The Real Risks of SCADA on the Internet
We drove out to the water plant outside of town. It was a remote access road with a large fence, an automated keypad and cameras monitoring the outside. As we drove up, the facility was immaculate. The plant had modern panels, updated HMI screens and a control room behind a second set of badge access doors. From the outside, everything about the plant signaled order, professionalism, and control.
However, it did not take long to realize that portions of the SCADA were accessible from the public internet. There was a firewall in place, and changes had been made to allow for remote access. This was not through a VPN or controlled remote access; rather, the SCADA was on the public internet. Inside a well-secured facility, key control systems were reachable from beyond the fence line, making them vulnerable to cyber risk that was not visible onsite.
This paradox is not unique to water utilities – it spans electric, gas, water, wastewater, manufacturing, and oil/gas facilities. And it is more common than you’d think.
How Does SCADA Get on the Internet?
In water and wastewater, understanding how a client ends up with SCADA open on the public internet is vital to reducing risks. And the answers tend to follow a similar pattern. These are rarely one-off decisions and are often inherited over time. They are responses to real operational, staffing and budget constraints.
When we ask how SCADA became reachable from the internet, the answers tend to sound like:
- During the last storm, people stayed at the plant to keep things running. Without this access, we would have to sleep at the plant every time it rains.
- We no longer have 24×7 coverage and remote access is needed.
- We are a small plant and didn’t think we would be a target.
- It’s what the engineering firm designed; they scoped the system components and architecture for us.
- We only have remote monitoring on the SCADA, there is no remote control.
- Security was offered as an optional feature and the budget would not allow it.
- The vendor needed this access for support and it was intended to be temporary.
Recommended Actions
Over time, the cybersecurity community has developed strong guidance on this issue, shaped by real-world incidents. The consistent recommendation is to segment networks, remove unnecessary public exposure, and use controlled remote access rather than open connectivity.
The scenarios above illustrate the decisions made under operational and budgetary pressure. There is often a gap between what guidance recommends and what seems doable in the moment – that gap is where risk accumulates over time. Many water and wastewater facilities find themselves in what seems like an unworkable position, not because of neglect but because of practical constraints. Creating a path towards foundational controls that is efficient, staged, and realistic can significantly reduce risk without disrupting operations. Open, transparent discussions, supported by foundational assessments, provide a practical starting point for improvement. If we want SCADA off the internet, we have to address the conditions that put it there in the first place.
-Stephen Chasko | General Manager, Cybersecurity
