This is how an automatic meter reading (AMR)/advanced metering infrastructure (AMI) network is configured.
Sensus This is how an automatic meter reading (AMR)/advanced metering infrastructure (AMI) network is configured.

Updated Oct. 17, 2017.

Last year, a coworker installed a “smart” HVAC system that begins cooling or heating her condo when her cellphone “tells” the boiler or air conditioner that she’s on her way home from the office. Neat, huh? She pays less for gas and electricity and feels virtuous about her environmental impact on the world.

That was the first “Internet of Things (IoT)” example that I could wrap my head around. To me, “IoT” is a marketing buzzword: Everyone’s heard of it, but no one really knows what it means. Not even the Institute of Electrical and Electronics Engineers. In fact, the organization’s 2015 document titled “Toward a Definition of the Internet of Things (IoT)” defines two IoTs: small- and large-environment.

I had the same problem wrapping my head around the “cloud.” Why not just say it’s a server farm that programmers own or rent upon which to run their software, thus saving customers the expense of buying, configuring, and hardening equivalent in-house capabilities? Put that way, the risks are easier to see: You’re vulnerable to cyberattacks on your own network as well as attacks on your vendor’s equipment and networks.

Is it likely to happen? No. Could it happen? Yes.

The Internet of Things (IoT) is a self-configuring system that interconnects objects in a way that makes them programmable and more capable of interacting with humans.

However, water utilities that migrated to automatic meter reading (AMR)/advanced metering infrastructure (AMI) have been using the IoT for years with no negative impact. Now other assets are joining the party: pumps, pipes, valves, tanks, etc. In 2011, the American Society of Civil Engineers’ “Bridging the Water Gap: Investing in America’s Water Infrastructure” estimated that main breaks, overflows, and leaky pipes will cost $147 billion by 2020, prompting utilities to raise rates by $59 billion. Wireless network providers, sensor manufacturers, and software developers are partnering like crazy on solutions that flag problems as they develop so operators can take action to keep them from happening: the Holy Grail for utility managers.

Sensus, which supplies equipment and technology, says “smart” networks can save utilities almost $13 billion a year. Utilities are identifying components that are readily accessible for instrumentation and where real-time data can deliver meaningful value. Integrate data flowing from an inexpensive sensor in a water tank with a SCADA system so control room operators can see and immediately react to system fluctuations. Analyze water quality in real time instead of sending samples to the lab. Monitor performance parameters, such as vibration, to repair something before it breaks.

These are great benefits, but not understanding potential threats is risky for government employees whose decisions will be closely scrutinized if the public is in any way endangered. In the rush to market, many manufacturers aren’t building security into smart devices. Lisa Monaco, President Barack Obama’s homeland security adviser, says it’s unlikely that Congress will ever require them to.

“Each one represents an on-ramp for bad guys,” she told American Public Works Association (APWA) convention attendees in August 2017. “You cannot make yourself impenetrable.”

Supervisory control and data acquisition (SCADA) systems are particular targets. In 2013, an Iranian computer-security company accessed the program that automatically raises and lowers the sluice gate of a dam owned by the City of Rye Brook, N.Y., via a cellular modem that processes water level, temperature, and flow sensor data. The system was offline for repair, so nothing happened. But it’s unclear whether the incident was a dry run or the hackers were targeting a similarly named structure in Oregon and missed. In 2016, the Lansing (Mich.) Board of Water & Light paid cybercriminals $25,000 to unlock its internal communications systems. Service wasn’t affected, but the board paid $500,000 of the $2.4 million spent on restoration and guards against future ransomware attacks. This year, Georgia Institute of Technology researchers proved that programmable logic controllers (PLCs) are vulnerable to ransomware.

The Importance of Cyberhygiene
An APWA attendee whose GIS had been the victim of ransomware asked whether or not to pay the ransom. Monaco says you pretty much have to, but that you may not get all your data back. (Remember: You’re dealing with criminals.) Because the benefits of real-time operational insight are too great not to explore, she offered tips that go beyond firewalls:

  • Cybersecurity isn’t an IT issue; it’s an enterprisewide risk.
  • Know what’s in and on your network so you can prioritize components and data to be protected and levels of protection.
  • Know who can access what parts of the network and how much access they have so you can look for anomalous behavior by employees, vendors, and consultants. Edward Snowden was a National Security Agency “super user” who had access to multiple programs and portals.
  • Plans often get thrown out the window during a crisis, but they’re important because employees have visualized and thought through response to various scenarios.

Fortunately, the American Water Works Association (AWWA) can help you plan for an attack. Unlike generic tools that have to be tweaked for potable water treatment and distribution, the association's Cybersecurity Guidance turns National Institute of Standards and Technology Cybersecurity Framework gobbledygook into a step-by-step process that matches control system configuration and practices to the most appropriate cybersecurity measures. It's free AND you don't have to be a member to access it. Also, the association's chapters have begun providing four-hour training on using the tool. Just what the doctor ordered!