Protect Your Plant: Cybersecurity 101

External threats to SCADA and corporate computer systems include viruses, malware and ransomware.

We are becoming too familiar with the external threats our SCADA and corporate computer systems suffer on a day-to-day basis: viruses, malware and ransomware. Proposed legislation could offer some long-term solutions, but how will it protect current corporate and SCADA systems, and can facilities afford to wait? 

Introduced in July, the Cybersecurity Act of 2013 would “amend the National Institute of Standards and Technology Act to permit the Secretary of Commerce, acting through the Director of the National Institute of Standards and Technology (NIST), to facilitate and support the development of a voluntary, industry-led set of standards and procedures to reduce cyber risks to critical infrastructure.” 

The general intent of this legislation appears to advocate voluntary participation in programs with emphasis on public/private partnerships that encourage education and provide incentives to develop standards and effective measures to guard against attacks. I applaud this long-term effort but encourage utilities to act now against present threats and not wait for legislation as the proverbial silver bullet. 

Three-legged stool

Information security is based on three tenets: confidentiality, integrity and availability. In their book “Fundamentals of Information Systems Security,” David Kim and Michael G. Solomon define confidentiality as guarding information from everyone except those with rights to it. Integrity means data validity and accuracy. Availability means authorized users can access data whenever they request it. 

The challenge is to balance these tenets like a “three-legged stool.” For example, if data is too freely available, confidentiality and data integrity may be compromised. On the other hand, if confidentiality is too tight, it will hinder availability and make operators less effective and productive. 

SCADA systems originated as closed systems, so external threats were a rarity. Today, we have the convenience of affordable high-speed Internet, thumb drives, smartphones, remote connectivity, and wireless access to all points of our networks. The three-legged stool becomes more unbalanced with each wave of new technology. 

Dealing with constant threats

We should not ignore the risk that comes with the latest wireless PLC, with the integrator who brings a thumb drive carrying an updated PLC program, or with the employee who wants to connect remotely from home into the SCADA system to save time during an emergency in the middle of the night. Each is a convenience, and each is also a path into the system.

Wastewater agencies can implement some basic and cost-effective measures to ensure their SCADA and corporate computer systems are more secure or at least recoverable. Start with simple awareness of the issues and extend to technology policies, procedures and risk analysis. 

First-hand encounter

A recent event that took place at our agency demonstrates the various precautions necessary to avoid or mitigate the threat when — not if — it happens to you. 

CryptoLocker is a new variant of ransomware that encrypts the files on infected computers and demands that the victim pay the attackers in order to decrypt and recover them. One of our corporate network users contracted this bug via a nondescript email. Our antivirus program recognized it as malicious and quarantined it, but could not positively identify it. The user received 219 electronic antivirus notices that something was wrong but assumed the notices meant the problem was isolated and therefore was not an issue.

That evening, the user proceeded to log off his system but left it running. Throughout the night, 32,000 files on his local drive and mapped network drives became encrypted. The following morning, the red CryptoLocker screen popped up telling him he had to send $300 or his encrypted files would be useless to him. 

The IT department proceeded to physically isolate the system and research the extent of the damage. Deleting the bug was easy, but undoing the damage was a far greater task. Not knowing how far the ransomware had spread internally was a greater concern; did it reach the SCADA systems at the nine treatment plants? 

Success or failure?

This ransomware was new to our staff even though we thought we were well versed on the latest threats. We needed to determine how a virus could be quarantined but still do so much damage, and how we could have prevented such a problem in the first place. After further research and failed attempts at repair, restoring a backup of the infected files was the only solution. 
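Scoping the damage (how far the encryption reached across the local drive and the mapped network drives, and exactly which files must come back from backup) is a job worth scripting, because on a share of 32,000 files nobody can do it by eye. What follows is an added example, not code from the article or from ReWa. It assumes a known-good manifest of file hashes (relative path and SHA-256) was captured at the last backup and kept off the share; the sample share, its manifest and the simulated infection are all constructed in a temporary directory, and the entropy threshold is an assumed value.

```python
"""Scope ransomware damage on a file share and build a restore list.

Added example, not code from the article or from ReWa. It assumes a
known-good manifest (relative path -> SHA-256) was captured at the last
backup and stored off the share; the sample share, its manifest and the
simulated infection below are all constructed in a temporary directory.
"""
from __future__ import annotations
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Encrypted (and compressed) data sits near 8 bits/byte; text and office files
# sit well below. Only files whose hash changed since the backup are
# entropy-checked, so untouched archives and images stay off the list.
ENTROPY_THRESHOLD = 7.5  # assumed cut-off


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Known-good snapshot to take at backup time: relative path -> SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def scope_damage(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Classify every file against the manifest: encrypted (changed and now
    high-entropy), modified (changed, still normal data), missing, new, intact."""
    report = {k: [] for k in ("encrypted", "modified", "missing", "new", "intact")}
    seen = set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in manifest:
            report["new"].append(rel)          # ransom notes land here
        elif sha256_file(p) == manifest[rel]:
            report["intact"].append(rel)
        else:
            with p.open("rb") as f:
                sample = f.read(65536)
            bucket = "encrypted" if shannon_entropy(sample) >= ENTROPY_THRESHOLD else "modified"
            report[bucket].append(rel)
    report["missing"] = sorted(set(manifest) - seen)
    return report


def restore_list(report: dict[str, list[str]]) -> list[str]:
    """Files that must come back from backup: encrypted in place or deleted."""
    return sorted(report["encrypted"] + report["missing"])


def build_sample_share(root: Path) -> dict[str, str]:
    """Constructed sample share (not real plant data) and its manifest."""
    (root / "ops").mkdir()
    (root / "eng").mkdir()
    (root / "ops" / "flow_log.csv").write_text("time,mgd\n06:00,12.4\n07:00,13.1\n" * 50)
    (root / "ops" / "sop_backwash.txt").write_text("Step 1: close valve V-101.\nStep 2: start pump P-7.\n" * 30)
    (root / "eng" / "plc_program_notes.txt").write_text("Rung 12 updated for the new flow meter.\n" * 40)
    (root / "eng" / "shift_notes.txt").write_text("Night shift: no alarms.\n" * 20)
    return build_manifest(root)


def simulate_incident(root: Path) -> None:
    """Constructed stand-in for the outbreak: two files encrypted in place
    (random bytes stand in for ciphertext), one deleted, a ransom note
    dropped, and one file legitimately edited by a user since the backup."""
    for rel in ("ops/flow_log.csv", "ops/sop_backwash.txt"):
        (root / rel).write_bytes(os.urandom(4096))
    (root / "eng" / "plc_program_notes.txt").unlink()
    (root / "ops" / "HOW_TO_DECRYPT.txt").write_text("Pay to recover your files.\n")
    with (root / "eng" / "shift_notes.txt").open("a") as f:
        f.write("Day shift: sampler 3 recalibrated.\n")


def run_demo() -> dict[str, list[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        manifest = build_sample_share(root)
        simulate_incident(root)
        return scope_damage(root, manifest)


if __name__ == "__main__":
    rep = run_demo()
    print(rep)
    print("restore from backup:", restore_list(rep))
```

Run it from the isolated IT workstation against a read-only mount of each share, never from the infected machine. Two caveats: a file that was already compressed or encrypted (ZIP, JPEG, a PDF full of images) and was legitimately changed since the backup will land in the encrypted bucket, so review that list before restoring; and the manifest must live somewhere the malware could not reach, otherwise it is encrypted along with everything it was meant to check.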

Here are the lessons that protected our corporate data and our SCADA systems:

  • Backup, backup, backup

Have a well-defined backup plan that is monitored by a designated individual and periodically exercised to see if it actually works.

  • Review the rights/privileges of your users

Be sure that only the people who should have access to certain data or systems do, and all others are excluded.

  • Maintain your SCADA system as a ‘closed’ system

Put the SCADA portion of the wide area network on its own IP subnets and place a firewall between them and the corporate network that enforces a second layer of access control: only named hosts, protocols and ports may cross in either direction, and everything else is dropped. This provides added isolation to the SCADA system even when the corporate side is compromised.

  • Risk assessment starting with your SCADA system

Our first SCADA Cybersecurity audit for all nine plants will be complete this year. The OCTAVE method (Operationally Critical Threat, Asset and Vulnerability Evaluation) is relatively easy to use, free and effective. These audits help IT staff members look for obvious issues and resolve them immediately. Plant staff members gain a better understanding of the potential ‘holes’ in the system and are more aware of the risks and how to reduce or avoid them.

  • Maintain awareness and ongoing education

IT staff members need to stay informed, and monthly email blasts from the IT department will keep all employees informed of the latest risks and threats. Unfortunately, US-CERT, through the monitoring and reporting service of its National Cyber Awareness System, gave us notice of this threat three months after we were infected. However, this free service is worth the registration as one of many avenues for the latest threat information. Educating your users on how to respond to a ‘friendly’ virus warning can limit the long-range impact, especially with new variants of bugs. An immediate phone call to IT at the first sign of trouble (the first antivirus warning) would have substantially minimized the impact.

  • Implement a BYOD (Bring Your Own Device) policy or procedure

Six months ago, we implemented a new procedure that made our users, especially our plant personnel who utilize the SCADA systems, very aware of the risks associated with convenience. Our new procedure met with some resistance until the CryptoLocker outbreak provided an example of the devastation created by a single outbreak. 
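For the ‘closed system’ lesson above, here is what the subnet-plus-firewall isolation looks like when written down as a policy that can be tested before a single rule is loaded into the firewall. It is an added example, not the article’s or ReWa’s configuration: every subnet, host address, port and role (a corporate historian reading from an OPC UA server, a jump host for remote support) is an assumed value for illustration, and the iptables rendering assumes a Linux gateway between the two subnets.

```python
"""Default-deny segmentation between a corporate LAN and a SCADA subnet.

Added example, not the article's or ReWa's configuration. Every address,
host role and port below is an assumption chosen for illustration. The
policy expresses the article's 'closed system' goal: the SCADA subnet
accepts only named corporate-to-SCADA flows, and SCADA hosts never
initiate connections toward the corporate network or the Internet.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
CORP = ip_network("10.10.0.0/16")           # assumed corporate LAN
SCADA = ip_network("192.168.50.0/24")       # assumed SCADA subnet (one plant)
HISTORIAN = ip_network("10.10.5.20/32")     # assumed corporate historian/reporting server
JUMP_HOST = ip_network("10.10.5.30/32")     # assumed hardened jump host for remote support
SCADA_OPC = ip_network("192.168.50.10/32")  # assumed OPC UA server inside SCADA


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    action: str                           # "allow" or "deny"
    proto: str = "any"
    dports: frozenset[int] = frozenset()  # empty = any port

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.src) in self.src
                and ip_address(flow.dst) in self.dst
                and self.proto in ("any", flow.proto)
                and (not self.dports or flow.dport in self.dports))


# Ordered: first match wins. Anything that matches nothing is denied.
# The two explicit deny rules exist so the gateway can count and log them.
POLICY = [
    Rule("scada-internal", SCADA, SCADA, "allow"),
    Rule("historian-opcua-read", HISTORIAN, SCADA_OPC, "allow", "tcp", frozenset({4840})),
    Rule("jumphost-rdp", JUMP_HOST, SCADA, "allow", "tcp", frozenset({3389})),
    Rule("scada-no-egress", SCADA, ANY, "deny"),          # no SCADA-initiated traffic out
    Rule("block-inbound-to-scada", ANY, SCADA, "deny"),   # everything else into SCADA
]


def evaluate(flow: Flow, rules: list[Rule] = POLICY) -> tuple[str, str]:
    """Return (action, rule name) for a flow crossing the gateway."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return "deny", "default-deny"


def to_iptables(rules: list[Rule] = POLICY) -> list[str]:
    """Render the policy as iptables FORWARD rules for a Linux gateway
    between the two subnets (assumed deployment; default policy DROP)."""
    lines = ["iptables -P FORWARD DROP"]
    for r in rules:
        cmd = ["iptables", "-A", "FORWARD", "-s", str(r.src), "-d", str(r.dst)]
        if r.proto != "any":
            cmd += ["-p", r.proto]
            if r.dports:
                cmd += ["-m", "multiport", "--dports", ",".join(map(str, sorted(r.dports)))]
        cmd += ["-m", "comment", "--comment", r.name, "-j", "ACCEPT" if r.action == "allow" else "DROP"]
        lines.append(" ".join(cmd))
    return lines


# Constructed test traffic: the flows to replay against the policy before
# and after every rule change. SMB (445) from a workstation is the path a
# mapped network drive takes.
SAMPLE_FLOWS = [
    Flow("10.10.5.20", "192.168.50.10", 4840),         # historian reading OPC UA
    Flow("10.10.5.30", "192.168.50.12", 3389),         # support via jump host
    Flow("192.168.50.12", "192.168.50.10", 502),       # HMI to PLC, inside SCADA
    Flow("10.10.7.55", "192.168.50.10", 445),          # workstation SMB into SCADA
    Flow("10.10.5.20", "192.168.50.10", 445),          # historian on the wrong port
    Flow("10.10.5.20", "192.168.50.10", 4840, "udp"),  # right port, wrong protocol
    Flow("192.168.50.10", "10.10.5.20", 445),          # SCADA host reaching back
    Flow("192.168.50.10", "8.8.8.8", 443),             # SCADA host to the Internet
    Flow("203.0.113.9", "192.168.50.10", 4840),        # outsider to OPC UA
]


def audit(flows: list[Flow] = SAMPLE_FLOWS) -> list[tuple[Flow, str, str]]:
    return [(f, *evaluate(f)) for f in flows]


if __name__ == "__main__":
    for f, action, rule in audit():
        print(f"{action:5} {rule:24} {f.src:>14} -> {f.dst}:{f.dport}/{f.proto}")
    print("\n".join(to_iptables()))
```

The sample flows double as a regression test: replay them after every rule change and reject the change if any expected verdict flips. Note the fourth flow, a corporate workstation opening SMB on port 445 into the SCADA subnet. A mapped drive is an SMB connection, which is how file-encrypting malware on one workstation reaches every network drive that user can write to; this policy denies that path into SCADA regardless of who the user is. Translate the rendered rules into your own firewall vendor’s syntax if the gateway is not Linux.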

Being better prepared

I applaud any legislation that attempts to secure our SCADA and corporate networks. Unfortunately, most federal programs, especially dealing with technology, seem to have long lead times and don’t address specific issues that utilities deal with on a daily basis. 

Although legislation is in the works to improve the cybersecurity of critical infrastructure (including water and wastewater), don’t wait for a legislative solution when you can protect your systems with some reasonable effort. 

Remember, when addressing cybersecurity issues related to SCADA, the three tenets of information security must be balanced: confidentiality, integrity and availability. By addressing these you will become better prepared to respond to all types of disasters, making your agency more resilient, sustainable and efficient.  

About the Author

Blake Visin is the information systems director at Renewable Water Resources (ReWa), a special-purpose district that provides wastewater treatment to five counties in South Carolina.
