Cybersecurity for Water Systems

Cybersecurity Best Practices

  • Multifactor Authentication: Enforce multifactor authentication on cloud email services, VPN access, and external applications.
  • Endpoint Protection: Deploy endpoint protection on workstations and servers.
  • Intrusion Detection: Implement a network intrusion detection system.
  • Patch Management: Use an automated patch management system for workstations and servers on a routine schedule.
  • Strong Passwords: Ensure all default system passwords are changed to a complex and unique 16-character (or more) password.
  • Backups: Implement system backups and periodically test recovery processes.
     
Learn more

Cybersecurity is crucial for water systems to protect against threats that could disrupt water treatment and distribution. A cyberattack could lead to contamination, service outages, or manipulation of water pressure, posing serious public health and safety risks. As water infrastructure becomes more connected through digital controls, the risk of cyber intrusions increases, making strong security measures essential. Implementing robust cybersecurity protocols will help safeguard critical systems.

GEFA offers financing through the Drinking Water State Revolving Fund (SRF) and Clean Water SRF to help water systems with cybersecurity improvements, including:

  • Upgrading computers, servers, and software;
  • Creating secure network backups;
  • Enhancing the security of operational technology systems;
  • Installing or updating SCADA systems;
  • Providing on-site back up power generation;
  • Installing threat detection and monitoring systems; and
  • Implementing access control systems.

To promote cybersecurity measures in infrastructure projects, GEFA provides additional scoring points during the pre-application evaluation process.

Cybersecurity resources available to water systems

  • Drinking water and wastewater systems can request a free cybersecurity assessment through the U.S. Environmental Protection Agency (EPA).
  • EPA also offers technical assistance provided by cybersecurity subject matter experts.
  • The Cybersecurity and Infrastructure Security Agency (CISA) offers cyber hygiene services to state, local, tribal, and territorial governments. To sign up for CISA’s cyber hygiene services, a system can email [email protected] with the subject line “Requesting Vulnerability Scanning Services.” The email should include the name of the utility, a point of contact with an email address, and the physical address of the utility’s headquarters.
  • The American Water Works Association has developed essential planning resources to start water utilities on the path to cyber-resilience.