Welcome to the AWWA Water Sector Cybersecurity Risk Management Tool

The AWWA Water Sector Cybersecurity Risk Management Tool is designed to support utilities in developing their cybersecurity risk management strategy while also facilitating compliance with the cybersecurity provisions in §2013 of America’s Water Infrastructure Act (AWIA) of 2018. The risk and resilience assessment must consider malevolent and natural hazards that may impact critical assets, including the following that may be vulnerable to cyber threats:

  • electronic, computer, or other automated systems;
  • the monitoring practices of the system; and,
  • the financial infrastructure of the system.

The emergency response plan provisions of AWIA requires a utility to address the following:

  • strategies and resources to improve the resilience of the system, including the physical security and cybersecurity of the system;
  • plans and procedures that can be implemented, and identification of equipment that can be utilized, in the event of a malevolent act or natural hazard that threatens the ability of the community water system to deliver safe drinking water;
  • actions, procedures, and equipment which can obviate or significantly lessen the impact of a malevolent act or natural hazard on the public health and the safety and supply of drinking water provided to communities and individuals, including the development of alternative source water options, relocation of water intakes, and construction of flood protection barriers; and
  • strategies that can be used to aid in the detection of malevolent acts or natural hazards that threaten the security or resilience of the system.

Utility Staff Engagement

Often, utility staff responsible for AWIA §2013 compliance are not cybersecurity technologists or those responsible for the secure and reliable operation of either the Process Control System (PCS) or enterprise systems. Therefore, it is recommended that a utility convene internal and external support staff, including, but not limited to:

  • Utility staff responsible for AWIA §2013 compliance.
  • Utility staff responsible for and knowledgeable in the design, operation, and maintenance of the utility’s PCS and enterprise systems (information technology).
  • Utility leadership responsible for overall operation of the utility.
  • Utility staff with the authority to make risk management decisions.
  • External support staff including technology vendors, engineering firms, etc., as appropriate.

This approach will improve the quality and timeliness of data collection. In addition, it is expected to reduce the overall time required to complete compliance actions while advancing the organizations cybersecurity risk management program/strategy.

Preparing to Use the Tool

It is recommended that users review the summary of the tool questions in Appendix C of AWWA Waster Sector Cybersecurity Risk Management Guidance document. This will allow the user to prepare appropriate responses directly or based on feedback from others, as needed. Once a user begins answering questions within the tool, they must complete the session since no input data is retained by AWWA. The only record of the session is in the output report generated and sent to the user.

Tool version (Version: 3.0.0)