1.3.1 Create snapshot of existing SCADA system

a. Document the existing SCADA system and its interfaces to external systems. The SCADA system is defined as:
   1. The computer applications and hardware used by operators to control the water treatment process
   2. The controllers to which the software applications are connected
   3. The network hardware and protocols connecting the servers and devices
   4. Related cybersecurity policies, procedures, and controls
   5. The application logging SCADA data for historical, reporting, and modeling purposes
   6. The supporting applications and hardware that compose the operating environment for the previously listed items
b. Document the software, hardware, and protocol versions and configurations of the SCADA system.
c. Document the functions and capabilities that the SCADA system provides to its user groups, including but not limited to the operations group, water quality group, the OT group, the IT group, and the data users group. This documentation should describe as completely as necessary the SCADA system’s operation and method of implementation for its user groups.

1.3.2 Requirements Elicitation

a. Elicit requirements from the SCADA-related support and user groups. Examples of the elicitation are workshops or surveys.
b. The requirements elicitation should collect, discover, extract, and define requirements that are necessary to be imposed on the future SCADA system.
c. The following subsections list topics that should be covered. The chosen firm will determine the complete list of topics and groups.

1.3.2.1 IT group

a. Elicit requirements from the IT group to determine IT and SCADA system requirements necessary for compliance with the cybersecurity framework.
b. Work with the IT group to determine IT and SCADA system requirements to posture our IT and SCADA systems to be compliant with upcoming government regulations on cybersecurity.
c. Present relevant trends and technologies related to IT security and reliability in industry.