It’s been more than two years since Oldsmar, the small city on the Pinellas-Hillsborough county line, became the center of an international news story after authorities said someone remotely accessed a computer in the city’s water treatment plant and tried to contaminate the water supply.
An employee noticed the change and quickly righted it; nobody was hurt. But authorities emphasized just how big a bullet Oldsmar had dodged. Pinellas County Sheriff Bob Gualtieri quickly and definitively described the incident as a cyberattack. The FBI and U.S. Secret Service joined the investigation. Experts described it as possibly the most successful cyberattack on critical infrastructure in the U.S. to date.
A new era of terrorism — targeting America’s vulnerable critical infrastructure — was arriving, the story went, and Tampa Bay was playing host to a preview.
Except, one former city official now says, there was never any attack.
Al Braithwaite, who was Oldsmar’s city manager at the time of the February 2021 incident, made that claim at an industry conference last month. On April 11, after the Tampa Bay Times asked about Braithwaite’s comments, the FBI said it did not find evidence of a cyberattack.
Braithwaite’s statements came during a cybersecurity panel last month at the American Society for Public Administration’s annual conference. He described the so-called cyberattack as a “nonevent” likely caused by an error by “the same employee that was purported to be a hero for catching it.”
After a four-month investigation, he said, “the FBI conclusion was, it didn’t happen.”
Braithwaite’s statements constituted the most substantial public update on the case in more than two years. He did not respond to requests for comment by phone Monday and Tuesday.
The Times has periodically sought updates on the case. Twice in the past year, and as recently as last month, the Pinellas County Sheriff’s Office said it couldn’t release records or information about the case because it was “still open and active.” It reiterated that position on Tuesday.
“The investigation is still open, and we have no comment,” Dave Brenn, a spokesperson for the agency, said.
In October, a spokesperson for the FBI’s Tampa office said that, as a matter of agency policy, she could not “confirm the existence or status of any investigative work.”
But on April 11, after the Times posed questions about Braithwaite’s statements, the FBI Tampa office issued a brief statement.
“Through the course of the investigation the FBI was not able to confirm that this incident was initiated by a targeted cyber intrusion of Oldsmar,” spokesperson Andrea Aprea wrote in an email. “We have no further comment beyond this statement.”
Aprea did not address questions about when the FBI concluded its investigation, whether it shared results with city officials and why it did not publicly disclose its findings.
Oldsmar’s current city manager, Felicia Donnelly, said in an email April 11 that the city would not engage in “any conversations regarding that infrastructure” and referred questions to the law enforcement agencies.
Almost nothing has emerged about the case since the same month the incident occurred, when the FBI and other federal agencies issued an advisory suggesting that a remote-access system, poor password security or outdated Windows software had allowed a culprit to increase the concentration of lye in the water supply more than 100 times over.
Even if the change hadn’t been quickly reversed, water-quality experts said at the time, the poisoning wouldn’t have been enough to kill any of the 15,000 customers of Oldsmar’s water. But it illustrated the limited and outdated security of much of America’s critical infrastructure, and cybersecurity experts said the city was lucky the attacker wasn’t more sophisticated.
The story took on a life of its own, though, beginning with local law enforcement, Braithwaite said in his panel. He described how the employee who caught the change in lye concentration reported the incident to the sheriff’s office. When detectives learned about the plant’s computer system — five computers with virtual private network access to accommodate a consultant — they assumed someone had used that network access to remotely attack the plant, he said.
Three days later, on the day after Super Bowl Sunday, Braithwaite stood feet away from Gualtieri as he announced there had been a cyberattack.
“Local law enforcement, the state authorities and every news outlet in the world all the way to India ran with it to say, ‘Look at these yahoos that don’t know what they’re doing,’” Braithwaite said during the panel.
He said FBI officials told him its prevailing theory was that the employee, “banging on his keyboard,” accidentally caused the increased lye concentration. The employee probably hadn’t realized what he’d done, Braithwaite said, and he did his job by reporting the incident to law enforcement; he wasn’t fired.
Nor did Braithwaite blame Gualtieri, who he said was trying to raise awareness about the threat to critical infrastructure. In the aftermath, experts noted that attacks on such assets — including electrical grids, dams and nuclear facilities — could be catastrophic, and that many on American soil have been slow to modernize their security.
“I had city managers in my area thanking me for months afterward,” Braithwaite said, “because any budget question about additional funding for cybersecurity all of a sudden became an absolute yes.”