Ornamental dots. Two rows of three dots. The top row is a light blue. The bottom row is one light blue dot followed by two orange dots. Blog

Conducting Risk & Resilience Assessments and ERPs to Comply with America’s Water Infrastructure Act (AWIA)

Jeremy Morgan, Systems Engineer | December 10, 2019

Over the past decade, water and wastewater utilities, much like electric utilities, have become more dependent on the internet to carry out their daily operations. Water and wastewater plants rely on the same industrial control systems (ICS) and applications prevalent in most process automation and energy facilities, and are therefore subject to similar cyberthreats. Considering the obvious fact that maintaining and securing a reliable municipal water supply to US citizens is of critical importance, many have long believed that the sector has been underserved and underbudgeted with regard to industrial cybersecurity.

As of October of 2018, the long-needed shift toward cybersecurity governance over community water systems has become a reality with America’s Water Infrastructure Act (AWIA). Section 2013 of the AWIA states that:

“Each community water system serving a population of greater than 3,300 persons shall conduct an assessment of the risks to, and resilience of, its system. Such an assessment:

  1. Shall include an assessment of:
    1. The risk to the system from malevolent acts and natural hazards
    2. The resilience of the pipes and constructed conveyances, physical barriers, source water, water collection and intake, pretreatment, treatment, storage and distribution facilities, electronic, computer, or other automated systems (including the security of such systems) which are utilized by the system
    3. The monitoring practices of the system
    4. The financial infrastructure of the system
    5. The use, storage, or handling of various chemicals by the system
    6. The operation and maintenance of the system
  2. May include an evaluation of capital and operational needs for risk and resilience management for the system.”

From a cybersecurity standpoint, this now means that municipal water organizations need to act fast in order to complete and certify their risk and resilience assessment and develop an emergency response plan (ERP). The deadline to comply is determined by the population that a water management company services, and failure to comply by the assigned deadline can mean a hefty fine of up to $25k per day past the due date.

Population Served

Risk Assessment

Emergency Response Plan

≥100,000

March 31, 2020

September 30, 2020

50,000-99,999

December 31, 2020

June 30, 2021

3,301-49,999

June 30, 2021

December 30, 2021

To successfully complete a risk and resilience assessment, every asset owner in water and wastewater needs to ask themselves:

  • Can I identify all assets on my network?
  • Can I discern which assets are controlled manually, and which ones are automated?
  • Can I monitor and manage remote access and on-premises assets connected to the internet?
  • Can I proactively detect anomalous network behavior and vulnerabilities?
  • Can I reliably contain and report cyber and operational threats?

To answer these questions, the average water and wastewater operations team will need to invest in cybersecurity tools that can support the risk and resilience assessment requirements outlined in AWIA. By automatically creating and monitoring an asset inventory, OT network monitoring tools can help streamline compliance with AWIA by automating device inventory and risk management processes and providing emergency responders with extensive data to implement informed ERP strategies.

Some additional benefits of implementing OT network monitoring include:

  • Reduced asset inventory costs by automating the process of creating and maintaining one.
  • Reduced workloads for both cybersecurity and operations teams.
  • Improved overall reliability of operations.

The data captured by these solutions can also help implement network policies to prevent unauthorized and/or dangerous behaviors, monitor the system for scheduled and unscheduled maintenance, validate operational processes, and control policy execution.

To learn how SilentDefense can help simplify compliance with Section 2013 of America’s Water Infrastructure Act (AWIA), check out our compliance guide.

Demo RequestForescout PlatformTop of Page