Cybersecurity Guidelines for Water, Wastewater, and Water Management Systems
Public sector water is part of the nation’s critical infrastructure, responsible for providing safe and reliable drinking water to millions of citizens. The security and safety of these infrastructures are paramount, as any disruption or compromise can severely impact public health, safety, and economic stability.
That’s why AWWA created cybersecurity guidelines for public-sector Water and Wastewater Operators. Recognizing that public water sector companies often have limited financial and human resources, these guidelines provide a prescriptive approach to cybersecurity.
The goal is enabling utilities to prioritize their efforts in securing their critical systems with emphasis on:
Vulnerability to Cyber Threats
As water utilities rely more on digital technology for monitoring, controlling, and management, they are increasingly exposed to cyber threats. Public water sector companies must protect their assets from a wide range of cyber risks, including data breaches, ransomware attacks, and unauthorized access to sensitive information.
Adherence to AWWA Cybersecurity Guidance can help public water sector operators comply with existing and emerging cybersecurity regulations.
Best Practices and Industry Standards
AWWA Cybersecurity Guidance is based on globally recognized standards such as NIST, ISA/IEC 62443, and industry best practices. By implementing these best practices, public water sector companies can effectively safeguard their critical assets and enhance their overall cybersecurity posture.
Learn more about the requirements within the guidelines that apply to Water and Wastewater owners/operators:
Water utilities must perform a thorough assessment of their cybersecurity risks, which involves identifying critical assets, potential threats, and vulnerabilities. This assessment forms the basis for prioritizing and implementing appropriate security measures to mitigate the identified risks.
AWWA recommends adopting a comprehensive cybersecurity framework, such as the NIST and ISA/IEC 62443. The framework provides a structured approach to managing cybersecurity risks, encompassing five core functions: Identity, Protect, Detect, Respond, and Recover
Public water sector companies are expected to establish clear cybersecurity governance structures and policies, which include defining roles and responsibilities, setting strategic objectives, and allocating resources for cybersecurity initiatives.
Water utilities must maintain an accurate inventory of all hardware and software assets, including configuration information. Regular reviews should be conducted to ensure that unauthorized assets are not connected to the network and that all assets are updated with the latest security patches.
AWWA guidelines require public water sector companies to implement strong access controls and authentication mechanisms to prevent unauthorized access to critical systems and data. This includes enforcing the principle of least privilege, implementing multi-factor authentication, and regularly reviewing user access rights.
Water utilities should establish a robust network security infrastructure, which includes deploying firewalls, intrusion detection and prevention systems, and network segmentation to separate critical systems from non-critical ones. Regular network traffic monitoring and analysis should be conducted to identify potential threats and vulnerabilities.
AWWA guidelines emphasize the importance of developing an incident response and recovery plan to ensure timely detection, containment, and remediation of cybersecurity incidents. The program should outline roles, responsibilities, communication protocols, and procedures for restoring affected systems and data.
Public water sector companies must provide regular cybersecurity training and awareness programs for their employees to help them recognize and respond appropriately to potential cyber threats. This includes training on social engineering, phishing, and safe computing practices.
Water utilities must assess and manage the cybersecurity risks associated with their third-party vendors and partners, ensuring that appropriate security measures are in place to protect sensitive data and critical systems.
AWWA guidelines advocate for a continuous improvement approach to cybersecurity, which involves regularly monitoring and assessing the effectiveness of implemented security measures and updating them to address emerging threats and evolving technologies.