Incident Action Checklist - Cybersecurity
For on-the-go convenience, the actions in this checklist are divided up into three "rip & run" sections and provide a list of
activities that water and wastewater utilities can take to prepare for, respond to and recover from a cyber incident. You
can also populate the "My Contacts" section with critical information that your utility may need during an incident.
Cyber Incidents and Water Utilities
Cyberspace and its underlying infrastructure are vulnerable to a wide range of hazards from both physical
attacks as well as cyberthreats. Sophisticated cyber actors and nation-states exploit vulnerabilities to steal
information and money and are developing capabilities to disrupt, destroy or threaten the delivery of essential
services such as drinking water and wastewater.
As with any critical enterprise or corporation, drinking water and wastewater utilities must evaluate and mitigate
their vulnerability to a cyber incident and minimize impacts in the event of a successful attack. Impacts to a
utility may include, but are not limited to:
• Interruption of treatment, distribution or conveyance processes from opening and closing valves, overriding alarms or disabling pumps or other equipment
• Theft of customers' personal data such as credit card information and social security numbers stored in on-line billing systems
• Defacement of the utility's website or compromise of the email system
• Damage to system components
• Loss of use of industrial control systems (e.g., SCADA system) for remote monitoring of automated treatment and distribution processes

Cyber incidents can compromise the ability of water and wastewater utilities to provide clean and safe water to
customers, erode customer confidence and result in financial and legal liabilities. The following sections outline
actions drinking water and wastewater utilities can take to prepare for, respond to and recover from cyber
1 of 6

Actions to Prepare for a Cyber Incident
[ ] Identify all mission critical information technology (IT) systems, considering business enterprise, process control and communications. Document the key functions of the mission critical objectives, and identify the personnel or entity responsible for operating and maintaining each IT system.
[ ] Identify an overall IT security lead to coordinate with each IT system manager and oversee all cyber-related duties.
[ ] Ensure that IT system managers enforce cybersecurity practices on all business enterprise, process control and communications systems. For example, verify adherence to user authentication, current anti-virus software and installation of security patches.
[ ] Identify priority points of contact for reporting a cyber incident and requesting assistance with response and recovery. Include any state resources that may be available such as State Police, National Guard Cyber Division or mutual aid programs, as well as the Department of Homeland Security National Cybersecurity and Communications Integration Center (NCCIC) (888-282-0870 or NCCIC@hq.dhs.gov).
[ ] Review and update the utility's emergency response plan (ERP) to address a cyber incident impacting business enterprise, process control and communications systems. Account for all potential impacts on operations, and ensure emergency contacts are current.
[ ] Prevent unauthorized physical access to IT systems through security measures such as locks, sensors and alarms. Include workstations and process control systems (e.g., programmable logic controllers or PLCs).
[ ] Train all essential personnel to perform mission critical functions during a cyber incident that disables business enterprise, process control and communications systems. Include the manual operation of water collection, storage, treatment and conveyance systems.
[ ] Conduct drills and exercises for responding to a cyber incident that disables critical business enterprise, process control and communications
2 of 6

Actions to Prepare for a Cyber Incident (continued)
IT Staff or Vendor
[ ] Establish a program for maintaining updated anti-virus software on all critical IT systems, along with rapid installation of all security
[ ] Set up an automatic back-up on critical systems and ensure the process is producing a readable, uncorrupted restore file on a routine basis.
[ ] Implement rigorous user authentication, including multi-factor authentication where possible. Use individual accounts and unique passwords for each employee, and restrict IT system access privileges to the level needed for a user's duties.
[ ] Restrict internet access to process control systems unless absolutely necessary.
[ ] Where possible, separate process control system traffic from business traffic through the use of a firewall. If this is not possible, logically filter traffic through the use of a firewall.
[ ] Identify all routes of remote access to IT systems. Eliminate remote access where possible, and restrict remaining access (e.g., do not allow persistent remote access to control
[ ] Assess the use of additional strategies to protect IT systems, such as application whitelisting, network segmentation with restricted communication paths and active monitoring for adversarial system penetration.
[ ] Conduct a detailed assessment of vulnerabilities in all mission critical IT systems. Consider use of the tools and subject matter experts provided by the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) (www.ics-cert.us-cert.gov). Develop an action plan to mitigate all significant vulnerabilities identified in the assessment.
Notes:
3 of 6

Actions to Respond to a Cyber Incident
[ ] If possible, disconnect compromised computers from the network to isolate breached components and prevent further damage, such as the spreading of malware. Do not turn off or reboot systems - this preserves evidence and allows for an assessment to be performed.
[ ] Notify IT personnel and/or IT vendor of the incident and the need for emergency response assistance. In addition, NCCIC can assist with IT system response and recovery (888-282-0870 or
[ ] Assess any damage to utility systems and equipment, along with disruptions to utility
[ ] Execute the utility ERP as needed, including notification of utility personnel, actions to restore operations of mission critical processes (e.g., switch to manual operation if necessary), and public notification (if required).
[ ] Report the cyber incident as required to law enforcement and regulatory agencies.
[ ] Notify any external entities (e.g., vendors, other government offices) that may have remote connections to the affected network(s).
[ ] Document key information on the incident, including any suspicious calls, emails, or messages before or during the incident, damage to utility systems, and steps taken in response to the incident (including dates and times).
IT Staff or Vendor
[ ] Review system and network logs, and use virus and malware scans to identify affected equipment, systems, accounts and networks.
[ ] Document which user accounts were or are logged on, which programs and processes were or are running, any remote connections to the affected IT systems or network(s) and all open ports and their associated applications.
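As an added example of the log review and account documentation described in the two items above (this is not part of the EPA checklist): a small Python parser over constructed sshd-style log lines that lists which accounts logged on and from which remote addresses during the incident window, and flags successful logins from outside the utility's trusted management network. The log format, the year, the hostname, the account names and the 10.20.0.0/16 management network are all assumptions.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sshd/syslog-style sample (hostname, users and addresses are made up; 203.0.113.0/24 is a documentation range).
SAMPLE_LOG = """\
Oct 14 22:03:11 scada-hmi sshd[4121]: Accepted password for operator from 10.20.5.17 port 51022 ssh2
Oct 14 23:47:02 scada-hmi sshd[4388]: Accepted publickey for vendor-svc from 203.0.113.44 port 40211 ssh2
Oct 15 00:12:40 scada-hmi sshd[4390]: Failed password for root from 203.0.113.44 port 40213 ssh2
Oct 15 00:13:05 scada-hmi sshd[4392]: Accepted password for admin from 203.0.113.44 port 40215 ssh2
Oct 15 06:30:00 scada-hmi sshd[5001]: Accepted password for operator from 10.20.5.17 port 51100 ssh2
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+) port \d+")

def parse_auth_log(text, year=2017):
    # Syslog timestamps carry no year, so the caller supplies it (assumed 2017 for the sample).
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines from other daemons are outside this example
        ts, result, user, src = m.groups()
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        events.append({"time": when, "result": result, "user": user, "src": ip_address(src)})
    return events

def summarize_window(events, start, end, trusted_nets):
    # Accounts and remote sources seen in [start, end]; successful logins from outside trusted_nets are flagged.
    trusted = [ip_network(n) for n in trusted_nets]
    accounts, sources, untrusted, failed = set(), set(), [], []
    for e in events:
        if not (start <= e["time"] <= end):
            continue
        sources.add(str(e["src"]))
        if e["result"] == "Failed":
            failed.append((e["user"], str(e["src"])))
            continue
        accounts.add(e["user"])
        if not any(e["src"] in n for n in trusted):
            untrusted.append((e["time"].isoformat(), e["user"], str(e["src"])))
    return {"accounts": sorted(accounts), "remote_sources": sorted(sources),
            "untrusted_logins": untrusted, "failed": failed}

def demo():
    # Assumed incident window (late 14 Oct to early 15 Oct) and assumed management LAN 10.20.0.0/16.
    return summarize_window(parse_auth_log(SAMPLE_LOG), datetime(2017, 10, 14, 23, 0),
                            datetime(2017, 10, 15, 1, 0), ["10.20.0.0/16"])
```

The returned dictionary is the record to keep with the incident documentation; the same window and trusted-network arguments can be reused against the firewall or VPN logs to cross-check the remote connections listed.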
[ ] If possible, take a "forensic image" of the affected IT systems to preserve evidence. Tools to take forensic images include Forensic Tool Kit (FTK) and EnCase.
[ ] If possible, identify any malware used in the incident, any remote servers to which data may have been sent during the incident, and the origin of the incident. NCCIC can assist with the forensic analysis (888-282-0870 or NCCIC@
[ ] Research and identify if any employee or customer personally identifiable information (PII) was compromised.
[ ] Check the system back-up time stamp to determine if the back-up was compromised during the incident.
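An added example (not part of the EPA checklist) that serves both the Prepare item on confirming the automatic back-up produces a readable, uncorrupted restore file and the Respond item just above on checking the back-up's time stamp against the incident: a hash manifest written when the back-up is made and re-checked before anything is restored. The file names, the manifest format and the incident start time are assumptions.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timedelta, timezone

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:  # chunked, so a large archive need not fit in memory
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def write_manifest(backup_dir, manifest_path):
    # SHA-256 per file plus a UTC stamp; keep the manifest where the backed-up host cannot write it.
    files = {n: sha256_file(os.path.join(backup_dir, n)) for n in sorted(os.listdir(backup_dir))
             if os.path.isfile(os.path.join(backup_dir, n))}
    manifest = {"created_utc": datetime.now(timezone.utc).isoformat(), "files": files}
    with open(manifest_path, "w") as f:
        json.dump(manifest, f)
    return manifest

def verify_backup(backup_dir, manifest_path, incident_start_utc=None):
    # (trusted, problems): trusted only if every file is present, readable and hash-matching, and the manifest predates the incident.
    with open(manifest_path) as f:
        manifest = json.load(f)
    problems = []
    if incident_start_utc and datetime.fromisoformat(manifest["created_utc"]) >= incident_start_utc:
        problems.append("manifest created during or after the incident window")
    for name, expected in manifest["files"].items():
        try:
            actual = sha256_file(os.path.join(backup_dir, name))
        except OSError as e:
            problems.append(f"{name}: missing or unreadable ({e.strerror})")
            continue
        if actual != expected:
            problems.append(f"{name}: hash mismatch (modified or corrupted)")
    return (not problems, problems)

def demo():
    # Constructed back-up: clean check, check after tampering, then a check against an incident start before the manifest.
    with tempfile.TemporaryDirectory() as d:
        for n, data in (("scada_config.bak", b"pump1=auto\n"), ("billing.sql", b"-- dump\n")):
            with open(os.path.join(d, n), "wb") as f:
                f.write(data)
        manifest = os.path.join(d, "manifest.json")
        write_manifest(d, manifest)
        clean, _ = verify_backup(d, manifest)
        with open(os.path.join(d, "scada_config.bak"), "ab") as f:
            f.write(b"pump1=off\n")
        tampered, issues = verify_backup(d, manifest)
        stale, _ = verify_backup(d, manifest, datetime.now(timezone.utc) - timedelta(days=1))
        return clean, tampered, issues, stale
```

Run `write_manifest` as the last step of each routine back-up and `verify_backup` from a clean host before restoring; a back-up whose manifest post-dates the incident start should be treated as suspect even when every hash matches.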
[ ] Document all findings, and avoid modifying or deleting any data that might be attributable to the
Notes:
4 of 6

Actions to Recover from a Cyber Incident
[ ] Continue to work with IT staff, vendors and integrators, government partners and others to obtain needed resources and assistance for
[ ] Notify affected employees and customers if any PII was compromised.
[ ] Submit an incident report through WaterISAC (866-H2O-ISAC). Membership is not required to submit a report.
[ ] Develop a lessons learned document and/or an after action report (AAR) to document utility response activities, successes, and areas for improvement. Create an improvement plan (IP) based on your AAR and use the IP to update your vulnerability assessment, ERP and contingency plans.
[ ] Register for cybersecurity alerts and advisories from water sector and government partners to be aware of new vulnerabilities and threats. Two sources of cybersecurity alerts are WaterISAC, which has a basic membership that is free, and
IT Staff or Vendor
[ ] Remove any malware, corrupted files and other changes made to IT systems by the incident.
[ ] Restore IT systems as required (e.g., re-image hard drives, reload software). NCCIC can assist with the IT system recovery (888-282-0870 or
[ ] Restore compromised files from a system back-up that has not been compromised.
[ ] Install patches and updates, disable unused services and perform other countermeasures to harden the system against known vulnerabilities that may have been exploited.
Notes:
5 of 6

My Contacts and Resources
Law Enforcement
IT Staff/Vendor
SCADA Staff/Vendor
Local Laboratory
State Primacy Agency
Local Emergency Management Agency
Local Health Department
WARN Chair
State Emergency Management Agency

• Best Cybersecurity Practices (WaterISAC)
• Cyber Security Evaluation Tool (DHS ICS-CERT)
• Advisories (DHS ICS-CERT)
• Cybersecurity Advisors (DHS)
• National Cybersecurity and Communications Integration Center (NCCIC) (DHS)
• Cybersecurity Guidance and Tool (AWWA)
• Cybersecurity Resource Guide (WaterISAC)
• Cybersecurity Insurance (National Rural Water Association)
Notes:
Office of Water (4608-T) EPA 810-B-17-004 October 2017
6 of 6