNNSomeone tried to poison a Florida city by hacking into the water treatment system

BBCHacker tries to poison water supply of Florida city

WiredA Hacker Tried to Poison a Florida City’s Water Supply

New York Times‘Dangerous Stuff’: Hackers Tried to Poison Water Supply of Florida Town

Washington Posthacker broke into a Florida town’s water supply and tried to poison it with lye

NPRFBI Called In After Hacker Tries To Poison Tampa-Area City’s Water With Lye

CBSFeds tracking down hacker who tried to poison Florida town’s water supply

Scientific American: an unknown cyberattacker tried to poison the water supply of Oldsmar, Fla.

SecurityweekRemote Hacker Caught Poisoning Florida City Water Supply

NewsweekHackers Tried to Poison California Water Supply in Major Cyber Attack

USA Todayhacker tried to poison a Florida city’s water with lye

ThreatpostHacker Tries to Poison Water Supply of Florida Town

CNBCLye-poisoning attack in Florida shows cybersecurity gaps in water systems

Don’t hold your breath when waiting for any of these publications to correct their reporting. And it’s going to be quite interesting to see future OT security vendor presentations and check if they still run with this now debunked nonsense. We can even predict the justification used by those who will: “Ok it was not a cyber attack but it could have been.” You then know that you are in Phantasyland. And in Phantasyland they pay vendors in Phantasydollars.