Building a Sustainable and Secure SCADA System

Setting up your water utility’s SCADA system for long-term success requires a sustainable architecture that allows the system to evolve and scale. It’s also critical to incorporate strong cybersecurity into your SCADA system to guard against rising security threats.

We’ve compiled two articles from Water & Wastes Digest detailing five simple steps for sustainable SCADA and three crucial SCADA security recommendations. Together, these guidelines form a well-rounded approach that will lead the way to a less problematic, more profitable, and better protected future.

Sustainable SCADA: 5 Practical Steps for Long-Term Improvement

Water utilities face many challenges, whether it is pressures to adopt new technologies with shrinking resources, aging infrastructure, or obsolete technology. To succeed in this environment, a utility’s approach to their SCADA system is critical.

The conventional thinking about SCADA is that the technology is a closed system that will be used for 15 to 20 years until it needs to be replaced, said Kent Melville, Sales Engineering Manager at Inductive Automation. Requirements inevitably change, however, and utilities often look for short-term, budget-friendly fixes. This can lead to haphazard add-on technologies and hardware from multiple vendors, often resulting in expensive, long-term consequences.

“What might have been a really fast, cohesive system at the beginning, by the end is so convoluted with all this different hardware that it's impossible to maintain,” Melville said. The utility then needs to replace the SCADA system, and the process starts over again. Instead of using a rip-and-replace approach with short-term solutions in between, Melville recommends a sustainable architecture that enables the SCADA system to adapt and grow over time. Through the five incremental steps below, utilities can save time and money while improving uptime and reliability.

Step 1: Collecting Data from Remote Sites More Efficiently

The first step toward a more sustainable SCADA system is to set a standard protocol for PLCs. By choosing equipment that supports a certain protocol, everything can speak the same protocol, and software can swap in more easily. To ensure flexibility, Melville recommends an open protocol like OPC, MQTT, or Modbus, rather than a proprietary protocol.

In addition to choosing a new standard protocol, address issues like bandwidth, latency, and connection that can impact data collection from remote sites. Melville strongly recommends installing edge devices at remote sites to poll locally and report by exception. That way, data is not lost when the network goes down, because it can buffer data that is polling locally.

Step 2: Saving Time and Money with a Server-Centric Architecture

A sustainable SCADA system should have a server-centric architecture, Melville said. Rather than maintaining many installs across many machines, a server-centric system only requires that software be installed on a centralized server. Since all data collection and visualization go through that server, it is a single point of failure, so redundancy is key to maintain uptime in the event of a server failure.

A big feature of server-centric architecture is the licensing possibilities they present, with the system being licensed by the server and unlimited for everything else. There are currently multiple options for SCADA systems that are licensed by the server. Melville recommends you speak with your SCADA provider to get a system that will meet specific sizing needs.

Step 3: Avoiding Upgrade Headaches with Cross-Platform SCADA

Traditional SCADA systems that are tied to specific operating systems can cause challenges for utilities when these versions reach their eventual end of life and force organizations to make costly upgrades.

To avoid this issue, Melville recommends leveraging a SCADA system that is fully cross-platform. The system can then run on Linux, Mac, or on any version of Windows. “In a sustainable SCADA architecture, the OS and the SCADA should both be able to be upgraded independently,” Melville said.

To achieve this, Melville said, leverage newer versions of .NET, Java, or other programming languages that are cross-platform out of the gate. “Then they’re running in a virtualized environment on the computer rather than running directly against the iOS,” he said. “With each version of the iOS that comes out, they’re already doing testing on their side to make sure that the virtualized environment is still consistent and compatible with the programming language that’s being used behind the scenes. Since it’s running against the virtualized environment rather than the actual OLS, now you’ve got some more flexibility, and so things don’t break as much.”

Step 4: Getting More Data with IIoT

The Industrial Internet of Things (IIoT) is all about how you get your data. Getting large amounts of data from remote sites connected over radio, satellite, or cellular requires a lightweight protocol. That’s where MQTT comes in, Melville said.

By using edge devices, the system can publish data with MQTT, an ultralight protocol that has only a two-byte overhead. MQTT is very secure and uses a pub/sub protocol that publishes by exception. It also uses the Sparkplug specification for store-and-forward and auto-discovery of tags.

Centrally it requires an MQTT broker, where data is published and then line-of-business applications (including SCADA) can subscribe to it. The result is really powerful, Melville said, since you can decouple your data backbone from your applications.

“If your SCADA system gets replaced, gets swapped out, or any other application gets swapped out, you didn't break your chain of that data backbone, because you once again decoupled your infrastructure from your applications,” Melville said.

Step 5: Sustaining Your System with Alarming and Reporting Tools

A sustainable SCADA approach requires a quick response when something goes wrong. The best notification is a text message or phone call, since staff can be notified immediately whether they are on-site or at home. Melville also recommends an alarm pipeline that elevates notifications if alarms are not responded to in a specific timeframe.

Reporting efficiency is also an important key. Many organizations still utilize manual reporting of data, which can be rife with human error, Melville said.

Automatic reporting reduces errors and allows you to receive reports immediately, saving time. Organizations can still perform manual checks to ensure the machines are collecting data correctly. However, if an organization chooses this path, Melville recommends having staff use a tablet where they can directly input data into the system instead of writing information down and transferring the information to reduce the number of steps in the process.

3 Security Recommendations to Elevate Your SCADA System

Implementing cybersecurity best practices has never been more critical for water and wastewater utilities. Recently, the EPA focused new attention on the issue with the launch of its Industrial Systems Cybersecurity Initiative – Water and Wastewater Sector Action Plan, which is driving deployment of technologies that protect against cyber-related threats.

The need for vigilance at water utilities is clear. Yet, a 2021 State of the Water Industry survey of U.S. water utilities found that only 20% of respondents had fully implemented some form of plan to address cyber intrusion.

Designing Security into Your SCADA System

The availability of your SCADA system is critical for monitoring and controlling your systems. With the increasing convergence of OT and IT, paying close attention to who should and should not have access to the data your system provides is more important than ever. Today, UX design involves much more than design and flow; it is now a critical component of effective cybersecurity. That’s why a solid cybersecurity system should be baked into your UI and UX design.

Following are three critical steps to take when designing a system that provides secure access to data to credentialed users.

1. Understand All Connections and How You Can Secure Them

Start by identifying all the connection points in your system early in the design process. You can do this by building an architecture diagram that includes all connection points, together with all routers and switches. Then, conduct a comprehensive audit of all connections – to staff, clients, databases, applications, the SCADA system, PLCs, and more – so that you can determine how to encrypt them.

TIP: With applications that are accessed by a client, you will need to leverage HTTPS. Without that lock, your connection is not secure.

When you have a complete understanding of how everything works, you will be better able to set up the firewalls needed to protect the network.

To ensure that your OS is protected, do the following:

• Enable firewalls to restrict network traffic
• Remove any programs that are not needed
• Limit the ports in your system
• Close any ports in the firewall that are not needed (open ports that are not being used are vulnerable to attack)

TIP: Be sure to keep all your patches and services up to date. There are many automation tools that can help.

Be sure to conduct regular system audits to ensure that you have a detailed understanding of your network traffic and can quickly identify suspicious activity.

TIP: There are many tools that you can use to scan your network and get reports on activity. While they can be expensive, they provide significant benefits, especially as systems become more and more complex.

2. Employ Two-Factor Authentication and Single Sign-On

When users access your systems or applications, they should have the highest possible authorization. You can add an extra layer of security by requiring users to provide a password and a second authentication factor to a separate device.

TIP: There are many identity providers that employ industry-leading encryption protocols to support two-factor authentication and single sign-on (SSO), including Ping Identity, Okta, Duo Security, and ADFS.

3. Leverage a DMZ Network

A demilitarized zone (DMZ) network is a perimeter network that keeps the local area network separate from untrusted networks. This provides many benefits, including the improved security that results from preventing traffic from entering various network segments; and improved access, control, monitoring, performance, and containment.

TIP: If a risk is identified, you can turn off or eliminate the DMZ and maintain security and local functionality.

Ensure Secure Access to Data

As data becomes more critical to water utility operations, the more you will need to ensure fast and efficient access to that data, while ensuring that your systems are secure. The good news is that there is technology available that can help OT and IT work together to take these steps to apply cybersecurity best practices – and to reap the benefits.

Level Up Your SCADA System

When creating a sustainable and secure SCADA system, choosing the right software is paramount. Inductive Automation’s Ignition software is an ideal option, since it’s an open, scalable universal platform with an unlimited licensing model, and supports modern cybersecurity protocols.

To learn about building a secure SCADA system that will survive the test of time, discover Ignition SCADA software.