Skip to main content

The Association of Metropolitan Water Agencies (AMWA) believes that water utilities have a responsibility to proactively protect their critical facilities from acts of terrorism, cyber attacks and other hazards. Congress should encourage all water utilities to frequently evaluate their security postures and resilience against a range of possible threats and make corrective actions when shortcomings are identified.

AMWA believes the U.S. Environmental Protection Agency (EPA) should continue to be the lead federal agency for security for the water and wastewater sector. Having more than one federal agency with that lead responsibility would be inefficient, possibly leading to duplication of effort, as well as be confusing to the sector. Simultaneous compliance with competing mandates from different agencies would be difficult, at best, and could lead to substantial costs with no real improvement in security or resilience.

But recognizing that other federal agencies have deep reserves of security expertise and resources, EPA should also work cooperatively with other federal entities, and should leverage the capabilities of the Cybersecurity and Infrastructure Security Agency (CISA) when exploring or recommending actions to improve the cybersecurity defenses of water systems.

Development of federal programs and recommendations on security should be done in close cooperation with the water and wastewater sector, where deep expertise on these matters reside.


Any water security program or requirement that includes the collection of data from water providers should explicitly prohibit the disclosure of such information under federal, state, and local public information laws. Likewise, federal, state and local agencies must take all internal precautions to prevent the inappropriate disclosure of water system information.

National information and intelligence sharing practices must adapt to meet the dynamic threat environment and address emerging threats. Federal policy should prioritizes helping water systems access and interpret cyber and physical threat information made available by WaterISAC and other reputable sources. As critical infrastructure protection is a national security priority, federal agencies should regularly brief the water sector on threats and vulnerabilities and provide unclassified information that can be shared with utilities.


The increasing attractiveness of water systems and other critical infrastructure assets as targets of cyber attacks poses new risks and challenges to water utilities. While individual water systems should be encouraged to review cyber best practices and guidelines for protecting information technology and industrial control systems, and to address any cybersecurity vulnerabilities that are identified, the federal government should not dictate the adoption of particular cyber defense mechanisms for water treatment facilities.

Any new or expanded federal security requirements should be accompanied by federal funding assistance that helps utilities update threat assessments or implement other physical security or water treatment process enhancements that the utility determines will increase security without compromising public health. Otherwise, new security evaluations or requirements will amount to unfunded federal mandates on local governments at a time when water treatment facilities are facing hundreds of billions of dollars in other priority infrastructure projects.

Legislative and regulatory proposals that would require the adoption of alternative disinfection chemicals or “inherently safer technologies” over the objections of local officials fail to recognize the potential for negative risk trade-offs and unacceptable costs. Requirements that propose, directly or indirectly, to displace locally preferred and effective treatment practices could undermine public health.

Finally, AMWA supports the federal government’s grouping of certain governmental and private sector capabilities into an organizational structure known as Emergency Support Functions (ESF), which provide support, resources, program implementation, and services for victims and communities following domestic incidents. However, the water sector should be placed entirely within its own ESF, as are other critical lifeline sectors like energy, communications and transportation.

Rationale:

  1. Metropolitan drinking water agencies are experienced in reviewing threats and evaluating their security and preparedness posture through their ongoing compliance with Section 1433 of the Safe Drinking Water Act. As a result of these activities, water systems have made significant strides in protecting their facilities and building resilience to a variety of hazards.
  2. Drinking water utilities are essential to maintaining public health, as well as its trust and confidence in a safe and reliable supply of water. Water utilities are on the front line for defending critical water facilities across the United States.
  3. Federal mandates requiring utilities to implement “inherently safer technologies” could conflict with drinking water disinfection options determined locally based on source water quality and other feasibility considerations. Switching from one technology to another is a matter of risk-tradeoffs, such as whether to manage risk presented by large chlorine gas supplies or to accept new risks from more frequent deliveries of smaller quantities by truck.
  4. The Department of Homeland Security (DHS) is charged with regulating security at the nation’s chemical facilities, but does not have similar authority over water and wastewater facilities. Because EPA oversees water utility compliance with required risk management plans under the Clean Air Act and vulnerability assessments under the Safe Drinking Water Act, altering this arrangement could result in confusing multiple-agency requirements being placed on water and wastewater systems.
  5. Water sector information technology and industrial control systems represent tempting targets for cyber criminals, and the compromise of such systems could have severe consequences for local water service and the public’s confidence in their drinking water. Because inflexible cybersecurity regulations could quickly become outdated, the federal government should incentivize individual water systems to periodically review their cyber defenses and ensure they are consistent with the latest industry best practices. Water systems that fail to take reasonable and appropriate steps to maintain their cyber defenses should be required to develop plans to address the problem.
  6. Placing the water sector within its own ESF will promote better communication and coordination with preparedness and response partners at all levels and align the water sector with other critical infrastructure sectors.