Date
Tuesday, September 10, 2024
Time
9:45 AM - 10:15 AM
Location Name
M105/106
Name
Covering Your Utility Assets: Cybersecurity in an Insecure World
Track
Safety & Security
Description

Recent Tennessee legislation called for water and wastewater utilities to address cybersecurity issues to protect facilities from hackers seeking to access and disrupt operations, potentially with negative environmental and public health impacts. Cyber-attacks on water and wastewater systems have been well documented in recent years, raising concerns about the current state of security of in-plant control and remote monitoring systems. This presentation will describe a project for the City of White House Public Services Department that addressed the regulatory requirement to assess current cybersecurity features and the development of a prioritized plan to implement cybersecurity technology improvements within a larger wastewater facility upgrade.

The assessment phase of the project utilized an analysis tool developed by the United States Department of Homeland Security. The assessments involved site visits to the treatment plant and offsite pumping facilities to observe both physical and remote monitoring/control system security features. An intrusion detection tool was connected to the facility’s online control system to monitor activity by outside entities attempting to access the system over a 1-month period; numerous attempts by external entities to access the SCADA system were observed, highlighting the need for enhanced protections against outside actors. Workshops were conducted with utility operators and managers and the community’s IT consultant to discuss daily facility operations; needs and approaches to remote monitoring during hours of unattended operation; connectivity of business IT (inter-department communications, access to financial resources, human resources information) and utility control systems; and the extent to which features incorporated into the SCADA system improvements project supported enhanced cybersecurity.
The recommendations of the assessment included a distinct separation of the business IT system and the facility SCADA system (meaning separate non-connected workstations for each); improved controls on log-ins and access to all systems; enhanced firewalls; permanent intrusion detection monitoring; upgraded physical security at remote sites; and discontinuation of the remote access to respond to facility alarms by cell phone. These improvements require changes to the way operations staff interact with the facility SCADA system and the business IT systems while on duty at the plant and during hours when the facility is unattended; required additional features to be incorporated as the SCADA system improvements were being commissioned; and added a second set of workstations to provide the recommended protection of the facility SCADA system from attacks via the community’s IT system for non-SCADA functions.