Cybersecurity is the top threat facing business and critical infrastructure in the United States, according to reports and testimony from the Director of National Intelligence, the Federal Bureau of Investigation and the Department of Homeland Security. The criticality of this issue is highlighted in the report Cybersecurity Risk & Responsibility in the Water Sector, which provides an overview of key legal issues and consequences of a cybersecurity incident.
All water systems should act to examine cybersecurity vulnerabilities and develop a cybersecurity risk management program. AWWA’s Process Control System Security Guidance for the Water Sector and supporting Use-Case Tool were specifically developed to provide a voluntary, sector-specific approach to support implementation of applicable controls in the NIST Cybersecurity Framework. The Guidance and Use-Case Tool have been recognized by USEPA, DHS, NIST and several states for aiding water systems in their prioritization of controls necessary to manage cybersecurity risks.
The NIST Cybersecurity Framework was created in response to Executive Order 13636 - Improving Critical Infrastructure Cybersecurity. In addition, America’s Water Infrastructure Act of 2018 requires all community water systems serving more than 3,300 to conduct a risk and resilience assessment that must consider cybersecurity threats.
Cybersecurity requires a commitment to action as part of an all-hazards risk management strategy as recommended in ANSI/AWWA G430: Security Practices for Operations and Management. The AWWA Cybersecurity Guidance & Use-Case Tool are living documents, and it is expected that further revisions and enhancements will be implemented based on input from users.
Email comments and questions about the guidance and/or use-case tool.
Also see and download the Cybersecurity Myths article, posted here by permission of EMA.
Access additional AWWA resources on Risk & Resilience