Cybersecurity Blog: The Cyber Scene is evolving, are you?

Return to blog

Primary objectives of hydroelectric control systems operators include ensuring operational stability and simplifying the task of meeting federal security and compliance requirements.

What's standing in their way? We've compiled a list of 10 major concerns facing operators in assuring the operational stability of all water management assets, as well as compliance with Federal Energy Regulatory Commission and NERC standards. These challenges can be broadly grouped into three major areas:

  • Business Practices
  • Infrastructure Management
  • Policy Considerations

Business Practices

1. Asset Management: There is no complete or accurate inventory of IT and OT control assets, nor is there an understanding of what is connected within the system.

2. Back Doors: There are risks to networks from interconnections with industry partners in different domains as well as with different security models and risk-impact levels.

3. Tunnel Vision I: Cybersecurity and assessment of SCADA security has historically been IT-centric with limited or no capability on the ICS OT side.

4. Tunnel Vision II: Regulatory compliance applies to both IT and OT; you can’t drop one for the other.

Infrastructure Management

5. Situational Awareness: There is little ability to centrally monitor, assess, and report ICS vulnerabilities and provide event alerts.

6. The Grand Menagerie: Hundreds of hydroelectric dams built in different eras contain a hodgepodge of ICS equipment that is likely unprotected against modern attacks.

7. Safety Not Guaranteed: There currently is no good or quick way to ensure that NERC CIP and DOE standards are being enforced across an entire enterprise that generates hydroelectric power.

Policy Considerations

8. Sparing Some Change: Centralized configuration and change management controls are needed to ensure a properly functioning environment across the enterprise.

9. Policing Good Policy: Operators of hydroelectric power generating facilities need to be able to implement new policies and then eliminate any and all deviations from them.

10. Knowing is Half the Battle: Limited access to the cybersecurity risk posture of legacy ICS equipment is preventing proactive defensive planning.

So how can you manage these concerns?
Managing the Challenges of Securing Hydroelectric Control Systems

How can these unique environments ensure operational stability and simplify the task of meeting federal security and compliance requirements?

This whitepaper explores experience-based suggestions and plans of attack for key challenges facing operators.

New Call-to-Action