NYSDEC Division of Water appreciates your attention to the recent cybersecurity incident in Florida at a water supply utility. On 5 February 2021, unidentified cyber actors obtained unauthorized access, on two separate occasions, approximately five hours apart, to the supervisory control and data acquisition (SCADA) system used at a local municipality’s water treatment plant. The unidentified actors accessed the SCADA system’s software and altered the amount of sodium hydroxide, a caustic chemical, used as part of the water treatment process. Water treatment plant personnel immediately noticed the change in dosing amounts and corrected the issue before the SCADA system’s software detected the manipulation and alarmed due to the unauthorized change. As a result, the water treatment process remained unaffected and continued to operate as normal. In addition to the general information on tools and contacts, here is a more specific description of the events and suggested protective measures. Please share this with the water and wastewater sector.
EPA Water Sector Recommended Mitigation
- Restrict all remote connections to SCADA systems, specifically those that allow physical control and manipulation of devices within the SCADA network. One-way unidirectional monitoring devices are recommended to monitor SCADA systems remotely.
- Install a firewall software/hardware appliance with logging and ensure it is turned on. The firewall should be secluded and not permitted to communicate with unauthorized sources.
- Keep computers, devices, and applications, including SCADA/industrial control systems (ICS) software, patched and up-to-date.
- Use two-factor authentication with strong passwords.
- Only use secure networks and consider installing a virtual private network (VPN).
- Implement an update and patch management cycle. Patch all systems for critical vulnerabilities, prioritizing timely patching of Internet-connected systems for known
USEPA (Cybersecurity Best Practices for Water Sector)
The Cybersecurity and Infrastructure Security Agency (CISA)
American Water Works Association (AWWA Resources on Cybersecurity)
Department of Homeland Security (Cybersecurity)
Center for Internet Security
New York State Chief Information Security Office