The Rivanna Water and Sewer Authority says it is protected against cyberattacks like those that have happened to other water suppliers across the country.
Earlier this year, a hacker broke into a computer program at a Florida water treatment plant and increased the amount of sodium hydroxide, also known as lye, to poisonous levels, but was stopped nearly immediately by an employee. According to news reports, the hacker got in through a remote-access system used for troubleshooting.
Steven Miller, information systems administrator for the authority, told members of the authority’s board at their meeting Tuesday that the RWSA doesn’t allow that type of access.
“We specifically don’t allow that type of access to any of our control facilities, even for our own employees, and all of our regular remote access, which is for administrative purposes, we require the two-factor authentication,” he said.
It was later reported that in January a hacker tried to poison a water treatment plant that serves parts of the San Francisco Bay area using the same remote-access system. Other water systems also have been targeted.
Miller said the RWSA, which provides water wholesale to the Albemarle County Service Authority and the city of Charlottesville, has a layered approach called the “defense-in-depth” strategy to protect against cyberattacks.
“We don’t rely on just one thing or one type of defense — we use many different types of software and other things to defend against attacks, and we have them at different parts of where you hit them, different layers, effectively,” he said.
For physical protection, Miller said the RWSA restricts access to its plants and devices. The presentation said the authority will be implementing software that will allow it to block devices, users and traffic from a centralized dashboard.
Rivanna also uses a next-generation, or adaptive, firewall.
“Our first set of firewalls are in our routers — we call them our outer firewalls, and they are smart and they adapt,” Miller said. “We are in the process of installing new software and systems that will camouflage our networks and hide us from the outside world, so that we become very hard to find. Then if you do find us, you’re not sure what you’ve got.”
He said software also will allow geofencing, which will allow the authority to block all traffic from a specific area. The IT team also will be adding firewalls to the industrial computers that run everything at RWSA plant sites.
The authority’s routers contain built-in antivirus software that inspects data from the outside world before allowing it to pass, Miller said, and all devices have an added layer of antivirus/malware scanning software.
“All of our communication between our sites … is done by encrypted tunnels, created by each router. So you need a key at each end in each router, and … even if somebody could possibly intercept them, they wouldn’t have anything they could use,” Miller said.
Another layer Rivanna has is access restrictions: everybody needs a username and password to get onto the network.
“All remote authentication requires two factors, which means, not only do you have to put in a username and password, you have to enter a token information,” Miller said. “That makes it so even if somebody has stolen one of our users’ usernames and passwords, they still can’t use our remote access because they won’t have the token to go with it.”
He said the authority also does trainings and simulations for system users, performs system and data backups in numerous ways and does various types of threat monitoring.
Albemarle County Supervisor Liz Palmer, who serves on the RWSA board, said officials have been getting a lot of questions about the authority’s cybersecurity.
“We have always been rather paranoid, which is, based on what’s happening in the world at the moment, a good posture, and we are constantly evaluating and looking at new strategies and adding them as we can,” Miller said.