IoT and Security: What does it mean for the water industry
Take a close look at any water utility's system, and it's easy to see that all kinds of small devices - from central operations to the most remote flow controllers in the field - now access the Internet independently.
By Randi Minetor
Take a close look at any water utility’s system, and it’s easy to see that all kinds of small devices - from central operations to the most remote flow controllers in the field - now access the Internet independently.
These Internet-of-Things (IoT) devices may gather data in the field and send the information back to the operations center or they may connect to a field technician’s smartphone, tablet or laptop to download information on a periodic basis. The device itself may log directly into an online network and transmit data via Wi-Fi or cellular service. If it plugs into a technician’s device, that person may collect the data and transmit it the next time he or she logs into a Wi-Fi service. Either way, all of these devices make some kind of connection to a wide area network... and when they do, water utilities may become vulnerable.
“The biggest problem with connecting various devices to your enterprise or industrial control system is that they may carry viruses or malware,” warned Michael Arceneaux, managing director of the Water Information Sharing and Analysis Center (WaterISAC). “They may have been picked up because you clicked on an email or carried it on your USB stick. These devices, even when they’re just plugged in to power up, can transfer these viruses.”
Viruses can do more than slow down or damage a system, Arceneaux said. “A virus can contain ransomware, which can lock up or destroy business information, making doing business impossible until information can be restored. Or it can contain malware that can ‘phone home,’ so to speak, and invite hackers to come in.”
This may sound like paranoid science fiction but a scenario like this took place late in 2015 in the Ivano-Frankivsk region of Western Ukraine. A hacker suddenly took over the entire electrical power grid late one evening, shutting down substations in three different power distribution centers while blocking the operator on duty from using his own computer. The attack left more than 230,000 people without power. Investigators discovered that the attackers were “skilled and stealthy strategists who carefully planned their assault over many months, first doing reconnaissance to study the networks and siphon operator credentials, then launching a synchronized assault in a well-choreographed dance,” noted cybercrime writer Kim Zetter in her coverage for Wired magazine.
So far, a hacking event of this magnitude has not taken place in the water industry, but with so many devices seeking connectivity with public networks, many experts feel that it’s only a matter of time.
Small Devices, Big Issues
“Smart systems are about data,” said Alan H. Vicory, Jr., PE, BCEE, a principal with Stantec Consulting and an expert in the water management industry. “Water utilities need real-time control, the ability to know what the system is doing at any moment in time and have the system adjust itself according to what the needs are or what the risks are.”
Having real-time information means that each device must transmit its data at regular intervals or on demand - and the most efficient and cost-effective way to move this data is over the Internet.
“All you have to do is walk into any large or moderate-sized wastewater plant command center and all you see are computers,” said Vicory. “In our industry, the concerns about security are understandable and legitimate.”
Can a hacker really get into a municipal water system through the Wi-Fi connection on a flow meter? It’s a distinct possibility, said Aravind Yarlagadda, vice president of portfolio strategy and marketing for Schneider Electric, maker of software and measurement, instrumentation, and control devices for the water and power industries.
“The proliferation of devices means we have to think about protection of assets, both from a hardware and from a software point of view,” he said. “The devices are both inside and outside the enterprise, so even if the network is protected, data that you get from a device could be tapped into. Data starts from the device and goes to the wireless network, and then out to the plant enterprise, and then to the enterprise historian. Then it may be in the cloud, which introduces new dimensions of security - or lack thereof.”
Schneider Electric addresses these security issues by hiring hackers of its own - experts at Sandia National Laboratories and Lawrence Livermore National Laboratory - to break into the software and find its vulnerable points. “With the penetration testing that we do, we make sure our software is secure,” said Yarlagadda. “But there are many ways to break software now.”
The software in many devices may be built using open platforms - software systems that use published and fully documented programs that are open for any developer to use free of charge. Just as a developer can use this platform to enable the device to gather data and talk to many other devices, so can a hacker use the same platform to write code to break into that device.
“It’s not the quality but the diversity of platforms,” Yarlagadda said. “There is no standardization when it comes to security.”
Water Quality, Potability at Risk
What kind of damage could a major hack inflict throughout a water system? One of the biggest concerns is the manipulation of the system, turning the water network against itself to change the water in dangerous ways.
For example, a skilled hacker who is familiar with the water system could override the established amounts of chemicals that are added to the water for purification, either preventing one of these chemicals from being added or adding too much. A higher-than-normal dose of chlorine, for example, could poison residents who drink the water.
|VL Flow Control’s demand control valve, shown here installed, has a water quality sensor that takes a reading every fifteen seconds, looking for contamination, irregular amounts of chemicals, and bacterial threats.|
Craig Stanners, founding partner of IVL Flow Control - a designer of water networks based in the United Kingdom - is working to put systems in place to keep the most dire predictions from happening. “We expect terrorists to do the kinds of things happening in France and other countries around the world,” he said, “but a terrorist could just as easily be a teenager with a laptop. We have always seen the threat to be someone putting something into the water supply. Now someone with a Wi-Fi connection can up the dosage of what the water company is already using. We’re taking the lead in this because we are very, very concerned about terrorism.”
IVL Flow Control builds elements into its systems to maintain the security of the water supply, including a demand control valve with a water quality sensor that has built-in parameters. The sensor takes a reading every fifteen seconds, looking for contamination, irregular amounts of chemicals, and bacterial threats. “We relay that information back to the control room or to a PDA [personal digital assistant], and they can override it using SCADA,” said Stanners. “Then the network can be re-adjusted to close off that supply, and other networks can be used to support the required demand.”
Vicory added a global perspective. “We’re less worried than we used to be about someone walking up and pouring botulism into a major water supply’s source water,” he said. “That’s not low-hanging fruit for terrorists - we have cameras and water intake sensors. But we have other risks that are clear and present; we’ve started thinking this through.”
A Work in Progress
The potential IoT has for opening new avenues to cyber attack has not reached top-of-mind awareness for most water utilities, said Cynthia Finley, director of regulatory affairs for the National Association of Clean Water Agencies (NACWA).
“Larger utilities have the staff to deal with security, and they have in-house expertise and the ability to update their security infrastructure regularly,” she said. “Smaller utilities usually don’t have these resources. A lot of awareness needs to be raised and resources need to be made available to them.”
One such resource is WaterISAC (www.waterisac.org). Established in 2002, WaterISAC draws its resources from the U. S. Department of Homeland Security, the FBI, intelligence advisors, the U.S. Environmental Protection Agency and other public and private sources. It keeps its members - drinking water and wastewater utilities, consulting and engineering firms and other agencies and organizations that support utilities - informed about potential threats and risks to water infrastructure from hazards including terrorism, cyber crime, and intentional contamination. It also provides members with mitigation and recovery best practices.
The National Institute of Standards and Technology (NIST) offers a guide for improving cybersecurity at the infrastructure level. Produced in 2014, the Cybersecurity Framework provides a voluntary, standards-based method for assessing and improving cybersecurity practices. It’s one of several resources available from the American Water Works Association’s cybersecurity guidance page.1 In addition, AWWA has its own Cybersecurity Guidance information for the water and wastewater industries, available at www.awwa.org/cybersecurity.
“Employee training is also key,” added Arceneaux. “Explain to employees how they can accidentally download malware, how they can avoid it, and how to use smart mobile devices in a secure manner. They need to know what can and can’t be downloaded onto the network. Teach them what is okay and what is not.”
About the Author: Randi Minetor is a freelance writer and author based in upstate New York.
1. American Water Works Association, “Cybersecurity Guidance & Tool,” www.awwa.org/resources-tools/water-and-wastewater-utility-management/cybersecurity-guidance.aspx.