Written by: Sarah Loprieno, Graduate Student Intern, Syracuse University Environmental Finance Center


What are cyber attacks and how do they threaten our water systems?

According to the American Water Works Association (AWWA), cybercrime costs more than $1.1 million and impacts more than 1,800 people every 60 seconds. To make things worse, both the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS) have recently confirmed that cybercriminals are actively targeting water and wastewater utilities to exploit their control systems and computer networks, threatening communities’ access to clean and safe water. So now is a great time to start learning more about cyber security for your utility.

The U.S. Environmental Protection Agency (EPA) explains the harms that cyberattacks pose to utilities. These harms include disrupting treatment and conveyance processes by opening and closing valves, overriding alarms or disabling pumps or other equipment, defacing the utility’s website or compromising the email system, and disabling business enterprise or process control operations through malware or ransomware.

Cybercriminals often gain access to computer systems through phishing attempts, which lure unsuspecting employees into sharing login data, clicking malicious links, or opening emails that appear to come from a reputable source. In March 2018, The City of Atlanta was hit hard by a ransomware attack that took the City’s computer system offline, disrupting utilities, courts, and other operations. It has taken Atlanta months, and estimated costs of $5 million in recovery efforts, to address the attack. In 2013, hackers targeted the Bowman Avenue Dam, a small dam structure located just 30 miles outside New York City. The hackers breached an unprotected computer that controlled sluice gates and used for flood control, resulting in remediation costs that exceeded $30,000. The majority of cyber attacks are made possible by simple errors, like clicking a malicious link or sharing password data, which is why cybersecurity education is increasingly critical for water system operations.

Who is Water ISAC and how do they address system security?

Despite the imminent threat of cyberattacks, cybersecurity practices can be extremely effective. The Water Information Sharing and Analysis Center (ISAC) is the only all-threats security information source for the water and wastewater sector. In coordination with the EPA, WaterISAC provides analysis and resources to support response, mitigation, and resilience initiatives on water security and threats from intentional contamination, terrorism and cybercrime.

Resources Utilities Can Use to Get Started on Cybersecurity

Are you ready to become more cyber-aware, but aren’t sure where to start? We’ve collected some of the best reports, checklists, and tools that are available for free on the WaterISAC website.


WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities offer a comprehensive set of strategies that water and wastewater utilities can implement to mitigate risks. Do you know how to configure a firewall? Do you have an inventory of your assets and an understanding of risks? Whether you are an experienced information technology professional or just learning about cybersecurity, WaterISAC’s 15 practices can form the foundation to assessing your system and becoming more resilient against cyberattacks.


For water utility managers that are strapped for time, WaterISAC recommends using the Environmental Protection Agency’s Incident Action Checklist to prepare for or respond to cyber threats. The checklist offers an efficient approach for utilities and municipal leaders to identify security leaders, identify vulnerable assets, and train their staff to respond to cyberattacks.


For utilities that are ready to adopt national standards and guidance at their utility, the National Institute of Standards and Technology’s (NIST) cybersecurity framework page offers online learning modules, guidance documents, and written standards for adopting cybersecurity practices. The framework is flexible and can be applied to a company’s unique situation and needs. With the assistance of online training tools, NIST addresses how to manage cyber risks in a cost-effective way. Understanding and adopting national standards for cybersecurity is often very intimidating for smaller utility operations. To offer more industry-specific guidance, the AWWA developed process control guidance for the water sector—available on their Cybersecurity and Guidance resource page—that offers specific examples and practical advice for implementing NIST’s national standards.


Are you concerned about cyber threats in your utility? We are too! Please share your experience and your concerns with our team, so we can link you to a resource or technical assistance provider that can help you move forward.