Cybersecurity Alerts:
Why is cybersecurity important?
Drinking water systems are considered critical infrastructure, because the sector and its assets are so vital that incapacitation would have debilitating effects on national security, public health, and safety. A cyber-attack on a Public Water System (PWS) can have dire effects for the PWS and for customers of the breached system. Adopting cybersecurity best practices is essential to protect water system assets and should be considered an ongoing priority at utilities.
The remainder of this webpage is designed and intended primarily as a directory to cybersecurity related webpages and resources that are available to PWSs, mainly at the Federal level. Pennsylvania DEP’s Bureau of Safe Drinking Water (BSDW) staff are not subject matter experts in the field of cybersecurity, but BSDW is actively encouraging PWSs to utilize any and all resources available and to make cybersecurity a primary and ongoing priority at their systems.
It is important to note that a cyber-attack qualifies as a situation that has the potential to affect the water quality or quantity; PWSs should report to DEP within one hour of learning of a cyber-attack, according to § 109.701(a)(3)(iii).
PWSs experiencing a cyber-attack should also report the incident to the state police, and they are also encouraged to report to the Federal government.
This Cyber Incident Reporting Process fact sheet contains information on why it is important to report a cyber incident, how to contact the various Federal agencies (FBI, CISA, and EPA) to report an incident, when to report to the Federal government, and what to report.
Cybersecurity Resources
The resources listed below are intended to assist PWSs improve their cybersecurity preparedness and adopt cybersecurity best practices. It is important to note that this is not intended to be an exhaustive list, and there may be additional sources of assistance available to PWSs.
Since there are a large number of resources available, which may be overwhelming for some systems, the resources included below are organized according to the source and then further organized according to the following categories:
1. Phase 1: Basic (for PWSs that have taken little to no cybersecurity preventative measures and aren’t sure where to start)
2. Phase 2: Intermediate (for PWSs that have already taken some cybersecurity preventative measures and need next steps)
3. Phase 3: Reporting and Response (planning for who to contact and how to respond in the event of an attack)
EPA Resources
EPA Cybersecurity for the Water Sector | US EPA
This EPA website contains information, tools, and resources to assist water and wastewater systems with cybersecurity preparedness, including the resources listed below.
Cybersecurity 101 Training for Water Systems Webinar - YouTube (30 mins)
This is a recording of a webinar that provides an overview of cybersecurity and basic terms and protections.
EPA’s Water Sector Cybersecurity Evaluation Program (WCAT)
The WCAT is a downloadable spreadsheet tool that helps water systems self-assess the effectiveness of their cybersecurity practices. This spreadsheet was designed by the EPA and contains macros that will auto-complete a custom Assessment Report and a custom Risk Mitigation Plan after answering all questions on the WCAT spreadsheet. The WCAT emphasizes the basic cybersecurity practices needed to build a strong cybersecurity program. Water utilities that have knowledgeable IT staff to accurately answer these assessment questions can use this spreadsheet to get an idea of where they may have weaknesses or gaps in their cybersecurity program.
EPA’s Water Sector Cybersecurity Evaluation Program
Using this link, PWSs can register for a FREE cybersecurity evaluation conducted by an EPA contracted consultant. This free assessment uses the WCAT spreadsheet mentioned above, but it is conducted virtually (via phone interview), taking approximately 2 hours to complete with the guidance of a subject matter expert under contract with the EPA. The benefit to this option over the self-evaluation discussed in the preceding paragraph is the free assistance from a knowledgeable professional in the field of cybersecurity. It is important to note that the assessment is completely confidential; neither EPA nor DEP receives any information about the assessment, other than the fact that it was completed.
EPA Cybersecurity Checklist Fact Sheets
Appendix B of this guidance document contains cybersecurity checklist fact sheets that correspond with the questions in the WCAT. For each of the WCAT questions, the fact sheets contain details about why each cybersecurity control is important, implementation tips, and additional resources.
Cybersecurity Technical Assistance
Signing up at this link will enable water and wastewater systems to request direct technical assistance through the Cybersecurity Technical Assistance Program for the Water Sector. This technical assistance would primarily be for water systems that have completed a WCAT evaluation and want to take some of the recommended actions identified in their assessment. Water and wastewater utilities can submit cybersecurity questions and receive one-on-one remote assistance (by phone or email) from a cybersecurity subject-matter expert. Water utilities can ask any sort of cyber security question to the subject matter expert, including questions about their responses to any of the 33 questions on the WCAT or about details for specific cybersecurity controls that have been recommended to the utility following the WCAT, why particular controls are important, or about recommendations or implementation tips (corrective actions) from their WCAT assessment.
Cyber Incident Reporting Process
This link contains information on when and to whom a public water system should report a cyber incident. Also included is the type of information you can expect to be asked when reporting a cyber intrusion to authorities.
Cybersecurity Resources Fact Sheet
This fact sheet provides an overview of the types of resources that are available to water systems to complete a cybersecurity assessment of their water system. Also covered in this fact sheet is information about cybersecurity funding opportunities for water and wastewater systems and threat briefings and alerts for systems.
Water Sector Incident Action Checklist - Cybersecurity (epa.gov)
This checklist is intended to assist water utilities with cybersecurity preparedness, as well as response and recovery activities in the event of a cyber-attack.
CISA Resources
Water and Wastewater Cybersecurity | CISA
The Cybersecurity and Infrastructure Security Agency (CISA) is the operational lead for federal cybersecurity and the national coordinator for critical infrastructure security and resilience. CISA was created in 2018 as an agency within the federal Department of Homeland Security, with a mission to reduce risk to the nation’s cyber and physical infrastructure. CISA, EPA, and the FBI routinely coordinate on responses to reports of cyber intrusions to water utilities. This link is for the Water and Wastewater Toolkit, which consolidates many CISA and EPA cybersecurity resources for the water sector.
CISA offers a variety of services for both physical security and cybersecurity through its 10 regions. CISA Regional offices are prepared to provide assistance in building resilience and response support in the event of an incident. Pennsylvania is included in CISA Region 3, along with Delaware, District of Columbia, Maryland, Virginia, and West Virginia.
Top Cyber Actions for Securing Water Systems (cisa.gov)
This is a joint fact sheet from CISA, EPA, and FBI, outlining eight actions that water utilities can take to reduce their cyber risk and improve resilience to cyber-attacks. Additional links to services, resources, and tools are included.
4 Things You Can Do To Keep Yourself Cyber Safe | CISA
Basic, common-sense steps water utilities can take to improve their cyber preparedness and protect their systems.
CISA's Free Cyber Vulnerability Scanning for Water Utilities | CISA
CISA’s vulnerability scanning service can help water systems identify and address cybersecurity weaknesses that attackers could use to access their systems. Subscribers receive weekly reports on scanning status and recommendations for addressing vulnerabilities. Access the Cyber Vulnerability Scanning Fact Sheet here.
Cybersecurity and Physical Security Convergence
Information at this link explains the overlap between cybersecurity and physical security and the reasons that converged security operations are more dynamic and versatile in the event of a cyberattack.
A Cyber Resilience Review is an interview-based assessment to evaluate an organization’s operational resilience and cybersecurity practices. Following the review, the utility will receive a confidential, comprehensive final report on their cyber resilience.
Cross-Sector Cybersecurity Performance Goals
This is a link to an extensive checklist to track the current status of 37 critical items in eight different categories following the Cyber Resilience Review. A one-year review is then scheduled to determine progress moving forward and to identify which areas of the eight categories are still lagging. The eight categories are: account security; device security; data security; governance and training, vulnerability management; supply chain/third party; response and recovery; and other.
Cross-Sector Cybersecurity Performance Goals | CISA
CISA’s Cybersecurity Performance Goals (CPGs) are a set of cybersecurity practices that are intended to meaningfully reduce risks. They are recommended steps that are recommended for all critical infrastructure sectors.
CyberSentry is a threat detection and monitoring program that monitors for malicious activity affecting participants’ IT and OT networks.
This link will take you to the CISA Services Portal. At this link, you may register with CISA for a secure account. Your secure account will be a means to report cyber-attacks and incidents, phishing attempts, malware, and more to CISA. You can also use your CISA account to track your report’s progress with CISA.
There is also a link on the CISA Services Portal page that you can use to anonymously report a cyber incident to CISA for review.
AWWA Resources
Home | American Water Works Association (awwa.org)
The American Water Works Association (AWWA) is an international nonprofit organization dedicated to assuring effective management of water. It is the largest organization of water supply professionals in the world.
Cybersecurity & Guidance | American Water Works Association (awwa.org)
The American Water Works Association (AWWA) has numerous resources and guidance on its website to help water systems implement best practices and protect their systems. Resources include an assessment tool, training, risk management guidance, best practices recommendations, and more.
WaterISAC
WaterISAC is the Water Information Sharing and Analysis Center, a nonprofit organization that was formed in 2002 in coordination with EPA. It is an all-threats security information sharing organization for the water and wastewater sector. Note that some of the resources available through WaterISAC require a membership to access. To learn more about WaterISAC membership, visit: Membership | WaterISAC.
This link is for the WaterISAC Resource Center (Water Information and Analysis Center), which is a hub of resources on cybersecurity for the water sector. This Resource Center contains links to various guidance web pages and downloadable guidance documents. Some of the some of the resources at this link may require a membership to access.
Cybersecurity Fundamentals for Water and Wastewater Utilities | WaterISAC (members only)
This guidance contains numerous cybersecurity best practices for water systems to implement to protect their IT and OT systems and reduce risk of a cyber-attack. Note that some of the resources at this link may require a WaterISAC membership to access.
WaterISAC Publications | WaterISAC
At this link you will find semi-annual threat analysis reports and quarterly incident summaries. These reports require a WaterISAC membership for access.