A four-page FBI document distributed to water treatment officials in Chittenden County and across the state Friday lays out steps to avoid cyberattacks such as the one that recently happened in Florida.
The document, forwarded by Jill Draper, an environmental technician at the Vermont Department of Environmental Conservation, carries recommendations for following “Cyber Hygiene.” Some recommendations include, “Update to the latest version of the operating system (Windows 10),” “Install independent cyber-physical safety systems” and “set random passwords to generate 10-character alphanumeric passwords.”
Two weeks ago, unidentified cyber actors gained access to a drinking water system that serves 15,000 people outside of Tampa, Florida. They attempted to raise the amounts of lye in the water system from 100 to 11,000 parts per million.
Joseph Duncan, the general manager of the Champlain Water District (CWD), the wholesale water supplier for approximately 75,000 people in Chittenden County, including many residents in Colchester, Milton and Essex, said he is very familiar with the issue.
“We have been receiving information from state and federal resources regarding this cyberattack, as well as other situations they are monitoring,” Duncan said.
Duncan said the most recent state and federal safety review of Champlain Water District was last summer.
“As a result, CWD has measures in place that do not allow for outside access into our process controls,” he said.
He wouldn’t speculate on what measures are in place or when they were installed, only saying that they include several physical, as well as cyber-security measures.
The FBI document reads, “Cyber actors continue to find entry points into legacy Windows operating systems.” It goes on to state, “Windows 7 will become more susceptible to exploitation due to lack of security updates and the discovery of new vulnerabilities. Microsoft and other industry professionals strongly recommend upgrading computer systems to an actively supported operating system. Continuing to use any operating system within an enterprise beyond the end of life status may provide cyber criminals access into computer systems.”
The America's Water Infrastructure Act of 2018 requires water systems serving more than 3,300 people "to develop or update risk assessments and emergency response plans.”
Last week, a COVID-19 variant was detected in the wastewater in Burlington, according to media reports.
Burlington Water Policy and Programs Manager Jenna Olson said they do manual sampling numerous times every day.
“Since our plant is manned 24/7 we are not required to have remote access so our plant automation system is not connected to the internet,” she said.
St. Albans Public Works Director Martin Manahan says the city is continuously looking for ways to reduce the risk and update procedures.
“We have a very secure cyber security system in place that is continually monitored by IT staff," Manahan said. "The people using the St. Albans City municipal water system can be very confident that we are constantly monitoring and testing our system to provide safe drinking water throughout our community."
The document is a joint advisory co-authored by the FBI, The Cybersecurity and Infrastructure Security Agency — a division of the Department of Homeland Security — the EPA and Multi-State Center for Internet Security.