Water Cybersecurity: Top 6 Vulnerabilities In A Water Infrastructure Industrial Control System (ICS)

By Darian Slywka

Water and wastewater system owners and operators have challenges associated with control systems. Legacy mechanical equipment is being replaced by electronic controllers and telemetry devices.  Utilities want the benefits of data displayed to operators, owners, and even customers — accessible anywhere, at any time. Remote control, support, and operation are vital to efficiently managing water infrastructure. However, vulnerabilities exist that need to be addressed. 

I have been asked repeatedly about the top vulnerabilities within any water system. Listed below are the top six industrial control system vulnerabilities associated with water systems infrastructure.*

1. Corporate culture: Inadequate procedures, polices, and training related to water control system security
2. Poor design, engineering, and contingency planning: Improperly designed or configured control, engineering controls, and poorly executed SCADA networks, as well as no in-depth contingency planning
3. Lack of adequate user role-based access controls: No secure, global management of operators or users of water control SCADA and reporting networks
4. Lack of reporting, alarming, and detection tools: Poor device, system, and user reporting, alarming, detection, and management systems
5. Unsecured and neglected computers and devices: Poor endpoint security encompassing virus, malicious, and unauthorized applications and hardware, poor software choices, and lack of host-computer protection
6. Unencrypted and unreliable connectivity with little redundancy: Lack of encrypted data connections and poor communications security, reliability, and redundancy

* This list is compiled from professional experience in addition to, but not limited to, the following sources: ANSI/ AWWA G430-09, Security Practices for Operations and Management (G430 standard); AWWA Cyber Security Guide; NIST 800-82, the NIST (National Institute of Standards and Technology) Guide to Industrial Control Systems Security (ICS); NIST Framework for Improving Critical Infrastructure Cyber Security; and ISA/ IEC 62443-2-4: A Baseline Security Standard for Industrial Automation Control Systems. 

About the author: Darian Slywka is currently the Western Channel Manager for eWON, a Belgium-based industrial remote connectivity company providing secure solutions to OEMs, integrators, and infrastructure projects. His background and education includes environmental engineering and water infrastructure, cybersecurity, IT, and business development. He is licensed in water treatment, water distribution and holds certifications in technology, networking, and more. Find him at http://darians.info.