Asset Control: SCADA Security
Security threats to water companies' SCADA systems are an ongoing concern for facility managers worldwide.
Here's how major utility United Water, which has over 300 remote sites company-wide, secured its automation networks and reduced IT challenges.
As an essential part of critical infrastructure, providing and protecting water supplies has become a crucial mandate for governments and municipalities worldwide. It was in 2006 that the importance of water security was highlighted.
A hacker seized control of a water treatment facility's SCADA (Supervisory Control and Data Acquisition) system in Australia. The breach resulted in millions of gallons of raw sewage being dumped onto a resort hotel's grounds over a period of three months.
Since this incident, water providers have realised how important it is for industrial control networks to be protected by Virtual Private Network (VPN) connectivity. In light of these concerns, one utility recently set out to secure its extensive network infrastructure.
Suez Environnement subsidiary United Water, which manages water and wastewater systems serving around seven million people across the U.S., has used a variety of methods to connect to its remote sites over the last 30 years, including modems, leased lines and licensed radio. Supporting over 300 remote field sites company-wide, this network has to be kept up to date.
While the firm planned to increase the security of its SCADA system in 2009, there were other considerations.
Keith Kolkebeck, systems engineering project manager for United Water, said: "We needed an industrial solution, particularly for our remote sites. We needed a solution that was easy to configure, powered by 24 VDC, met our IT security standards, and could hold up to years of operation in a harsh environment. In the past, we had mixed results using office network-grade products that were expensive, required special skills to configure, and failed frequently."
A year later, United Water was introduced to the mGuard® industrial network security devices from Phoenix Contact, created and developed by its subsidiary Innominate Security Technologies.
The system consists of small, industrial-rated modules that combine a router, firewall, encrypted VPN tunnels, filtering of inbound and outbound connections, authentication and other functions to provide layers of distributed "defense-in-depth".
After reviewing the technology, United Water installed 12 devices as part of a trial.
"The ability for the mGuard to do AES-256 encryption along with its industrial design was key," added Kolkebeck. "By default, the mGuard is configured in its most secure configuration. Previously, it would require a day's time of an experienced IT technician, whereas now we can roll out a new VPN device in 10 minutes."
In "Stealth Mode", the manufacturer says, these products operate invisibly and transparently on the network, monitoring and filtering traffic to the protected systems with a stateful packet firewall whose rules are configured via templates pushed from a centrally located server.
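To make the stateful, template-driven filtering concrete, here is a small Python model of a transparent packet filter sitting in front of a PLC. It is an added example, not mGuard code or a Phoenix Contact configuration; the addresses, the polling host and the use of Modbus/TCP on port 502 as the polling protocol are assumptions. It shows the two properties described above: rules come from a single template with a default deny, and replies from the PLC are allowed because the filter remembers which flows the SCADA master opened, not because a rule permits them.

```python
"""Toy model of a transparent ("stealth mode") stateful packet filter in
front of a PLC.  Added example, not mGuard code.  Addresses, ports and the
Modbus/TCP polling protocol are assumptions, not facts from the article."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed addresses and port (assumptions, not from the article).
SCADA_MASTER = "10.0.0.10"      # polling host on the control network
PLC = "192.168.1.20"            # protected controller behind the filter
POLL_PORT = 502                 # Modbus/TCP assumed as the polling protocol


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False           # True only for a connection-opening segment


@dataclass(frozen=True)
class Rule:
    src: str                    # exact address or "any"
    dst: str                    # exact address or "any"
    dport: Optional[int]        # None matches any destination port
    action: str                 # "allow" or "drop"


# Central template: one explicit allow for master -> PLC polling, deny the rest.
TEMPLATE: List[Rule] = [
    Rule(SCADA_MASTER, PLC, POLL_PORT, "allow"),
    Rule("any", "any", None, "drop"),
]

Flow = Tuple[str, int, str, int]    # (src, sport, dst, dport)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Return True if the packet falls under the rule."""
    return ((rule.src == "any" or rule.src == pkt.src)
            and (rule.dst == "any" or rule.dst == pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


class StatefulFilter:
    """Bridge-style filter: no address of its own, one verdict per packet."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.table: Set[Flow] = set()   # flows opened through an allow rule
        self.log: List[str] = []        # drop events a SOC would collect

    def process(self, pkt: Packet) -> str:
        flow: Flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse: Flow = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Segments of an established flow, in either direction, pass without
        # a rule lookup; this is what makes the filter stateful.
        if flow in self.table or reverse in self.table:
            return "allow"
        # A non-SYN segment with no state is spoofed or out of order: drop it.
        if not pkt.syn:
            self.log.append(f"DROP stateless {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            return "drop"
        # New connection attempt: the first matching template rule decides.
        for rule in self.rules:
            if matches(rule, pkt):
                if rule.action == "allow":
                    self.table.add(flow)
                else:
                    self.log.append(f"DROP new {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
                return rule.action
        # Reached only if the template lacks a trailing default rule.
        self.log.append(f"DROP unmatched {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return "drop"


def run_sample() -> Tuple[List[str], List[str]]:
    """Run a constructed packet sequence through the filter and return
    (verdicts, drop log)."""
    fw = StatefulFilter(TEMPLATE)
    packets = [
        Packet(SCADA_MASTER, PLC, 40000, POLL_PORT, syn=True),   # master opens a poll
        Packet(PLC, SCADA_MASTER, POLL_PORT, 40000),             # PLC reply, no rule needed
        Packet("10.0.0.99", PLC, 51000, POLL_PORT, syn=True),    # unknown host polls the PLC
        Packet(PLC, "10.0.0.99", 49152, 80, syn=True),           # PLC tries to call out
        Packet(SCADA_MASTER, PLC, 40001, 80),                    # no SYN and no state
    ]
    verdicts = [fw.process(p) for p in packets]
    return verdicts, fw.log


if __name__ == "__main__":
    verdicts, log = run_sample()
    print(verdicts)
    print("\n".join(log))
```

Only the first allow rule ever needs editing per site; everything else in the template, including the default deny and the fact that controller-initiated outbound connections are refused, stays identical across remote locations, which is what makes central template distribution practical.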
"We were implementing multiple measures into our SCADA network in order to actively monitor our system. We utilise network segmentation, VLANs, and centralised firewalls and were looking to introduce intrusion detection (IDS) and intrusion prevention (IPS) systems into our network."
United Water needed to protect Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs), as well as remote card-access and video systems.
As industrial systems migrate toward Internet Protocol (IP) networks, more timely information and control become available. All new PLCs have IP capability.
Power monitoring is another example: all new Variable Frequency Drives for motors, switchgear, pumps and generators have power-monitoring capabilities that need to be tied into the SCADA systems. Following field trials, the mGuard appliances were used to provide protection against these exposures through their firewall, VPN, routing and trap functions.
"We have used the products [mGuard] both for our SCADA networks and our security networks at remote unmanned locations. We have interfaced the mGuard devices with our existing Cisco infrastructure. We are saving money on remote support from our staff and outside contractors. Site visits are no longer required for minor code changes and troubleshooting," Kolkebeck concluded.