On January 31, 2012 MassDEP received the following alert from the Association of State Drinking Water Administrators (ASDWA):

Late last week, the WaterISAC shared an alert from ICS-CERT about an increasing risk to Internet-accessible industrial control systems. State drinking water security coordinators with a WaterISAC subscription are encouraged to read the alert and help support the needs of their water systems as appropriate. If your state does not have a subscription to the WaterISAC, you may wish to contact your state's Homeland Security Advisor or the DHS Protective Security Advisor for your area to obtain additional information about this alert. The alert is just that - a precautionary warning. No specific incident response is warranted at this time.

Meanwhile, all states should remind their water utilities to adopt common-sense protective actions related to their SCADA systems:

  • Minimize network exposure for all control system devices. Control system devices should not directly face the Internet.
  • Locate control system networks and devices behind firewalls, and isolate them from the business network.
  • If remote access is required, employ secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.
  • Remove, disable, or rename any default system accounts wherever possible.
  • Implement account lockout policies to reduce the risk from brute forcing attempts.
  • Implement policies requiring the use of strong passwords.
  • Monitor the creation of administrator level accounts by third-party vendors.
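As an added illustration (not part of the ASDWA alert or of any MassDEP tooling), a small Python audit that checks a constructed device inventory against the seven protective actions above; the device records, their field names and the default-account list are assumptions made for the example:

```python
import ipaddress

# Constructed sample inventory (hypothetical devices, not from the alert);
# each record describes one control system device and its account settings.
DEVICES = [
    {"name": "plc-intake-1", "ip": "203.0.113.10", "behind_firewall": False,
     "remote_access": "telnet", "accounts": ["admin", "operator"],
     "lockout_threshold": 0, "min_password_len": 6,
     "vendor_admin_accounts": ["vendor_svc"]},
    {"name": "hmi-pumphouse", "ip": "10.20.30.40", "behind_firewall": True,
     "remote_access": "vpn", "accounts": ["operator"],
     "lockout_threshold": 5, "min_password_len": 12,
     "vendor_admin_accounts": []},
]

# Assumed list of vendor default account names; extend it from device manuals.
DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "guest", "user", "default"}

# RFC 1918 ranges; anything outside them is treated as routable from the Internet.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    """True when the address falls inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

def audit_device(dev):
    """Return one finding per protective action the device fails."""
    findings = []
    if not is_internal(dev["ip"]):          # action 1: no direct Internet exposure
        findings.append("device address is Internet-routable")
    if not dev["behind_firewall"]:          # action 2: firewalled and isolated
        findings.append("device is not behind a firewall")
    if dev["remote_access"] not in ("none", "vpn"):   # action 3: VPN only
        findings.append(f"insecure remote access method: {dev['remote_access']}")
    for acct in dev["accounts"]:            # action 4: default accounts gone
        if acct.lower() in DEFAULT_ACCOUNTS:
            findings.append(f"default account still present: {acct}")
    if dev["lockout_threshold"] <= 0:       # action 5: lockout enabled (0 = never)
        findings.append("no account lockout policy")
    if dev["min_password_len"] < 12:        # action 6: strong password policy
        findings.append(f"weak password policy (min length {dev['min_password_len']})")
    for acct in dev["vendor_admin_accounts"]:   # action 7: vendor admin accounts
        findings.append(f"vendor-created admin account to review: {acct}")
    return findings

def audit(devices):
    """Map each device name to its list of findings (empty list means compliant)."""
    return {d["name"]: audit_device(d) for d in devices}

if __name__ == "__main__":
    for name, findings in audit(DEVICES).items():
        print(name, "OK" if not findings else "\n  - " + "\n  - ".join(findings))
```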

Further, DHS recommends that water system owners and operators also perform a comprehensive control system cybersecurity assessment using the DHS Control Systems Security Program (CSSP) Cyber Security Evaluation Tool (CSET). CSET is a free, downloadable, stand-alone software tool that is designed to assist owners and operators to:

  1. Determine their current security posture
  2. Identify where security improvements can/should be made
  3. Map out the existing component/network configuration
  4. Output a basic cyber security plan

The tool can be downloaded online, or organizations can contact CSSP to request onsite training and guidance. A CSET fact sheet is available on the CSSP web page at http://www.us-cert.gov/control_systems/satool.html

If you have any questions about this alert, please contact Paul Niman at 617-556-1166 or at paul.niman@state.ma.us.