Cyber Security

Cyber Security and the 4th Annual Water Data Summit: 5 Takeaways on Open Water Data

By: Victor Miao, Software Engineer

Water’s greatest minds coalesced from all over the world at the 4th Annual Water Data Summit on August 22 and 23, at the University of California, Davis. Hosted by the California Data Collaborative, water experts from all sectors gathered to discuss and collaborate on water data. With one of the main themes being California’s AB 1755 (the Open and Transparent Water Data Act), speakers addressed the current state of water data and its challenges. Here are some of the main takeaways.

Summit panelists discuss economic impacts of irrigation reduction

Summit panelists discuss economic impacts of irrigation reduction

Open Data

California Governor Gavin Newsom’s Citizenville describes one example outcome of open data: the efforts of a single programmer mapping public police data directly led to reform and behavioral changes. Similarly, one speaker cited public road data as the initial spark for Google Map. Hoping to invoke similar ingenuity, many water experts believe that open water data will empower people to make better-informed decisions regarding sustainable water management.

Jesper Elkjær Christensen, Senior Advisor of the Water Technology Alliance of the Consulate General of Denmark, presented an enlightening case study on the benefits of open water data in Denmark. Public, private, and academic organizations have long collaborated on public groundwater data, mapping groundwater since 1999 and creating other tools to help guide important water decisions. Jesper’s conclusion from Denmark’s success: “make water data useful, public, standardized, and collaborative”.

Denmark’s publicly available and interactive groundwater maps

Denmark’s publicly available and interactive groundwater maps

Establish Trust (in the Internet of Water)

The Internet of Water (IoW) is a project started at Duke University, designed to enable open water data to help guide sustainable water management. One example goal depicted the ability to look up local water quality on Google. According to IoW’s co-founder and panelist Martin Doyle, most of the breakthrough water technology already exists in AMI and improved water sensors. However, the issue remains in spreading these technologies as the industry standard. Many organizations still maintain legacy infrastructure and data.

On the same IoW panel and from a different perspective, Deven Upadhyay represented the Metropolitan Water District of Southern California. He discussed his vision of publicly accessible and trusted water data for every locale. However, he cited trust and cyber security as the most important challenges for an open data platform. Cyber security, as another main summit topic, is covered in more detail in the section below.

No Utility Left Behind

One recurring issue of the conference addressed small water utilities that would not be able to comply with proposed open water data policies, much less be well-equipped to protect their data against cyber attacks. Hoping to address such issues, the Aspen Institute Dialogue Series convened in 2017, acting as a neutral space. The Dialogue gathered a diverse group including public and private sectors, water experts, and academics to discuss national policy, water data, and sustainable water management. Accordingly, IoW aims only for voluntary participants in producing open data, instead of focusing on influencing public policy on open data.

Water Data Needs Work

“Water and data have not been married for long,'' stated one presenter. It is a fledgling field that necessitates adopting present and newly available technology to be robust, secure, and useful. Surprisingly, 2019 is the first year that all California water utilities were able to provide aggregate monthly water usage, and only as a direct result of an emergency measure due California’s 2011-2017 drought. 

Joaquin Esquivel, Chair of the California State Water Board, presented similar findings on the state-level. Citing both his current position and his previous position as Director of Information and Technology under California Senator Barbara Boxer, he acknowledged that while California is progressive, its data infrastructure still needs much work.

Open Data Works

As open data helped empower everyday people to innovate, open source tools and software aim to do similar good. The California Data Collaborative hosts a plethora of open source tools and software on their GitHub, such as an evapotranspiration estimator, real-time snow water estimator, and real-time reservoir visualization.

Similarly, many other organizations presented open source projects or research on open data:

  • Sacramento State’s open source tool for mapping groundwater quality, designed to help water managers identify disadvantaged communities with contaminated groundwater

  • One Stanford University PhD candidate’s research on Google search trends appears to show a correlation between media coverage of the 2011-2017 California drought and state-wide voluntary water usage reduction. Mandatory water restrictions seemed to correlate less with water conservation.

  • University of California, Irvine presented a disturbing recent trend of increasingly unsafe water in rural and low-income areas, especially in Oklahoma and Texas. In 2015, 9% of water systems in 2015 violating the Safe Water Act and affecting 21 million people.

  • FlowWest showcased their open source software such as a salmon life cycle model, supporting the efforts of the Central Valley Project Improvement Act to protect fish and wildlife.

Cyber Security

Online privacy and security have become increasingly important topics in more recent years, and for good reason. Data breaches and ransomware seem to occur far too often. However, the rising public awareness should hold agencies more accountable for our private and sensitive data. Indeed, cyber security cemented itself as a keystone topic at the 4th Annual Water Data Summit as well. This year, speakers at the summit helped us better understand the full stack of data security.

Your data is in good hands…

Despite, or perhaps because of, the recent prevalence and awareness of data breaches, many organizations have been actively preparing for and defending against the worst. Listed here are a few cyber security best-practices brought up during the summit.

Cyber Security panel. Pictured (L-R): William Johnson, David Wegman, Rocky Smith

Cyber Security panel. Pictured (L-R): William Johnson, David Wegman, Rocky Smith

William Johnson, Information System Division Manager at East Bay Municipal Utility District (EBMUD), outlined their best practices as a business-to-consumer entity that uses consumer data:

  • Defend against infiltration: EBMUD regularly performs penetration assessments both internally as well as through third party auditors, in order to find and fortify any weak points.

  • Defend against exfiltration: employees must abide by clear protocols (e.g. no sending cleartext via email, correctly storing and transferring data, etc.) and participate in random phishing tests that automatically enroll them into anti-phishing programs if they fail.

  • Cloud security: EBMUD employs a cloud-first approach, knowing that Amazon and other cloud providers often employ the best specialist teams in cyber security that other organizations generally cannot match with on-site solutions.

David Wegman, our very own CTO at Valor Water Analytics (a Xylem brand), presented Valor’s guidelines as a business-to-business agency that receives data from other businesses:

  • Minimize data: sometimes, clients send Valor extraneous data and personally identifiable information that we do not want nor ask for. Valor does not store this data, so that there is no possibility of such sensitive information leaking.

  • Grant as little access as necessary: users are only given access to what they need, and in the form of temporary access tokens that expire shortly afterwards. This reduces the damage of a potential breach by forcibly limiting its duration.

  • Layering approach: in addition to minimizing data, blocking unwanted visitors with a firewall, and granting only temporary access, Valor encrypts sensitive data so that it cannot be traced back to its origins. This layered security addresses the worst case scenario, lessening the impact of any stage of a potential breach.

  • Cloud security: Valor shares EBMUD’s sentiments on the cloud, understanding that an on-site solution would likely be less secure and more difficult to maintain.

Rocky Smith, Business Solutions Architect at Cisco, and Internet of Things (IoT) expert, stated, “You have not been attacked yet, are being attacked, or in the aftermath of an attack”. With this mindset, Cisco prepares for every scenario, designing the best possible outcome.

  • Establish perimeters everywhere: extend firewalls and permissions barriers frequently - even between internal tools, to mitigate potential breaches.

  • Minimize data: even if IoT or other connected devices are compromised, they should not have any sensitive data to leak, only anonymous or useless strings of numbers.

  • Properly back up data: ransomware only has leverage against an organization when, by definition, they hold hostage something valuable. With proper backups, an agency protects itself by being able to recover their valuable data without the need to comply with a malicious entity’s demands. long as it is prioritized

Given these industry-standard practices, one might ask “why are there breaches at all?”. Frankly, organizations need to understand and prioritize security in the first place to even have these measures in place. Instead, some organizations may be far too small, too large and slow-moving, or simply unaware of security threats. Fortunately for everyone, we do have some brilliant individuals and unbiased organizations hoping to tackle some of these issues.

Related Links

California Data Collaborative

Internet of Water

Aspen Dialogue on Sustainable Water Infrastructure

Denmark’s Groundwater Maps and Data 

Sacramento State - California Groundwater Contamination Risk Index