Is your utility vulnerable to cyberattacks?

Cybersecurity is top of mind for many water utility leaders — and for good reason. As threats evolve, the consequences of inaction grow more severe, potentially disrupting essential services and endangering public health.

Historically, utilities have braced for cyberattacks that affect information technology, or IT — much like the ransomware attack on St. Paul, Minn., this summer. But attacks are increasingly targeting operations technology, or OT, that can affect water treatment and storage. While digitization and remote accessibility have made operations more efficient, they have also made systems more vulnerable.

Last year, a small plant in Indiana had to switch to manual controls when it was hacked, and a Texas facility had a tank overflow for 30 minutes before it was recovered. In 2023, a cyberattack took control of a remote booster station at a Pennsylvania water authority. 

“There is a clear and evolving cybersecurity threat to the water sector’s business and operational systems,” said Kevin Morley, federal relations manager at AWWA. “It is essential for water utilities of all sizes to recognize the threat and assess their vulnerabilities.”

The U.S. Environmental Protection Agency (EPA) reports that 55% of U.S. water utilities have critical vulnerabilities, and it launched a program in August to help utilities defend against cyberthreats. The EPA also be hosting webinars this month on best practices and other tools to enhance cyber resilience.

“To best be prepared, utilities must integrate cybersecurity into their risk management plans by regularly conducting cyber risk assessments and taking inventory of their information technology and operational technology assets so they can secure them,” Morley said.

This National Cybersecurity Awareness Month, which began Oct. 1, AWWA encourages utility leaders to champion a culture of cyber readiness. Whether you are just beginning your cybersecurity efforts or refining an existing program, these AWWA resources can help:

• The Getting Started Guide helps systems of all sizes address a fundamental set of controls that eliminate common threats. This is based on the Cybersecurity Framework 2.0 provided by the National Institute of Standards and Technology (NIST).
• The Cybersecurity Assessment Tool generates a customized, prioritized list of controls for addressing vulnerabilities. This tool is also aligned to NIST’s framework and the U.S. Environmental Protection Agency’s cyber checklist used in inspections under the Safe Drinking Water Act.
• A new handbook, Resilience Through Cyber-Informed Engineering: An Engineering and Operations Approach to Cybersecurity, includes case studies of cyber-informed engineering in practice.

Additionally, the Cyber Readiness Institute is providing cybersecurity coaches to small water and wastewater utilities to help with basic training and cyber readiness.