The Office of Drinking Water strongly encourages waterworks to assess their cybersecurity practices and implement cybersecurity controls appropriate to the technologies they utilize.  For a waterworks new to cybersecurity, simply implementing basic cybersecurity practices can greatly reduce their exposure to cyber-attacks that may threaten their water system, billing/financial software, or other critical systems.  Examples of basic cybersecurity practices include utilizing antivirus and malware software, updating software regularly, setting strong passwords, utilizing multi-factor authentication, backing up data regularly, conducting cybersecurity awareness training, and securing wireless networks.  To ensure implementation of cybersecurity practices, waterworks should designate a cybersecurity lead for the organization.

Assessing Cybersecurity

Waterworks should routinely assess their existing cybersecurity measures to determine where additional controls are needed to address vulnerabilities.  A cybersecurity assessment should also be performed when implementing new Supervisory Control and Data Acquisition (SCADA) systems, billing/financial software, or other technologies that are subject to cyber-attacks and critical to the waterworks.

For waterworks wishing to perform a cybersecurity self-assessment, the American Water Works Association (AWWA) has developed an Assessment Tool to evaluate how utilities are using various technologies and generate a customized, prioritized list of controls that are most applicable to the utilities’ technology applications.  The AWWA has also developed Small Systems Guidance to help small rural utilities improve their cybersecurity practices.  More information on AWWA cybersecurity resources can be found at https://www.awwa.org/Resources-Tools/Resource-Topics/Risk-Resilience/Cybersecurity-Guidance

For waterworks seeking assistance to perform a cybersecurity assessment, the U.S. Environmental Protection Agency (EPA) offers free cybersecurity assessments to waterworks through its Water Sector Cybersecurity Evaluation Program.  This program will conduct a cybersecurity assessment using the EPA’s checklist in their guidance on Evaluating Cybersecurity in PWS Sanitary Surveys, and develop a risk mitigation plan identifying recommended cybersecurity controls.  To obtain this assistance from the EPA, complete the EPA’s Water Sector Cybersecurity Evaluation Program request form here.

Other Resources

Implementing Cybersecurity Controls

Following completion of a cybersecurity assessment, a waterworks should implement cybersecurity controls to address gaps identified by the assessment.  A risk mitigation plan may be developed to identify the controls to be implemented and the timeline to implement them.  Controls should be prioritized based on the degree of the hazard and the cost to implement the control.

The Department of Homeland Security (DHS) Cybersecurity Grant provides funding for state, local, and territorial governments to address cybersecurity.  This grant is administer in Virginia by the Virginia IT Agency (VITA),  the Virginia Department of Emergency Management (VDEM), and the Virginia Cybersecurity Planning Committee (VCPC).  As of August 2023, the VCPC was working to develop grant priorities and application criteria.  To receive updates about this grant, visit https://www.vaemergency.gov/divisions/finance/grants, click “Sign Up”, and complete the registration form, selecting the ”State & Local Cybersecurity Grant Program (SLCGP)” email list check box.

Responding to a Cybersecurity Incident

If a waterworks experiences a cybersecurity incident, ODW recommends that the waterworks does the following:

  • Inform the Virginia Fusion Center, Cyber Intelligence Team of the incident through their Cyber Incident Form. The Code of Virginia requires public bodies to report cyber incidents to the Virginia Fusion Center.
  • Contact the regional ODW field office to inform them of the incident. Contact information is available here.
  • Inform the Cybersecurity and Infrastructure Security Agency (CISA) of the incident through their Incident Reporting System.

Waterworks may wish to use the EPA Cyber Incident Reporting Factsheet to assist their efforts to report cyber incidents to the federal government.