WaterISAC’s Cybersecurity Fundamentals for Water and Wastewater Utilities: Small Systems Guidance Compendium 

Roni Gehlke, Clean Water Magazine editor, Emerging Issues

List printed with permission from WaterISAC 

WaterISAC has revised its Cybersecurity Fundamentals for water and wastewater utilities, releasing a new edition tailored for small, rural, and less cyber-experienced utilities. This updated guide includes the Small Systems Guidance, which covers 12 Cybersecurity Fundamentals.

“Our reasoning behind this update is a desire to make the guidance a little more manageable, but still touch on key cybersecurity fundamentals that smaller water and wastewater utilities should consider addressing,” said Jennifer Lyn Walker, Director of Infrastructure Cyber Defense for WaterISAC.

The Small Systems Guidance was incorporated into eight of the twelve fundamentals and represented in the following:

  • Plan for Incidents, Emergencies, and Disasters
  • Minimize Control System Exposure
  • Create a Cyber Secure Culture and Protect from Insider Risks
  • Implement System Monitoring for Threat Detection and Alerting
  • Account for Critical Assets
  • Enforce Access Controls
  • Embrace Risk-Based Vulnerability Management
  • Secure the Supply Chain

Walker said that what is consistent across the 12 Cybersecurity Fundamentals is the many references, within the eight sections, to the Cybersecurity and Infrastructure Security Agency’s (CISA) Cross-Sector Cybersecurity Performance Goals (CPGs) and the Five ICS Cybersecurity Critical Controls.

She also said that it was important to share cybersecurity guidance with service providers.

“We recognize that many small/rural utilities outsource technology and systems integration services. As such, it is practical to consult with those providers on cybersecurity practices to help protect your OT and IT networks,” Walker said.

Something else to remember is that agency staff may receive a call from someone with information about a cyber incident at their utility.

“Unless you know this person, it is important not to divulge any information to them – regardless of who they say they’re with – CISA, FBI, EPA, even WaterISAC,” she said. “However, do not ignore them. Rather, record all the information they will provide to you and then immediately contact someone you trust to help you get to the bottom of the issue.”

Below is a list of the 8 Cybersecurity Fundamentals for Water and Wastewater Utilities: Small Systems Guidance, along with why they are important to small sector utilities:

  1. Plan for incidents, emergencies, and disasters

    Regardless of utility size, the inability to promptly and efficiently contain, mitigate, and communicate about cybersecurity incidents, emergencies, or disasters could result in significant operational disruption.
    Developing plans for how a utility will respond to incidents, emergencies, and disasters is critical for recovering from such events quickly. IT and OT teams should be concerned primarily with cyber incident response plans and disaster recovery plans. These are just two elements of, or adjuncts to, overall business continuity or continuity-of-operations plans.

  2. Minimize Control System Exposure

    Unidentified connections into the OT network present unnecessary risk to the availability, control, and safety of industrial automation and control systems.
    All communication pathways that exist between the ICS/OT network and hostile networks – internal (IT, business) and external (internet) – must be identified. Isolating (air-gapping) a control system from the rest of the world would be ideal. However, complete isolation is likely not practical and may not even be possible.
    Connections are difficult to avoid given the demands for remote system access by staff and third parties for system monitoring/maintenance or to export control system data for regulatory and business purposes. Even if these connections could be avoided, there are always control system upgrades and patches that make some kind of communication with the outside world unavoidable. Implementing a defensible architecture is the key to minimizing control system exposure and requires a combination of physical and logical network segmentation, hardware and software that restrict traffic, protection of control system design and configuration documents, encrypted communications, restrictive procedures, and physical security.

  3. Create a Cyber Secure Culture and Protect from Insider Risks

    Cybersecurity is a shared responsibility among all staff. Every employee, executive, and board member is accountable for the overall cybersecurity posture of an organization. Creating a cyber secure culture relies on leadership support and staff engagement that can result in a significant risk reduction against insider threats and risks.
    When employees are not involved in cybersecurity, not only can vulnerabilities and threats proliferate or go unnoticed, but employees can become insider threats or conduits through which incidents occur – intentionally or unintentionally. Utilities should instill good cyber hygiene practices in every facet of employees’ daily tasks. All staff should know what to do when faced with a potential security incident, whether it is a physical or cyber attack. Developing a strong culture will also minimize insider threats.

  4. Implement System Monitoring for Threat Detection and Alerting

    While many of the cybersecurity fundamentals in this publication are developed with prevention in mind, in this “assume breach” world, we must be able to detect suspicious and nefarious activity. Without the ability to detect threats within your environments, adversaries will go unnoticed.
    Continuous monitoring and threat detection are necessary for visibility into both IT and ICS/OT networks. The ability to detect threats enables faster threat identification, satisfies regulatory or compliance requirements, and typically reduces adversary dwell time within the network(s). Effective monitoring and threat detection can prevent or minimize financial losses by identifying and mitigating threats before they cause substantial harm.

  5. Account for Critical Assets

    By identifying, inventorying, classifying, and documenting the most critical ICS/OT assets, utilities can prioritize and allocate security resources effectively to protect those assets from potential threats, attacks, or failures that could disrupt operations or cause safety incidents.
    Identifying assets is one of the foundations of a cybersecurity risk management strategy. Most frameworks and seminal guidance resources prominently list asset inventory.

  6. Enforce Access Controls

    Maintaining strict access controls plays a crucial role in protecting resources, data, and systems from unauthorized access, ensuring confidentiality, integrity, availability, and safety. Access controls should be enforced for users and devices.
    Access control involves providing control system access only to those individuals who are authorized to have it. Restricting access to select individuals limits the number of people who can interact with key systems. When logging and auditing are enabled (Fundamental 4), this restriction also makes it much easier to detect suspicious and unauthorized access. Some important components of access controls include role-based controls, the principle of least privilege, and strong authentication.

  7. Embrace Risk-Based Vulnerability Management

    Vulnerability management across OT and IT is essential for water and wastewater utilities in maintaining operational continuity, protecting critical infrastructure, and mitigating the risks associated with cyber threats in increasingly interconnected industrial systems.
    Vulnerability management is a foundation of every cybersecurity program. Like asset inventory (Fundamental 5 | Account for Critical Assets) and risk assessments, it is a continuous process and completely dependent on and intertwined with those activities. Vulnerabilities are present everywhere – hardware, software, firmware, configurations, supply chains, and staff practices.

  8. Secure the Supply Chain (Service Providers, Integrators and Other “Trusted” Third Parties)

    Engaging with third-party vendors expands a utility’s attack surface, as cyber threats can infiltrate a utility through its supply chain. Likewise, because third parties often have access to sensitive data/information, regular assessments of third-party security postures are necessary.
    A supply chain or third-party risk management strategy helps identify and mitigate potential threats and contributes to maintaining operational integrity by reducing the risk of disruption to critical (operational or business) processes due to third parties.

For the complete guide, visit the WaterISAC website: https://bit.ly/4qkAdm4. To find the original list of Cybersecurity Fundamentals for Water and Wastewater Utilities, visit waterISAC.com.