Water System Cybersecurity

Resources for addressing vulnerabilities and risks for system operations.

Cybersecurity is one of the top threats facing business and critical infrastructure in the United States. All drinking water systems should examine cybersecurity vulnerabilities and develop a cybersecurity risk management program, thus mitigating a cyberattack from impacting system operations. Breaches in cybersecurity practices can compromise the ability of drinking water and wastewater utilities to provide clean and safe drinking water to customers, erode customer confidence and result in financial and legal liabilities. All drinking water systems should examine cybersecurity vulnerabilities and develop a cybersecurity risk management program, thus mitigating a cyberattack from impacting system operations.

Pilot Program - Overwatch Foundation
Overwatch Foundation is a nonprofit organization based in Concord, New Hampshire working with NHDES and the New Hampshire Department of Information Technology (DoIT) on a pilot project called “Cyber in a Box.” This project is funded by the American Rescue Plan Act of 2021 (ARPA) and was put together to assist public water systems with their cybersecurity needs and concerns. Public water systems are selected for this project based on need and amount served. If you are interested in being considered for this project please contact Brenda.J.Leonard@des.nh.gov.

Reporting an Incident

Organizations should report anomalous cyber activity and/or cyber incidents 24/7 to the contacts below. Keep your thresholds low. Do not be afraid to report something that doesn't seem right.

Improve Cybersecurity with Emergency Planning

It's important to have a cybersecurity action plan in place to help plan for, respond to, and recover from a cybersecurity attack. This can be included in your community water system emergency plan.

Tips to Improve Cybersecurity:

Incorporate phrases into passwords along with numbers and symbols (recommended minimum 16 characters).
Implement vulnerability scanning.
Conduct a cybersecurity assessment.

For more information on water system emergency planning, visit the Public Water System Emergency Planning webpage.

Assessing the risks to cybersecurity practices is a federal requirement for community drinking water systems under EPA's America’s Water Infrastructure Act (AWIA). Specifically, the water system shall evaluate components of the water system that uses electronic, computer, or other automated systems including the security of such systems.

Cybersecurity Assessments

NHDES recommends community water systems conduct a cybersecurity assessment to identify gaps in cybersecurity practices. If you have not already completed a cybersecurity assessment, the EPA and CISA are offering the following FREE assessments for drinking water and wastewater systems:

DHS CISA is available to help drinking water and wastewater systems improve resiliency against cyber threats. CISA cybersecurity assessments are a free resource. If your system is interested in an assessment, please review the DHS CISA assessments and contact Richard Rossi at richard.rossi@cisa.dhs.gov. For any additional questions please contact:

Richard F. Rossi
Cybersecurity Advisor – New Hampshire
Cybersecurity and Infrastructure Security Agency
U.S. Department of Homeland Security
Mobile: 202-770-8991 | Email: richard.rossi@cisa.dhs.gov

EPA is offering free cybersecurity assessments and technical assistance to drinking water systems. For more information and registration, please visit the EPA Water Sector Cybersecurity Evaluation Program.

Additional Resources

Below are resources to help maintain a safe and secure water utility while reducing risks and mitigating potential impacts.

History of the Cybersecurity Grant Program

The American Rescue Plan Act of 2021 (ARPA) previously funded cybersecurity improvements to drinking water and wastewater systems to develop and implement programs to proactively mitigate the risk of cybersecurity attacks.

Learn more