Open Secure Plant Migration | WWD – Water & Wastes Digest

Migrating from legacy system to modern controls

The PLCs that the East Cherry Creek Valley (ECCV) Water & Sanitation District had been using to control the potable water treatment facilities and pump stations that supplied water to 50,000 people in the Denver suburbs were becoming obsolete. It was time for an automation upgrade and the utility’s operations managers saw this as an opportunity to deepen cybersecurity protection, as well.

“Like most other public utilities, we must adapt to an ever-changing world and that includes cybersecurity,” said Shay Geisler, I&C administrator for ECCV Water & Sanitation District. “We’ve always had robust physical security and required usernames and passwords for access to critical systems and controls, but we saw the world around us changing quickly. Many of today’s automation technologies are not as secure as they could be because they were developed long before security was a major issue in the industry. Most of the security added to them was an afterthought.”

SCADA network
Figure 1: Bedrock OSA remote control units provide a secure proxy server between the data concentrators and the SCADA server.

Legacy System

ECCV’s existing plant control architecture was comparable to what many municipal water systems use: a dedicated Windows Desktop or Windows Server OS. The top end SCADA software system is housed on a dedicated Windows desktop or server along with a communications driver, in this case an OPC Server that speaks to the PLCs via legacy Bristol Standard Asynchronous/Synchronous Protocol (BSAP) and to some Ethernet IP devices.

Data concentrators sat above the PLC network to help manage data communications and aggregation across a serial radio network involving about 80 sites running a mixture of RTU and PLC types and generations. These radios functioned like firewalls separating the SCADA Network and the PLCs in the field, but signals were not encrypted.

“We knew security could not be limited to the SCADA software only,” Geisler said. “There were too many downstream systems and assets that, if left untouched, would present a huge vulnerability. We determined that the vast majority of these potential vulnerabilities could be solved by addressing the PLC and SCADA communications system.”

Figure 2: Bedrock control modules in ECCV enclosure.

Geisler and his team decided it had to focus on securing three communications paths: SCADA software to PLC; PLC to PLC; and the radio network.

The team explored several strategies to secure those communications, including adding firewalls and network cloaking, but ultimately determined that getting the depth of security needed required upgrading the PLCs, RTUs and network radio. Working with automation solutions supplier Process Control Dynamics and system consultant RSI Company, ECCV chose Bedrock Automation’s Open Secure Automation (OSA) to provide PLC/RTU functionality because of its intrinsic security along with a new ethernet radio solution to provide high data encryption capabilities.


Software Upgrade

Supporting the new capabilities required upgrading the current 32-Bit SCADA Software to a 64-Bit solution, which enabled ECCV to leverage the latest Windows Server and Windows-10 based OS capabilities.

“Just upgrading the software provided a much higher level of confidence within both our IT and OT Departments,” Geisler said. “We also gained valuable operational features and functions, along with many new and powerful security features in the SCADA software itself. This addressed some of the security issues we had with our legacy systems, but it was not enough. We still saw those possible security holes downstream of the SCADA System and we wanted to address those.”

Geisler and his team concluded that the most secure and cost-effective approach would be to connect the SCADA network and control networks with a secure communications channel. However, fully implementing this would have required ripping and replacing the entire system, which would have been costly and would require significant disruption of operations. Instead, ECCV adopted a phased-in approach, which began by deploying Bedrock OSA remote control units as a secure proxy server between the data concentrators and the SCADA server.

“A cyber-secure data concentrator functions as a proxy server that secures communications from the SCADA software and the PLC network,” Geisler said. “Downstream the data concentrator speaks BSAP or Modbus directly to the existing unit in the field, as well as some Ethernet/IP for smart devices.”

Because the OSA remotes support BSAP, the utility could continue communicating with its remaining legacy devices while transitioning to new controls, this avoided any significant interruption of service.

Figure 3: Flow chart of security measures with the OSA system.

Moving Downstream

The next phase was to secure a direct connection between the SCADA software and the well sites, the pump stations and the water treatment facilities. This would be done with PLCs and controllers that have intrinsic cyber security along with new Ethernet radios. Covering so many input and output (I/O) points — roughly 9,000 — required scaling to a Bedrock OSA platform that scales infinitely through the addition of 5, 10 and 20 control module racks, depending on the number of I/O at each site.

With these Bedrock units installed, the utility can leverage new SCADA features that extended a root of trust from the PLC controllers to the HMI/SCADA System, thereby limiting all communications with the PLC/controllers to certificated programs and users only.

This enabled the district to execute standard IT certificate practices such as time limitation, revocation, etc. to individual users or groups with ease. The result is secure, certificated communications from the SCADA software all the way down to the remote PLCs and RTUs.

Figure 3 above shows the target completed architecture. The 64-bit SCADA software connects directly and securely to a peer-to-peer network of scalable Bedrock OSA control systems connected with an encrypted radio network.


The intention was to complete the final architecture within five years, but COVID-19 related delays may extend this. As the team builds the system out, ECCV has the option to keep the OSA remote concentrator/proxy nodes in place or remove them because the system will be secure all the way to the field level PLC and RTU devices. This is one of the advantages to transitioning in this manner. The district is now evaluating the operational pros and cons of the data concentrator model and will decide later on, but either way, it will not break the security model. Geisler feels that the plant is well-equipped to weather the next round of changes.

“We expect the technology for industrial systems to be ever evolving and improving. With this open architecture and technology, we will be able to continually improve and upgrade as we need to, so we don’t have to face this type of wholesale transition again,” Geisler said, adding that ECCV expects to get more than 30 years of useful life from the new PLC and RTU systems, and because Bedrock manufacturers most of its own chips and controls its secure supply chain, the company offers a non-obsolescence policy if maintenance requires new hardware.

Source of this news:

Related posts:

Home's windows 11 Receives April 2022 Security Update KB5012592 and also Wccftech
Microsoft has released mandatory Patch Tuesday features for Windows 11. Recognized the "B" release, the several update focuses on security immobile and improvements. Windows 11 KB5012592 (Bui...
What to do if the camera keeps spinning in Valheim -
by Sinziana Mihalache Author Sînziana loves getting people to better understand products, processes, and experiences beyond a simple user guide, either in writing or making use of images...
How to wreck Nelson Mandela's legacy - POLITICO - Politico
Send tips and thoughts to [email protected] or follow Ryan on Twitter. EMBASSY ROW — BIDEN’S REAL THINKING BEHIND HARTLEY NOMINATION FOR U.K. AMBASSADOR: Friday’s headlines about the White House...
Become S-1/A F45 Training Groupe - StreetInsider. com
Promotional Assimilation In connection with the MWIG investment decision, on March  15, 2019, we entered into the Resources Agreement with Mark Wahlberg, a member of our board including ...
Proxy vs. VPN: What's the Difference? Proxy vs VPN: Find out Which is Better - Sprout Wired
Today, people spend a lot of their time online. They use the Internet for work, fun, and communication. This means that a lot of our private data is collected each time we go online which can le...
Best Endpoint Security and EDR Tools for MSPs - Channel Insider
Whether they want to or not, Managed Service Providers (MSPs) are being forced to pick up more and more security functions. An endless stream of malware attacks followed by the recent rash of ransomw...
How to Unblock YouTube - How-To Geek
Alex Yeung/ YouTube may be blocked for multiple reasons. Individual videos are sometimes region-blocked in some countries, while the entire YouTube website is blocked in some countri...
1 / 4 of UK Parents Apply Content Filters from High speed ISPs - ISPreview. corp. uk
A new Ofcom report has found that 61% of parents are aware of the existing network-level internet filtering (Parental Control) tools provided by big U broadband ISPs, yet singular 27% have a...
N-vidia deflates God of A huge PC and Half-Life regarding Remastered rumors, says leaked data was 's...
Rumors of a Half-Life second remaster and a God relating to War PC port moving spreading on Monday wedding and reception contents of an Nvidia applications leaked. Don't get too restless, though:...
The meaning of proxy server because why you should use it - Techstory
A proxy — is a server that runs between the patient and the web, encrypting actual address of a client. It can benefit to prevent cyberattacks, protecting registered users from malware and ann...
Capitol, symbol of democracy, off-limits on Independence Day on the list of New York Daily News
“What has become heartbreaking about it is that the Capitol has been forever our symbol of democracy — going through through the Civil War, implies of world wars, through strife of all kinds, ” s...
Nasty Malware Targeting Linux Computer hardware - Tech Gaming Have
A new class of malware just appeared in addition to the attacks systems running by Linux . Malware lurks in legitimate-looking Linux utilities and provides hackers stolen oscilloscopes...
Court Awards Proxy Server Connections $7. 5M In IP Win Over Rival - Law360
By Sawzag Simpson (November 5, 2021, 11: 47 PM EDT) -- A Texas federal government jury ruled that a Lithuania-based proxy server network managed knowingly infringe patents toted by an Israeli pla...
Lincoln Star Concept: Could a sport tourer be in Lincoln's electric future? - Yahoo Entertainment
Lincoln unveiled Wednesday at an event in Hollywood its first fully electric concept vehicle: The Lincoln Star Concept, a crossover that looks a lot like a Corsair or Nautilus crossover with a longer...
What's Microsoft Defender for Identity and Why Should I Use It? - Virtualization Review
What's Microsoft Defender for Identity and Why Should I Use It? By Paul Schnackenburg02/28/2022 As the threat of increased cyberattacks looms, many businesses are looking at different tools to ...
10 of the best Best (and Worst) Browsers for Privacy - WRCB-TV
Larger-than-life is a unique, secure web browser that streets ads, trackers, fingerprinting, cryptomining, and more. Epic routes every one of the web traffic through a proxy host that automatic...
2020 Best proxy server - Business MattersBusiness Matters
@media screen and (min-width: 1201px) { .sekcc6121a152d954e { display: none; } } @media screen and (min-width: 993px) and (max-width: 1200px) { .sekcc6121a152d954e { display: none; } } @media screen...
New Bug Could Let Attackers Hijack Zimbra Server by Sending Malicious Email - The Hacker News
Cybersecurity researchers have discovered multiple security vulnerabilities in Zimbra email collaboration software that could be potentially exploited to compromise email accounts by sending a malici...

IP Rotating Proxy Onsale


First month free with coupon code FREE30