Cyber Security

Overview
   Relevant Activities
   Role of Local Governments
U.S. EPA Resources
Other Resources 
   Other Federal Agencies & Programs
Funding & Financing

Overview

The water and wastewater sector is part of the nation's critical infrastructure, defined in the USA PATRIOT Act as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." The supply of safe drinking water and treatment of wastewater are both considered National Critical Functions.

Public water systems (PWS) and publicly owned treatment works (POTW) increasingly depend on cyber-physical systems (CPS), incorporating both information technology (IT) and operational technology (OT) into their operations. The COVID-19 pandemic further accelerated movement to remote operations.

These developments make the sector an attractive target for cybercriminals, particularly when a PWS or POTW depends on outdated operating systems, has insufficient controls or lacks a robust training program. Threat actors targeting water systems include nation-state political actors, cybercriminal financial actors and current and former employees. Their motivations range from stealing sensitive data and disabling network components to disrupting operations.

The consequences of cyberattacks can be dire, ranging from operational disruption and system component damage to the theft of customers' personal data. Most significant is compromising the ability of a PWS or POTW to provide clean, safe drinking water, protect the environment and maintain the confidence of the public.

Three federal agencies play key roles in supporting the cybersecurity of the water and wastewater sector:

• The Environmental Protection Agency (EPA) is the Sector Specific Agency (SSA) designated responsibility for supporting the security and resilience of the Water and Wastewater Systems Sector;
• The Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security provides training and other tools and resources related to critical infrastructure security; and
• The Federal Bureau of Investigation (FBI) is the lead federal agency for investigating cybercrime.

Additionally, the Office of the National Cyber Director is the White House's principal advisor on cybersecurity policy and strategy and the National Institute of Standards and Technology (NIST) develops standards, best practices and tools and public guidelines on cybersecurity measures.

CISA, FBI and EPA collaborate in responding to significant cybersecurity incidents, from notification and assessment to making recommendations to avoid future attacks.

• CISA leads the response, collecting reports of cybersecurity and incidents and providing technical assistance to protect assets and reduce the impacts of attacks. The agency helps with restoring affected systems, coordinating federal assistance and improving security after the fact;
• FBI handles the law enforcement and investigative activity; and
• EPA directs water and wastewater sector requests for assistance to CISA, confirms requests are fulfilled and communicates alerts, coordinates cyber incident response among appropriate federal agencies, facilitates sharing of information and intelligence, and maintains open lines of communication to affected utilities and other stakeholders.

EPA and CISA collaborated with the National Security Council, Water Sector Coordinating Council and Water Government Coordinating Council to develop the Water and Wastewater Sector Action Plan to promote early cyber-threat detection and information sharing across the federal government and critical infrastructure community. 

Relevant Activities

• Drinking Water Systems Operations
• Wastewater Management & Sewage Treatment

Role of Local Governments

The America's Water Infrastructure Act of 2018 requires community water systems (CWS) serving more than 3,300 people to develop or update risk assessments and emergency response plans (ERPs), which must address "electronic, computer, or other automated systems (including the security of such systems)."

PWSs and POTWs are urged to reduce the risk of a successful cyberattack by implementing best practices, training staff, implementing a monitoring plan and updating technology. EPA and other federal and state agencies offer multiple cybersecurity capacity-building resources specifically for PWSs and POTWs. EPA also published a memo clarifying that states must assess PWS cybersecurity practices as part of their sanitary surveys.

There are many resources on best practices, preparation and response and funding that even the smallest utilities can leverage to effectively counter cybercriminals. EPA and other federal and state agencies offer multiple cybersecurity capacity-building resources specifically for PWSs and POTWs.

PWSs and POTWs can stay informed about potential threats impacting the water and wastewater sector, by:

• Monitoring the National Cyber Awareness System.
• Subscribing to the Cybersecurity & Infrastructure Security Agency's mailing list.
• Taking advantage of WaterISAC's free membership.

PWSs and POTWs should immediately report any cyber incident to the following entities:

• Local law enforcement and the primary oversight agency (typically the state).
• Local FBI field office or contact the Cyber Watch (CyWatch) at either the 24/7 support line at (855) 292-3937 or CyWatch@fbi.gov.
• CISA Incident Reporting System.
• WaterISAC online, at analyst@waterisac.org or 866-H2O-ISAC.

U.S. Environmental Protection Agency Resources

EPA Cybersecurity for the Water Sector. Provides multiple resources, including a Cybersecurity Incident Action Checklist, Water Sector Cybersecurity Training and Response Exercises, the Vulnerability Self-Assessment Tool 2.0 (VSAT Web 2.0), Water Resilience Tabletop Exercise and more.

• Cybersecurity Technical Assistance for Water Utilities. Users can submit questions or a request for consultation regarding implementation of cybersecurity measures.
• EPA Water Laboratory Alliance. Offers resources on contamination preparedness, including workshops, assessment tools and scenario exercises—an overview is available here.

EPA's Water Sector Cybersecurity Evaluation Program. Allows water utilities to submit requests for further information about EPA's Cybersecurity Evaluation Program, which conducts free cybersecurity assessments of water systems to identify gaps and potential vulnerabilities.

Other Resources

• Cybersecurity Guidance and Tool. Supports the water sector in implementing the NIST Cybersecurity Framework.
• Water Sector Cybersecurity Risk Management Guidance. Provides a sector-specific approach for adopting the NIST Cybersecurity Framework in addition to aiding CWSs in complying with America's Water Infrastructure Act of 2018.
• Water Information Sharing and Analysis Center. Offers physical and cyber threat alerts and best practices specifically for the water and wastewater sector, along with guidance such as 15 Cybersecurity Fundamentals for Water and Wastewater Utilities.
• Cybersecurity Assessment Tool and Guidance. Includes step-by-step guide by the American Water Works Association to identify cyber risks, set goals and effectively execute cybersecurity strategy. 
• Water and Wastewater Systems Cybersecurity 2021 State of the Sector. This report provides the results of a survey of utilities across the country to develop a picture of current cybersecurity practices in the sector to better articulate the challenges and needs of the sector. 

Other Federal Agencies & Programs

• State, Local, Tribal, and Territorial Government Program. Main landing page for CISA programs targeted to State, Local, Tribal and Territorial Governments featuring news articles, regional office contact information, and services.

• Assessment Evaluation and Standardization Program. Educational modules provide government-affiliated assessors with the knowledge and skills to administer cybersecurity assessments using CISA standards and methodologies.

Multi-State Information Sharing and Analysis Center. Resource for cyber threat prevention, protection, response and recovery for state, Tribal, local and territorial government entities. 

• Cyber Essentials Toolkits. A set of modules, each focusing on recommended actions to build cyber readiness, aimed at non-technical leadership.

• Stopransomware.gov. Resource center containing news, alerts, reporting mechanism and best practices for preventing or responding to ransomware.

Cybersecurity Framework. A flexible and performance-based voluntary framework of cybersecurity standards by the National Institute of Standards and Technology and procedures that sets out a risk-based approach to managing cybersecurity. 

Funding & Financing

Drinking Water State Revolving Fund and Clean Water State Revolving Fund loans and set-asides may be used to build managerial, technical, and financial capabilities, conduct vulnerability assessments and trainings, develop effective cybersecurity measures and plans, upgrade IT and OT technology and more.

For more information on funding & financing programs and options, please see the Cybersecurity section of LGEAN's Funding & Financing page.

Back to Top