Cybersecurity has become a leading threat to businesses and organizations, as the frequency of cyber-terrorism and ransom attacks have escalated. According to the United States Environmental Protection Agency (EPA), “Cyber-attacks are a growing threat to critical infrastructure sectors, including water and wastewater systems.” 

In response to this growing threat, the American Water Works Association (AWWA) initiated a project (WITAF #503) to “address the absence of practical, step-by-step guidance for protecting water sector process control systems (PCS) from cyber-attacks.” The initiative, began in 2013, corresponded with a cybersecurity framework which, at the same time, was in development by the National Institutes of Standards and Technology (NIST). This framework by the NIST included “a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.”

The AWWA project resulted in the AWWA Water Sector Cybersecurity Risk Management Guidance (AWWA Guidance) and associated AWWA Cybersecurity Assessment Tool (AWWA Assessment Tool), collectively referred to as AWWA Guidance and Assessment Tool. The intention of this guidance and assessment tool was to provide a voluntary approach for addressing and adopting the cybersecurity framework designed by NIST, through use of a consistent and repeatable assessment tool, which also includes recommended courses of action to reduce vulnerability. The tool also will ideally help water utility owners and operators to comply with section 2013 of America’s Water Infrastructure Act (AWIA) of 2018 (PL 115-270) which requires every community to complete regular, thorough assessments.

Anthony Hays, Computer Services Manager for Alliance, says that although the undertaking of implementation of these new tools will be quite a task, he understands their importance and necessity. Hays sees the threat of ransom attacks as a major concern, and says that when hackers can access a utility system they can cause havoc by turning on and off pumps and/or feeding unnecessary chemicals into systems, ultimately rendering plants inoperable and threatening the availability of clean water access for entire communities.

Alliance has begun the process by first working with their communities’ SCADA companies on upgrades to systems that will work logistically with new technologies to improve cybersecurity. One challenge is the cost of upgrades, often between $20K and $100K, which can be cost prohibitive for smaller communities. Alliance will work with the community IT teams in place, along with district and local managers, to perform assessments and complete their Risk and Resilience plans.  

With many locations, all varying in size and scope, Alliance has a deadline to complete these assessments and plans by June of 2021. Whereas Hays agrees that a turn-key process would be ideal, and acknowledges that AWWA has strived to provide as turn-key of a system as possible, there are many differences throughout the various communities that cause customization of plans. But he says one thing that will be consistent is education.

“A large element of every plan will be education,” says Hays. “We will start by educating the District Managers, who will then take that education to the Local Managers, who will then be responsible to share with the rest of their teams.” Hays says that the best prevention is awareness of the threat and attentiveness to everyday safety and common sense.

According to the Executive Order implemented by President Barack Obama in 2013, “The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. The national and economic security of the United States depends on the reliable functioning of the Nation’s critical infrastructure in the face of such threats.”