Cybersecurity
NAWC members care deeply about taking the necessary steps to safeguard critical water and wastewater assets from cyber-related attacks. Water is vital to the health, safety and wellbeing of all Americans, and the security of water and wastewater systems is critical to the economic and national security of the nation.
Protecting the Nation’s Most Valuable Resource
In the United States, hackers have exploited computer programs to illegally access government-run water systems’ controls. In each case, quick-thinking employees and redundancy in the treatment systems saved entire communities from drinking, cooking and showering with dangerously contaminated water.
Unfortunately, the level of cyber sophistication at water systems varies greatly, and because the sector is such a target-rich environment, water utilities can be ripe for cybersecurity attacks. The sector’s complexities create multi-faceted compliance issues as many system operators outside of NAWC members have been lax in their investments in physical and cybersecurity-related areas.
NAWC’s Cybersecurity Pillars can help ensure the country is prepared and protected in a cyberattack. NAWC worked with key stakeholders to develop Cybersecurity Pillars to serve as guiding principles around cybersecurity, compliance and the sector’s path forward on this key issue.
NAWC and its member companies have the technical capability and the financial capacity to tackle these challenges using the Cyber Pillars as our guide. While the risks and threats to the water sector continue to grow and become more sophisticated, NAWC member companies remain committed to continuing efforts to strengthen their cybersecurity defenses. However, NAWC’s members are the exception, not the rule, when it comes to preparedness and cybersecurity in the water sector.
Over 90%
of NAWC members have a cybersecurity plan in place, however, NAWC’s members are the exception, not the rule, when it comes to preparedness and cybersecurity in the water sector
From the experts
Martin Kropelnicki
California Water Group
Water is the only utility that people ingest. And the frontier of water cybersecurity is only going to get bigger, not smaller. It’s not a question of if, it’s a question of when. And we must be prepared.
NAWC Cybersecurity Pillars
State and Federal Initiatives to Create Universal Standards
NAWC member companies support state and federal initiatives aimed at driving uniform cybersecurity compliance for all drinking water and wastewater system operators across the nation.
Efforts to Reexamine Cybersecurity Oversight
NAWC supports the efforts of the Biden Administration and congressional leadership to reexamine the drinking water and wastewater sector’s cybersecurity oversight model and embraces requirements such as mandating risk-based foundational standards.
Establishing North American Water Reliability Council
NAWC supports efforts to establish a North American Water Reliability Council (NAWRC) to manage the development of compliance standards and to audit utility implementation. This entity would mirror the NERC model used by the electric sector. NAWRC would be an independent, sector-led organization, not a government agency.
Creation of Federal Division to Oversee Reliability Council
NAWC supports the creation of a new FERC-like regulatory office within the Environmental Protection Agency’s (EPA) Office of the Administrator to oversee the North American Water Reliability Council’s (NAWRC’s) proposed compliance standards for the drinking and wastewater sector.
Federal Funding to Support Security Information Sharing
NAWC supports federal funding to utilize, and enhance, the Water Information Sharing and Analysis Center (WaterISAC) to directly support drinking water and wastewater companies by providing, promoting, and sharing voluntary operational, physical and cybersecurity-based information and best practices with the sector.
Uniform, Timely Incident Reporting
NAWC supports legislative and administrative measures to protect against ransomware attacks and other known “threat vectors” to information technology and operational technology systems and report cybersecurity attacks to the Cybersecurity & Infrastructure Security Agency (CISA) within prescribed timeframes.
Registration with CISA Hygiene Services
NAWC supports actions that require all drinking water and wastewater system operators to register for CISA’s Cyber Hygiene Services.
Comprehensive Physical and Cybersecurity Strategies
NAWC and its member companies agree that comprehensive physical and cybersecurity strategies must continue to evolve and support the development of effective policies that encourage more collaboration between the energy, water and gas sectors through cross-training, grid exercises and information sharing; and the formation of a cyber-mutual assistance program that would bring industry experts together to support restoration following cyber incidents that impact operations.
Resources
Water companies must step up on cybersecurity
The critical importance of ensuring the safety and reliability of the nation’s water cannot be overstated.
Cybersecurity needs to be top priority in nation’s water utilities
In February 2021, a hacker remotely adjusted the chemicals at a water treatment system in Oldsmar, Fla.
