Evaluating Or Testing Utility SCADA Security?

EncryptedBit writes "I am a local elected official involved in bringing new water and waste water treatment plants online in a small town. The new plants will incorporate SCADA, which can be used to change operational aspects at the plants, up to forcing a shutdown or changing operational parameters. Can any Slashdotters recommend ways to make sure it is secure? Any testing recommendations? The operational engineers are oblivious to security and SCADA is a new factor, so this concerns me. Any pointers would be appreciated."

Re:From what I understand

[Da_Biz]

The systems I work on feed data to our SCADA systems. The entire network is completely walled off from the Internet, and even connectivity to our internal (non-operations) network is mediated by extremely secure bastion hosts.

I can understand that there may be a need for some access (e.g., system pages an operator to send a warning or emergency message), especially as this is a small town. Keep these sorts of connections absolutely to a minimum, and wrap several layers of security around it.

Re:Don't put it on the Internet!

[crossmr]

The short answer is, every SCADA system in the Americas is Internet connected, and no one has the balls to tell them to stop

That's incorrect.
I used to build SCADA systems and we often included a separate "work terminal" that was connected to the corporate network for workers to access anything outside they needed. It was not connected to SCADA and the SCADA system was not connected to the main corporate network or the internet.

Re:Don't put it on the Internet!

[denobug]

Wonderware InTouch happens to be one of the most popular flavor of local supervisory system platform. There are very few supervisory system NOT implemented with Windows platform. Even DCS nowadays runs on them as well.