Wisconsin DNR discusses water systems security following hack in Florida
MILWAUKEE (CBS 58) --Miranda Mello, with the Wisconsin DNR, says the hack of a water treatment plant in Florida is an important reminder for water systems to be prepared.
"In general, there are some things with water systems they can do on the physical side to say 'okay, worse case if a hacker does come in,' there's so many other redundant systems in place that will protect the water supply," she said.
The Wisconsin DNR sent a message to all community water systems. It said in part that the EPA has recommended that all water systems implement the following mitigation measures when applicable:
- Restrict all remote connections to SCADA systems, specifically those that allow physical control and manipulation of devices within the SCADA network. One-way unidirectional monitoring devices are recommended to monitor SCADA systems remotely.
- Install a firewall software/hardware appliance with logging and ensure it is turned on. The firewall should be secluded and not permitted to communicate with unauthorized sources.
- Keep computers, devices and applications, including SCADA/industrial control systems (ICS) software, patched and up to date.
- Use two-factor authentication with strong passwords.
- Only use secure networks and consider installing a virtual private network (VPN).
- Implement an update and patch management cycle. Patch all systems for critical vulnerabilities, prioritizing timely patching of internet-connected systems for known vulnerabilities and software processing Internet data, such as web browsers, browser plugins and document readers.
"A lot of it is what they call cyber hygiene, that applies to the everyday person as much as it does a water utility, and those are basic things -- just making sure your operating system is up to date, you use multi factor authentication when accessing programs, using strong passwords," said Mello.
She says in the last few years, there have been new requirements for all water systems that serve more than 3,300 people.
"All water systems have to sit down and do a risk assessment of their water system, and that's thinking about monovalent acts or natural hazards or cyber security," she said.
She says if something were to happen, there is a network of state agencies that would support the water systems.
"With any efforts, they need to make sure that their water is safe," said Mello.
In a statement, Milwaukee Water Works Superintendent said:
"Milwaukee Water Works’ critical water infrastructure is designed to be secure and we are vigilant about ensuring cyber security and emergency response preparedness to provide a reliable supply of safe drinking water for our customers. We have a longstanding working relationship with the Department of Homeland Security Cybersecurity & Infrastructure Security Agency (CISA). With CISA guidance, we enhanced our systems in preparation for the Democratic National Convention and continue to improve our cyber security posture in an ever changing threat environment. We closely follow cybersecurity alerts and industry information, including the Oldsmar, Florida event, and have determined our water system is secure from this type of remote access breach."