By Andrew Chastain-Howley, Matt Kirchner and Joe Zhou
There’s no doubt that the technological advances of the past decade — artificial intelligence, cloud-based software, autonomous equipment, drones, remote sensors, mobile devices, machine learning and virtual reality — have improved operational efficiency, productivity and resiliency, moving us into the digital age faster and farther than we ever imagined.
Twenty years ago, these technologies seemed more at home in the pages of a science fiction novel than in a utility’s control room or on a construction or mining site. But today, these innovations come together under the umbrella of the Internet of Things (IoT), with its cloud-based ability to collect, process, manage and analyze extravagant amounts of data.
Analytics Strengthen Digital Intelligence
Across all industries and sectors, forward-thinking organizations are using data to inform a new sense of “digital intelligence” that balances technological opportunity with safety and security.
Data is everywhere, and our digital footprint is only growing larger. Digital information, exchanged at staggering rates, is actionable and predictive, giving operators better oversight of their assets. Paired with digital analytics platforms, digitalization offers incredible amounts of situational awareness, better monitoring, more accurate diagnostics and faster response rates.
Rather than remaining trapped in the reactive posture of the past, scrambling to respond to situations at hand, organizations now have the tools to proactively plan and assess, positioning themselves for a more resilient and sustainable future. Those who don’t risk being left behind, overtaken by the agile.
The growing reliance on data analytics to manage assets is a continuing theme throughout Black & Veatch’s ongoing Strategic Directions report series, which are based on extensive surveys of utility and commercial and industrial leaders. A recent survey of water utility leaders, for example, found that two-thirds of them are exploring or have deployed smart technologies, while nearly three of every 10 respondents — 28 percent — have turned to cloud-based software, up from just 10 percent last year.
Of the more than 500 individuals surveyed, a combined 64 percent see their investment in digitalization as positive in that it has helped enable improved asset performance.
The power of predictive analytics is significant across power, water and telecommunications. For instance, industrial water plant managers can deploy advanced sensors able to reveal previously undetectable changes in infrastructure performance. These technologies, in tandem with predictive analytics, will help industrial water facilities anticipate equipment issues and failures, as well as build a roadmap to improved maintenance and programmatic equipment replacement.
A major industrial client recently approached Black & Veatch with a vexing challenge, asking us to monitor its mechanical infrastructure and water and wastewater systems. Power systems and feedwater were the initial concerns, but as the system analytics were developed, it became obvious that the system also could manage some of the industrial processes.
Data is consistent in these circumstances, provided subject matter expertise is available to develop the initial calculations and understand the workflow. Such software platforms can be utilized across the industry from the water supply to the wastewater effluent discharge and almost everything between.
But with these heightened opportunities comes heightened risk. Organizations are facing a classic Catch-22: With every new device added to a network — every remote sensor, iPad, drone or autonomous vehicle — the more vulnerable that system becomes to outside intrusion. Supply chain risk mitigation becomes more difficult.
This new world of increased connectivity is introducing new vulnerabilities, and organizations must balance technological opportunity with safety, security and robust supply chain risk management.
Digital Intelligence Backed by Security
As these new levels of digitalization and IoT continue to embolden and shape our modern lives, cybersecurity postures are coming under intense scrutiny by security professionals, regulators and the federal government, who have seen firsthand how pervasive — and crippling — cyberattacks can be.
Few cybersecurity professionals and regulators haven’t lost sleep over the thought of a large-scale cyberattack on critical American infrastructure. Instances of such attacks include the hackers who infamously shut down the Ukrainian power grid in 2015, affecting 250,000 people, or those who hacked and attempted to sabotage a Saudi petrochemical plant in 2017.
More recently, hackers have begun weaponizing ransomware and using it to attack municipal computer systems and data networks.
In October 2019, CNN reported that over the previous 10 months alone, 140 local and state governments, police stations and health care providers had fallen prey to and been held hostage by ransomware attacks, released only upon payment of hundreds of thousands of dollars in Bitcoin. These attacks have paralyzed networks in Atlanta, Baltimore, several Florida cities and towns, the Georgia courts system and even the email and baggage systems at Cleveland Hopkins International Airport.
There’s no doubt that criminal individuals and anonymous groups will continue to use cyberattacks to disrupt operations, damage equipment, compromise sensitive data and threaten lives. Utilities, with their complicated infrastructure and core services, acknowledge their vulnerabilities — a 2018 study by financial services group KPMG found that 48 percent of power and utility executives expect that a cyberattack is inevitable.
To combat this, security professionals, regulators and the federal government are considering every option to stem the tide of cyber warfare and ensure optimal supply chain risk mitigation. So it’s no surprise that an ongoing theme in Black & Veatch’s Strategic Directions reports is that U.S. utility leaders view a cyber security strategy that includes processes, procedures, governance, technology and overall threat management to be a leading industry concern.
The Weakest Links in the Cybersecurity Chain
The magic of IoT and data analytics lies in their intricate systems of connected digital devices. But because these manufactured devices connect directly to sensitive networks, organizations need to prioritize supply chain risk management and ensure their critical systems are protected from rogue devices manufactured or modified by dishonest players. More specifically, they need to implement a cyber security strategy that includes security controls to decrease the risk that a malicious actor could install malware or backdoor access directly onto these devices.
Organizations should know their manufacturers and ensure that security and supply chain risk mitigation are part of the manufacturing process. If supply chain risk management appeared on a spectrum, it would look something like this: On the safest end, organizations use trusted manufacturers with complete control over the manufacturing process and chain-of-custody controls. On the opposite, more dangerous side, equipment gets crafted in an unknown factory using unknown chipsets, firmware and software that the end user has no visibility into or control over. With no optics into the manufacturing process, these untrusted devices present great risk when connected to sensitive networks.
The more practical supply chain risk management approach — somewhere on the middle of the spectrum — is to partner with well-known, trusted suppliers who abide by published and auditable supply chain security programs and employ a robust cyber security strategy. Such suppliers have established physical security at all facilities, logical security for production systems, production certifications, a strict scrap handling process that prevents counterfeiting protection labels, and security technology such as smart chips and security labels that prevent unauthorized tampering.
The Human Element of Supply Chain Risk Management
Human error presents a more complicated challenge to an organization’s cyber security strategy. The ransomware attacks that crippled those municipalities and civil services started with what appeared to be an innocent email. But the instant the intended recipient — an unsuspecting employee — clicked the link inside, it unleashed a chain of events that allowed hackers to quickly take control. Essentially, a company’s cyber security strategy is only as strong as its most gullible employee.
With each ransomware attack borne from a single click, human error continues to be a major vulnerability in the cybersecurity chain. For example, nearly half of electric utility leaders — 47 percent — believe that cybersecurity training and education programs will play a critical role in mitigating human error, according to a recent Black & Veatch survey.
Managing and optimizing security products and platforms ranked second, according to 46 percent of respondents. Considering that human error is inevitable, cybersecurity professionals can offer a backstop by installing backend email protection systems to disable or remove unsafe links.
Protecting access through access controls will also help shore up defenses. Of the cyber security strategy options presented, nearly one-third of survey respondents named access control as the largest vulnerability when it comes to ensuring cyber and physical security.
Access control means both physical access (where someone physically enters a facility) and logical access (where someone obtains remote access to a networked system). Organizations can control physical access through background checks, risk assessments and permissions-based badging. They can control logical access through user-level authentication controls, two-factor authentication and even advanced technologies such as biometrics.
For utilities and industries using computers to control their systems through supervisory control and data acquisition (SCADA), one additional method of cybersecurity is to further separate the data from the source. Using one-way data feeds with no connectivity for remote access is an important step for the analytics industry, as it will help unlock operational intelligence at reduced risk. If you cannot control a system, it becomes a lower grade target. Data breaches are still a big issue that need to be guarded against, but they are not generally as catastrophic if the control link is removed.
Data Delivers Great Things, If We Are Smart
Technology is changing the game rapidly, but the threat of cyber intrusion will grow stronger, and companies will need to step up their supply chain risk mitigation efforts to address the danger. To navigate through these challenging times, organizations need to arrange their data analytics and cybersecurity strategies around digital intelligence designed to keep data safe, secure and protected.
About the Authors
Andrew Chastain-Howley is Director of Water Solutions for Atonix Digital, a Black & Veatch software subsidiary. He specializes in reducing water loss and managing water demand. He is based in Fort Worth, Texas, and has 26 years of experience in the fields of water loss control and water conservation.
Matt Kirchner is Director of Product Management for Atonix Digital, where he leads the product management, industry management, customer support and implementation teams. Prior to this, he was an ASSET360™ product manager and supervisor for the monitoring and diagnostics center.
Joe Zhou is Managing Director of the Business Technology and Architecture offering group for Black & Veatch management consulting, where he oversees business development, client delivery and strategy. Prior to this, Zhou held senior-level roles at Ernst & Young LLP, BearingPoint and Convergent Group.