AWWA IMTECH57893

A utility's information systems are a critical component of any complete approach to security. In order to identify gaps and areas for improvement in their security, most utilities have or will be conducting a vulnerability assessment of their physical and "virtual" infrastructure through the US Environmental Protection Agency's RAM-W training or other risk assessment methodology. This paper describes that latest methods and tools to implement security for information and control systems once the critical areas have been identified. Security for "virtual" infrastructure is described in terms of a layered approach that identifies potential threats and recommended defenses at many levels. The latest security tools and their often-confusing acronyms are described in ways that are applicable to all utilities. Specific security methods for SCADA, DCS, and control systems are discussed in detail with direct relevance to the information covered by the RAM-W course. Tools to protect against threats that arise from external as well as internal sources are presented and described in terms of their effectiveness and ease of implementation. Finally, this paper gives anonymous examples of security assessments, action plans, and resulting system implementations for several water and wastewater utilities. The detailed methods, tools, and examples presented should allow any organization to properly fortify and secure their information systems.