Cybersecurity Fundamentals for Water and Wastewater Utilities

UPDATE - December 2024

On December 18, 2024, WaterISAC unveiled the fourth and final set of three of its newly updated 12 Cybersecurity Fundamentals for Water and Wastewater Utilities to members during this month's Cyber Resilience Briefing. As part of a concerted effort to provide the water and wastewater systems sector with the most up-to-date guidance, WaterISAC is excited to officially bring this refresh together in it's entirety.

10 | Develop and Enforce Cybersecurity Policies and Procedures
11 | Secure the Supply Chain
12 | Participate in Information Sharing and Collaboration Communities

What’s new in Q4?

Fundamentals 10-12 cover the importance of governance in cybersecurity, working with service providers, integrators, and other “trusted” third parties, as well as utilizing information sharing and collaboration communities.
We’ve also continued to add mappings from CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs) and references to The Five ICS Cybersecurity Critical Controls.
We’ve also continued incorporating a Small Systems Guidance section.
There’s also more “eye-candy” elements/callouts for greater emphasis.

Members and non-members alike can now find the full set of 12 Fundamentals attached below. Coming soon, WaterISAC will distribute an official single document that includes all of them as you see them today. This initiative demonstrates our commitment to supporting the water sector and our members by ensuring they have access to the latest information and resources to enhance their operations.

UPDATE - September 2024

On September 25, 2024, WaterISAC unveiled the third set of three of its newly updated 12 Cybersecurity Fundamentals for Water and Wastewater Utilities to members during this month's Cyber Resilience Briefing. WaterISAC is thrilled to continue rolling out this update to its valued members, and the the water sector as a whole, highlighting a concerted effort to equip the water and wastewater systems sector with the most current and relevant guidance. This initiative demonstrates our commitment to supporting the water sector and our members by ensuring they have access to the latest information and resources to enhance their operations.

7 | Safeguard from Unauthorized Physical Access
8 | Install Independent Cyber Physical Safety Systems
9 | Embrace Risk-Based Vulnerability Management

What’s new in Q3?

Fundamentals 7-9 cover the topics of Safeguarding from Unauthorized Physical Access, Installing Independent Cyber-Physical Safety Systems, and the importance of Embracing Risk-Based Vulnerability Management
We’ve added more mappings (4) from CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs) and more references to The Five ICS Cybersecurity Critical Controls.
We’ve continued incorporating a Small Systems Guidance section.
There’s also an applicable "Real-World Scenario" section that applies to Fundamental 7.
Of course we've continued adding even more “eye-candy” for greater emphasis of practical applications and things to consider.

Access the new refreshed Fundamentals 1-9 below.

UPDATE - JUNE 2024

On June 26, 2024, WaterISAC unveiled the second set of three of its newly updated 12 Cybersecurity Fundamentals for Water and Wastewater Utilities to members during the month's Cyber Resilience Briefing. WaterISAC is excited to continue bringing this refresh to its members as part of a concerted effort to provide the water and wastewater systems sector with the most up-to-date guidance.

4 | Implement System Monitoring for Threat Detection and Alerting
5 | Account for Critical Assets
6 | Enforce Access Control

What’s new in Q2?

Fundamentals 4-6 cover the topics of Implementing System Monitoring for Threat Detection and Alerting, Accounting for Critical Assets, and the importance of Enforcing Access Controls
We’ve added more mappings (13) from CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs) and references to The Five ICS Cybersecurity Critical Controls.
A new sector-specific resource was highlighted from the SANS Institute, Protecting Critical Water Systems with the Five ICS Cybersecurity Critical Controls by Dean Parsons.
We’ve also continued incorporating a Small Systems Guidance section.
There’s even a few more “eye candy” elements/callouts for greater emphasis.

Access the new refreshed Fundamentals 1-6 below.

Update - March 2024

On March 28, 2024, WaterISAC unveiled the first three Fundamentals as part of an ongoing update to its acclaimed Cybersecurity Fundamentals for Water and Wastewater Utilities series. The current version, 15 Cybersecurity Fundamentals for Water and Wastewater Utilities, is being replaced by the 12 Cybersecurity Fundamentals for Wastewater and Wastewater Utilities. WaterISAC is excited to bring this refresh, which represents a concerted effort to provide the sector with the most up-to-date guidance.

Why the change? A desire to make it a little more manageable, but still touch on key fundamentals that water and wastewater utilities should consider addressing.

What changed to get us from 15 to 12? A few things were combined, most notably:

Tackle Insider Threats section was appropriately merged with building a cyber secure culture (this quarters’ release).
Address All Smart Devices (IIoT, IoT, Mobile, etc.) was consolidated with the fundamental on asset management (which will be released next quarter in June 2024).
Among other things, given AWIA requirements it was decided that Assess Risks (risk assessments) is an “assumption” and as such there will be a discussion in the introduction.

What other changes?

To keep the Fundamentals practical, especially for smaller systems to address, they will be released in small manageable chunks - three per quarter (in March, June, September, and December).
One of the most significant updates to this version is extensive incorporation throughout each section of CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs) and references to The Five ICS Cybersecurity Critical Controls.

Note: the current 2019 version of WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities will remain on the website until the end of the year, so there will be a full set available until all 12 refreshed ones have been released.

BACKGROUND ABOUT THE CYBERSECURITY FUNDAMENTALS FOR WATER AND WASTEWATER UTILITIES

Water and wastewater utilities provide critical lifeline services to their communities and their regions. Supporting these vitally important functions requires secure information technology (IT) and operational technology (OT), yet our sector’s IT and OT networks continue to face an onslaught of threats from cyber criminals, nation states and others.

To support members and the wider sector in its cybersecurity goals, and in response to continually evolving threats, WaterISAC published 15 Cybersecurity Fundamentals for Water and Wastewater Utilities in 2019. The original guide, first published in 2012, has been downloaded thousands of times.

The guide contains dozens of best practices, grouped into 15 main categories, that water and wastewater systems can implement to reduce security risks to their IT and OT systems. Each recommendation is accompanied by links to corresponding technical resources, giving you the information and tools you need to take a dive deep into this acutely important issue.

The guide will also be helpful to utilities preparing risk and resilience assessments required by America’s Water Infrastructure Act, or AWIA. The 15 fundamentals will also be especially useful for informing emergency response plans, because AWIA requires those plans to address mitigation and resilience options.

The original 15 fundamentals included: