Cybersecurity
Resources for public water systems to prepare for and prevent cyberattacks
A single cyber attack could cause disastrous health, fiscal, and reputational damage, all of which could be avoided when a water system operator, utility director and/or IT team acts to address cyber weaknesses.
Recent incidents across the country have confirmed that malicious actors are deliberately seeking out water utilities of every size, including small community systems, mobile home parks, and municipal systems. Attackers rely on assumptions that systems commonly make, such as:
- We are too small to matter as a target.
- City officials won’t care, so I shouldn’t bring up the cyber threat issue.
- We haven’t had issues in the past. If it’s not broken, why fix it?
The threats are not about stealing data; the threats are about disrupting operations, damaging equipment and instilling fear in your constituents, thereby undermining their confidence in drinking water.
Use this webpage as a tool to help inform your decision on addressing cyber security weaknesses.
EPA cybersecurity evaluation program
Performing a cybersecurity assessment could reduce the risk of a cyber attack by up to 45%. The process is simple.
- Fill out the EPA Water Sector Cybersecurity Evaluation Program Information Request
- An EPA contractor will reach out to schedule a time to conduct the assessment and will give you instructions on what to have prepared on the day of the assessment.
- Scheduling the assessment will give you time to invite others who should be in this meeting because they know about your system’s cyber capabilities.
- On the day of the assessment, the EPA contractor will ask you (and your invitees) each of the questions in the EPA Cybersecurity Checklist.
- The contractor provides a template for a Risk Management Plan, which you can use to plan and document actions to address cybersecurity gaps.
U.S. EPA Water Sector Cybersecurity Evaluation Program Fact Sheet
Prepare and prevent
The department highly encourages public drinking water systems to take advantage of the various resources available to help mitigate and prevent exposure to these damaging attacks. Various resources are free and confidential, and their sole purpose is to give your system the best defense against cyber threats.
- American Water Works Association (AWWA)
  - Water Sector Cybersecurity Risk Management Tool, to be used with America's Water Infrastructure Act (AWIA).
    - Answer 22 yes/no questions about your water system’s current cyber practices.
    - Based on your answers, the tool generates a list of recommended cybersecurity controls your utility should implement to protect your Process Control System against cyberattack.
    - Recommended controls are assigned to four levels of priority.
    - The tool generates an Excel spreadsheet that you can use to evaluate and track the implementation status of each recommended control.
- Cybersecurity and Infrastructure Security Agency (CISA)
- Environmental Protection Agency (EPA)
- Water Information Sharing & Analysis Center (WaterISAC)
- Wisconsin Water/Wastewater Agency Response Network (WIWARN)
  - Free membership
  - Become a WIWARN member
Need help answering questions about which resource may be best for your system? Email Martin.Pollard@wisconsin.gov.
Case studies
Take a look at these examples of cyber attacks in the United States:
Report an incident
Report any cybersecurity incidents to the following contacts:
- Local law enforcement
- FBI 24/7 CyberWatch at 855-292-3937 or CyWatch@fbi.gov
- Department of Homeland Security (DHS)/Cybersecurity and Infrastructure Security Agency (CISA) at 888-282-0870 or Central@cisa.dhs.gov, or through the DHS CISA Incident Reporting System
- It is also recommended that events be shared with WaterISAC at analyst@waterisac.org or 866-426-4722 (866-H2O-ISAC)