Technological advancements in water plant operations have increased efficiency and decreased labor intensive activities. Supervisory control and data acquisition (SCADA) and other automated control systems have allowed plants to operate at levels and limits that were once thought impossible. However, with an increase in technology and inter-connectivity grows a threat that was once also never conceived: cyber attacks. The internet and remote monitoring systems are tools we use every day. These tools are also the pathways to vulnerabilities in our systems and uninvited hackers. Think about what someone could do with your SCADA-control access or what would happen if your entire computer or control system crashed? You may think your organizations’ IT department is handling all of this behind-the-scenes computer warfare, and they are, but we will explore challenges to this statement and how you can be proactive in implementing and understanding cyber-security at your plant.
Information Technology (IT) departments focus on the flow and security of information. They are concerned with data protection and confidentiality. Consistent response time and occasional rebooting of the system are acceptable. Save the data and everything is okay because it can be recovered, plus it is not happening in real time anyway. However, a SCADA or other automation control system is very different. In these systems, everything happens in real time. The system goes down, equipment doesn’t function, processes fail, and human lives can be at risk. Up-time and response time are critical, so things like rebooting need to be scheduled and kept to a minimum. Typically, an IT department reboots when there are few users on the system. This is often done in the middle of the night, when a plant also has little to no staffing to make sure everything comes back up.
Your system is only as strong as the weakest link. Some areas of common security gaps in water supply are remote access, documented policies and procedures, and trained staff. Cyber-security does not have to be complicated and technical. Simple steps will increase the security of your system. Having a very flexible and user-friendly system increases the likelihood of security breaches; simple is more secure. Plant staff should be properly trained on basic cyber-security. Operators should know what computer hardware is to stay locked, how to create strong passwords, and what to do when confronted with suspicious emails. Each user should have a level of access to the system according to their role. An operator may have limited access while an IT technician may require all access to troubleshoot the system remotely. Also, consider what employees post on social media. Inadvertently, operators could be sharing sensitive information in the background of pictures or other posts.
For more information on cyber-security tools and assessments, check out CSET, the Cyber Security Evaluation Tool. This is a downloadable file that guides users through a step-by-step process to assess their control system and IT network security practices against recognized industry standards. (www.us-cert.gov/control_systems). The Department of Homeland Security (DHS) National Cyber Security Division’s Control Systems Security Program (CSSP) also offers training and guidance at no cost to utility owners. Taking these simple steps and using free resources is a great way to start a cyber-security foundation in your organization.