Securing wastewater facilities from accidental and intentional harm: A cost-benefit analysis

https://doi.org/10.1016/j.ijcip.2013.05.002

Abstract

It has been widely reported that industrial control systems underpinning critical infrastructures ranging from power plants to oil refineries are vulnerable to cyber attacks. A slew of countermeasures have been proposed to secure these systems, but their adoption has been disappointingly slow according to many experts. Operators have been reluctant to spend large sums of money to protect against threats that have only rarely materialized as attacks. But many security countermeasures are dual-use, in that they help protect against service failures caused by hackers and by accidents. In many critical infrastructure sectors, accidents caused by equipment failures and nature occur regularly, and investments for detecting and possibly preventing accidents and attacks could be more easily justified than investments for detecting and preventing attacks alone. This paper presents a cost-benefit analysis for adopting security countermeasures that reduce the incidence of sewer overflows in wastewater facilities. The paper estimates the expected annual losses at wastewater facilities due to large overflows exceeding 10,000 gallons using publicly-available data on overflows, cleanup costs, property damage and regulatory fines. Also, it estimates the costs of adopting security countermeasures in wastewater facilities in eight large U.S. cities. The results of the analysis indicate that, in many cases, even a modest 20% reduction in large overflows can render the adoption of countermeasures cost-effective.

Introduction

Supervisory control and data acquisition (SCADA) systems and industrial control systems (ICSs) are widely used to control systems such as water supply systems, wastewater collection and treatment facilities, refineries, oil and gas pipelines, factories, ships and subways. These systems have evolved from direct human control to computer-based control over the last several decades. Once computer-based control became common practice, a migration from proprietary to standards-based systems, protocols and interfaces occurred. Today, many systems have adopted standard wireline and RF physical interfaces, and the TCP/IP protocol is commonly used to move command and status messages within these systems. To ease management, the trend has been to connect these control networks to company intranets, which are normally connected to the Internet.

Unfortunately, SCADA systems and ICSs were not designed to defend against even the simplest network attacks. Operational commands, controller software updates, and operational status messages are not authenticated [32]. As a result, these systems are vulnerable to command injection [9] and middle-person attacks [18]. A programmable logic controller (PLC) attack was at the heart of the Stuxnet virus that targeted Iranian uranium hexafluoride centrifuges [15]. Effectively, Stuxnet used a middle-person attack to change the PLC logic to report normal centrifuge operations to plant operators while issuing control commands that damaged the centrifuges.

Research efforts focused on control systems security typically take for granted that an attack will occur and instead focus on adopting security countermeasures to thwart attacks. However, attacks have been so rare in practice that asset owners and operators are reluctant to invest in adequate defenses. This paper studies one particular critical infrastructure sector – wastewater collection and treatment systems – and investigates whether the expense of security countermeasures can be justified, provided that they can also be used to prevent accidents as well as attacks. The wastewater sector is selected precisely because the intended effect of a cyber attack is the same as a relatively common failure mode – a sewer overflow. Furthermore, systems for detecting malicious overflows in wastewater systems can also detect accidental ones.

The next section, Section 2, outlines the threat model for wastewater facilities and explains how security countermeasures can be deployed in a representative system to detect and prevent sewer overflows. Section 3 presents a framework for calculating the expected costs of large sewer overflows. Detailed public data from the California Water Board is used to estimate the incidence of large sewer overflows. Reports of legal settlements are collated to estimate the cost of property damage, and EPA data on Clean Water Act violations are examined to estimate the cost of regulatory fines as well as the probability of drawing the ire of regulators. Also, an estimate for the cost of comprehensive security countermeasures is provided. Section 4 presents a cost-benefit analysis based on the findings discussed in Section 3. The net expected utility is assessed by comparing the costs with the benefits of experiencing fewer overflows. Because wastewater facilities vary greatly in complexity, a detailed analysis is provided for facilities in eight U.S. cities, with the results demonstrating that some cities are likely to view the costs as acceptable whereas other cities will not. Section 5 reviews related work in the field and Section 6 discusses key limitations of the analysis and outlines opportunities for future research.

Section snippets

System model

This section describes the threat model for wastewater facilities considered in this paper. It explains the countermeasures that have been proposed and how a representative wastewater facility may be secured using the available countermeasures.

Empirical estimation of expected sewage overflow costs

A number of costs are incurred when a wastewater facility experiences a sewer overflow. We follow the approach of Anderson et al. [2] and divide these costs according to the direct losses experienced by the facility, indirect losses imposed on society, and defense costs that mitigate SOs. Direct losses associated with an overflow incident include cleanup costs, collateral property damage (buildings/environmental/property), regulatory fines and penalties, and adverse health impacts sustained by

Cost-benefit analysis

Having estimated the various costs associated with sewer overflows and the associated countermeasures, we are now in a position to evaluate the effectiveness of the countermeasures. We can calculate the current expected annual loss by inserting the empirically-derived estimates into Eq. (1). Upon doing this, we find that ALE0=$217,675 for a utility managing 1300 miles of sewer lines, the average for large U.S. cities. Fig. 3 (left) plots the expected annual loss ALE0 as a function of the number
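The cost decomposition above (direct losses: cleanup, property damage, and regulatory fines weighted by the likelihood of enforcement) and the break-even reasoning from the abstract (a 20% reduction in large overflows can already pay for the countermeasures) can be put into a small model. The following is an added example, not the paper's code and not its Eq. (1), which is not reproduced on this page. Only two inputs come from the page: ALE0 = $217,675 for a utility with 1300 miles of sewer lines, and the 20% reduction scenario. The loss-profile numbers, the countermeasure capital and operating costs, the 10-year horizon and the 5% discount rate are constructed assumptions chosen to show the mechanics, and the capital recovery factor used to annualize a one-time purchase is a standard engineering-economics formula, not something the paper specifies.

```python
"""Cost-benefit model for overflow-reducing countermeasures (added example).

Not the paper's code. ALE0 = $217,675 and the 20% reduction scenario are
taken from the paper's text; every other number below is a constructed
assumption used to exercise the model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class OverflowLossProfile:
    """Per-incident direct losses for a large (>10,000 gallon) overflow."""
    cleanup_cost: float        # cleanup, $ per incident
    property_damage: float     # expected collateral property damage, $ per incident
    fine_if_enforced: float    # regulatory fine when regulators choose to act, $
    p_enforcement: float       # probability an incident draws a fine

    def expected_loss(self) -> float:
        """Expected direct loss per incident; the fine is weighted by enforcement probability."""
        if not 0.0 <= self.p_enforcement <= 1.0:
            raise ValueError("p_enforcement must be in [0, 1]")
        return (self.cleanup_cost + self.property_damage
                + self.p_enforcement * self.fine_if_enforced)


def annual_loss_expectancy(incidents_per_mile_year: float, sewer_miles: float,
                           profile: OverflowLossProfile) -> float:
    """ALE = expected number of large overflows per year x expected loss per incident."""
    expected_incidents = incidents_per_mile_year * sewer_miles
    return expected_incidents * profile.expected_loss()


def annualize(capital_cost: float, annual_opex: float, years: int,
              discount_rate: float) -> float:
    """Spread a one-time capital cost over `years` with the capital recovery factor, then add opex."""
    if years <= 0:
        raise ValueError("years must be positive")
    if discount_rate == 0:
        return capital_cost / years + annual_opex
    growth = (1.0 + discount_rate) ** years
    crf = discount_rate * growth / (growth - 1.0)
    return capital_cost * crf + annual_opex


def net_annual_benefit(ale0: float, reduction: float,
                       annual_countermeasure_cost: float) -> float:
    """Avoided expected losses minus the annualized cost of the countermeasure."""
    if not 0.0 <= reduction <= 1.0:
        raise ValueError("reduction must be a fraction in [0, 1]")
    return ale0 * reduction - annual_countermeasure_cost


def breakeven_reduction(ale0: float, annual_countermeasure_cost: float) -> float:
    """Smallest fractional reduction in overflows at which the countermeasure pays for itself."""
    if ale0 <= 0:
        raise ValueError("ALE must be positive")
    return annual_countermeasure_cost / ale0


def paper_scenario() -> dict:
    """Evaluate the page's ALE0 against a constructed countermeasure cost."""
    ale0 = 217_675.0                      # from the paper: 1300 miles of sewer line
    # Constructed assumption: $150k capital, $10k/yr operations, 10-year life, 5% discount rate.
    annual_cost = annualize(150_000.0, 10_000.0, years=10, discount_rate=0.05)
    return {
        "ale0": ale0,
        "annual_countermeasure_cost": annual_cost,
        "breakeven_reduction": breakeven_reduction(ale0, annual_cost),
        "net_benefit_at_20pct": net_annual_benefit(ale0, 0.20, annual_cost),
    }


if __name__ == "__main__":
    # Constructed loss profile: shows how ALE is built up from its components.
    profile = OverflowLossProfile(cleanup_cost=20_000.0, property_damage=50_000.0,
                                  fine_if_enforced=100_000.0, p_enforcement=0.1)
    print(f"expected loss per incident: ${profile.expected_loss():,.0f}")
    print(f"ALE for 1300 miles at 0.002 incidents/mile-year: "
          f"${annual_loss_expectancy(0.002, 1300, profile):,.0f}")
    for key, value in paper_scenario().items():
        print(f"{key}: {value:,.3f}")
```

The break-even reduction is simply the annualized countermeasure cost divided by ALE0; with the constructed cost figures it comes out near 13.5%, so the paper's 20% scenario clears it, whereas a utility with far fewer sewer miles (and so a smaller ALE0) would need a larger reduction to justify the same spend. Swapping in a city's own overflow rate, loss profile and vendor quotes is the whole exercise.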

Related work

Critical infrastructures are susceptible to disruption. While failures triggered by accidents and acts of nature have long presented a challenge, during the past decade researchers and practitioners have become cognizant of the threats posed by malicious parties with regard to exploiting vulnerabilities in industrial control systems [11]. The vulnerabilities in control systems affect a broad range of industries, including electric utilities, refineries and wastewater facilities.

Researchers have

Conclusions

Detecting non-malicious failures could make security countermeasures economically viable for wastewater facilities. Absent improved failure detection mechanisms, we estimate that the expected annual loss due to sewer overflows exceeding 10,000 gallons is approximately $200,000 for U.S. cities with populations exceeding 100,000. The cost to a utility depends on the complexity of its wastewater facility. Some utilities will find that investing in security mechanisms that improve early detection

References (34)

  • V. Igure et al., Security issues in SCADA networks, Computers and Security (2006)
  • M. Abrams and J. Weiss, Malicious Control System Cyber Security Attack Case Study: Maroochy Water Services, M. Abrams...
  • R. Anderson, C. Barton, R. Böhme, R. Clayton, M. van Eeten, M. Levi, T. Moore, S. Savage, Measuring the cost of...
  • R. Anderson et al., The economics of information security, Science (2006)
  • R. Böhme et al., Economic security metrics
  • California Sanitation Risk Management Authority, Pooled Liability Program Committee Agenda, San Francisco, California...
  • California Sanitation Risk Management Authority, Member Directory, San Francisco, California...
  • S. Cheung, B. Dutertre, M. Fong, U. Lindqvist, K. Skinner and A. Valdes, Using model-based intrusion detection for...
  • Environmental Protection Agency, Environomics, Benefits of Abating Sanitary Sewer Overflows (SSOs), U.S. , Washington,...
  • W. Gao, T. Morris, B. Reaves, D. Richey, On SCADA control system command and response injection and intrusion...
  • Globe Business Publishing, Lexology, London, United Kingdom...
  • LawyersandSettlements.com, Knoxville Utilities Board, Santa Cruz, California...
  • O. Linda, T. Vollmer, M. Manic, Neural network based intrusion detection system for critical infrastructures,...
  • M. Majdalawieh et al., DNPSec: Distributed Network Protocol Version 3 (DNP3) security framework
  • P. Marks, Stuxnet Analysis Finds More Holes in Critical Software, New Scientist, March 25,...
  • S. Papa, W. Casper, S. Nair, Availability-based risk analysis for SCADA embedded computer systems, Proceedings of the...
  • S. Papa, W. Casper, S. Nair, Placement of trust anchors in embedded computer systems, Proceedings of the IEEE...