An aerial view of a wastewater treatment plant in California. An attempt to poison the Oldsmar, Florida water supply by hijacking a remote access system demonstrates the critical threat tied to failure to properly secure operational technology. (Photo by Justin Sullivan/Getty Images)

In the aftermath of the compromise and attempted sabotage of the Bruce T. Haddock Water Treatment Plant in Oldsmar, Florida earlier this year, threat analysts at ICS security company Dragos conducted an investigation into the incident – and for a brief moment, it appeared as if they had discovered a bombshell.

Dragos discovered a watering-hole attack that had compromised a website – operated by a Florida-based water utility contractor – that had been infecting visitors with malicious code. Moreover, a user at the Oldsmar plant had actually visited the site on the very day of the attack. The discovery set off alarm bells, yet Dragos, as it explained in a company blog post, ultimately determined that its discovery was unrelated to the Oldsmar incident, in which an actor exploited TeamViewer to hijack plant controls and then tried to increase the amount of lye in the water to dangerous levels.