On February 8, the world learned about a digital attack at the water treatment plant serving the 15,000-person City of Oldsmar, Florida.

An operator at the water treatment plant observed someone remotely take control of his mouse and use it to change the setting of sodium hydroxide within the water from 100 parts per million (ppm) to 11,100 ppm.

This change could have endangered public health if the operator had not immediately undone the attacker’s work and if the water treatment plant didn’t already have safety measures in place.

Those who perpetrated the attack did so after compromising the water treatment plant’s TeamViewer software, according to local media reports.

Security Best Practices for Water Utilities

Attacks such as the one at Oldsmar highlight the need for water facilities to continue honing their ability to defend themselves against digital attacks. Towards that aim, they can use WaterISAC’s guidelines for water and wastewater utilities.

The security fundamentals covered in those guidelines include the following:

Asset Inventory Database

You can’t protect what you don’t know you have. It’s therefore imperative that water facilities create an inventory of network assets. This effort should consist not only of network scanning but also of physical inspection, as the former can uncover only so much. In the process, these utilities can help to reveal blind spots by identifying what shouldn’t belong on the network.
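One way to put this into practice, shown as an added example that is not part of the original article or of WaterISAC's guidelines: reconcile a network scan against the inventory to flag devices that shouldn't be on the network, inventoried assets the scan never saw (candidates for physical inspection), and remote-access services nobody approved. The record fields, the sample data and the port list (default ports for RDP, VNC and TeamViewer) are assumptions made for illustration.

```python
# Added example: reconcile a network scan against the asset inventory.
# All records below are constructed sample data, not from any real utility.
REMOTE_ACCESS_PORTS = {3389: "RDP", 5900: "VNC", 5938: "TeamViewer"}  # default ports

INVENTORY = [  # built from records plus physical inspection (constructed)
    {"name": "hmi-01", "mac": "00:1A:2B:00:00:01", "ip": "10.0.5.10", "remote_ok": []},
    {"name": "eng-ws", "mac": "00:1A:2B:00:00:02", "ip": "10.0.5.20", "remote_ok": [3389]},
    {"name": "plc-dosing", "mac": "00:1A:2B:00:00:03", "ip": "10.0.5.30", "remote_ok": []},
]
SCAN = [  # what an active scan returned (constructed)
    {"mac": "00-1a-2b-00-00-01", "ip": "10.0.5.10", "ports": [80, 5938]},
    {"mac": "00:1a:2b:00:00:02", "ip": "10.0.5.21", "ports": [3389]},
    {"mac": "de:ad:be:ef:00:99", "ip": "10.0.5.77", "ports": [22]},
]

def norm_mac(mac):
    """Normalize MAC notation so scan and inventory entries compare equal."""
    return mac.lower().replace("-", ":")

def reconcile(inventory, scan):
    """Return a list of (finding, subject, detail) tuples."""
    known = {norm_mac(a["mac"]): a for a in inventory}
    seen, findings = set(), []
    for host in scan:
        mac = norm_mac(host["mac"])
        seen.add(mac)
        asset = known.get(mac)
        if asset is None:  # on the wire but not in the inventory
            findings.append(("unknown_device", host["ip"], mac))
            continue
        if asset["ip"] != host["ip"]:  # inventory record is stale or device moved
            findings.append(("ip_mismatch", asset["name"], host["ip"]))
        for port in host["ports"]:
            if port in REMOTE_ACCESS_PORTS and port not in asset["remote_ok"]:
                findings.append(("unapproved_remote_access", asset["name"],
                                 REMOTE_ACCESS_PORTS[port]))
    for mac, asset in known.items():
        if mac not in seen:  # scanning can't see it: go and look physically
            findings.append(("not_seen_by_scan", asset["name"], mac))
    return findings

if __name__ == "__main__":
    for finding in reconcile(INVENTORY, SCAN):
        print(*finding, sep="\t")
```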

Assess Risks

Water facilities need to identify security gaps and vulnerabilities in their environments. The best way to do both is to undergo a risk assessment. To prioritize risks to business-critical assets effectively, water utilities should conduct a risk assessment on a regular basis. This isn’t always easy to do, but organizations can use several free and voluntary frameworks, such as the NIST Cybersecurity Framework, for help.

Minimize Control