Utilities Department
700 Wood St
PO Box 580, Fort Collins, CO 80522
970-397-6761
jwoolf@fcgov.com
CC: Water Commission Page 1 of 4
MEMORANDUM
Date: 07/01/2024
To: Mayor and City Councilmembers
Through: Kelly DiMartino, City Manager
Tyler Marr, Deputy City Manager
Jill Oropeza, Interim One Water Director
From: Jeremy Woolf, Senior Director, Integrated Water Operations
Joe King, Senior Manager, Information Technology
Subject: Cybersecurity Protection for Water Utility System
BOTTOM LINE
This memo is in reply to Councilmember Canonico’s request for information on cybersecurity
protection for the Fort Collins Utilities water system, and provides a general summary of the City
of Fort Collins physical and network security measures and precautions.
BACKGROUND
Recent media reports and federal government advisories indicate that cyber attacks on water
utilities are increasing. Although these attacks have primarily focused on smaller and less
sophisticated utilities than that of Fort Collins, the potential for water service interference cannot
be overlooked.
The U.S. Environmental Protection Agency (EPA) requires water utilities to perform a risk and
resilience assessment with results incorporated into an emergency response plan (ERP). The
assessment and ERP are intended to address any potential threat to water service, including
cyberattack. Fort Collins is in compliance with this requirement. Our ERP is also in the process
of being updated, as required on a five-year interval. Other than the requirement for an ERP,
there are currently no federal or state mandated requirements for the protection of water utility
systems from cybersecurity threats. The City of Fort Collins uses standards developed by the
National Institute of Standards and Technology to guide our protocols.
During security incidents, IT Information Security follows an Incident Response Plan, which
includes partnering with State and Federal agencies and Law Enforcement as required and
beneficial.
Water operations equipment is controlled using several methods that carry a potential risk of
access by threat actors. Access to operational control systems by threat actors can only occur
through physical access (onsite) or network access. Onsite physical access is protected from
threat actors through physical security means such as facility enclosure (fences and gates),
cameras, and security protocol training of facility personnel. Physical security equipment is
maintained and monitored by the operational and maintenance teams of each facility. Facility
access is controlled and maintained by the City’s department of Emergency Management
Emergency Preparation and Security.
Network and security elements contain redundant components to ensure system availability.
The primary means of protecting the operational environment from threat actors is by restricting
network access. The operational environment is isolated and protected from the enterprise
(business) network by a firewall that is maintained by the City’s Information Technology (IT)
department and restricts communications to only a single path, by design, to allow for
instantaneous isolation of the operational environment, if needed. The operational environment
is commonly referred to as the Water Supervisory Control and Data Acquisition (SCADA)
system. The SCADA system provides water operators with the ability to monitor and control the
entire water system. Access to on-site SCADA terminals is protected and limited to a set of
authorized users using industry standard access controls. SCADA access controls are unique
from the business network.
Access control is role-based according to operational needs and is protected by a Privileged
Access Management (PAM) system. Individuals with access to the PAM also require distinct
authentication controls from those of both the enterprise network and the SCADA system.
Access to the PAM requires a user to be connected to the enterprise network. Enterprise
network login requires the user to be connected to the City’s enterprise network. There is no
direct ingress or egress access to or from untrusted zones (including the Internet).
Authentication mechanisms for SCADA are controlled by the water operational technology
team. The technology team reviews access on a frequent basis, to revoke, modify, and add user
access as needed (separation, hiring, etc.).
The City partners with a third-party Managed Detection and Response (MDR) and Managed
Risk partner, which provides active and continuous monitoring using artificial intelligence,
machine learning, and human-driven threat detection, as well as response to cyber threats.
These services leverage advanced security technologies and expert analysis to identify and
mitigate risks before they can lead to significant security incidents, enhancing the organization’s
overall cybersecurity posture and resilience against cyber attacks.
The Cybersecurity and Infrastructure Security Agency (CISA) issues advisories of cyber
security breaches of utilities. Recent advisories include notifications of the infiltration of
Barracuda Email Security Gateway (ESG) appliances and Unitronics programmable logic
controllers (PLCs) by threat actors. The IT and operational technology (OT) departments receive
these advisories and immediately evaluate and react to the presence of any of the compromised
systems or software in the Fort Collins operational environment. To date, no compromised
systems or software have been identified.
NEXT STEPS
City of Fort Collins IT and water operational technology departments will continue to monitor
CISA alerts, assess potential vulnerabilities, and update and maintain existing security structures.