AWWA repeats call for strong cybersecurity measures after EPA withdraws rule
October 19, 2023
AWWA Articles
AWWA repeats call for strong cybersecurity measures after EPA withdraws rule
The American Water Works Association (AWWA) and other water organizations repeated their call for strong cybersecurity measures in the water sector following last week’s decision by the U.S. Environmental Protection Agency (EPA) to withdraw its new Cybersecurity Rule.
Citing litigation from three states, AWWA and National Rural Water Association (NRWA), EPA announced it was retracting the March 2023 rule on Oct. 12. The rule required cybersecurity at water utilities to be evaluated through State Sanitary Surveys, which AWWA has stressed “are not the right tool for the job.”
In a statement following EPA’s decision, AWWA and the NRWA renewed their recommendation of a collaborative approach to cybersecurity similar to an existing framework in the electric sector. This approach maintains EPA oversight, ensures engagement of water sector experts and protects sensitive information.
“AWWA strongly supports efforts to strengthen the water sector’s cybersecurity,” said Kevin Morley, AWWA’s manager of federal relations. “We want to find the right solutions for utilities to protect themselves from bad actors. We are working collaboratively with federal partners on a smart path forward to provide cybersecurity for all water systems.”
This month is the 20th Cybersecurity Awareness Month with a theme of Secure Our World: 2023 and Beyond. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is encouraging businesses and individuals to incorporate the following four simple steps into their daily online routines to avoid online dangers:
- Use strong passwords and a password manager
- Turn on multifactor authentication
- Recognize and report phishing
- Update software
Two recent cybersecurity incidents, involving water utilities in California and Kansas, were preventable, Morley said. The incidents involved former employees and contractors using credentials to manipulate operational controls after their access should have been revoked by the utility.
AWWA encourages utilities to take advantage of CISA’s recently published fact sheet on its Free Cyber Vulnerability Scanning for Water Utilities. The free service identifies a utility’s internet-accessible assets, detects vulnerabilities, and provides weekly reports with recommendations for mitigating the identified vulnerabilities during the initial month of scanning.
“The service provides water systems with real-time information,” Morley said. “Utilities can think of the service as getting a report on what the bad actors see when they do a virtual drive-by of your system. Enrolled utilities have found immediate benefits in mitigating network vulnerabilities and improving their cybersecurity posture.”
AWWA resources help water utilities understand cybersecurity policies, comply with requirements, and implement best practices. They include:
- Water Sector Cybersecurity Risk Management Guidance, a step-by-step guide to protect process control systems from cyberattacks
- Water Sector Cybersecurity Risk Management Tool, which helps utilities develop a cybersecurity risk management strategy and facilitates compliance with cybersecurity provisions included in America’s Water Infrastructure Act of 2018
- Water Sector Risk Management Guidance for Small Systems, a guide to help small utilities serving fewer than 10,000 people improve cybersecurity practices
CISA and the National Cybersecurity Alliance have promoted Cybersecurity Awareness Month each October since 2004 to reduce online risk within the public and private sectors.