Sophisticated AMI water management solutions bring tremendous benefits to both water utility operators as well as water consumers. Water utilities gain significantly deeper insight into and control over operations in general and non-revenue water in particular. Consumers gain unprecedented transparency into their water bills and can profit from incentives to conserve water usage. But along with these well-documented and widely acknowledged benefits comes increased exposure to malicious or accidental unauthorized access to the streams of data flowing from smart water meter end-points to base stations and from there to the utility’s data center.
What’s At Stake
If we take the issue immediately to its extreme, imagine an organization or individuals that want to dramatically disrupt the flow of daily life by hacking into a water network. With the increased use of commoditized operating systems (such as Windows) as well as IP-based IT systems (such as HTTP or SNMP), smart water networks are increasingly vulnerable to attack. A STUXNET-like scenario – where a computer worm is used to monitor and disrupt the operation of industrial control systems – is not inconceivable.
Somewhat less dramatic yet still troubling security vulnerabilities would include tampering with transmitted data in order to undermine the data analytics that water utilities increasingly rely on for smooth and efficient operations, or in order to compromise the privacy of water utility customers.
Typical IT Security Measures Not Always Suitable for Water Networks
There are, of course, advanced technologies and methodologies that have been developed to secure data-rich IT systems such as e-commerce. These security solutions are based on a priority paradigm of Confidentiality first, Integrity second and Availability third (CIA). However, as Amin Rasekh et al point out in their very recent and excellent article “Smart Water Networks and Cyber Security”, this CIA paradigm is not appropriate for a water network where the availability of potable water for consumption or for critical services such as firefighting is paramount. In fact, the priority paradigm for water networks has to be exactly the opposite of the typical IT model, with Availability first, Integrity second and Confidentiality third (AIC).
A Real-Life Example of Secured AMI Communications
Tal Zur, VP Software & IT at Arad Technologies, has been instrumental in the design and implementation of Arad’s cutting-edge and highly secure AMI water management solutions. In a recent discussion he explained the measures that Arad takes to secure the data being transmitted from the smart water meter itself to the base station, and then from the base station to the utility’s data center:
- In the case of the Dialog 3G AMI platform (which uses existing cellular base stations), Arad has implemented a proprietary, virtually hack-free protocol.
- In the case of the Allegro AMI fixed network, the proprietary protocol is further protected by very robust 256-bit AES encryption.
- For the TCPIP communications between the base station and the utility’s data center, Arad employs the same Secure Sockets Layer (SSL) protocol that is used to secure payments and other sensitive transactions over the internet.
- In addition, Arad uses IP addresses specifically allocated to the fixed network that are not publicly visible.
A Look to the Future
Although the security measures described above are state-of-the-art and highly effective, as smart water networks become universal and smart water meters become IoT end-points, the security challenges will only grow. As Rasekh et al note “A fundamental shift in approach toward system security, both its design and implementation, is needed…This requires establishing data provenance and governance frameworks, engineering trust across devices and protocols, and deploying robust, end-to-end security controls to ensure data confidentiality and integrity from edge (devices) to cloud (platforms).”
 Sugwon Hong, Development of Security Module for Smart Water Meter in the Advanced Metering Infrastructure, Journal of Security Engineering, 2014
 Amin Rasekh et al, Smart Water Networks and Cyber Security, Journal of Water Resources Planning and Management, Vol 142 Issue 7 (July 2016)
 CySWater 2016