About LGEAN Resources News Calendar of Events Webinars Podcast Contact LGEAN
Facebook Twitter Linked In

Cyber Security

Issue Summary
Water and Wastewater Sector Roles and Responsibilities
Federal Agency Roles


Issue Summary

Public-Private Cybersecurity Partnership Extended to Water Sector

Jan 27, 2022—The White House announced extension of the Industrial Control Systems (ICS) Cybersecurity Initiative to the water sector as part of the Water Sector Action Plan to improve cybersecurity. The Initiative is a private-public partnership between the federal government and the critical infrastructure community to promote cybersecurity monitoring and information sharing. EPA and CISA will invite water utilities to participate in a pilot program

Current Cybersecurity Risks

Oct 14, 2021—CISA, FBI, EPA and NSA released a joint advisory on Ongoing Cyber Threats to U.S. Water and Wastewater Systems, along with two new infographics on IT and OT risks to the water and wastewater sector and an extensive set of resources to strengthen both operational resilience and cybersecurity practices

Cybercriminals Are Increasingly Targeting the Water and Wastewater Sector...

Jan 2021 – San Francisco, California water treatment plant hacked by an attacker using a former employee's stolen credentials to delete programs used for water treatment

Feb 2021 – Oldsmar, Florida water treatment plant targeted by an attacker exploiting TeamViewer software, who accessed the plant's OT systems and significantly increased the levels of sodium hydroxide, a corrosive and potentially toxic chemical

Mar 2021 – Nevada POTW's SCADA and backup systems impacted by ransomware attack

Apr and July 2021 – Two Maine POTWs suffered ransomware attacks exploiting outdated computer operating program

The water and wastewater sector is part of the nation's critical infrastructure, defined in the USA PATRIOT Act as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." The supply of safe drinking water and treatment of wastewater are both considered National Critical Functions (NCFs).

Public water systems (PWS) and publicly owned treatment works (POTW) increasingly depend on cyber-physical systems (CPS), incorporating both information technology (IT) and operational technology (OT) into their operations. The COVID-19 pandemic further accelerated movement to remote operations.

These developments make the sector an attractive target for cybercriminals, particularly when a PWS or POTW depends on outdated operating systems, has insufficient controls or lacks a robust training program. Threat actors targeting water systems include nation-state political actors, cybercriminal financial actors and current and former employees. Their motivations range from stealing sensitive data and disabling network components to disrupting operations.

The consequences of cyberattacks can be dire, ranging from operational disruption and system component damage to the theft of customers' personal data. Most significant is compromising the ability of a PWS or POTW to provide clean, safe drinking water, protect the environment and maintain the confidence of the public.

Fortunately, there are many resources on best practices, preparation and response and funding that even the smallest utilities can leverage to effectively counter cybercriminals.

Back to Top

Water and Wastewater Sector Roles and Responsibilities

The America's Water Infrastructure Act of 2018 requires community water systems (CWS) serving more than 3,300 people to develop or update risk assessments and emergency response plans (ERPs), which must address "electronic, computer, or other automated systems (including the security of such systems)."

PWSs and POTWs are urged to reduce the risk of a successful cyberattack by implementing best practices, training staff, implementing a monitoring plan and updating technology. EPA and other federal and state agencies offer multiple cybersecurity capacity-building resources [link to Resources below] specifically for PWSs and POTWs. Drinking Water State Revolving Fund and Clean Water State Revolving Fund loans and set-asides may be used to build managerial, technical, and financial capabilities, conduct vulnerability assessments and trainings, develop effective cybersecurity measures and plans, upgrade IT and OT technology and more.

PWSs and POTWs can stay informed about potential threats impacting the water and wastewater sector, by:

PWSs and POTWs should immediately report any cyber incident to the following entities:

Back to Top

Federal Agency Roles

Three federal agencies play key roles in supporting the cybersecurity of the water and wastewater sector:

Additionally, the Office of the National Cyber Director is the White House's principal advisor on cybersecurity policy and strategy and the National Institute of Standards and Technology (NIST) develops standards, best practices and tools and public guidelines on cybersecurity measures.

CISA and EPA both offer numerous resources on preparing for and responding to cyberattacks [link to Resources below]

CISA, FBI and EPA collaborate in responding to significant cybersecurity incidents, from notification and assessment to making recommendations to avoid future attacks.

  • CISA leads the response, collecting reports of cybersecurity and incidents and providing technical assistance to protect assets and reduce the impacts of attacks. The agency helps with restoring affected systems, coordinating federal assistance and improving security after the fact

  • FBI handles the law enforcement and investigative activity

  • EPA directs water and wastewater sector requests for assistance to CISA, confirms requests are fulfilled and communicates alerts. The agency coordinates cyber incident response among the appropriate federal agencies, facilitates the sharing of information and intelligence and maintains open lines of communication to affected utilities and other stakeholders

EPA and CISA collaborated with the National Security Council and the Water Sector Coordinating Council and Water Government Coordinating Council (WSCC/GCC) to develop the Water and Wastewater Sector Action Plan to promote early cyber-threat detection and information sharing across the federal government and critical infrastructure community. 

Back to Top




  • CISA Assessment Program. Provides resources, guidance and tools (including the Cybersecurity Evaluation Tool (CSET)) to assist critical infrastructure facilities with mitigating and managing cybersecurity risk.

  • National Cybersecurity Assessments and Technical Services. Local governments and owners/operators of critical infrastructure can obtain services including Cyber Hygiene Vulnerability Scanning, Phishing Campaign Assessment (PCA), Risk and Vulnerability Assessment (RVA) and Validated Architecture Design Review (VADR). Request information directly at vulnerability_info@cisa.dhs.gov.

  • Cyber Essentials Toolkit. A set of modules, each focusing on recommended actions to build cyber readiness, aimed at non-technical leadership.

  • CISA Services Catalogue. Interactive collection of information on services available to local and tribal governments. Includes guidance and tools to assist critical infrastructure facilities, including water and wastewater systems, with cybersecurity. 

  • CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC). Resource for cyber threat prevention, protection, response and recovery for state, tribal, local and territorial government entities. Includes 24/7 Security Operation Center, Incident Response Services, Advisories and Notifications, Cyber Alert Map, Joint Ransomware Guide, Cybersecurity Table-top Exercises and a variety of educational materials.

  • Stopransomware.gov. Resource center containing news, alerts, reporting mechanism and best practices for preventing or responding to ransomware.

Other Agencies and Organizations


Back to Top