Increasing the security awareness in the water sector is a choice of color - Will you take the blue pill or the red pill?

This paper is based upon experiences from security assessments of SCADA-systems, including assessment performed at one of Sweden's larger water facility. The paper highlights findings and examines state-of-the-practice control system models. These models are commonly employed in the water sector and provide an abstract representation of the system architecture. These kinds of models are indeed a powerful tool for the facility owners and other stakeholders that needs to understand the system configuration. However, these abstract representations are seldom aligned with the reality. They are more like a choice of blissful ignorance. This paper is like a "red pill" for your organization since it point out the sometimes painful truth about reality. It takes a closer look on some abstract representations and reveals some cases where they actually makes the world look "nicer" than it is from a security perspective. It looks nicer merely because the deficient abstract representations don't really show system weaknesses that could have critical consequences. The overall consequence is that the operator of a water facility can be deceived to believe that the security level is far better than it is in reality, simply because details of the system are not scrutinized enough in his models.
QC 20140923