The URL can be used to link to this page

Home My WebLink AboutIR 10552INFORMAL REPORT TO CITY COUNCIL MEMBERS No. 21-10552 To the Mayor and Members of the City Council March 23, 2021 Page 1 of 2 SUBJECT: CYBERSECURITY AND WATER TREATMENT PROCESSES ISSUED BY THE CITY MANAGER FORT WORTH, TEXAS This report is to respond to the City Council’s request for information on cybersecurity strategies for water treatment facilities and processes. Recent cybersecurity attacks on water systems in Oldsmar, Florida, and other communities around the country have raised awareness and concerns about the security of water treatment processes from unauthorized actors. The Fort Worth Water Utility embraces a defense-in- depth security risk mitigation strategy for water treatment process control systems that leverages components of multiple best-practice frameworks. The Oldsmar, Florida, Attack Specifically, the attack in Florida centered on unauthorized access to the water treatment plant’s Supervisory Control and Data Acquisition (SCADA) controls via remote access software used by staff to conduct system status checks and to respond to alarms or other issues that arise during the water treatment process. In the Oldsmar case, all computers used by water plant personnel were connected to the SCADA system and used the 32-bit version of the Windows 7 operating system. Further, all computers shared the same password for remote access and appeared to be connected directly to the internet without any type of firewall protection installed. SCADA Process Control Systems Water treatment plants use electronic process control systems commonly known as SCADA systems, which electronically monitor and control the components of the treatment process. These systems monitor equipment functions and collect data on performance. Using an HMI, or Human Machine Interface, SCADA systems can also control the functions of equipment used in the process, maintain settings that define allowed parameters, and trigger alarms that notify a trained operator when settings are changed or components malfunction. Fort Worth Water’s Approach: Fort Worth Water uses a comprehensive approach for effective cybersecurity that combines the assessment of people, procedures, new technologies, systems, and adversarial awareness to reduce risks posed to the process control systems used in the water treatment process. Ongoing Process Monitoring – Fort Worth Water staff actively manage the water treatment process on a 24 x 7 x 365 basis. Following regulatory guidance for the water sector, daily monitoring and field inspections occur at multiple points in the water treatment process to ensure quality. Alarms are set to detect parameters that are out of acceptable ranges. Licensed and highly trained water operators provide ongoing system monitoring. SCADA system data are recorded and incorporated into monthly regulatory reports that are submitted to the Texas Commission on Environmental Quality. Defense-In-Depth Approach Using Multiple Frameworks – Fort Worth Water segments the utility’s network from the City’s larger business network in order to deter business threat actors from impacting the process control system and utility business operations. Fort Worth Water also leverages guidance from cybersecurity frameworks provided by the American Water Works Association (AWWA), the National Institute of Standards and Technology (NIST), the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA), Water Information Sharing & Analysis Center (WaterISAC), and Payment Card Industry Data Security Standard (PCI). Each framework provides guidance on best practices for cybersecurity countermeasures and updated defense-in-depth strategies. INFORMAL REPORT TO CITY COUNCIL MEMBERS No. 21-10552 To the Mayor and Members of the City Council March 23, 2021 Page 2 of 2 SUBJECT: CYBERSECURITY AND WATER TREATMENT PROCESSES ISSUED BY THE CITY MANAGER FORT WORTH, TEXAS Fort Worth Water’s Cybersecurity Measures – Specific cybersecurity measures implemented to protect SCADA systems used by the utility include: • The Water Utility network is segmented from the City’s network to add another level of protection from threat actors. (Each entity is a unique target.) • Firewalls and port restrictions limit connectivity to only “allowed” network communication. • Fort Worth Water has eliminated all Windows 7 computers and there are no shared passwords. • There is no public internet access to the SCADA system. • Threat detection via continuous monitoring provides alerts that are spread among multiple teams to ensure quick response. • System hardening cleanses components before they are added to the network. • Formal change management protocols are enforced to maintain system continuity during planned system updates. • Least-privilege user credentials allow permissions only as appropriate for the job function. • Administrative rights are only granted if the user has appropriate training, follows established protocols, and maintains an audit trail of activities while using elevated rights. • Remote system access is highly restricted and only enabled via secure VPN links with encryption and multi-factor authentication to qualified personnel. Connections are monitored. • A formal incident response plan has been developed that can be enacted to manage events. • Security awareness training for all employees is conducted annually with reduction of credentials for those who do not complete the training. • Physical security controls exist to restrict access to SCADA terminals and hosts, data centers, and network closets. Activity is monitored on a 24 x 7 x 365 basis. • Security reviews are conducted periodically to assess the continued application of best practices and identify exceptions. • Monthly threat intelligence briefings educate technology and business representatives of risks. • Key security personnel also participate in monthly forums offered by WaterISAC, MS-ISAC, and CISA, the federal cybersecurity agency. These efforts emphasize the importance of protection and mitigation activities as well as prepare the organization for incident identification and response, if necessary. Should you have any questions, please contact Chris Harder, P.E., Water Director, at 817-392-5020. David Cooke City Manager