Water and Wastewater Cybersecurity
Americans rely on the supply of safe drinking water and wastewater treatment every hour of every day for personal use as well as for supporting other critical infrastructure sectors and the nation’s economy. The Water and Wastewater Sector depends on the digital world, leveraging technology for monitoring, operations and communicating with customers. Any disruption to the digital ecosystem of a drinking water or wastewater system could have significant impacts on the community it serves as well as on other critical infrastructure.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Environmental Protection Agency (EPA) developed the toolkit below to highlight the most relevant CISA and EPA resources to protect against, and reduce impacts from, threats posed by malicious cyber actors looking to attack water and wastewater systems. CISA brings technical expertise as the nation’s cyber defense agency and EPA, as the Sector Risk Management Agency, offers extensive sector expertise and resources.
How to Use this Toolkit
This toolkit consolidates key resources for water and wastewater systems at every level of cybersecurity maturity. For organizations that are just starting to develop their cybersecurity strategies, the fundamental cyber hygiene steps are basic, low- or no-cost steps that every organization and individual should take to improve their security. The toolkit can help water and wastewater systems build their cybersecurity foundation and progress to implementing more advanced, complex tools to strengthen their defenses and stay ahead of current threats.
CISA and EPA are providing this toolkit because cybersecurity is one of many areas where the Water and Wastewater Sector faces persistent challenges. The toolkit provides resources to enable sector stakeholders to proactively assess vulnerabilities and implement solutions to reduce risk and increase resilience. CISA and EPA will update the toolkit periodically to include new resources and respond to the evolving needs of the sector.
CISA's Free Cyber Vulnerability Scanning for Water Utilities fact sheet explains the process and benefits of signing up for CISA’s free vulnerability scanning program.
EPA’s help desk is available 24/7 and responds to water cyber inquiries within two days. The help desk provides guidance to help prevent, detect, respond to and recover from cyber incidents.
EPA conducts free cyber assessments for drinking water and wastewater utilities using EPA’s Cybersecurity Checklist, which is derived from CISA’s Cybersecurity Performance Goals (CPGs). Utilities receive a summary report and a Risk Management Plan to help prioritize cybersecurity efforts.
Cybersecurity Performance Goals are a common set of protections that all critical infrastructure entities - from large to small - should implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques.
EPA has a wide range of services and tools to help drinking water and wastewater systems increase their cybersecurity, including assessments, planning, training and response.
This guide outlines how water utility owners and operators can collaborate with federal partners as they prepare for, respond to and mitigate the impact of a cyber incident.
CISA provides best practices and guidance to water entities to reduce the impact and likelihood of ransomware incidents and data extortion.
Secure Our World provides numerous tools and resources to help keep water systems safe online, including teaching employees to avoid phishing.
There are several resources drinking water and wastewater systems can use to increase their cyber resilience, including the Clean Water State Revolving Fund, Drinking Water State Revolving Fund, and CISA State and Local Cybersecurity Grant Program.
Share Information and Report Cyber Incidents
Voluntarily sharing information about cyber-related events that threaten critical infrastructure organizations is critical to creating a better, more holistic understanding of the threat environment in the Water and Wastewater Sector. Reporting incidents enables CISA to rapidly deploy resources and render assistance to impacted entities and quickly share that information to warn potential victims and prevent future attacks.
Report suspicious activity such as:
- Unauthorized access to systems
- Email or mobile messages associated with phishing attempts or successes
- Ransomware incidents
Connect with CISA's Regional Team for Cyber and Physical Services
CISA offers a range of cyber and physical services to support the security and resilience of critical infrastructure owners and operators - including water and wastewater systems - and state, local, tribal and territorial partners.
EPA has extensive tools, resources, and training for drinking water and wastewater systems on emergency preparedness and response and physical and cyber resilience.
This toolkit focuses primarily on cybersecurity resources, but CISA has a wide array of offerings to help the Water and Wastewater Sector and other critical infrastructure organizations improve their security and resilience.
Ensuring Priority Telecommunications Services (PTS) for water and wastewater utilities is vital during a crisis. Priority Services provides three priority telecommunications services to ensure uninterrupted communication.
Learn more about making resilience during incidents a reality by taking action before incidents occur.
It's time to build cybersecurity into the design and manufacture of technology products. Find out here what it means to be secure by design.
As the nation’s cyber defense agency and the national coordinator for critical infrastructure security and resilience, CISA plays a key role in addressing and managing risks at the nexus of AI, cybersecurity and critical infrastructure.
CISA's ChemLock program is a voluntary program that provides no-cost services and tools to facilities that possess dangerous chemicals, helping them better understand the risks they face and improve their chemical security posture.
Advisories, Alerts, and Other Information
Sign up to receive EPA Water Sector alerts.
View and search CISA’s Cybersecurity Alerts and Advisories.
CISA’s Automated Indicator Sharing (AIS) platform provides a public feed for real-time sharing of cyber threat indicators and defensive measures.
The Water and Wastewater System page provides sector information and resources such as the sector specific plan and roadmap.
EPA Webinar on Recent Unitronics Programmable Logic Controllers Hacked at US Water and Wastewater Systems
Speakers from the EPA, CISA and the Federal Bureau of Investigation (FBI) discuss the hacks and recommended mitigations.