Clean Water is Flowing. Chlorine Levels are Good. But Wait, Who’s Watching the Login Screen?

The chlorine levels are right. The pumps are running. But who’s watching the login screen? This article breaks down the growing cybersecurity risk facing local water systems - and why structure and ownership matter more than tools or buzzwords.

Local Drinking Water Suppliers Wear Many Hats – But Nobody’s Owning InfoSec.

At most small to mid-sized water systems, someone keeps the chemicals dialed in. Someone keeps the pumps moving and the tanks full. Someone answers to the board and the ratepayers. That “someone” is usually you – the Superintendent and operational staff.

But when it comes to Cybersecurity? Nobody’s officially in charge. And that’s where real risk starts: with a lack of clear ownership.

Not your IT service provider. Not your contracted engineers. Not the control system integrator who provided your pump motor controls and SCADA system five years ago. And yet – the exposure is growing. Threats are evolving. And more regulatory attention is coming.


Federal and State Requirements Are Here, And Expanding

If your system serves more than 3,300 people, federal law already requires you to complete cyber-related risk assessments and response plans. More is coming.

Federal Requirements

  • AWIA (America’s Water Infrastructure Act): Requires Risk and Resilience Assessments (RRAs) and Emergency Response Plans (ERPs), both of which must include Cybersecurity elements.
  • CIRCIA: Will require mandatory reporting of covered cyber incidents within 72 hours and ransom payments within 24 hours.
  • EPA: Provides technical tools, self-assessments, and funding paths – and attempted enforcement through sanitary survey mandates (withdrawn after legal challenge).
  • CISA: Actively promotes its voluntary but high-impact Cross-Sector Cybersecurity Performance Goals for critical infrastructure.

State-Level Developments (example: New England)

  • New York: Proposed binding Cybersecurity rules for water systems, with size-based requirements and direct grant funding through programs like SECURE.
  • Other New England states (NH, MA, ME): Increasing expectations for infrastructure grant eligibility and resilience planning to include Cybersecurity maturity components.

Plenty of Guidance. Very Little Practical Help.

The guidance available is extensive – and overwhelming. Water systems are referred to dozens of complex frameworks, standards, and documents, including:

  • NIST Cybersecurity Framework
  • NIST SP 800-82 for industrial control systems
  • CIS Critical Controls
  • CISA Cyber Performance Goals
  • AWWA assessment tools
  • EPA incident checklists and planning templates
  • WEF management guides
  • State and grant-specific compliance pathways

What’s missing, though, is a structured, no-nonsense approach to applying any of this – one that fits real supply and distribution systems, real people, and real budgets. One that sends the confusion down the drain and makes the use of these security controls as clear as spring water (puns fully intended).


Where Granite State InfoSec Consulting Comes In

Practical Security from Fellow Commissioners, Not Buzzwords

Two of our founders at Granite State InfoSec Consulting (GSIC) – including yours truly – are in fact elected volunteer public drinking water commissioners.

We bring almost a decade of combined experience in leading, modernizing, and managing one of the largest drinking water entities in the state of New Hampshire. We offer a unique value proposition: we are not only InfoSec experts but also know exactly the inner workings of a critical infrastructure organization.

We don’t just look at your firewall, login screens, or VPNs. We focus on the Management Systems of policies, processes, procedures, and resources that create clarity, responsibility, and repeatability, even when staffing changes, outages happen, or budgets tighten. This Management System provides the organizational and operational foundation for management, employees, contractors, suppliers, and service providers to ensure the Information Security, Cybersecurity, and Business Continuity of your Water Supply Entity.

That work starts with a GAP analysis.


The GSIC GAP Analysis: A Structured Review of Readiness

Our GAP analysis is built around the core lifecycle every mature organization follows – the same Plan-Do-Check-Act Cycle behind all credible Management Systems.

We evaluate how your organization is:

  • Planning for Cybersecurity, Information Security, and Business Continuity in its policies, procedures, and staffing.
  • Executing on those plans through actual operational controls, roles, and documentation.
  • Verifying that what’s written is actually being followed – and updated when needed.
  • Responding to incidents and gaps with actionable learning and system updates.

We focus this review on your existing policies and processes – and whether they actually provide comprehensive coverage of:

  • Cybersecurity exposure
  • Information asset protection
  • Access control and monitoring
  • Operational continuity
  • Threat detection and response
  • Internal accountability and improvement

This isn’t a technical scan – it’s an organizational scan. It is the first step in building a system that works whether or not one key employee is out, a vendor disappears, or the next compliance rule lands in your inbox.


We Also Look at the Landscape – But Only to Map It

Our GAP analysis includes a preliminary asset and risk overview – just enough to:

  • Identify what’s connected
  • Flag systems or functions that might be exposed
  • Help prioritize critical infrastructure and information flows

But the detailed inventory and risk modeling? That comes later, during the structured implementation of a formal Information Security Management System, should your organization choose to proceed.


Bottom Line

You don’t need to become a Cybersecurity expert. But your organization does need structure, and someone who understands how to build it inside a water utility.

That’s where GSIC comes in.

We help you:

  • Understand what’s missing
  • Build clarity from the noise
  • Comply with what’s required
  • And protect what matters

Let’s start with a conversation. We’ll bring the structure. You bring the system knowledge. Together, we close the gap.

Your Granite State InfoSec Team

#Water #DrinkingWater #CriticalInfrastructure #ISMS #InfoSec #InformationSecurity #CyberSecurity #ISO27001 #RiskManagement #GSInfoSec