AWWA IMTECH64730

For the past 20 years, utility managers have come to rely on valuable data that is found in process control systems including supervisory control and data acquisition (SCADA). While trying to secure these systems from security violations, however, many utilities have cut off their own access to valuable data that is required for sound decision making. A recent WERF/AwwaRF research project, led by EMA, was designed to provide utilities with the tools to accurately determine current vulnerabilities and consequences and develop a set of leading practices that will enable utilities to ensure both effective security and real-time access. This presentation examines the Control System Cyber Security Self Assessment Tool (CS²SAT) that has been developed, reviewed, and tested via a collaborative effort with the Department of Homeland Security's Control System Security Program and Idaho National Labs. This portable, self-assessment tool will enable any water or wastewater utility to conduct effective vulnerability assessments, determine their state of readiness, and develop corrective measures to close the vulnerability gap for their control systems. Utilities will be able to create a baseline and use the tool periodically (i.e., annually) or when a system component is modified or added. This presentation will explore the specifics of the self-assessment tool, its capabilities, what sorts of vulnerabilities it can typically locate, the resulting products and information, its reporting capabilities, and how utilities will be able to use the tool. The project team has also developed a set of leading practices, guidance, references, and recommendations that have been incorporated into the tool and can be used as a stand-alone reference. The material produced from this research project will provide the necessary approaches, options, guidelines and specifications to utilities on how to assess computerized and automated system vulnerabilities, determine acceptable risk and countermeasures, and develop a transition plan to attain secure and protected control systems. The first step is an assessment of a utility's current circumstances to develop a clear understanding of the existing gaps. Only then will it be possible to develop a plan to close those gaps and secure access to valuable data for those who need it, while ensuring there is no way to penetrate these systems by those who don't. This presentation provides vital insight for utility decision-makers who care about secure access to automated systems.