NOTE: This guide will soon be superceded by the forthcoming 15 Cybersecurity Fundamentals for Water and Wastewater Utilities. Stay tuned!
Attached below is WaterISAC's 10 Basic Cybersecurity Measures: Best Practices to Reduce Exploitable Weaknesses and Attacks (October 2016). It was developed in partnership with the U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the FBI, and the Information Technology ISAC. Each recommendation is accompanied by links to corresponding technical resources. This document is an updated version of the 10 Basic Cybersecurity Measures to Reduce Exploitable Weaknesses and Attacks report that WaterISAC published in June 2015.
In reviewing its incident reports for 2014, ICS-CERT noted that implementation of the first three recommendations likely would have detected the issues, prevented the vulnerabilities, and averted the resulting impacts related to those incidents. In its review of 2015 assessments, ICS-CERT noted that over one-third of weaknesses found were related to six security practices. Although risks remain and threat actors will continue to change their capabilities and methods, ICS-CERT advises that the first three recommendations be implemented as soon as practical.
For further measures to reduce cyber risks, consult the Framework for Improving Critical Infrastructure Cybersecurity by the National Institute of Standards and Technology (NIST) and the American Water Works Association’s (AWWA’s) Cybersecurity Guidance and Tool. The NIST Cybersecurity Framework is a set of voluntary practices, standards, and guidelines created to help critical infrastructure owners and operators manage cyber risks. The AWWA Guidance and Tool is a sector-specific approach for adopting the NIST Cybersecurity Framework.
Also, download WaterISAC’s Cybersecurity Resource Guide for more information on key resources to help water and wastewater utilities and the government agencies that support them mitigate risks and resolve vulnerabilities.