Navigating Cybersecurity Threats and Regulatory Compliance in US Water and Wastewater Utilities

Cybersecurity threats to U.S. water and wastewater facilities have escalated over the past 12 months resulting in significant disruptions to plant operations. 

As utilities increasingly invest in modern Supervisory Control and Data Acquisition (SCADA) and industrial control systems, the cybersecurity attack surface has expanded, necessitating heightened vigilance from plant information technology (IT) and security teams. However, many water and wastewater facilities operate within limited cybersecurity budgets, balancing operational performance and safety with IT and cybersecurity. Today’s challenge for utilities is to defend against increasingly sophisticated cyber exploits that can cause grave damage while maintaining focus on core operational objectives. 

Recent directives and regulatory actions from the U.S. government now mandate that water and wastewater facilities implement baseline cybersecurity standards and promptly report substantial incidents to the Department of Homeland Security's Cybersecurity Infrastructure Security Agency (CISA). Notably, the newly introduced Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) legislation requires water entities to categorize and report significant cyber incidents, ensuring the maintenance of operational and network data for auditability. 

At Jacobs, we play a crucial role in the water sector. Since our beginnings, we’ve designed thousands of water and wastewater systems around the world, and currently operate more than 250 of them across the U.S. Additionally, we offer cybersecurity and risk management consultative support, including U.S. Environmental Protection Agency (EPA)-mandated America’s Water Infrastructure Act (AWIA) Risk and Resilience Assessments (RRA), which prioritize cybersecurity readiness. Our expertise spans traditional plant operations, SCADA systems, and contemporary cybersecurity practices, enabling us to assist utilities in meeting current standards and complying with CIRCIA requirements. 

Introducing our Cyber Ready assessments   

Elevated cyber threat levels and increasing regulatory requirements are compelling water and wastewater facilities to evaluate their current compliance with standards such as ISA/IEC 62443, NIST 800-53, and NIST 800-82. As OT increasingly adopts IT solutions to enhance business system connectivity and network performance, OT assets have become more susceptible to software exploits. These vulnerabilities can have repercussions on enterprise IT systems if not properly segmented. 

The AWIA mandates that community water systems in the U.S., serving more than 3,300 people, certify their risk and resilience plans by 2025. These plans include robust cybersecurity assessments covering asset and data protection, cyber monitoring protocols and incident response. Utilities must ensure that assets, from pump stations to IT networks, adhere to contemporary cybersecurity standards. 

Many utilities would greatly benefit from independent cybersecurity assessments across both IT and OT assets. These assessments can diagnose vulnerabilities and recommend practical corrective actions, considering operational, safety and budget constraints. At Jacobs, we understand the priorities of utility operators and the trade-offs made by management teams managing complex production and clean water delivery operations. Our experience combines operational insights with sector-specific cybersecurity practices, enabling us to responsibly diagnose and implement cybersecurity processes and technologies for utilities. 

Our assessment framework incorporates the latest cyber threat intelligence. Working closely with operational and IT leaders, we identify vulnerabilities and establish a threat-prioritized, budget-aligned roadmap. This roadmap includes process implementation, training for IT and OT personnel and investments in technologies to meet current cybersecurity standards. Utilities emerge from our cyber assessments with a clear understanding of vulnerabilities across all domains and a realistic execution plan for mitigation and enduring cyber resilience. 

What’s next?

On April 4, 2024, CISA released a proposed rule titled “Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements.” The bill was originally signed into law by President Biden on March 15, 2022 and covers the 16 critical infrastructure sectors outlined in Presidential Policy Directive-21. Entities in a critical infrastructure sector that either exceed the small business size standard or meet a sector-based criterion are subject to the rule. As a result, all water and wastewater utilities serving populations of more than 3,300 people will be required to comply with CIRCIA reporting standards based on the sector-aligned criteria. 

The new proposal focuses on “substantial cyber incidents” experienced by a covered entity. Incidents meeting this criterion include substantial loss of confidentiality, integrity, or availability to IT systems and networks. It also includes impacts to the safety and resiliency of OT and physical processes. More broadly, any disruption of a covered entity’s ability to engage in business or industrial operations will be covered along with unauthorized breaches of cloud service providers, managed service providers, third party data hosting providers or supply chain compromises. 

The proposal also sets new submission timelines for covered incidents. All substantial cyber incidents must be reported within 72 hours after a covered entity “reasonably believes” a covered incident occurred. Importantly, ransomware payments must be reported 24 hours after the payment was made. Public comments on the regulation are due in June 2024 with a final rule publishing deadline of October 2025. 

As CIRCIA moves closer to being implemented, utilities must begin preparing for the litany of new reporting requirements. This involves establishing new system and data management processes that allow for improved security visibility and ease of reporting. Additional IT and OT data infrastructure to warehouse network logs and other auditable data may also be necessary. Emergency response plans should be updated to incorporate cybersecurity mitigation and response including detailed communication plans with stakeholders. In summary, CIRCIA necessitates a new paradigm for cybersecurity data management and response that utilities must quickly begin preparing for. 

At Jacobs, we’ve have created our cyber readiness assessment framework to help utilities understand their cybersecurity posture from the network to the plant floor. Our comprehensive approach starts by identifying gaps aligned to the latest threat intelligence and sets the course for the establishment of full-spectrum cybersecurity defense within a modern water/wastewater utility. We understand the roles that systems, data and stakeholders play throughout the utility environment and establish practical processes and recommended technology adoption to enable strong cybersecurity while remaining focused on the operational work at hand.  Finally, our agile cyber readiness  solution begins preparing entities for CIRCIA compliance with a focus on the efficiency of reporting and complete compliance with regulatory requirements.