Using a Risk-Based Approach for Protecting Against SCADA System Cyber Threats to Municipal Drinking Water Facilities
A Talk by Graham Nasby (Co-Chair, ISA112 SCADA Systems Management Committee)
About this Talk
Abstract:
Cyber threats, both malicious and unintentional, represent a significant and growing threat to our collective critical water/wastewater infrastructure. This is particularly the case with OT (operational technology) systems, such as SCADA, which are responsible for not only controlling and monitoring water systems, but also ensuring regulatory compliance by way of 24/7 data logging, automated control, operator alarms, and protective shutdown interlocks. Cyber threats can take many forms. These include ransomware, denial of service, data theft, unauthorized changes, data falsification, and interruption to core functionality such as process control, data logging, alarms, operator screens, reporting systems, communications, and protective interlocks. Cyber threats can also come from many sources, including not only malicious attackers but also internal staff or vendors who inadvertently cause cyber incidents.
The frequency and breadth of cyber incidents continue to rise. In the last 5 years there have been more than 50 documented cases of cyber incidents involving water/wastewater SCADA systems. This includes several in Ontario. In addition, there have also been a growing number of cyber incidents affecting municipal IT systems and other public infrastructure. In other critical sectors, cyber incidents and ransomware are now considered to be one of the top risks to business operations and regulatory compliance. Cyber threats are not going to go away – instead they continue to increase in both frequency and sophistication. For water/wastewater utilities, it is imperative that cyber risks be proactively identified, and programs be implemented to control and mitigate the associated risks.
In this talk, the presenter will provide an overview of what the most common types of cyber incidents are and various scenarios of how they can impact a water utility, ranging from the relatively benign to those severely impacting operations. The talk will then outline the essential components of an effective cybersecurity program, including several ways in which a cyber program can be implemented. Lastly, the talk will provide an overview of the ISA/IEC-62443 series of industrial control system cybersecurity standards and how they can be leveraged, along with the NIST 800 series and AWWA GW430 standards, to develop a comprehensive strategy to counter the ever-growing risk of cyberattacks.