SCADA security is the practice of protecting supervisory control and data acquisition networks, a common framework of control systems used in industrial operations. These networks are responsible for providing automated control and remote human management of essential commodities and services such as water, natural gas, electricity and transportation to millions of people. They can also be used to improve the efficiencies and quality in other less essential (but some would say very important!) real-world processes such as snowmaking for ski resorts and beer brewing. SCADA is one of the most common types of industrial control systems (ICS).

These networks, just like any other network, are under threat from cyber-attacks that could bring down any part of the nation's critical infrastructure quickly and with dire consequences if the right security is not in place. Capital expenditure is another key concern; SCADA systems can cost an organization from tens of thousands to millions of dollars. For these reasons, it is essential that organizations implement robust SCADA security measures to protect their infrastructure and the millions of people that would be affected by disruption caused by an external attack or internal error

he diagram below, Figure 1, is a generic model design concept for SCADA networks based on ISA99 standards. The International Society of Automation (ISA) is a non-profit professional association of engineers, technicians, and management engaged in industrial automation. The ISA99 standards development committee brings together industrial cyber security experts from across the globe to develop ISA standards on industrial automation and control systems security.

The proper treatment of water and wastewater is essential in keeping the potable water supply clean and safe to drink. In a similar manner, a stormwater treatment management system is necessary in order to reduce flooding and remove pollutants before they are discharged into a body of water or absorbed through the ground into the aquifer

here are two primary sources of stormwater: point and non-point. Much of the work that was done in the past to reduce stormwater pollution focused on point sources, such as pipes, conduits, tunnels, and ditches. Since the passage of the Clean Water Act, though, there has been an increased emphasis on non-point sources of pollution, which can result from water that flows across streets, parking lots, roofs and farmland. Non-point stormwater typically contains various pollutants and contaminants that the water picked up along the way. You are a cybersecurity analyst for a small utility that is having issues with its water treatment systems. Over the years, the utility has absorbed smaller water service providers and integrated them into its system. This created a patchwork of technologies for monitoring its water system. Operators or service personnel in the field have little access to the data when they are away from the office. At the water plant, some of the aging monitoring equipment is not working due to limited availability of repair parts. Many of the remote locations have no telemetry on them at all and require onsite visits from operations staff to check on status and tank levels. Some sites are checked during daily site visits, while others are checked much less frequently. Because of the long distances from one end of the system to the other, it is becoming more difficult to operate the system reliably and efficiently. The utility has more than 4,800 water customers and more than 200 miles of pipe. The driving distance from the office to the farthest tank is more than 45 minutes.

You have been asked to put together a list of recommendations for improving this situation. You may use the Mid-Size Project template you used earlier in this course, or you may create your own. The requirements are below:

Implement a supervisory control and data acquisition (SCADA) system to optimize the stormwater treatment process. This system should allow vulnerable areas to be monitored on a continual basis, and allow breaches to be immediately reported. This should eliminate the need for continuous security patrols and minimize the number of visits that are needed.

Use the new SCADA system to control pump stations to prevent flooding and to minimize pollution. Install remote terminal units (RTUs) to collect data and send it back to a central processor that has the ability to autonomously make decisions or hand the data off to an operator. This automated reporting will also be useful in performing hydraulic calculations that are used in the design and modification of treatment systems.

Allow field personnel to be able to start and stop a pump or change the operating scheme of a booster station with a click of a button on their smartphone or tablet.

There are three different data historians* that need to be combined into a single system. You will need to recommend a consolidation approach that maximizes the availability and security of the final system.

The final system must consist of a mixture of GSM and CDMA cellular units, as well as direct Ethernet at the water treatment plant and one solar-powered satellite unit at a remote tank site that does not have its own power source.

The utility actually creates some of its own software, and the latest audit report contains a finding that the production network is not sufficiently separated from the development or test systems. In other words, they are all on the same network, and developers have administrative access to not only their Dev systems, but also some of the Prod systems, thus resulting in a segregation of duties (SoD) issue. This needs to be rectified.

Cloud resources may be used but this is not required. If you choose to utilize cloud resources then be prepared to justify that decision. One argument in favor of using the cloud is that this would allow access to the data by the plant operators, field service personnel and management anytime from wherever they are. When you document your recommendations, be sure to include details regarding the cloud (if used), firewalls, RTUs, the data historian, remote access, cellular communications, network segmentation, logging and monitoring, and separation of the development and production environments. Use images and graphics anywhere you feel the need to illustrate a particular point or concept.

A data historian is a software program that records the data of processes running in a computer system. Data historians are commonly used where reliability and uptime are critical. The programs are used to gather information about the operation of programs in order to diagnose failures.