The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) offers a variety of testing and assessment services to critical infrastructure operators and other partners. These services identify strengths and weaknesses, with the overall intent of improving an organization’s cybersecurity posture. What’s more, CISA provides these services for free, and many can be conducted remotely. It should come as no surprise, then, that many water and wastewater utilities have already taken advantage of these services.
On December 16, 2020, CISA representatives joined WaterISAC for a briefing on the cybersecurity services offered by their organization. The presentation from that briefing is posted below.
Below is a listing of CISA's services. These are discussed in greater detail in fact sheets posted below as well as on CISA's Cyber Resource Hub. Water and wastewater sector entities should contact this email address for inquiries on CISA cybersecurity services: CyberLiaison_Industry@cisa.dhs.gov.
- Cyber Hygiene Vulnerability Scanning - This service continuously assesses the “health” of internet-accessible assets by checking for known vulnerabilities and weak configurations, and recommends ways to enhance security through modern web and email standards.
- Phishing Campaign Assessment - With this service, CISA measures an organization’s propensity to click on email phishing lures, which are commonly used to collect sensitive information or to gain initial access to a network. CISA subsequently provides an organization's leadership with information on potential training and awareness improvements based on the metrics gathered through the assessment.
- Remote Penetration Test - This service utilizes a dedicated remote team to assess and identify vulnerabilities and work with organizations to eliminate exploitable pathways. As a remote service, it is less costly and more scalable than on-site offerings; however, it is more limited in organizational insight and context.
- Risk and Vulnerability Assessment - This is a one-on-one engagement with stakeholders that combines open-source national threat and vulnerability information with data collected through remote and onsite assessment activities to provide actionable risk analysis reports with remediation recommendations prioritized by severity and risk.
- Validated Architecture Design Review - This service entails an assessment based on federal and industry standards, guidelines, and best practices. Assessments can be conducted on Information Technology (IT) or Operational Technology (OT) infrastructures.
- Red Team Assessment - This is a comprehensive evaluation of an information technology (IT) environment. Simulation of advanced persistent threats (APTs) can assist stakeholders in determining their security posture by testing the effectiveness of response capabilities to a determined adversarial presence.
- High Value Asset Assessment - This assessment is similar to a Risk and Vulnerability Assessment in knowledge, skills, tools, tactics, and methodology. However, it entails specific, predefined attack scenarios used consistently across the assessment targeted at critical assets selected by the Office of Management and Budget.
- Critical Product Evaluation - This is a multi-week, comprehensive evaluation of a vendor’s solution or appliance that ubiquitously supports critical infrastructure operations or other national endeavors. Its aim is to improve the “out of the box” and recommended security implementation of the product, ultimately improving our national resiliency.
- Cyber Security Evaluation Tool - Also known as CSET, this is a self-directed assessment consisting of a stand-alone desktop application that guides asset owners and operators through a systematic and repeatable process for evaluating key national cyber assets (OT and IT). It includes both high-level and detailed questions related to all industrial control and IT systems. Due to a recent collaboration between CISA and AWWA, results from AWWA's cybersecurity tool can be uploaded to CSET. All the work performed in the previous assessment is uploaded into CSET, avoiding rework.