Multiple organizations over the years have collected and analyzed data on cyber attacks and they all agree on one conclusion: cyber attacks are real and can cause significant damages. This paper presents some recent statistics on cyber attacks and resulting damages. Water and wastewater utilities must adopt countermeasures to prevent or minimize the damage in case of such attacks.
Many unique challenges are faced by the water and wastewater industry while selecting and implementing security countermeasures; the key challenges are: 1) the increasing interconnection of their business and control system networks, 2) large variation of proprietary industrial control equipment utilized, 3) multitude of cross-sector cyber-security standards, and 4) the differences in the equipment vendor’s approaches to meet these security standards. The utilities can meet these challenges by voluntarily selecting and adopting security standards, conducting a gap analysis, performing vulnerability/risk analysis, and undertaking countermeasures that best meets their security and organizational requirements.
Utilities should optimally utilize their limited resources to prepare and implement necessary programs that are designed to increase cyber-security over the years. Implementing cyber security does not necessarily have to be expensive, substantial improvements can be accomplished through policy, procedure, training and awareness. Utilities can also get creative and allocate more funding through annual budgets and reduce dependence upon capital improvement programs to achieve improvements in cyber-security.
. Protecting water and wastewater infrastructure from cyber attacks[J]. Frontiers of Earth Science, 2011, 5(4): 406-413.
Srinivas Panguluri, William Phillips, John Cusimano. Protecting water and wastewater infrastructure from cyber attacks. Front Earth Sci, 2011, 5(4): 406-413.
Abrams M, Weiss J (2008). Malicious control system cyber security attack case study—Maroochy water services. The MITRE Corporation , July23, 2008. Available at: http://www.mitre.org/work/tech_papers/tech_papers_08/08_1145/08_1145.pdf
2
ISO/IEC 27002 (2005). Information Technology — Security Techniques —Code of Practice for Information Security Management (Redesignated from ISO/IEC 17799:2005 in 2007). Weissman O (Germany) Plate A (UK), eds. International Organization for Standardization, Geneva, Switzerland , 2007
3
Panguluri S, Phillips W R Jr, Ellis P (2011). Handbook of Water and Wastewater Systems Protection, Chapter 16—Cyber Security: Protecting Water and Wastewater Infrastructure. Clark R M, et al. eds. Springer Science_Business Media, LLC 2011
Phillips W R Jr (2009a). Typical water/wastewater utility’s business and SCADA infrastructure and network connectivity. Copyright 2009 by CH2M Hill. Reprinted with Permission
6
Phillips W R Jr (2009b). SCADA network attack scenario. Copyright 2009 by CH2M Hill. Reprinted with Permission
7
Phillips W R Jr (2009c). Example DMZ application to improve security. Copyright 2009 by CH2M Hill. Reprinted with Permission
8
President’s Commission on Critical Infrastructure Protection (PCCIP) (1997). Critical Foundations: Protecting America’s Infrastructures. The Report of the President’s Commission on Critical Infrastructure Protection , October1997
9
Repository for Industrial Security Incidents (RISI) (2010). Annual Report on Cyber Security Incidents Affecting Industrial Control Systems—Annual Report 2010. Available from RISI at: http://www.securityincidents.org
