America’s Water Infrastructure Act (AWIA) of 2018 “improves drinking water and water quality, deepens infrastructure investments, enhances public health and quality of life, increases jobs, and bolsters the economy” declared the Environmental Protection Agency (EPA). It also provides critical cybersecurity framework for the nation’s over 50,000 separate water facilities. Let’s look together at how AWIA aims to improve the security posture of the nation’s facilities, and what can happen without it.
Why America needs AWIA
They knew this day would come. It was described as “the kind of breach that has been warned about for years but is rarely seen” by a national news outlet, and following it, a joint advisory was issued by the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and others warning that U.S. water and wastewater systems are being targeted by “known and unknown” malicious actors. A municipal water plant in Florida had fallen victim to a cyberattack, but three years earlier a mandate was put in place that could have done much to mitigate – and even prevent – the vulnerable cybersecurity protocols leading to the incident.
America’s Water Infrastructure Act (AWIA) of 2018 was passed to improve the current state of American drinking and wastewater management and rolled out with over 30 mandated programs. There had been no new national water provisions since the 1996 amendments to the Safe Water Drinking Act, and a lot had changed in that time. Threats facing the water supply and critical national infrastructure (CNI) in 2018 were vastly different from those over twelve years earlier. And, additional updates to general water availability, usage and safety had to be made. But besides extending subsidies to disadvantaged communities and expanding source water protection eligibilities, it made very important provisions for cybersecurity.
Namely, AWIA “requires community water systems serving more than 3,300 people to develop or update risk assessments and emergency response plans (ERPs).” It’s no wonder, when potential nation-state attacks would target bigger and more critical national water supplies just a few years later. Some organizations read the writing on the wall. Others failed to properly defend and were victims of SCADA attacks. So, what’s in AWIA that’s designed to keep the US water sector safe?
What’s in the Act
AWIA includes the following requirements for the nation’s water utilities:
- “Conduct a Risk and Resilience Assessment (RRA)
- Prepare or revise an Emergency Response Plan (ERP)
- Submit a certification letter upon completion to the U.S. Environmental Protection Agency (U.S. EPA) for each (RRA and ERP)
- Review, update, revise as necessary and submit recertification for both at least every 5 years thereafter
- Maintain records (keep copies of RRA and ERP and any updates for 5 years after certification submittal)”
When it comes to the Risk and Resilience Assessment (RRA), capital and operational needs are determined and the following are assessed:
- Risk posed to the system by malicious acts
- Resilience of the water facility’s physical components (pipes, source water, storage) and technological assets (computers, automated systems, cybersecurity posture)
- Monitoring practices
- Financial infrastructure
- Chemical use and handling
- System operation and maintenance
AWIA and beyond
In addition to the recent additions, lawmakers are thinking ahead with future updates to the act, such as this one yet to be implemented. The Infrastructure Investment and Jobs Act was signed into law in November of last year and “launched a new era of significant investment in rehabilitating and updating the nation’s water infrastructure”.
It will, along with AWIA, further aid the nation’s water utilities in maintaining a secure and modern architecture, allocating more money for infrastructure and lead line replacement. In addition to protecting physical resources, it will double down on technology, identifying water systems that would lead to significant public safety hazards if they were to fail. Then, the Environmental Protection Agency (EPA) and CISA will submit a list to Congress of facilities needing technical support and develop a technical cybersecurity support plan for public water systems.
Thanks to AWIA and the amendment it inspired, the country’s separately run 50,000 plus water facilities are finally on the way to a Congressionally approved cybersecurity support plan for public water systems. Undersupported technologically, and at the mercy of increasingly emboldened cyberattacks, these changes come not a moment too soon.
How the water sector can comply with AWIA
In addition to reading through the act and implementing the security recommendations wholesale, WaterISAC has provided 15 Cybersecurity Fundamentals for Water and Wastewater Facilities that are designed to aid organizations in passing AWIA requirements. More can be found on those here.
However, is every utility at liberty to review and implement changes in their spare time, much less take time from vital management efforts and day-to-today security demands? “Most [IT staff] are … just drowning,” says Leslie Carhart, principal threat analyst at Dragos. “They don’t know how to accomplish all the things they’re required to do to both keep things running from an IT perspective and also fill compliance checkboxes.” And yet the singular importance of water as a critical national interest does not decrease.
Needed in manufacturing, in agriculture, in public waste management and in the creation of energy, water underlays a significant portion of our first world economy. Adopting essential security frameworks like AWIA combats the water sector’s cybersecurity dilemma and acts as a stepping-stone to achieving the kind of impenetrable security posture expected of any sector critical to national interests, health and safety.
To maintain strong cyber defenses when nation state attacks threaten the water supply, water utilities need strong CISO leadership and key functional support from experts who know the landscape. As funding diminishes and cyber talent becomes more difficult to buy, facilities can look to managed solutions to fill in the gaps, stay in budget, provide accumulated security expertise, and force-multiply the effectiveness of existing teams.
Find out how ITEGRITI’s managed services can help you comply with your industry’s essential security frameworks.