Richard R. Umbrino, Jr. • Instrumentation Controls & Automation Group • Mott MacDonald
09/02/11
Cyber Security for SCADA
In Water and Wastewater Treatment Plants
Executive Summary
Communications technology has advanced significantly since the late eighties when SCADA
(Supervisory Control & Data Acquisition) systems were local with no ability to connect to the
outside world. The latest SCADA systems utilize open protocols in Ethernet networks without
any proprietary constraints. Without adequate protection, technicians, plant operators, IT
personnel or even hackers can easily connect to these networks using laptops or personal
computers and compromise network, equipment or SCADA system operations. While there are
advantages to high-speed connectivity within the plant and externally, there is a need to keep
these networks secure. Thus, cyber security is critically important.
Industrial Control Systems have been recently exposed to numerous cyber security attacks
(Trojans), which can take the form of viruses, worms or malware. The most destructive cyber
attack occurred in September 2010 and was directed at Siemens PLCs in an Iranian nuclear
facility. The worm was found in an infected USB flash drive which was plugged into a local
computer connected to the SCADA network. The worm is known as Stuxnet (considered the most
complex and well engineered worm ever seen) and it caused extensive damage to the nuclear
facility’s control system. The Stuxnet worm changed the executing process logic of the PLC and
ran 1,000 centrifuge motors to failure. While these motors were essentially “blowing up”, the
operator at the HMI (Human Machine Interface) level was completely oblivious to the incident.
It was later discovered there were a total of 100,000 infected host PLCs in the world, of which
1,600 were in the United States.
Once a SCADA system in a Water or Wastewater Treatment Plant is infected, the
consequences can be disastrous to the operation, equipment and the delivery of quality water.
Some of the many risks associated with an attack are: under- or overdosing of chemicals, service
interruption and loss of pressure to fire hydrants. Alarm thresholds could also be changed or
disabled completely, locking out and shutting down key equipment resulting in environmental
and health impacts such as overflow of untreated sewage into public waterways.
Some of the cyber security risks associated with the operations of Water and Wastewater
Treatment Plants include connections to the internet and open protocols such as Modbus/IP.
Weak passwords are also common on equipment such as computers, OITs, routers, switches, etc.
Original equipment using open protocols to connect to the internet is often configured with
original factory default passwords. Weak physical plant security, including disgruntled, dishonest
or poorly trained employees, also presents a threat to the SCADA network.
Mott MacDonald Engineers can assist clients with cyber security risk analysis and prepare a
complete Cyber Security Program which includes: Emergency Contingency Plan, Maintenance
and Integration. The client can then apply for funding assistance under the Homeland Security
Grant Program. If accepted, the Grant would cover approximately 75% of the cost for the Cyber
Security Program. An additional source of federal funding is the Environmental Protection
Agency’s (EPA) Clean Water State Revolving Fund (CWSRF) which has recently provided 5
billion dollars annually to small communities for wastewater projects.
The Iselin Instrumentation Controls & Automation group has performed Cyber Security risk
analyses and has designed solutions for clients. The group is available to assist project managers
in offering their services to existing or prospective clients. Project managers should discuss the
importance of Cyber Security with clients and recommend a Cyber Security risk analysis.