August 2009, Vol. 21, No.8

Safety Corner

Keeping Water/Wastewater Control Systems Secure

Candace Sands

For water and wastewater facilities, the same control equipment and electronic communications capabilities that bring greater efficiency and productivity also can leave utilities vulnerable. This is especially true with automated systems, where a compromise can lead to serious consequences, not only in public and environmental well-being and economic loss but in a loss of confidence.

Balancing Access and the Right Level of Security
Real-time access to operational data is a must for today’s utilities. Much of the data utilities have come to rely on is found in process control and supervisory control and data acquisition systems. Because these automated systems hold such vital information, it is critically important for utilities to ensure that such systems are secure from unwanted intrusions. However, while trying to secure these systems, some utilities have cut off access to valuable data required for sound decision-making.

To strike a balance between buttoning down security and having the freedom and ability to function, a new “control system cyber security self-assessment tool” is now available. It was developed under the direction of the U.S. Department of Homeland Security with input from national labs, subject experts, and such industry organizations as the Water Environment Research Foundation (WERF; Alexandria, Va.) and the Water Research Foundation (WRF; Denver), along with assistance from the U.S. National Institute of Standards and Technology.

The Cyber Security Self-Assessment Tool
The Control System Cyber Security Self-Assessment Tool (CS2SAT) provides users with a systematic, repeatable approach for assessing the cyber security posture of their industrial control system networks. The water and wastewater sector provided input, field validation, and cooperation during the tool development phase through a collaborative research effort sponsored by the U.S. Environmental Protection Agency through WERF and WRF. This research effort, which was led by EMA Inc. (St Paul, Minn.), began in September 2004 and included 11 partner utilities, as well as representatives from the Gas Technology Institute (Des Plaines, Ill.); the Electric Power Research Institute (Palo Alto, Calif.); the Instrumentation, Control, and Automation Committee of the International Water Association (London); and the U.S. National Science Foundation.

Four Steps to Increased Control Systems Security
The CS2SAT tool simplifies the security assessment process, providing four steps that utilities can follow to reduce their security exposure.

Step 1. Analyze consequences. To begin, users must provide information to establish a baseline for their utility. This information includes regulatory compliance data, as well as details on the effects (environmental, health, etc.) that a cyber attack could have on a facility. The goal is to establish a “security assurance level” (SAL), or the necessary degree of security a utility needs to maintain, based on the consequences of a cyber attack.

Step 2. Identify network components. In Step 2, users provide information about their network components as they relate to cyber security. The end result is a diagram that closely matches control system network topology.

Step 3. Determine security gaps. In this phase, a customized requirements questionnaire is generated automatically, based on the SAL from Step 1 and the control system configuration from Step 2. Answers provided on the questionnaire help identify security gaps that may exist between a network and the practices used to attain certain performance standards.

Step 4. Prioritize recommendations. Considering the information provided in steps 1 through 3, CS2SAT produces a list of customized recommendations to help users reduce risk in their facilities. Security recommendations are ranked in order of priority, indicating which recommendations will offer the greatest reduction in risk against a cyber attack.

Getting the Program
Idaho National Laboratories has licensed WERF to distribute the tool free to its subscribers, as well as to WRF members. WERF members can obtain a free copy of the tool by contacting Daniel Woltering at WRF members can obtain a free copy by contacting Jill Estabrook Wisehart at

Others interested in the tool can purchase a copy from licensed distributors; see for a listing. For general information about the tool, contact Candace Sands at

© 2009 Water Environment Federation. All rights reserved.



Candace Sands is the principal investigator for the joint Water Environment Research Foundation (Alexandria, Va.) and Water Research Foundation (Denver) research project to help develop the Control System Cyber Security Self-Assessment Tool and is a program manager at EMA Inc. (St. Paul, Minn.).