“Your people are your largest vulnerability,” said Bill McKelvey, director of information technology and telecommunications for the Piedmont Municipal Power Agency, a joint agency formed by 10 municipal electric utilities in the northwest corner of South Carolina. “But they are also your first line of defense.”
Still, there are some best practices that cities can use to keep the hackers out and keep the lights on.
The risks to cities and towns fall primarily into two categories: the technology that runs the systems, often called the integrated control systems, and the technology that keeps track of customer billing, including bank account numbers and other sensitive information.
Understanding the distinct threats to each system is key to protecting them.
“We’re trying to catch a bad connection before something bad happens,” he said.
For its water services, the City of Florence has a fully automated surface water treatment facility that operates on a closed-loop system for security, said Utilities Director Michael Hemingway.
“You can only make a change or adjustment or get those readings from inside the facility,” Hemingway said. “There is no external access.”
Jermaine Holmes, water operator for the City of Florence, monitors groundwater pumps, elevated tank levels and surface water treatment filters in the control room at the city’s Surface Water Treatment Plant. Photo: City of Florence.
That is key to protecting those systems from outside hackers, McKelvey said.
“It is extremely important that we protect those resources and keep them segregated from the regular network,” McKelvey said.
Florence’s surface water treatment facility is staffed 24 hours a day, and workers monitor chemical treatments to the water and keep an eye on sensors that measure water pressure that can signal a break in the line. Hemingway said technology makes the job of providing dependable service a little easier, but workers still must be vigilant.
“The computer system does allow for some complacency where you just sit and watch the monitor rather than verifying that the computer is right,” he said. “Anything can lose its calibration, so you always need to do verification.”
Verifying before acting is also important on the other side: the systems that hold private customer information. Most often, when those systems have been breached, exposing information such as credit card or bank account numbers, it is the humans operating the systems who let the hackers in.
“The vast majority of ransomware cases are due to breaches caused by an employee or vendors and more often than not, it’s a phishing email sent to an employee who clicked a link and got their computer compromised,” McKelvey said. “From there, an attacker could move horizontally from workstation to workstation and hide themselves all over the place.”
Laurens Commission of Public Works Operations Director Keith Wood handles a drone used to inspect water towers. Laurens CPW also uses infrared cameras to find hot spots in the electrical system.
At the Laurens Commission of Public Works, IT systems monitor the load on the electric system and can help control electrical demand, especially on days with peak usage.
Keith Wood, operations director for the Laurens Commission of Public Works, said his team stresses vigilance among workers, but he also uses an outside firm that tries to break into his system to find weak spots.
“You’ve got to spend some money to protect against that,” Wood said. “These guys keep up with how the hackers work and they try to get in like a hacker, but they are the white-hat guys.”
For utility services like water and electricity, reliability is critical. As technology has come to help run utility systems, careful IT work has become another factor in keeping those systems operating and safe.