Keeping water/wastewater systems safe from cyber attacks.
Safety is always our first priority at PeopleService – the safety of our staff, the people in the communities we serve and the safety of the water and wastewater plants we maintain, operate and manage. While it’s easy to recognize that necessary chemical handling protocols are in place, people often don’t consider implications from cyber attacks that could impede the plant’s ability to run safely. Add this knowledge and skill to what our operators must know to perform their day-to-day jobs and you’ll know why communities around the Midwest rely on the power of PeopleService. We interviewed Iowa Region Manager Steve Robinette, and expert on the cybersecurity of the plants.
“PeopleService deploys the Supervisory Control and Data Acquisition (SCADA) system that monitors and controls the cybersecurity of our plants. SCADA systems are critical in helping maintain efficiency by collecting and processing real-time data. It’s a constant activity to keep the SCADA systems we operate secure but, given the events the past year, we have had to double up our efforts to ensure our systems are safe. Here are some of the things we’ve done:
- We start by making sure that each individual operator qualified to operate the SCADA system has their own username/password. It is important to know who is logging in and when and if they are on-site or remote. We have a protocol in place to ensure that user names and passwords are erased when staff changes hands. This task is assigned to just one individual with administrative control.
- We created a database per region of the systems that have SCADA systems. In this database we examined each system to determine if they were closed/open systems, if they were password-protected, if they have firewalls and antivirus, which IT company manages and maintains each system and what the SCADA system allows an operator to do if logging in remotely and/or locally.
- More often than not, when an operator is off duty and an alarm condition exists at a plant, he needs to physically respond to the alarm. There are instances where the operator can log in to the SCADA system first to determine if they need to go in or handle the issue remotely. It really depends on the plant and the city’s comfort level on whether operators should have access to the SCADA system off-site. So the first thing we do is determine that if remote access is not acceptable to the city, we disengage any program or software that allows all outside parties from accessing the SCADA system. There are times when we do access the system remotely, which is both convenient and cost-effective, but we schedule these times and only connect to the internet for the time needed for that work and disconnect when it is done.
- If a SCADA system is accessible off-site, we make a determination of what things an operator can control remotely. We hold that an operator should only be able to acknowledge alarms, change very specific level set points and turn specific equipment on or off. With the nature of the plants we operate, operators should not be making chemical adjustments or performing certain other tasks remotely.
- We then got with IT to ensure they installed the latest firewalls and antivirus software and follow up with them periodically to make sure that is done.
- Finally, as always, we train our staff to operate the facilities without the use of a SCADA system. We make sure every plant has the capability to run without the use of computers and develop SOPs on how to do that. Cybersecurity is one way to take down a SCADA system but, more often than not, they will go down due to a whole host of other reasons.