Water companies across the US are being urged to be on heightened alert and monitor their computer systems for any unusual activity.

The advice from the Massachusetts department of environmental protection, echoed by a similar advisory from several agencies including the Federal Bureau of Investigation (FBI), comes days after a hacker tried to add a dangerous amount of a toxic sodium hydroxide to Oldsmar’s water system in Florida.

In that incident, the water plant’s operator changed the chemical concentration back to normal as soon as the attacker left the computer system.

A note from the FBI, DHS, US Secret Service, and the Pinellas County Sheriff’s Office said: “The unidentified actors accessed the water treatment plant’s supervisory control and data acquisition (SCADA) controls via remote access software, TeamViewer, which was installed on one of several computers the water treatment plant personnel used to conduct system status checks and to respond to alarms or any other issues that arose during the water treatment process.

“All computers used by water plant personnel were connected to the SCADA system and used the 32-bit version of the Windows 7 operating system. “Further, all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed.”

The Massachusetts department recommends the following: 

  • All remote connections to supervisory control and data acquisition (Scada) systems are restricted to allow physical control and manipulation of devices within the network.
  • One-way monitoring devices should be used to check Scada systems remotely.
  • Using two-factor authentication with strong passwords.
  • A firewall should be installed with login control and kept turned on. It should also be secluded and not permitted to communicate with unauthorised sources.
  • All computers, devices and applications, including Scada and industrial control systems software, should be patched and kept up-to-date and a cycle implemented for those tasks.
  • Only using secure networks and consider installing a virtual private network (VPN).