Water Utilities: Protect Confidential Information and Guard Against Threats

In January of this year, the U.S. Environmental Protection Agency (EPA) released a 100-day plan to improve the cybersecurity of the nation’s water systems. The plan was intended as a call to action for the country’s 150,000 water systems in response to increasing cyberattacks during the previous 12 months. It called for creating a task force of industry leaders, launching incident-monitoring programs and providing technical assistance to water system managers needing cybersecurity support.

EPA Administrator Michael Regan said cyberattacks are an “increasing threat to water systems and the safety and security of our communities. As cyber threats become more sophisticated, we need a coordinated approach to protect the water systems that provide clean water in America. The EPA is committed to working with federal partners to support the water sector in detecting, responding to and recovering from cyber incidents."

The plan provides owners and operators with “technology that delivers warnings of cyberattacks in close to real-time.” The sector is made up of thousands of systems that range in size from very small to those that service major cities. Many have little or no cybersecurity expertise on staff. The EPA and the Cybersecurity and Infrastructure Security Agency (CISA) will work with water system partners to implement information-sharing protocols to address vulnerabilities.

Because it represents a new sense of urgency on the part of the federal agency that regulates this vital part of U.S. critical infrastructure — a sector that typically operates far removed from the splashy headlines about ransomware attacks on high-profile targets. But now there is a heightened awareness, and water system managers and their information security counterparts share knowledge and expertise in response to threats.

This heightened awareness was presented as evidence at the recent American Water Works Association’s (AWWA’s) 2022 Annual Conference and Exhibition (ACE22), held June 12-15 in San Antonio, Texas. Thousands of water professionals attended to meet with colleagues, review industry best practices and learn about new challenges related to information security in the wake of the increasing digitalization of operating systems and platforms.

The AWWA conference organizers went out of their way to showcase their Innovation Hub offerings; at the top of the list was cybersecurity. Attendees could see firsthand smart technologies and cutting-edge solutions to protect the water flowing through their systems. And they were reminded of the importance of also protecting the data flowing through their operating systems, as well as the challenges that loom when software is outdated, and software patches are not current.

One of the water system professionals attending the AWWA conference in San Antonio was Theresa Bellish, Senior Director of Commercial Water at NSF, a global organization based in Ann Arbor, Michigan. For more than 75 years, NSF has worked with regulators, manufacturers and consumers to develop public health standards and provide certifications designed to protect water, food, products and the environment.

Bellish recommends that water system administrators begin by performing a thorough evaluation of their practices. “The first step in protecting a water utility from a security breach is evaluating current cybersecurity processes,” she says. “The EPA provides a useful checklist. A quality risk assessment helps a water utility understand how to improve its data security processes and systems.”

She also emphasizes the importance of training employees to keep confidential information and operating systems safer by creating and using strong passwords, and she stresses the effectiveness of implementing multifactor authentication (MFA) throughout the organization. “MFA is a great tool, particularly for water utilities that manage their plants from remote locations, to help add a second layer of defense.”

Consider what this water systems professional is recommending. None of it is rocket science — it’s about taking these smart, simple steps to reduce cybersecurity threats to your water utility’s data. And she reminds us of a basic, essential fact we would all do well to remember: “Water is our most precious resource. We all use it every single day. So protecting drinking water from hackers is an essential part of protecting human health.”