National Critical Functions - Supply Water and Manage Wastewater
Ensuring the supply of safe drinking water and treatment of wastewater is essential to modern life and the Nation's economy. Every day, more than 150,000 public water systems provide drinking water to millions of Americans and U.S. wastewater treatment facilities process approximately 34 billion gallons of wastewater. Considered National Critical Functions (NCFs), both the ability to "supply water" and "manage wastewater" are functions of government and the private sector so vital to the U.S. that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.
To enhance the security of these functions, CISA's National Risk Management Center is working with the private sector, government agencies, and other key stakeholders to manage the most significant risks to these important functions.
The Water and Wastewater Systems Sector provides essential services that support the operation of all U.S. critical infrastructure. To enhance operations, water and wastewater facilities are increasingly integrating information technology (IT) and operational technology (OT) systems. At the same time, the integration of IT/OT systems has created new vectors through which adversaries can exploit vulnerabilities in assets, networks, systems, and devices.
Risks range from cyber adversaries stealing sensitive data to disabling network components, disrupting operations, and more. These risks can also have cascading impacts on other critical services (e.g., hospital operations, firefighters, and food production) as well as on dependent and interdependent critical infrastructure sectors and NCFs (e.g., energy sector, produce and provide agricultural products, produce chemicals).
SECURING THE SUPPLY WATER AND MANAGE WASTEWATER NCFS
Good cybersecurity posture means taking a comprehensive view of all IT and OT systems and using a layered approach with risk-informed analysis to determine the applicability of a range of mitigations (including policies, security practices, and people) to prevent, detect, and respond to cyber threats and ensure physical and cyber critical infrastructure remain secure and resilient. Some measures include:
- Implementing cyber hygiene and best practices within IT networks can protect water and wastewater management systems from cyber attacks such as ransomware and data theft, and reduce the risk of lateral movement within systems or networks.
- System owners should ensure that OT systems that help control valves and pumps and conduct monitoring are properly protected through patching and proper network mapping.
- Properly segmenting IT/OT systems to ensure that no part of OT systems can directly connect to the internet can greatly reduce the possibility of a successful attack upon industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems.
CYBER RISKS & RESOURCES FOR THE WATER & WASTEWATER SYSTEMS SECTOR
CISA developed two infographics on Cyber Risks and Resources for the Supply Water and Manage Wastewater National Critical Functions to provide water and wastewater systems managers and state, local, tribal, and territorial partners with an overview of the cyber risks they may face and to highlight resources available to help them enhance their cybersecurity.
Each infographic focuses on risks to the Water and Wastewater Systems Sector, and identifies risks under three categories—IT, OT, and IT/OT convergence—to demonstrate the potential risks that can be caused by malicious cyber-attacks.
- Download/share the Cyber Risks & Resources for the Supply Water NCF Infographic.
- Download/share the Cyber Risks & Resources for the Manage Wastewater NCF Infographic.
- CISA's Cyber Hygiene Services
- CISA Tabletop Exercise Packages, including one specifically tailored to Water Systems.
- Critical Industrial Control Systems Cybersecurity Performance Goals and Objectives
- Insider Threat Mitigation Resources
- Joint Ransomware Guide
- Rising Ransomware Threat to Operational Technology Assets Fact Sheet
Please note: These resources are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide warranties of any kind regarding this information, nor does it endorse any commercial product, service, or subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favoring by DHS.
- Joint Cybersecurity Advisory: Compromise of U.S. Water Treatment Facility
- WaterISAC: 15 Cybersecurity Fundamentals for Water and Wastewater Utilities
- American Water Works Association: Cybersecurity Guidance and Assessment Tool
- Environmental Protection Agency (EPA): Cybersecurity Incident Action Checklist
- EPA: Cybersecurity Best Practices for the Water Sector
- EPA: Supporting Cybersecurity Measures with the Clean Water and Drinking Water State Revolving Funds
- National Security Agency: Stop Malicious Cyber Activity Against Connected OT
- National Institute of Standards and Technology (NIST): Special Publication (SP) 800-167, Guide to Application Whitelisting
- NIST: SP 800-82 Rev. 2, Guide to Industrial Control Systems (ICS) Security (Section 6.2.1)
If you have a question or comment, please email us at NCF@hq.dhs.gov.