In the realm of critical infrastructure security, it’s easy to get caught up in discussions about smart grid and even oil and gas pipelines. After all, they are making news on a regular basis, with reports of foreign spies infiltrating our electrical grid and smart meter hacks. Additionally, human error or natural phenomena has often been the culprit for explosions that have led to a loss of life, such as the recent tragic pipeline explosion in San Bruno, Calif. It’s easy to forget the resource that none of us can survive without: water. While it is generally plentiful, fresh water is frequently scarce and millions depend upon water systems operated by industrial control systems to ensure that people have the water that they need when they need it.
Unlike electricity, water can be easily stored and unlike natural gas, it doesn’t explode. However, water can be polluted. It can be cut off, and it can do harm in significant quantities. One need look no further than the discussion of the Taum Sauk incident described in my second post to this forum about the damage that large quantities of water can do. Like many other critical infrastructure sectors, policy makers and operators are beginning to take notice of these potential harms and are beginning to appreciate that those looking to do harm may target the water sector. As evidence, the Colorado River Water Users Association Annual Conference is holding a colloquium on cybersecurity.
The question then needs to be asked, just what should operators do? There are currently no cybersecurity regulations targeting water specifically, so the approach will likely have to be risk-based. While poisoning the water supply is always a popular doomsday scenario, the quantities required to do much damage make the scenario less likely, particularly one where the attack was entirely cyber in nature. However, shutting off the supply and doing damage to the pipes, valves and containers associated with the system are clearly viable concerns. In that regard, control system security should be a priority as they are both the first line of defense in detecting problem as well as the potential platform to launch any such attack. The good news is that the computer systems controlling the various pumps and valves are not much different than the ones that control the switches and circuit breakers in an electrical grid. They all rely on receiving accurate information from field devices and provide instructions to those devices based on a real-time operating environment. Following guidance provided for securing industrial control systems that is provided by organizations like the National Institute of Standards and Technology in NIST SP 800-82 and the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS CERT) is the first step to addressing these challenges and providing appropriate assurance to operators, regulators and the general public.