
Tackling the Challenge of Employing Industrial Cybersecurity to Protect Public Water Systems (PWSs)


According to government statistics, there are approximately 153,000 public drinking water systems and more than 16,000 publicly owned wastewater treatment systems in the United States. Nearly 270,000,000 people (about 80 percent of the population) get their drinking water from these water systems and about 75 percent rely on them for sewerage treatment.

Until recently, only large Public Water Systems (PWSs) were required to have cybersecurity plans, but recent cyber attacks have shone a spotlight on the susceptibility of smaller PWSs too.

In September 2020, files in the operating system of a New Jersey-based wastewater system were compromised by hackers. In January 2021, a hacker gained access to a system controlling a water treatment plant that serves part of the San Francisco Bay Area using a former employee’s username and password. Three months later, cyber attackers introduced ransomware to a wastewater plant in Nevada. And in July 2021, hackers gained access to a wastewater facility’s SCADA computer in Maine.

Subsequent incidents show that the threat to PWSs is real and growing.


New Requirements for Cybersecurity

The consequences of a PWS cyber attack can be significant for the safety and wellness of PWS customers and the environment, which is why the nation’s water systems are now considered National Critical Functions (NCFs).

The US Cybersecurity and Infrastructure Security Agency (CISA), which is responsible for the nation’s cyber defense, defines NCFs as services that “would have a debilitating effect on security, national economic security, national public health or safety” if they were disrupted, corrupted or dysfunctional. Every service classified as an NCF must be protected by a robust cybersecurity plan.

A memorandum issued by the US Environmental Protection Agency (EPA) in March 2023 mandates that every PWS have a robust cybersecurity program. Each facility must meet basic cybersecurity requirements and include cybersecurity audits in its regular safety inspections.

To help PWSs through the process, the EPA has issued Evaluating Cybersecurity During Public Water System Sanitary Surveys, which provides guidance for conducting the requisite inspections and explains the responsibilities states have for assessing systems for weaknesses (including defects in design, operation, maintenance or malfunctions in the sources, treatment, storage or distribution system) and taking action to address them.


Taking Steps to Safeguard Facilities

Three Things You Can Do to Get Started
  1. Use the EPA memorandum to secure funding. Implementing a cybersecurity program costs money. Many PWSs do not have the resources to go it alone, so gaining access to government support is the first step on the road to meeting the new requirements.
  2. Leverage the memorandum to get management buy-in. Developing and implementing a successful cybersecurity program requires top-down support. The EPA memorandum lays out the objectives each PWS has to meet and serves as a platform for building the executive leadership involvement that is vital to success.
  3. Take advantage of existing knowledge. Other industries across the country have implemented workable cybersecurity plans and some PWSs already have established cybersecurity programs, so there is no need to reinvent the wheel. Seek out experts and capitalize on “lessons learned” to put your cybersecurity program together.


ABS Consulting is helping PWSs protect their drinking and wastewater plant operations from cyber attacks with a consequence-driven methodology that considers the following risk variables:

  • Threat – an occurrence or action that has the potential to harm life, information, operations, the environment and/or property
  • Vulnerability – physical feature or operational attribute that exposes a PWS to exploitation or a given hazard
  • Consequence – effect of an event or incident.

With this methodology, cyber threats are prioritized by criticality and represented visually in a bowtie model that shows the steps taken to minimize the likelihood of a cyberattack and mitigate the consequences if cybersecurity is breached.


ABS Group Cybersecurity Methodology


The ABS Consulting team of experts works with clients in multiple industries to understand the cyber risks that are unique to the digital and computer-based systems that run industrial operations, also known as Operational Technology (OT), and to help build effective, manageable security solutions that are relevant to OT systems.

Additionally, ABS Consulting can help operationalize your OT cybersecurity program with our Industrial Security Operations Center (ISOC), staffed with OT cybersecurity experts who help you identify, respond to, remediate and recover from cyber attacks with 24/7/365 system monitoring.

Why ABS Consulting?

We're the Experts

ABS Consulting provides a comprehensive portfolio of OT cybersecurity consulting, implementation and risk management services. We help organizations like yours identify and mitigate critical cyber threats in real time. We focus on stopping the bad guys so you can focus on what really matters: Your Operations.
