In honor of Cybersecurity month, CWEA pulled together a list of resources that focus on cybersecurity for control systems that are frequently used in water/wastewater. Thank you, Daniel Groves of West Yost, for the cybersecurity tips!
- ICS-CERT – https://ics-cert.us-cert.gov/
- SANS Institute – sans.gov
- AWWA – https://awwa.org/cybersecurity
- WaterISAC – https://www.waterisac.org/
- Google News Alerts – https://www.google.com/alerts (enter search criteria like “SCADA hack”)

10 Questions for a Cybersecurity Dialogue with a Utility*

Does your utility…
- Keep an inventory of control system devices and ensure this equipment is not exposed to networks outside the utility?
Never allow any machine on the control network to “talk” directly to a machine on the business network or on the Internet.
- Segregate networks and apply firewalls?
Classify IT assets, data, and personnel into specific groups, and restrict access to these groups.
- Use secure remote access methods?
A secure method, like a virtual private network, should be used if remote access is required.
- Establish roles to control access to different networks and log system users?
Role-based controls will grant or deny access to network resources based on job functions.
- Require strong passwords and password management practices?
Use strong passwords and have different passwords for different accounts.
- Stay aware of vulnerabilities and implement patches and updates when needed?
Monitor for and apply IT system patches and updates.
- Enforce policies for the security of mobile devices?
Limit the use of mobile devices on your networks and ensure devices are password protected.
- Have an employee cybersecurity training program?
All employees should receive regular cybersecurity training.
- Involve utility executives in cybersecurity?
Organizational leaders are often unaware of cybersecurity threats and needs.
- Monitor for network intrusions and have a plan in place to respond?
Be capable of detecting a compromise quickly and executing an incident response plan.
*For more information about each of these questions, see WaterISAC’s 10 Basic Cybersecurity Measures at https://www.waterisac.org/cybersecuritymeasures