On September 5, 2024, the Federal Bureau of Investigation (FBI), in partnership with CISA, the National Security Agency (NSA), and other U.S. and international partners, released a joint Cybersecurity Advisory: Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. This advisory provides overlapping cybersecurity industry cyber threat intelligence, tactics, techniques, and procedures to protect critical infrastructure against the Russian military cyber actors and other international cyber criminals. This advisory highlights the increasing risk that cyberattacks pose to U.S. critical infrastructure and, by extension, Colorado public drinking water systems and wastewater providers.
Because of this continued rise in attacks, the department’s Drinking Water Coaches want to take a moment to discuss a crucial potential vulnerability in drinking water cybersecurity: remote SCADA. With the increasing reliance on operational technologies (OT) like smartphones, laptops, and tablets, it is essential to ensure that these systems are protected from potential cybersecurity threats.
What is remote SCADA?
Remote SCADA access allows operators to monitor and control water treatment and distribution systems even when they are not physically present at the plant. This tool provides real-time information on water quality, levels, pressure, and alarms, enabling quick action to be taken if needed.
How can you protect your remote SCADA?
To safeguard your drinking water systems, we recommend the following best management practices:
- Use a Separate Device and Minimal App Use: Utilize a dedicated device solely for accessing the SCADA system to minimize the risk of unauthorized access. Limit the installation of additional apps on this device to reduce vulnerabilities.
- Implement Multi-Factor Authentication (MFA): Enhance security by requiring multiple forms of verification before granting access. This additional layer of protection can prevent unauthorized entry even if one factor is compromised. A common example is to use text and email verification.
- Granular Access Controls: Restrict users' access within the SCADA system based on their roles and responsibilities. This ensures that each user can only modify controls relevant to their job function. Establish a process for users to request permission changes, which should be approved by authorized personnel. This segmentation of your SCADA controls will ensure that if one user’s remote access is compromised, the damage will be minimized.
- Robust Remote Access Program: Regularly evaluate the strength of your remote access program by ensuring that software and infrastructure are updated with the latest security patches and protocols. Conduct security audits and penetration testing to identify and address vulnerabilities. Consider using encryption technologies like Virtual Private Networks (VPNs) to secure data transmission.
- Limit Network Connectivity: Utilize only cellular data or private Wi-Fi connections. Turn off auto-connect to avoid automatically connecting to public Wi-Fi networks. If using a private Wi-Fi connection, ensure a key must be entered for access and the connection is encrypted.
By following these strategies, water systems can enhance the resilience and integrity of their infrastructure against cyber threats. Remember, protecting our drinking water resources is a shared responsibility that requires ongoing vigilance and adaptability to evolving cybersecurity challenges. Safeguarding our drinking water systems is essential for maintaining public health and public trust. Thank you for your dedication to ensuring the safety and quality of our water supply.
We want to know - How do you protect your remote SCADA OT?
The department and our state and federal cybersecurity partners continue to create new resources and tools to help you as you protect your systems from cyberattacks. If you have a robust remote SCADA protection plan, please email kyra.gregory@state.co.us. We are hoping to gather information and produce a best management practices guidance document.
How can your system become more cyber literate?
Please see the list of cybersecurity resources below to help your system better protect your IT/OT from cyberattacks:
- CDPHE Security Toolbox: The department gathered resources to help your system prepare for and respond to cyber and physical security incidents.
- WQCD Guidance: Respond and Report Cyberattacks can be used when your water/wastewater facility experiences a cybersecurity event. It outlines what steps to take, the required steps to report the event, and what to expect after reporting the event.
- Self-Assessment: EPA self-assessment resources and Water Cybersecurity Assessment Tool (WCAT)
- Third-Party Assessment: EPA’s Water Sector Cybersecurity Evaluation Program and Colorado Information Analysis Center Cyber Assistance
- EPA Cybersecurity Technical Assistance Program for the Water Sector
- EPA Cybersecurity Incident Action Checklist
- EPA collection and explanation of cybersecurity funding opportunities
➽ Kyra Gregory, Drinking Water Training Specialist