We’re just over three years out from the AWIA being passed, and the deadlines have come and gone for compliance. Let’s review this law and see where we are, what it covered and why it’s more relevant now than ever. And, for all those water utilities who’ve submitted their risk assessments: now what?
What is the AWIA of 2018?
America’s Water Infrastructure Act (AWIA) was signed into law in October of 2018. AWIA section 2013 stipulates that any water system serving over 3,300 people must develop or update risk assessments and emergency response plans (ERPs) that account for both physical and cybersecurity threats. Those risk assessments should cover:
- Risks from malevolent acts (like cyber threats) and natural hazards
- Infrastructure resilience, both physical (pipes, source water, intake processes) and electronic (computers, automated systems and network security)
- Monitoring practices
- Financial infrastructure
- Chemical use, storage and handling
- Operation and maintenance
Notably, the emergency response plan “shall include…strategies and resources to improve the resilience of the system, including the physical and cybersecurity of the system,” requiring “community water systems to assess their cybersecurity vulnerabilities in a comprehensive fashion.”
Why did we need a cybersecurity law for water?
If anyone needs a reminder, the US water sector is in hot water and has been for some time. As one of sixteen critical national infrastructure (CNI) sectors within the United States, it’s on the front lines of attack when it comes to cyberwarfare. Evidence of first shots has already been found, with more expected to come. Aside from the AWIA, we’ll list the drumbeats here:
- Joint advisory by the FBI, CISA, EPA and NSA on Ongoing Cyber Threats to U.S. Water and Wastewater Systems
- CISA’s Fact Sheet on the Rising Ransomware Threat to Operational Technology Assets
- APT Cyber Tools Targeting ICS/SCADA devices, a joint advisory alert (Department of Energy, CISA, FBI, NSA) stating that Advanced Persistent Threat (APT) actors have exhibited the ability to gain full access to industrial control systems, such as the ones used by the water industry.
Add to this the Biden Administration’s 100-day push to “Expand Private-Public Cybersecurity Partnership to the Water Sector” and it’s no secret that the US is in an urgent race to shore up our cybersecurity defenses for critical national infrastructure agencies like the water sector. Bad actors, sophisticated malware and nation-state attackers aren’t slowing down – so neither should we.
Ways to stay compliant with the AWIA
A myriad of resources has been published to help US water facilities get their bearings and stay compliant, such as the AWWA Assessment Tool and Guide and the EPA’s Vulnerability Self-Assessment. Beyond those, some common-sense best practices for AWIA compliance include:
- Network segmentation as a stop-gap until your cybersecurity posture is sufficiently hardened. Resist the urge to dive headlong into an IT/OT integration, as legacy OT infrastructure (on which the water industry is largely built) carries with it some lingering vulnerabilities and considerable risks.
- System patches. It’s understandable that you wouldn’t want to do a full system update because it can take down the network and disrupt service, but applying system patches as they become available is mandatory. If you get infiltrated by a piece of malware, your network and service will be disrupted anyway.
- Train on new technology. As you rush out to make new technology investments to bolster your cybersecurity risk management profile, make sure you take the time to train and hire experts. Or, consult with a firm who can.
- Invest in visibility. You can only protect what you can see, so invest in cyber solutions that are going to provide you visibility across tools, platforms, vendors and environments (cloud, hybrid) so your risk assessment covers the full scope of your enterprise.
You’ve made the risk assessment: Now what?
Now comes the fun part. You put it into practice. But it’s one thing to have everything sorted on paper and entirely another to be able to turn those risk assessments into hard, actionable steps with the right tooling, the right talent, and the expert advisory your municipal water org may or may not have.
That’s why ITEGRITI is here to help. We understand that most water facilities are understaffed, overworked and lacking the funding to hire the cybersecurity experts needed to run CNI-level defense right. And, even if you were looking to outsource to an MSP, MSSP, EDR, EPP, MDR or XDR provider – how do you know which one you need, or how much is too much for your operation?
Our Virtual CISO (vCISO) can help. It’s like CISO-as-a-Service, and you get all the benefits of an accredited C-level cyber expert without the cost of bringing one on full-time. Our vCompliance team does the same, bolstering your current staff and providing expertise from external compliance audits to third-party vendor assessments. And, if you want to build your own team, take advantage of our Workforce Support, a cybersecurity-minded HR team that can help you do anything from finding and screening capable candidates to providing training, background checks and cyber-awareness materials.
Now that 100% of large-sized community water systems have certified their Risk and Resilience Assessment (as of April 14), it’s time for the next steps. A plan is only as good as its practice, so look to ITEGRITI to leverage existing staff and gain the C-level cybersecurity consulting you need to implement your cybersecurity posture with confidence.
Find out how ITEGRITI can turn your Risk and Resilience Plan into action.