Free Cybersecurity Assessments Benefit Water Utilities

Horsley Witten Group, U.S. Environmental Protection Agency (EPA)

Blog post by Gemma Kite, P.E.

Cybersecurity is in the news, and the news is troubling. Given the recent cybersecurity incident at a drinking water utility in Oldsmar, Florida, the topic is difficult to ignore. Our multidisciplinary staff is working with EPA to provide free cybersecurity preparedness and resilience assessments and technical assistance for water and wastewater utilities across the country. To date, over one hundred utilities have participated in the project.


The Process

The assessments and technical assistance are confidential. We provide the utility with a cyber action plan based on the results of the utility’s assessment. The plan focuses on best practices to prepare for, respond to, and recover from a cyber incident. By adopting these practices, a utility reduces the chances that a cyber-attack will be successful and increases the rate of recovery while lowering costs. The utility receives a clear overview of its cyber vulnerabilities and recommended best practices, like multifactor authentication and password hygiene, to help reduce risks to its business enterprise, Supervisory Control and Data Acquisition (SCADA), and communications systems.

Best Practices

We help the utility set up its cyber action plan so that it is feasible for the utility to implement. Our staff will follow up with the utility twice during the project, which can last up to a year, to check in on implementation and to provide additional technical assistance. It is important to note that all utility information gathered during the assessments is confidential, but trends in the anonymized, aggregated data are shared with EPA and others so that lessons learned from the assessments may benefit others.

Resources

Our emergency preparedness planners developed the assessment and technical assistance materials for the utilities with EPA using free and available resources from organizations such as EPA, Water Information Sharing and Analysis Center (WaterISAC), American Water Works Association, and the National Institute of Standards and Technology. Many utilities find the EPA’s Cybersecurity Incident Accident Checklist to be a good resource to start the process.

Related Links

For more information about the Oldsmar incident, including recommendations on how to mitigate the scheme used in the attack, see the Joint Cybersecurity Advisory from the FBI, DHS’s Cybersecurity and Infrastructure Security Agency, the EPA, and Multi-State ISAC.

Learn more about HW’s Emergency Preparedness