Cyber Security for the Water Sector
Like other critical infrastructure, the water sector can be a target of cyber security threats and hazards. Implementing cybersecurity best practices is critical for water and wastewater utilities (USEPA).
Tools
- AWWA Cybersecurity Assessment Tool – an interactive tool that generates a customized list of controls that are applicable to the utility’s technology applications. Login required.
- Water Sector Cybersecurity Risk Management Guidance – AWWA Cybersecurity Tool User Guidance
- Vulnerability Self Assessment Tool 2.0 – this online tool leads water and wastewater systems through a risk assessment and shows costs and benefits of additional countermeasures to reduce risks.
- Develop and Conduct a Water Resilience Tabletop Exercise with Water Utilities – this tool provides water and wastewater systems with the resources to plan, conduct and evaluate all-hazard scenarios including cybersecurity incidents.
Guides
- 15 Cybersecurity Fundamentals for Water and Wastewater Utilities – this guide contains best practices, grouped into 15 main categories, that water and wastewater systems can implement to reduce security risks to their IT and OT systems.
- Cybersecurity Incident Action Checklist – This guide provides steps for water and wastewater systems to prepare for, respond to and recover from a cybersecurity incident.
- Cybersecurity Risk and Responsibility Guide – this guide covers the scope and significance of cyber threats, operator responsibility to anticipate threats and address vulnerabilities, strategy to manage risks and prioritize solutions.
- National Cyber Threat Assessment 2020 – this document highlights the cyber threats facing individuals and organizations in Canada.
- Ransomware Playbook – publication from the Canadian Centre for Cyber Security to provide information on how to defend against ransomware and how to recover from ransomware.
- Water Sector Cybersecurity Risk Management Guidance – practical guidance from AWWA for protecting process control systems used by the water sector.
- Water Sector Cybersecurity: Risk Management Guidance for Small Systems – a guide for small utilities to help improve their cybersecurity practices.
Manuals
- M19: Emergency Planning for Water and Wastewater Utilities, 5th edition. All-hazards approach for principles, practices, and guidelines in water utility emergency planning. Covers plan development, mutual aid partnerships, communication strategies, staff preparedness, risk mitigation and more. Purchase required.
Standards
- ANSI/AWWA G430-14(R20): Security Practices for Operation and Management – covers the minimum requirements for a protective security program for a water, wastewater, or reuse utility. Purchase required.
- ANSI/AWWA G440-17: Emergency Preparedness Practices – covers minimum requirements to establish and maintain an acceptable level of emergency preparedness based on identified and perceived risks facing water utilities. Purchase required.
- ANSI/AWWA J100-21: Risk and Resilience Management of Water and Wastewater Systems – enables water and wastewater utility owners and operators to make sound decisions when allocating limited resources to reducing risk and improving resilience. Purchase required.
- ANSI/AWWA G300-14: Source Water Protection – critical requirements for the effective protection of source waters. Purchase required.
- NIST Cybersecurity Framework – key set of standards, methodologies, procedures, and processes designed to align policy, business, and technology solutions to cyber risks. Purchase required.
Articles
- Cyber Security for Water Utilities
- Cyber Security of Water SCADA Systems—Part I: Analysis and Experimentation of Stealthy Deception Attacks
- Cyber Security of Water SCADA Systems—Part II: Attack Detection Using Enhanced Hydrodynamic Models
- Engineering Cyber–Physical Resilience
- It’s Time to Regulate Water and Wastewater Cybersecurity–Here’s How
- Security considerations for industrial control systems
Alerts
- Cyber threat bulletin: Cyber Centre reminds Canadian critical infrastructure operators to raise awareness and take mitigations against known Russian-backed cyber threat activity
- Alert: Compromise of U.S. Water Treatment Facility
- Alert: Destructive Malware Targeting Organizations in Ukraine
- Alert: New Sandworm Malware Cyclops Blink Replaces VPNFilter
- Alert: Ongoing Cyber Threats to U.S. Water and Wastewater Systems
- Alert: Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors
- Alert: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure
- Water Sector Cybersecurity Brief for the States
- Cyclops Blink
- Cyclops Blink Malware Analysis Report: Modular Malware Framework Targeting SOHO Network Devices
- Shields Up Guidance for All Organizations
- Threat Brief: Ongoing Russia and Ukraine Cyber Conflict
- Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation
- UNC1151 Assessed with High Confidence to have Links to Belarus, Ghostwriter Campaign Aligned with Belarusian Government Interests
Training
- Cybersecurity in the Water Sector – this course is designed to teach participants how to use the AWWA Water Sector Cybersecurity Risk Management Tool, to recognize gaps in a utility’s cybersecurity coverage and be able to take actionable steps to manage cybersecurity risks.
Case Studies
- Ontario town plans to pay ransom after computers locked down
- Wasaga Beach pays cyber criminals thousands to regain access to town servers: staff report
- Toronto Water SCADA System Security – Results of 2021 Follow-up of Previous Audit Recommendations
- Cyber attack on small Illinois water treatment plant has serious implications: security expert
- Hacker dangerously raises sodium hydroxide levels at Florida water plant
- Ransomware Hit SCADA Systems at 3 Water Facilities in U.S.
Disponible en français.
Image from https://www.freepik.com/
Read More
0
Risk Assessment and Emergency Preparedness Course Resources
This post provides resources for WCWC’s Risk Assessment and Emergency Preparedness course.
Supporting Documents
- Emergency Operations Centre Organization Chart
- Emergency Operations Centre Quick Reference Guide
- Emergency Operations Centre Response Goals
- Position Log
- Potential Hazardous Events to Consider for DWQMS Risk Assessment
- Quality Management System Risk Assessment Rating
- Status Report
- My Emergency Management Resources » EOC Forms Library
Videos
- Hackers hold Ontario town hostage
- Lye poisoning attack in Florida shows cybersecurity gaps in water systems
- A new type of river management
Visit our course catalog to view all our training courses and the upcoming schedule or select the course overview below to learn more about this course.
Visit our online library’s main webpage to find more resources on topics related to drinking water.
Disponible en français.
Read More
0