Water Treatment Access Authority Failure Through Unauthenticated Remote Desktop Access to Chemical Dosing Controls at Oldsmar
Context
The Oldsmar water treatment plant provided drinking water to approximately 15,000 residents. The plant used a SCADA system to monitor and control water treatment operations, including the chemical dosing processes that adjusted water chemistry. Sodium hydroxide is added to drinking water in controlled amounts to adjust pH and reduce corrosion in distribution pipes. The dosing level is a safety-critical parameter — the amount added must be within a specific range. At dramatically elevated levels, sodium hydroxide is caustic and dangerous.
The plant had installed TeamViewer — a commercial remote desktop application — on computers connected to the SCADA system. TeamViewer was used by operators and IT staff to remotely access the plant's systems for monitoring and troubleshooting. The installation was configured with a shared password used by multiple staff members. The TeamViewer connection was accessible from the internet. No multi-factor authentication was required. No firewall rules restricted which IP addresses could initiate remote connections. No network segmentation separated the remote access path from the SCADA controls that managed chemical dosing.
Trigger
On February 5, 2021, an operator at the plant observed the mouse cursor on the SCADA workstation moving independently — someone was controlling the system remotely through TeamViewer. The operator watched as the remote user navigated to the sodium hydroxide control and changed the dosing level from approximately 100 parts per million to 11,100 parts per million. The operator immediately reversed the change, restoring the sodium hydroxide to its normal level. The total time the elevated setting was in place was brief, and the water treatment process included downstream monitoring that would have detected the change before affected water reached the distribution system.
The incident prompted an immediate investigation by the Pinellas County Sheriff's Office, the FBI, and the U.S. Secret Service. The investigation revealed the access control deficiencies: shared passwords, internet-facing TeamViewer with no MFA, no network segmentation, and no access logging sufficient to identify the specific individual who initiated the remote connection. The plant had previously used the remote access configuration without incident. The attacker's identity was not definitively established through public reporting.
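A control the incident points at but the report does not show, added here as an example rather than anything from the plant: a setpoint guard that sits between the HMI write and the dosing controller and enforces the engineered range, a per-write step limit, and a net-change limit over a time window, so a single write of 11,100 ppm is refused at the controller before any operator or downstream monitor has to catch it. The limits, window and the 100 to 11,100 ppm request are constructed from the figures in the text; a real plant's values come from its process engineers.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class DoseLimits:
    low_ppm: float         # lowest setpoint the process design allows
    high_ppm: float        # highest setpoint the process design allows (hard backstop)
    max_step_ppm: float    # largest change accepted in one write
    max_drift_ppm: float   # largest net change accepted within drift_window_s
    drift_window_s: int    # window for the net-change check

# Constructed limits for illustration; a real plant's values are an engineering decision.
NAOH = DoseLimits(low_ppm=50.0, high_ppm=200.0, max_step_ppm=25.0,
                  max_drift_ppm=50.0, drift_window_s=3600)

@dataclass
class SetpointGuard:
    """Sits between the HMI write and the controller. A rejected write leaves the
    last good setpoint in force; the caller raises an alarm carrying the reasons."""
    limits: DoseLimits
    current_ppm: float
    history: list = field(default_factory=list)  # (time_s, old_ppm, new_ppm) of accepted writes

    def request(self, now_s: float, requested_ppm: float) -> tuple[bool, list[str]]:
        lim, reasons = self.limits, []
        if not lim.low_ppm <= requested_ppm <= lim.high_ppm:
            reasons.append(f"outside engineered range {lim.low_ppm}-{lim.high_ppm} ppm")
        if abs(requested_ppm - self.current_ppm) > lim.max_step_ppm:
            reasons.append(f"single step larger than {lim.max_step_ppm} ppm")
        # Many small steps must not add up to a large change: compare against the
        # setpoint that was in force at the start of the window.
        recent = [h for h in self.history if now_s - h[0] <= lim.drift_window_s]
        baseline = recent[0][1] if recent else self.current_ppm
        if abs(requested_ppm - baseline) > lim.max_drift_ppm:
            reasons.append(f"net change over {lim.drift_window_s} s larger than {lim.max_drift_ppm} ppm")
        if reasons:
            return False, reasons
        self.history = recent + [(now_s, self.current_ppm, requested_ppm)]
        self.current_ppm = requested_ppm
        return True, []

if __name__ == "__main__":
    guard = SetpointGuard(NAOH, current_ppm=100.0)
    print(guard.request(0, 11100.0))   # the Oldsmar-sized jump: refused on all three checks
    print(guard.request(0, 120.0))     # routine adjustment: accepted
```

The absolute range is the hard backstop; the step and drift limits only slow a creeping change and exist to raise alarms early, not to replace access control on the path to the HMI.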
Failure Condition
The chemical dosing controls for a public water supply were accessible through a remote desktop connection to the internet, protected by a single shared password with no additional authentication. The access path from the internet to the chemical controls had no intermediate barrier — no MFA, no VPN, no firewall restriction, no network segmentation between the remote access application and the SCADA system. Anyone who obtained the shared password could connect from anywhere on the internet and manipulate the chemical dosing controls with the same access level as an authorized plant operator.
The absence was not of technology — multi-factor authentication, VPNs, firewall rules, and network segmentation are standard and widely available. The absence was of any of these controls being applied to the access path between the internet and the systems controlling what chemicals enter the public water supply. The system that determined how much sodium hydroxide went into the drinking water was reachable from the open internet through a consumer remote desktop application with a shared password. The access controls that would have restricted that path — individualized credentials, MFA, network segmentation, access logging — were not absent from the market. They were absent from this facility. The controls that manage public drinking water chemistry were protected by the same level of authentication as a personal computer.
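The investigation found no logging sufficient to identify who connected through the shared account. As an added example (not from the report and not TeamViewer's own tooling), the block below runs a detection pass over the incoming-connection log TeamViewer keeps on the host, flagging sessions from remote IDs that a maintained allowlist does not explain and counting how many distinct remote endpoints used the one shared local account. It assumes the tab-separated layout of Connections_incoming.txt as the author understands it (remote ID, display name, start, end, local user, connection type, connection id, with dd-mm-yyyy timestamps; verify against your version), and the log lines, IDs and allowlist are constructed.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed log lines in the Connections_incoming.txt layout assumed above:
# remote ID, display name, start, end, local user, connection type, connection id.
SAMPLE_LOG = """\
700100200\tops-laptop-1\t04-02-2021 08:10:03\t04-02-2021 08:22:41\tOperator\tRemoteControl\t{c0000001}
700100201\tit-support-2\t04-02-2021 15:02:19\t04-02-2021 15:30:55\tOperator\tRemoteControl\t{c0000002}
912345678\tDESKTOP-8KJ2Q\t05-02-2021 09:14:47\t05-02-2021 09:19:12\tOperator\tRemoteControl\t{c0000003}
912345678\tDESKTOP-8KJ2Q\t05-02-2021 14:02:05\t05-02-2021 14:07:18\tOperator\tRemoteControl\t{c0000004}
"""
APPROVED_REMOTE_IDS = {"700100200": "ops-laptop-1", "700100201": "it-support-2"}  # constructed allowlist

@dataclass(frozen=True)
class Session:
    remote_id: str
    display_name: str
    start: datetime
    end: datetime
    local_user: str

def parse_sessions(text: str) -> list[Session]:
    """One session per log line; truncated lines are skipped, not guessed at."""
    fmt = "%d-%m-%Y %H:%M:%S"
    sessions = []
    for line in text.splitlines():
        f = line.split("\t")
        if len(f) >= 7:
            sessions.append(Session(f[0], f[1], datetime.strptime(f[2], fmt),
                                    datetime.strptime(f[3], fmt), f[4]))
    return sessions

def unapproved_sessions(sessions, approved=APPROVED_REMOTE_IDS):
    """Incoming sessions whose remote TeamViewer ID is not on the maintained allowlist."""
    return [s for s in sessions if s.remote_id not in approved]

def remote_ids_per_local_user(sessions):
    """Distinct remote endpoints per local account. With one shared password every
    session lands on the same local user, so the remote ID is the only identity left."""
    seen = {}
    for s in sessions:
        seen.setdefault(s.local_user, set()).add(s.remote_id)
    return {user: len(ids) for user, ids in seen.items()}

if __name__ == "__main__":
    found = parse_sessions(SAMPLE_LOG)
    for s in unapproved_sessions(found):
        print(f"ALERT unapproved remote {s.remote_id} ({s.display_name}) {s.start} to {s.end}")
    print(remote_ids_per_local_user(found))
```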
Observed Response
The plant immediately disabled remote access and strengthened its access controls. CISA issued an advisory to water and wastewater utilities on securing remote access to operational technology systems. The incident became a primary reference case for critical infrastructure cybersecurity, illustrating that many small and mid-sized water utilities lacked basic access controls on systems with direct public safety consequences. Subsequent surveys found that remote access tools with minimal authentication were common across the U.S. water sector, particularly at smaller utilities with limited IT staff and budgets. Congress held hearings on water infrastructure cybersecurity. EPA guidance on cybersecurity for water systems was strengthened, though mandatory standards for water utility cybersecurity remained limited.
Analytical Findings
- Chemical dosing controls for a public drinking water supply were accessible from the internet through a remote desktop application with a shared password and no multi-factor authentication
- An attacker remotely increased the sodium hydroxide setpoint more than 100-fold, from 100 ppm to 11,100 ppm, before an operator who observed the unauthorized cursor movement reversed the change
- No network segmentation separated the remote access path from the SCADA system controlling chemical dosing; no firewall restricted which connections could reach the controls
- Shared credentials meant no access logging could identify which individual initiated the connection — the same password was used by all operators
- The access controls absent from this facility — MFA, VPN, firewall rules, individualized credentials — are standard and widely available; their absence was a deployment failure, not a technology gap
- Subsequent surveys found similar configurations at water utilities across the U.S.; mandatory cybersecurity standards for water systems remained limited