The Office of Drinking Water strongly encourages waterworks to assess their cybersecurity practices and implement cybersecurity controls appropriate to the technologies they utilize. For a waterworks new to cybersecurity, simply implementing basic cybersecurity practices can greatly reduce its exposure to cyber-attacks that may threaten its water system, billing/financial software, or other critical systems. Examples of basic cybersecurity practices include utilizing antivirus and anti-malware software, updating software regularly, setting strong passwords, utilizing multi-factor authentication, backing up data regularly, conducting cybersecurity awareness training, and securing wireless networks. To ensure implementation of cybersecurity practices, waterworks should designate a cybersecurity lead for the organization.
Waterworks should routinely assess their existing cybersecurity measures to determine where additional controls are needed to address vulnerabilities. A cybersecurity assessment should also be performed when implementing new Supervisory Control and Data Acquisition (SCADA) systems, billing/financial software, or other technologies that are subject to cyber-attacks and critical to the waterworks.
For waterworks wishing to perform a cybersecurity self-assessment, the American Water Works Association (AWWA) has developed an Assessment Tool to evaluate how utilities are using various technologies and generate a customized, prioritized list of controls that are most applicable to the utilities’ technology applications. The AWWA has also developed Small Systems Guidance to help small rural utilities improve their cybersecurity practices. More information on AWWA cybersecurity resources can be found at https://www.awwa.org/Resources-Tools/Resource-Topics/Risk-Resilience/Cybersecurity-Guidance
For waterworks seeking assistance to perform a cybersecurity assessment, the U.S. Environmental Protection Agency (EPA) offers free cybersecurity assessments to waterworks through its Water Sector Cybersecurity Evaluation Program. This program will conduct a cybersecurity assessment using the EPA’s checklist in their guidance on Evaluating Cybersecurity in PWS Sanitary Surveys, and develop a risk mitigation plan identifying recommended cybersecurity controls. To obtain this assistance from the EPA, complete the EPA’s Water Sector Cybersecurity Evaluation Program request form here.
- USEPA Water Cybersecurity Assessment Tool and Risk Mitigation Plan – This 33-question form is designed to be completed by moderately computer-savvy individuals without a background in IT. In addition to serving as a cybersecurity assessment targeting items that the EPA considers a priority, this tool also aids the development of a risk mitigation plan to address gaps identified by the assessment.
- CIS RAM v2.1 for CIS Critical Security Controls v8 and NIST Cybersecurity Framework v1.1 are additional assessment tools utilized by the cybersecurity industry with applications beyond drinking water systems. These tools require a much greater degree of expertise in information technology than the AWWA Assessment Tool or the USEPA Water Cybersecurity Assessment Tool and Risk Mitigation Plan.
Additional links
- EPA – EPA Cybersecurity for the Water Sector | US EPA
- AWWA Cybersecurity & Guidance | American Water Works Association (awwa.org)
- CISA Home Page | CISA
- WaterISAC Tools | WaterISAC
- NIST Cybersecurity | NIST
- Idaho National Laboratory Critical Infrastructure Protection – Idaho National Laboratory (inl.gov)
- MS-ISAC – MS-ISAC (cisecurity.org)
- National Cybersecurity Strategy https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf
Implementing Cybersecurity Controls
Following completion of a cybersecurity assessment, a waterworks should implement cybersecurity controls to address gaps identified by the assessment. A risk mitigation plan may be developed to identify the controls to be implemented and the timeline to implement them. Controls should be prioritized based on the degree of the hazard and the cost to implement the control.
The Department of Homeland Security (DHS) Cybersecurity Grant provides funding for state, local, and territorial governments to address cybersecurity. This grant is administered in Virginia by the Virginia IT Agency (VITA), the Virginia Department of Emergency Management (VDEM), and the Virginia Cybersecurity Planning Committee (VCPC). As of August 2023, the VCPC was working to develop grant priorities and application criteria. To receive updates about this grant, visit https://www.vaemergency.gov/divisions/finance/grants, click “Sign Up”, and complete the registration form, selecting the “State & Local Cybersecurity Grant Program (SLCGP)” email list check box.
Responding to a Cybersecurity Incident
If a waterworks experiences a cybersecurity incident, ODW recommends that the waterworks do the following:
- Inform the Virginia Fusion Center, Cyber Intelligence Team of the incident through their Cyber Incident Form. The Code of Virginia requires public bodies to report cyber incidents to the Virginia Fusion Center.
- Contact the regional ODW field office to inform them of the incident. Contact information is available here.
- Inform the Cybersecurity and Infrastructure Security Agency (CISA) of the incident through their Incident Reporting System.
Waterworks may wish to use the EPA Cyber Incident Reporting Factsheet to assist their efforts to report cyber incidents to the federal government.