SCADA Cybersecurity Best Practices for Utilities

The alarming news of a cyberattack on a Florida city’s water system has utility workers across the nation wondering if their systems are secure. On the afternoon of February 5th, a water plant operator in Oldsmar, Florida, noticed the cursor moving on his computer screen on its own. The water utility had been hacked. The operator then witnessed the hacker increase the sodium hydroxide levels to 100 times the correct amount.

When the hacker stopped operating his computer, the operator changed the sodium hydroxide back to the correct levels. The drinking water for the community of about 15,000 people was not compromised. However, the situation shines a light on the immediate need for heightened cybersecurity efforts in the utility sector.  

AE2S Electrical / Instrumentation and Controls (I&C) Division Manager Damon Chmela says utilities can keep their supervisory control and data acquisition (SCADA) systems safe by being diligent in establishing and following standard operating procedures (SOPs) related to keeping their SCADA systems resilient to outside cyberattacks and related threats. SOPs establish procedures for all staff on how best to select and maintain secure, robust passwords and login credentials for SCADA system access.

“Developing and maintaining secure login procedures for all staff should be considered step one in resiliency due diligence. In addition, all SCADA systems – local or cloud-based – should utilize secure firewalls, encryption, and virtual private network (VPN) technology at a minimum, for establishing a baseline defense against outside cyberattacks and threats. For SCADA systems that require extreme security measures, further enhancements such as two-factor authentication can be incorporated along with other high-end security technology and protocols,” says Chmela.

“Some SCADA systems that may not require remote access from operators or contracted outside system technicians on a regular basis are still utilizing a visible ‘air gap’ between the SCADA network and the internet. This method requires an operator to physically connect the internet source when required for service updates,” says Jason Schuler, AE2S Security Specialist. “While an air gap will undeniably provide a level of intrusion security, most if not all of the same security baselines and procedures should still be in place for those times when they are connected to the internet. Industry trends are pushing SCADA systems to a new level. Most of these trends are introducing more and more system components that are cloud-based and are creating dependencies on internet connectivity. This is not necessarily a bad thing, but it requires more attention to security than ever before,” he explains.

However, Chmela and Schuler say intrusion is not the only threat that SOPs for a SCADA system should manage and monitor. Some threats could come, knowingly or unknowingly, from current or former staff for a variety of reasons. For example, a staff member could unknowingly insert a thumb drive into a USB port on a SCADA server to download report data for their job duties. If the thumb drive carried malware or ransomware, it could disrupt or lock out operation and even demand a ransom payment to unlock the SCADA system software. Another example is a disgruntled former employee who wants to do damage and still has access to the SCADA system because the employer never removed it when the employee left.

Chmela advises AE2S clients to have carefully thought-out, preset limits on process variable setpoint adjustment ranges locked into SCADA and control system programming. This prevents unauthorized individuals or less-experienced staff from knowingly or unknowingly making harmful chemical feed adjustments that are out of range. Such out-of-range adjustments could lead to harmful amounts of a chemical in a water supply, like what nearly happened in Florida. In addition, alarm generation and shutdown control interlocks should be considered and incorporated into the SCADA and control system programming to prevent chemical injection amounts from ever reaching harmful levels in the water supply system.
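The preset setpoint range, alarm and shutdown interlock described above, sketched in Python as an added example; it is not AE2S's or any vendor's code, and in a plant this logic would sit in the controller program itself. The class name, user names and ppm limits are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class ChemFeedGuard:
    """Range limit, alarm and latched shutdown interlock for one feed loop."""
    sp_min: float      # lowest setpoint the system will accept
    sp_max: float      # highest setpoint the system will accept
    trip_high: float   # measured value that shuts the feed pump down
    setpoint: float    # last accepted setpoint
    pump_enabled: bool = True
    tripped: bool = False
    alarms: list = field(default_factory=list)

    def request_setpoint(self, value: float, user: str) -> bool:
        # Written as "not (min <= v <= max)" so NaN is rejected as well.
        if not (self.sp_min <= value <= self.sp_max):
            self.alarms.append(f"SETPOINT_REJECTED user={user} value={value}")
            return False   # old setpoint stays in force
        self.setpoint = value
        return True

    def scan(self, measured: float) -> None:
        # Called every control scan; checks the process, not the setpoint.
        if measured >= self.trip_high and not self.tripped:
            self.tripped = True
            self.alarms.append(f"HIGH_HIGH_TRIP measured={measured}")
        self.pump_enabled = not self.tripped

    def reset(self, measured: float) -> bool:
        # Manual reset only once the measurement is back below the trip point.
        if self.tripped and measured < self.trip_high:
            self.tripped = False
            self.pump_enabled = True
            return True
        return False

def demo():
    # Constructed limits in ppm; not values from the article or a real plant.
    g = ChemFeedGuard(sp_min=50.0, sp_max=150.0, trip_high=200.0, setpoint=100.0)
    ok_normal = g.request_setpoint(110.0, "operator1")
    ok_100x = g.request_setpoint(100.0 * 100, "remote_session")
    g.scan(measured=205.0)
    return g, ok_normal, ok_100x

if __name__ == "__main__":
    guard, *_ = demo()
    print(guard.setpoint, guard.pump_enabled, guard.alarms)
```

The interlock in `scan` acts on the measured value, so it still trips if a harmful dose reaches the process by a path that bypasses the setpoint check.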

For a list of AE2S’ top cybersecurity tips, check out this Cybersecurity flyer, or contact Jason Schuler with questions.