DEC Cybersecurity Alert to Wastewater Treatment Plant Operators & POTWs

New York State Department of Environmental Conservation
DEC Delivers - Information to keep you connected and informed from the NYS Department of Environmental Conservation

NYSDEC Division of Water appreciates your attention to the recent cybersecurity incident in Florida at a water supply utility. On 5 February 2021, unidentified cyber actors obtained unauthorized access, on two separate occasions approximately five hours apart, to the supervisory control and data acquisition (SCADA) system used at a local municipality’s water treatment plant. The unidentified actors accessed the SCADA system’s software and altered the amount of sodium hydroxide, a caustic chemical, used as part of the water treatment process. Water treatment plant personnel immediately noticed the change in dosing amounts and corrected the issue before the SCADA system’s software detected the manipulation and alarmed due to the unauthorized change. As a result, the water treatment process remained unaffected and continued to operate as normal.

In addition to the general information on tools and contacts, here is a more specific description of the events and suggested protective measures. Please share this with the water and wastewater sector.

EPA Water Sector Recommended Mitigation

  • Restrict all remote connections to SCADA systems, specifically those that allow physical control and manipulation of devices within the SCADA network. One-way unidirectional monitoring devices are recommended to monitor SCADA systems remotely.
  • Install a firewall software/hardware appliance with logging and ensure it is turned on. The firewall should be secluded and not permitted to communicate with unauthorized sources.
  • Keep computers, devices, and applications, including SCADA/industrial control systems (ICS) software, patched and up-to-date.
  • Use two-factor authentication with strong passwords.
  • Only use secure networks and consider installing a virtual private network (VPN).
  • Implement an update and patch management cycle. Patch all systems for critical vulnerabilities, prioritizing timely patching of Internet-connected systems for known

Additional Resources

USEPA (Cybersecurity Best Practices for Water Sector)

https://www.epa.gov/waterriskassessment/epa-cybersecurity-best-practices-water-sector

The Cybersecurity and Infrastructure Security Agency (CISA)

https://us-cert.cisa.gov/resources

American Water Works Association (AWWA Resources on Cybersecurity)

https://www.awwa.org/Resources-Tools/Resource-Topics/Risk-Resilience/Cybersecurity-Guidance

Department of Homeland Security (Cybersecurity)

https://www.dhs.gov/topic/cybersecurity

Center for Internet Security

https://www.cisecurity.org/

New York State Chief Information Security Office

https://its.ny.gov/ciso

Basil Seggos, Commissioner
