The Water Industry Knowledge Gap: There Are Risks to Automating Your Control Systems
“I think this is the 800 pound gorilla in the room… We have an infrastructure in the US that is entirely exposed, entirely vulnerable… Any 10 bright students from UC Berkeley could bring down the northeast corridor in a week. And so, everybody knows it’s exposed, and I don’t think anyone is going to do anything about it until there’s kind of a 9/11 type of event. Which will happen.” – Tom Siebel, C3 IoT CEO
Water is perhaps taken for granted in the developed world. Citizens pay their water bill, and they expect to have clean water. Very few people spend their time thinking about the pipelines, water plants, pump stations, and the many other elements which bring water from its source to the consumer. Even fewer people spend their time thinking about the automation of the water industry. Finally, even fewer people spend their time thinking about the cyber vulnerabilities associated with the automation of the water industry.
Instrumentation and controls have always been a part of our critical infrastructure, but only recently have these devices been so heavily integrated to communicate with one another and work together. Only recently have the devices been networked together between various sites to make automated decisions.
The benefits of automation are tremendous. Operators can see and control everything through one interface rather than traveling from site to site and manually checking devices. Data is much more organized. Operators can finally see the big picture with ease, which further drives efficiencies. Every new project seemingly has more automation than the previous one.
Operators are hopefully verifying that a control systems were installed properly and that they function properly. However, are operators verifying that their systems are in compliance with cyber-security best practices? How many facility operators also take time to understand the details of IT networks? How many IT departments also take time to understand industrial control systems? Technology is evolving quickly in both fields, and it can be hard to keep up.
Meanwhile, cyber-attacks are already affecting almost everyone. Most of the cyber-attacks don’t make headlines. There are data breaches, DDoS attacks, and other attacks of all kinds occurring constantly. Nation states, criminal organizations, individuals, and the automated ‘bots’ they design are crawling through the digital world to disrupt computer systems, control devices, and steal valuable intellectual property – and this is simply happening all the time.
The next attack could target any organization from anywhere. Geography hardly matters anymore in the digital world. The attack could come from halfway around the world, or it could come from thousands or perhaps millions of locations simultaneously. It really is a different world that can be difficult to grasp.
These attacks are sometimes even successful against very large companies and government entities with highly sophisticated IT departments. Here are just a tiny portion of the headlines over the last couple of years:
2016: US Department of Justice’s database is hacked, resulting in the release of employee data on 10,000 DHS and 20,000 FBI employees. It took weeks for the DOJ to realize their systems had been compromised.
2016: Yahoo suffers two massive data breaches, where up to 500 million customers may have had data stolen.
2015: The Pentagon email system goes down for weeks after being cyber-attacked by Russians.
2014-2015: US Office of Personnel Management has over 22 million personnel records stolen as a result of a Chinese cyber-attack.
2015: Fiat Chrysler issues a safety recall of 1.4 million vehicles after security researchers showed the cars could be remotely hacked through the internet-connected entertainment system – enabling the remote hackers to shut down the vehicle’s engine, among other things.
Critical infrastructure systems cannot just be thrown together without proper precautions. Like the IT network technology that preceded it, control system technology can be vulnerable to cyber-attacks. These networks control heavy machinery in the physical world. There can be immediate real world consequences when critical infrastructure is taken offline.
Between operators and IT departments, there exists a knowledge gap. IT knows about IT systems but not about control systems. Operators know about control systems but not about IT systems. These previously disparate professions are starting to find that they have much more in common these days.
The benefits to automation are tremendous, undeniable, and perhaps inevitable. Therefore, the water industry must consider cyber-security as part of the project scope. The cyber-security aspects of planning, design, and integration can no longer be an afterthought.
Back to news listing