Titus Crabb May 30, 2019

Government Mandates Municipalities to Perform Network Assessments

Now is the time for water utilities and municipalities to get serious about their network security. Cyber attacks are the top threat to critical infrastructure in the United States. In an effort to secure our nation’s critical infrastructure, the United States government passed the Water Infrastructure Act of 2018. This act mandates every community water system serving 3,300+ people to assess their network for risk and prove the resilience of their system in protecting against cyber threats and the deadlines are approaching.

This assessment must cover:

  1. The risk to the system from malevolent acts and natural hazards
  2. The resilience of the pipes and constructed conveyances, physical barriers, source water, water collection and intake, pretreatment, treatment, storage and distribution facilities, electronic, computer, or other automated systems (including the security of such systems) which are utilized by the system
  3. The monitoring practices of the system
  4. The financial infrastructure of the system
  5. The use, storage, or handling of various chemicals by the system
  6. The operation and maintenance of the system.

 One aspect of this requirement that many water districts struggle with is evaluating their SCADA control systems and operational technology (OT) networks, covered in item number 2 above. Because these systems can seem complex without specific expertise in how they work, this is an area in which water districts can often benefit from third-party support from an experienced system integrator.

We’ve got you covered. At Vertech, we have an extensive background and wealth of knowledge in industrial networks and SCADA control systems specific to municipalities and water districts, coupled with a team of highly trained and certified IT/OT professionals.

Our team of network engineers can satisfy the control and SCADA-related requirements of this act and ensure the security of your systems by assessing the current state of your control systems and network infrastructure. Specifically, we can provide documentation of your existing control and SCADA system assets and networks and provide actionable recommendations to improve your cyber-security posture to industry standards.

After the network assessment, the Water Infrastructure Act of 2018 requires that municipalities prepare and/or update their emergency response plan that incorporates the findings of the risk assessment. Emergency response plans should include:

  1. Strategies and resources to improve the resilience of the system, including the physical security and cybersecurity of the system
  2. Plans and procedures that can be implemented, and identification of equipment that can be utilized, in the event of a malevolent act or natural hazard that threatens the ability of the community water system to deliver safe drinking water
  3. Actions, procedures and equipment which can obviate or significantly lessen the impact of a malevolent act or natural hazard on the public health and the safety and supply of drinking water provided to communities and individuals, including the development of alternative source water options, relocation of water intakes and construction of flood protection barriers
  4. Strategies that can be used to aid in the detection of malevolent acts or natural hazards that threaten the security or resilience of the system.


Based on the initial assessment, the Vertech team can develop emergency response and disaster recovery plans specific to your SCADA control systems and OT networks as well as develop ongoing maintenance procedures to ensure continued compliance and keep your plant running smoothly from an operational and security standpoint.

The deadline for completing your risk assessment and emergency response plan depends on your municipality’s population size. Emergency response plans are due six months from the date of the risk assessment. Here is a chart to determine which deadlines apply to your organization:

Screen Shot 2019-05-30 at 2.04.13 PM 
*Emergency response plan certifications are due six months from the date of the risk assessment certification. The dates shown above are certification dates based on a utility submitting a risk assessment on the final due date.  For more information on complying with this new law, please visit:  https://www.awwa.org/Resources-Tools/Resources/Risk-Resilience


Learn more about assessing, managing, and protecting your industrial networks by downloading our white paper, 5 Practical Steps for Managing Critical Control Networks. To get started on your SCADA control system and network security assessment, contact us.






Sign up to get the latest from Vertech delivered right to your inbox.