AWWA COMPLIANCE SECURITY CONSULTING

AWWA cybersecurity program compliance & NIST CSF

Cybersecurity in the Water Industry: establishing an AWWA Cybersecurity Risk Management Framework is required by the United States Environmental Protection Agency (EPA) and the American Water Works Association (AWWA). Our team assists with implementing cybersecurity best practices for critical water and wastewater utilities. Cyber-attacks are a growing threat to critical infrastructure sectors, including water and wastewater systems, and many critical infrastructure facilities have already experienced cybersecurity incidents that disrupted a business process or a critical operation.

Many water and wastewater utilities, particularly small systems, lack the resources for information technology (IT) and security specialists to help them start a cybersecurity program. Utility personnel may believe that cyber-attacks do not present a risk to their systems, or feel that they lack the technical capability to improve their cybersecurity. Neither belief holds up, and this is where our Cybersecurity Advisory team can help.


AWWA Cybersecurity Advisory Services

Our American Water Works Association (AWWA) Water Sector Experts will assist with the entire Cybersecurity Risk Management Process, based on the requirements outlined in the AWWA Water Sector Cybersecurity Risk Management Guidance.

Benefits of a Cybersecurity Program for Water Systems

The good news is that cybersecurity best practices can be very effective in eliminating the vulnerabilities that cyber-attacks exploit. Implementing an AWWA cybersecurity program can:

  • Ensure the integrity of process control systems;

  • Protect sensitive utility and customer information;

  • Reduce legal liabilities if customer or employee personal information is stolen; and

  • Maintain customer confidence.

  • Restrict all remote connections to SCADA systems, specifically those that allow physical control and manipulation of devices within the SCADA network. One-way (unidirectional) monitoring devices are recommended for monitoring SCADA systems remotely.

  • Install a firewall software/hardware appliance with logging and ensure logging is turned on. The firewall itself should be isolated and should not be permitted to communicate with unauthorized sources.

  • Keep computers, devices, and applications, including SCADA/industrial control systems (ICS) software, patched and up-to-date.

  • Use two-factor authentication with strong passwords.

  • Only use secure networks and consider installing a virtual private network (VPN).

  • The balancing act between operational risk and operational continuity

  • A Risk Management Framework (RMF) that aligns risk and exposure with consequence and treatment, and gives insight into CapEx and OpEx trade-offs

  • The need to protect Industrial Control System (ICS) networks by having a clear and well-defined separation of the OT, enterprise network, and cloud infrastructure

  • The reasons why people are a critical aspect of effective cybersecurity adoption, and why a security culture in the organization is a key attribute of success
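The firewall-with-logging and one-way-monitoring recommendations above only pay off if someone actually reads the logs. The following is an added example, not code from the page or from the consulting team it describes: a small Python audit that runs a "nothing goes into the OT segment, and OT only talks outward to the historian" policy over firewall log lines. The OT subnet, historian address, ports and the log format are all constructed assumptions for illustration; a real deployment would substitute its own addresses and its firewall's actual LOG format.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed policy for the example (not taken from the page):
OT_NETWORK = ipaddress.ip_network("10.10.0.0/16")   # SCADA/ICS segment
HISTORIAN = ipaddress.ip_address("10.20.0.5")       # one-way monitoring collector
HISTORIAN_PORTS = {514, 5140}                        # ports the collector listens on

# Constructed log format, loosely modelled on iptables/nftables LOG output.
LOG_RE = re.compile(
    r"action=(?P<action>ACCEPT|DROP)\s+SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+"
    r"PROTO=(?P<proto>\S+)\s+DPT=(?P<dpt>\d+)"
)

# Constructed sample log lines exercising each case the audit cares about.
SAMPLE_LOG = [
    "Mar 01 10:00:01 fw kernel: action=ACCEPT SRC=10.10.1.20 DST=10.20.0.5 PROTO=UDP DPT=514",
    "Mar 01 10:00:07 fw kernel: action=DROP SRC=203.0.113.7 DST=10.10.1.20 PROTO=TCP DPT=502",
    "Mar 01 10:00:12 fw kernel: action=ACCEPT SRC=192.168.50.9 DST=10.10.1.20 PROTO=TCP DPT=3389",
    "Mar 01 10:00:20 fw kernel: action=ACCEPT SRC=10.10.1.20 DST=198.51.100.4 PROTO=TCP DPT=443",
    "Mar 01 10:00:25 fw kernel: action=ACCEPT SRC=10.10.1.20 DST=10.10.2.3 PROTO=TCP DPT=502",
    "Mar 01 10:00:30 fw sshd[412]: Accepted publickey for ops from 192.168.50.9",
]


@dataclass
class Finding:
    line_no: int
    severity: str
    reason: str


def classify(src, dst, dpt, action):
    """Return (severity, reason) for a flow that violates the OT policy, else None."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    src_ot = src_ip in OT_NETWORK
    dst_ot = dst_ip in OT_NETWORK
    if dst_ot and not src_ot:
        # Anything reaching into the SCADA segment from outside violates the
        # "no remote connections" rule. A DROP shows an attempt the firewall
        # stopped; an ACCEPT means the ruleset itself has a gap.
        sev = "critical" if action == "ACCEPT" else "warning"
        return sev, f"inbound connection to OT from {src} ({action})"
    if src_ot and not dst_ot:
        if dst_ip == HISTORIAN and dpt in HISTORIAN_PORTS:
            return None  # the one permitted, outward-only monitoring flow
        sev = "critical" if action == "ACCEPT" else "warning"
        return sev, f"OT host {src} reaching unexpected destination {dst}:{dpt} ({action})"
    return None  # intra-OT or entirely non-OT traffic is out of scope here


def audit(log_lines):
    """Parse firewall log lines and return the policy violations found."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue  # not a firewall flow record (e.g. sshd noise)
        result = classify(m["src"], m["dst"], int(m["dpt"]), m["action"])
        if result:
            findings.append(Finding(n, *result))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"line {f.line_no}: [{f.severity}] {f.reason}")
```

Run against the sample, the audit ignores the legitimate historian export and the intra-OT Modbus traffic, flags the blocked Modbus probe from the internet as a warning, and raises the two accepted flows (RDP into the OT segment, OT host browsing out to the internet) as critical, since those indicate the firewall policy is not enforcing the separation the program calls for.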

NIST CyberSecurity Framework Implementation for AWWA

  • NIST CSF Recommended Security Controls for Federal Information Systems and Organizations

  • NIST CSF Assessing Security Controls

  • NIST CSF Guide for Applying the Risk Management Framework

  • NIST CSF Wireless Network Security

  • NIST CSF IT Security Services

  • NIST CSF Guideline on Network Security Testing

  • NIST CSF IT Security Awareness and Training Program

  • NIST CSF Contingency Planning for IT Systems

  • NIST CSF Guidelines on Firewalls and Firewall Policy

  • NIST CSF Securing Public Web Servers

  • NIST CSF Email Security

  • NIST CSF Interconnection IT Systems

  • Certified Professional Security Consultants


AWWA Cybersecurity Program for Water Utilities

Cyber risks are increasing significantly. CyberSecOp delivers a strong team of IT security professionals holding credentials such as ISACA certifications and CISSP. Our team brings strategies and resources to improve the resilience of your systems, covering both their physical security and their cybersecurity.

Risk Categorization: Organizations must categorize their information and information systems in order of risk to ensure that sensitive information and the systems that use it are given the highest level of security. 

System Security Plan: NIST requires agencies to create a security plan which is regularly maintained and kept up to date. The plan should cover things like the security controls implemented within the organization, security policies, and a timetable for the introduction of further controls.

Security Controls: NIST outlines an extensive catalog of suggested security controls for NIST compliance. NIST does not require an agency to implement every single control; instead, they are instructed to implement the controls that are relevant to their organization and systems. Once the appropriate controls are selected and the security requirements have been satisfied, the organizations must document the selected controls in their system security plan.

Risk Assessments: Risk assessments are a key element of NIST’s information security requirements. NIST offers some guidance on how agencies should conduct risk assessments. According to the NIST guidelines, risk assessments should be three-tiered to identify security risks at the organizational level, the business process level, and the information system level.

Certification and Accreditation: NIST requires program officials and agency heads to conduct annual security reviews to ensure risks are kept to a minimum level. Agencies can achieve NIST Certification and Accreditation (C&A) through a four-phased process which includes initiation and planning, certification, accreditation, and continuous monitoring.

We also facilitate compliance with America's Water Infrastructure Act: security practices for operations and management, risk and resilience assessment and emergency planning for water and wastewater systems, and cybersecurity in the water sector.