Cyber threats have been a critical risk for all organizations, including public entities. For small water systems, the threat has grown significantly over the past decade. While large utilities often have dedicated IT and cybersecurity teams, small water systems are especially vulnerable. Constraints related to funding, obsolete infrastructure, and staffing can render these critical services vulnerable to cyber threats, thereby posing risks to public health and safety.
Recognizing this risk, agencies like the U.S. Environmental Protection Agency (EPA), Cybersecurity and Infrastructure Security Agency (CISA), American Water Works Association (AWWA), and U.S. Department of Agriculture (USDA) have developed guidance and tools to help small systems strengthen their cybersecurity posture. This blog summarizes why cybersecurity is critical for these systems and provides practical steps to start building resilience.
Why Cybersecurity Matters for Small Water Systems
Water systems often rely on Operational Technologies (OT) – Supervisory Control and Data Acquisition (SCADA) systems to manage pumps, valves, and treatment processes. In addition, many may use Information Technology (IT) systems for billing, customer records, and communications. As these technologies become more interconnected, vulnerabilities in one system can quickly affect the other.
For small utilities, even a minor disruption can have serious consequences, including:
- Public health risks from compromised water treatment
- Service outages that can severely affect households, schools, and businesses
- Financial losses from recovery and regulatory penalties
- Loss of public confidence in the safety of drinking water
- Additional costs burden for requirements
Key Challenges for Small and Non-Urban Utilities
Small water systems face unique hurdles compared to larger counterparts:
- Limited resources: Few have dedicated IT staff or cybersecurity budgets.
- Aging infrastructure: Legacy systems often lack modern security features.
- Shared responsibilities: Operators juggle multiple roles, making cybersecurity one of many competing priorities.
- Low awareness: Cyber threats may be underestimated until an incident occurs.
These challenges make it critical to adopt cost-effective, scalable strategies tailored to small systems.
Practical Steps for Small Water Utilities
Even with limited resources, small systems can take meaningful actions to reduce cyber risks. Here are five key steps drawn from federal guidance:
1. Conduct a Basic Cybersecurity Assessment
- Use tools like EPA’s assessment checklist or AWWA’s online tool.
- Identify critical assets (e.g., SCADA controls, billing systems).
- Determine potential threats and vulnerabilities.
2. Develop an Incident Response Plan
- Outline steps for detecting, responding to, and recovering from cyber incidents.
- Include contact information for local law enforcement, EPA, and CISA.
- Train staff on reporting suspicious activity.
3. Implement Low-Cost Security Controls
- Enforce strong passwords and change them regularly.
- Segment networks so that administrative IT systems are separate from OT systems.
- Keep software and firmware up to date with patches.
4. Provide Staff Training
- Conduct basic cybersecurity awareness training.
- Emphasize phishing prevention and proper handling of suspicious emails or USB drives.
5. Leverage Federal and State Support
- Seek free technical assistance from CISA and state rural water associations.
- Explore USDA grants or loans for infrastructure improvements.
6. Building a Culture of Cyber Awareness
Cybersecurity isn’t just a technology issue—it’s about people and processes. Creating a culture of cyber awareness means:
- Making cybersecurity part of routine operations
- Encouraging staff to report anomalies without fear of blame
- Regularly reviewing and updating security policies
Communities rely on small water systems not only for safe drinking water but also for fire protection, agriculture, and economic stability. By proactively addressing cybersecurity, these systems protect both public health and local economies.
Looking Ahead
Cybersecurity threats facing the water sector are expected to continue evolving. For smaller utilities, resilience does not necessitate enterprise-scale spending; rather, it depends on informed awareness, comprehensive planning, and gradual enhancements, utilizing guidance from reputable organizations such as the EPA, AWWA, USDA, and CISA.
Taking the first step—whether completing a self-assessment, adopting basic password policies, or scheduling operator training—can significantly reduce risks and ensure the continued delivery of safe, reliable water.
Resources to Explore:
- EPA Cybersecurity for the Water Sector
- AWWA Cybersecurity Guidance and Tool
- CISA Water and Wastewater Sector Services
- USDA Cybersecurity for Rural Water and Wastewater Systems
[1] Image Source: Daniel, I., Ajami, N.K., Castelletti, A. et al. A survey of water utilities’ digital transformation: drivers, impacts, and enabling technologies. npj Clean Water6, 51 (2023). https://doi.org/10.1038/s41545-023-00265-7