Skip to main content

Roxborough Water and Sanitation District Cybersecurity Update

On Monday morning Roxborough Water and Sanitation District (RWSD) received notice that a water utility in Oldsmar, Florida, had suffered a cyberattack during which a hacker was able to access their supervisory control and data acquisition (SCADA) system software and altered the amount of sodium hydroxide, a chemical routinely used in small doses during water treatment, to levels that would have made the water unsafe to use. We know that given the cyberattack RWSD suffered in August, we have a lot of trust to rebuild with the community, but we want to assure everyone that we have made significant improvements to the security of our IT system, specifically including our SCADA system. Today the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS) provided details on exactly what happened and provided specific recommendations that all water systems implement. The hackers in the Florida case accessed the water treatment plant’s SCADA controls via remote access software, TeamViewer, which was installed on one of several computers the water treatment plant personnel used to conduct system status checks and to respond to alarms on issues that arose during the water treatment process. All computers used by water plant personnel were connected to the SCADA system and used an old version of Windows 7. In addition, all of the computers shared the same password for remote access and appeared to be connected directly to the internet without any type of firewall protection installed.

FBI/DHS Recommended Mitigation

  • Restrict all remote connections to SCADA systems, specifically those that allow physical control and manipulation of devices within the SCADA network. One-way unidirectional monitoring devices are recommended to monitor SCADA systems remotely.
  • Install a firewall software/hardware appliance with logging and ensure it is turned on. The firewall should be secluded and not permitted to communicate with unauthorized sources.
  • Keep computers, devices, and applications, including SCADA/industrial control systems (ICS) software, patched and up-to-date.
  • Use two-factor authentication with strong passwords.
  • Only use secure networks and consider installing a virtual private network (VPN).
  • Implement an update and patch management cycle. Patch all systems for critical vulnerabilities, prioritizing timely patching of Internet-connected systems for known vulnerabilities and software processing Internet data, such as Web browsers, browser plugins, and document readers.

RWSD System
RWSD follows these recommendations. There are sensors and alarms throughout the treatment process that notify operators immediately if there is something outside of normal operating parameters, and chemical doses have locked set points that can only be changed by the Operator in Responsible Charge.  In addition, we are currently in the process of completing an independent, third-party review of our cybersecurity system through the District’s insurance provider. The entire team at RWSD is committed to the #1 priority of providing safe drinking water to the community.


Join our mailing list