Cybersecurity toolkit for water utilities to adopt CISA, FBI and EPA guidance

Eric Suesz Eric Suesz February 8, 2024

7 min read

A quick cybersecurity pop quiz. Which of these three events is based on an actual occurrence?

The correct answer, unfortunately, is “all of the above”. These were all actual events in California, Florida, and Kansas that were thankfully stopped in their tracks by attentive employees. To date, there has been no successful attempt by hackers to poison an American community’s water supply.

However, these types of attacks will inevitably become more sophisticated over time, which has prompted the US government to raise a cybersecurity alarm for the US’s 148,000+ public drinking water systems and 16,000+ publicly owned wastewater treatment systems.

What types of attacks might be directed at water utilities?

The specific details of how hackers might wreak havoc in the water sector vary, but the major threats to water utilities can be grouped into a few basic categories:

Utilities can shore up their defenses against cyberattacks in all of these categories with effective internal employee policies and procedures, but the last two on the list can be harder to accomplish if your workforce relies on older or outdated software and devices without access to the latest firmware updates.

What is the current state of the EPA’s guidance and CISA’s recommendations?

Ideally, the EPA wants utilities to assess their own cybersecurity readiness as part of their regular Public Water System (PWS) sanitary surveys. This isn’t a requirement, but it – or something like it – could be in the future.

The EPA issued a memorandum in March 2023 with plans to fold cybersecurity assessments into sanitary surveys, but this was temporarily halted by the 8th Circuit US Court of Appeals in July and then withdrawn in October.

While you might be waiting for the guidance to develop or the guidelines to turn into official regulations, water utilities should not wait to implement cybersecurity improvements. If your utility isn’t performing any regular cybersecurity monitoring or assessments, there is no better time to correct it than ASAP.

In fact, it may be alarming to learn that less than 25% of water and wastewater operators surveyed by the EPA are currently performing these kinds of annual cybersecurity risk assessments. 

Although the EPA’s attempt at encouraging momentum for cybersecurity among utilities failed in 2023, and although the US Congress hasn’t yet proposed specific national legislation, this does not mean the issue will go away.

Indeed, this has ramped up efforts by CISA and other government bodies. Recently, FBI Director Christopher Wray testified before Congress about the dangers of Chinese hackers infiltrating US infrastructure systems. Only a few days later, Iranian officials were targeted by US sanctions for attacks last year. All of this points to an increasing urgency for action around cybersecurity issues in the water sector, which means water utilities can either wait for guidance or take proactive steps to assess their risk and close holes in their systems.

Resources for assessing your level of cybersecurity

If you have IT personnel at your water utility who are tasked with watching for cybersecurity threats, we’ve collected a number of checklists that we encourage you to share with them so they can more easily determine your utility’s cybersecurity readiness:

Can the cloud help water utilities with security?

We wanted to talk to an expert with experience for the energy and utility sectors about the EPA’s mandate, so we sat down for a conversation with AWS Principal Security Industry Specialist Maggy Powell. 

Consult with an expert

If you don’t have the benefit of IT personnel on staff, you may be able to tap into these expert resources:

The security benefits of SaaS

We’re building new and innovative services that don’t require users to update their desktop or device’s software. Indeed, in many respects the Software as a Service (SaaS) model – in which you access all of your data, analytics, hydraulic models, etc., via a secure browser – may help to alleviate some of the cyber risks that utilities currently face.

For example, if you are currently an Autodesk customer with a subscription to one of our Info360 SaaS products (Info360 Asset, Info360 Insight, Info360 Plant) or if you utilize our new cloud simulation services within InfoWorks ICM, InfoWorks WS Pro, or InfoWater Pro, determining your compliance may be a little easier.

In addition to Autodesk certifications and compliance, these services are all powered by AWS, which we chose partly because of the enhanced security these cloud services can provide for water utilities who utilize our software. So you may find that some of the boxes in these checklists can be quickly checked off because you aren’t using installed desktop software AND aren’t sharing sensitive files over internal or “on-premises” systems.

Cybersecurity: perhaps the most important reason to update your software

A 2021 CISA survey found that over 80% of major vulnerabilities that surveyed facilities experienced were software flaws discovered before 2017, suggesting that a significant number of employees were not updating their software. If your utility relies on older desktop software (especially outdated legacy operating systems like Windows 7), you are more at risk for cyber incidents and you should carefully and methodically assess your security level.

Stay safe and secure

Going through these checklists can be an eye-opening experience for the smallest utilities who may not have the benefit of IT personnel to guide purchasing or technical assistance needed to implement cybersecurity best practices. But it is always better to enter the cybersecurity waters with your eyes open.

Learn about Autodesk’s security practices and the steps we take to enhance security of our products on the Autodesk Trust Center.

CISA fact sheet

Editor’s note: This article’s original publication date was August 21, 2023 and is being updated whenever there is new information to share.

Fill up on more of the One Water blog

By clicking subscribe, I agree to receive the One Water blog newsletter and acknowledge the Autodesk Privacy Statement.