Cybersecurity Self-Evaluations for Small Public Water Systems

Small drinking water utilities face unique cybersecurity challenges due to limited resources and training; geographic isolation; and increasing reliance on digital systems for operations, monitoring, and managing customer information and billing. These systems are often vulnerable to cyber threats and data breaches, which can disrupt water service and compromise public health and safety. As regulatory agencies emphasize the importance of cybersecurity in critical infrastructure, small utilities must find accessible and practical ways to evaluate and strengthen their defenses. The Hawaii Department of Health contracted with ERG to assist small drinking water utilities across the state in conducting cybersecurity self-evaluations using federal guidance and tools developed by the U.S. Environmental Protection Agency and the Cybersecurity & Infrastructure Security Agency (CISA). We supported small utilities in identifying vulnerabilities in and risks to their cyber infrastructure, as well as developing mitigating actions and strategies. ERG staff worked onsite, hand in hand, with local operators to develop written self-assessments and provide them with practical knowledge and action plans to enhance each system’s resilience against evolving cyber threats.