Cybersecurity: Water Utility Security Part 8

Our series on cybersecurity for critical water infrastructure now focuses on how to ensure ongoing operation based on vendor agreements, procedures, and workflows. While details like contract negotiation and employee policies might not seem like a strong line of defense, they can make a big difference in whether a utility will remain up and running in a crisis.

Service Level Agreements

Although process control systems should be designed to run independently when necessary, the day-to-day operation of a water utility typically involves quite a bit of third-party infrastructure. As with the majority of organizations today, public utilities rely on a range of providers for telecommunications, internet connectivity, power, network capacity, data storage, and other resources. The contracts that govern factors such as availability (uptime), bandwidth, and technical support are referred to as Service Level Agreements (SLAs).

Selecting an appropriate level of support is important for a utility. For critical infrastructure, guaranteed uptime and a fast response time in the event of disruption may be two areas of particular concern. As the AWWA points out, the bandwidth required to run PCS equipment is often not high, but it must meet minimum requirements. SLAs should be negotiated with each contracted vendor based on how emergencies might impact process control systems and related infrastructure. Agreements with third-party integrators and companies tasked with servicing the PCS equipment itself should also be reviewed to ensure that the utility is appropriately prioritized as a preferred customer when it comes to response times. Limiting the total number of external vendors involved may help simplify this process.

Operations Security

OPSEC, the formidable acronym for Operations Security, can cover almost any area of procedures and workflows in an organization. Limiting access to information is one important aspect of cybersecurity. For example, a utility might have a social media policy that prohibits workers from posting information about internal procedures online. Such policies should be in writing, and the accompanying training might give examples of the types of postings that seem innocent to employees but could reveal potential vulnerabilities to hackers or other parties interested in doing harm. Cybersecurity training should also alert employees to suspicious behaviors, such as people fishing for information about security protocols or other protected information (social engineering).

Within the organization, OPSEC should also cover isolation of PCS functions from other business functions. This includes ensuring that the equipment’s interfaces are blocked from accessing the internet, email, and other remote systems—up to and including removable media. IT staff and other involved personnel should receive ongoing training in cybersecurity for PCS and water utilities in general to ensure best practices are kept up to date. As with all areas of security, change is inevitable.

In next month’s post, we’ll wrap up this series with a look at education and personnel security, since a water utility’s security is only as good as its employees. 

Shift Workers Face Increased Crash Risks

Although OSHA’s guidelines for safety and health don’t cover the commute home, employers would do well to consider ways they can assist workers who are at increased risk for accidents from drowsy driving. Getting behind the wheel while sleepy can impair reaction times and judgement in a way that’s comparable to being intoxicated or under the influence of drugs. Yet six out of ten Americans admit to driving drowsy each year (according to the National Sleep Foundation). More than one out of three admit to falling asleep while driving! Here’s a look at some of the troubling facts about this hidden danger.

How Big Is the Problem?

Car crashes caused by sleepy drivers are a persistent problem of incredible scope. The National Highway Traffic Safety Administration suggests that drowsy driving is the primary cause of more than 100,000 accidents reported to the police each year (the actual number is likely much higher). More than 1,550 people die in such accidents each year, and more than 71,000 are injured. The billions of dollars in losses calculated probably don’t take into account lost productivity for businesses whose employees are involved in these tragic accidents.

Which Workers Are at Risk?

Shift workers are at a six-fold greater risk of accidents from sleepy driving compared to the rest of the population. Night shifts, rotating shifts, and double shifts are all linked to a higher risk of drowsy driving crashes. Commercial drivers covering long distances and young males (18-25) are also at greater than average risk of nodding off at the wheel.

In a recent study, 16 participants were given a two-hour driving test in a real vehicle while an observer rode along. Drivers were also monitored using special glasses to track eye movements and blinking as well as EEG electrodes to measure microsleep episodes. After an eight-hour sleep with no shift work, none of the participants had a near crash during the test. But after a night shift (and being awake for about 13 hours), the participants experienced much more lane drifting, slow eye movement, and microsleep. Almost half of the participants had to have their tests halted before completion due to near crashes.

What Can Employers Do to Help?

Encouraging workers to drink caffeine before their commute isn’t necessarily helpful in the long run since it can disrupt the ability of shift workers to get to sleep once they arrive home. However, encouraging workers to take a 15-20 minute nap after they clock out may help them stay alert on the way home. Assisting with access to public transportation may also be a remedy. Finally, employers can provide educational resources to make shift workers aware of the facts about drowsy driving. Each individual should be equipped to recognize the signs and know safe ways to reduce the risk of crashes.

Do you want to learn more about ways to help your workers stay safe every day? Contact DKF Consulting to review your safety training resources.