v> EPA
Assessing if a Water & Wastewater
System has Operational Technology
This document helps to determine if a Water and/or Wastewater System (WWS) is using operational
technology (OT).
NOTE: Even if a WWS's OT system
is "air-gapped," meaning it is not
connected to the Internet, it may still
be vulnerable to cyber incidents.
Does the WWS use any OT?
• The term "operational technology" means hardware and
software that detects or causes a change through the
direct monitoring or control of physical devices,
processes, and events in the enterprise.
• In other words, OT is technology that uses a combination
of software and hardware to monitor and control specific
devices and processes in an industrial setting.
• A WWS may use OT for one or more of the following operational processes: source water
intake, treatment, distribution, water storage, pumps, and monitoring.
• Examples of OT include industrial control systems (ICS) such as Supervisory Control and Data
Acquisition (SCADA) systems for drinking water treatment and distribution, building
management systems, fire control systems, and physical access control mechanisms.
Does the WWS use any of the following OT commonly found at a WWS?
SCADA:
A system of software and hardware components
that allow the WWS to control industrial processes
locally or at remote locations; monitor, gather, and
process real-time data; directly interact with
devices such as sensors, valves, pumps, motors,
and more through human-machine interface (HMI)
software; and record events into a log file.
Please note: This is a short list of some of the more commonly found OT at WWSs. It is not
intended to be an exhaustive list of all OT that may be used at a WWS.
Office of Water (4608T)
EPA-810-F-23-031
January 2024
-------�
HMI:
A user interface or dashboard that connects a person to
a machine, system, or device. While the term can
technically be applied to any screen that allows a user to
interact with a device, HMI is most used in the context of
an industrial process.
Figure 2 HMI
Programmable Logic Controllers (PLCs):
Small industrial computers, with various inputs and
outputs, used to control and monitor industrial
equipment based on custom programming.
Ll IJ
ccc
c
c c
3
mm ww
Remote Terminal Unit (RTU):
Remote Telemetry Unit or Remote Telecontrol
Unit is a control device typically installed in a
remote location as part of a larger system. The
main purpose of an RTU is to monitor and
control field devices, such as valves, actuators,
sensors, and more.
Are there systems that have a low cybersecurity risk?
A VWVS with hardware-based OT that does not meet any of the conditions below may have a lower
cybersecurity risk:
• Connected or occasionally connected to a computer (for any reason including alarm
reporting), or
• Connected or occasionally connected to a network (local, wide area or internet), or
• Are remotely accessible or occasionally remotely accessible (either for control or monitoring)
If you are still unclear whether a VWVS has OT, EPA's Cybersecurity Technical Assistance Program
for the Water Sector can help you. Click on the link to submit your questions or request to consult
with a subject matter expert about cybersecurity today!
Office of Water (4608T)
EPA-810-F-23-031
January 2024
-------� |