Good Morning Water System Owners and Operators,

“Officials in Florida announced that late last week an unknown malicious actor infiltrated a water treatment plant in the city of Oldsmar and made changes to chemical levels in the treatment process. Fortunately this activity was quickly observed by a plant operator and reversed. Officials indicated that the public was never in danger due to the operator's quick action as well as to other measures that would have prevented the release of the water into the distribution system. Speaking about the incident during a press conference earlier today, the Pinellas County Sheriff noted that a plant operator observed two intrusions last Friday that were hours apart. In the second intrusion, which lasted about five minutes, the operator saw the mouse moving around as the hacker accessed various functions. One of these functions controls the amount of sodium hydroxide in the water, which the malicious actor changed from about 100 parts per million to 11,100 parts per million. The operator observed this change and immediately reversed it. Law enforcement authorities are still investigating the incident. They indicated they currently do not know whether the compromise originated from the U.S. or abroad.”

As always water utilities should remain vigilant and practice their cybersecurity protective measures.  Here is some helpful information and suggested recommended mitigation measures:

EPA Water Sector Cybersecurity website  http://www.epa.gov/waterriskassessment/epa-cybersecurity-best-practices-water-sector

NHDES DWGB Cyber bulletin https://www.des.nh.gov/sites/g/files/ehbemt341/files/documents/dwgb-bulletin-cybersecurity.pdf

Water sector/tips and checklists regarding cybersecurity:

• EPA Incident Action Checklist for Cybersecurity: https://www.epa.gov/sites/production/files/2017-11/documents/171013-incidentactionchecklist-cybersecurity_form_508c.pdf
• EPA Water Sector Cybersecurity Sector Brief for States: https://www.epa.gov/sites/production/files/2018-06/documents/cybersecurity_guide_for_states_final_0.pdf
• CISA Industrial Control Systems Advisories and Reports: https://us-cert.cisa.gov/ics
• Water-ISAC’s 15 Cybersecurity Fundamentals: https://www.waterisac.org/system/files/articles/15%20Cybersecurity%20Fundamentals%20%28WaterISAC%29.pdf
• CISA & NSA Alert on Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems (7/23/2020): https://us-cert.cisa.gov/ncas/alerts/aa20-205a 

WaterISAC strongly recommends review and implementation of the mitigation measures below to protect from similar activity:

• Identify internet accessible OT devices on your network through an internet search (such as Shodan, Censys, Google, etc.) before the bad guys do
• Implement network segmentation
• If remote access is absolutely necessary, use a securely configured VPN
• Filter traffic with methods such as whitelisting or geo-blocking to prevent access from unauthorized persons or places
• Encrypt traffic
• Use non-trivial authentication methods
• Enforce strong passwords
• Configure access for user accounts with the absolute least privilege to accomplish the task
• Report incidents and suspicious activities, first to local and other law enforcement authorities and then to WaterISAC by emailing analyst@waterisac.org, calling 866-H20-ISAC, or using the online incident reporting form.

Thanks for maintaining a water system that is resilient and secure.

Stephanie Nistico
NH Department of Environmental Services
Drinking Water & Groundwater Bureau
29 Hazen Drive, PO Box 95
Concord, NH 03302-0095
(603) 271-0867

stephanie.nistico@des.nh.gov