Water System Cybersecurity
Resources for addressing vulnerabilities and risks for system operations.
Cyberattacks are one of the top threats facing business and critical infrastructure in the United States. All drinking water systems should examine cybersecurity vulnerabilities and develop a cybersecurity risk management program to mitigate the impact of a cyberattack on system operations. Breaches in cybersecurity practices can compromise the ability of drinking water and wastewater utilities to provide clean and safe drinking water to customers, erode customer confidence and result in financial and legal liabilities.
Pilot Program - Overwatch Foundation
Overwatch Foundation is a nonprofit organization based in Concord, New Hampshire, working with NHDES and the New Hampshire Department of Information Technology (DoIT) on a pilot project called “Cyber in a Box.” This project is funded by the American Rescue Plan Act of 2021 (ARPA) and was put together to assist public water systems with their cybersecurity needs and concerns. Public water systems are selected for this project based on need and amount served. If you are interested in being considered for this project, please contact Brenda.J.Leonard@des.nh.gov.
Reporting an Incident
Improve Cybersecurity with Emergency Planning
It's important to have a cybersecurity action plan in place to help plan for, respond to, and recover from a cybersecurity attack. This can be included in your community water system emergency plan.
Tips to Improve Cybersecurity:
- Incorporate phrases into passwords along with numbers and symbols (recommended minimum 16 characters).
- Implement vulnerability scanning.
- Conduct a cybersecurity assessment.
For more information on water system emergency planning, visit the Public Water System Emergency Planning webpage.
Assessing the risks to cybersecurity practices is a federal requirement for community drinking water systems under EPA's America’s Water Infrastructure Act (AWIA). Specifically, the water system shall evaluate components of the water system that use electronic, computer, or other automated systems, including the security of such systems.
Cybersecurity Assessments
NHDES recommends community water systems conduct a cybersecurity assessment to identify gaps in cybersecurity practices. If you have not already completed a cybersecurity assessment, the EPA and CISA are offering the following FREE assessments for drinking water and wastewater systems:
DHS CISA is available to help drinking water and wastewater systems improve resiliency against cyber threats. CISA cybersecurity assessments are a free resource. If your system is interested in an assessment, please review the DHS CISA assessments and contact Richard Rossi at richard.rossi@cisa.dhs.gov. For any additional questions please contact:
Richard F. Rossi
Cybersecurity Advisor – New Hampshire
Cybersecurity and Infrastructure Security Agency
U.S. Department of Homeland Security
Mobile: 202-770-8991 | Email: richard.rossi@cisa.dhs.gov
EPA is offering free cybersecurity assessments and technical assistance to drinking water systems. For more information and registration, please visit the EPA Water Sector Cybersecurity Evaluation Program.
Additional Resources
Below are resources to help maintain a safe and secure water utility while reducing risks and mitigating potential impacts.
- EPA Cybersecurity Incident Action Checklist
- EPA Baseline Information on Malevolent Acts
- EPA Cybersecurity Best Practices for the Water Sector
- AWWA Cyber Guidance
- WaterISAC's 15 Cybersecurity Fundamentals for Water and Wastewater Utilities
- CISA Bad Practices Guidance
- CISA Known Exploited Vulnerabilities Catalog
- CISA Shields Up Technical Guidance
- CISA Cyber Safety Video Series (for training)
- CISA Cyber Essentials
- CISA Stuff Off Search
- CISA Free Cybersecurity Services and Tools