Environmental Protection Agency (EPA): Water System Security

Public Health Security & Bioterrorism Preparedness Act

2002

Physical security, contamination events

Community water systems serving >3,300

Vulnerability assessments, emergency response plans

December 2003

Presidential Policy Directive 21 (PPD-21)

2013

Critical infrastructure protection

All critical infrastructure sectors

Sector-specific risk management

Ongoing framework

Presidential Decision Directive 63

1998

Critical infrastructure protection coordination

Federal agencies, critical sectors

Information sharing, protection plans

Ongoing

America's Water Infrastructure Act (AWIA) §2013

2018

Resilience, cyber threats, all hazards

Community water systems serving >3,300

Risk & Resilience Assessments, Emergency Response Plans

Tiered deadlines 2019-2021

AWIA §2018

2018

Cybersecurity support

All public water systems

Technical assistance, information sharing

Voluntary participation

Tier 1

≥100,000

~400 systems

March 31, 2020

September 30, 2020

5 years

$85,000-$250,000 initial

Tier 2

50,000-99,999

~600 systems

December 31, 2020

June 30, 2021

5 years

$45,000-$120,000 initial

Tier 3

25,000-49,999

~1,100 systems

June 30, 2021

December 31, 2021

5 years

$25,000-$75,000 initial

Tier 4

3,300-24,999

~5,200 systems

June 30, 2021

December 31, 2021

5 years

$15,000-$45,000 initial

Small Systems

<3,300

~142,000 systems

Not required

Voluntary

Voluntary

Variable (if pursued)

Physical risks to infrastructure

Assessment of physical threats to assets

Site security surveys, access control evaluation, critical asset identification

Insufficient consequence analysis, missing interdependencies

Moderate (asset inventory, threat analysis)

Cybersecurity risks

Evaluation of cyber threats to systems

IT/OT security assessment, network architecture review, vulnerability scanning

Legacy SCADA systems not assessed, inadequate network segmentation

High (network diagrams, scan results, control inventories)

Natural hazards

Assessment of malevolent acts, natural hazards

Flood risk, seismic analysis, extreme weather impacts

Climate change projections not incorporated, cascading failures not modeled

Moderate (hazard mapping, historical data)

Interdependencies

Evaluation of dependencies on other infrastructure

Power, communications, transportation, supply chain analysis

Single points of failure not identified, backup dependencies not validated

High (dependency mapping, failure scenarios)

Resilience of pipes and constructed conveyances

Assessment of distribution system risks

Pipe condition assessment, critical valve analysis, storage capacity evaluation

Age-based assumptions without condition validation, inadequate redundancy analysis

Very high (GIS data, condition assessments, hydraulic modeling)

Financial infrastructure

Evaluation of financial and rate-setting impacts

Revenue stability, insurance coverage, emergency funding sources

Inadequate cyber insurance, insufficient emergency reserves

Low (financial statements, budget documents)

Community impacts

Assessment of service area demographics and vulnerability

Critical customer identification, vulnerable populations, economic impacts

Environmental justice considerations missing, mutual aid agreements not formalized

Moderate (demographic data, customer categorization)

Operational impacts of malevolent acts and natural hazards

Consequence analysis for identified threats

Process failure modes, treatment capacity under stress, operator safety

Single points of failure not stress-tested, limited tabletop exercises

High (operational procedures, failure scenarios)

Strategies and resources to improve resilience

Plans to prepare for, respond to, and recover from identified risks

Asset hardening, redundancy improvements, detection capabilities

Annual tabletop or functional exercise

RRA updates, significant incidents

Plans for responding to confirmed or suspected threats

Immediate actions, escalation procedures, decision criteria

Incident classification matrix, notification trees, authority delegation

Annual exercise with documented outcomes

Lessons learned from exercises or real events

Actions to respond to decontamination and disposal of contaminated water

Contamination scenarios, treatment approaches, disposal options

Detection methods, isolation procedures, treatment protocols, waste handling

Biennial exercise or drill

Regulatory changes, technology updates

Strategies for alternative water supply during interruptions

Backup sources, mutual aid, emergency interconnections, bottled water distribution

Interconnection agreements, hauled water capabilities, distribution points

Annual validation of backup source capacity

Changes in backup availability

Coordination with federal, state, and local agencies

Information sharing protocols, resource requests, unified command integration

Emergency contact lists, MOUs/MOAs, ICS/NIMS integration

Exercise participation with external agencies

Changes in agency contacts or procedures

Legacy SCADA Systems

15-30 year equipment lifecycles, proprietary protocols, no security features

Cannot patch, cannot monitor effectively, minimal authentication

Network segmentation, protocol gateways, anomaly detection

High capital ($200K-$2M for network redesign)

Limited IT Security Expertise

Small IT teams (1-3 people), no dedicated security staff, reliance on consultants

Reactive security posture, compliance-focused vs. risk-focused

Managed security services, regional sharing, WaterISAC engagement

Moderate operational ($40K-$150K annually for services)

Remote/Unmanned Facilities

Pump stations, wells, storage tanks spread across service area

Physical access difficult to control, network security challenging

Secure remote access solutions, cellular backhaul, tamper detection

Moderate capital + operational ($500-$5K per site)

Limited Cybersecurity Budget

Security competes with infrastructure replacement, compliance, water quality

Insufficient tools, training, and staffing

Risk-based prioritization, grant funding (WIFIA, SRF), multi-utility sharing

Variable (5-8% of IT budget target)

Operational Technology (OT) Priority Over IT

"Keep the water flowing" culture, change-averse operations staff

Resistance to security controls that might impact operations

Collaborative design, phased implementation, extensive testing

Low-moderate (change management time)

Interconnected Systems

Integration with power utilities, regional water systems, wastewater

Attack surface includes partner organizations

Supply chain risk management, third-party security requirements

Low-moderate (contract provisions, assessments)

Public Availability of Sensitive Information

Geographic data, infrastructure locations, capacity information publicly accessible

Attackers can conduct reconnaissance without touching network

Information classification, controlled sharing, public awareness balance

Low (policy development time)

Asset Inventory

IT assets, OT assets, data assets, external dependencies

Spreadsheet-based inventory, annual updates

Asset management database (CMMS), automated discovery, continuous updates

Critical for RRA

Data Classification

Identify sensitive operational data, customer data, security data

Simple classification scheme (public, internal, restricted)

Formal classification policy, automated labeling, DLP controls

Important for RRA

Risk Assessment

Cyber threat assessment, vulnerability identification, consequence analysis

Consultant-led assessment every 3 years

Continuous risk assessment program, threat intelligence integration

Required by RRA

Third-Party Risk

Vendor access inventory, remote access control, supply chain assessment

Vendor contract provisions, access logging

Formal third-party risk program, security questionnaires, ongoing monitoring

Important for RRA

Access Control

Multi-factor authentication, least privilege, network segmentation

Start with admin accounts, expand to all users; segment SCADA network from business

"Too complicated for operators," fear of lockouts during emergencies

Executive support, gradual rollout, emergency access procedures

Awareness Training

Phishing simulation, security awareness, role-based training

Annual computer-based training, quarterly phishing tests

"We don't have time," viewed as checkbox exercise

Relevant scenarios, short modules, positive reinforcement

Data Security

Encryption at rest/transit, secure backups, secure disposal

Enable encryption on new systems, encrypt backups, documented disposal

Performance concerns, legacy system incompatibility

Phased approach, test before production deployment

Maintenance

Patch management, configuration management, system hardening

Monthly patching (test environment first), baseline configurations

Cannot patch SCADA without vendor support, fear of breaking systems

Vendor agreements for OT patching, IT/OT patch differentiation

Protective Technology

Firewalls, IDS/IPS, antivirus, application whitelisting

Perimeter firewalls, endpoint protection, SCADA network monitoring

Cost, performance impact, false positives

Right-sized solutions, gradual tuning, clear ROI demonstration

Continuous Monitoring

Network traffic analysis, log aggregation, SIEM

Detect unauthorized access, malware, configuration changes

Tuning period 60-90 days, accept 5-10% false positive rate initially

Automated alerts to on-call staff, integration with ERP

Anomaly Detection

SCADA protocol analysis, behavioral analytics, flow monitoring

Detect process anomalies, unauthorized commands, unusual patterns

Requires 30-day baseline, seasonal adjustments

Engineering review for process anomalies

Security Testing

Vulnerability scanning, penetration testing, red team exercises

Identify exploitable weaknesses before attackers do

Risk of operational impact from testing

Carefully scoped tests, off-peak scheduling, extensive coordination

Response Planning

Cyber incident response plan, playbooks, authority matrix

Documented procedures, contact lists, escalation criteria

Annual tabletop, biennial functional exercise

Integrates with ERP, coordinates with WaterISAC

Communications

Internal notifications, external reporting, public messaging

Notification templates, spokesperson designation, media protocols

Tested during exercises

Legal review, regulatory coordination

Analysis

Incident investigation, root cause analysis, evidence collection

Forensic procedures, chain of custody, reporting templates

Post-incident reviews for all incidents

Law enforcement coordination if criminal

Mitigation

Containment strategies, eradication procedures, recovery prioritization

Technical playbooks, decision trees, recovery checklists

Component testing quarterly

Business continuity integration

Recovery Planning

System restoration procedures, backup validation, alternate processing

Critical systems: <4 hours; Important systems: <24 hours; Standard: <72 hours

Annual backup restoration test, recovery procedure validation

Update after incidents, technology changes

Improvements

Lessons learned process, corrective actions, metrics tracking

Post-incident review within 30 days, corrective action closure in 90 days

Track MTTD, MTTR, incident trends

Board reporting, resource allocation decisions

Communications

Reputation management, customer communication, stakeholder updates

Restoration status updates every 4-6 hours during major incidents

Communications exercises as part of incident response drills

Media training for designated spokespersons

Water Treatment Plants

Population served, treatment capacity, redundancy availability

Service disruption, contamination risk, public health threat

High (fencing, cameras, access control, 24/7 monitoring)

$50,000-$500,000 per facility

Large Storage Reservoirs (>1MG)

Storage volume, service area dependency, contamination vulnerability

Service disruption, contamination risk

Medium-high (fencing, cameras, intrusion detection, water quality monitoring)

$25,000-$150,000 per facility

Critical Pump Stations

Flow capacity, redundancy, service area

Service disruption, pressure loss

Medium (fencing, cameras, tamper alarms)

$15,000-$75,000 per facility

Emergency Interconnections

Backup capacity, dependency level

Reduced resilience if compromised

Medium (locked valve vaults, monitoring)

$5,000-$25,000 per connection

Supervisory Control Systems

SCADA servers, HMI workstations, communication networks

Complete operational visibility loss, potential manipulation

High (physical + cyber security, access control, monitoring)

$75,000-$300,000 per control center

Chemical Storage

Chemical type (chlorine gas vs. hypochlorite), quantity, proximity to population

Public safety threat, environmental release

High (fencing, cameras, intrusion detection, secondary containment, gas detection)

$40,000-$200,000 per facility

Small Booster Stations

Limited flow impact, high redundancy

Minimal service impact

Low (locked buildings, periodic inspections)

$2,000-$10,000 per facility

Distribution System Valves

Criticality varies by location, most have high redundancy

Limited impact (segment isolation only)

Low (locked vaults)

$500-$2,000 per valve

Perimeter Security

7-8 ft security fencing with 3-strand barbed wire, anti-climb features, vehicle barriers

Balance security with aesthetics (community relations), comply with local zoning

Annual fence inspection, vegetation control, barrier testing

High (delays intruders 5-15 minutes)

Access Control

Card readers, biometrics for sensitive areas, visitor management, vehicle access control

Integration with HR systems (automatic deactivation), emergency access procedures

Card reader maintenance, credential updates, audit log review

Very high (creates accountability)

Video Surveillance

Cameras covering entry points, chemical storage, process areas; 90-day retention minimum

Camera positioning (avoid blind spots), lighting integration, cybersecurity (network cameras vulnerable)

Quarterly camera inspection, annual system health check, periodic storage verification

High (investigation support, deterrent)

Intrusion Detection

Motion sensors in after-hours areas, door/window contacts, glass break sensors

Zone design (minimize false alarms), integration with monitoring

Monthly testing, battery replacement, sensitivity adjustment

Medium-high (high false positive rate without tuning)

Lighting

Illumination of perimeter, entries, parking, process areas; motion-activated supplemental

Energy efficiency (LED, solar), light pollution considerations, backup power

Lamp replacement, photocell testing, timer adjustments

Medium (supports other controls, not standalone)

Security Personnel

Roving patrols, fixed posts during elevated threats, contracted vs. internal

Cost-benefit analysis (expensive for continuous coverage), training requirements

Ongoing training, performance monitoring, credential verification

Very high (adaptive response) but costly

Limited Physical Presence

Tamper detection, remote monitoring, periodic inspections

Door contacts, motion sensors, video verification, cellular communication

$3,000-$8,000

High (repeatable design)

Connectivity Constraints

Low-bandwidth monitoring, store-and-forward video, periodic check-in

Cellular (LTE/5G), satellite where no cellular, edge storage with cloud sync

$1,200-$4,500

Medium (cellular coverage dependent)

High Asset Count

Risk-based prioritization, tiered security levels, standardized designs

Classify sites by criticality; maximum security on top 20%, basic on remaining 80%

Variable by tier

Very high

Maintenance Access

Contractor access management, temporary credentials, access logging

Cloud-based access control, time-limited credentials, automatic expiration

$2,500-$6,000

High

Vandalism Risk

Hardened enclosures, cameras with deterrent signage, rapid response

Reinforced doors/locks, wireless cameras, alarm monitoring with rapid response

$4,000-$12,000

Medium

Source Water

Limited physical security at intake points, large volume makes detection difficult

Continuous source water monitoring, biological early warning systems

Hours to days

Very high (large population exposure)

Treatment Plant

Chemical storage access, process manipulation

Process monitoring, access control, chemical inventory management

Minutes to hours

Very high (direct contamination of treated water)

Distribution Storage

Reservoir/tank access points, atmospheric vents

Storage facility security, water quality monitoring, tamper detection

Hours to days

High (localized population exposure)

Distribution System

Vast geographic area, numerous access points (hydrants, blow-offs, service connections)

Pressure monitoring, flow anomaly detection, water quality sensors

Hours to days

Medium to high (variable population exposure)

Customer Connection

Individual service line, minimal security

Customer complaints, localized monitoring

Minutes to hours

Low (single customer/building)

Free Chlorine Residual

Disinfectant depletion, organic contamination

Real-time

$3,000-$8,000 per analyzer

Treatment plant, distribution system

pH/ORP

Chemical contamination, treatment process issues

Real-time

$2,500-$6,000 per analyzer

Treatment plant, distribution system

Turbidity

Physical contamination, treatment failure

Real-time

$4,000-$10,000 per analyzer

Treatment plant, distribution system

Conductivity

Total dissolved solids, chemical contamination

Real-time

$2,000-$5,000 per analyzer

Distribution system

TOC (Total Organic Carbon)

Organic contamination, disinfection byproduct precursors

Near real-time (5-15 min)

$25,000-$65,000 per analyzer

Treatment plant, selected distribution points

Biological Early Warning

Toxicity, biological agents

5-30 minutes

$15,000-$50,000 per system

Source water, treatment plant entry

Event Detection Algorithms

Anomaly patterns across multiple parameters

Real-time analysis

Software: $5,000-$25,000

Central monitoring (analyzes data from multiple sensors)

Executive Summary

Purpose, scope, authority, plan maintenance, distribution

2-3 pages

Annually or post-incident

Executive leadership, board

Concept of Operations

Incident classification, notification criteria, command structure, ICS integration

5-8 pages

Annually or post-incident

Management, supervisors

Roles and Responsibilities

Position-specific duties (ICS-aligned), succession planning, authority levels

8-12 pages

Semi-annually (staffing changes)

All staff

Notification Procedures

Internal notifications, external agency coordination, public communication

4-6 pages

Quarterly (contact updates)

Operations, communications

Response Procedures

Incident-specific playbooks, decision trees, technical procedures

30-60 pages

Annually or post-incident

Operations staff, supervisors

Resource Inventory

Emergency equipment, contractors, mutual aid, supplies

6-10 pages

Annually

Operations, procurement

Recovery Procedures

Service restoration priorities, damage assessment, business continuity

8-12 pages

Annually

Operations, management

Training and Exercise

Training requirements, exercise schedule, evaluation process

3-5 pages

Annually

All staff, training coordinator

Plan Maintenance

Review schedule, update procedures, version control

2-3 pages

Annually

Plan administrator

Appendices

Maps, diagrams, forms, contact lists, MOUs, technical references

20-50 pages

Variable by appendix

Incident-specific

Immediate (0-15 min)

Shift supervisor notified, operations switched to manual control, preserve evidence, assess service impact

Operations Supervisor, SCADA Administrator

Is service at risk? Is manual control viable?

None yet

Assessment (15-60 min)

IT/cybersecurity assessment initiated, incident classification (severity level), notification to management, WaterISAC alert check

IT Manager, CISO (if staff) or consultant, General Manager

Is this a reportable incident? Do we need external IR support?

WaterISAC situational awareness

Response (1-24 hours)

Network isolation (if not already), forensic preservation, incident response team activation, EPA notification if reportable, law enforcement coordination if criminal

Incident Commander (GM or designee), IT/cyber team, legal counsel

Can we restore systems safely? Is contamination possible? Do we need emergency declaration?

EPA, FBI (if applicable), CISA

Recovery (1-7 days)

System restoration (validated clean), enhanced monitoring, return to automated control (phased), public communication

Operations staff with IT support, Communications lead

When is automated control safe to resume? What interim measures stay?

EPA status updates, law enforcement coordination

Post-Incident (7-30 days)

Forensic analysis completion, root cause determination, corrective actions, incident report to EPA, lessons learned

Incident investigation team, IT/cyber

What failed? What worked? What changes are needed?

EPA incident report, information sharing with WaterISAC

Geographic Coverage

Define participating systems, service area overlap, response zones

Indemnification, liability, insurance, state-level enabling legislation

Response triggers, staging areas, access procedures

Response costs reimbursement, equipment replacement

Resource Sharing

Equipment (generators, pumps, tankers), personnel, technical expertise, emergency supplies

Licensing requirements (operator certifications across jurisdictions), workers compensation

Equipment inventory, maintenance standards, deployment procedures

Daily rates, equipment rental, fuel/consumables

Water Supply Support

Emergency interconnections, hauled water, bottled water distribution

Water quality standards, cross-connection control, regulatory notifications

Hydraulic analysis, pressure requirements, quality testing, distribution logistics

Cost recovery, treatment charges

Technical Assistance

Incident management, specialized skills (SCADA, treatment, engineering), laboratory support

Professional liability, contracting authority, procurement rules

Expert roster, deployment mechanisms, documentation

Daily rates for personnel, lab fees

Training and Exercises

Joint exercises, shared training, equipment familiarization

Liability during training, insurance coverage

Exercise schedule, participation expectations, scenario development

Shared costs, host rotation

Information Sharing

Threat intelligence, incident notification, lessons learned

Confidentiality, FOIA exemptions (security-sensitive information)

Communication protocols, information classification, dissemination procedures

No cost typically

Orientation

Very low

As needed for new staff

Individual or small group

30-60 minutes

Minimal

Familiarization with plan, basic roles

Drill

Low

Quarterly

Single team/function

1-2 hours

Low

Practice specific procedure, validate equipment

Tabletop Exercise

Medium

Annually

Leadership + key staff (15-30 people)

2-4 hours

Moderate (facilitator, scenario development)

Decision-making, coordination, plan familiarity

Functional Exercise

High

Every 2-3 years

All relevant staff (30-100 people)

4-8 hours

High (controllers, evaluators, scenario development, logistics)

Real-time response, coordination with external agencies, full plan activation

Full-Scale Exercise

Very high

Every 5 years or post-major plan revision

All staff + external agencies (100+ people)

8-24 hours

Very high (extensive planning, resources, coordination)

Operational response, field deployment, public interface

Cyber Attack on SCADA

Tabletop

Decision-making under uncertainty, manual operations, notification procedures

FBI, CISA, WaterISAC

Appropriate decisions within timeframes, correct notifications

Contamination Event

Functional

Sample collection, lab coordination, public notification, alternative water supply

Public health, emergency management, EPA

Detection within targets, containment executed, public properly informed

Infrastructure Failure (Pipe Break)

Drill

Isolation procedures, customer notification, repair mobilization

Contractors, emergency management (for large events)

Isolation time, notification coverage, repair timeline

Power Outage (Extended)

Functional

Generator deployment, fuel management, priority service, conservation messaging

Electric utility, emergency management, public health

Service maintenance to critical customers, fuel logistics

Chemical Release

Tabletop

Evacuation procedures, emergency response notification, environmental containment

Fire department, hazmat, environmental agencies

Proper notification, public safety protected

Physical Attack

Tabletop

Security response, law enforcement coordination, service continuity

Law enforcement, emergency management

Security activated, proper coordination, service maintained

Natural Disaster (Flood)

Full-scale

Facility protection, alternative operations, emergency supply, mutual aid

Emergency management, mutual aid partners, National Guard (if major)

Facility protected or alternative operations established

RRA Completion

Conduct assessment addressing all required components

System-specific deadline (2020-2021 based on tier)

RRA report, supporting analysis, board presentation

Permanent (update every 5 years)

RRA Certification

Certify to EPA that RRA was completed

Within 30 days of RRA completion

EPA certification form, signed by authorized official

Permanent

ERP Development

Develop ERP incorporating RRA findings

Within 6 months of RRA certification

ERP document, supporting materials, board approval

Permanent (update every 5 years or as needed)

ERP Certification

Certify to EPA that ERP was completed

Within 30 days of ERP completion

EPA certification form, signed by authorized official

Permanent

Document Retention

Maintain RRA and ERP

Ongoing

Current and superseded versions

5 years after superseded

RRA Completeness

All required components addressed, methodology appropriate, findings documented

Complete RRA report, supporting data, board presentation

Insufficient cybersecurity assessment, inadequate consequence analysis

90 days for documentation gaps

ERP Adequacy

RRA findings incorporated, response procedures detailed, resource identification

Complete ERP, exercise records, training documentation

Generic procedures not tailored to system, insufficient exercise program

180 days for plan updates

Program Implementation

Evidence that plans are operationalized, not just documents

Exercise records, training logs, security upgrade evidence, incident logs

Plans exist but not exercised, training inadequate, identified improvements not implemented

Variable (30-365 days based on severity)

Physical Security

Critical asset protection appropriate to risk

Site visit observations, security assessment reports, access logs

Inadequate perimeter security, poor access control, missing intrusion detection

180-365 days for capital improvements

Cybersecurity

OT security controls, network segmentation, monitoring

Network diagrams, vulnerability assessment reports, monitoring logs

SCADA network not segmented, no OT monitoring, inadequate access control

180-365 days for technical implementations

Exercise Program

Regular exercises conducted, findings addressed, continuous improvement

Exercise after-action reports, corrective action tracking

Insufficient exercise frequency, findings not addressed, no multi-year cycle

90 days for program documentation

Informal Notice

Minor documentation gaps, late submission

None (opportunity to correct)

Submit missing documentation or certification

30-60 days

Notice of Violation

Failure to complete RRA/ERP, significant deficiencies

Potential enforcement, public record

Complete required work, demonstrate compliance

90-180 days

Administrative Order

Continued non-compliance after NOV

Enforceable deadlines, potential daily penalties

Comply with order requirements, regular status reporting

180-365 days

Civil Penalties

Persistent non-compliance, refusal to cooperate

Financial penalties up to $25,000/day

Pay penalties, achieve compliance

Immediate penalties + compliance timeline

NIST Cybersecurity Framework

Voluntary (recommended by EPA)

Identify, Protect, Detect, Respond, Recover

90% overlap with AWIA cyber requirements

Use NIST CSF as implementation methodology for AWIA cyber requirements

AWWA G430-17 (Security Practices)

Voluntary industry guidance

Physical security, cybersecurity, operational security

85% overlap, provides detailed implementation guidance

Use as reference for developing RRA/ERP procedures

State Primacy Agency Requirements

Mandatory (varies by state)

Emergency response, contamination protocols, operator certification

70% overlap, state requirements often more prescriptive

Ensure ERP meets both EPA and state requirements

OSHA Process Safety Management (PSM)

Mandatory if threshold quantities of hazardous chemicals

Hazard analysis, operating procedures, emergency response, training

60% overlap (chemical safety, emergency response)

Integrate chemical safety into RRA, coordinate ERP with PSM emergency procedures

EPA Risk Management Plan (RMP)

Mandatory if threshold quantities of listed chemicals

Off-site consequence analysis, prevention program, emergency response

65% overlap (chemical safety, consequence analysis)

Use RMP consequence analysis as input to RRA, coordinate emergency procedures

NERC CIP (if electric utility owned)

Mandatory for bulk electric system assets

Cyber security, physical security, personnel training

40% overlap (cyber/physical security)

Coordinate security programs, shared monitoring infrastructure

State Homeland Security Requirements

Variable by state

Critical infrastructure protection, information sharing

50% overlap (threat assessment, information sharing)

Participate in state fusion centers, coordinate with emergency management

Extreme Precipitation

Increased flood frequency and severity

Source water contamination, infrastructure damage, power outages

Flood-proofing critical assets, backup power, source water monitoring enhancement

Future RRA updates likely to require climate risk assessment

Extended Drought

Reduced source water availability

Capacity constraints, quality degradation, increased treatment costs

Drought contingency plans, alternative sources, conservation programs

Some states already requiring drought planning in ERPs

Temperature Extremes

Heat waves, cold snaps

Increased demand, infrastructure stress, treatment challenges

Capacity expansion, infrastructure hardening, temperature-resilient chemicals

Not yet in AWIA but emerging in state requirements

Sea Level Rise

Coastal flooding, saltwater intrusion

Source water salinization, infrastructure inundation

Relocation of critical assets, desalination capability, alternative sources

Emerging in coastal state requirements

Wildfire Impacts

Source water contamination, infrastructure damage, power grid disruption

Water quality degradation, treatment challenges, service disruption

Enhanced source water monitoring, alternative sources, backup power

Increasing in Western state requirements

Cybercriminals

Financial gain (ransomware)

Moderate (commodity malware, social engineering)

Opportunistic (vulnerable targets)

Moderate (signature-based detection works)

Insider Threats

Grievance, ideology, financial

High (legitimate access, system knowledge)

Targeted (own organization)

Very high (authorized access appears normal)

Hacktivists

Political statement, publicity

Moderate (public exploits, DDoS)

Targeted (politically significant systems)

Moderate (often noisy attacks)

Nation-State APTs

Espionage, pre-positioning for conflict

Very high (zero-days, custom malware, extensive resources)

Strategic (critical infrastructure)

Very high (designed to evade detection)

Terrorist Organizations

Public fear, disruption

Variable (depends on technical capabilities)

High-impact targets (large populations)

Variable

Network Segmentation

Air-gapped or strictly controlled OT networks

High (prevents lateral movement)

Operational complexity, user resistance

$75,000-$350,000

Zero Trust Architecture

Continuous authentication, least privilege

Very high (limits adversary movement)

Requires identity infrastructure, culture shift

$120,000-$500,000

Behavioral Analytics

Anomaly detection, user behavior monitoring

High (detects novel attacks)

High false positive tuning effort

$40,000-$180,000 annually

Threat Intelligence

IOC feeds, APT campaign tracking

Moderate (reactive, relies on sharing)

Must be operationalized, not just consumed

$15,000-$75,000 annually

Hunt Team

Proactive threat hunting, hypothesis-driven searches

Very high (finds hidden persistence)

Requires specialized skills

$120,000-$400,000 annually (internal team or MDR)

Deception Technology

Honeypots, decoy systems, breadcrumbs

High (early warning, adversary intel)

Must be realistic, maintained

$25,000-$100,000 annually

Anomaly Detection

Identify unusual SCADA behavior, process deviations, access patterns

N/A

Mature (commercial products available)

Medium (20-30% of large systems)

Predictive Maintenance

Detect equipment failures before impact, optimize replacement

N/A

Maturing (demonstrated value)

Low-medium (15-25% of large systems)

Social Engineering

N/A

AI-generated phishing, deepfake videos/audio for CEO fraud

Emerging (demonstrated in labs)

N/A (threat vector)

Automated Vulnerability Discovery

Find weaknesses before attackers

Discover zero-day vulnerabilities in SCADA systems

Emerging (research stage)

N/A (threat vector)

Automated Response

Execute containment actions without human intervention

Automated attack orchestration

Early (limited deployment)

Very low (<5% of systems)

Natural Language Processing

Analyze threat intelligence, incident reports, security logs

N/A

Mature (commercial products)

Low (10-15% of large systems)

Compromised Equipment

Backdoors in SCADA hardware/software, counterfeit components

(2020) Suspected backdoors in Chinese-manufactured sensors deployed in US water systems

Vendor security requirements, equipment validation, network monitoring

Very high (sophisticated backdoors)

Malicious Updates

Trojanized software updates from vendors

(2020) SolarWinds Orion platform supply chain attack (not water-specific but demonstrated risk)

Update validation, staged deployment, vendor security assessment

High (signed by legitimate vendor)

Compromised Credentials

Third-party vendor remote access

(2021) Florida Oldsmar attack used legitimate remote access software

Third-party access management, monitoring, MFA requirement

Moderate (legitimate access tools)

Counterfeit Parts

Non-genuine replacement parts with inferior quality or malicious functions

(2019) Counterfeit circuit boards discovered in industrial control systems

Supplier verification, part authentication, trusted supplier programs

Moderate to high

Service Provider Compromise

MSP/cloud provider breach exposing customer data

(2019) Multiple MSP ransomware attacks affecting customers

MSP security requirements, data encryption, backup independence

Moderate

Vendor Security Requirements

Contractual security obligations, audit rights, incident notification

Moderate (depends on enforcement)

Low (contract language)

Moderate (may limit vendor pool)

Component Authentication

Certificate validation, part number verification, trusted suppliers

High (for hardware integrity)

Low to moderate

Low (additional validation steps)

Secure Development Lifecycle

Require vendors to follow secure coding practices, testing

High (reduces vulnerabilities)

Low (contract requirement)

Moderate (not all vendors have SDL)

Third-Party Risk Assessment

Security questionnaires, audits, certification verification

Moderate (point-in-time assessment)

Moderate ($5K-$25K per vendor assessment)

Moderate (assessment time)

Update Validation

Test updates in non-production environment, staged deployment

High (prevents mass compromise)

Moderate (requires test environment)

Low (just process change)

Network Segmentation

Limit vendor access to specific network zones, not entire network

Very high (limits breach impact)

High (network redesign)

Low (post-implementation)

Remote Access Management

Centralized vendor access portal, session monitoring, automatic expiration

High (visibility and control)

Moderate ($15K-$75K for platform)

Low (vendors adapt quickly)

Very Small

3,300-10,000

$35,000-$75,000

$15,000-$35,000

$110,000-$215,000

$6.67-$21.50

3-6%

Small

10,000-25,000

$65,000-$150,000

$28,000-$65,000

$205,000-$410,000

$8.20-$16.40

4-7%

Medium

25,000-50,000

$125,000-$280,000

$48,000-$110,000

$365,000-$830,000

$7.30-$16.60

3-6%

Large

50,000-100,000

$220,000-$520,000

$85,000-$190,000

$640,000-$1,470,000

$6.40-$14.70

3-5%

Very Large

100,000-500,000

$380,000-$1,200,000

$140,000-$420,000

$1,060,000-$3,300,000

$2.12-$6.60

2-4%

Metropolitan

>500,000

$850,000-$3,500,000

$320,000-$1,200,000

$2,450,000-$9,500,000

$1.63-$4.75

2-3%

Cybersecurity (IT/OT)

$85,000

$38,000

$275,000

48%

Physical Security

$120,000

$22,000

$230,000

40%

Emergency Planning

$18,000

$8,000

$58,000

10%

Training & Exercises

$12,000

$6,000

$42,000

7%

Compliance & Audits

$15,000

$4,000

$35,000

6%

Total

$250,000

$78,000

$640,000

Water Infrastructure Finance and Innovation Act (WIFIA)

Large capital projects including security upgrades

$5M-$500M (loans, not grants)

51% non-federal funding

Very high (federal credit program)

Moderate (limited capacity)

Drinking Water State Revolving Fund (DWSRF)

Infrastructure, security upgrades, resilience improvements

$100K-$50M+ (low-interest loans, some principal forgiveness)

Variable by state (0-20%)

Moderate (state-administered)

Moderate (priority scoring)

FEMA Homeland Security Grant Program

Physical security, emergency response equipment, training

$25K-$500K

0-25% (varies by program)

Moderate to high

High (many applicants)

EPA Water Security Initiative

SCADA security, contamination warning systems

$50K-$500K (grants)

None typically

Moderate

High (limited funding)

USDA Rural Development

Rural system infrastructure and security

$50K-$5M+ (loans and grants)

Variable (grants often 25-75% of project)

Moderate

Moderate (rural systems only)

State Homeland Security

Critical infrastructure protection

$10K-$250K

0-50% (varies by state)

Moderate

High

Regional Cooperation Grants

Multi-system security improvements, mutual aid

$25K-$300K

25-50% typically

Moderate

Moderate

Clear Nexus to Public Health Protection

Very high

Emphasize population protected, contamination prevention, service resilience

Demonstrated Risk

Very high

Reference RRA findings, incident history, threat intelligence

Regional/Multi-System Benefit

High

Partner with neighboring systems, demonstrate broader impact

Leveraged Funding

High

Show other funding sources, demonstrate financial commitment

Measurable Outcomes

High

Define specific metrics (population protected, detection time improvement, etc.)

Readiness to Execute

Moderate

Demonstrate engineering complete, permits obtained, procurement ready

Disadvantaged Community

Moderate to high (for some programs)

Demonstrate financial need, affordability challenges