
Cybersecurity Risk Assessment Tools

The Indiana Department of Environmental Management (IDEM) wants to make you aware of the free cybersecurity risk assessment tools available for water and wastewater utilities. While a utility's cybersecurity risk can be assessed by contracted third parties, a number of no-cost tools allow utilities to self-assess. Both the American Water Works Association (AWWA) and the U.S. Environmental Protection Agency (U.S. EPA) have the following self-assessment tools available.

Cybersecurity & Guidance | American Water Works Association (AWWA)

The AWWA website contains guidance on physical security and cybersecurity geared towards utilities of all sizes, directs both members and non-members to U.S. EPA, CISA, and WaterISAC resources, and contains a cybersecurity assessment and evaluation tool any utility can download and use to self-assess at no cost. The tool can offer an expansive question set to utilities that have more sophisticated systems, and a reduced question set for smaller utilities with less sophisticated control systems. This interactive tool asks utilities to examine how they are using various technologies. Based on responses, the tool generates a customized, prioritized list of controls most applicable to the utility’s technology applications. Utilities can use this output to determine the implementation status of critical controls designed to mitigate cybersecurity vulnerabilities. Navigate to the AWWA website and search for “Water Sector Cyber Security Assessment Tool”. An AWWA website login is required for access, but membership is not required, and the login is easy to set up.

Additionally, the Indiana Section of the AWWA has designed a half-day workshop to teach utilities how to use the assessment tool, so the self-assessment process is more attainable to all utilities. The state, through the Indiana Finance Authority (IFA), has funded this training program so that it can be offered at no cost to Indiana utilities. Contact Monique Riggs with the Indiana Section of AWWA to inquire about upcoming scheduled workshops. Monique’s contact information is Monique.Riggs@inawwa.org, or call her at (866) 213-2796.

EPA Cybersecurity for the Water Sector | U.S. Environmental Protection Agency (U.S. EPA)

The U.S. EPA webpage contains information on U.S. EPA and CISA assessment resources, cyber response planning tools and guidance including U.S. EPA’s WCAT self-assessment tool, cybersecurity training available from the EPA, cyber incident reporting and response, and funding sources for cybersecurity resilience. U.S. EPA's Water Cybersecurity Assessment Tool and Risk Mitigation Template, or WCAT, is a free tool available to all utilities for self-assessment. It can also be used by technical assistance providers and contractors, and it provides information on how to prioritize identified risks. The U.S. EPA is offering webinars to teach interested utilities to use the tool and has or soon will have a recorded copy of the initial webinar available on demand on their website.

Water and Wastewater Cybersecurity | Cybersecurity and Infrastructure Security Agency (CISA)

Regardless of what method of assessment you choose, consider taking advantage of the free vulnerability scanning services offered by the Cybersecurity and Infrastructure Security Agency (CISA). Utilities can sign up and receive a free external scan of their network for unsecured, public-facing devices. The CISA webpage contains a wider range of CISA and U.S. EPA resources, including information on CISA’s cross-sector cybersecurity performance goals, information on stopping ransomware and recognizing and averting phishing attempts, incident reporting directly to CISA, and connecting with CISA staff across the country within each U.S. EPA region, as well as a number of advisories, current alerts, and other cybersecurity information.

As noted above, CISA also has a program offering Free Cyber Vulnerability Scanning for Water Utilities (cisa.gov).

Cybersecurity Reminders

  • Obtain technology security such as firewalls, anti-virus software, and intrusion detection software to protect computer systems.
  • Limit computer access to personnel who need to know.
  • Utilize strong password protection.
  • Eliminate exposure to external networks and secure remote access. Develop and enforce mobile device policies.
  • Keep all computers' software and applications up to date. Implement an update management cycle.
  • Complete a cybersecurity assessment at least once every year.
  • Conduct regular employee training related to cybersecurity.

Resources