Incident Analysis

The Oldsmar Water Treatment Attack (2021): A Wake-Up Call for Utilities

On 5 February 2021, an intruder gained remote access to the control systems of the water treatment plant in Oldsmar, Florida, and briefly raised the level of sodium hydroxide, commonly known as lye, from about 100 parts per million to roughly 11,100 parts per million, a dangerous concentration. An on-duty operator saw the cursor move across the human-machine interface and reverted the change almost immediately, so no contaminated water reached the public. The incident became a stark warning about how exposed remote access can put public health at risk.

What happened

Oldsmar is a small city near Tampa, Florida. On the morning of 5 February 2021, a plant operator noticed someone briefly take remote control of his workstation, but assumed it was a supervisor using shared remote-access software. That afternoon the intruder returned, moved the mouse across the HMI screen for several minutes, and changed the sodium hydroxide dosing setpoint to a dangerous level. The operator immediately reset the value to normal. Sodium hydroxide is used in small quantities to control water acidity, but in high concentrations it is harmful. Plant safeguards and the alert operator meant the public water supply was never actually affected.

  • Date: 5 February 2021, at a water treatment plant serving Oldsmar, Florida.
  • Lye (sodium hydroxide) setpoint raised from ~100 ppm toward ~11,100 ppm.
  • An alert operator reverted the change within moments, so no harm reached the public.
  • Demonstrated a direct, remote path from the internet to a safety-critical setpoint.

How the attack worked

The intruder reached the plant through TeamViewer, a legitimate remote-access tool installed on plant computers so staff could monitor systems from elsewhere. Investigations highlighted a weak security posture: the remote-access software was reachable, the plant computers reportedly shared the same password and were running an outdated operating system, and there was no robust barrier between the remote-access entry point and the safety-critical dosing controls. In short, a tool meant for convenience became an open door straight to the human-machine interface controlling chemical dosing.

  • Entry via TeamViewer remote-access software installed for staff convenience.
  • Reported use of a shared password across plant computers.
  • Outdated operating system in use on plant machines.
  • No strong separation between remote access and safety-critical dosing controls.

The impact

No member of the public was harmed, thanks to the alert operator and chemical safeguards in the treatment process. But the near miss resonated worldwide because it showed how a poorly secured remote-access tool could let a stranger tamper with the chemistry of drinking water. It put a spotlight on the thousands of small water utilities that run lean operations with limited cybersecurity budgets, and it reinforced that safety-critical processes must never sit one weak password away from the open internet.

Lessons for operators

Oldsmar was a failure of remote-access hygiene rather than a sophisticated exploit, which makes its lessons broadly applicable to UK water and utility operators under the NIS Regulations and NCSC guidance.

  • Replace shared or ad-hoc remote-access tools with controlled, monitored gateways.
  • Enforce unique credentials and multi-factor authentication for every remote session.
  • Keep operating systems and remote-access software patched and supported.
  • Segment safety-critical control systems away from general remote access.
  • Configure alerting on unexpected setpoint changes so operators are warned automatically.
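
One way to implement the last point, alerting on unexpected setpoint changes, is a rule check over the HMI's setpoint-write audit trail. This is an added example, not code from the plant or any vendor; the tag names, log format, limits and timestamps are constructed assumptions.

```python
# Added example: flag unexpected setpoint writes in an HMI audit trail.
# Tag names, log format, limits and timestamps are constructed assumptions.

# Assumed engineering limits per tag (ppm): allowed range and largest single step.
LIMITS = {"NAOH_DOSE_SP": {"lo": 50.0, "hi": 200.0, "max_step": 25.0}}

# Constructed events: timestamp,tag,old_value,new_value,session_type
SAMPLE_LOG = """\
2021-02-05T08:00:12,NAOH_DOSE_SP,100,105,local
2021-02-05T13:30:41,NAOH_DOSE_SP,105,11100,remote
2021-02-05T13:31:02,NAOH_DOSE_SP,11100,100,local
2021-02-05T14:10:00,CL2_DOSE_SP,2.0,2.1,local
"""

def evaluate(tag, old, new, session):
    """Return the alert reasons for one setpoint write (empty list = normal)."""
    lim = LIMITS.get(tag)
    if lim is None:
        # A tag with no limits is a monitoring gap; surface it instead of skipping.
        return ["no_limits_defined"]
    reasons = []
    if not lim["lo"] <= new <= lim["hi"]:
        reasons.append("out_of_range")
    if abs(new - old) > lim["max_step"]:
        reasons.append("step_too_large")
    if session == "remote":
        reasons.append("remote_write")
    return reasons

def scan(log_text):
    """Parse audit lines and return (timestamp, tag, reasons) for each alert."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            ts, tag, old, new, session = line.strip().split(",")
            reasons = evaluate(tag, float(old), float(new), session)
        except ValueError:
            ts, tag, reasons = line[:19], "?", ["unparseable_event"]
        if reasons:
            alerts.append((ts, tag, reasons))
    return alerts

if __name__ == "__main__":
    for ts, tag, reasons in scan(SAMPLE_LOG):
        print(f"ALERT {ts} {tag}: {', '.join(reasons)}")
```

The operator's revert in the third sample event also trips the step rule, which is deliberate: any large swing on a dosing setpoint is worth a second pair of eyes, whichever direction it goes.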

How to defend against this

Oldsmar shows that the most damaging incidents can come from the simplest gaps: an exposed remote tool, a shared password, an unpatched machine. Kyanite Blue helps UK water utilities lock down remote access, segment safety-critical controls, and put continuous monitoring around the systems that matter most. Sophos managed detection and response delivers 24/7 monitoring and the rapid detection of unauthorised remote sessions, so a stranger taking control of an HMI raises an alarm rather than relying on one operator happening to watch the screen. Paired with controlled remote-access gateways, enforced MFA and disciplined patching, that closes the exact doors the Oldsmar intruder walked through.

  • Sophos MDR detects unauthorised remote sessions and abnormal activity around the clock.
  • Kyanite Blue hardens and segments remote access to safety-critical control systems.
  • Enforced MFA, unique credentials and patching remove the basic gaps Oldsmar exposed.

Frequently Asked Questions

What did the Oldsmar attacker try to do?

They briefly raised the sodium hydroxide (lye) dosing setpoint from about 100 ppm toward roughly 11,100 ppm, a dangerous level, before an operator reverted it almost immediately.

How did the attacker get into the plant?

Through TeamViewer, a legitimate remote-access tool installed on plant computers, which was reachable and reportedly protected only by a shared password on outdated systems.

Was anyone harmed?

No. An alert operator saw the change and reset the value within moments, and chemical safeguards in the treatment process provided an additional layer of protection, so no contaminated water reached the public.

What is the main lesson for water utilities?

Safety-critical controls must never be one weak password away from the internet. Controlled remote access, multi-factor authentication, patching, segmentation and continuous monitoring would all have helped prevent the intrusion.
