WaterISAC’s ‘15 Cybersecurity FUNdamentals Awareness Month’ (15CFAM) – Having FUN Assessing Risks

Created: Tuesday, October 6, 2020 - 14:22
Categories: Cybersecurity, General Security and Resilience, Security Preparedness

Welcome back to our homage to National Cybersecurity Awareness Month (NCSAM) with the WaterISAC ‘15 Cybersecurity Fundamentals Awareness Month’ (15CFAM) where we walk through WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities. Today we are touching on risk assessments. If you missed our kickoff last week, check out Performing Asset Inventories.

While some might think a risk assessment would be the first step in a cybersecurity strategy, organizations quickly realize it is difficult to assess risk when they do not know what they are assessing in the first place. It is unrealistic to expect to adequately complete even a basic risk assessment without a comprehensive asset inventory. For instance, it is difficult to assess a home against the risk of being burglarized if the status of the door(s) is unknown – including things like quantity, type, material, lock(s), alarm sensor, or monitoring of the door(s). However, once assets and their details are accounted for, threats can be more accurately assessed for the risk they pose to the environment. Furthermore, risk assessments are vital to prioritizing the application of controls and countermeasures to protect the environment. And of course, risk and resilience assessments are now required of drinking water systems every five years per the America’s Water Infrastructure Act (AWIA).

While we want to provide resources not referenced in the current version of the aforementioned guide, it is difficult to not include some of the best risk assessment resources known to water and wastewater systems – including AWWA’s Cybersecurity Guidance and Tool, CISA’s risk assessment resources, and EPA’s VSAT. Whether your utility falls under AWIA or not, please visit a compendium of resources on the AWIA Risk Assessments and ERPs page in the WaterISAC Resource Center.

Next up…Minimize Control System Exposure, Enforce User Access Controls, and Safeguard from Unauthorized Physical Access. Members can track ongoing posts through the WaterISAC portal by searching ‘15CFAM’ in the Resource Center.