Combating SCADA Cybersecurity Vulnerabilities with Best Practices
In the age of global connectivity, it is more important than ever for governments, businesses, and individuals to adhere to strict cybersecurity standards. The consequences for failing to do so are just too great. Data—and access to data—is highly sensitive and needs to be protected at all times. This is particularly true in industries that provide essential services to municipalities.
Many who work in our industry are already aware of the Florida treatment plant that was easily hacked last month and became part of a botched attempt to tamper with the city’s water supply. This is a sobering story that highlights the importance of protecting our utility systems from being breached by those with malicious intentions.
The most concerning part about this story is how it could’ve been avoided by implementing some basic cybersecurity measures. The treatment plant was using an unsupported version of Windows with no firewall and was sharing a single TeamViewer password among all of its team members. For context, TeamViewer is a software program that gives third-party users remote access and control of a computer system.
It’s understandable if that makes you cringe a little bit. However, the point of this post isn’t to throw this particular plant under the bus. Many treatment plants are underfunded, which can make it difficult to audit and implement appropriate security measures. Rather, the point of this post is to highlight SCADA security best practices so that access to sensitive data and remote control functionality remain under lock and key.
Cybersecurity Best Practices
In the case of the hacked Florida treatment plant, vulnerability was built into their system and daily workflow. Using TeamViewer for remote access is nowhere near the same thing as having a dedicated cloud-based SCADA system. As for sharing passwords, this should never be done. There is a significant difference between having your lock picked versus handing over the keys directly.
In any case, this unfortunate mishap is a great reason to remind ourselves of just how important it is to keep our data—and remote access to our systems—heavily guarded. In that spirit, here is an actionable list of cybersecurity best practices that will help keep utility providers safe from those with hostile intentions.
Start Using Multi-Factor Authentication (MFA)
Multi-factor authentication is a method of authentication that requires users to provide two or more verification factors before gaining access to an account. It is considered to be a core component of cybersecurity. It typically requires that a user receive a verification code via email or text before being granted system access.
Is it annoying? A little…
Is it effective? Absolutely!
Using multi-factor authentication provides an additional line of defense in the event that the first line falters. This is a great way to strengthen vulnerabilities in your system.
Require the Use of Complex Passwords
Simple passwords don’t have rules for length, capitalization, use of multiple characters types, or symbols. This makes them easy to remember, but also easy to crack. Requiring the use of complex passwords, along with their various rules and qualifiers, provides a much deeper level of security for system access.
Be Smart About User Access Management
There are a couple of important aspects of user management that need to be addressed. The first is hierarchy. Not every employee needs the same level of access permissions. For most, view only access is enough. However your user access hierarchy is structured, it’s safe to say that access should be managed by a shortlist of people who have administrative access.
The second and often overlooked aspect of user management is related to employee offboarding. Access to all systems and accounts should be revoked the moment employment is terminated. Adhering to this practice goes a long way towards preventing a disgruntled employee from exacting their revenge.
Don’t Use Remote Access Software
As mentioned above, the Florida treatment plant was allowing operators to remotely access system functionality using a shared password on a single TeamViewer account. This is not a good idea. Each employee should be a dedicated user with a dedicated password. Using individual logins makes all activity associated with that account trackable. This fosters a sense of responsibility and accountability. Most importantly, it safeguards the system from malicious intent.
The security of any system is ultimately subject to its users. If a utility shares a single login, uses simple passwords, and never conducts audits to test for vulnerabilities, they leave themselves open to cyber attacks that can have devastating consequences.
High Tide Technologies Provides Robust Cybersecurity Features To Users
At High Tide Technologies, we take cybersecurity seriously. We understand the need to inform and empower our clients—and internal team—on the current best practices for keeping your system safe. Our cloud-based SCADA platform includes all of the safeguards mentioned above as well as the assurance of our own strict internal auditing measures. To ensure that we are doing everything we can to keep your system safe, we are SOC 2 Type 2 certified.
SOC 2 Certification
HTT is SOC 2 compliant! SOC 2 is an ongoing auditing procedure that ensures SaaS service providers manage data, security, and privacy in a responsible manner. As part of our SOC 2 certification process, we have slimmed down the list of internal employees who have access to all of our clients. Additionally, we follow SOC 2-compliant procedures to ensure that we have been following best practices for security to mitigate this risk.
These procedures include individual logins for our employees which are terminated upon an employee’s final day with the company, as well as quarterly user access audits where we analyze which employees have access to what systems and revisit whether or not they need continued access.
You really can’t be too careful when it comes to protecting data and access to your system. Cybersecurity threats are among the greatest vulnerabilities that governments, businesses, and individuals face. For municipal utility providers, following the best practices layed out in this post is a necessary first step.
We’re always more than happy to address any questions our clients have about the security features offered by our platform and to provide insight into our own internal auditing measures. We understand that security is important to you, and we’re doing everything we can to offer maximum protection.