Protecting our country’s clean drinking water starts with strong cybersecurity strategies

A proactive cybersecurity program is necessary to safeguard critical infrastructure.

CAI had the pleasure of attending and speaking at the Association of California Water Agencies (ACWA) Conference & Exhibition this May. A total of 1,397 attendees participated in sessions covering water management, innovation, public communication, affordable drinking water, energy, finance, federal forum, and ACWA introduced its first-ever session focused on cybersecurity. During our cybersecurity presentation, we highlighted current challenges for the water sector, recent legislation, as well as recommendations on how to address cyber threats strategically and within budgets.

Cybersecurity concerns for our nation’s critical infrastructure remain a top federal concern. Last January, President Biden revealed plans to secure U.S. water systems from cyberattacks.1 This would be part of the broader effort to defend critical infrastructure announced in the Executive Order on Improving the Nation’s Cybersecurity. This included the Environmental Protection Agency (EPA) announcing the Industrial Controls System (ICS) Cybersecurity Initiative – Water and Wastewater Sector Action Plan to better protect the water sector from cyberattacks.2 This action was much needed, especially after the water plant cyber attack in Oldsmar, Florida in February 20213, as well as the hacker attacks on two water purification plants in Pennsylvania in the summer of 20214.

According to the study by the Ponemon Group and IBM in 2021, it takes 213 days to identify a breach, with another 75 days to contain.5 That gives hackers plenty of time to corrupt an environment, allowing them to map the network, gain information, and plan a sophisticated attack. For example, in the context of a water sector cyberattack, hackers can attempt to manipulate water chemical levels which could cause extensive harm.

“Cyberattacks represent an increasing threat to water systems and thereby the safety and security of our communities,” said EPA Administrator Michael S. Regan. “As cyber threats become more sophisticated, we need a more coordinated and modernized approach to protecting the water systems that support access to clean and safe water in America. EPA is committed to working with our federal partners and using our authorities to support the water sector in detecting, responding to, and recovering from cyber-incidents.”6

The Water and Wastewater Sector Action Plan goals include the adoption of a strategy and early detection of cyber threats in the water sector. It was developed by the EPA, the National Security Council (NSC), the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), and the Water Sector Coordinating Council and Water Government Coordinating Council (WSCC/GCC).

The EPA has also announced the Drinking Water State Revolving Fund (DWSRF). This fund is designed to provide financial assistance to publicly and privately owned community water systems, as well as non-profit, non-community water systems, and for drinking water infrastructure projects.7 Each of the 50 states and Puerto Rico operate their own DWSRF program.

As the water sector begins to make plans to address cyberattacks, here are six things they should consider in developing, improving, and maintaining their cybersecurity program:

  1. Assign a cybersecurity coordinator
    Select someone who has appropriate knowledge of the technical environment and management authority to implement sound practices, manage incidents, and serve as a principal point of contact with the federal government on cyber matters. This individual should also work closely with your cybersecurity partner and vendors to ensure that the needs of the organization are met.
  2. Build and maintain a security awareness program
    Overseen by the cybersecurity coordinator, an effective security awareness program can prepare an organization for preventing or mitigating a cyberattacks impact. The program should include an annual training event with meaningful messaging throughout the year, usually in the form of bulletins, newsletters, or other forms of internal communications. This will improve awareness of suspicious activities by internal employees and help address threats before they happen.
  3. Develop an incident response plan
    You may not be able to prevent a breach, but you can prepare. A cybersecurity contingency and incident response plan reduce the risk of operational disruption when a breach happens. This plan can be done in the form of tabletop exercises and walk-throughs with key stakeholders and should be reviewed and updated annually. This ensures that everyone knows their role during a cyberattack and can minimize the damage and impact on the organization.
  4. Conduct periodic risk assessments
    A regular check-in will help you understand your current cybersecurity maturity. While internal reviews are very useful, having an annual assessment by an external organization and cybersecurity partner can provide an independent and unbiased view. These can go through a planned rotation to provide a broader reach, so different types of cyber risk assessments are performed each year within a realistic budget.
  5. Select a Managed Detection and Response (MDR) provider
    Find a partner to help you track and prevent malicious actors from causing harm. Unless you can monitor everything in your environment and detect false positives, it is extremely difficult to do this with internal solutions.

    Effective MDR services include:

    • Containment & investigation: Effective MDR providers will quickly take control of an infected system and isolate it for advanced forensic analysis.
    • Incident response: In addition to containment, effective MDR providers should disable all known operational capabilities of the threat actor and support your incident response plan.
    • Threat hunting: This is more than identifying known vulnerabilities but discovering zero-day and new advanced threats. Allowing you to continuously evolve and remain proactive in protecting your environment.
  6. Chose a trustworthy cybersecurity partner
    The costs of trying to internally scale cybersecurity procedures across an organization while hiring full-time staff can be steep. Finding the right partner to serve as your trusted cybersecurity advisor can provide a budget-conscious way to have the expertise on a part-time basis when needed. This partner will be able to work with the Cybersecurity Coordinator for strategy, planning, and implementation of the steps listed above.

With the challenges and threats faced by America’s local infrastructure departments, having a robust cybersecurity program for the water sector has never been more crucial. A proactive approach means threats can be detected faster and incidence response can be deployed to stop cyber threats before they have a significant operational impact. Organizations that don’t have the capacity with internal teams should look to external providers for cost-effective cybersecurity services without sacrificing service quality and operational performance.

Our cybersecurity experts have ample experience working with infrastructure departments and local governments. Let’s talk about how we can start protecting your organization and constituents.


  1. Chalfant, Morgan. “Biden Administration Moves to Boost Cybersecurity of Water Systems.” The Hill. The Hill, January 27, 2022.
  2. “EPA Announces Action Plan to Accelerate Cyber-Resilience for the Water Sector.” EPA. Environmental Protection Agency, January 27, 2022.
  3. Rasmussen, Jeremy. “Lessons Learned from Oldsmar Water Plant Hack.” Security Today, April 5, 2021.
  4. Mares, Octavio. “Hackers Break into Two Government Water Purification Systems in Pennsylvania.” Information Security Newspaper | Hacking News. Information Security Newspaper, May 11, 2021.
  5. “Cost of a Data Breach Report 2022.” IBM. IBM.
  6. “EPA Announces Action Plan to Accelerate Cyber-Resilience for the Water Sector.” EPA. Environmental Protection Agency, January 27, 2022.
  7. “Supporting Cybersecurity Measures with the Drinking Water State ...” EPA.

Let's talk!

Interested in learning more? We'd love to connect and discuss the impact CAI could have on your organization.

All fields marked with * are required.

Please correct all errors below.
Please agree to our terms and conditions to continue.

For information about our collection and use of your personal information, our privacy and security practices and your data protection rights, please see our privacy policy and corresponding cookie policy.