Security of Critical Infrastructure Gets National Eye
The CBS News program 60 Minutes, recently aired a story revealing how Stuxnet malware was used to attack Iranian nuclear facilities by exploiting Programmable Logic Controllers (PLCs) that control rotating equipment.
The story discusses vulnerabilities of critical infrastructure to malware, such as Stuxnet, and explains that the program can take control of a PLC while simultaneously producing fake data that makes the system appear to be within normal operational ranges. These faux readings make control screens appear normal so that operators don’t recognize a problem until after a failure occurs. The story also discusses the threat of someone repurposing this malware to target other processes and critical infrastructure that rely on PLCs – such as power and water.
For over 10 years, Westin Engineering has helped water and wastewater agencies build defense in depth for operational and business systems. Here are a few best practices to consider in improving security of both control and utility business systems:
- Security is not a project. Rather, security is an ongoing operational imperative that must be supported by staffing, organization, processes, policy, architecture and technology.
- Security breaches can result from systems that have never been properly secured; new systems that haven’t been reviewed with proven vulnerability assessment methods; or existing systems that have been updated, reconfigured, or incrementally changed to a state that introduces risk.
- Build well-rounded security. There is a temptation to focus on securing systems that control collection and treatment. A utility must also protect its customer data (e.g. name, SS#, address), as well as details about utility infrastructure.
- Security is a moving target. Cyber security requires a commitment to regular reviews and assessments to address changing threats.
- Proven Best Practices: Consider applying the “SANS (NSA) 20 critical security controls for effective cyber defense” to expedite practical and economical security improvements.
Westin’s suite of SMART Integrated Business Solutions helps water, wastewater and electric utilities improve performance in operations, maintenance and assets, customer relations and financial management. Westin has served customers throughout the United States and Canada since 1981. www.we-inc.com