Addressing Cybersecurity Vulnerabilities in Water and Wastewater Systems

Water and wastewater utilities are seeing a continued escalation in malicious cyberattack attempts each year. These assaults pose a severe threat that is capable of disabling water and wastewater systems, potentially resulting in catastrophic environmental and public health consequences. In 2024, the cybersecurity company Forescout reported 57 percent of the 900 million global reported cyberattacks targeted critical infrastructure—an increase of 10 percent from 2023.

The U.S. Environmental Protection Agency (EPA) and the Cybersecurity and Infrastructure and Security Agency (CISA) continue to urge utilities across the United States to take added security precautions, including identifying, assessing, and mitigating system and asset vulnerabilities. In May 2024, the EPA issued an enforcement alert noting that more than 70 percent of inspected water systems were in violation of requirements listed in Section 1433 of the Safe Drinking Water Act.

What is a Cybersecurity Vulnerability Assessment (CVA)?

A CVA identifies weaknesses and deficiencies within a system and provides prioritized recommendations to increase the overall cybersecurity posture of the system and the assets within. Utilities can leverage free self-assessment tools such as the American Water Works Association’s Cybersecurity Risk Management Tool, EPA’s Water Cybersecurity Assessment Tool, and CISA’s Cyber Security Evaluation Tool.

Addressing vulnerabilities

The EPA’s Top Cyber Actions for Securing Water Systems outlines key practices for assessing and mitigating vulnerabilities, including:

• Reducing internet exposure
• Changing default passwords
• Conducting routine assessments
• Backing up operational technology (OT) and information technology (IT) systems
• Implementing cybersecurity awareness training

In addition to these steps, entities can subscribe to vulnerability alerts from CISA and the EPA. Designating personnel to monitor alerts, track software and hardware assets, and regularly check CISA’s Known Exploited Vulnerabilities catalog helps ensure timely mitigation of emerging threats.

Change management and patch management policies help maintain accurate documentation and reduce exposure to known vulnerabilities. Additionally, utilities should consider requiring contractors to identify and mitigate known vulnerabilities in new assets before installation. This can be verified with required vulnerability scanning as part of the Factory Acceptance Test or Site Acceptance Test.

Supporting resilient and cybersecure water systems

Addressing vulnerabilities is not just a regulatory requirement, but critical for safeguarding public health and safety. By prioritizing these measures, utilities can protect their systems from cyberattacks while ensuring resilience and reliability in the service they provide. As we navigate the ever-evolving threat landscape, a proactive and comprehensive approach to cybersecurity is the foundation of a secure and sustainable water future.