According to the “2018 State of the Water Industry Report” put out by the AWWA, the most dramatic shift in concerns regarded cybersecurity, which jumped from 26th in the rankings from the prior year to 13th for 2018. Today’s business data and computer controls are just a few of the key systems running your operation. Each of these systems is vulnerable to attacks and must be properly protected from cybersecurity threats. Most organizations have a person or department responsible for keeping these systems safe, but in many cases – including smart pumps – is it enough?
How Does Cybersecurity Affect Pumps?
The DHS has begun to create a defense model to protect our nation’s infrastructure, including in the private sector. Increasing hyper-connectivity among systems requires that measures be taken to protect critical infrastructure from an ever-increasing cyber security threat. And they aren’t the only ones. The National Institute of Standards and Technology has identified a set of security requirements in nonfederal information systems and organizations. They include:
- Access control
- Security assessment
- Risk assessment
- Audit and accountability
- Awareness and training
- Configuration management
- Incident response
- Identification and authentication
- Personnel security
- Media protection
- Physical protection
- System and communication protection
- System and information integrity
AWWA’s manager of federal relations believes the threat is clear and prevalent across all sectors. He urges that all facilities make cyber security a top priority to protect their systems, not to mention the health of public in general and to protect against lost production, service interruptions, erasure of data, litigation, recovery costs, and more.
Cybersecurity for Smart Pumps in the Cloud
The industry is moving towards smart pumps and equipment operating information that are housed in the cloud. They allow users to better understand operations and maintenance activities, but there are concerns that plants aren’t necessarily adopting them the correct way. Manufacturers know this and develop pumps, analyzers, and their connected components to ensure a secure cloud. This includes consistent software updates, app security, along with the products themselves.
New cyber security standards are coming into play to meet the demand of all sorts of operations who are looking to protect their systems. One such standard is the UL 2900 that recognizes products that go above and beyond and constantly go under re-evaluation. The FDA is also taking part in cyber security and has issued security recommendations, such as multifactor authentication, advanced passwords, user access limits, layered authorization, and advanced breach detection procedures.
Cybersecurity for In-House Servers & End Users
Even if your system isn’t on the cloud, it can still be subject to Internet of Things and other similar attacks. The UL 2900-2-3 Outline of Investigation for Software Cybersecurity for Network-Connectable Products: Particular Requirements for Security and Life Safety Signaling Systems was developed for manufacturers, integrators, and owners to secure their in-house servers, as well as their end users.
One of the most successful ways to secure smart pumps is through penetration testing. It does not involve certification, but is an immediate solution for facilities concerned about their current state of security. Contractors can perform these tests or they can even show your staff how to perform these tests themselves. This is a useful strategy for testing the vulnerability of current pumps and systems, as well as any that may be implemented in the future.
There are also systems that can encompass the entire operation with cyber security protections. One such option is Schneider Electric’s EcoStruxure Plant that is IIoT-enabled with an open and interoperable system architecture. In addition to providing security measures, it helps maximize process efficiency, and offers real-time control of other variables such as safety risk, reliability risk, environmental risks, and operational profitability.
Webcast of the National Cybersecurity Summit https://www.us-cert.gov/event/dhs-national-cybersecurity-summit
Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations https://www.awwa.org/Portals/0/AWWA/Development/Managers/2018_SOTWI_Report_Final_v3.pdf
2019 State of The Water Industry Report https://www.awwa.org/Portals/0/AWWA/ETS/Resources/SOTWI_Exec_Report_19.pdf
US Federal Register: UL 2900-1 Ed. 1 2017 https://ctech.ul.com/en/industries/connected-medical-devices/