US water companies given cybersecurity advice after attempt to poison city’s supply

2021-02-17T07:52:00+00:00

No comments

Water companies across the US are being urged to be on heightened alert and monitor their computer systems for any unusual activity.

The advice from the Massachusetts department of environmental protection, echoed by a similar advisory from several agencies including the Federal Bureau of Investigation (FBI), comes days after a hacker tried to add a dangerous amount of a toxic sodium hydroxide to Oldsmar’s water system in Florida.

In that incident, the water plant’s operator changed the chemical concentration back to normal as soon as the attacker left the computer system.

A note from the FBI, DHS, US Secret Service, and the Pinellas County Sheriff’s Office said: “The unidentified actors accessed the water treatment plant’s supervisory control and data acquisition (SCADA) controls via remote access software, TeamViewer, which was installed on one of several computers the water treatment plant personnel used to conduct system status checks and to respond to alarms or any other issues that arose during the water treatment process.

“All computers used by water plant personnel were connected to the SCADA system and used the 32-bit version of the Windows 7 operating system. “Further, all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed.”

The Massachusetts department recommends the following:

All remote connections to supervisory control and data acquisition (Scada) systems are restricted to allow physical control and manipulation of devices within the network.
One-way monitoring devices should be used to check Scada systems remotely.
Using two-factor authentication with strong passwords.
A firewall should be installed with login control and kept turned on. It should also be secluded and not permitted to communicate with unauthorised sources.
All computers, devices and applications, including Scada and industrial control systems software, should be patched and kept up-to-date and a cycle implemented for those tasks.
Only using secure networks and consider installing a virtual private network (VPN).

Topics

No comments

News
Chicago Gears Up for GRC Connect: Sharpen Skills, Network, and Navigate the Future of GRC

2024-04-15T11:39:00Z By Jonathan Sumner, Chief Digital & Marketing Officer, GRC World Forums.

Get ready, Chicago! GRC Connect kicks off tomorrow, bringing together the brightest minds in governance, risk management, and compliance (GRC) for two days of insightful learning, valuable networking opportunities, and expert guidance on navigating the ever-evolving GRC landscape.
Article
New bill proposes US federal data privacy framework

2024-04-12T12:58:00Z

Senate Commerce Committee Chair Maria Cantwell and House Energy and Commerce Committee Chair Cathy McMorris Rodgers have unveiled the American Privacy Rights Act.
Article
US citizens want stronger AI laws

2024-04-12T09:32:00Z

Concerns over personal privacy are intensifying among US citizens in the face of rapid AI tech development, a new study shows.