The cybersecurity breach in Oldsmar, Florida drives home the importance of the cybersecurity recommendations included in America’s Water Infrastructure Act (AWIA).
“The U.S. Department of Homeland Security has been issuing warnings for more than a decade about the existence of hackers who aim to harm the nation’s electrical grid and water systems. The Risk and Resilience Assessments and Emergency Response Plans that are required under the AWIA include cybersecurity considerations. Creating plans and ensuring the utility staff is aware of them is important to preventing or responding to a cyberattack like what happened in Florida,” says Nate Weisenburger, AE2S Drinking Water Practice Leader.
Under the AWIA, Risk and Resilience Assessments should consider the potential for malevolent acts and vandalism or terrorism. Emergency Response Plans are recommended to include the monitoring practices of the system, strategies to improve the cybersecurity of the system, and procedures that can detect or be implemented in the event of a malevolent act that threatens the ability of the community water system to deliver safe drinking water.
The U.S. Environmental Protection Agency (USEPA) has several tools to assist utilities gain compliance with AWIA requirements. The Vulnerability Self-Assessment Tool (VSAT) helps water providers prepare the AWIA Risk and Resilience Assessment. In addition, USEPA has an Emergency Response Plan template with instructions to help water systems develop or revise existing Emergency Response Plans.
The deadline for community water systems serving 50,000-100,000 people to submit Emergency Response Plans is June 30, 2021. The deadlines for systems serving 3,300 to 50,000 people are June 30, 2021 for Risk and Resilience Assessments and Dec. 31, 2021 for Emergency Response Plans.