Cybersecurity: Water Utility Security Part 7

This month, it’s time to take a look at both virtual and physical access for process control systems security. When both of these areas are addressed, infrastructure is better protected from on-site and remote attacks. The American Water Works Association (AWWA) offers guidance on these topics. Here’s a quick overview.

Telecommunications, Network Security, and Architecture

The wired and wireless aspects of network infrastructure come under scrutiny in this phase of cybersecurity. On a physical level, computer rooms, network server closets, and individual cables should be secure from tampering. Port-level security can serve as a second layer of protection if physical security is compromised. It shouldn’t be possible for anyone to simply plug a device into an open port and gain access to (and control over) the system.

In the virtual sphere, data must be secure as it travels from point A to point B. On the network level, using dedicated hardware, separate IP subnets, and virtual local area networks (VLANs) can make systems and processes easier to protect, both within the organization’s server architecture and where the network must interface with field equipment and third-party systems. It may be wise to create an architecture that allows critical equipment to continue operating in isolation in the event that other parts of the network are compromised.
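To make the port-level and subnet/VLAN points above concrete, here is an added example (not part of the original article or of AWWA guidance): a small Python audit that checks a switch-port inventory for ports left enabled while unused, in-use ports with no MAC address limit, and hosts sitting on a VLAN whose dedicated subnet they do not belong to. The zone names, VLAN IDs, addresses, and inventory fields are all constructed assumptions.

```python
import ipaddress

# Constructed sample data (assumptions, not from AWWA guidance or any real utility).
ZONES = {  # zone name -> (VLAN id, dedicated subnet)
    "process_control": (110, ipaddress.ip_network("10.10.0.0/24")),
    "business": (20, ipaddress.ip_network("10.20.0.0/22")),
    "third_party": (130, ipaddress.ip_network("10.30.0.0/28")),
}
PORTS = [  # hypothetical export of switch-port state; max_macs=None means no port security
    {"port": "Gi1/0/1", "vlan": 110, "in_use": True, "admin_up": True, "max_macs": 1, "host_ip": "10.10.0.15"},
    {"port": "Gi1/0/2", "vlan": 110, "in_use": True, "admin_up": True, "max_macs": None, "host_ip": "10.10.0.16"},
    {"port": "Gi1/0/3", "vlan": 110, "in_use": True, "admin_up": True, "max_macs": 1, "host_ip": "10.20.1.7"},
    {"port": "Gi1/0/4", "vlan": 1, "in_use": False, "admin_up": True, "max_macs": None, "host_ip": None},
    {"port": "Gi1/0/5", "vlan": 20, "in_use": False, "admin_up": False, "max_macs": None, "host_ip": None},
]

def audit(zones, ports):
    """Return (finding, subject) tuples for segmentation and port-level gaps."""
    findings = []
    names = sorted(zones)
    # Zones only stay separable if they share neither a VLAN nor address space.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if zones[a][0] == zones[b][0]:
                findings.append(("shared-vlan", f"{a}/{b}"))
            if zones[a][1].overlaps(zones[b][1]):
                findings.append(("subnet-overlap", f"{a}/{b}"))
    vlan_to_net = {vlan: net for vlan, net in zones.values()}
    for p in ports:
        if not p["in_use"]:
            # An unused port that is still enabled is an open door for a plugged-in device.
            if p["admin_up"]:
                findings.append(("unused-port-enabled", p["port"]))
            continue
        if p["max_macs"] is None:
            findings.append(("no-mac-limit", p["port"]))
        net = vlan_to_net.get(p["vlan"])
        if net is None:
            findings.append(("unknown-vlan", p["port"]))
        elif ipaddress.ip_address(p["host_ip"]) not in net:
            findings.append(("host-outside-zone-subnet", p["port"]))
    return findings

if __name__ == "__main__":
    for finding, subject in audit(ZONES, PORTS):
        print(f"{finding:26} {subject}")
```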

More about Physical and Network Security

In the words of the AWWA, “Once physical access to a network device or server is achieved, compromising equipment or systems is usually a trivial matter.” That’s a chilling thought given the percentage of malicious security breaches that are carried out by internal parties (about 25% according to a 2014 Forrester survey). For critical infrastructure, it is vital that only authorized personnel have access to hardware—and only for needed activities. Control rooms, removable media, cabinets, ports, and communication pathways should all be hardened against intrusion.

Physical locks and electronic access control help keep unauthorized personnel away from critical equipment, while monitoring systems provide an alert of potential trouble. Security information and event management (SIEM) detection within the network can also report on anomalous activity in real time. In some situations, video surveillance may be beneficial for identifying unauthorized entrants. But bear in mind that prevention is always the primary goal. As with all monitoring programs, having personnel in place to evaluate and swiftly respond to incidents is essential.

Operational Security and Service Level Agreements are up for exploration next month!

Driver Performance Monitoring and Workplace Safety

It’s not just insurance companies that use vehicle monitoring to evaluate the performance of drivers. The technology to track speed, location, G-force, and other aspects of vehicle operation is now used by many employers as well. Since auto accidents remain a leading cause of work-related fatalities, implementing a monitoring program is worth consideration. Here’s a look at some of the pros and cons—along with tips for implementing a smart policy.

On the Plus Side

Examining the behavior of drivers operating workplace vehicles offers several benefits. First, knowing that a vehicle is monitored may give drivers a greater sense of accountability, increasing the likelihood that they will use good judgment on the road. This includes staying on schedule and not making unauthorized side trips or stops.

Second, regular evaluation of recorded data may provide insight into additional safety training (such as defensive driving) that is needed to increase the safety of employees on the road. Finally, if an accident does occur, it’s often hard for the people involved to recall precisely what happened. With monitoring, the events that immediately preceded the accident can be examined to discover the facts.

The Downside of Vehicle Monitoring

An improperly implemented program could violate employees’ right to privacy, leading to legal trouble for employers. A monitoring device that is installed in the wrong location in a vehicle may also create blind spots or other hazards, increasing the likelihood of accident or injury.

In addition, stored data that shows a pattern of unsafe driving on the part of workers might also be used against an employer in litigation. This is especially true if no corrective action was taken to curtail risky behavior.

Tips for Getting It Right

  • Know the purpose of your monitoring program (are you seeking to correct driving behaviors, make safe driving a part of employee evaluation, or have a record in case of an accident?)
  • Create a written driver performance monitoring policy that complies with federal and state law.
  • Disclose your driver monitoring policy to employees and explain its purpose as part of the overall workplace safety program.
  • Make sure the monitoring technology meets state requirements and does not interfere with safe operation of the vehicle (e.g., it should not obscure the driver’s view, obstruct windshield wipers, or be placed in the airbag deployment zone).
  • Follow up on any incidents of unsafe driving to take swift corrective action in accordance with agency policy.
  • Retain records on file as required by law since the monitoring data may be subject to subpoena in the event of litigation or workplace safety inspection.

Do you have questions about using technology to increase employee safety? Contact DKF to talk about health and safety in the modern workplace.