October is National Cybersecurity Awareness Month, and the American Water Works Association (AWWA) is offering updated resources to help water systems with cybersecurity risk management.
The newly-revised Water Sector Cybersecurity Risk Management Guidance, and a supporting Assessment Tool, help water systems evaluate and improve their cybersecurity risk management. The revisions incorporate cyber provisions in America’s Water Infrastructure Act (AWIA) of 2018, which mandates that drinking water systems serving more than 3,300 people conduct risk assessments and update emergency response plans, including addressing the resilience and security of electronic, computer and other automated systems.
The update also maintains the resources’ alignment with the National Institute of Standards and Technology (NIST) Cybersecurity Framework prepared in response to Executive Order 13636. AWWA’s Cybersecurity Guidance & Assessment Tool is recognized by the U.S. Environmental Protection Agency, the Department of Homeland Security and NIST as a voluntary, sector-specific approach for helping water systems evaluate and implement cybersecurity controls.
Training on the new Cybersecurity Guidance & Assessment Tool is part of AWWA’s Utility Risk & Resilience Certificate Program.“Given the frequency of attacks of varying degrees of sophistication, every utility should assume they will be attacked,” said Kevin Morley (pictured left), AWWA’s manager of federal relations. “This is about risk management, so it’s critical to take appropriate precautions and implement best practices to mitigate the consequences.”
AWWA’s new complementary report, Cybersecurity Risk & Responsibility in the Water Sector, was prepared to support utility leaders. The report notes that “cyber risk is the top threat facing business and critical infrastructure in the United States.” It urges utility leadership to devote considerable attention to ensuring that the necessary resources are devoted to cybersecurity preparedness and response, both from a technical and a governance perspective.
The report, authored by Judith Germano, professor and distinguished fellow at New York University’s Center for Cybersecurity, provides legal and risk management insights for integrating cybersecurity into an enterprise risk management process. The executive summary notes that the water and wastewater sector is under a direct threat from multiple adversaries, including foreign governments and criminal actors who threaten the security of the water sector’s operations and data.
“All combined, AWWA’s risk and resilience resources provide a utility with a robust framework that facilitates compliance with AWIA and provided the means by which it can demonstrate due diligence,” Morley added.