Water utilities are classified as critical infrastructure under the Presidential Executive Order issued in 2013. About one-third of the water systems in the State of Delaware use Supervisory Control and Data Acquisition (SCADA) systems. These systems are vulnerable to cyber attack. AWWA guidelines, developed in 2014, recommend that utilities establish a certain minimum level (“AWWA Priority 1 Controls”) of cyber protections. Utilities can use AWWA’s Cyber Security Tool to generate recommendations tailored to their particular SCADA configurations. Four Delaware water utilities were surveyed using the AWWA tool in an effort to enable a self-assessment of their current security posture. The SCADA systems in these test utilities varied signinficantly in complexity, however, the study found that there were only minor differences in the Priority 1 Controls. The report, also available at the DPH link above (under “Applications and Information”), recommends that a common set of controls be initially adopted by the State as an across-the-board baseline. An appendix to the report (“Cyber Security Policy for Managers of Drinking Water Systems”) is available as a stand-alone download.
Since this early work, the NIST has moved ahead with developing recommendations specifically targeted towards SCADA systems. The State commissioned KSG to conduct workshops with interested utilities and also develop a cybersecurity assessment tool based on the NIST recommendations (Publication SP 800-82) that could be utilized for self-assessments by utility managers.