Recently, the EPA issued an urgent enforcement alert for water utilities and community water systems around the country requiring immediate steps to reduce cybersecurity vulnerabilities and ensure compliance with SDWA Section 1433. The alert was published following a number of cybersecurity incidents against community water systems across the country. Based on these incidents, we know that many water utilities around the country are vulnerable to foreign adversaries potentially manipulating operational technology. Read on to find out how this can affect procurement.
If you work for a water utility, the first move should be to follow any guidance directly from the EPA. But the severity of this vulnerability should be a wake-up call for agencies of all kinds to assess the state of their cybersecurity, and to bolster it. As long as you are storing sensitive information, your agency should be attentive to any possible security vulnerabilities.
The EPA Enforcement Alert
On Monday, May 20th, the Environmental Protection Agency issued an alert to agencies across the country. Of the utilities inspected, over 70% were vulnerable to cyberattacks and were noncompliant with the Safe Drinking Water Act (SDWA). This is alarming, given that cyberattacks on water utility systems are on the rise.
This past December 2023 saw a cyberattack from an Iran-affiliated group that targeted water utilities in several states, including a small Pennsylvania town of just 5,000. No matter how small, any agency that manages sensitive infrastructure is a possible target.
What is the Safe Drinking Water Act (SDWA) Section 1433?
From the EPA’s guidelines: “On October 23, 2018, America’s Water Infrastructure Act (AWIA) was signed into law. AWIA Section 2013, which amended Section 1433 of the Safe Drinking Water Act (SDWA), requires community (drinking) water systems (CWSs) serving more than 3,300 people to develop or update risk and resilience assessments (RRAs) and emergency response plans (ERPs). The law specifies the components that the RRAs and ERPs must address, and establishes deadlines by which water systems must certify to EPA completion of the RRA and ERP.”
AWIA Section 2013 also requires the EPA to provide guidance and technical assistance to water systems that serve fewer than 3,301 people on how to conduct RRAs and ERPs.
How could this affect my procurement operations?
In public procurement, solicitations for contracting opportunities can contain sensitive information. The solicitation documents produced by a water district, for example, may contain information that bad actors could use to do wide-scale damage to water infrastructure.
This isn’t unique to water districts, either; school districts have similar concerns in publishing solicitation documents that may have floorplans for a school building in their district, and keeping this kind of information out of the public eye is a priority for them as well.
As a buyer, there will always be a challenge in balancing the distribution of information about your upcoming contracting opportunities, restricting sensitive information while ensuring that prospective vendors can still put together accurate bids and proposals.
What can I do to help secure my agency’s procurement operations?
Immediate Steps
As soon as possible, your agency should implement any changes suggested by EPA guidance, and perform the EPA’s cybersecurity assessment to identify and correct any vulnerabilities. The EPA also recommends bringing your agency into compliance with 2018’s America’s Water Infrastructure Act, Section 2013, which stipulates new requirements for risk assessment and emergency response plans. The EPA has prepared a thorough cybersecurity assessment for drinking water and wastewater systems.
Agencies of all kinds can benefit from implementing some of the cybersecurity recommendations given to water districts, and some of those resources are linked at the bottom of this page.
An immediate action to take today to mitigate security risk is to have everyone in your office: 1. implement multi-factor authentication on any system which has personally identifiable or sensitive information; 2. use strong, unique passwords; and 3. check systems for default passwords and change them to something secure.
Use Strong Encryption
Securing your sensitive information with strong encryption is a must. According to the EPA’s Water Cybersecurity Assessment Tool and Risk Mitigation Template: “When sending information and data, use Transport Layer Security (TLS) or Secure Socket Layer (SSL) encryption standards.”
This especially applies to sensitive documents and files that the public could have access to, such as solicitation documents that have sensitive infrastructure information. For instance, if the bid packet includes a schematic for a treatment plant, this could reveal weaknesses in exterior physical plant security and open it to possible breach by a bad actor.
Scan for Viruses
Scanning any file uploads for viruses is absolutely critical. If you accept electronic copies of bids through USB drives or CDs, there is a huge risk of malicious files that you could unknowingly introduce to your systems. Bid Locker has automatic virus scanning to ensure that no such risk exists.
Limit File and Document Access
You should also take steps to ensure that documents containing sensitive information about your water infrastructure are not made widely available to the public. If your e-procurement platform allows you to lock solicitations down only to vendors you authorize, this is an important step to take.
Our e-procurement platform, Bid Locker, includes a number of tools and features to make sure that your sensitive infrastructure information is kept private and sensitive documents are only seen by the right eyes. It gives you fine-grained control over who can access documents, from manually approving vendors for access to your solicitation information to allowing per-solicitation access granted to vendors you’ve vetted.
It also allows you to monitor who has accessed them. You can apply this to specific solicitations, and you can also lock solicitations down to certain vendors only.
Accept Bids Securely
Accepting bids via email or mail risks bad actors accessing documents. Bid Locker’s Secure Lock Box, a virtual bid submission window, has enterprise-grade security that encrypts both database records (where vendor information is stored) and vendor-submitted documents. You also want your vendors to be confident that their documents and personal information won’t be compromised by hacking, phishing, or direct system access.
Prevent Data Scraping
In addition, your agency should take care to prevent plan centers from accessing your solicitations. Plan centers often scrape solicitation data and bid documents and disseminate them widely for profit, without any concern given to access controls that you might have set up. Bid Locker’s Plan Center Exclusion features can help limit the ability of plan centers to access, redistribute, and profit off your sensitive infrastructure information.
Implement a Cybersecurity Response Plan (And work with vendors who have one)
The EPA’s guidance recommends that agencies “Require vendors and service providers to notify [the agency] of potential security incidents and vulnerabilities within a stipulated timeframe described in procurement documents and contracts.”
We take our agencies’ security very seriously, and our cybersecurity incident response (IR) plan includes rapid notification of potential security incidents or vulnerabilities in a risk-informed timeline, in accordance with the EPA’s cybersecurity threat assessment guide.
In addition, Bid Locker’s built-in virus scanner automatically scans all your documents, and if it detects a suspicious upload attempt, an item is flagged and you are notified (as recommended by the Water Sector Incident Action Checklist).
Cyberattacks are on the rise
In addition to the attack from the Iran-affiliated hackers, which targeted programmable logic controllers, two other recent notable water utility cybersecurity incidents occurred. In a recent blog post, Microsoft said it has uncovered a China-affiliated hacker group that has targeted multiple different types of critical infrastructure agencies. And last month, a Russian hacktivist group breached a rural Texas town’s water system, causing it to overflow.
The implications of this state-sponsored hacking of our infrastructure are alarming, to say the least. Microsoft postulates that these attacks are indicative of a potential larger and more wide-scale attack on our infrastructure by one of our geopolitical rivals, aimed at very seriously disrupting government agencies and essential American operations. This highlights the urgency for public utilities and other essential agencies to strengthen their cyber and operational security.
Resource List
EPA: Water Security Cybersecurity Evaluation Program
EPA: Water Cybersecurity Tool and Risk Mitigation Template
EPA: Guide to Cybersecurity Assessments
EPA: 2019 Risk Assessment and Emergency Response Plan Requirements for Community Water Systems
EPA: America’s Water Infrastructure Act Section 2013: Risk and Resilience Assessments and Emergency Response Plans (many linked resources within this page)
EPA: Small Community Water System Risk and Resilience Assessment Checklist
EPA: Water Enforcement Guide
CISA/EPA/FBI: Top Cyber Actions for Securing Water Systems
EPA: Cybersecurity Planning Resources
CISA: Free Cyber Vulnerability Scanning for Water Utilities
CISA: Cybersecurity Advisory – Iran-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities (full details about what was compromised and how)
This post was written by a person, not AI.