Cybersecurity for Water and Wastewater Systems

Last week, a hacker targeted a chemical pump at a water treatment facility in Florida. An operator noticed the attack and was able to prevent any harm from happening. (Read more from CNN and NY Times and see EPA report below). And last fall, a ransomware attack at the University of Vermont Medical Center interrupted operations for months. (Read more from VT Digger).

These events show that even at water and wastewater systems, even in Vermont, it is important to be alert and take precautions to protect your digital infrastructure, from email to bill payment to SCADA. (Read more from the St. Albans Messenger.)

Learn about Cybersecurity

Vermont Rural Water will be holding a training session on cybersecurity at our Annual Conference in May.

There are many good resources available about cybersecurity for water and wastewater systems:

February 11 Joint Cybersecurity Advisory from FBI, CISA, and EPA

Water Sector Cybersecurity Brief from EPA

EPA Incident Action Checklist for Cybersecurity

15 Cybersecurity Fundamentals from WaterISAC

In addition, EPA and the Horsley Witten Group are offering free cybersecurity assessments for water and wastewater systems. They can also help you develop a cyber action plan. Find more information about this program here.

Cybersecurity Alert from EPA

Background 

On 5 February 2021, unidentified cyber actors obtained unauthorized access, on two separate occasions, approximately five hours apart, to the supervisory control and data acquisition (SCADA) system used at a local municipality’s water treatment plant. The unidentified actors accessed the SCADA system’s software and altered the amount of sodium hydroxide, a caustic chemical, used as part of the water treatment process. Water treatment plant personnel immediately noticed the change in dosing amounts and corrected the issue before the SCADA system’s software detected the manipulation and alarmed due to the unauthorized change. As a result, the water treatment process remained unaffected and continued to operate as normal.

The unidentified actors accessed the water treatment plant’s SCADA controls via remote access software, TeamViewer, which was installed on one of several computers the water treatment plant personnel used to conduct system status checks and to respond to alarms or any other issues that arose during the water treatment process. All computers used by water plant personnel were connected to the SCADA system and used the 32-bit version of the Windows 7 operating system. Further, all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed.

Recommended Mitigation 

  • Restrict all remote connections to SCADA systems, specifically those that allow physical control and manipulation of devices within the SCADA network. One-way unidirectional monitoring devices are recommended to monitor SCADA systems remotely.
  • Install a firewall software/hardware appliance with logging and ensure it is turned on. The firewall should be secluded and not permitted to communicate with unauthorized sources.
  • Keep computers, devices, and applications, including SCADA/industrial control systems (ICS) software, patched and up-to-date.
  • Use two-factor authentication with strong passwords.
  • Only use secure networks and consider installing a virtual private network (VPN).
  • Implement an update and patch management cycle. Patch all systems for critical vulnerabilities, prioritizing timely patching of Internet-connected systems for known vulnerabilities and software processing Internet data, such as Web browsers, browser plugins, and document readers.
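
The firewall-logging and remote-connection recommendations above can be checked from the log itself. The following is an added example, not part of the EPA alert or Vermont Rural Water's material: it parses Windows Firewall log text (pfirewall.log format) and reports allowed connections between a workstation and any address outside the plant network, naming the remote access tool by port. The log lines, the 10.20.0.0/24 plant network and the addresses are constructed assumptions, and the RDP and VNC ports go beyond the TeamViewer case in the alert.

```python
import ipaddress

# Assumption: hypothetical plant LAN; anything outside it counts as external.
PLANT_NET = ipaddress.ip_network("10.20.0.0/24")
# Default ports of common remote access tools (TeamViewer is the one in the alert).
REMOTE_ACCESS_PORTS = {5938: "TeamViewer", 3389: "RDP", 5900: "VNC"}

# Constructed sample in pfirewall.log format (not real traffic).
# 10.20.0.15 is a hypothetical SCADA workstation; peers use documentation ranges.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2021-03-01 08:01:12 ALLOW TCP 10.20.0.15 10.20.0.2 49301 502 0 - 0 0 0 - - - SEND
2021-03-01 08:02:40 ALLOW TCP 10.20.0.15 203.0.113.50 49322 5938 0 - 0 0 0 - - - SEND
2021-03-01 13:30:05 ALLOW TCP 198.51.100.7 10.20.0.15 51515 3389 0 - 0 0 0 - - - RECEIVE
2021-03-01 13:31:00 DROP TCP 198.51.100.9 10.20.0.15 40000 445 0 - 0 0 0 - - - RECEIVE
"""

def parse(log_text):
    """Yield one dict per log record, keyed by the names on the #Fields line."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def external_connections(log_text):
    """Return allowed connections whose remote peer is outside PLANT_NET."""
    found = []
    for rec in parse(log_text):
        if rec["action"] != "ALLOW":
            continue  # dropped traffic was already blocked by the firewall
        # The remote peer is the destination when sending, the source when receiving.
        peer_field = "dst-ip" if rec["path"] == "SEND" else "src-ip"
        peer = ipaddress.ip_address(rec[peer_field])
        if peer in PLANT_NET:
            continue
        port = int(rec["dst-port"])
        tool = REMOTE_ACCESS_PORTS.get(port, "other")
        found.append((rec["time"], rec["path"], str(peer), port, tool))
    return found

if __name__ == "__main__":
    for finding in external_connections(SAMPLE_LOG):
        print(finding)
```

Any line this reports on a SCADA-connected computer is a connection that the first mitigation says should be restricted or replaced with one-way monitoring.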

Last updated 2/22/21