Cybersecurity & Guidance
Cybersecurity & Guidance
Cybersecurity is the top threat facing business and critical infrastructure in the United States, according to reports and testimony from the Director of National Intelligence, the Federal Bureau of Investigation and the Department of Homeland Security. All water systems should act to examine cybersecurity vulnerabilities and develop a cybersecurity risk management program.
Cybersecurity News
AWWA UPDATE: U.S. House representatives introduce legislation supporting a collaborative approach to cybersecurity
Legislation that supports AWWA’s recommendation for a collaborative approach to cybersecurity in the water sector was introduced in the U.S. House of Representatives. Spearheaded by Reps. Rick Crawford (R-AR) and John Duarte (R-CA), H.R. 7922 authorizes an independent, non-federal entity to lead the development of cybersecurity requirements in the sector.
“Foreign adversaries such as Russia and China have utilized cyber-attacks to target critical infrastructure such as water systems. This bill is a more proactive approach to safeguarding our drinking and wastewater from these types of attacks. These protections are vital at a time where cyber threats are constant and technology is evolving quickly,” Rep. Crawford said.
“With the constant threat of cyberattacks by our adversaries, the United States’ water infrastructure must be secured and defended properly,” Rep. Duarte said. “I am proud to help lead this crucial legislation with Rep. Crawford to ensure that our wastewater and drinking water systems are adequately prepared to deal with potential cybersecurity threats.”
“Strong and effective cybersecurity oversight is critical for the water sector,” said American Water Works Association CEO David LaFrance. “Reps. Crawford and Duarte’s vision for a collaborative model that leverages the knowledge of the sector is the right approach for protecting water utilities from cyber-attacks.”
This WRRO leverages the technical knowledge of utilities, cybersecurity experts and regulators to implement a comprehensive cybersecurity risk management strategy. Federal oversight and approval of requirements would be provided by the U.S. Environmental Protection Agency, which already regulates drinking water and wastewater utility operations.
The proposed collaborative approach builds on a similar model that has already been successfully applied in the electric sector. The recommendation also aligns with calls for greater public-private collaboration included in the National Cyber Strategy.
AWWA has prepared a summary of the major bill provisions.
Cybersecurity: What Water Utility Leaders & Professionals Should Know
Cybersecurity is now a mission-critical function for water utilities. AWWA has developed a robust suite of guidance to help water utilities understand policies, comply with requirements and implement best practices.
To suggest updates and clarifications to this information, please email Kevin Morley, AWWA manager of federal relations, at kmorley@awwa.org.
Cybersecurity Oversight Options Explored
AWWA commissioned a report that explores industry-led regulatory options to support water sector cyber resilience, including the option of creating industry-wide cyber standards with oversight from a federal body, similar to what exists within the energy sector.
CISA Shields-Up Campaign
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) urges everyone to protect themselves online and adopt a heightened posture when it comes to security. CISA stands ready to help organizations prepare for, respond to, and mitigate the impact of cyber attacks.
Advertisement
AWWA Cybersecurity Assessment Tool & Guidance
Are you a community water system or do you support community water systems? If so, federal legislation requires systems serving 3,300 or more persons to consider cybersecurity threats in your risk and resilience assessment, as well as in your emergency response plan. This may sound daunting, but AWWA is here to help systems of all sizes.
Planning Resources
AWWA has developed some essential planning resources to start water utilities on the path to cyber-resilience. They are designed to help you clarify your utility’s exposure to cyber risks, set priorities, and execute an appropriate and proactive cybersecurity strategy.
- START HERE: Water Sector Cybersecurity Risk Management Guidance. Practical, step-by-step guidance from AWWA for protecting process control systems used by the water sector from cyberattacks. Following this guidance saves time and yields more comprehensive, accurate and actionable recommendations from the Assessment Tool.
- Assessment Tool. This interactive tool asks utilities to examine how they are using various technologies. Based on responses, the tool generates a customized, prioritized list of controls that are most applicable to the utility’s technology applications. Utilities can use this output to determine the implementation status of critical controls designed to mitigate cybersecurity vulnerabilities. AWWA website login is required for access.
- Small Systems Guidance. A getting-started guide to help small rural utilities improve their cybersecurity practices. For water utilities serving fewer than 10,000 people, and especially those serving fewer than 3,300 people.
About These Resources
AWWA’s Cybersecurity Guidance and Assessment Tool have been updated and revised to maintain alignment with the NIST Cybersecurity Framework (the key set of standards, methodologies, procedures, and processes designed to align policy, business, and technology solutions to cyber risks), and with Section 2013 of America’s Water Infrastructure Act of 2018 (AWIA).
Together, these resources constitute a voluntary approach for how a utility can implement applicable cyber controls from the NIST Cybersecurity Framework, and also fulfill the cybersecurity provision in AWIA §2013.
AWWA’s guidance and tools have been recognized by the U.S. EPA, Cybersecurity and Infrastructure Security Agency (CISA), NIST and several states for aiding water systems in evaluating cybersecurity risks.
Growing your utility’s cybersecurity maturity. This figure shows the levels of cybersecurity maturity (adapted from SANS), and how AWWA cybersecurity resources fit within this model.
Cybersecurity in the Water Sector Micro-learning
Water and wastewater systems have been targeted by cyber attacks across the United States. Utilities need to achieve cyber resilience to protect against growing threats and bad actors.
The micro-learning below provides a high-level summary of the current state of cyber security, what utilities should expect and details of our Awareness-Analysis-Act Framework. The course also provides a directory of cybersecurity resources available from AWWA. These resources include manuals, standards, helpful links, tools, and checklists, and longer eLearning courses.
Click on the white arrow below to get started.
External Resources
Beyond AWWA, many organizations and agencies have created helpful cybersecurity resources relevant to protecting water systems.
EPA – Cybersecurity Best Practices for the Water Sector
EPA – Water Sector Cybersecurity Brief for States
EPA – Cybersecurity Incident Action Checklist
EPA – Drinking Water or Wastewater Cybersecurity Risk Assessment Tool
EPA – Water Resilience Tabletop Exercises
EPA and the Bipartisan Infrastructure Law Fact Sheet
EPA – Cybersecurity Assessment and Technical Assistance and Assessment for Water and Wastewater Utilities
America’s Water Infrastructure Act: Risk Assessments and Emergency Response Plans
Baseline Information on Malevolent Acts for Community Water Systems
Small System Risk and Resilience Assessment Checklist
Drinking Water and Wastewater Resilience Resources
Route to Resilience 2020 for Drinking Water and Wastewater Utilities
Cybersecurity: 2021 State of the Sector Industry Survey Report
15 Cybersecurity Fundamentals for Water and Wastewater Utilities
Report Incidents, Phishing, Malware, or Vulnerabilities
US-CERT Current Activity
Cybersecurity Evaluation Tool (CSET)
Implement Cybersecurity Measures Now to Protect Against Potential Critical Threats
Incident Response Guide: Water and Wastewater Systems (WWS) Sector
NIST Cybersecurity Framework
Critical Infrastructure Policy: Information Sharing and Disclosure Requirements After the Colonial Pipeline Attack
AWWA Policy Statements
AWWA’s policy statements are brief statements on protecting and improving water supply, water quality, management, and the interests of the public and the environment. They are written by consensus, subject to review and comment by AWWA committees, councils, and members. Because they represent AWWA’s position on these matters, they are approved by the AWWA Executive Committee of the board of directors.
- Strengthening the Cyber Resilience of America’s Water Systems: Industry-Led Regulatory Options
- AWWA Congressional Testimony – Mobilizing Our Cyber Defenses: Securing Critical Infrastructure Against Russian Cyber Threats
- Building Cybersecurity Resilience in the Water Sector
- What Does More Look Like (Journal AWWA)
Technical Committee Engagement
AWWA members are recognized globally for their industry expertise and their generosity in sharing that expertise for a better world through better water. AWWA members participate in committee activities, developing conference programs, writing technical manuals, developing standards, creating educational content and contributing to AWWA publications. Committee members primarily interact through conference calls, emails, and face to face meetings at conferences and events.
Inorganics Committee
Inorganic Contaminants Research Committee
Emerging Water Quality Issues Committee
Advertisement