Charting a course toward an all-hazards approach to sustainability
By Angela Godwin
In October 2018, a key piece of water legislation, America’s Water Infrastructure Act of 2018 (AWIA), was signed into law. The bipartisan bill addresses a litany of water and wastewater infrastructure improvement initiatives, including the authorization (and reauthorization) of a variety of grant programs and funding mechanisms, such as the Water Infrastructure Finance and Innovation Act and the Drinking Water State Revolving Fund. Of particular note are new requirements around risk and resilience.
AWIA requires water systems serving over 3,300 people to take steps to improve the overall sustainability of their systems. “There are two major components: the risk and resilience assessment and the emergency response plan,” said Kevin Morley, federal relations manager for the American Water Works Association (AWWA). “So, figure out where your threats and risks lie and take those findings and develop strategies and procedures to [address] them.”
Threats include both man-made, malevolent acts such as terrorism and cyber intrusion, as well as natural hazards like earthquakes, hurricanes and extreme storms. “We’ve been seeing more storms inland as well, more tornadoes and natural disasters,” noted Sarah Deslauriers, climate change lead for Carollo Engineers. “We need to start figuring out how to plan for and respond to [them].”
There is a compliance aspect of AWIA that utilities need to be aware of. “There’s a risk and resilience assessment (RRA) requirement and then six months later, there’ll be an emergency response plan (ERP) required,” Deslauriers said. In the RRA, you’re planning for the long term, she explained, while in the ERP you’re planning for what happens right after an event occurs.
In both cases, compliance is proven via certified letter to the U.S. Environmental Protection Agency (EPA). The deadlines are tiered based on the size of the water system and must be updated every five years.
Table 1. Compliance Timeline
Community Water System (pop. served)
|Certify RRA||Certify ERP|
|>100K||March 31, 2020||September 30, 2020|
|50,000 – 99,900||December 31, 2020||June 30, 2021|
3,300 – 49,999
June 30, 2021
|December 30, 2021|
According to AWIA Section 2013, the following must be assessed in the RRA:
• the risk to the system from malevolent acts and natural hazards;
• the resilience of the pipes and constructed conveyances, physical barriers, source water, water collection and intake, pretreatment, treatment, storage and distribution facilities, electronic, computer, or other automated systems (including the security of such systems) which are utilized by the system;
• the monitoring practices of the system;
• the financial infrastructure of the system;
• the use, storage, or handling of various chemicals by the system;
• the operation and maintenance of the system.
The ERP must include:
• strategies and resources to improve the resilience of the system, including the physical security and cybersecurity of the system;
• plans and procedures that can be implemented, and identification of equipment that can be utilized, in the event of a malevolent act or natural hazard that threatens the ability of the community water system to deliver safe drinking water;
• actions, procedures, and equipment which can obviate or significantly lessen the impact of a malevolent act or natural hazard on the public health and the safety and supply of drinking water provided to communities and individuals, including the development of alternative source water options, relocation of water intakes, and construction of flood protection barriers;
• strategies that can be used to aid in the detection of malevolent acts or natural hazards that threaten the security or resilience of the system.
The penalties for non-compliance are quite stiff. “It can be up to $25,000 per day if you have not submitted,” warned Deslauriers. “So, it’s a costly impact to any water system, especially those smaller ones.”
That said, it’s important for water systems to recognize (and account for) work they’ve already done. “Actions you’ve already taken could be useful,” she noted. “Folks need to be aware of that so they don’t have to reinvent the wheel.”
For instance, some states have adopted legislation to address natural hazards and compliance with those regulations may be applicable to AWIA. “In Florida, for example, the Peril of Flood Act looks at sea level rise as a cause of flood risk,” said Deslauriers. Under that legislation, water systems must now put into their comprehensive plans how they’re going to address that — and those efforts could already be in compliance with AWIA.
Protecting Against Cyber Threats
AWIA’s risk and resilience components include specific reference to malevolent acts, which include both physical attacks and cyber ones. Much of the language will sound familiar to water systems; it’s almost directly lifted from the Bioterrorism Act of 2002.
“The same universe of utilities that had to comply with the Bioterrorism Act have to comply with this,” said Morley. “The difference is, under the Bioterrorism Act the focus was almost exclusively on terrorism-generated threats.” Electronics, computers, and automated systems were included, but as Morley noted, “seventeen years ago the complexity and sophistication of computer systems wasn’t what it is today. And the interconnectedness is absolutely not the way it was.”
As a result, AWIA is explicit in its inclusion of cybersecurity both in the RRA and in the ERP. “It’s like, it isn’t all about physical; don’t forget about cyber,” Morley added.
A Numbers Game
For an individual (or group of individuals) with nefarious intent, committing a cyberattack is, simply put, a matter of statistics. While some attacks may indeed be directed at a specific target, many more are random and seek to exploit security weaknesses. Just because you’re not a high-profile target doesn’t mean you’re not at risk.
“There is still a misconception that nobody cares about some small-town utility,” said Morley. “But it’s not about geography; it’s ones and zeros. They are going through an electronic database, knocking on doors. And if the IP address happens to be a water utility’s elevated storage tank or a dam spillway or the HVAC system at Home Depot — they don’t really care.”
If that’s not enough to keep you up at night, there are databases, such as Shodan, that provide an index of public-facing IP addresses. “It’s like the yellow pages of IP addresses,” said Morley.
There is no reason why water utility IP addresses should be public-facing but that’s the default setting and, bear in mind, many network components were set up at a time when the notion of being on the Internet wasn’t a big concern. Changing the setting isn’t rocket science, but as Morley noted, “it does require a utility to do something, some sort of curation or management of the system.”
When it comes to cyber threat, hackers are all about equal opportunity. “Largely, the vulnerabilities and threats that water utilities face are many of the same threats that the rest of critical infrastructure industries face,” said Matthew Bohne, vice president and chief product security officer with Honeywell Building Technologies. “Some of the key challenges we see include having systems that are exposed to the Internet, not having good separation between a business network and process control networks, and managing removable media (such as USB sticks) that are used to support these operations.”
The list of cities, large and small, impacted by ransomware attacks in recent months is growing: Atlanta, Ga.; Baltimore, Md.; Naples, Fla.; Riviera Beach, Fla.; and others. Often propagated through phishing emails, these attacks can cripple business functions, forcing systems to either pay a ransom or undertake the arduous process of manually rebuilding their entire business history.
In October 2018, as Onslow Water and Sewer Authority (ONWASA) in North Carolina was still reeling in the aftermath of Hurricane Florence, a computer virus made a bad situation much worse. Although no customer information was compromised, many of ONWASA’s business systems and databases were locked up. Hackers later demanded payment in return for decryption; ONWASA refused to negotiate. “Ransom monies would be used to fund criminal, and perhaps terrorist, activities in other countries,” said ONWASA CEO Jeffrey Hudson in a statement. “Furthermore, there is no expectation that payment of a ransom would forestall repeat attacks … ONWASA will undertake the painstaking process of rebuilding its databases and computer systems from the ground up.”
Launching a ransomware attack is the easiest thing for a bad actor to do, Morley noted. “Unlike a physical type of intrusion attempt, [cyber attackers] don’t need to be present,” he said. “The amount of energy it takes to propagate the attack is de minimis. [Hackers] can go on some dark web website, buy some code, and send it.” And sending an email to one person, he observed, is just as easy as sending it to 1,000 people.
“Think about the pay day for this guy,” said Morley. “If they send out a million emails and they get 20 people to pay $50,000 in bitcoin, it’s a pretty good day … or year!”
All it takes is for one employee to fall victim to increasingly compelling click bait: an urgent mail, appearing to be from someone you know or related to a program or business service you use, might be realistic enough to convince you to click, forward, or download something.
The More You Know
One of the most critical protections against cyberattack are employees themselves. “You can have 10 employees or 1,000 employees,” said Morley. “Every single one of them is the front line because they all have the potential to either plug something in or click on something, totally innocently, that could open up some malware in the background.” They are also your number one best source when it comes to seeing weird stuff that doesn’t look right, he added. Training employees on how to spot fraudulent emails or how to secure their personal devices (such as cell phones) will go a long way toward safeguarding business systems against intrusion.
Do This Right Now
It is absolutely vital to understand the critical digital assets that a water utility has, said Bohne. “And make sure you have the appropriate (cybersecurity) controls and protections in place to protect them,” he added.
Morley agreed. “Make sure you have a clear and thorough understanding of your system architecture, just as you’d expect to have a thorough understanding of your physical pipe network. You need to know what you’ve got.”
This is not without its challenges, as network systems have likely evolved over time and utility managers may not have a clear understanding of how all the parts interrelate. “Going through that kind of review would reveal that there are probably more connections than you realized,” said Morley.
Maintaining good separation between the business network and control system network is critical in minimizing cyber events that can impact the availability of operations, added Bohne. He underscored the importance of employing good behaviors when using process control such as:
• Educating your OT and engineering teams on the importance of cybersecurity and specifically how it can impact availability and reliability of your operations.
• Encouraging a culture of vigilance with your team.
• Patching and updating your systems in accordance with vendors’ guidance
Tools and Guidance
There are many different commercial tools available to better understand and manage cyber risk, noted Honeywell’s Bohne. One is the Cyber Security Evaluation Tool (CSET) from the U.S. Cybersecurity and Infrastructure Agency (CISA). Available at us-cert.gov, the free desktop software tool “guides asset owners and operators through a step-by-step process to evaluate industrial control system (ICS) and information technology (IT) network security practices,” according to the website.
Another free resource, developed specifically for water utilities, is AWWA’s Cybersecurity Guidance and Assessment Tool. Available at awwa.org/cybersecurity, the recently updated guidance and tool help utilities assess their level of cybersecurity, how their doing, and how they can improve. It aligns with the National Institute of Standards and Technology (NIST) Cybersecurity Framework but with a user-friendly interface that’s easy to navigate. It also addresses requirements outlined in AWIA, such as the business enterprise considerations.
“It’s a set of 22 use-case questions that are oriented toward a broad spectrum of technology applications at the utility,” explained Morley. Depending on your responses, it generates a prioritized list of controls that would most likely be applicable to your system. “The things that are priority one, no matter the size or shape of your utility, these are foundational practices,” he explained. “If you’re doing X, you should be doing Y. Period. No exceptions.”
It is designed to help utilities focus, said Morley, and create a means for utility leadership to assess how their doing. “It allows them to have more informed budgetary conversations and develop more structured requests for proposals from prospective contractors.” It won’t solve the world’s problems, Morley noted, “but it’s a really good starting point.” WW
About the Author: Angela Godwin is the editorial director of Endeavor Business Media’s water group of publications.