vvEPA

WATER SECTOR CYBERSECURITY PROGRAM
CASE STUDY: Medium Drinking Water System #2

Cybersecurity:	Take Charge

OVERVIEW

This medium-sized drinking water utility provides safe drinking water to 85,000 customers. With cybersecurity
threats growing every day, and news that other local entities had experienced ransomware disruptions, this
utility decided to reduce its cyber risks while increasing staff cybersecurity awareness and culture.

CYBERSECURITY APPROACH

With no one person in charge of cybersecurity, past efforts at the utility lacked momentum and cohesion. To
energize and focus these efforts, the utility hired a full-time IT Manager to oversee both its information
technology (IT) and operational technology (OT) systems. The new manager leveraged several free
cybersecurity resources and technical assistance programs:

	EPA's cybersecurity assessment and technical assistance program

	Tabletop exercises conducted by regional DHS Cybersecurity and Infrastructure Security Agency
(CISA) representatives

	Nationwide Cybersecurity Review (NCSR) self-assessment based on the National Institute of
Standards and Technology (NIST) Cybersecurity Framework

	Guidance, tools, and free services (e.g., alerts) from the Multi-State Information Sharing and
Analysis Center (MS-ISAC)

	American Water Works Association (AWWA) water sector cybersecurity resources

	Local water sector associations/organizations

	A cyber audit performed by the state auditor's office

These resources enabled the IT manager to better understand the water sector's cyber risks and what
could be done to mitigate them. Several cyber improvents were instituted at the utility:

DEVICE SECURITY

VULNERABILITY MANAGEMENT

	Completed a thorough asset
inventory to identify and
replace legacy equipment

	Implemented server upgrades

 Employed active vulnerability detection to apply
software updates and patches

RESPONSE AND RECOVERY

DATA SECURITY

 Established offsite back-ups of critical data

 Deployed a Managed Detection and

OTHER

Response (MDR) service

 Instituted virtual local area networks (VLANs)



to segment the OT and IT networks

Page 1 of 2


-------
vvEPA

The IT Manager is also working on creating the utility's IT and OT standards to cover topics such as
hardware retirement/replacement, acceptable use of utility devices, incident response procedures, data
disposal criteria, password control, malware detection, and media protection.

LESSONS LEARNED

	Research and take advantage of all the free resources available to help implement cybersecurity
practices.

	A stepwise, methodical approach with the understanding that you will not be able to do everything
you want to do at once can help limit frustration.

	Invest time and resources on staff cybersecurity awareness training. Bottom line: you want to
build both cybersecurity awareness and a cybersecurity culture at your utility.

READY TO BUILD YOUR CYBERSECURITY PROGRAM?

Ready to make your utility more cyber secure? EPA can help. Visit the Cybersecurity for the Water Sector
website and learn more about resources that can bring your utility one step closer to cybersecurity resilience.

Office of Water (4608T)

Page 2 of 2

EPA 817-F23-007

December 2023


-------