How safe are public utilities?
From obvious risks like burst pipes or a power grid failure caused by severe winter weather in Texas to the water system hacking breach in Oldsmar, Florida, reliable and secure public utility services require constant vigilance.
More sophisticated technology drives the need for trained professionals at the controls. Investment in hard infrastructure, current technology and trained people creates a three-legged approach to service safety and, ultimately, success.
“It’s an investment in infrastructure, in technology and in people,” said JT Hand, president and CEO at The York (Pennsylvania) Water Company, a private water and wastewater utility.
Professionals said the best response to avoid utility disruptions is concerted and holistic – whether a breach is prompted by Mother Nature or malicious hackers.
In Florida, remote access by employees – meant to keep the Oldsmar system running smoothly – left the water supply vulnerable to hackers on February 5, a Scientific American website report said.
It was the trained operator, who saw and responded to the hacker’s remote attempt to poison the water for about 15,000 customers, that saved the system from potentially catastrophic consequences.
Remote access to such systems is where the potential for cybercrime arises.
“The larger number of people now working remotely has expanded the number of possible avenues for cyber-attacks and further emphasized the need for constant vigilance by everyone,” said Pennsylvania Public Utility Commission Chair Gladys Brown Dutrieuille.
She said regular conversations and information sharing about cybersecurity and cyber threats to utilities include reviews of incidents and events on the national and global stages.
The PUC had issued a cybersecurity advisory to regulated water utilities in Pennsylvania because of preliminary information about the event in Florida, including recommendations about “strong cyber hygiene.” The report also recommended a cybersecurity and physical risk assessment of critical infrastructure at utility plants.
“Every PA PUC regulated utility is required to have a cybersecurity plan for their operations… because a cyber threat that appears in one sector may be part of a broader effort to penetrate another type of utility or business,” Dutrieuille said.
The state Department of Environmental Protection’s Bureau of Safe Drinking Water monitors water purity in the commonwealth. Those municipal operators and authorities outside the PUC’s jurisdiction also have cybersecurity countermeasures in place.
“They have not reported any significant issues,” Dutrieuille said.
Providing and sharing information about developing cyber threats and connecting utility companies with resources is another role the PUC serves. Hand said the convenience and efficiency of digital technology – including remote access by plant operators into systems for regular monitoring – is part of its Achilles’ heel.
“These cyber actors are sophisticated and good at what they do. They find and then exploit those vulnerabilities,” he said.
A proactive approach
Being proactive, thinking ahead and protecting against vulnerabilities, as well as continued facility investments, is the best approach. Being prepared means ensuring there are no single-point-of-failure gaps for a cybercriminal to exploit.
High-tech Supervisory Control and Data Acquisition (SCADA) systems are the front line of defense in preventing hacking events. SCADA systems allow operators to interact with a plant system’s hardware and software, including sensors, valves, pumps and motors.
The system allows control of water flow, temperature, the probability of rain precipitation [and] chemicals. “There are thousands of nodes you can incorporate into it to optimize water quality, quantity and availability,” Hand said.
As the oldest investor-owned utility in the United States, York Water has provided service to customers for more than 200 years with only one 12-hour disruption in service during its history.
It was during Hurricane Agnes in 1972. Equipment was moved out of the flood plain and power and water service was restored, Hand said.
By investing in employee training as well as other resources – like infrastructure and technology – companies can make sure any security breaches don’t become utility disasters, he said. “It doesn’t matter how good your IT tech or infrastructure is if you don’t have the right people to take care of it. In Florida that operator was the last, best line of defense.”
In Emmaus, five nationally certified water plant operators make sure the taps are running for the borough’s roughly 11,200 residents and its business community.
Emmaus Borough Manager Shane Pepe said the municipally operated public water system has a combination of technology and manual shutoffs to maximize security for the plant and protect the borough’s five wellheads. The manual shutoff valves protect the wells and the water supply from outside “bad actor” interference.
The Florida breach happened because the security systems meant to protect it, along with a pandemic-produced mass exodus to working remotely, created an entry point that allowed hackers to access the system.
According to the PUC, an estimated 500,000 U.S. cybersecurity jobs are unfilled, representing a 350% spike in the sector’s employment since 2013. Getting people into those positions is a constant challenge, Dutrieuille said. Like manufacturing and the skilled trades, public utilities face a workforce shortage, expected to get worse as baby-boom workers near retirement age.
While the most visible utility work might be construction and storm repair, there is high-tech work at utilities that happens out of sight. Competition for the same young talent by high-profile companies such as Apple or Google is fierce, she said.
“Recent cybersecurity breaches serve as a reminder for us to maintain our sharp focus on the cyber safety of our employees and customers,” said Mark A. Miller, director of communications for PPL Electric Utilities in Allentown.
A coordinated defense to protect the bulk electric system, as well as customers’ data and privacy, from cyber attacks was layered, constantly updated and “tested and strengthened,” he said.
The following steps are part of the PUC’s recommendations for maintaining cyber security:
- Update all computers’ operating systems.
- Use strong passwords and multiple-factor authentication.
- Ensure that anti-virus, spam filters and firewalls are updated, properly configured and secure.
- Train users to identify and report attempts at social engineering. Social engineering includes phishing schemes or hacking scams aimed at getting people to reveal their passwords, bank accounts or other personal information with the intention of gaining control over a computer or breaking into a secure system.
- Identify and suspend access of users exhibiting unusual activity.
- Conduct physical and cybersecurity risk assessments on their critical infrastructure.
Larger utilities may be more attractive targets for cybercrime, but they also have larger cyber expert teams and tighter safeguards to fend off attacks, Dutrieuille said. Mid-sized and smaller systems may not offer big “paydays” for cybercriminals, but smaller utilities can be more vulnerable if fewer cybersecurity resources are available to them.
“Everyone, regardless of their specific job, plays a role in keeping data and infrastructure secure,” Miller said.