RESEARCH DESIGN AND METHODOLOGY
Section 2: Utilisation of process control systems in service delivery
Being a Category A Municipality, eThekwini Municipality offers a variety of services to the public under the jurisdiction of the municipality. The delivery of services is made
possible in some functional areas through the utilisation of ICT. The interconnected ness of municipal computer networks makes it possible for the municipality to:
distribute electricity to the municipality community
distribute water to the Municipality community
provide much needed administrative support across the municipality. ICT systems such as e-mails, Internet system, and enterprise resource planning systems, are examples of support systems in the municipality.
PCS for electricity
Electricity unit: through the use of SCADA system the unit delivers electricity to the citizens. SCADA is a form of a process control system (PCS). ICT is used to improve reliability, intelligent control, optimum operation, and protection of a power system network. The functioning of the PCS is entrenched on ICT. A SCADA system has advanced data collection capability, facilitate s remote monitoring, and automates entire electricity distribution by coordinating, controlling and operating distribut io n components. As a PCS, SCADA enables the operator to monitor and control distributed systems at various remote geographical areas. SCADA is made up of computers, networks, controllers, instruments, actuators, and interfaces to manage automated industrial processes. SCADA systems are economical as they eliminate the visit of personnel to geographically dispersed locations to conduct inspections, make adjustments in the processes, and data collection.
PCS for drinking water
SCADA systems measure, control, and monitor (locally and remotely): water collectio n and extraction, transport water to settling basins, transport water to filtration/purifica t io n processes, monitor and control filtration/purification processes, monitor treated water distribution, and monitor and control pressure boost pumps.
The following diagram shows the electricity distribution SCADA system
In the eThekwini Municipality, the distribution of the essential services such as electric it y and water is largely dependent on the SCADA systems. SCADA systems use open standard protocols of which the description is available on the Internet. A SCADA system uses Internet protocols such as TCP/IP to transfer data, also runs on Linux or Windows operating systems as an application. SCADA systems are becoming vulnerable to hackers around the world. Security of SCADA is a challenge to the organisation. Contractors can
connect to the SCADA network, Worm and virus scans are rarely conducted. Patches are not deployed and if deployed they are deployed late.
Most participants indicated the challenges often experienced when working on SCADA systems, and these included issues raised by various individuals from various business units. These were their individual views and not those of the department or unit.:
No change management policy
No network vulnerability testing conducted
Lack of password policy
No security awareness
Lack of cyber-security policy
Physical security threats such as vandalism and fire
Hardware and software malfunctions due to various factors such as denial- of- service attacks, viruses, etc.
Inadequate risk management processes
Limited audit involvement
Uncoordinated efforts amongst departments and units
Poor support from senior management (sponsorship & buy-in).
Example of Water SCADA system destruction in South Africa
For 11 days, the citizens of Eersterust (Pretoria) and Mamelodi in Tshwane Metropolita n Municipality were left with no drinking water. This was caused by a damaged SCADA system in the reservoir due to vandalism. This happened in August 2006.
The controls that were highlighted to be important by the participants are the following:
SCADA specific cyber-security policy. The municipality has an approved information security policy; however, participants indicated that the approved information security policy is biased towards ICT compared to PCS. This situatio n has led to ad hoc enactment of security measures. It is not known if security gaps exist or the right security measures have been implemented.
Risk management approach. At senior management level, SCADA/PCS forms an integral part of risk management processes. This ensures that all informa t io n security aspects such as confidentiality, integrity, and reliability of SCADA systems, and business continuity planning are considered.
Security awareness. Human element is one of key risk factors that needs attention in the cyber-security environment. Continuous security awareness keeps employees focused. Security aware employees assist to enhance the organisatio na l security posture.
SCADA systems and networks audit. The audit process provides assurance on the security of connections between networks and SCADA systems; security status of
distantly controlled and monitored sites; reporting security incident approach; and status of security relating to physical and logical access of SCADA components.
Supply chain management policy to include SCADA systems. This enhances 24/7 availability of SCADA systems. Service providers and vendors have to be managed based on the SCM policy. After a disaster or malfunction, SCADA systems must be operating as soon as possible, and service providers could be part of the team to make the system functional again. Third parties must provide assurance that their employees are honest and reliable. Consultants working on SCADA systems must be supervised. Faulty equipment replaced by third parties may contain sensitive information. Sensitive information must be erased or the devices must be destroyed or sanitised before leaving the municipal premises.
Defence in depth. SCADA networks are separated from corporate networks and from public networks. Accessibility of SCADA from other networks is a screen with no uncontrolled access able to take place. There are firewalls, separation of networks, and an authentication process. SCADA systems are not directly connected to the Internet.
Controlled access to SCADA systems. Access to SCADA systems and networks is only available to authorised employees. It is controlled through electronic and physical controls.