
C0009 Oldsmar Treatment Plant Intrusion

Oldsmar Treatment Plant Intrusion was a cyber incident involving a water treatment facility in Florida. During this incident, unidentified threat actors leveraged features of the system to access and modify setpoints for a specific chemical required in the treatment process. The incident was detected immediately and prevented before it could cause any harm to the public.[2][1][3]

| Item | Value |
|---|---|
| ID | C0009 |
| Associated Names | |
| First Seen | February 2021 |
| Last Seen | February 2021 |
| Version | 1.0 |
| Created | 20 September 2022 |
| Last Modified | 21 October 2022 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| ics | T0823 | Graphical User Interface | During the Oldsmar Treatment Plant Intrusion, the threat actors used the operator HMI through the graphical user interface. This led to immediate detection, as the operator was able to see the adversary making changes on their screen.[2] |
| ics | T0831 | Manipulation of Control | During the Oldsmar Treatment Plant Intrusion, the threat actors used an operator HMI to manipulate process control setpoint values far beyond normal operating levels.[2] |
| ics | T0836 | Modify Parameter | During the Oldsmar Treatment Plant Intrusion, the threat actors raised the sodium hydroxide setpoint value from 100 parts per million (ppm) to 11,100 ppm, far beyond normal operating levels.[2] |
| ics | T0886 | Remote Services | During the Oldsmar Treatment Plant Intrusion, the threat actors gained access to the system through remote access software, allowing for the use of the standard operator HMI.[2] |

References