Cybersecurity at Water Plants

By: Ashley Berfield | Oct 05, 2020

Technological advancements in water plant operations have increased efficiency and decreased labor-intensive activities. Supervisory control and data acquisition (SCADA) and other automated control systems have allowed plants to operate at levels and limits that were once thought impossible. However, with an increase in technology and interconnectivity comes a new threat: cyberattacks. The internet and remote monitoring systems are tools we use every day. These tools are also pathways to vulnerabilities in our systems and to uninvited hackers. Think about what someone could do with your SCADA control access, or what would happen if your entire computer or control system crashed. You may think your organization’s IT department is handling all of this behind-the-scenes computer warfare, and they are, but we will explore how you can be proactive in implementing and understanding cybersecurity at your plant.

Information Technology (IT)

Information Technology (IT) departments focus on the flow and security of information. They are concerned with data protection and confidentiality. For them, consistent response time and occasional rebooting of the system are acceptable. Save the data and everything is okay because it can be recovered, plus it is not happening in real time anyway. However, a SCADA or other automation control system is much different. In these systems, everything happens in real time. If the system goes down, equipment doesn’t function, processes fail, and human lives can be at risk. Uptime and response time are critical, so things like rebooting need to be scheduled and kept to a minimum. Typically, an IT department reboots when there are few users on the system. This may be in the middle of the night, when a plant also has little to no staffing to make sure everything comes back up properly. Systems should be maintained, and communication should ensure updates happen smoothly.

Weakest Link

Your system is only as strong as its weakest link. Common areas of security gaps in water supply are remote access, documented policies and procedures, and staff training. Cybersecurity does not have to be complicated and technical. Simple steps will increase the security of your system.

  • Simple is more secure. Having a very flexible and user-friendly system increases the likelihood of security breaches.
  • Plant staff should be properly trained on basic cybersecurity. Operators should know which computer hardware must stay locked, how to create strong passwords, and what to do when confronted with suspicious emails.
  • Each user should have a level of access to the system according to their role. An operator may have limited access while an IT technician may require all access to troubleshoot the system remotely.
  • Also, consider what employees post on social media. Inadvertently, operators could be sharing sensitive information in the background of pictures or other posts.

Resources

For more information on cybersecurity tools and assessments, check out CSET, the Cyber Security Evaluation Tool. This is a downloadable file that guides users through a step-by-step process to assess their control system and IT network security practices against recognized industry standards. The Department of Homeland Security (DHS) National Cyber Security Division’s Control Systems Security Program (CSSP) also offers training and guidance at no cost to utility owners. Taking these simple steps and using free resources is a great way to start a cybersecurity foundation in your organization.
