Water & Wastewater Cyberattacks: A Case Study

Background 

On Feb. 5, 2021, unidentified cyber actors obtained unauthorized access, on two separate occasions, approximately five hours apart, to the supervisory control and data acquisition (SCADA) system used at a municipal water treatment plant in Florida. The unidentified actors accessed the SCADA system’s software and raised the amount of sodium hydroxide, a caustic chemical, being used as part of the water treatment process. Plant personnel immediately noticed the change in dosing amounts and corrected the issue before the SCADA system’s software detected the manipulation and alarmed. As a result, the water treatment process remained unaffected and continued to operate as normal. 

This incident was possible because cyber-security weaknesses, including poor password security and an outdated operating system, were exploited.

It appears the cyber criminals accessed the water treatment plant’s SCADA controls via a remote access software, TeamViewer. This software was installed on one of several computers that plant personnel used to conduct system status checks and to respond to issues. All computers used by plant personnel were connected to the SCADA system and used the 32-bit version of Windows 7, an operating system that is no longer supported by Microsoft. Further, all computers shared the same password for remote access, and appeared to be connected directly to the Internet with no firewall protection. 

This background information was provided by a Joint Cyber Security Advisory that was co-authored by the FBI, CISA, EPA, and Multi-State ISAC. The full advisory can be viewed here. 

 What are the key takeaways?

1.      Never use an outdated, unsupported operating system.

2.      Never share passwords between users.

3.      Always install firewall protection for any systems connected to or operating over the Internet.

4.      Engage an IT professional to make sure your organization does not fall victim to this type of cyberattack.

What can I do as a city manager or elected official?

Your organization MUST have a comprehensive cyber risk management program. As the chief executive or elected official, your role is to ask what measures are in place to prevent these types of events, and to ensure that your organization understands who is responsible for leading your cyber security program.

For more information, please reach out to your regional Property Conservation Consultant