Cybersecurity: Water Utility Security Part 1

Public utilities are a vital part of national and local infrastructure. No corporation, organization, government, or residence can operate for very long without essentials like running water, sanitation, electricity, and communications. Yet in an increasingly computerized and connected world, the convenience associated with these necessities also poses a risk.

The delivery processes for utilities are increasingly automated. Relying on modern software and remote communication is a benefit overall because it makes systems much more efficient. Web-based software and cloud computing deliver highly scalable and reliable management of critical applications at a low cost. With the advent of the “internet of things”, systems can be monitored, diagnosed, and even repaired remotely. Yet these advances also open up new areas of risk. Any system that is not completely isolated on its own network can be remotely hacked.

Who Would Attack a Water Provider?

Public sector organizations like water and wastewater utilities might not appear to be likely targets. Compared to a major retailer, a local water company simply doesn’t process enough transactions to be an attractive victim. The Dallas Water Utility, one of the largest public water utilities in the U.S., has only 300,000 meters in its system. Even the largest private water utility in the U.S. (American Water) only serves 15 million customers. As a comparison, the Target data breach exposed the financial data of 40 million customers and the name and contact information of 70 million more.

But if the goal is disruption of infrastructure rather than profit, hacking a water/wastewater agency’s computer network makes a lot of sense. A city without water could turn into a disaster zone in short order in the event of a security breach. If the cyberattack on a utility managed to damage the infrastructure itself, the results could be devastating for a community or region.

What Challenges Do Water Utilities Face in Preventing Attacks?

For utility companies seeking to increase the security and reliability of services, the very criticality of undisrupted service is a barrier to implementing appropriate safeguards. Banks have been called “too big to fail.” In the same way, utilities might be considered “too essential to take offline for upgrades.” Unfortunately, that way of thinking could lead to disaster.

In Part 2 of this series, we’ll take a closer look at why so few water utilities make security a top priority.

California Wastewater Employee Accidents: Part 1

Cal/OSHA guidelines talk in general terms about the hazards facing employees in various industries. But what types of accidents do wastewater and sewage treatment industry workers get into on the job?

In this series, we’ll take a look at a number of reported accidents from 2005-2010. These reports show the wide variety of injuries that can be sustained when working in a typical wastewater work environment. They also highlight common mistakes that make injuries more likely or increase the amount of harm when an injury does occur.

Story #1: The Domino Effect

A worker was standing on the back of a flat-bed truck and using a hook to move heavy catch basin plates. The hook slipped and hit the worker in the face, lacerating his skin just under the eye. Upon being struck, he fell over a stack of catch basin plates. The next day, the worker saw his personal doctor for the facial injury. But within a week or so, he also developed shortness of breath and severe pain in his side. He was admitted to the hospital and diagnosed with two broken ribs and a staph infection in the lungs. He spent a month in a hospital and recovery center.

Takeaway: In this case, the initial injury (getting hit in the face) led to the second, hidden injury (broken ribs from falling). This worker should have been evaluated thoroughly for injuries after the incident. The broken ribs could have been detected and treated before they led to infection in the lungs.

Story #2: Lockout/Tagout Isn’t Enough

Four workers were performing preventive maintenance on fans at a wastewater treatment plant. The fans were shut down, locked, and tagged before the metal guards enclosing the fans were removed to expose the belts and pulleys. However, the room below contained exhaust fans that had not been stopped and the blades on the fans being serviced had not been blocked. The operation of the lower exhaust fans created airflow that caused the blades on the LOTO fans to spin. One of the workers got a hand caught in the in-running nip point of the fan he was servicing, and his middle finger was amputated.

Takeaway: In this incident, workers assumed the fan blades would not move because the power was off. But they failed to physically prevent the blades from moving. LOTO procedures are not effective unless ALL potential ways that parts may move are addressed.

Next month, we’ll look at how being at the wrong place at the wrong time can lead to accidents on the job in the wastewater industry.