Like other critical infrastructure, the water sector can be a target of cyber security threats and hazards. Implementing cybersecurity best practices is critical for water and wastewater utilities (USEPA).
Tools
- AWWA Cybersecurity Assessment Tool – an interactive tool that generates a customized list of controls that are applicable to the utility’s technology applications. Login required.
- Water Sector Cybersecurity Risk Management Guidance – AWWA Cybersecurity Tool User Guidance
- Vulnerability Self Assessment Tool 2.0 – this online tool leads water and wastewater systems through a risk assessment and shows costs and benefits of additional countermeasures to reduce risks.
- Develop and Conduct a Water Resilience Tabletop Exercise with Water Utilities – this tool provides water and wastewater systems with the resources to plan, conduct and evaluate all-hazard scenarios including cybersecurity incidents.
Guides
- 15 Cybersecurity Fundamentals for Water and Wastewater Utilities – this guide contains best practices, grouped into 15 main categories, that water and wastewater systems can implement to reduce security risks to their IT and OT systems.
- Cybersecurity Incident Action Checklist – This guide provides steps for water and wastewater systems to prepare for, respond to and recover from a cybersecurity incident.
- Cybersecurity Risk and Responsibility Guide – this guide covers the scope and significance of cyber threats, operator responsibility to anticipate threats and address vulnerabilities, strategy to manage risks and prioritize solutions.
- National Cyber Threat Assessment 2020 – this document highlights the cyber threats facing individuals and organizations in Canada.
- Ransomware Playbook – publication from the Canadian Centre for Cyber Security to provide information on how to defend against ransomware and how to recover from ransomware.
- Water Sector Cybersecurity Risk Management Guidance – practical guidance from AWWA for protecting process control systems used by the water sector.
- Water Sector Cybersecurity: Risk Management Guidance for Small Systems – a guide for small utilities to help improve their cybersecurity practices.
Manuals
- M19: Emergency Planning for Water and Wastewater Utilities, 5th edition. All-hazards approach for principles, practices, and guidelines in water utility emergency planning. Covers plan development, mutual aid partnerships, communication strategies, staff preparedness, risk mitigation and more. Purchase required.
Standards
- ANSI/AWWA G430-14(R20): Security Practices for Operation and Management – covers the minimum requirements for a protective security program for a water, wastewater, or reuse utility. Purchase required.
- ANSI/AWWA G440-17: Emergency Preparedness Practices – covers minimum requirements to establish and maintain an acceptable level of emergency preparedness based on identified and perceived risks facing water utilities. Purchase required.
- ANSI/AWWA J100-21: Risk and Resilience Management of Water and Wastewater Systems – enables water and wastewater utility owners and operators to make sound decisions when allocating limited resources to reducing risk and improving resilience. Purchase required.
- ANSI/AWWA G300-14: Source Water Protection – critical requirements for the effective protection of source waters. Purchase required.
- NIST Cybersecurity Framework – key set of standards, methodologies, procedures, and processes designed to align policy, business, and technology solutions to cyber risks. Purchase required.
Articles
- Cyber Security for Water Utilities
- Cyber Security of Water SCADA Systems—Part I: Analysis and Experimentation of Stealthy Deception Attacks
- Cyber Security of Water SCADA Systems—Part II: Attack Detection Using Enhanced Hydrodynamic Models
- Engineering Cyber–Physical Resilience
- It’s Time to Regulate Water and Wastewater Cybersecurity–Here’s How
- Security considerations for industrial control systems
Alerts
- Cyber threat bulletin: Cyber Centre reminds Canadian critical infrastructure operators to raise awareness and take mitigations against known Russian-backed cyber threat activity
- Alert: Compromise of U.S. Water Treatment Facility
- Alert: Destructive Malware Targeting Organizations in Ukraine
- Alert: New Sandworm Malware Cyclops Blink Replaces VPNFilter
- Alert: Ongoing Cyber Threats to U.S. Water and Wastewater Systems
- Alert: Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors
- Alert: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure
- Water Sector Cybersecurity Brief for the States
- Cyclops Blink
- Cyclops Blink Malware Analysis Report: Modular Malware Framework Targeting SOHO Network Devices
- Shields Up Guidance for All Organizations
- Threat Brief: Ongoing Russia and Ukraine Cyber Conflict
- Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation
- UNC1151 Assessed with High Confidence to have Links to Belarus, Ghostwriter Campaign Aligned with Belarusian Government Interests
Training
- Cybersecurity in the Water Sector – this course is designed to teach participants how to use the AWWA Water Sector Cybersecurity Risk Management Tool, to recognize gaps in a utility’s cybersecurity coverage and be able to take actionable steps to manage cybersecurity risks.
Case Studies
- Ontario town plans to pay ransom after computers locked down
- Wasaga Beach pays cyber criminals thousands to regain access to town servers: staff report
- Toronto Water SCADA System Security – Results of 2021 Follow-up of Previous Audit Recommendations
- Cyber attack on small Illinois water treatment plant has serious implications: security expert
- Hacker dangerously raises sodium hydroxide levels at Florida water plant
- Ransomware Hit SCADA Systems at 3 Water Facilities in U.S.
Disponible en français.
Image from https://www.freepik.com/