Working with eight other communities so far, the town of Avon has secured a state grant to promote information sharing and collaboration around an increasingly urgent cybersecurity concern: municipal water systems.
In December, the nine communities received an Efficiency and Regionalization grant for nearly $200,000 through the state’s Community Compact Cabinet. The funding will help the community water systems form a coalition to address cybersecurity concerns and conduct a feasibility study exploring whether a shared service provider model would create efficiencies and help water systems save money. Avon, the lead applicant, is working with Acton, Auburn, Brockton, Chelmsford, Hanover, Plainville, Rowley and Stoughton.
Local water system operators say they are dealing with unique cybersecurity challenges, given the size and scale of their facilities, complex water safety regulations requiring specialized knowledge, and the difficulty of integrating standard information technology resources with their operational technology systems — not to mention a worst-case scenario of a disrupted or contaminated drinking water supply.
“There are things we absolutely have to deal with, and we all have so many other demands on our time, with PFAS (‘forever chemicals’) and with aging infrastructure, affordability of rates, a complete lack of operators,” said Bill Fitzgerald, Avon’s public works director. “People are so overwhelmed.”
Cyberattacks against U.S. water systems have gained greater attention in recent years. In one well-publicized incident, a hacker broke into a water treatment plant’s system in Oldsmar, Florida, in 2021, and attempted to poison the water supply, before an employee noticed unusual activity and thwarted the attack.
Federal and state agencies, along with insurance companies, are paying more attention to the threat. The federal Cybersecurity and Infrastructure Security Agency, for instance, has identified water and wastewater among 16 critical sectors that need special protection. And insurance companies have been looking at enhanced cybersecurity requirements for water systems. Local water officials say they welcome the increased vigilance, but wonder how additional requirements will affect their systems’ finances and operations.
Fitzgerald said he got the idea for the water-systems collaboration while attending the MassCyberCenter’s Municipal Cybersecurity Summit in October and learning about an IT collaborative, including a shared fiber optic network, led by Danvers with several nearby North Shore communities.
Fitzgerald said he saw a similar possibility for municipal water systems. And since the systems wouldn’t have to be physically linked by fiber networks or other infrastructure to benefit, he envisioned a network of water systems spread around the state, and asked other communities to join the grant application.
Some of the grant money ($67,710) will help extend an existing project already underway in Avon. For the past six months or so, Fitzgerald said, Avon has been working on a pilot project, funded through the Department of Environmental Protection’s State Revolving Fund, to investigate its system’s cybersecurity hygiene. The new funds will help support an implementation phase, and help assess the applicability of Avon’s project to the collaborative and to other water suppliers.
Another grant participant, the Chelmsford Water District, is one of three separate water districts serving that town. In terms of cybersecurity, the district’s 14 employees have much to protect: 20 wells, three treatment plants, five tanks, two booster stations and more than 200 miles of pipe, said Superintendent Andy Reid.
“We’re small staffs, but we’re often dealing with multi-million dollars in assets,” Reid said of water systems.
He said water systems often turn to outside vendors to meet their specialized cybersecurity needs. By the time this grant wraps up in 18 months, he said he hopes the process will produce “some sort of standard of practice or guideline” for systems to follow.