Is Technology Security Keeping You Away From Data You Need?

For the past 20 years, utility managers have worked hard to gain access to valuable data captive in process control systems (PCS) including SCADA. Unfortunately, security precautions implemented in the wake of the 9-11 terrorist attacks have now curtailed access to that data for many utility decision makers. A recent WERF/AwwaRF research project, led by EMA, was designed to determine current vulnerabilities and consequences and to quantify vulnerabilities for water and wastewater utilities. What the research project found may come as a surprise to many utility managers.In the past, automated systems were resilient largely due to complex communication protocols, proprietary real-time operating systems, and limited connectivity. Because of these safeguards and protocols, it was unlikely that an intruder could create commands on the fly to start, stop, open, close, or otherwise disrupt operating equipment. Today's technology has changed that, leaving SCADA and PCS systems vulnerable to intrusions. At the same time, the information contained in these systems is necessary to facilitate effective day-to-day operations of the utility and management decision-making. The data is required throughout the organization to make better decisions while managing the operation.In the wake of 9–11, many utilities have limited access to this data by isolating their automation systems from other networks in an attempt to be more secure, negating the operational benefits of access to SCADA and process control system data. As part of this project, 11 U.S. utilities (small to large) participated in the research, testing, and validation of guidance, recommendations and a self assessment tool. Self-analysis by participating utilities revealed a number of shortcomings in existing security policies, procedures, and practices. Field studies confirmed these results and even further vulnerabilities – i.e., you don't know what you don't know. Most importantly, it was shown that just because the SCADA and PCS systems are isolated from the rest of the utility's computer networks – thus preventing data access – doesn't mean these systems are secure against different sets of threats and scenarios. The research project has produced valuable findings for all utilities, results that give managers the information needed and tools to protect their core business operation of facilities and infrastructure. Just as important, however, is the discovery that adequate protection of automation technology does not require utility managers to forego use of valuable data produced by these systems. This presentation will explain how to keep systems secure and retain access to key data.