[ISN] Water and wastewater SCADA cybersecurity

http://www.isa.org/InTechTemplate.cfm?Section=General_Information2&template=/ContentManagement/ContentDisplay.cfm&ContentID=94400 By Norman Anderson, P.E., and Bill Phillips, P.E. InTech September/October 2013 This article is based on presentations made at the 2013 ISA Water/Wastewater and Automatic Controls Symposium on 7 August 2013 (www.isawwsymposium.com). Network security for water sector process control systems (PCS), such as supervisory control and data acquisition (SCADA) systems, is increasingly important and ever evolving due to the need for secure and reliable control systems. Additionally, PCSs continue to grow, and the management of network-connected devices and the expansion of PCS networks can be difficult and cumbersome. To properly secure PCS networks, a multistage process is needed incorporating risk assessment, planning, design, implementation, and maintenance for a comprehensive defense-in-depth strategy. A critical aspect of defense-in-depth is the overall network system architecture and the network segmentation plan. A properly planned and executed network architecture and segmentation strategy lays the foundation for security and simplifies expansion and maintenance of the network. There are industry-accepted methods for industrial control system (ICS) network architecture and segmentation strategies that can be applied to water sector PCSs and SCADA systems. Industry-standard techniques, based on recently published standards and network design guides, are used to create a layered network architecture approach to security, including the use of logical subnets and virtual local-area networks (VLANs) for segmentation. The advantage of this approach is simpler configuration of network security appliances and simpler management and expansion of the network, leading to increased network availability and a reduction in threat risk. A case study will be used to provide examples of actual methods implemented for a water sector utility. Overview As cyberattacks and the threat of compromised network security continue to rise, so does the need for securing ICSs. ICSs include many different types of systems, with water sector PCSs being one of the higher profile targets because their critical infrastructure affects large populations. Past statistics from the Cyber Emergency Response Team show recorded cataloged vulnerabilities and reported incidents continuing to rise through the years. A set of “honeypot”1 ICS set up by Trend Micro to look like vulnerable power and water plants was attacked by hackers 25 times within 28 days. Security is important for the water sector because attacks can damage critical infrastructure that affects public safety; lead to significant operational downtime; cause financial loss, such as the loss of revenue for the utility and its customers; and attract significant media attention causing loss of confidence and fear from the public. There are many resources available that provide guidance on where to start and how to secure networks. In general, there are four key steps in the process of planning and designing to secure networks for defense-in-depth, as shown in figure 1: […]