USEPA Resources
Cybersecurity & Infrastructure Security Agency (CISA) 
  • Free Cybersecurity Services and Tools
    CISA offers a range of no-cost, in-house cybersecurity services to help individuals and organizations build and maintain a robust and resilient cyber framework, and maintains a list of free cybersecurity services and tools provided by the private and public sector to help organizations further advance their security capabilities.
  • Free CISA Assessment Services
    CISA assessment services are available at no cost. Federal, state, local, tribal and territorial governments, as well as public and private sector critical infrastructure organizations, can use these free Cyber Hygiene services.
  • CISA's Water and Wastewater Cybersecurity page
    Toolkit with the most relevant CISA and EPA resources to protect against, and reduce impacts from, threats posed by malicious cyber actors looking to attack water and wastewater systems. 
  • Shields Up!
    CISA’s Shields Up campaign webpage provides recommendations, products, and resources to increase organizational vigilance and keep stakeholders informed about cybersecurity threats and destructive exploits against critical infrastructure.
  • Cross-Sector Cybersecurity Performance Goals
    Baseline cybersecurity performance goals that are consistent across all critical infrastructure sectors. These voluntary cross-sector Cybersecurity Performance Goals (CPGs) are intended to help establish a common set of fundamental cybersecurity practices for critical infrastructure, and especially help small- and medium-sized organizations kickstart their cybersecurity efforts. 
  • Water and Wastewater Sector - Incident Response Guide
    The Water and Wastewater Sector has been impacted by various cyber events, including unauthorized access and ransomware. Continued compromises or failures of the WWS Sector could cause cascading impacts across critical infrastructure. The guide outlines how water utility owners and operators can expect to work with federal partners as they prepare for, respond to, and mitigate the impact of a cyber incident.
  • Top Cyber Actions for Securing Water Systems
    This fact sheet highlights the top cyber actions water systems can take today to reduce cyber risk and improve resilience to cyberattacks and provides free services, resources, and tools to support these actions, which can be taken concurrently.
  • Actions for Critical Infrastructure Leaders
    This fact sheet provides an overview for executive leaders on the urgent risk posed by People’s Republic of China (PRC) state-sponsored cyber actors known as “Volt Typhoon.” 

Water Information Sharing and Analysis Center (WaterISAC) 

  • Cybersecurity Fundamentals for Water and Wastewater Utilities
    The guide contains dozens of best practices, grouped into 15 main categories, that water and wastewater systems can implement to reduce security risks to their IT and OT systems. Each recommendation is accompanied by links to corresponding technical resources, giving you the information and tools you need to take a deep dive into this acutely important issue. The guide will also be helpful to utilities preparing risk and resilience assessments required by America’s Water Infrastructure Act, or AWIA. The 15 fundamentals will also be especially useful for informing emergency response plans, because AWIA requires those plans to address mitigation and resilience options.

US Dept of Justice

  • Best Practices for Victim Response and Reporting of Cyber Incidents
    Originally published to help organizations prepare a cyber incident response plan and be equipped to respond effectively and lawfully to a cyber incident. Now includes additional incident response considerations, including ransomware, cloud computing, and working with cyber incident response firms.

AWWA Cybersecurity Resources

Water Sector Cybersecurity Risk Management Guidance: Practical, step-by-step guidance from AWWA for protecting process control systems used by the water sector from cyberattacks. Following this guidance saves time and yields more comprehensive, accurate and actionable recommendations from the Assessment Tool.
Assessment Tool: This interactive tool asks utilities to examine how they are using various technologies. Based on responses, the tool generates a customized, prioritized list of controls most applicable to the utility’s technology applications. Utilities can use this output to determine the implementation status of critical controls designed to mitigate cybersecurity vulnerabilities. AWWA website login is required for access.
Small Systems Guidance: A getting-started guide to help small and rural utilities improve cybersecurity practices. This resource is targeted for water utilities serving fewer than 10,000 people, and especially those serving fewer than 3,300 people, and follows the Water Sector Cybersecurity Risk Management Guidance.