rss

WaterOperator.org Blog

Webinar Recording: Cybersecurity for Wastewater Operators

cybersecurity webinar title.png

Watch this webinar recording to discover some of the most helpful cybersecurity resources and to learn how to use our search tools at WaterOperator.org to find additional resources and training events. This is the first webinar in our new series for wastewater operators!

The webinar answers questions such as:

  • What is WaterOperator.org and how is it a useful tool for wastewater professionals?
  • What are the best resources we have relating to cybersecurity in the water and wastewater sector?
  • How can you find more cybersecurity resources and other similar resources on WaterOperator.org?

This free series will cover topics relevant to wastewater operators, including funding, asset management, compliance, and water quality. Upcoming events in the series include:

  • Source Water Protection for Communities with Decentralized Wastewater (April 23)
  • Funding Wastewater Infrastructure Projects (June 25)

Certificates of attendance for each session will be delivered upon request. Check with your certification body for acceptance criteria.

Here is the recording of the first webinar, held in February 2024. We cannot provide certificates of attendance for watching the webinar recording.

Resources and Tools to Help Secure Your Utility's Infrastructure

Blog Post Template - Infrastructure Security Resources.png

Infrastructure Security Month is held annually in November to promote the vital role of critical infrastructure and to remind us why it is important to strengthen the security and resilience of America's critical infrastructure. Below are some useful resources and tools to help your utility secure your infrastructure and increase resilience to natural disasters and malevolent acts that threaten the water sector.

Water Contaminant Information Tool (WCIT)
WCIT is a secure database containing information on priority contaminants of concern for drinking water and wastewater systems to help systems prepare for, respond to, and recover from contamination incidents.

Creating Resilient Water Utilities (CRWU)
CRWU initiative assists drinking water and wastewater utilities in building resilience to climate impacts.

Resilient Strategies Guide for Water Utilities
The Resilient Strategies Guide introduces drinking water, wastewater, and stormwater utilities to the adaptation planning process. Utilities can use the Guide to identify their planning priorities, vulnerable assets, potential adaptation strategies and available funding sources.

Incident Action Checklists for Water Utilities
These 12 checklist templates help with emergency preparedness, response and recovery activities. Incidents include wildfires, flooding, power outages, cybersecurity, and more. 

Federal Funding for Water and Wastewater Utilities in National Disasters (Fed FUNDS)
Fed FUNDS provides information tailored to water and wastewater utilities on federal disaster and mitigation funding programs from FEMA, USDA, EPA, HUD, SBA, and USBR.

EPA Mandates Cybersecurity Reporting for the Water Sector

Newsletter Top Story Graphic- Cybersecurity1.png

Public water systems are increasingly at risk from cyberattacks that threaten public health. U.S. EPA has issued new guidance that states are required to evaluate and report on cybersecurity threats for systems that use industrial control systems or other operational technology.

“Cyberattacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable," said EPA Assistant Administrator Radhika Fox. “Cyberattacks have the potential to contaminate drinking water.”

This expectation is outlined in a memo that interprets sanitary survey requirements, accompanied by a detailed guidance document aimed at state programs and technical assistance providers. It was released as part of the Biden administration's updated National Cybersecurity Strategy

U.S. EPA offers resources that can help water systems understand and address cyber vulnerabilities including this video on basic cybersecurity concepts that can be used by water systems as a part of an annual cybersecurity training program. Our database on WaterOperator.org also has resources on this topic, including this 56-page guide from WaterISAC on cybersecurity best practices to reduce exploitable weaknesses and attacks.

Defend Your Water System Against Drought

drought-water-cracked.jpg

Many states across the United States are currently experiencing one of the worst droughts in American history. Some are even experiencing a "megadrought", meaning that they have been experiencing drought conditions for many years. Climate change also exacerbates drought conditions by increasing the average global temperature and causing irregular weather patterns. Westerns states such as CaliforniaArizonaMontanaNevadaNew Mexico, and Idaho are experiencing some of the most extreme effects. Drought is particularly devastating because it is slow coming but its effects are widespread.

Increased drought conditions can result in:

  • Loss of water pressure and supply 
  • Poor water quality 
  • Limited access to alternative water sources 
  • Increased customer demand 
  • Increased costs and reduced revenues 

For example, in Nevada, the drought has had disastrous impacts on Lake Mead, the largest water reservoir in the United States that currently provides water for over 20 million people across California, Nevada, Arizona, and some of Mexico. The reservoir is now at the lowest it has been since it was filled in 1937 and the situation is so extreme that the federal government is expected to declare an official Lake Mead shortage by the end of the summer. Drought can also negatively impact drinking water providers that rely on lakes because they can increase the number of algal blooms in freshwater. Algal blooms not only contain chemicals that are toxic to humans but large amounts of algae can also clog water filters and damage the water treatment process. 

A total of 31 states are currently experiencing moderate to severe drought across the country. Research also shows that the drought has become progressively worse over the past few decades. The U.S. Drought Monitor website has a feature that allows you to monitor the level of drought happening in your area.

Like most natural disasters, rural and low-income communities are often hit the hardest by drought conditions because of their lack of access to resources and infrastructure. Rural farmers are also greatly impacted by drought because of the lack of water available for irrigation, making it very difficult to support themselves. 

Droughts are a public health issue because they affect access to clean and safe drinking water. Practicing emergency response and preparedness is the best way to minimize severe impacts from drought. To avoid serious impacts from droughts, water utilities should:

  1. Conduct observation and monitoring 
  2. Practice planning and preparedness  
  3. Predict and forecast 
  4. Maintain good communication and outreach with customers 
  5. Use interdisciplinary research and applications 
We've gathered some of the best resources from our library to help you dig in further to this topic.

Resources for Drought Assessment and Resilience

Incident Action Checklist – Drought
This checklist from the U.S. EPA provides various ways for water and wastewater utilities to prepare for, respond to, and recover from a drought. 

10 Ways to Prepare for a Drought Related Water Shortage
This resource from the Rural Community Assistance Partnership lists ten ways to prepare your small water system for water shortages.

Small Water Systems and Rural Communities Drought and Water Shortage Contingency Planning and Risk Assessment
This report can be used to help strengthen your water shortage vulnerability assessments and risk scoring. 

Drought Contingency Plan for a Retail Public Water Supplier
This is a sample form that can be used as a model of a drought contingency plan for a retail public water supplier. 

Drought Management Plan A Template for Small Water Systems
This document outlines mitigation measures that water managers can take to greatly minimize the effects of drought. 

100 Water Saving Tips from “Water. Use it wisely.” 
Communicate some of these water-saving tips to your customers to help them conserve water during a drought. 

AWIA Section 2013 Compliance Check

awia-certification.png

Small community drinking water systems (CWSs) that serve between 3,301 and 49,999 must submit Risk and Resilience Assessment (RRA) certifications by June 30, 2021 and an Emergency Response Plan (ERP) by December 21, 2021 in order to stay in compliance with America’s Water Infrastructure Act (AWIA). Certification must be completed every five years and the ERP updated within six months of that recertification. You can confirm if your water system is impacted by the AWIA on the U.S. EPA website. 

In this era of unpredictability, it is increasingly important to adapt water systems to the ever changing and intensifying events that threats like climate change pose. Building a strong water resilience plan is the best way to prepare yourself and your community against these events. In order to stay ahead of the game, utilities should conduct an assessment to reduce risk, plan for and practice responding to emergencies, and monitor systems for contaminants. 

The AWIA does not require utilities to use any specific tools or methods when conducting these assessments. It does however require utilities to meet all requirements listed in Section 2013 and throughout the act. The U.S. EPA also has more information on how to certify your risk and resilience assessment and your emergency response plan. There is also more information on our website about how to complete your RRA and ERP, as well as information about the AWIA Small Systems Certificate Program.

Florida Security Incident Highlights Need for Cybersecurity Precautions

oldsmar-water-cybersecurity.jpg

Oldsmar, Florida made national headlines after experiencing a remote breach of their chemical control system earlier this year.

The hacker, whose identity and intent has not yet been identified, increased the sodium hydroxide feed by more than 100-fold, but the change was quickly overridden by the operator who saw the breach occur. The operator then disabled remote access and contacted local authorities.

This technical brief from the U.S. Department of Homeland Security (shared via Michigan WEA) provides an in-depth overview of incident as well as potential broader impacts, including attacks inspired by the methods used in Oldsmar.

This is just the most recent example of hackers exploiting utility cybersecurity vulnerabilities and undoubtedly you may be wondering if your system is doing enough to prevent this type of intrusion or has the safeguards in place to respond in the event of a breach.

The U.S. EPA released a new Cybersecurity Best Practices page and we recommend the Cybersecurity Incident Action Checklist as the best place to begin your own self-assessment.

Preventing & Responding to Security Threats

Facility and infrastructural security are an important component of any emergency response plan. Whether the outcome can result in vandalism, theft, terrorism, or a threat to staff or community safety, suspicious activity should always be taken seriously. When the city of Woodland Hills was alerted of trespassing at their water storage tank, the utility promptly issued a boil order until they could confirm that their water was safe to drink. These actions prevented any potential harm due to contamination leaving community members safe and reassured that their utility was taking an active role in water security. Evaluating risk to malevolent acts will allow your system to initiate or upgrade preventive measures and develop an appropriate response plan to protect staff and the community.

To prevent malevolent acts, start by taking an assessment of your facility’s vulnerabilities. Consider entry points, security code accessibility, chemical tanks, storage tanks, vehicles, utility equipment, hazardous chemicals, and infrastructure within the distribution or collection system. Infrastructure essential to operations and limited in redundancy or identified to be at greater risk to malevolent acts may require more meticulous security measures. To assess physical security threats, check out the Security Vulnerability Self-Assessment Guide for Small Drinking water Systems.

The goal in a vulnerability assessment is to determine where prevention measures can be implemented and develop a response plan to suspicious activity.  According to the Minnesota Department of Health, many facilities increase security by locking entry points, using external lighting, posting warning signs, requesting law enforcement patrol, fencing in critical infrastructure, or installing motion sensors, alarm systems, and video cameras. Once all preventive measures have been taken, develop a response protocol for each potential threat. The Association of State Drinking Water Administrators has developed response guidelines for security violations. In each response scenario, utilities should plan for how they can maintain internal, interagency, and external communication.

Utilities should practice emergency response exercises regularly and keep track of necessary changes to response protocols. During these exercises reserve time to monitor which staff have access to key entry points at the utility. Successful security programs will also build and maintain a close relationship with local law enforcement. This relationship will allow utilities to respond swiftly and efficiently in coordination with law enforcement when suspicious activity does occur.

Remember that final goal of these measures is to prevent any interruption in services, damage to infrastructure, and safety threats to staff and the community. For more information on Malevolent Acts check out the EPA’s Baseline Information on Malevolent Acts for Community Water Systems.

Data Protection and Cybersecurity for Small and Medium Systems

Specify Alternate Text

Many water utilities rely on online technology and computer systems to increase their working efficiency. In the office space, data management software, pay roll systems, customer billing programs, utility websites, and social media improve customer services and provide an organized method to retain and access utility information. On the operational side, employees may rely on remote access control systems such as SCADA or smart metering to monitor or control systems while performing maintenance in the field. These control systems allow for improved response times and monitoring.

Yet as we all learned from Spiderman, with great power comes great responsibility. Without sufficient cybersecurity measures, systems risk the health and security of their customers. Successful attackers can steal customer personal data such as credit cards, social security numbers, and contact information. They may attempt to deface utility websites compromising customer confidence. If your system uses online process control systems, hackers could lock out utility access, alter treatment processes, damage equipment, and override alarms. The American Water Works Association (AWWA) has listed a variety of cyberattacks and their consequences in its 2018 Cybersecurity Risk & Responsibility in the Water Sector Report. These attacks resulted in leaked customer information, considerable financial losses, altered chemical dosing, and even source water contamination. Just recently staring in May of 2019 the City of Baltimore has been held hostage by an ongoing three week cyberattack that demands $100,000 in Bitcoin to free city files and water billing data.

There are many types of cyberattacks including password hacking, the exploitation of software vulnerabilities, denial of service, and malware. Common malware includes ransomware, spyware, trojan horse, viruses, and key loggers. Attacks can even happen through opportunity theft, improper disposal of computer equipment, or phishing attempts where thieves pose as legitimate organizations requesting confidential information.

To prevent cyberattacks, start by identifying vulnerabilities, developing a multi-tier security plan, and actively enforcing that plan. The EPA has developed a guide explaining 10 key components for a cybersecurity plan that includes planning worksheets and information on how to respond in the event of an attack. Systems should plan to update software regularly and require strong passwords that are different for each account. Installing anti-virus software and firewalls is also effective. A security plan should include measures to educate employees on cybersecurity awareness and limit access to security information based on job function.

For an in-depth list of security practices, read through WaterISAC’s 2019 guide to reduce exploitable weaknesses or the EPA’s Incident Action Checklist. The AWWA’s guide on Process Control System Security Guidance for the Water Sector can aid systems using smart technology. To improve social media and website security, start with Hootsuite’s social media security tips and Sucuri’s website security tips.

If a data breech does occur, utilities will want to have and established protocol to resolve and mitigate potential damage. The Cyber Security Adviser Program with the Department of Homeland Security (DHS) offers regional affiliates that will assist systems in vulnerability assessments, plan development, and informational support. While the costs associated with response, forensics, and legal fees can be expensive, waiting to take action can incur an even greater cost. Remember to keep an active cybersecurity plan and, if incidents should occur, report them to local law enforcement, the DHS, and WaterISAC.

Featured Video: Secure Your Utility

For the last two weeks, we've been talking about sharing the value of water and the reality of hidden infrastructure with your community. These are vital points that will help your community understand where their money goes and the importance of the work you do every day. However, there may be some individuals in your community that you wish understood a bit more about the value of water and a bit less about hidden infrastructure. Vandalism, break-ins, and other security breaches can be a nuisance at best and a public health hazard at worst. Utilities of all sizes in all kinds of communities deal with these issues, but the far-flung nature of rural utilities can make them particularly vulnerable.

So what can you do? This week's video offers some suggestions. It presents a case study of an Arizona utility that took several measures to deal with security issues. Though the utility highlighted is large, many of their practices may work for smaller utilities as well.



You can view a PDF of the handbook mentioned in the video, or use the other navigation and access options offered on the USEPA website. You might also be interested in this top 10 list of water security and emergency preparedness procedures for small groundwater utilities (also a PDF).

Better ERPs Part 2: Templates

So you've held a water emergency roundtable discussion and are ready to put pen to paper, so to speak. Fortunately, you don't have to start with a blank piece of paper. There is a suite of resources available for utilities—and small water suppliers particularly—to help you prepare for the unknown and plan for the rare events.

The free templates provided here will help you get started. If you don't see something that fits your system's needs, search "emergency response plan templates" in our documents database to find more resources.

Emergency Response Planning Template for Public Drinking Water Systems

This 22-page document developed by the Rural Community Assistance Partnership is intended for use by any water system serving a population of 3,300 or fewer and can be modified to fit specific system needs. The template is intended to be used as a starting point based on what is relevant for the type, size, and complexity of the system.

Rural & Small Water and Wastewater System Emergency Response Plan Template

This 47-page template is designed to be a guide for Emergency Response Planning. Emergency response planning should be a coordinated and planned process. Proper planning can lessen the impact of an emergency. All staff should be trained as to their responsibility within the plan and how it will be implemented. This template was designed to address various emergency hazards that may occur in rural and small systems. It incorporates emergencies that may be the result of terrorism. Regardless of the type of emergency whether natural or man-made each system has the responsibility to be prepared to protect the public health and to restore services that may be impacted.

Disaster-Specific Preparedness/Response Plan for Public Drinking Water Systems - XYZ Water System Template

This 69-page template has been developed to help you prepare your Emergency Response Plan. The ERP Guide (see separate document, here) and Template is intended for use by any water system and may be modified to fit the specific needs of each system. The ERP guide follows the outline in the template—section by section

Emergency Response Plan Template
This 26-page form is an outline of an emergency response plan for water operators to fill out and complete. This document is in pdf form, but the fillable Word format of this document can be found here.

Emergency Response Plan of Action
This 40-page template is used to create an emergency response plan for a public water system. There are many situations that may cause impairment of water quality or disruption of service. In Maine, the most common is loss of water pressure or contamination of the water supply, source, or lines. Some common examples include main breaks, power outage, treatment failure, numerous types of contamination, extreme weather and or structural damage, floods, and equipment failure. This template goes over each topic to create the most efficient ERP.