HomeMy WebLinkAbout(0004) IR 21-10552 - Cyber Security and Water Treatment ProcessINFORMAL REPORT TO CITY COUNCIL MEMBERS
No. 21-10552
To the Mayor and Members of the City Council March 23, 2021
Page 1 of 2
SUBJECT: CYBERSECURITY AND WATER TREATMENT PROCESSES
#Z rn
Y@7'a
This report is to respond to the City Council's request for information on cybersecurity strategies for water
treatment facilities and processes. Recent cybersecurity attacks on water systems in Oldsmar, Florida,
and other communities around the country have raised awareness and concerns about the security of
water treatment processes from unauthorized actors. The Fort Worth Water Utility embraces a defense -in-
depth security risk mitigation strategy for water treatment process control systems that leverages
components of multiple best -practice frameworks.
The Oldsmar, Florida, Attack
Specifically, the attack in Florida centered on unauthorized access to the water treatment plant's
Supervisory Control and Data Acquisition (SCADA) controls via remote access software used by staff to
conduct system status checks and to respond to alarms or other issues that arise during the water
treatment process. In the Oldsmar case, all computers used by water plant personnel were connected to
the SCADA system and used the 32-bit version of the Windows 7 operating system. Further, all computers
shared the same password for remote access and appeared to be connected directly to the internet
without any type of firewall protection installed.
SCADA Process Control Systems
Water treatment plants use electronic process control systems commonly known as SCADA systems,
which electronically monitor and control the components of the treatment process. These systems monitor
equipment functions and collect data on performance. Using an HMI, or Human Machine Interface,
SCADA systems can also control the functions of equipment used in the process, maintain settings that
define allowed parameters, and trigger alarms that notify a trained operator when settings are changed or
components malfunction.
Fort Worth Water's Approach: Fort Worth Water uses a comprehensive approach for effective
cybersecurity that combines the assessment of people, procedures, new technologies, systems, and
adversarial awareness to reduce risks posed to the process control systems used in the water treatment
process.
Ongoing Process Monitoring — Fort Worth Water staff actively manage the water treatment process on a
24 x 7 x 365 basis. Following regulatory guidance for the water sector, daily monitoring and field
inspections occur at multiple points in the water treatment process to ensure quality. Alarms are set to
detect parameters that are out of acceptable ranges. Licensed and highly trained water operators provide
ongoing system monitoring. SCADA system data are recorded and incorporated into monthly regulatory
reports that are submitted to the Texas Commission on Environmental Quality.
Defense -In -Depth Approach Using Multiple Frameworks — Fort Worth Water segments the utility's network
from the City's larger business network in order to deter business threat actors from impacting the process
control system and utility business operations. Fort Worth Water also leverages guidance from
cybersecurity frameworks provided by the American Water Works Association (AWWA), the National
Institute of Standards and Technology (NIST), the U.S. Department of Homeland Security Cybersecurity
and Infrastructure Security Agency (CISA), Water Information Sharing & Analysis Center (WaterISAC),
and Payment Card Industry Data Security Standard (PCI). Each framework provides guidance on best
practices for cybersecurity countermeasures and updated defense -in-depth strategies.
ISSUED BY THE CITY MANAGER FORT WORTH, TEXAS
INFORMAL REPORT TO CITY COUNCIL MEMBERS
No. 21-10552
To the Mayor and Members of the City Council March 23, 2021
4. . Page 2of2
a
SUBJECT: CYBERSECURITY AND WATER TREATMENT PROCESSES
r Yn
rer�
Fort Worth Water's Cybersecurity Measures — Specific cybersecurity measures implemented to protect
SCADA systems used by the utility include:
• The Water Utility network is segmented from the City's network to add another level of protection
from threat actors. (Each entity is a unique target.)
• Firewalls and port restrictions limit connectivity to only "allowed" network communication.
• Fort Worth Water has eliminated all Windows 7 computers and there are no shared passwords.
• There is no public internet access to the SCADA system.
• Threat detection via continuous monitoring provides alerts that are spread among multiple teams to
ensure quick response.
• System hardening cleanses components before they are added to the network.
• Formal change management protocols are enforced to maintain system continuity during planned
system updates.
• Least -privilege user credentials allow permissions only as appropriate for the job function.
• Administrative rights are only granted if the user has appropriate training, follows established
protocols, and maintains an audit trail of activities while using elevated rights.
• Remote system access is highly restricted and only enabled via secure VPN links with encryption
and multi -factor authentication to qualified personnel. Connections are monitored.
• A formal incident response plan has been developed that can be enacted to manage events.
• Security awareness training for all employees is conducted annually with reduction of credentials
for those who do not complete the training.
• Physical security controls exist to restrict access to SCADA terminals and hosts, data centers, and
network closets. Activity is monitored on a 24 x 7 x 365 basis.
• Security reviews are conducted periodically to assess the continued application of best practices
and identify exceptions.
• Monthly threat intelligence briefings educate technology and business representatives of risks.
• Key security personnel also participate in monthly forums offered by WaterISAC, MS-ISAC, and
CISA, the federal cybersecurity agency.
These efforts emphasize the importance of protection and mitigation activities as well as prepare the
organization for incident identification and response, if necessary.
Should you have any questions, please contact Chris Harder, P.E., Water Director, at 817-392-5020.
David Cooke
City Manager
ISSUED BY THE CITY MANAGER
FORT WORTH, TEXAS