Utilities Advisory Commission
Staff Report
From: Dean Batchelor, Director Utilities
Lead Department: Utilities
Meeting Date: February 7, 2024
Staff Report: 2401-2509
TITLE
Discussion of the Supervisory Control and Data Acquisition Cyber Security Update
RECOMMENDATION
Staff is informing the UAC of SCADA (Supervisory Control and Data Acquisition), Cyber Security
Updates, and Advanced Metering Infrastructure (AMI).
ATTACHMENTS
Attachment A: Presentation
AUTHOR/TITLE:
Dean Batchelor, Director of Utilities
Darren Numoto, Director of Information Technology
www.cityofpaloalto.org
Cyber Security Update
Utilities Advisory Commission
January 5, 2022
SCADA Cyber Security Update
Utilities Advisory Commission
February 7, 2024
Agenda
1.) Cybersecurity Overview and Priorities
2.) Supervisory Control and Data Acquisition (SCADA)
3.) Advanced Metering Infrastructure (AMI)
Cybersecurity Overview
Human Layer
•Humans are the primary target.
Perimeter Security
•Physical & digital security
•SCADA Access
Network Security
•Secure access to the network
•SCADA
User Endpoint Security
•Computers & mobile devices
Application Security
•Access to applications & digital infrastructure
Data Security
•Protect & secure data at rest and in transit
•Utilities
Critical Assets
•Sensitive data
•SCADA
Cybersecurity Priorities
•Organization-wide approach
•Interdepartmental dependencies
•Cross-functional teams
•Internal policies and procedures
•Data Governance
•Continual improvements
SCADA Security Overview
•Servers are on-premise
•Login requires VPN and 2-factor authentication
•Limited user access
•Multi-layer VPN, DMZ, and firewalls
•After-hours laptop for Water/Gas SCADA access only, no internet access once connected to VPN.
•Utilities SCADA Cybersecurity Red Team.
•Manual override mode: Isolate SCADA from network access.
•Disaster recovery (within 48 hours)
•Planned: Perimeter Security Enhancements, SCADA device upgrades
AMI – Security Overview
•Enterprise DC – DMZ, VPN, Firewalls
•OS/App hardening, patching, EDR
•Remote access requires multifactor authentication
•Role based access control
•Intrusion detection/prevention, auditing/logging, SIEM
•Message encryption, HSM
•256-bit encryption
Q&A