62
America’s Water Infrastructure Act: Cybersecurity
America’s Water Infrastructure Act: Cybersecurity
Tom Bahun II & Tom Bahun III
Maine Rural Water Association
America’s Water Infrastructure Act (AWIA) : Cybersecurity
AWIA: Cybersecurity
• Detail Provisions of AWIA
• Defined Cybersecurity
• List Cyber Threats to Water & Wastewater
Utilities and Cyber Attack Indicators
• Explain the Benefits of a Cybersecurity
Program
• Discuss Available Cybersecurity Tools
• Review Challenges for Utilities in Starting a
Cybersecurity Program
3
America's Water Infrastructure Act (AWIA) of 2018
4
AWIA signed into law October 23, 2018
The Questions of AWIA
1. Who: Community Water Systems > 3300
2. What: Risk Resiliency Assessments (RRA)
and Emergency Response Plans (ERP)
3. When: Earliest 03/2020 - Refer to next slide
4. Where: Your system and the location of all
assets
5. Why: Prepare for and ensure proper
identification of and response to risk, as
well as avoiding fees
5NOTE: $25,000.00/day Fee for Non-compliance
Certification Due Dates
6
CWS SIZE (Pop.)
RRA ERP
>100,000 March 31, 2020 Sept. 30, 2020
>50,000 Dec. 31, 2020 June 30, 2021
>3300 June 30, 2021 Dec. 30, 2021
Note: ERP due 6 months after certification of RRA or indicateddate above, whichever comes earlier
AWIA is… and is not…
• AWIA is legislation that requires CWS
reporting and compliance
• AWIA concerns all-hazards: Natural,
Manmade, and Cyber
• AWIA is not a guide to compliance*
• AWIA does not require RRA or ERP be
sent to governing authority*
7* EPA assumes this roll
All-Hazards Approach
1. Natural Risks – floods, tornadoes,
fires, and more
2. Manmade Risks – vandalism,
terrorism, active shooters, and
more
3. Cyber Risks* – Cyber attacks,
terrorism, customer data breaches,
and more8
Cyber Risks and the AWIA
• Legislation added and expanded on Cyber
Security in the AWIA from the Bio-terrorism
Act of 2002
• Focuses on: Identify, Assess, Plan, and
Respond
• Vulnerability Assessments → RRA
• Emergency Response Plans (cont.)
9
Identify Risks
✓Create or edit a current list of assets
✓Determine mission critical assets, goals, and customers
❑Pair each critical asset with threats
❑Pair mission critical customers and goals with threats that impede service
10
Assess Risks
RISK = Cost Impact * Vulnerability *
Threat Likelihood
▪ Cost Impact: Total cost to you,
customers, and community (in dollars)
▪ Vulnerability: Probability of threat success
▪ Threat Likelihood*: Very unlikely – Very likely
11* Threat Likelihood will not be 0, otherwise it is not a threat.
Plan and Respond to Risks
• Based on the findings in the
assessment, the next step is to
categorize risks based on risk: address
threats with higher risks first
• The development of ERPs follow the
RRA and categorizations
12
Resources and Tools
We understand this is a lot to take in and prepare for…
• Tools, training, and resources from EPA, MRWA, and more (AWWA, etc.)
• VSAT (EPA)
• Cyber tool, training, consultations and more (MRWA)
13
America's Water Infrastructure
Act (AWIA) of 2018
• CWS serving more than 3,300 people
must develop or update risk assessments and
emergency response plans (ERPs)
• Sec. 2013, (b)(1): ERP must include:
“strategies and resources to improve the resilience of the system, including the physical security and cybersecurity of the system”
• https://www.congress.gov/bill/115th-
congress/senate-bill/3021/text
14
• AWIA section 2018 amended the
Emergency Release Notification (EPCRA
section 304) and Hazardous Chemical
Inventory Reporting (EPCRA section 312)
sections of EPCRA.
• Those amendments are….
15
Amendments to the Emergency
Planning and Community
Right-to-Know Act (EPCRA)
• SERC must promptly notify state
drinking water primacy - Maine
Drinking Water Program (DWP) of
any reported release
• The DWP must promptly provide
notice/reports to applicable CWSs
16
Amendments to the Emergency
Planning and Community
Right-to-Know Act (EPCRA)
• SERC and LEPCs must provide
affected CWS with chemical
inventory data for facilities within
their source water protection areas
17
Amendments to the Emergency
Planning and Community
Right-to-Know Act (EPCRA)
• CWS required (to the
extent possible) to
coordinate with LEPCs
• DWP should consider
opportunities to fully
participate with their
SERC
18
Amendments to the Emergency
Planning and Community
Right-to-Know Act (EPCRA)
• The practice of defending
computers, servers, mobile devices,
electronic systems, networks, and data
from malicious attacks.
AKA information technology security or electronic information security.
19
What is Cybersecurity?
What is Cybersecurity?
• Cybersecurity applies in a
variety of contexts, from process control
systems to business critical systems and
can be divided into the following
categories:
– Network security
– Application security
– Information security
– Operational security
– Disaster recovery and business continuity
– End-user education 20
1. Access Management
2. Environment Management
3. Data Security
Management
21
Cybersecurity Involves:
1. Access Management
Identifying, tracking, controlling and managing authorized users’ access to a system, application or any IT instance.
The greatest risk comes from someone that is already inside your operation.
22
Cybersecurity Involves:
2. Environment Management
Involves managing all the networks, the connectivity of the networks with other networks, and monitoring activity within the networks.
Smart network design, network traffic and flow monitoring, and managing network access and routing.
23
Cybersecurity Involves:
Cybersecurity Involves:
3. Data Security Management
Is a way to maintain the integrity of data and to make sure that the data is not accessible by unauthorized parties or susceptible to corruption.
Data security is put in place to ensure privacy in addition to protecting this data.
24
Cyber Threats to Water &
Wastewater Utilities
• Upset treatment and conveyance
processes (e.g. SCADA)
• Deface the utility’s website or compromise
the email system
• Steal customers’ personal data or credit
card information
• Install malicious
programs like
ransomware
25
26
Cyber attacks on
water and
wastewater systems
are growing
increasingly
common
nationwide.
27
Cyber Attacks on Maine PWS 2016 - 2018
Not if but when…
What Happens When You Dare Expert Hackers To Hack You?
• https://www.youtube.com/watch?v=b
jYhmX_OUQQ
29
30
Potential Cyber Attack Indicators
• Slow or unusual computer function,
• Unusually heavy network traffic,
• Many bounced emails,
• Deactivation of antivirus software,
• The creation of new user accounts,
• Log files that have been cleaned out,
• Unsuccessful attempts to
log in from unfamiliar
systems
• Files/programs execute on
their own, and
• Others…..
Benefits of a
Cybersecurity Program
• Ensure the integrity of process control
systems
• Protect sensitive utility and customer
information
• Reduce legal liabilities if customer or
employee personal information is stolen
• Maintain customer
confidence
31
Cybersecurity Tools for Water/Wastewater Utilities
• Self-Assessment “Checklist”
• Guidance
• Glossary of Terms
32
Cybersecurity Tools to
Understand, Evaluate, and Mitigate Risks for Maine PWSs
• Cybersecurity Self-Assessment
• Improvement Planning Worksheet
• 12 Basic Cybersecurity Measures
• Cyber Incident Action Planning
• Glossary of Terms
• References & Resources
• Acknowledgements
33
Maine PWS
Cybersecurity Self-Assessment
1. Maintain an Accurate Inventory of Control System Devices and Eliminate Any Exposure of this Equipment to External Networks.
Identify physical hardware and software assets within the organization to establish the basis of a cyber-asset management program.
34
Maine PWS
Cybersecurity Self-Assessment
2. Defining Cybersecurity Policies &
Regulatory Requirements
Define cybersecurity policies within the organization as well as identifying legal and regulatory requirements regarding the cybersecurity capabilities of the organization.
35
Maine PWS
Cybersecurity Self-Assessment
3. Evaluating Threats & Vulnerabilities
Evaluate asset vulnerabilities, threats to internal and external organizational resources, and risk response activities as a basis for the organizations risk assessment.
36
Maine PWS
Cybersecurity Self-Assessment
4. Establishing a Risk Management
Strategy
Establish a risk management strategy for the organization including establishing risk tolerances.
37
Maine PWS
Cybersecurity Self-Assessment
5. Protections for Identity Management
and Access Control
Utilize Protections for identity management and access control within the organization including physical and remote access.
38
Maine PWS
Cybersecurity Self-Assessment
6. Empowering Staff Through Awareness
and Training
Empower staff within the organization through awareness and training including role based and privileged user training.
39
Maine PWS
Cybersecurity Self-Assessment
7. Establishing Data Security Protection
Establish Data Security protection consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information
40
Maine PWS
Cybersecurity Self-Assessment
8. Implementing Information Protection
Processes and Procedures
Implement information protection processes and procedures to maintain and manage the protections of information systems and assets.
41
Maine PWS
Cybersecurity Self-Assessment
9. Protecting Resources Through
Maintenance
Protect organizational resources through maintenance, including remote maintenance
42
Maine PWS
Cybersecurity Self-Assessment
10. Detect Malware
Detect and prevent unauthorized software from executing by deploying antivirus technology and application whitelisting
43
Maine PWS
Cybersecurity Self-Assessment
11. Ensuring Anomalies and Events
Are Detected
Ensure anomalies and events are detected, and their potential impact is understood
44
Maine PWS
Cybersecurity Self-Assessment
12. Ensuring the Organization
Implements Recovery Planning
Ensure the organization implements recovery planning processes and procedures to restore systems and/or assets affected by cybersecurity incidents
45
46
Maine PWS
Cybersecurity Self-Assessment
47
1. Perform Asset Inventories
2. Assess Risks
3. Minimize Control System Exposure
4. Enforce User Access Controls
5. Safeguard from Unauthorized Physical Access
6. Install Independent Cyber-Physical Safety Systems
7. Embrace Vulnerability Management
8. Create a Cybersecurity Culture
9. Develop and Enforce Cybersecurity Policies and Procedures
10. Implement Threat Detection and Monitoring
11. Plan for Incidents, Emergencies, and Disasters
12. Tackle Insider Threats
13. Secure the Supply Chain
14. Address All Smart Devices (IoT, IIoT, Mobile, etc.)
15. Participate in Information Sharing and Collaboration Communities
48
Cyber Incident Action Planning
1. Detect and respond to a
cyber incident/attack,
2. Promptly and effectively
assess the situation and
scope,
3. Notify key PWS personnel, local law
enforcement, primacy agencies and
others,
49
Cyber Incident Action Planning
4. Activate and coordinate response activities, including establishing an incident command center,
5. Develop a communication plan and designate a Public Information Officer, and
6. Implement critical systems recovery once the cyber incident has been eradicated/isolated.
50
Challenges for Utilities in Starting a
Cybersecurity Program
51
• Many utilities, particularly small systems,
lack IT resources
• Utility personnel may believe that cyber-
attacks do not present a risk to their
systems or feel that they lack the technical
capability to improve cybersecurity
Challenges for Utilities in Starting a
Cybersecurity Program
• Rest assured, basic cybersecurity best
practices can be carried out without
specialized training
• User-friendly resources are available to
help. You just have to know
how to start and where to
look!
52
Challenges for Utilities in Starting a
Cybersecurity Program
What you can do now:
• Use strong passwords
• Control access
• Put up a firewall
• Update programs and systems regularly
• Raise awareness
• Begin to establish cybersecurity policies
• Consult with IT experts53
Policy Template
“Inventory Audit Policy”
Purpose:
• Know what devices you have
• Track changes in your IT assets
• Plan upgrades and migrations
• Proactively manage contracts and licenses
• Identify rogue devices on network
• Ensure adequate physical protection of devices
54
Policy Template
“Awareness and Training Policy”
Purpose:
• To ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
55
Policy Template
“Acceptable Use Policy”
Purpose:
• To establish acceptable and unacceptable use of electronic devices and network resources in conjunction with established culture of ethical and lawful behavior, openness, trust, and integrity.
56
Policy Template
“Clean Desk Policy”
Purpose:• To establish the minimum requirements
for maintaining a “clean desk” where sensitive information such as employee and customer information, intellectual property, and sensitive configuration information is secure and out of sight except when in use.
57
Policy Template
“Password Policy”
Purpose:
• To establish a standard for creation of strong passwords and the protection of those passwords.
58https://www.youtube.com/watch?v=opRMrEfAIiI
Policy Template
“Remote Access Policy”
Purpose:• To define the rules and regulations for
connecting to network from any outside network. These rules are designed to minimize the risk of:– unauthorized access to company resources, – exposure of sensitive company data, – damage to company equipment, and – damage resulting from the misuse of
company equipment.
59
Plan Template
“Disaster Recovery Plan”
Purpose:• To ensure the timely recovery of critical IT
systems in an orderly fashion, while simultaneously ensuring the safety of employees and minimizing the confusion of a disaster situation.
• The objectives of the plan are to document contact information, decisions, and procedures for responding to a disaster that involves IT systems, data, and services.
60
Where To Find Tool and Templates
mainerwa.org/Csresources
Google: “EPA AWIA”
Google:
“WaterISAC AWIA
61
Tom Bahun II & Tom Bahun III
Maine Rural Water Association
America’s Water Infrastructure Act: Cybersecurity
