Cybersecurity and the AWIA

Agenda• General Thoughts• Assessment Principles• Tools• Final Thought

I’m glad water isn’t a target!

Energy Defense

Finance Healthcare

We’re not connected to the Internet…

Cybersecurity is not just an IT issue

IT

SecurityOperations

Assessment Principles• Create an Assessment Team

• Operations• Information Technology• Plant Management• Senior / Executive Management

• Determine the Scope• Standards• Due Diligence

Tools• VSAT 2.0 (EPA)• Cybersecurity Guidance and Tool (AWWA)• Cybersecurity Evaluation Tool (DHS)

Answering the Questions• Question & Answer• Is there a documented process?• Is process known / trained?• Is process followed?• Where is the evidence?

VSAT 2.0 (EPA)• “A tool for assessing risk and resilience and drinking water

and wastewater systems”• Utility Overview

VSAT 2.0 (EPA)• Utility Resilience Index

• 12 Scoping Questions

VSAT 2.0 (EPA)• Qualitative Risk Assessment

VSAT 2.0 (EPA)• Quantitative Risk Assessment

VSAT 2.0 (EPA)• Countermeasure Analysis

VSAT 2.0 (EPA)• Pros

• Full AWIA assessment in single interface• Cons

• Requires significant industry / functional knowledge• Personnel dependent – must be highly trained• Frustrating to use / very involved

Cybersecurity Guidance / Tool (AWWA)• “Voluntary sector specific approach for implementing

applicable cybersecurity controls and recommendations”• Scoping – 22 Questions

Cybersecurity Guidance / Tool (AWWA)• Controls Output

• “Suggested Controls” – must input YOUR status

Cybersecurity Guidance / Tool (AWWA)• Control Status Summary

Cybersecurity Guidance / Tool (AWWA)• Improvement Projects

Cybersecurity Guidance / Tool (AWWA)• Pros

• Sector specific with good documentation• Easy to use / intuitive• Maps to applicable standards for further info• Walks through entire process (scoping – declaration template)

• Cons• Must be integrated with other functional categories to meet full

AWIA requirements

CSET (DHS)• “A desktop software tool that guides users through a step-

by step process to assess control system and IT network security practices against recognized industry standards”

CSET (DHS)• Preparation

• Standard demographic info

CSET (DHS)• Assessment

CSET (DHS)• Results

CSET (DHS)• Pros

• Consistent, repeatable, easy to use• Tailorable (Basic / Advanced) • Maps to applicable standards for further info• Good dashboard and reporting tools

• Cons• Not tailored to water industry• Requires cyber / IT expertise• Must be integrated with other functional categories to meet full

AWIA requirements

Final Thought