Data Protection and Cybersecurity for Small and Medium Systems

Many water utilities rely on online technology and computer systems to increase their working efficiency. In the office space, data management software, pay roll systems, customer billing programs, utility websites, and social media improve customer services and provide an organized method to retain and access utility information. On the operational side, employees may rely on remote access control systems such as SCADA or smart metering to monitor or control systems while performing maintenance in the field. These control systems allow for improved response times and monitoring.

Yet as we all learned from Spiderman, with great power comes great responsibility. Without sufficient cybersecurity measures, systems risk the health and security of their customers. Successful attackers can steal customer personal data such as credit cards, social security numbers, and contact information. They may attempt to deface utility websites compromising customer confidence. If your system uses online process control systems, hackers could lock out utility access, alter treatment processes, damage equipment, and override alarms. The American Water Works Association (AWWA) has listed a variety of cyberattacks and their consequences in its 2018 Cybersecurity Risk & Responsibility in the Water Sector Report. These attacks resulted in leaked customer information, considerable financial losses, altered chemical dosing, and even source water contamination. Just recently staring in May of 2019 the City of Baltimore has been held hostage by an ongoing three week cyberattack that demands $100,000 in Bitcoin to free city files and water billing data.

There are many types of cyberattacks including password hacking, the exploitation of software vulnerabilities, denial of service, and malware. Common malware includes ransomware, spyware, trojan horse, viruses, and key loggers. Attacks can even happen through opportunity theft, improper disposal of computer equipment, or phishing attempts where thieves pose as legitimate organizations requesting confidential information.

To prevent cyberattacks, start by identifying vulnerabilities, developing a multi-tier security plan, and actively enforcing that plan. The EPA has developed a guide explaining 10 key components for a cybersecurity plan that includes planning worksheets and information on how to respond in the event of an attack. Systems should plan to update software regularly and require strong passwords that are different for each account. Installing anti-virus software and firewalls is also effective. A security plan should include measures to educate employees on cybersecurity awareness and limit access to security information based on job function.

For an in-depth list of security practices, read through WaterISAC’s 2019 guide to reduce exploitable weaknesses or the EPA’s Incident Action Checklist. The AWWA’s guide on Process Control System Security Guidance for the Water Sector can aid systems using smart technology. To improve social media and website security, start with Hootsuite’s social media security tips and Sucuri’s website security tips.

If a data breech does occur, utilities will want to have and established protocol to resolve and mitigate potential damage. The Cyber Security Adviser Program with the Department of Homeland Security (DHS) offers regional affiliates that will assist systems in vulnerability assessments, plan development, and informational support. While the costs associated with response, forensics, and legal fees can be expensive, waiting to take action can incur an even greater cost. Remember to keep an active cybersecurity plan and, if incidents should occur, report them to local law enforcement, the DHS, and WaterISAC.

Websites Offer Conveniences for Utilities and Customers

If you’re reading this, you're probably already aware of the power of the internet to share information and raise awareness of important issues. Hopefully you think some websites (like ours!) are useful. But have you considered getting a website for your own utility? If you don’t have a website already, here are some things to consider.

Benefits of Going Online

A utility website can provide a number of services, both to you and to your customers. At the most basic level, a website can house the information people ask you for all the time: utility fee information, FAQs, maybe some fact sheets on common local concerns like water conservation or winterizing. Not only does this provide a convenient place to direct people for more information, but some people may Google first, and find what they’re looking for before they have to try tracking you down by phone.

Beyond this basic usefulness, websites can be outfitted with customer service contact forms, new service request forms, CCRs, board meeting schedules and minutes, online bill pay options, and other resources. Contact forms usually feed into an email account, which can be used to collect and organize non-emergency customer communication even when you’re not available. Online bill pay is a convenience for your customers, and online CCR distribution, if your utility is eligible, can be a convenience for you.

Website Building Services

If you’d be interesting in gaining the convenience of a website without having to set one up on your own, there are services that can help. As an example (but not an endorsement), Rural Water Impact provides website setup and migration services specifically for small water utilities. GoDaddy also offers a range of website design and hosting packages. And if you’d like to try your hand at a straight-forward design, services like Weebly and Squarespace make it as easy as drag and drop.

As always, we here at WaterOperator.org are happy to help you think through your website needs. You can reach us at info@wateroperator.org or 1-866-522-2681.

Planning for the Future

The convenience and organization of a good website can provide plenty of benefit in the present. But those benefits can stretch into the future, as young people accustomed to cell phones and internet use start getting old enough to pay the bills. In addition to providing convenience to you and your customers now, having an established website can prepare you and your utility for a new, more digital future.

A Few Considerations 

The Americans with Disabilities Act requires that water districts—among others—provide equal access to programs and services. One way to meet these requirements is to ensure that your website makes use of accessible design features. Systems with inaccessible sites may also be able to meet their legal obligations by providing an alternative way for people to access the information provide, such as a staffed telephone line. You can learn more about ADA requirements by calling the Department of Justice's toll-free information line at 800-514-0301. 

State law may also require that public utilities with websites maintained by utility staff post meeting schedules, agendas, and minutes. Your primacy agency should be aware of these requirements and can direct you to the appropriate state office for more detailed information.

If these requirements give you pause, consider talking with city or town officials to see if your system can instead be an active partner on their website. This is also a good option for systems concerned that under-staffing makes maintaining a website impossible. 

Engaging Customers in a Digital World

Like most Americans, your customers probably spend half their day staring at screen—checking emails, commenting on Facebook profiles, scrolling through Twitter feeds. In fact, the Council for Research Excellence recently announced the results of a media study that revealed that 68 percent of us use at least two media platforms—tv, computer, smartphone, audio, print, tablet—at the same time in an average day.

Here’s the take away: joining or becoming more active on social media platforms means meeting customers where they already go to receive information and news.

But, like most things, doing well on social media is much easier said than done. Today we’re sharing a few overarching tips and tricks, but finding the right platform and devising a successful media strategy may require more detailed discussions and a bit of trial and error.

Fortunately, Small Communities #TalkAboutWater is a great place to have these conversations with others who understand the unique challenges faced by small systems. You can also reach out to us directly at info@wateroperator.org or 1-866-522-2681.

1. Define your goals and audience. Are you looking for greater community engagement? Are you in need of easier, more direct ways to share public notices? Maybe you want to connect with local and state officials. The more specific your goals and audience are, the easier it will be to choose the right social media platform and measure success.
2. Remember not all platforms are created equally. If your system doesn’t frequently generate new pictures, graphics, or videos, Pinterest and Instagram are likely not for you. If you want to share more detailed messages—perhaps about road closures due to pipeline repairs or tips for conserving water—Facebook may be a better choice than Twitter. This article from The Next Web has more information about the pros and cons of different platforms.
3. Don’t try to bite off more than you can chew. Time and personnel are precious commodities for small systems. Having a smart social media strategy is worth the time, but don’t feel like you need to join multiple platforms at once or post hourly. Consider starting with a single platform and a more conservative media strategy. The key is sustainability.
4. Make use of your existing network. Invite customers to follow and like your page(s) in your next newsletter or with a bill insert. Put links to your social media pages on your website. Encourage your existing followers to tell their friends.
5. Prioritize customer service. For many people, an organization Facebook or Twitter page is their first stop when they have questions or concerns. Stay on top of customer issues by responding within 12 hours. And be sure to re-share favorable experiences posted by customers across your social channels.
6. Start conversations. It’s called “social media” for a reason. The most successful users ask questions that engage followers and inspire them to weigh in on topics they care about. For example, ask customers to share their favorite water conservation practice.
7. Share your expertise. Customers see water systems as reputable sources for information on water supply and quality issues. Share little-known facts, post links to important information, provide access to reports or relevant research.  
8. Get personal. Social media is a place for genuine engagement. A lot of the communication water systems have with rate payers is prescribed—public notices, bills, etc. But that doesn’t mean you can’t show the personal side of your operations. Talk about what you’re excited about, highlight staff successes, wish people a happy Friday.