Connections Article

AWWA repeats call for strong cybersecurity measures after EPA withdraws rule

October 19, 2023

The American Water Works Association (AWWA) and other water organizations repeated their call for strong cybersecurity measures in the water sector following last week’s decision by the U.S. Environmental Protection Agency (EPA) to withdraw its new Cybersecurity Rule.

Citing litigation from three states, AWWA and the National Rural Water Association (NRWA), EPA announced on Oct. 12 that it was retracting the March 2023 rule. The rule required cybersecurity at water utilities to be evaluated through State Sanitary Surveys, which AWWA has stressed “are not the right tool for the job.”

In a statement following EPA’s decision, AWWA and the NRWA renewed their recommendation of a collaborative approach to cybersecurity similar to an existing framework in the electric sector. This approach maintains EPA oversight, ensures engagement of water sector experts and protects sensitive information.

“AWWA strongly supports efforts to strengthen the water sector’s cybersecurity,” said Kevin Morley, AWWA’s manager of federal relations. “We want to find the right solutions for utilities to protect themselves from bad actors. We are working collaboratively with federal partners on a smart path forward to provide cybersecurity for all water systems.”

This month is the 20th Cybersecurity Awareness Month with a theme of Secure Our World: 2023 and Beyond. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is encouraging businesses and individuals to incorporate the following four simple steps into their daily online routines to avoid online dangers:

  1. Use strong passwords and a password manager
  2. Turn on multifactor authentication
  3. Recognize and report phishing
  4. Update software

Two recent cybersecurity incidents, involving water utilities in California and Kansas, were preventable, Morley said. The incidents involved former employees and contractors using credentials to manipulate operational controls after their access should have been revoked by the utility.

AWWA encourages utilities to take advantage of CISA’s recently published fact sheet on its Free Cyber Vulnerability Scanning for Water Utilities. The free service identifies a utility’s internet-accessible assets, detects vulnerabilities, and provides weekly reports with recommendations for mitigating the identified vulnerabilities during the initial month of scanning.

“The service provides water systems with real-time information,” Morley said. “Utilities can think of the service as getting a report on what the bad actors see when they do a virtual drive-by of your system. Enrolled utilities have found immediate benefits in mitigating network vulnerabilities and improving their cybersecurity posture.”

AWWA resources help water utilities understand cybersecurity policies, comply with requirements, and implement best practices. They include:

CISA and the National Cybersecurity Alliance have promoted Cybersecurity Awareness Month each October since 2004 to reduce online risk within the public and private sectors.
 
