Cybersecurity & Guidance


Cybersecurity is the top threat facing business and critical infrastructure in the United States, according to reports and testimony from the Director of National Intelligence, the Federal Bureau of Investigation and the Department of Homeland Security.

All water systems should act to examine cybersecurity vulnerabilities and develop a cybersecurity risk management program.


April 11, 2024

U.S. House representatives introduce legislation supporting a collaborative approach to cybersecurity


Legislation that supports AWWA’s recommendation for a collaborative approach to cybersecurity in the water sector was introduced in the U.S. House of Representatives today. Spearheaded by Reps. Rick Crawford (R-AR) and John Duarte (R-CA), H.R. 7922 authorizes an independent, non-federal entity to lead the development of cybersecurity requirements in the sector.

“Foreign adversaries such as Russia and China have utilized cyber-attacks to target critical infrastructure such as water systems. This bill is a more proactive approach to safeguarding our drinking and wastewater from these types of attacks. These protections are vital at a time when cyber threats are constant and technology is evolving quickly,” Rep. Crawford said.

“With the constant threat of cyberattacks by our adversaries, the United States’ water infrastructure must be secured and defended properly,” Rep. Duarte said. “I am proud to help lead this crucial legislation with Rep. Crawford to ensure that our wastewater and drinking water systems are adequately prepared to deal with potential cybersecurity threats.”

“Strong and effective cybersecurity oversight is critical for the water sector,” said American Water Works Association CEO David LaFrance. “Reps. Crawford and Duarte’s vision for a collaborative model that leverages the knowledge of the sector is the right approach for protecting water utilities from cyber-attacks.”

The entity the bill authorizes, a Water Risk & Resilience Organization (WRRO), would leverage the technical knowledge of utilities, cybersecurity experts and regulators to implement a comprehensive cybersecurity risk management strategy. Federal oversight and approval of its requirements would be provided by the U.S. Environmental Protection Agency, which already regulates drinking water and wastewater utility operations.

The proposed collaborative approach builds on a similar model that has already been successfully applied in the electric sector. The recommendation also aligns with calls for greater public-private collaboration included in the National Cyber Strategy.

AWWA has prepared a summary of the major bill provisions.


Cybersecurity: What Water Utility Leaders & Professionals Should Know

Cybersecurity is now a mission-critical function for water utilities. AWWA has developed a robust suite of guidance to help water utilities understand policies, comply with requirements and implement best practices.

To suggest updates and clarifications to this information, please email Kevin Morley, AWWA Manager of Federal Relations at kmorley@awwa.org.


Cybersecurity Oversight Options Explored

AWWA recently commissioned a report that explores industry-led regulatory options to support water sector cyber resilience, including the option of creating industry-wide cyber standards with oversight from a federal body, similar to what exists within the energy sector.


CISA Shields-Up Campaign

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) urges everyone to protect themselves online and adopt a heightened posture when it comes to security. CISA stands ready to help organizations prepare for, respond to, and mitigate the impact of cyber attacks.


Cybersecurity in the Water Sector Micro-learning

Water and wastewater systems have been targeted by cyber attacks across the United States. Utilities need to achieve cyber resilience to protect against growing threats and bad actors.

The micro-learning below provides a high-level summary of the current state of cybersecurity, what utilities should expect, and details of our Awareness-Analysis-Act Framework. The course also provides a directory of cybersecurity resources available from AWWA, including manuals, standards, helpful links, tools, checklists, and longer eLearning courses.


AWWA Cybersecurity Assessment Tool and Guidance

Are you a community water system, or do you support community water systems? If so, federal legislation requires systems serving 3,300 or more persons to consider cybersecurity threats in their risk and resilience assessments, as well as in their emergency response plans. This may sound daunting, but AWWA is here to help systems of all sizes.

AWWA has developed some essential planning resources to start water utilities on the path to cyber resilience. They are designed to help you clarify your utility’s exposure to cyber risks, set priorities, and execute an appropriate and proactive cybersecurity strategy.

  1. START HERE: Water Sector Cybersecurity Risk Management Guidance. Practical, step-by-step guidance from AWWA for protecting process control systems used by the water sector from cyberattacks. Following this guidance saves time and yields more comprehensive, accurate and actionable recommendations from the Assessment Tool.
  2. Assessment Tool. This interactive tool asks utilities to examine how they are using various technologies. Based on responses, the tool generates a customized, prioritized list of controls that are most applicable to the utility’s technology applications. Utilities can use this output to determine the implementation status of critical controls designed to mitigate cybersecurity vulnerabilities. AWWA website login is required for access.
  3. Small Systems Guidance. A getting-started guide to help small rural utilities improve their cybersecurity practices. For water utilities serving fewer than 10,000 people, and especially those serving fewer than 3,300 people.

About these resources. AWWA’s Cybersecurity Guidance and Assessment Tool have been updated and revised to maintain alignment with the NIST Cybersecurity Framework (the key set of standards, methodologies, procedures, and processes designed to align policy, business, and technology solutions to cyber risks), and with Section 2013 of America’s Water Infrastructure Act of 2018 (AWIA). 

Together, these resources constitute a voluntary approach for how a utility can implement applicable cyber controls from the NIST Cybersecurity Framework, and also fulfill the cybersecurity provision in AWIA §2013.

AWWA’s guidance and tools have been recognized by the U.S. EPA, Cybersecurity and Infrastructure Security Agency (CISA), NIST and several states for aiding water systems in evaluating cybersecurity risks.

Growing your utility’s cybersecurity maturity. This figure shows the levels of cybersecurity maturity (adapted from SANS), and how AWWA cybersecurity resources fit within this model.

AWWA Cybersecurity Maturity

Help AWWA keep our Guidance and Assessment Tool up to date! To suggest updates and clarifications to this tool, please email Kevin Morley, AWWA Manager of Federal Relations at kmorley@awwa.org.

AWWA Report: Cybersecurity Options for the Water Sector 

In August 2021, AWWA published a research report that recommends an industry-led regulatory option to enhance cybersecurity readiness and resilience across the water sector. This effort is an alternative to direct federal action, which would likely be highly prescriptive, rather than risk-based. 

Read the report: Strengthening the Cyber Resilience of America’s Water Systems: Industry-Led Regulatory Options  

Key recommendations from this report: 

  • Establish an entity (Water Risk & Resilience Organization, or WRRO), led by the water community, to set minimum requirements for cybersecurity. 
  • WRRO’s audit process would provide third-party accountability for cyber risk management. 
  • U.S. EPA would provide oversight on minimum requirements. 

This report was researched and written for AWWA by Dr. Paul Stockton, who advises critical infrastructure organizations on ways to strengthen preparedness against emerging cyber threats. From May 2009 to January 2013, he served as Assistant Secretary of Defense for Homeland Defense and Americas’ Security Affairs. Currently, he chairs the Grid Resilience for National Security subcommittee of DOE’s Electricity Advisory Committee. He also serves on the Strategic Advisory Council of the Idaho National Laboratory, and is a Senior Fellow of the Johns Hopkins University’s Applied Physics Laboratory.  

Latest policy actions on cybersecurity from AWWA  

April 5, Congressional Testimony. Mobilizing Our Cyber Defenses: Securing Critical Infrastructure Against Russian Cyber Threats, presented by Kevin M. Morley PhD, Manager of Federal Relations, American Water Works Association, before the House Committee on Homeland Security. (Video)

Morley said the water community could model a regulatory approach on the electric sector, with a tiered set of requirements based on risk and performance. EPA would provide federal oversight and approval of requirements, given its existing statutory role in the water community. (Press release)

More policy guidance on cybersecurity from AWWA: 

  • Building Cybersecurity Resilience in the Water Sector. Brief summary of five key areas where greater collaboration is needed between owner/operators and federal, state and local partners. 
  • Journal AWWA: What Does More Look Like? by Kevin Morley (AWWA Manager of Federal Relations) and Paul Stockton. EXCERPT: “There is intense federal attention on what various sectors are doing to manage the risk from cyber threats. This raises questions on what more should be done to ensure that water systems are taking appropriate actions to implement cybersecurity controls. We are therefore at a rare inflection point when it comes to informing a new oversight structure for cybersecurity in the water sector.” 

AWWA e-learning, standards, publications, training and webinars on cybersecurity for water systems. Members receive a significant discount. 

AWWA's Utility Risk & Resilience eLearning Certificate Program

AWWA eLearning courses include cybersecurity: 

Utility Risk and Resilience. Earn an industry-recognized certificate relevant to cybersecurity and other key areas of water utility risk. Includes this cybersecurity eLearning course: Cybersecurity in the Water Sector (EL264), which covers: 

  • Cybersecurity risk management 
  • Recognizing cybersecurity gaps 
  • Using AWWA’s Cybersecurity Assessment Tool 
  • See full list of courses

Small Systems eLearning Courses

Small Systems Resiliency. Free for people who work for a water system serving fewer than 10,000 people. Includes this cybersecurity eLearning course: Cybersecurity for Water Systems (EL276), which covers: 

  • Best practices for critical infrastructure 
  • Using AWWA’s cybersecurity risk management guidance and Assessment Tool to identify gaps in current cybersecurity practices  
  • See full list of small systems courses

How to access any small systems course for free (intended for small systems only): 

  • Log in to your AWWA.org account 
  • Select your name (top right corner) to view your account information. 
  • In the menus on the left, select My Courses (under Education). 
  • Under Small Systems Course Access, enter code: AWWASMSY. 
  • All available free courses will be placed in your enrollments. To access any free course, click on the course title, or click Go next to the title. 

Risk Management: Key Context for Cybersecurity

AWWA offers a variety of resources on risk and resilience -- including our Utility Risk & Resilience Certificate program.  

Cybersecurity is one of many risks that water utilities must manage. Several AWWA Standards, Manuals and other publications offer guidance on risk management. The following AWWA resources provide valuable context for managing cyber risks alongside other risks. 

NOTE: Cyber is not the exclusive focus of any of these resources, but rather an element of all of them. Collectively, these standards facilitate compliance with AWIA and provide a foundation for demonstrating due diligence. 

Standards: 

Guidance documents: 

  • Cybersecurity Risk & Responsibility Guide. The utility has a fiduciary responsibility to manage cyber risks. Covers the scope and significance of cyber threats, system operator responsibility to anticipate threats and address vulnerabilities, additional risks (reputational, regulatory, civil liability), strategy to manage risks and prioritize solutions, insurance, and more. 
  • Water Sector Cybersecurity Risk Management Guidance. Practical, step-by-step guidance from AWWA for protecting process control systems used by the water sector from cyberattacks. Includes a summary of information to gather before using the Assessment Tool (below). Supports voluntary adoption of the NIST Cybersecurity Framework, and also addresses the cybersecurity provision of AWIA Section 2013.

Manuals: 

Related AWWA Resources: 

  • Cybersecurity Assessment Tool and Guidance. AWWA’s interactive tool for assessing your utility’s unique cybersecurity considerations, and guidance for conducting and using this assessment. 
  • Report: Protecting the Water Sector’s Critical Infrastructure Information: Analysis of State Laws. Many states have taken steps to exempt critical water infrastructure information from public release. As of 2020, 34 states had disclosure exemption laws that specifically address the type of information that utilities must develop and prepare to comply with AWIA. States without such laws have some protections which may, or may not, apply to critical infrastructure information. This report is a review and summary of the protections available at the state level for the information a water utility develops under AWIA.
  • Journal AWWA: Engineering Cyber–Physical Resilience, by Andrew Ohrt, Daniel A. Groves, et al. SUMMARY: Consequence-driven, cyber-informed engineering (CCE) adds another layer to cybersecurity strategies and helps utilities establish organizational and engineering practices that ensure resilience. 

Additional Resources for Water-Sector Cybersecurity Information

Beyond AWWA, many organizations and agencies have created helpful cybersecurity resources relevant to protecting water systems.

Environmental Protection Agency (EPA) 
Cybersecurity Best Practices for the Water Sector: EPA’s central list of water cybersecurity resources, including:  

Resource Guide: America's Water Infrastructure Act: Risk Assessments and Emergency Response Plans. The 2018 AWIA requires that water system emergency response plans address cybersecurity. This EPA list of resources covers important compliance deadlines and other essential information, plus: 

Drinking Water and Wastewater Resilience resources, including: 

Water Information Sharing and Analysis Center (WaterISAC) 

U.S. Cybersecurity and Infrastructure Security Agency (CISA)

National Institute of Standards & Technology (NIST) 

  • NIST Cybersecurity Framework. The key set of standards, methodologies, procedures, and processes designed to align policy, business, and technology solutions to cyber risks. AWWA’s Guidance and Assessment Tool provide a sector-specific approach to using the NIST CSF.

Idaho National Laboratory 

  • Consequence-Driven Cyber-Informed Engineering. Security methodology for critical infrastructure systems. Assumes that if a critical infrastructure system is targeted by a skilled and determined adversary, the targeted network can and will be penetrated. This "think like the adversary" approach offers infrastructure owners and operators a four-step process for safeguarding operations. 

Congressional Research Service 

January 25, 2023 - Joint association letter to EPA regarding the Sanitary Survey Program
