Cyberthreats to Water and Wastewater Utilities

Cyberthreats are a growing concern for water and wastewater utility organizations. Antivirus programs are no longer enough and attackers can intentionally or unintentionally threaten public health and the environment.

This month’s featured article in the Journal of the American Water Works Association (Improving Security for SCADA and Administrative Networks with Limited Financial Resources, Journal AWWA, June 2019, page 52 to 56) is a great article on this topic and we think it is worth another look. Click here to read the article.

James Norcross (the author) is the Network Administrator for the City of Corinth, Texas, USA and deserves praise for this thoughtful and topical article.  We think his main points are worth emphasis.

Norcross’s article focuses on updated, cost-effective solutions for segregating and improving a water utility’s SCADA (Supervisory Control and Data Acquisition Systems) and administrative computer networks and then he summarizes a cyber threat prevention process applied to a medium-sized water utility.

Norcross listed the following recommendations:

  1. Changing to the Internet Protocol version 6 (IPv6) which increases the bit length of addresses from 32 to 128 which limits the ability of an intruder to penetrate a secure computer network.
  2. Adding data encryption and hash algorithms to the network transmission protocols and requiring password authentication protects even compromised data by making it virtually unreadable without the decryption key.
  3. Creating internal virtual subnetworks within an organization. Called Virtual Local Area Networking (VLAN), this approach uses switch configurations that create virtual subnetworks in a main network to separate information and operator access.
  4. Firewall upgrades. These upgrades can be simple devises or more costly specially designed firewalls; regardless, they continue to be effective tools to prevent access to hackers to SCADA and administrative networks.

Norcross next demonstrates that it is possible to minimize the cost and time of installing effective SCADA and administrative network security with a case study of a medium-sized water utility.  The process included these steps:

Stage One: Determining what Needed to be Changed

Stage Two: Planning and Design of the Changes

Stage Three: Implementation

The implementation of the security upgrades took approximately six weeks and the results of the work were confirmed from network and data users, multiple test queries of the connectivity using ‘pings’, ‘echoes’ and then making necessary adjustments.

Norcross’s conclusions noted that some nontraditional thinking can create cost-effective improvements to the overall security of a network.  He also cautions that network attacks and defenses continue to evolve and so future upgrades may also need to change.

Lastly, a significant cyberthreat prevention tool continues to be awareness training with staff and anyone else with normal or periodic access to the system.  Many threats continue to be activated by email scams and ploys that prey on unsuspecting or mistaken employees of the organization.  Although not discussed in this AWWA article, we at Walden have seen that consistent reminders and creative internal exercises can be effective at preventing problems in the first place.

Walden Environmental Engineering can help assess vulnerabilities and cyberthreats to your utilities’ SCADA and network systems.  Walden has both the extensive familiarity of water and wastewater systems and the reach to state, regional and national experts in cybersecurity to make sure your residents and ratepayers remain safe and uninterrupted.

Call us today at 516-624-7200 (Long Island), (518) 698-3012 (Capitol District) or (845) 253-8025 (Hudson Valley).  to discuss your concerns.