You are here

15 Cybersecurity Fundamentals for Water and Wastewater Utilities

15 Cybersecurity Fundamentals for Water and Wastewater Utilities

Created: Monday, June 3, 2019 - 13:26
Cybersecurity, Security Preparedness

Water and wastewater utilities provide critical lifeline services to their communities and their regions. Supporting these vitally important functions requires secure information technology (IT) and operational technology (OT), yet our sector’s IT and OT networks continue to face an onslaught of threats from cyber criminals, nation states and others.

To support members and the wider sector in its cybersecurity goals, and in response to continually evolving threats, WaterISAC has published a newly updated resource: 15 Cybersecurity Fundamentals for Water and Wastewater Utilities. The original guide, first published in 2012, has been downloaded thousands of times.

This completely updated guide contains dozens of best practices, grouped into 15 main categories, that water and wastewater systems can implement to reduce security risks to their IT and OT systems. Each recommendation is accompanied by links to corresponding technical resources, giving you the information and tools you need to take a dive deep into this acutely important issue.

The guide will also be helpful to utilities preparing risk and resilience assessments required by America’s Water Infrastructure Act, or AWIA. The 15 fundamentals will also be especially useful for informing emergency response plans, because AWIA requires those plans to address mitigation and resilience options.

The 15 fundamentals are: 

  1. Perform Asset Inventories
  2. Assess Risks
  3. Minimize Control System Exposure
  4. Enforce User Access Controls
  5. Safeguard from Unauthorized Physical Access
  6. Install Independent Cyber-Physical Safety Systems
  7. Embrace Vulnerability Management
  8. Create a Cybersecurity Culture
  9. Develop and Enforce Cybersecurity Policies and Procedures
  10. Implement Threat Detection and Monitoring
  11. Plan for Incidents, Emergencies, and Disasters
  12. Tackle Insider Threats
  13. Secure the Supply Chain
  14. Address All Smart Devices (IoT, IIoT, Mobile, etc.)
  15. Participate in Information Sharing and Collaboration Communities

Download the guide below.