One only has to do a Google News search on cybersecurity to know it is a key concern for businesses across the globe. In a Water Online article, “SCADA Cybersecurity: What Every Water Utility Should Do Now To Prevent An Attack,” Emerson’s Doug Johnson shares areas of concern and a path for water utilities to follow in their cybersecurity improvement efforts.
Doug notes that security threats are becoming more difficult to detect.
“Fifteen years ago, cybersecurity breaches of SCADA [supervisory control and data acquisition] systems were not that big of an issue because every SCADA manufacturer used different technology. Now there is more similarity across the systems, more people are experts, and wireless technology and the Internet have given hackers the ability to connect with computers halfway around the world.”
Putting together a cybersecurity program takes much work. It starts with creating a comprehensive SCADA cybersecurity plan and understanding what the SCADA system is connected to.
“Evaluate and manage the elements connected to your SCADA system on a regular basis,” said Johnson. “Things get added on all the time, and even just connecting a thumb drive can cause a huge security risk.”
Part of the planning process is to identify gaps and vulnerabilities. Next is to create a defense plan:
…that specifies exactly what to do if a new threat is identified…
- American Water Works Association (AWWA) Cyber Security Guide
- National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cyber Security
- NIST Guide to Industrial Control Systems (ICS) Security
- U.S. Department of Energy 21 Steps To Improve Cyber Security of SCADA Networks
Cybersecurity issues can come from within a water utility:
“We think of security breaches as a bad guy with a truck full of explosives driving through the front gate, but security problems can also come from a disgruntled employee, an untrained employee, or a contractor that has access to the system. It can happen pretty close to home,” said Johnson.
As new employees replace those with years of experience, it is important to train them thoroughly on all SCADA security protocols, so that lack of knowledge doesn’t increase cyber threat risk.
Doug explains the importance of focused efforts and responsibility:
“The ones who do it best recognize that it is an ongoing effort, and it takes people making it a big part of their responsibility,” explained Johnson. “A water utility really needs someone whose job is to be responsible for cybersecurity, someone who understands that SCADA has its own security concerns.”
If there isn’t someone qualified or available at a utility to take responsibility for SCADA cybersecurity, utilities should consider turning to outside experts or consultants. More often, SCADA security is becoming an outsourced job function, explained Johnson.
Emerson’s Power & Water Solutions team can help you in this process with a Cyber Security Assessment. Read the full article and visit the highlighted resources to advance your cybersecurity defenses and processes.
You can also connect and interact with other utilities professionals in the Water & Wastewater track of the Emerson Exchange 365 community.