Meeting the EPA’s cybersecurity guidance for water utilities: Why it’s important and how to determine your risk

Eric Suesz, August 21, 2023

A quick cybersecurity pop quiz. Which of these three events is based on an actual occurrence?

The correct answer, unfortunately, is “all of the above”. These were all actual events in California, Florida, and Kansas that were thankfully stopped in their tracks by attentive employees. To date, there has been no successful attempt by hackers to poison an American community’s water supply.

However, these types of attacks will inevitably become more sophisticated over time, which has prompted the US government to raise a cybersecurity alarm for the US’s 148,000+ public drinking water systems and 16,000+ publicly owned wastewater treatment systems.

What types of attacks might be directed at water utilities?

The specific details of how hackers might wreak havoc in the water sector vary, but the major threats to water utilities can be grouped into a few basic categories:

Utilities can shore up their defenses against cyberattacks in all of these categories with effective internal employee policies and procedures, but the last two on the list can be harder to accomplish if your workforce relies on older or outdated software and devices without access to the latest firmware updates.

What is the current state of the EPA’s guidance?

Ideally, the EPA wants utilities to assess their own cybersecurity readiness as part of their regular Public Water System (PWS) sanitary surveys. This isn’t yet a requirement, but it could be in the future.

As of the date of publication of this article, the EPA’s plan to fold cybersecurity assessments into sanitary surveys has been temporarily halted by the 8th Circuit US Court of Appeals.

While you might be waiting for the guidance to develop or the guidelines to turn into official regulations, you should not wait to implement cybersecurity improvements. If your utility isn’t performing any regular cybersecurity monitoring or assessments, correct that as soon as possible.

In fact, it may be alarming to learn that less than 25% of water and wastewater operators surveyed by the EPA are currently performing these kinds of annual cybersecurity risk assessments. 

Resources for assessing your level of cybersecurity

If you have IT personnel at your water utility who are tasked with watching for cybersecurity threats, we’ve collected a number of checklists that we encourage you to share with them so they can more easily determine your utility’s cybersecurity readiness:

Can the cloud help water utilities with security?

We wanted to talk to an expert with experience in the energy and utility sectors about the EPA’s mandate, so we sat down for a conversation with AWS Principal Security Industry Specialist Maggy Powell.

Consult with an expert

If you don’t have the benefit of IT personnel on staff, you may be able to tap into these expert resources:

The security benefits of SaaS

We’re building new and innovative services that don’t require users to update their desktop or device’s software. Indeed, in many respects the Software as a Service (SaaS) model – in which you access all of your data, analytics, hydraulic models, etc., via a secure browser – may help to alleviate some of the cyber risks that utilities currently face.

For example, if you are currently an Autodesk customer with a subscription to one of our Info360 SaaS products (Info360 Asset, Info360 Insight, Info360 Plant) or if you utilize our new cloud simulation services within InfoWorks ICM, InfoWorks WS Pro, or InfoWater Pro, determining your compliance may be a little easier.

In addition to Autodesk certifications and compliance, these services are all powered by AWS, which we chose partly because of the enhanced security these cloud services can provide for water utilities that use our software. So you may find that some of the boxes in these checklists can be quickly checked off because you aren’t using installed desktop software and aren’t sharing sensitive files over internal or “on-premises” systems.

Cybersecurity: perhaps the most important reason to update your software

A 2021 CISA survey found that over 80% of major vulnerabilities that surveyed facilities experienced were software flaws discovered before 2017, suggesting that a significant number of employees were not updating their software. If your utility relies on older desktop software (especially outdated legacy operating systems like Windows 7), you are more at risk for cyber incidents and you should carefully and methodically assess your security level.

Stay safe and secure

Going through these checklists can be an eye-opening experience for the smallest utilities, which may not have the benefit of IT personnel to guide purchasing or the technical assistance needed to implement cybersecurity best practices. But it is always better to enter the cybersecurity waters with your eyes open.

Learn about Autodesk’s security practices and the steps we take to enhance the security of our products on the Autodesk Trust Center.
