Utility Security


All-hazards approach to utility security

As stewards of public health and the environment, water professionals have always been aware of the risks associated with securing reservoirs and wells to protect the water supply — to guarding materials at their facilities from theft and sabotage, to planning for response and recovery from events ranging from routine pipe breaks to natural disasters. In this important sense the water sector has embraced an all-hazards approach to security and emergency preparedness that mirrors the multibarrier approach for water treatment.

Today, the threats we face also include the risks of intentional harm through malevolent acts. Due to the changing and interactive nature of security and emergency preparedness, the issues of greatest importance to utilities are difficult to compartmentalize. The information presented here seeks to provide insight on the key drivers that influence the water sector’s activities regarding cybersecurity, physical security and emergency response. 

Roadmap to a Secure and Resilient Water and Wastewater Sector

The Water Sector Coordinating Council, which is comprised of representatives from eight national associations, recently collaborated with government counterparts to update the Roadmap to a Secure and Resilient Water and Wastewater Sector. The Roadmap identifies four Top Priority Activity Areas based on a review of the 2013 Roadmap and related accomplishments, as well as the consideration of recent water and wastewater sector incidents. The priority areas include:

  • Establish the critical lifeline status of the Water and Wastewater Sector and translate that definition into strong support for the sector’s needs and capabilities.
  • Improve detection, response, and recovery to contamination incidents.
  • Advance preparedness and improve capabilities of the Water and Wastewater Sector for area-wide loss of water and power.
  • Advance recognition of vulnerabilities and needed responses related to cyber risk management.

The Roadmap supports collaboration and leveraging of resources among sector partners in an effort to ensure that joint activities contribute to a common vision. The priority activity areas contain actions that seek to address key gaps in the water and wastewater sector’s capabilities relative to key threats to the operation of water and wastewater utilities

Cybersecurity Guidance and Tool
In an effort to provide utilities with more actionable information on cybersecruity, AWWA has released the Process Control System Security Guidance for the Water Sector and a supporting Use-Case Tool. 



key drivers of utility security

Physical security

The physical security of water utilities is the concern that led to the passage of the Bioterrorism Act of 2002. However, physical security is not adequately addressed through the traditional concept of more gates and guards. It is better characterized in two security standards developed by AWWA in collaboration with various stakeholders that have received SAFETY Act designation by the US Department of Homeland Security. These standards are described below.

Key requirements of G430 include:


In 2008, AWWA partnered with DHS to develop a Roadmap for Securing Process Controls Systems in the Water Sector (PDF, 1MB). This report was then endorsed by the Water Sector Coordinating Council as being representative of the sector’s needs to advance the sector capabilities in collaboration with other key partners.

In an effort to provide utilities with more actionable information, AWWA developed the Process Control System Security Guidance for the Water Sector and a supporting Use-Case Tool.  This resource includes a series of best practices that are designed to support a utilities capability to mitigate, detect and recover from potential attacks targeting process control systems. This AWWA guidance provide a sector-based approach that aligns with the principles of Executive Order 13636—Improving Critical Infrastructure Cybersecurity (PDF), and the voluntary Cybersecurity Framework (PDF) prepared by the National Institute of Standards & Technology.

Another resource, which originated in the water sector, is the free Cybersecurity Self-Evaluation Tool, which provides a systematic and repeatable approach for assessing the security posture of their cyber systems and networks. Additional resources are also available from the DHS Control System Security Program.

Also, EPA in May 2014 submitted a letter to the White House (PDF) indicating its intent to "work with the Water Sector Coordinating Council, the Water Government Coordinating Council, DHS, and other sector partners to develop approaches to outreach and training, determine whether there are important gaps in available guidance, tools, and resources, and identify measures of success for adoption ofthe Cybersecurity Framework in the Water and Wastewater Systems sector." 

All utilities are encouraged to report incidents to the FBI for investigation, prosecution and potential alerting of the sector at large.

Read more about cybersecurity in the following articles that have been published in the Journal - American Water Works Association:

A Simple Action Plan for Utilities to Secure Their Process Control Systems

Don't Know Where to Begin With Cyber Security? You May Already Be on Your Way

The Case for Cyber Security in the Water Sector

Robust ICSs Critical for Guarding against Cyber Threats

Security laws

Several laws are important to the water sector’s security and emergency preparedness actions.

USA PATRIOT Act of 2001 (P.L. 107-56)
  • Designates water as one of several “critical infrastructure” sectors, which are defined as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety or any combination of those matters" (Sec. 1016(e)).

Bioterrorism Act of 2002 (PL 107-188)
  • Mandates a vulnerability assessment for all public water systems serving 3,300 or more and requires its submission to the Environmental Protection Agency.
  • Mandates an emergency response plan informed by the findings of the vulnerability assessment and requires a letter of verification to the EPA.
  • Makes tampering with a drinking water system a federal offense with maximum civil penalty of $1,000,000 and/or up to 20 years in prison.

Homeland Security Act of 2002 (PL 107-296)
  • Authorized the creation of the Department of Homeland Security.
  • Designates DHS as the lead federal agency for managing the homeland security mission in coordination with other federal agencies, including EPA.
  • Incorporates by reference the PATRIOT Act definition of “critical infrastructure.”

Support Anti-terrorism by Fostering Effective Technologies Act of 2002 (SAFETY Act; part of the Homeland Security Act, PL 107-296)
  • Grants the Secretary of Homeland Security with broad discretion in determining whether to designate a particular technology as Qualified Anti-terrorism Technology.
  • Bestows liability protections to providers and users of certain anti-terrorism technologies and incentives for the development and deployment of these technologies by creating a system of risk and litigation management.
Chemical Facility Anti-Terrorism Standards (Sec. 550 of DHS Appropriations Act of 2007)
  • Directed DHS to issue rules establishing risk-based performance standards for the security of chemical facilities. Public water systems and wastewater treatment facilities as defined by section 1401 of the Safe Drinking Water Act and Treatment Works as defined in section 212 of the Federal Water Pollution Control Act, respectively are excluded from this regulation.

Executive Orders

A number of Presidential orders provide guidance and direction to executive branch agencies for implementation of various policies. A series of these orders have been issued that directly impact the water sector. However, these directives apply to federal agencies do not impose any direct requirements on outside stakeholders unless otherwise mandated by law. Administrations have used differing nomenclature for executive orders related to homeland security: Clinton (PDD), Bush (HSPD) and Obama (PPD).

HSPD-5: National Incident Management System (2003)
  • Directs DHS to develop and administer a National Incident Management System. This system is to provide a consistent national approach for various levels of government to collaborate effectively to prepare, prevent, respond, and recover from domestic incidents.
  • All federal entities are required to adopt the NIMS, which is also a condition for fderal preparedness assistance grants to any state, tribal and local entities as of 2005.
  • NIMS is not an operational incident management or resource allocation plan. It provides a core set of doctrines, concepts, principles, terminology and organizational processes that will support the implementation of the National Response Framework.
  • The NRF established a comprehensive all-hazards approach to enhance the ability of first responders to manage all domestic incidents. The NRF forms the basis for how all federal departments and agencies will work together and coordinate with state, local and tribal governments and the private sector during incidents.
  • Federal agency responsibilities are defined in various Emergency Support Functions. Those most directly related to water sector are described here:
    • ESF #3 - Public Works and Engineering. The U.S. Army Corps of Engineers is the lead agency for providing ESF #3 technical assistance, engineering and construction management resources and support during response activities. EPA, when tasked by USACE, will support infrastructure protection activities for drinking water and water treatment agencies.
    • ESF #8 - Public Health and Medical Service. Tangentially applies to water utilities through the provision of emergency water service. The Department of Health and Human Services is the primary agency responsible.
    • ESF #10 - Oil and Hazardous Materials Response. Tangentially applies to water utilities through the transportation of chlorine gas. EPA is the primary agency.
PPD-21: Critical Infrastructure Security and Resilience (2013).
  • This replaces HSPD-7 and establishes a national policy on critical infrastructure security and resilience. It recognizes that the mission is a shared responsibility among federal, state, local and public and private critical infrastucture owners and operators.
  • Maintains the designation of water and wastewater systems as one of 16 defined critical infrastructure sectors.
  • Designates EPA as the Sector-Specific Agency for drinking water and wastewater treatment systems and tasks all SSAs to:
    • Collaborate with relevant federal departments and agencies, state and local governments and the water sector and conduct or facilitate vulnerability assessments.
    • Encourage risk management strategies to protect against and mitigate the effects of an attack.
    • Promote the continued development of information-sharing and analysis mechanisms in collaboration with the water sector.

The 2013 National Infrastructure Protection Plan (PDF) builds on prior activities, and emphasizes the complementary goals of security and resilience for critical infrastructure. This includes the integration of physical and cyber security planning is consistent with Executive Order 13636, Improving Critical Infrastructure Cybersecurity. The updated NIPP also aligns with the National Preparedness System called for in PPD-8, National Preparedness, with descriptions of activities to manage risks across the five national preparedness mission areas of prevention, protection, mitigation, response, and recovery.

Water Sector Coordinating Council

AWWA is a member of the Water Sector Coordinating Council, which is one of the principle means by which the US water sector interacts with federal agencies regarding homeland security issues. In addition, AWWA is actively engaged in educating Congress and federal agencies to ensure that the utility owner/operator needs and concerns are represented and understood. The WSCC consists of two "owner/operator" representatives and one non-voting association staff member from each of the member organizations. The mission of the WSCC is to serve as a policy, strategy and coordination mechanism and to recommend actions to reduce and eliminate significant homeland security vulnerabilities to the water sector through interaction with the federal government and other critical infrastructure sectors.The WSCC has developed several critical resources for water utilities, including the following:

PPD-8: National Preparedness (2011).

This directive is aimed at strengthening the security and resilience of the United States through systematic preparation for the threats that pose the greatest risk to national security, including acts of terrorism, cyber attacks, pandemics and catastrophic natural disasters. This replaces HSPD-8: National Preparedness Goal.

HSPD-9: Defense of United States Agriculture and Food (2004)

This directive establishes a national policy to defend the agriculture, water and food system against terrorist attacks, major disasters and other emergencies. More specifically, it is the organizing principle for EPA’s Water Security Initiative .

The section on Water Surveillance Monitoring and Lab Networks provides the following:

  • Builds upon and expands current monitoring and surveillance programs for public health and water quality that provide early detection and awareness of disease, pest, or poisonous agents. 
  • Develops nationwide laboratory networks for water quality that integrate existing federal and state laboratory resources.
  • Develops and enhances intelligence capabilities to include collection and analysis of information concerning threats, delivery systems, and methods that could be directed against the water sector.
  • Accelerates and expands countermeasure research and development of methods for detection, prevention technologies, agent characterization and dose-response relationships for high-consequence agents.
HSPD-10: Biodefense for the 21st Century (2004)

This HSPD is focused on the threat of a biological terrorism incident and much of the details of the program are classified. However, the core elements of the program are Threat Awareness, Prevention and Protection, Surveillance and Detection, and Response and Recovery. More specifically the following points are directly related to the water sector and derived from the unclassified version of this document. The following tasks are assigned to DHS unless otherwise noted:

  • Coordinate with federal partners in developing and deploying biodetection technologies and decontamination methodologies.
  • Restate the concepts described in HSPD-9 for monitoring and surveillance to be coordinated by DHS with federal partners.
  • Coordinate the development of a National Response Plan (see HSPD-8) with appropriate federal partners to respond to a biological attack.
  • Coordinate with federal partners on the development of an effective risk communication strategy to facilitate emergency preparedness for a biological attack.

Emergency preparedness

The attacks of Sept. 11, 2001, brought about the Bioterrorism Act of 2002 and the requirement for drinking water systems to prepare emergency response plans. AWWA has always been actively engaged with our federal and state partners in the development of guidance to support this need.

One of the most successful examples of this collaborative effort is embodied in Water/Wastewater Agency Response Networks. In a short period of time, the “utilities helping utilities” principle has evolved into 48 US and 2 Canadian WARNs that provide the foundation for intrastate mutual aid and assistance that is recognized as a model for other sectors to emulate.

Learn more about WARN and access emergency response resources at AWWA's Emergency Preparedness Resource Community.