Cybersecurity & How One Utility Is Protecting Its County’s Most Precious Resource

By Sielen Namdar

Traveling through the dry desert of the American west, no ponds, lakes, creeks or even puddles to be seen, you might never expect a sprawling system of thousands of miles of water supply pipelines sitting just under your feet. These pipelines are bringing water to large metropolitan cities, with hundreds of thousands of people, a stark comparison to the barren land just surrounding it.

In a county that sees less than half the annual rainfall of other counties across the United States, water is a precious commodity that must be protected. Most U.S. states get about 30 in. of rain per year; but here, they get less than 12.

Welcome to Bernalillo County, New Mexico.

No Shortage of Challenges

The most populated county in the state, just under 680,000 people, including the city of Albuquerque, call Bernalillo County home. Serving the water needs of the county falls to the Albuquerque Bernalillo County Water Utility Authority (Water Authority) – the largest water utility in New Mexico.

“Out here, water isn’t taken for granted,” says Kristen Sanders, the utility’s chief information security officer.“It’s scarce. We need systems in place to make sure that every drop makes it to the faucets of our customers.”

With more than 3,000 miles of pipeline, these protections extend beyond traditional measures such as advanced metering infrastructure and leak detection. It has to include cybersecurity as well.

Knowing how precious their water supply is, the Water Authority is taking these threats seriously, working with Cisco to modernize its network infrastructure so they can fight an uphill battle on two fronts.

Non-revenue water (NRW) continues to be a constant challenge for water utilities across the United States, and Bernalillo County’s Water Authority is no exception. A 2019 report from the American Society of Civil Engineers and the Value of Water Campaign found that the United States loses an estimated 2.1 trillion gallons of treated water per year. In 2019 alone, leaks cost a whopping $7.6 billion.

But cybercrimes are also on the rise and an incident in Oldsmar, Florida, in February 2021 made it clear: water utilities are not immune to this growing trend.

Cybercrimes on the Rise

In the Florida incident, hackers took advantage of a remote-access system to gain access to a water treatment plant, attempting to change the quantity of lye to poisonous levels. Thankfully, an employee noticed that something wasn’t right and was able to quickly stop the change.

While a major crisis was diverted, someone still gained unauthorized access to the utility’s network. A recent report from the FBI suggests they won’t be the only victims, with a 69 percent total increase in cybercrime complaints in 2020 over 2019. Perhaps most importantly is that on average, cybercriminals had unauthorized access to networks for 56 days before they were detected.

Since Florida, utilities have taken note and recognize that the key to thwart threats like this in the future is to have visibility across their entire operation, from the water supply pipelines, to their meters, to their communication networks. Operators need early warnings on everything from leaks, to pressure changes, to pump malfunctions so they can stay ahead of anomalies, cyberattacks, breaches, and physical threats.

“There’s no telling what it would cost if there were an undetected intrusion that shut down your operation for any amount of time.”

Modern Problems Require Modern Solutions

“We couldn’t see across our whole network,” says Cody Stinson, the Water Authority’s chief information officer. “There were gaps in our physical security and cybersecurity. Even if we knew there was a problem, we couldn’t necessarily identify where it was to stop it. We certainly didn’t have the predictive analytics in place to proactively address issues before they occurred.”

That’s when Stinson and his team started working with Cisco to completely rebuild the Water Authority’s network and add cutting-edge solutions including Cisco Cyber Vision. Cyber Vision is designed to bring full visibility into industrial control systems, giving operators a view into everything that is happening across their entire operation. Coupling this with extensive IoT sensors to monitor the physical infrastructure and water conditions, the Water Authority successfully converged operational and information technology.

“Operationally, knowing where pressure is dropping or where a leak is happening is a big deal,” Sanders says. “We’re in the desert. Every drop counts. Being able to fix it immediately, not a month later, saves a lot of water.”

On the network front, Stinson says the visibility is key to prevent cyberattacks like the one that could have been so devastating in Oldsmar.

“We know cybercriminals are always looking for new ways to gain access to networks and keep it concealed for as long as possible before they’re discovered,” Stinson continues. “With Cyber Vision in place we feel pretty good about our chances to quickly detect attempted break-ins.”

No Cost for Peace of Mind

Beyond NRW and cyberthreats, the pandemic has forced its share of problems for water utilities. Across the United States, they’ve had to tighten their wallets as revenues decrease. The American Water Works Association suggests that on average, drinking water utilities could lose as much as 17 percent of revenue this year due to the pandemic, since some unemployed residents can’t pay their water bills and at the same time many businesses aren’t consuming as much due to closures.  

When budgets are shrinking, security upgrades can be hard for shareholders to stomach. But, both Stinson and Sanders say peace of mind is priceless when it comes to protecting the public.

“Taking the steps now to secure your operations could save a lot of money down the road,” Stinson says. “There’s no telling what it would cost if there were an undetected intrusion that shut down your operation for any amount of time.”

Sanders agrees, saying the pandemic may have been more difficult, and more costly to navigate, if not for their prior security investments.

“Sending our workforce remote expanded our digital footprint. That’s a larger attack surface for cybercriminals to take advantage of,” she explains. “Our investment in Cisco Duo Security, which lets us validate everyone who accesses our network, with their exact geo location, made that transition seamless.”

Preparing for the Future

As cyberthreats continue to grow, and business operations for water utilities continue to digitize, the threat posed to them by cybercriminals will only increase.

To stay a step ahead, these utilities need to partner with trusted cybersecurity providers like Cisco who are pushing the envelope, constantly innovating on the latest and greatest solutions, preparing utilities not for the threats that have already happened, but guiding them through the threats that are yet to come.

Sielen Namdar, P.E., is an industry solutions executive with Cisco’s smart & connected communities organization. At Cisco, she leads teams to bring smart solutions to water, transportation and energy customers leveraging IoT and real-time data analytics.

Leave a Reply

Your email address will not be published. Required fields are marked *