rss

WaterOperator.org Blog

Articles in support of small community water and wastewater operators.

Data Protection and Cybersecurity for Small and Medium Systems

Data Protection and Cybersecurity for Small and Medium Systems

Many water utilities rely on online technology and computer systems to increase their working efficiency. In the office space, data management software, pay roll systems, customer billing programs, utility websites, and social media improve customer services and provide an organized method to retain and access utility information. On the operational side, employees may rely on remote access control systems such as SCADA or smart metering to monitor or control systems while performing maintenance in the field. These control systems allow for improved response times and monitoring.

Yet as we all learned from Spiderman, with great power comes great responsibility. Without sufficient cybersecurity measures, systems risk the health and security of their customers. Successful attackers can steal customer personal data such as credit cards, social security numbers, and contact information. They may attempt to deface utility websites compromising customer confidence. If your system uses online process control systems, hackers could lock out utility access, alter treatment processes, damage equipment, and override alarms. The American Water Works Association (AWWA) has listed a variety of cyberattacks and their consequences in its 2018 Cybersecurity Risk & Responsibility in the Water Sector Report. These attacks resulted in leaked customer information, considerable financial losses, altered chemical dosing, and even source water contamination. Just recently staring in May of 2019 the City of Baltimore has been held hostage by an ongoing three week cyberattack that demands $100,000 in Bitcoin to free city files and water billing data.

There are many types of cyberattacks including password hacking, the exploitation of software vulnerabilities, denial of service, and malware. Common malware includes ransomware, spyware, trojan horse, viruses, and key loggers. Attacks can even happen through opportunity theft, improper disposal of computer equipment, or phishing attempts where thieves pose as legitimate organizations requesting confidential information.

To prevent cyberattacks, start by identifying vulnerabilities, developing a multi-tier security plan, and actively enforcing that plan. The EPA has developed a guide explaining 10 key components for a cybersecurity plan that includes planning worksheets and information on how to respond in the event of an attack. Systems should plan to update software regularly and require strong passwords that are different for each account. Installing anti-virus software and firewalls is also effective. A security plan should include measures to educate employees on cybersecurity awareness and limit access to security information based on job function.

For an in-depth list of security practices, read through WaterISAC’s 2019 guide to reduce exploitable weaknesses or the EPA’s Incident Action Checklist. The AWWA’s guide on Process Control System Security Guidance for the Water Sector can aid systems using smart technology. To improve social media and website security, start with Hootsuite’s social media security tips and Sucuri’s website security tips.

If a data breech does occur, utilities will want to have and established protocol to resolve and mitigate potential damage. The Cyber Security Adviser Program with the Department of Homeland Security (DHS) offers regional affiliates that will assist systems in vulnerability assessments, plan development, and informational support. While the costs associated with response, forensics, and legal fees can be expensive, waiting to take action can incur an even greater cost. Remember to keep an active cybersecurity plan and, if incidents should occur, report them to local law enforcement, the DHS, and WaterISAC.

Featured Video: Secure Your Utility

For the last two weeks, we've been talking about sharing the value of water and the reality of hidden infrastructure with your community. These are vital points that will help your community understand where their money goes and the importance of the work you do every day. However, there may be some individuals in your community that you wish understood a bit more about the value of water and a bit less about hidden infrastructure. Vandalism, break-ins, and other security breaches can be a nuisance at best and a public health hazard at worst. Utilities of all sizes in all kinds of communities deal with these issues, but the far-flung nature of rural utilities can make them particularly vulnerable.

So what can you do? This week's video offers some suggestions. It presents a case study of an Arizona utility that took several measures to deal with security issues. Though the utility highlighted is large, many of their practices may work for smaller utilities as well.



You can view a PDF of the handbook mentioned in the video, or use the other navigation and access options offered on the USEPA website. You might also be interested in this top 10 list of water security and emergency preparedness procedures for small groundwater utilities (also a PDF).

Better ERPs Part 2: Templates

So you've held a water emergency roundtable discussion and are ready to put pen to paper, so to speak. Fortunately, you don't have to start with a blank piece of paper. There is a suite of resources available for utilities—and small water suppliers particularly—to help you prepare for the unknown and plan for the rare events.

The free templates provided here will help you get started. If you don't see something that fits your system's needs, search "emergency response plan templates" in our documents database to find more resources.

Emergency Response Planning Template for Public Drinking Water Systems

This 22-page document developed by the Rural Community Assistance Partnership is intended for use by any water system serving a population of 3,300 or fewer and can be modified to fit specific system needs. The template is intended to be used as a starting point based on what is relevant for the type, size, and complexity of the system.

Rural & Small Water and Wastewater System Emergency Response Plan Template

This 47-page template is designed to be a guide for Emergency Response Planning. Emergency response planning should be a coordinated and planned process. Proper planning can lessen the impact of an emergency. All staff should be trained as to their responsibility within the plan and how it will be implemented. This template was designed to address various emergency hazards that may occur in rural and small systems. It incorporates emergencies that may be the result of terrorism. Regardless of the type of emergency whether natural or man-made each system has the responsibility to be prepared to protect the public health and to restore services that may be impacted.

Disaster-Specific Preparedness/Response Plan for Public Drinking Water Systems - XYZ Water System Template

This 69-page template has been developed to help you prepare your Emergency Response Plan. The ERP Guide (see separate document, here) and Template is intended for use by any water system and may be modified to fit the specific needs of each system. The ERP guide follows the outline in the template—section by section

Emergency Response Plan Template
This 26-page form is an outline of an emergency response plan for water operators to fill out and complete. This document is in pdf form, but the fillable Word format of this document can be found here.

Emergency Response Plan of Action
This 40-page template is used to create an emergency response plan for a public water system. There are many situations that may cause impairment of water quality or disruption of service. In Maine, the most common is loss of water pressure or contamination of the water supply, source, or lines. Some common examples include main breaks, power outage, treatment failure, numerous types of contamination, extreme weather and or structural damage, floods, and equipment failure. This template goes over each topic to create the most efficient ERP. 

Better ERPs Part 1: Hosting a Roundtable Discussion

Creating a strong emergency plan is often easier said than done—and the middle of an emergency is the worst time to discover you’ve forgotten something. This is the first of a four-part series with guides and tips to help you build a comprehensive emergency response plan. 

Before you start drafting, though, consider hosting a water emergency roundtable discussion. These events provide a unique opportunity to connect water security with broader preparedness and community resiliency efforts underway in your region. Here’s a quick glance at what you can do to host a successful discussion: 

  1. Consult with partners within your water community to identify the groups that need to be at the table. Some groups to consider include hospitals, schools, farm operations, industrial parks, municipal pools, and first responders.
  2. Set a date and secure a meeting place that meets your meeting needs.
  3. Work with partners or co-hosts to ensure that the room has the equipment needed, such as a laptop, PowerPoint projector, and pens and pads for meeting participants.
  4. Have your water utility manager or superintendent call the groups to invite them to the event. A personal call typically results in a more positive response and can be followed by a formal invite and RSVP request.
  5. Call confirmed participants to outline what types of information participants will need to bring with them, how the discussion will be facilitated, and how sensitive information will be treated.
  6. Confirm with partners or co-hosts who will be responsible for facilitating the discussion, compiling participant data, putting together registration packets, welcoming participants, presenting, taking notes, and writing a meeting summary.
  7. Arrive at least on hour before the event is scheduled to set up materials and manage last minute details.
  8. Use meeting notes and discussed action items to develop a short report for participants.
  9. Write and distribute an internal and external report on progress towards action items approximately six months after the event.
  10. Determine the need for a follow-up meeting.

For more tips and sample invitation scripts, read the Water Emergency Roundtable—Outline for Discussion developed by the Association of State Drinking Water Administrators and EPA Region 5. And check back for part two of our series for free templates you can use when you're ready to write your emergency response plan.