October 8, 2018
Technology often evolves so quickly that it can be difficult to keep pace with every new device and software update, but the world is becoming increasingly connected. Advancements in both technology and convenience mean that nearly everything, from major SCADA systems to consumer products such as smart thermostats, water heaters, appliances and automobiles, is connected to the internet or another network. The global Internet of Things market is expected to reach $457 billion by 2020, growing at a compounded annual growth rate of nearly 30% from 2016 to 2020.
These advancements also are creating new challenges that are growing and evolving with the technology itself, and these challenges affect the water industry at nearly every level. Products and systems are exposed to attack from individual hackers, independent cyber criminal networks, or even nation-state sponsored cyber warfare groups seeking to gain system access for reasons ranging from highlighting their hacking skills to holding systems for ransom. Manufacturers of smart, connected products must work to prevent these products from becoming weak links in larger smart systems (i.e., smart homes, municipalities, etc.), and those maintaining these systems must work to help ensure the continued safe operation of all components. Although working to safeguard against these digital threats can seem daunting, it does not need to be. Taking a proactive approach while sourcing, designing, manufacturing and using these products and systems can help ensure programs are as safe as possible.
In the water industry, connected products range from residential smart meters, pumps and remote sensors to components used in water treatment systems, often considered critical infrastructure. Out of the 295 incidents the Industrial Control Systems Cyber Emergency Response Team responded to in the U.S. in 2015, 57% occurred in the critical manufacturing, energy and water industries. Because critical infrastructure serves a central part of everyday life, it remains an attractive target for cyberattacks. Any attack on critical industry could have sweeping negative effects on civilian health, security or economic well-being.
Smart water devices are susceptible to remote attacks from computer hackers through the embedded wireless network used to connect to other devices and networks. It is estimated that 70% of devices are vulnerable to attack, and that by 2018, 66% of networks will have experienced a security breach. Many of these are known software vulnerabilities that can be easily addressed in the product.
Although the associated risk level may vary from one product to the next, and the potential for damage certainly is higher at the municipal level, all products suffer from the same basic vulnerability: the software. As every one of these products and systems relies on software, this can become a significant challenge. By acknowledging the risks and addressing potential issues early on, it is possible to overcome this challenge.
Security breaches can have catastrophic effects, including unplanned downtime, loss of production, harm to assets, and damage to reputation and to living and working environments. These growing cyber concerns prompted the creation of numerous guidance and best practice documents to help product manufacturers and asset owners improve the security of their products and installations. Manufacturers can take proactive steps toward more secure products by following security practices from the earliest phases of the product development cycle to avoid potential delays and increased costs further on in the process.
Many companies turn to off-the-shelf solutions from third-party software providers in an effort to reduce production time and costs, but this practice also increases risk. Many of the most prevalent applications come from trusted third-party developers, but poor processes exist for the selection, implementation and use of this software. Developing robust internal security specifications can help. These requirements should cover all third-party software products, components and vendors. To simplify the process, these specifications should be provided with every request for proposal and vendor agreement. All potential software suppliers should be evaluated to determine if adequate safeguards are in place and routine audits should be conducted to ensure cybersecurity risks continue to be minimized. Additionally, a third-party review of the software can offer peace of mind.
When a secure architecture is designed and built, security risks and vulnerabilities can be detected and assessed in a number of different ways, including penetration testing, source code reviews and threat modeling. After everything has been assessed, internal processes can help ensure smooth operation moving forward. Continuous training of employees is recommended, as human error is frequently a factor. With this training, limiting access also is important. Keeping critical software information on a need-to-know basis helps ensure only necessary parties—vendors and employees alike—have back-end access, decreasing the potential number of paths for a hacker. Finally, remaining current with software updates and patch releases is one of the best ways to keep software running safely, while also keeping security measures up to speed with the evolution of technology.
Manufacturers must understand the inherent risks of their product being connected to the internet or a network and they must recognize mitigation as their responsibility. To mitigate these risks, the product should be designed with best security practices, continually tested for vulnerabilities, even in production, and maintained and patched as updates are made. The product also can be certified by a third-party, which gives the customer or distributor confidence that the representative samples of the product passed a rigorous third-party security evaluation. With hackers and cyber criminals remaining intent on gaining access, product security will remain an evergreen issue and the easiest way to always stay one step ahead is by keeping security on the top of the mind.
As originally published in WQP April 2018.