The state Public Service Commission has ordered all water and sewer utilities to conduct a cyber threat vulnerability assessment within 60 days.
The order was issued Thursday as “a general investigation to examine water and sewer system cybersecurity.”
“Cyberattacks against water and sewer utilities are increasing throughout the United States,” the PSC said in the order. “Cyberattacks threaten the distribution of clean and safe drinking water to the public. In addition, cyberattacks can create significant costs to the public and the affected utilities. Vulnerability to cyberattacks threatens water and sewer service at all levels.”
Because these utilities are key segments of state infrastructure, the PSC said, improving cybersecurity for water and sewer utilities is a high priority.
The PSC offered several options for conducting the assessment.
One, the EPA and Department of Homeland Security Cybersecurity and Infrastructure Security Agency provide cybersecurity assessment programs at no cost. EPA also provides a tool that produces an assessment report and risk mitigation plan: the EPA Water Cybersecurity Assessment Tool.
Two, the utility may contract with a third party for an assessment at its own cost.
In both cases, the utility must certify in a filing when and who performed the assessment. The PSC said it will not collect the results of the assessments nor any related documents.
And three, larger systems may already have threat assessment policies and procedures in place. In that case, within 60 days the utility should certify that it has those in place, along with the date of the last assessment, and identify the individual or entity that performed the assessment.
Once they’re complete, utilities will be required to develop a plan to address cyber threats, and to designate an individual employee responsible for compliance with that plan and to attend cybersecurity training for water and sewer utilities. This will be addressed in a later PSC order in this case.
PSC Chairman Charlotte R. Lane said in the announcement of the investigation, “This is a seriously developing problem across the nation and the Public Service Commission wants to be in the forefront of helping assure the safety of data concerning utilities and their customers. These attacks are widespread and will become more common, we fear, as we rely more and more on computers in our daily lives and in running our businesses.”
Morgantown Utility Board told The Dominion Post on Friday that, given the order was just issued late Thursday, it is still evaluating the route MUB will take with respect to what entity it will retain to conduct the threat assessment.
EMAIL: dbeard@dominionpost.com
TWEET @DominionPostWV
