OLDSMAR, Fla. (WFLA) – On February 5, 2021, at approximately 1:30 p.m., cybercriminals tried to poison the water supply for nearly 15,000 people in Oldsmar.
The Colonial Pipeline wasn’t so lucky.
As gas stations along the eastern seaboard ran dry, computer hackers forced the company to pay millions in ransom.
A security expert tells 8 On Your Side, the City of Oldsmar dodged a bullet during a recent cybersecurity attack. In the first three to five minutes of the Oldsmar hack, the unknown perpetrator spiked the levels of lye, the main ingredient in drain cleaner.
Fortunately, a plant worker noticed someone had taken over his computer so the poisonous water never got close to families.
The breach was alarming.
“It is frightening that they can go in and change things,” said Jo Boles, who works in the city.
Oldsmar officials told residents they were protected. Mayor Eric Seidel says this was a success story.
“The protocols that we have in place…they worked, that’s the good news,” said Oldsmar Mayor Eric Seidel.
Mark Montgomery is a Senior Advisor at the U.S. Cyberspace Solarium Commission.
The commission was set up by Congress to study cybersecurity threats. He says Oldsmar was lax.
“This was not a success story. This was a disaster averted,” said Montgomery. “It was not practicing the kind of hygiene that’s necessary to keep out even a basic criminal.”
According to Montgomery, the first step in protecting our power, water, gas and economy is to identify what hackers already know.
Our water distribution systems, energy distribution systems, gas and fuel pipelines, waterways, ports and terminals, and the entire healthcare industry makeup critical infrastructure most at risk:
“How close are we to disaster?” asked 8 On Your Side Investigator Mahsa Saeidi.
“We’re in an increasingly vulnerable, dangerous period,” said Montgomery.
Roughly 85% of our critical infrastructure is owned by the private sector.
This means that small businesses, counties and municipalities must protect their own systems. Montgomery also points out much of our infrastructure is connected. Florida, he says, sinks or swims with the rest of the country.
“Florida holds a lot of national critical infrastructure,” said Montgomery. “It’s fully integrated with the rest of the southeast critical infrastructure.”
“What can we do to not just stop them but to get them?” asked Saeidi.
It’s unlikely law enforcement alone can solve this problem. The answer is building better defense.
It’s not rocket science, but Montgomery says it likely would have prevented the breach in Oldsmar. As a country, he says, we’re not doing enough and that could have disastrous consequences.
“I’m very concerned about the economic security of the United States,” said Montgomery.
According to Montgomery, there are a dozen steps an organization can take to stop 99.5% of attacks.
Montgomery says government needs to help the private sector better defend its critical infrastructure.
“That kind of compact, between the private sector and the public sector, that’s the collaboration we need and the only way you can get that is with legislation,” he said.
In 2020, 25 legislative proposals put forward by the Cyberspace Solarium Commission were passed into law.
“Our personal security, our economic security and our national security are increasingly vulnerable to a threat that we’ve chosen to either ignore or make a fainthearted effort at protecting ourselves.”
Here’s the document Montgomery is sharing to instruct and guide businesses, cities and counties: