Data Security

July 23, 2019
Strategies for protecting water data

Hand-generated log sheets in the field are increasingly being replaced with AMI technology, which is creating time and financial efficiencies for water utilities. It also creates the need to maintain data security.

“Having data online is a far superior solution to hand-generating log sheets,” points out Keith Frazier, president of BirdNest. “But it requires a certain amount of diligence on the part of the users.”

BirdNest is a Software as a Service (SaaS) offering designed to give the water and wastewater industry smartphone-based data collection devices integrated with a hosted data management and automated reporting system to replace handwritten field logs.

Its purpose is to help water operators decrease operational costs, improve data accuracy, respond more quickly to incidents, and minimize non-compliance risks.

The data comes through cellular networks to the Internet where it is gathered into the BirdNest database and served back up to an office through a browser for end-users to access reports and log sheets.

“We gather data in the field, digitize it, and hand it back to the end-user in any format location needed,” says Frazier.

Keeping that data secure is based on both provider and user strategies, says Frazier.

Provider strategies focus on using a secure https website and mobile apps, he says. “We don’t encrypt as encryption might be envisioned, but since BirdNest is a proprietary service, an account with us is not open context.”

“Water data tends to be redundant, production-style data,” adds Frazier. “We’re not transmitting financial or contract-type data. It’s a data string without any identifiers on it that we are popping on XML. If you were to interrupt the stream, you could probably capture the string, but it wouldn’t mean anything to you. It would be just a long string of numbers.”

Users must have login credentials before receiving the data in a pre-set, pre-agreed format.

“You can’t get into the browser except through the front door and then you can’t go from page-to-page without credentials,” says Frazier.

Environmental Development Partners (EDP), a contract water and wastewater utility operating company, serves more than 200,000 customers in the Houston, TX, area in the residential and commercial sector and uses BirdNest software for its facility logs as well as for some internal process controls.

Mary Domask, a senior compliance analyst for EDP, notes that the company started using BirdNest for some of its chemical standards “so that we know the devices we use in the field for chemical testing are adequately calibrated.”

To ensure data security, EDP always uses the most current BirdNest version, says Domask.

“We occasionally have password changes, but most importantly one of those things that’s nice about BirdNest is the user names are randomized, so it’s not something as simple as the operator’s first name and last name,” says Domask. “Having randomization and credentials is nice.”

Frazier says from what he has observed in the industry in general, “password security is still pretty poor. Most end-users do a very good job of credentialing. There are very few policies out there on updating, refreshing, and changing passwords. I still see 1234 come in as a password.”

His company will occasionally send a message to an end-user suggesting a password change.

“There’s going to be some level of human error that you can’t guard against,” adds Domask. “It can be hard to control everything people in the field do. But you can encourage a good understanding. You can encourage people using their work phones to use them only for work purposes and treat sensitive information appropriately. It’s not just handing out your user name and password to everyone.”

Another potential weakness is poor awareness of the need to take caution before opening an email.

“Just because somebody sent you an email, be very careful about where it came from before you open it,” he emphasizes. “If somebody goes in and steals your credentials, it makes it very hard for service providers like BirdNest to protect you if you shared your password with somebody else. That to me is the singular big issue.”

Jason Bethke, president and chief growth officer for FATHOM, notes that the fragmentation of the water industry means that protecting data cannot be executed in the same fashion as it is in large-scale industries such as banking and telecommunications.

“Things like data security and hosting become a significant burden to each individual water utility,” he says. “The best way through that is to adopt some of the tools that allow the public sector to scale, which is in partnership with some of the private sector activities.”

That would include managed services, such as those FATHOM provides, that include a combination of the software, hardware, and services necessary to deliver the outcomes that communities seek, he says.

FATHOM designs and develops SaaS-based solutions for the water industry and owns and operates water and wastewater utilities. The company’s Smart Grid for Water is designed to transform utility data into information needed to increase revenue, decrease costs, and improve customer service.

Bethke says he encourages water utility managers to focus more on outcomes than securing the “latest and greatest product for things like cybersecurity.”

“That’s the way we as a water sector are going to be able to tackle the problem of cybersecurity and technology as we scale, because it’s changing so rapidly,” he adds. “There isn’t one that you’re going to buy today that is going to be perfect in five to ten years, which is typically the scale that we as water utilities tend to think about.”

Bethke adds that the water utility sector has historically been infrastructure-focused “and technology is changing far more rapidly than that. If you want to have a good cybersecurity program, then really focus on the outcome and find the partners who can continually bring the latest products to bear, but in a services way, so then you as a city aren’t always having to buy the next thing. You let that cost be shared by the organizations that can provide some scale.”

Bethke concurs that in-house training by water utilities is important for keeping security tight.

“It goes to the point of people opening up attachments,” he says. “We’ve all heard stories of communities being shut down while they deal with ransomware issues. There is a training activity that has to happen. There are data systems that need to be put in place. There are security systems that need to be put in place. If we all try to figure that out by ourselves, we are never going to stay ahead of the hackers and the various actors out there who mean to cause us harm.

“Just keeping a record and knowing that you put that in front of everybody on a consistent basis and trained everybody is critical to solving the issue as well,” he adds. “It is a partnership between someone who can claim the expertise and provide the shared service so the utility doesn’t have to spend as much money and also the actions of the utility to commit to making this a priority.”

Bethke notes that AMI is the gateway to smart cities.

“We are doing a lot of smart city and security in the water sector because that’s where a lot of the financial benefit is,” he says. “The AMI data is being combined with the customer data and is being communicated out to those customers. Suddenly, the AMI data provides a pathway to customer records and financial records and as you move forward, those systems are going to get closer together and become a larger target for the cybersecurity issue.

“In that way, partnering with companies that do that specifically is a good pathway for communities to resolve the issue, not to mention just simply transferring the risk away from the city and onto a third party.”

About the Author

Carol Brzozowski

Carol Brzozowski specializes in topics related to resource management and technology.
