By now, many of you have heard of the cyber attack on the water treatment facility in the City of Oldsmar, FL on February 5, 2021. You can view the city’s press conference at https://www.youtube.com/watch?v=zx1wTh8G97Q.
The event consisted of unauthorized remote access to the utility’s supervisory control and data acquisition (SCADA) system where an intruder altered the amount of sodium hydroxide, raising the dosage by a factor of 100. This could have led to thousands of people suffering from sodium hydroxide poisoning, which includes: lung inflammation, throat swelling, burning of the esophagus and stomach, severe abdominal pain, vision loss, and low blood pressure, according to the University of Florida Health System. Fortunately, the water treatment operator on duty noticed the intrusion and corrected the issue before the change was able to take place. According to a release from the FBI:
“The cyber actors likely accessed the system by exploiting cybersecurity weaknesses including poor password security, and an outdated Windows 7 operating system to compromise software used to remotely manage water treatment. The actor also likely used the desktop sharing software TeamViewer to gain unauthorized access to the system.”
What would have happened if the operator was not on duty or did not notice the change? Would downstream monitoring and other alarms have detected this change before water quality and public health were impacted?
Has your system evaluated cybersecurity? Would you be able to prevent and/or respond to this type of attack?
Cybersecurity is one component of the risk and resiliency assessment (RRA) and emergency response planning (ERP) processes identified in America’s Water Infrastructure Act of 2018 (AWIA). The goal of the RRA and ERP process is to assess potential risks and then develop plans to respond. As shown in the recent case at the City of Oldsmar, water systems are vulnerable to cyber-attack. Awareness and planning are needed to protect against these vulnerabilities. RCAP, through its regional partners, has assisted a number of water and wastewater utilities in developing the EPA-compliant RRAs and ERPs required under AWIA.
One of the key components in addressing risk and resilience is training to raise awareness and identify potential actions to be taken to protect water systems. Under an EPA cooperative agreement, RCAP and its partner, American Water Works Association (AWWA), developed the AWIA Small Systems Certification Program. This program consists of 5 eLearning modules. All are available free of charge to small water utilities at https://www.awwa.org/Professional-Development/Small-Systems#10954561-awia-small-systems-certificate-program.
Course 1: Introduction to Resiliency and America’s Water Infrastructure Act of 2018 – EL272 – As the introductory course in the Small Systems Resiliency Certificate Program, this course introduces the requirements for water utilities established by America’s Water Infrastructure Act of 2018 (AWIA) and defines how the certificate program can help small systems to meet those requirements.
Course 2: Operational Measures for Resiliency – EL273 – The second course in the Small Systems Resiliency Certificate Program, the course content covers each aspect of security, field assessments of critical assets, and operational resiliency.
Course 3: How to Develop a Risk and Resilience Assessment – EL274 – As the third course in the Small Systems Resiliency Certificate Program, the course guides small systems through developing a Risk and Resiliency Assessment (RRA) with an RCAP/AWWA worksheet designed for small utilities.
Course 4: How to Develop a Small System Emergency Response Plan – EL275 – As the fourth course in the Small Systems Resiliency Certificate Program, the course guides small systems through developing an Emergency Response Plan (ERP) with the EPA ERP template.
Course 5: Cybersecurity for Water Systems – EL276 – The fifth course in the Small Systems Resiliency Certificate program explains the importance of cybersecurity best practices for critical infrastructure and demonstrates how AWWA’s water sector cybersecurity risk management guidance and tool can help a utility identify gaps in current cybersecurity practices.
The cybersecurity module is currently geared towards water systems of all sizes but is being modified by RCAP and AWWA to better address the needs of small communities. A draft of the revised module should be available for release by the end of March.
While the eLearning modules provide the essential knowledge for addressing AWIA requirements and can be used by some facilities in developing plans, additional training and technical assistance is often needed to help small communities conduct these assessments and develop complimentary ERPs. RCAP can provide this training and technical assistance. When needed, RCAP and its partners can also provide more in-depth cybersecurity training and analysis. The process consists of assessing the current use of technology; evaluating the controls and practices to identify, protect, and detect threats to their cyber systems; and where to go for more support.
For more information, contact Jeff Oxenford, RCAP Director of Training and Technical Services at firstname.lastname@example.org or (720) 353-4242.