Meeting the EPA’s cybersecurity guidance for water utilities: Why it’s important and how to determine your risk

A quick cybersecurity pop quiz. Which of these three events is based on an actual occurrence?

• A malicious cyber actor deploys a SCADA-based ransomware attack against a water and wastewater system.
• A hacker accesses the computer systems for a water treatment facility, modifying the sodium hydroxide (lye) levels from 100 ppm to an extremely poisonous 11,100 ppm.
• A former employee at a water treatment plant remotely accesses a computer and shuts down the cleaning and disinfecting procedures that make water potable.

The correct answer, unfortunately, is “all of the above”. These were all actual events in California, Florida, and Kansas that were thankfully stopped in their tracks by attentive employees. To date, there has been no successful attempt by hackers to poison an American community’s water supply.

However, these types of attacks will inevitably become more sophisticated over time, which has prompted the US government to raise a cybersecurity alarm for the US’s 148,000+ public drinking water systems and 16,000+ publicly owned wastewater treatment systems.

What types of attacks might be directed at water utilities?

The specific details of how hackers might wreak havoc in the water sector vary, but the major threats to water utilities can be grouped into a few basic categories:

• Spearphishing using social engineering to attempt to deploy malware such as ransomware
• Insider threats from current or former employees who maintain improperly active credentials
• Exploitation of unsupported or outdated operating systems and software
• Exploitation of control system devices with vulnerable firmware versions

Utilities can shore up their defenses against cyberattacks in all of these categories with effective internal employee policies and procedures, but the last two on the list can be harder to accomplish if your workforce relies on older or outdated software and devices without access to the latest firmware updates.

What is the current state of the EPA’s guidance?

Ideally, the EPA wants utilities to assess their own cybersecurity readiness as part of their regular Public Water System (PWS) sanitary surveys. This isn’t yet a requirement, but it could be in the future.

As of the date of publication of this article, the EPA’s plan to fold cybersecurity assessments into sanitary surveys has been temporarily halted by the 8th Circuit US Court of Appeals.

While you might be waiting for the guidance to develop or the guidelines to turn into official regulations, water utilities should not wait to implement cybersecurity improvements. If your utility isn’t performing any regular cybersecurity monitoring or assessments, there is no better time to correct it than ASAP.

In fact, it may be alarming to learn that less than 25% of water and wastewater operators surveyed by the EPA are currently performing these kinds of annual cybersecurity risk assessments. 

Resources for assessing your level of cybersecurity

If you have IT personnel at your water utility who are tasked with watching for cybersecurity threats, we’ve collected a number of checklists that we encourage you to share with them so they can more easily determine your utility’s cybersecurity readiness:

• The EPA provides an extensive list of resources, including a downloadable water Cybersecurity Assessment Tool and Risk Mitigation Plan Excel Template that you can use to assess your cybersecurity.
• The Cybersecurity and Infrastructure Security Agency (CISA) has a Cyber Security Evaluation Tool (CSET) which you can download and install on a PC to help assess your security posture.
• The American Water Works Association (AWWA) provides Water Sector Cybersecurity Risk Management Guidance, as well as an online Cybersecurity Assessment Tool you can use to assess your readiness and comply with §2013 of America’s Water Infrastructure Act (AWIA) of 2018.

Can the cloud help water utilities with security?

We wanted to talk to an expert with experience for the energy and utility sectors about the EPA’s mandate, so we sat down for a conversation with AWS Principal Security Industry Specialist Maggy Powell. 

Read the Q&A

Consult with an expert

If you don’t have the benefit of IT personnel on staff, you may be able to tap into these expert resources:

• Consult with a CSA: CISA offers a range of cyber and physical services throughout 10 regions. You can contact your regional office and ask about consulting with a Protective Security Advisor (PSA) or Cyber Security Advisor (CSA).
• Ask a circuit rider: USDA Rural Development has contracted with the National Rural Water Association to provide circuit riders in each US state and territory who are experienced in managing issues that arise in the day-to-day operations of rural water systems. Read all about it and submit an application online.
• Guidance for smaller utilities: If your water utility serves less than 10,000 people, the AWWA’s Water Sector Cybersecurity Risk Management Guidance for Small Systems that serve less than 10,000 people can help streamline your self-assessment.
• CISA’s State and Local Cybersecurity Grant Program may provide important resources to offset some of the burden.
• Secure a grant: CISA and FEMA recently announced the availability of $374.9 million in grant funding for the FY 2023 State and Local Cybersecurity Grant Program. The deadline to apply is October 6.

The security benefits of SaaS

We’re building new and innovative services that don’t require users to update their desktop or device’s software. Indeed, in many respects the Software as a Service (SaaS) model – in which you access all of your data, analytics, hydraulic models, etc., via a secure browser – may help to alleviate some of the cyber risks that utilities currently face.

For example, if you are currently an Autodesk customer with a subscription to one of our Info360 SaaS products (Info360 Asset, Info360 Insight, Info360 Plant) or if you utilize our new cloud simulation services within InfoWorks ICM, InfoWorks WS Pro, or InfoWater Pro, determining your compliance may be a little easier.

In addition to Autodesk certifications and compliance, these services are all powered by AWS, which we chose partly because of the enhanced security these cloud services can provide for water utilities who utilize our software. So you may find that some of the boxes in these checklists can be quickly checked off because you aren’t using installed desktop software AND aren’t sharing sensitive files over internal or “on-premises” systems.

Cybersecurity: perhaps the most important reason to update your software

A 2021 CISA survey found that over 80% of major vulnerabilities that surveyed facilities experienced were software flaws discovered before 2017, suggesting that a significant number of employees were not updating their software. If your utility relies on older desktop software (especially outdated legacy operating systems like Windows 7), you are more at risk for cyber incidents and you should carefully and methodically assess your security level.

Stay safe and secure

Going through these checklists can be an eye-opening experience for the smallest utilities who may not have the benefit of IT personnel to guide purchasing or technical assistance needed to implement cybersecurity best practices. But it is always better to enter the cybersecurity waters with your eyes open.

Learn about Autodesk’s security practices and the steps we take to enhance security of our products on the Autodesk Trust Center.