Reducing Cybersecurity Risks in the Water Sector: A Voluntary Partnership Approach

Last year, President Obama took an important step to improve the security and resilience of the nation’s critical infrastructure against cyber attacks by issuing Executive Order 13636 – Improving Critical Infrastructure Cybersecurity. This order calls for the development of a voluntary Cybersecurity Framework, which should provide flexible, performance-based and cost-effective approaches to help owners and operators of critical infrastructure assess and manage cyber risk. It must also include provisions to protect business confidentiality, individual privacy and civil liberties.

The National Institute of Standards and Technology (NIST) issued the Cybersecurity Framework on February 12, 2014. The Framework, which NIST developed in collaboration with the private sector and other federal agencies, provides guidance to organizations on managing cybersecurity risk. A key objective is to encourage organizations to make cybersecurity risk a priority, similar to financial, safety, and operational risk. The Framework relies on existing standards, guidance, and best practices. It provides a common method for organizations to assess their cybersecurity posture, describe a cybersecurity target state, prioritize opportunities for improvement, assess progress toward the target state, and foster communications among stakeholders.

The Department of Homeland Security (DHS) has established the Critical Infrastructure Cyber Community (C3) Voluntary Program as a public-private partnership to increase awareness and use of the Cybersecurity Framework. The C3 Voluntary Program will connect companies, as well as federal, state, local, tribal, and territorial partners, to DHS and other federal government programs and resources that will assist their efforts in managing their cyber risks. Participants will be able to share lessons learned, get assistance, and learn about free tools and resources that can help them.

EPA encourages water and wastewater utilities to use the Cybersecurity Framework and participate in the DHS Voluntary Program. As the Sector Specific Agency for the Water and Wastewater Systems sector, EPA will continue to partner with the Department of Homeland Security (DHS), as well as the Water Sector Coordinating Council and Water Government Coordinating Council, to support Framework implementation. EPA will promote training for water and wastewater utilities on potential threats, vulnerabilities, and consequences from cyber threats, coupled with approaches to and benefits from adopting the Cybersecurity Framework.

This voluntary partnership among EPA, other government agencies, and the private sector to encourage use of the Cybersecurity Framework continues the proactive work that the Water and Wastewater Systems sector has done to reduce cybersecurity risks. Notably, the American Water Works Association has just issued Process Control System Security Guidance for the Water Sector, which can assist water and wastewater utilities with implementing the Cybersecurity Framework. The Water and Wastewater Systems sector recognizes that cyber threats are important and should be addressed as part of an all-hazards approach to risk management. Adoption of the Cybersecurity Framework will be a major step forward in this effort.