Dams and Civil Structures

Dams Sector Roadmap to Secure Control Systems

This U.S. Department of Homeland Security document provides a beginning point and a template for action as industry and government work together to achieve a common objective for securing control systems within the dams sector.

Prepared by: U.S. Department of Homeland Security

The Dams Sector Roadmap to Secure Control Systems describes a plan and strategic vision for voluntarily improving the cybersecurity posture of control systems within the Dams Sector. Designing, operating, and maintaining a facility to meet essential reliability, safety, and security needs require careful evaluation and analysis of all risk factors, including physical, cyber, and human.The interaction of both internal and external process and business systems must also be considered.  A cyber event, whether caused by an external adversary, an insider threat, or inadequate policies and procedures, can initiate a loss of system control resulting in negative consequences.  This roadmap recognizes this interconnectivity, but restricts its scope by addressing the cyber issues of control systems.

Many of the control systems used today were initially designed for operability and reliability during an era when security received low priority. These systems operated in fairly isolated environments and typically relied on proprietary software, hardware, and/or communications technologies. Infiltrating and compromising these systems often required specific knowledge of individual system architectures and physical access to system components. However, newer control systems are highly network-based and use common and open standards for communication protocols; this interoperability has the potential to expose network assets to cyber infiltration and subsequent manipulation of sensitive operations.

Challenges to cybersecurity consist of the direct risk factors that increase the probability of a successful cyber attack and the factors that limit the ability to implement ideal security enhancements. A majority of owners and operators within the Dams Sector do not have adequate inventories of their critical assets and associated control systems, or a good understanding of the risks (threats, vulnerabilities and consequences) of a cyber attack.The growing number of nodes and access points has also made identifying vulnerabilities more complex; widely accepted industry standards, consistent metrics and reliable measuring tools are not readily available.

Some control systems will have poorly designed connections between control systems and enterprise networks, use unauthenticated command and control data, and do not provide adequate access control for remote access points.  Security improvements for legacy systems are limited by the existing equipment and architectures that may not be able to accept security upgrades without degrading performance.

An additional challenge is the lack of information sharing among owners and operators and other cyber stakeholders regarding cybersecurity threats, events, and their consequences due to concerns as to how the information will be used, disseminated, and protected. Possibly, as a result of this lack of information sharing, the return on investment for vendors to sustain control system and security tool improvement, including R&D to advance the technology, is unclear. A further complication is that vendors currently do not have adequate requirements or standards to design, build and maintain cybersecurity into control systems. Evolving cyber threats, changes in cyber-intrusion technologies, and developments in information technology can pose challenges to building security into control systems with long lifecycles.

While sector partners actively manage the risk to their operations through monitoring and mitigation activities designed to prevent daily incidents from becoming significant disruptions, increasingly sophisticated threats require a more thorough examination of risks associated with cybersecurity.

The control systems roadmap provides an opportunity for the Dams Sector community to identify its concerns, communicate recommended strategies for improvement, and provide a venue for government assistance. It also provides the Dams Sector with specified milestones on which to focus specific efforts and activities to achieve key goals over the next 10 years, while addressing the sector’s most urgent challenges.  These challenges include developing mitigating solutions, defining longer-term needs, and articulating control system security guidelines and practices for improvement.

Download Now!