Cybersecurity Fundamentals Guide for Water and Wastewater Utilities Now Available

Jennifer Lyn Walker, Director of Infrastructure Cyber Defence, Water Information Sharing and Analysis Center (WaterISAC), Technology and Innovation

Water and wastewater utilities provide critical lifeline services to their communities and their regions. Supporting these vitally important functions requires secure information technology (IT) and operational technology (OT), yet the sector’s IT and OT networks continue to face an onslaught of threats from cyber criminals, nation-states, and others.

15 FUNDAMENTALS

Cybersecurity comes with a range of terms. Some are already well known and widely practiced, while others make sense but are not part of everyday cybersecurity practice. Some newer terms may require further explanation to be fully understood.
Understanding and implementing the 15 fundamental strategies below can begin to help safeguard water and wastewater agencies against cyber attacks.

  1. Asset inventories are necessary for effective cybersecurity. Knowing your environment is crucial for protection.
  2. After completing asset inventories, assess OT and IT risks, taking into account the probability of a threat occurring and the degree of impact it would have on the organization.
  3. It is important to minimize exposure of the control system environment to untrusted networks. This can be achieved through network segmentation, traffic restrictions, and the use of encrypted communications.
  4. It’s important to enforce user access controls on a network to ensure that users have only the necessary access to perform their job functions. To achieve this, apply role-based access controls and follow the principle of least privilege. Additionally, limit the use of administrator rights to avoid unauthorized access to systems and files.
  5. Safeguard against unauthorized physical access. Restrict non-technical physical access to IT and OT environments to prevent compromise.
  6. Water and wastewater utilities should consider installing independent physical and cyber safety systems to protect critical assets against “blended” threats caused by cyber-attacks that may have physical impacts.
  7. Embrace vulnerability management. Largely informed by asset inventory and risk assessments, vulnerability management involves identifying and remediating cybersecurity gaps and vulnerabilities before the bad guys exploit them.
  8. Create a cybersecurity culture. Effective cybersecurity starts at the top level. To make positive behavioral changes, involve every executive, board member, and employee in cybersecurity awareness and training.
  9. To ensure cybersecurity, it is important to have clear policies and procedures in place. These policies should be created, shared, and implemented across the organization to ensure that everyone is aware of the expectations around cybersecurity.
  10. Implement threat detection and monitoring. You will not find it if you are not looking. The importance of configuring detailed logging and reviewing system logs to detect active threats in your environment cannot be overstated.
  11. Plan for incidents, emergencies, and disasters. Plan ahead for maintaining business continuity and resilience.
  12. Tackle insider threats. The insider threat is a people problem, not a technology problem; however, not all insider threats are malicious. Mitigate this organizational-level threat by understanding behavioral indicators that predicate an insider threat and applying appropriate training and technology controls to deter an incident.
  13. Secure the supply chain. The supply chain/vendor relationship is a common threat vector for cyber-attacks and must be intentionally managed through security and vulnerability testing and risk assessments.
  14. Address all smart devices. When unsecured Internet of Things (IoT) and mobile devices are connected to networks, they create holes (often to the Internet) that may not have previously existed.
  15. Participate in information-sharing and collaboration communities. Share information with others. Utilities can learn from each other. Cyber-mature utilities can significantly help the community and sector by sharing their experiences.

WaterISAC is a nonprofit water and wastewater sector organization dedicated to protecting sector utilities from all hazards. WaterISAC disseminates threat advisories, reports, and mitigation resources to help utilities prevent cyber and physical security incidents and recover from disasters. For more information go to waterISAC.com.