AWIA: Understanding Risk and Resilience for Water Utilities

America’s Water Infrastructure Act of 2018 (AWIA) reshaped the resilience requirements for community water systems by extending them beyond physical infrastructure to physical security and cybersecurity. AWIA requires community water systems serving more than 3,300 people to conduct a risk and resilience assessment and to prepare or update an emergency response plan (ERP) on a recurring schedule, with the aim of protecting critical infrastructure. With cyber threats increasingly targeting operational technology (OT), water utilities need proactive measures to safeguard SCADA and process control systems. The sections below cover the cybersecurity implications of AWIA, the assessment tools available, and the strategies utilities should consider in meeting its requirements.

Risk and Resilience Assessments: Uncovering Physical and Cyber Vulnerabilities

Under AWIA, a water utility must perform a Risk and Resilience Assessment (RRA) and review it every five years to identify vulnerabilities in its infrastructure, physical security, and cyber systems. The RRA covers the utility's electronic and automated systems, including Supervisory Control and Data Acquisition (SCADA), which are essential for monitoring and controlling water treatment and distribution. The cybersecurity portion must consider both current and emerging threats; ransomware and phishing currently pose the most significant risk to this sector. A thorough RRA lets a utility understand its risk exposure, prioritize limited resources, and define mitigation measures that strengthen its security posture and resilience.

Emergency Response Plans: Bridging Cybersecurity and Operational Continuity

Following the RRA, AWIA requires the utility to prepare or revise an ERP that incorporates the assessment's findings (the ERP must be certified within six months of certifying the RRA). The plan is intended to address identified risks ahead of time and to lay out how the utility will respond when an incident occurs. It should include the cybersecurity actions to take during an incident, from containment and response through recovery and reporting. For example, if a SCADA system is compromised, the ERP would specify how to isolate the affected systems and revoke or restrict access, how to secure data and preserve evidence, and how to restore operations. These plans give utilities the framework they need to respond quickly, minimize service disruptions, and protect public health.

Cybersecurity Frameworks and Tools: Resources for Compliance

To support compliance, several tools and frameworks are available for conducting cybersecurity assessments. The AWWA Water Sector Cybersecurity Risk Management Tool has a strategic component with many questions on policies, procedures, frameworks, programs, and standards tailored to the water sector; these questions lead a utility to consider how formal its governance should be and what “right-sizing” means for it. AWWA also offers guidance with a smaller, focused set of controls for small systems. The EPA’s Water Cybersecurity Assessment Tool (WCAT) is built on fewer controls that are more tactical in nature, posed as direct yes/no questions about the security controls currently in place. Using both tools together gives a well-rounded strategic and tactical evaluation. More specialized assessments, such as a network architecture review, give a utility a clearer picture of how its SCADA systems connect to non-SCADA networks (including the business IT network and the internet) and to other external assets and systems. A significant part of cybersecurity is understanding, and carefully limiting, a utility’s network connectivity.

Addressing Cyber Threats: Ransomware, Phishing, and Insider Risks

Cyber threats targeting water utilities often exploit both human and system weaknesses, with ransomware and phishing being the most prevalent. Successful phishing campaigns frequently lead to ransomware, but ransomware can also enter through poorly configured and poorly managed remote access solutions, underscoring the need for strong access controls and monitoring. Phishing also bypasses perimeter defenses, giving an attacker a foothold on internal networks. Insider threats pose a further risk, especially when former employees or contractors retain access to sensitive systems. Robust access management, such as multi-factor authentication on every remote-access path and routine account deactivation and review, mitigates these risks. Training programs tailored for utility staff (who most likely do not have extensive cybersecurity backgrounds) are essential for building a workforce that can recognize and respond to cyber threats.
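As an added example that is not part of the original article, the following Python script shows the kind of periodic access review the paragraph above recommends. It joins a constructed export of VPN and SCADA accounts against a constructed HR roster and flags separated employees whose accounts are still enabled, accounts with no HR owner, remote-access accounts without MFA, dormant or never-used accounts, and process-control privileges not tied to an active employee. All usernames, group names, field names, and the 90-day dormancy threshold are hypothetical assumptions; a real export from an identity provider or VPN appliance would need to be mapped onto these fields.

```python
"""Periodic access review over constructed sample data (added example, not the article's own code)."""
from datetime import date

# Constructed sample export of accounts from a VPN/identity provider (hypothetical field names).
ACCOUNTS = [
    {"user": "jsmith",     "enabled": True,  "last_login": "2024-05-02", "mfa": True,  "groups": ["vpn-users"]},
    {"user": "bjones",     "enabled": True,  "last_login": "2024-01-10", "mfa": False, "groups": ["vpn-users", "scada-operators"]},
    {"user": "rlee",       "enabled": True,  "last_login": "2023-09-14", "mfa": True,  "groups": ["scada-operators"]},
    {"user": "vendor-svc", "enabled": True,  "last_login": None,         "mfa": False, "groups": ["vpn-users"]},
    {"user": "mgarcia",    "enabled": False, "last_login": "2023-11-01", "mfa": True,  "groups": ["vpn-users"]},
]

# Constructed HR roster: employment status keyed by username. Accounts not listed here
# (service or vendor accounts) have no owner of record and must be justified separately.
HR_ROSTER = {"jsmith": "active", "bjones": "active", "rlee": "separated", "mgarcia": "separated"}

REMOTE_ACCESS_GROUPS = {"vpn-users"}       # groups that grant a path in from outside the utility
PRIVILEGED_GROUPS = {"scada-operators"}    # groups that can change process-control state


def review_accounts(accounts, roster, today, dormant_days=90):
    """Return {username: [finding, ...]} for every enabled account that violates a rule.

    Disabled accounts are skipped: deactivation is the remediation, so they generate no findings.
    """
    findings = {}

    def flag(user, code):
        findings.setdefault(user, []).append(code)

    for acct in accounts:
        if not acct["enabled"]:
            continue
        user = acct["user"]
        groups = set(acct["groups"])
        status = roster.get(user)

        # Separated staff with a live account: the insider-risk case that should never stand.
        if status == "separated":
            flag(user, "SEPARATED_STILL_ENABLED")
        # No HR owner: orphaned, shared or vendor account that needs an explicit owner and expiry.
        elif status is None:
            flag(user, "NOT_IN_HR_ROSTER")

        # Any account that can reach the network from outside must be enrolled in MFA.
        if groups & REMOTE_ACCESS_GROUPS and not acct["mfa"]:
            flag(user, "REMOTE_ACCESS_WITHOUT_MFA")

        # Accounts nobody uses are the ones nobody notices being abused.
        if acct["last_login"] is None:
            flag(user, "NEVER_LOGGED_IN")
        elif (today - date.fromisoformat(acct["last_login"])).days > dormant_days:
            flag(user, "DORMANT")

        # Process-control privileges should only ever belong to an active, named employee.
        if groups & PRIVILEGED_GROUPS and status != "active":
            flag(user, "PRIVILEGED_WITHOUT_ACTIVE_OWNER")

    return findings


def run_review(today_iso="2024-06-01", dormant_days=90):
    """Run the review over the constructed sample data as of the given ISO date."""
    return review_accounts(ACCOUNTS, HR_ROSTER, today=date.fromisoformat(today_iso), dormant_days=dormant_days)


def print_report(findings):
    for user in sorted(findings):
        print(f"{user:12s} {', '.join(findings[user])}")


if __name__ == "__main__":
    print_report(run_review())
```

Run as-is, the report lists bjones (remote access without MFA, dormant), rlee (separated but still enabled, dormant, and still holding SCADA operator rights) and vendor-svc (no HR owner, no MFA, never used); jsmith is clean and the already-disabled mgarcia account produces nothing. The point of keying the review to the HR roster rather than to the account list alone is that the offboarding gap (rlee) only becomes visible when the two sources are compared.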

Preparing for Future Regulations and Enhancing Community Awareness

The cybersecurity landscape is continually evolving, and the EPA is expected to periodically publish new water sector-specific cybersecurity roadmaps and revised regulations. Staying informed about current and upcoming requirements is essential for water utilities that intend to remain in compliance. Utilities should also consider fostering community awareness of why cybersecurity matters for water service. Public understanding helps drive organizational support for cybersecurity investment, bridging resource gaps and enhancing resilience. For smaller utilities, federal grants and state resources can offset funding limitations and make compliance with AWIA requirements more achievable, helping utilities of all sizes stay secure.

AWIA brings industrial cybersecurity into the foreground of infrastructure protection for water utilities, demanding regular assessments, strategic planning, and emergency preparedness. Even though the water industry has resources like the AWWA Water Sector Cybersecurity Risk Management Tool and the EPA WCAT, utilities need the support of multi-disciplinary experts to take a structured approach to cybersecurity, including compliance. Black & Veatch’s Cyber Asset Lifecycle Management (CALM) services emphasize the importance of comprehensive and tailored industrial cyber programs to meet the specific needs of the water utility, helping to ensure safe and reliable service for the communities they serve.
