Today, WaterISAC is unveiling the first three of its newly updated 12 Cybersecurity Fundamentals for Water and Wastewater Utilities as part of a concerted effort to provide the sector with the most up-to-date guidance (see attached). At the WaterISAC Cyber Resilience Briefing yesterday, Gus Serino, President at I&C Secure, walked attendees through the first three of the Fundamentals and gave a high-level overview of their importance and practical application. The last iteration of the Fundamentals was published just under five years ago, in 2019. WaterISAC is excited to bring this refresh to its members and the larger water and wastewater sector.

Why the change? A desire to make it a little more manageable, but still touch on key fundamentals that water and wastewater utilities should consider addressing.

What changed to get us from 15 to 12? A few things were combined, most notably:

• Tackle Insider Threats section was appropriately merged with building a cyber secure culture (this quarters’ release).
• Address All Smart Devices (IIoT, IoT, Mobile, etc.) was consolidated with the fundamental on asset management (which will be released next quarter in June 2024).
• Among other things, given AWIA requirements it was decided that Assess Risks (risk assessments) is an “assumption” and as such there will be a discussion in the introduction.

What other changes?

• To keep the Fundamentals practical, especially for smaller systems to address, they will be released in small manageable chunks - three per quarter (in March, June, September, and December).
• One of the most significant updates to this version is extensive incorporation throughout each section of CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs) and references to The Five ICS Cybersecurity Critical Controls.

Note: the current 2019 version of WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities will remain on the website until the end of the year, so there will be a full set available until all 12 refreshed ones have been released.

Access the fundamentals 1-3 in the attachment below.