If your water utility is preparing to review and recertify its risk and resiliency assessment (RRA) or emergency response plan (ERP) in accordance with America's Water Infrastructure Act (AWIA) requirements, I have one word for you: consolidate.

It is not unusual for utilities to maintain separate, uncorrelated plans for physical and cybersecurity. Now would be a great time to combine both into a single, integrated all-hazards plan. In addition to meeting regulatory needs, an integrated plan can result in smarter capital investments and operations and maintenance spending. It can also help bring stakeholders onto the same page and — most importantly — reduce security vulnerabilities.

Here are some tips on how to create a framework for your updated plan.

  1. Assess any risks. The physical and cyber risks facing a community water system can be overwhelming. So, instead, begin by identifying and prioritizing the assets that are most valuable to the utility and then assess the risks facing each one.

    Keep in mind that an asset’s value isn’t limited to its financial cost. It’s also valued in terms of:

    • Confidentiality — Does the asset contain sensitive information that would place the utility at risk if it got into the hands of the wrong people, or if the right people were prevented from accessing it?
    • Integrity — How important is it to maintain the consistency, accuracy and trustworthiness of the asset’s performance or the data it produces over its life cycle?
    • Availability — How critical is the asset to maintaining a properly functioning water system, and what happens if it is not available?
    • Resiliency — Should something happen to a water system, will this asset be resilient enough to maintain some level of service to customers?
  2. Leverage current relationships. Your utility’s existing technology suppliers want you to succeed. In fact, they have a vested interest in your ability to achieve a successful outcome. So don’t be shy about talking to them about security needs and asking for help in filling security gaps and meeting new, more stringent requirements.

    A utility’s technology providers benefit from having a solid understanding of processes and will likely be able to offer insights on the best practices common in the industry. You may also be able to drive them to develop solutions that address emerging needs. In other words, it’s smart to put security standards in place as a requirement for suppliers and vendors.
  3. Consider new technologies. And that includes the requirements that accompany them. Given the obligation to deliver a clean, safe water supply, a utility may be hesitant to serve as a guinea pig for new security solutions and technologies. However, if systems are outdated or becoming outdated and a utility’s security needs are evolving, new technologies may need to be relied upon for adequate protection.

    However, investing in new solutions is just the first step. Also consider how new security tools will integrate with your current processes and what training requirements will be needed for the personnel responsible for them. In many cases, new processes may need to be established to enable staff to do their jobs well.
  4. Test, measure and refine during implementation. The successful implementation of new solutions does not mean a security system is complete. Ongoing program testing in real-life scenarios is a valuable tool, not only for rollouts and pilot testing but also for ongoing updates and evaluations of future products.

    Because the best security programs are based on constant improvement, measurement should be constant. That includes tracking performance goals, including how quickly your utility identifies and responds to potential system breaches. By continuously testing, measuring and refining, you can create a culture of checks and balances and achieve a life cycle of process improvement.

In a nutshell: The key to a solid security program is understanding the assets you’re trying to protect and then using people, processes and technologies to build security around them. Then test and repeat.



Jason Vigh is a cybersecurity manager at 1898 & Co., part of Burns & McDonnell. He leads cybersecurity efforts for a wide variety of clients and projects. Jason is a Certified Information Systems Security Professional (CISSP) and has completed the AWWA Utility Risk & Resilience Certificate Program. He earned a Bachelor of Science in law enforcement from Western Illinois University, Bachelor of Science in information technology from DeVry University and a Master of Science in network and communications from the Keller Graduate School of Management.