There are approximately 52,000 community water systems and approximately 16,000 wastewater systems in the United States. With threats from increasingly sophisticated and destructive attackers, cybersecurity has become a top priority for water and wastewater systems. Recent incidents have added urgency to discussions within the sector and with Congress and in federal agencies on how best to help utilities improve their cybersecurity.
To help guide discussions with policymakers and to inform the sector’s own cybersecurity programs, the Water Sector Coordinating Council (WSCC) – an advisory body comprising the national water and wastewater associations, the sector’s research foundation and the Water Information Sharing and Analysis Center (WaterISAC) – collaborated on a utility survey to develop a picture of current cybersecurity practices in the sector to better articulate the challenges and needs of the sector.
This voluntary survey was distributed to utilities across the country by the nation’s water and wastewater associations. The results represent a first-of-its-kind snapshot of the Water and Wastewater Systems Sector cybersecurity posture.
The survey, conducted in April 2021, resulted in 606 responses from water and wastewater utilities.
The responses demonstrate that many utilities are implementing cybersecurity best practices, but many others’ cybersecurity programs are incomplete.
The survey found:
- Nearly 60% of respondents address cybersecurity in their overall risk assessments.
- 38% of utilities have identified all IT-networked assets, with an additional 22% working to identify all IT-networked assets.
- 31% of utilities have identified all OT-networked assets, with an additional 23% working to identify all OT-networked assets.
- Among those that have identified networked IT and OT assets, nearly 75% of respondents report they have implemented efforts or are in some stage of progress.
Survey respondents also identified a number of areas where the federal government can support the sector. The top four categories are:
- Training and education specific to the water sector,
- Technical assistance, assessments, and tools,
- Cybersecurity threat information, and
- Federal loans and grants.
Both the sector and its federal partners have already developed resources for most of these areas, with the exception of federal loans and grants. Additional resources, including loans and grants, are clearly needed to reach a wider audience within our large and diverse sector. The development and promotion of these resources must recognize the range of resources and capabilities within the sector and will require a combined effort between the sector, government agencies, and other partners.
What is the sector doing?
- WaterISAC issues cybersecurity advisories about water sector-relevant threats and vulnerabilities and has published its 15 Cybersecurity Fundamentals for Water and Wastewater Utilities.
- The American Water Works Association has published its Cybersecurity Guidance and Tool, prepared training and tailored guidance for small systems.
- Sector associations promote awareness and best practices via newsletters and conferences.