Conducting Cyber Risk Assessments under AWIA: A WaterISAC Webinar Series

July 17, August 20, and September 18, 2019

Under America’s Water Infrastructure Act (AWIA), water utilities must conduct initial risk and resilience assessments and update them every five years. To help utilities do so, WaterISAC is hosting a series of three webinars designed to offer expert guidance. The first will introduce the cybersecurity assessment process, the second will focus on operational technology risks and controls, and the third will identify business system information technology risks.

The webinars will be presented by EMA, Inc., a leading provider of technology, management, and engineering services to utilities.

Separate registration is required for each webinar. Webinar #1 is open to the public, but webinars #2 and #3 are for WaterISAC members only. Become a member here.

Webinar #1 – Introduction to the Cybersecurity Assessment Process

July 17, 2019 - View recording and download slides

This webinar will prepare a utility to complete a cybersecurity assessment. An overview of operational technology (OT) and information technology (IT) threats and risks that impact process control and business systems will be presented.

The methodology used in an assessment will be described, including who should be involved, how workshops are developed to review systems and practices, and how electronic testing is performed. This will allow the utility to plan for staff commitments and identify the documentation required for the workshops and field investigation, including scanning and site inspections. Outputs and recommendations that may emerge from cybersecurity assessments will be discussed and aligned with the AWWA J100 standard, the risk and resiliency assessment, and the emergency response plan requirements under AWIA.

Webinar #2 – Process Control and SCADA System Risks

August 20, 2019 - View Recording and Download Slides (MEMBERS ONLY)

This webinar reviews OT system risks. Risks specifically associated with SCADA systems will be identified. The unique challenges, including distribution of remote sites, data exchanges, interfaces, and 24/7 operational requirements, will be discussed. The webinar will describe the tasks included in an assessment and the requirements for the utility.

The webinar will address utility staff participation in workshops that form the bench portion of the assessment and the use of the AWWA Cybersecurity Guidance and Tool and Department of Homeland Security Cyber Security Evaluation Tool (CSET) to identify system controls and practices. The field-testing component will be presented with a discussion of scanning tools, field investigation tasks, and the risks to be aware of when scanning OT equipment. Attendees will be able to identify resources needed to complete assessment tasks in preparation for AWIA requirements.

The outcomes of an assessment may include improvements in technology, practices, or staffing to reduce risks. Improvement projects include a mix of network, control systems, and, very importantly, policies and practices. The assessment process will expand staff knowledge of cybersecurity requirements and controls. The webinar will review how the assessment recommendations will provide alignment with AWIA and how the assessment outputs can be used to plan operational and capital improvements to mitigate risks and vulnerabilities.

Webinar #3 – Business System Risks

September 18, 2019 - 2:00-3:00 pm ET – MEMBERS ONLY

The final webinar will focus on the IT or business systems identified in AWIA. Risks associated with the data, internal and public-facing access (e.g., portals), payment systems, remote access, interfaces, and hosted solutions will be discussed. The webinar will also review how testing methods for business systems will differ from OT testing and will describe best practices for utility staff participation.

Assessments of business systems can lead to recommendations which might include segregation of OT and IT networks, network and system monitoring requirements, and alignment of OT and IT cybersecurity policies. The webinar will describe how the assessment recommendations can be used to meet the emergency response plan requirements of AWIA and to define cybersecurity improvements to reduce system and staff risks.

The webinar will also address how the OT and IT components of the assessment will work together to meet the risk and resiliency assessment requirements for AWIA.

Register for Webinar #3 (WaterISAC members only)