
EPA Cybersecurity Best Practices for the Water Sector

Like other critical infrastructure, the water sector can be a target of cybersecurity threats and hazards. Implementing cybersecurity best practices is critical for water and wastewater utilities. The resources below can bring your utility one step closer to cyber resilience.


Cyber Resilience Resources 

Water Sector Cybersecurity Brief for States: This guide can assist state technical assistance (TA) providers with assessing cybersecurity practices at water and wastewater systems and developing an improvement plan to reduce cyber risks.

Cybersecurity Incident Action Checklist: This guide provides steps for water and wastewater systems to prepare for, respond to, and recover from a cybersecurity incident.

Water Sector Cybersecurity Training and Response Exercises: This program offers courses both online and at locations nationally that address water sector cybersecurity threats, vulnerabilities, consequences, best practices, resources, and program development. The courses also include guided response exercises for water sector cybersecurity incidents. For more information, please contact safewater@epa.gov.

Water Sector Cybersecurity Technical Assistance Provider Program:  This program trains state and regional water sector TA providers to assess cybersecurity practices at water and wastewater systems and guide systems through developing a cybersecurity action plan to reduce risks and enhance resilience. The program includes follow-up assistance opportunities after the original assessment.  For more information, please contact safewater@epa.gov.

Vulnerability Self-Assessment Tool 2.0 (VSAT Web 2.0): This online tool leads water and wastewater systems through an all-hazards risk assessment, including risks from cybersecurity incidents, and the assessment of costs and benefits of additional countermeasures to reduce risks. Note: This tool includes the capability to analyze cyber threat scenarios.

Develop and Conduct a Water Resilience Tabletop Exercise (TTX) with Water Utilities: This tool provides water and wastewater systems with the resources to plan, conduct and evaluate tabletop exercises for all-hazards scenarios, including cybersecurity incidents. Note: This tool includes the capability to analyze cyber threat scenarios.

EPA Homeland Security Research Program: EPA is researching the ability of hackers to take over the control and operation of pumps, valves, and hydrants, or to provide incorrect operational and water quality information to the water system operators, thus compromising pipe integrity, water quality, and fire protection. Results from this work will be incorporated into future EPA guidance, tools, and training.

Cybersecurity Incident Response

In responding to a significant cybersecurity incident, the federal government leverages its resources and expertise to provide the targeted infrastructure with a unified, coordinated response as detailed in PPD-41. The Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) leads asset response by receiving reports of cybersecurity incidents and providing technical assistance to affected infrastructures (e.g., water utilities) to protect assets, mitigate vulnerabilities, and reduce impacts.

The Federal Bureau of Investigation (FBI) leads the law enforcement and investigative activity aspects of the response.  Pursuant to Presidential Policy Directive 21 (PPD-21), EPA is the Sector Specific Agency (SSA) for the Water and Wastewater Systems Sector. As the SSA for the Water and Wastewater Systems Sector, EPA has an important role in coordinating the cyber incident response; ensuring all appropriate Federal agencies are incorporated into the incident response; facilitating the rapid and appropriate sharing of information and intelligence on the incident response and recovery activities; and coordinating consistent, accurate, and appropriate communications regarding the incident to affected parties and stakeholders.

During a cybersecurity incident, CISA, FBI, and EPA work closely in notifying a targeted entity, assessing the consequences of the cyber incident, and formulating recommendations to the targeted entity. EPA also plays an important part in incident response by directing sector requests for assistance to CISA, confirming these requests are being fulfilled, communicating alerts to the sector, and providing critical “steady-state” support through water sector-specific cybersecurity tools, exercises, and technical assistance.

Alerts - National Cyber Awareness System

CISA Alerts provide timely information about current security issues, vulnerabilities, and exploits. Find DHS CISA Alerts here.

See information regarding the recent SolarWinds incident:

The FBI Cyber Division provides information regarding the SolarWinds incident:

CISA Cybersecurity Resources