Technical Cybersecurity
Support Plan for Public Water
Systems - Report to Congress


-------
Contents

Contents

Introduction	1

Section 1: Methodology, as established by the

Prioritization Framework, for identifying specific PWSs

for which cybersecurity support should be prioritized	3

Section 2: Timelines for making voluntary technical

support for cybersecurity available to specific PWSs 	6

Section 3: "Public water systems identified by EPA, in
coordination with CISA, as needing technical support for

cybersecurity" 	7

Section 4: "Specific capabilities of EPA and CISA that

may be utilized to provide support to public water	. 8

systems"

Appendix: Public Water Systems Identified by EPA, in

Coordination with CISA,as.Needing.Technical.Su.ppo.rt .	.18

for Cybersecurity

i


-------
The Infrastructure Investment and Jobs Act (Public Law No. 117-58) (hereinafter, Bipartisan
Infrastructure Law or BIL) requires the U.S. Environmental Protection Agency (EPA), in coordination
with the Cybersecurity and Infrastructure Security Agency (CISA), to develop a Technical
Cybersecurity Support Plan (hereinafter, Support Plan). The BIL directs that "the Administrator
[EPA], in coordination with the Director [CISA] and using existing authorities of [EPA] and [CISA] for
providing voluntary support to public water systems and the Prioritization Framework, shall develop
a Technical Cybersecurity Support Plan for public water systems." The Prioritization Framework is
a separate document required under the BIL that describes a methodology for prioritizing public
water systems (PWSs) for technical cybersecurity support. The Prioritization Framework is further
described in Section 1 of this document.

Pursuant to the BIL, the Support Plan must address the following: "(i)...the methodology [as
established by the Prioritization Framework] for identifying specific PWSs for which cybersecurity
support should be prioritized, (ii)...timelines for making voluntary technical support for cybersecurity
available to specific PWSs, (iii)...PWSs identified by [EPA], in coordination with [CISA], as needing
technical support for cybersecurity, and (iv)...specific capabilities of [EPA] and [CISA] that may
be utilized to provide support to PWSs...including (I) site vulnerability and risk assessments, (II)
penetrations tests; and (III) any additional support determined to be appropriate by [EPA]." All
support to PWSs under the Support Plan is voluntary.

As the Sector Risk Management Agency (SRMA) for the Water and Wastewater Systems sector,
EPA leads the Federal effort to promote security and resilience, both physical and cyber, in water
and wastewater systems and serves as a day-to-day Federal interface for coordination of sector-
specific activities. In implementing its SRMA responsibilities, EPA collaborates with CISA and other
Federal departments and agencies, along with state, local, Tribal, and territorial (SLTT) governments,
private sector entities and associations, and critical infrastructure owners and operators. EPA
provides, supports, and facilitates technical assistance to water and wastewater systems to identify
and mitigate vulnerabilities and carries out incident management responsibilities consistent with
statutory authority, including understanding the business or operational impact of a cyber incident
on private sector critical infrastructure.

The authorities and responsibilities of EPA's SRMA mission stem from several statutes and
Presidential Directives, including the Homeland Security Act of2002, America's Water Infrastructure
Act of 2018, the National Defense Authorization Act (NDAA) of2021, Presidential Policy Directive 21
- Critical Infrastructure Security and Resilience, and Presidential Policy Directive 41 - United States
Cyber Incident Coordination.

l


-------
CISA under its authorities has responsibilities to lead the national effort to understand, manage,
and reduce risk to our cyber and physical infrastructure in coordination with SRMAs. These
responsibilities include identifying and prioritizing physical and cyber threats, vulnerabilities, and
consequences to critical infrastructure; providing technical assistance to critical infrastructure
owners and operators upon request; facilitating the exchange of intelligence to strengthen the
security and resilience of critical infrastructure; and, pursuant to Presidential Policy Directive (PPD)
41, leading the Federal Government in critical infrastructure asset response through "furnishing
technical assistance to affected entities to protect their assets, mitigate vulnerabilities, and reduce
im pacts of cyber incidents."

Not later than August 22, 2022, EPA must submit to the appropriate Congressional committees
the Support Plan and a list describing any PWSs identified by EPA, in coordination with CISA, as
needing technical support for cybersecurity. This list is attached as an appendix to the Support Plan.

2


-------
SECTION 1: METHODOLOGY, AS ESTABLISHED BY THE
PRIORITIZATION FRAMEWORK, FOR IDENTIFYING
SPECIFIC PWSs FOR WHICH CYBERSECURITY
SUPPORTSHOULD BE PRIORITIZED

Note: This section describes the Prioritization Framework, which EPA, in coordination with
CISA, would use to prioritize PWSs where the need for technical assistance exceeds the near-
term capacity to provide support. Section 3 of this Support Plan describes PWSs identified by
EPA, in coordination with CISA, as potentially needing technical cybersecurity support at
present. EPA published the Prioritization Framework as the Prioritization Framework for
Technical Cybersecurity Support to Public Water Systems, EPA 817-R-22-001.

The Prioritization Framework is structured as a series of qualitative questions stemming from the
criteria that the BIL requires EPA to consider. This qualitative structure will provide the flexibility
necessary to tailor the prioritization of PWSs for technical cybersecurity support to specific threat
circumstances and PWS' needs.

The Framework is not designed to assign a water system to a fixed prioritization rank independent of
a scenario where prioritization is needed. Rather, it reflects the understanding that prioritizing PWSs
for technical cybersecurity support will depend on the circumstances of a particular scenario (e.g.,
the type of cybersecurity vulnerability and technical support required, the number of water systems
requesting assistance, and the capacity to deliver support).

Existing circumstances have not required the use of a prioritization framework. Should that need
arise in the future, the Framework offered here could be adjusted as needed.

Under the Prioritization Framework, if demand for cybersecurity support exceeds near term capacity
to respond, a PWS would be asked to respond to the prioritization questions. EPA, in coordination
with CISA, would use those answers, as well as a number of other factors, to prioritize the requests for
assistance. Some of those other factors may include:

¦	The risk to PWS operations and potential adverse impacts on the service area, downstream critical
infrastructure, and defense/national security assets,

¦	The capabilities of a PWS to remediate the vulnerability without Federal support, and

¦	The risk reduction benefits that technical cybersecurity support would achieve.

Table 1 below lists the required statutory criteria for the Prioritization Framework, the associated
questions that a PWS would answer when requesting cybersecurity technical support, and
considerations for prioritizing the order of support.

3


-------
Note that the order in which the criteria are listed in Table 1 does not imply preferential weighting
for prioritization rank. Rather, weighting would be based on the threat circumstances and the
needs of PWSs for technical cybersecurity support.

Table 1: PRIORITIZATION FRAMEWORK CRITERIA, QUESTIONS, AND AGENCY CONSIDERATIONS1

Statutory criteria from Sec.
1420A(b)(l)

Questions for PWSs requesting
technical cybersecurity support

Considerations for prioritizing
assistance requests

(A)...identify public water
systems (including sources of
water for those public water
systems) that, if degraded or
rendered inoperable due to
an incident, would lead to
significant impacts on the
health and safety of the public

How many people does the
PWS or source serve (including
consecutive systems and those
technologically integrated)?

Does the service area have
resources (e.g., alternative sources
of supply) that could mitigate the
impact of degraded water service?

Note: Downstream critical
infrastructure, such as health
care, is addressed in a separate
criterion.

Priority would increase with greater
population served (i.e., adverse impacts
from water service degradation would
grow with higher population served).

Priority would decrease for PWSs
where the service area has greater
resources to mitigate impacts of
degraded water service.

(B)(i) whether cybersecurity
vulnerabilities for a public
water system have been
identified under Section 1433

Did the PWS conduct a risk and
resilience assessment under
America's Water Infrastructure
Act that included cybersecurity
(required for community water
systems serving over 3,300
people)?

Did the PWS conduct an
alternative cybersecurity
vulnerability assessment (e.g.,
CISA Cyber Hygiene services, EPA
Technical Assistance Provider
program, NISTCybersecurity
Framework, or private sector
assessment)?

Whether a PWS had conducted a
cybersecurity vulnerability assessment
would not be a factor in providing
critical technical cybersecurity
support.

If a PWS reported that it had
identified a vulnerability under an
assessment but had not yet addressed
the vulnerability, consider whether
that vulnerability would increase the
need for assistance under the threat
circumstance. Regardless, the PWS
would be encouraged to correct the
deficiency.

Furthermore, if a PWS requested
technical cybersecurity support
and had not assessed cybersecurity
vulnerabilities, EPA, in coordination
with CISA, would encourage the PWS
to do so and would assist the PWS if
necessary.

1 The Prioritization Framework criteria in this Table include minor modifications to the version submitted to Congress for
the sake of clarity.

4


-------
Statutory criteria from Sec.
1420A(b)(l)

Questions for PWSs requesting
technical cybersecurity support

Considerations for prioritizing
assistance requests

(B)(ii) the capacity of a public
water system to remediate
a cybersecurity vulnerability
without additional Federal
support

What near- and long-term internal
technical capabilities and financial
resources does the PWS have to
correct cybersecurity vulnerabilities?

How urgent is the PWS's need for
technical cybersecurity assistance?

Are other external sources of
technical cybersecurity support (e.g.,
other government or private sector
assistance providers) available to the
PWS?

A PWS with an urgent need for
technical cybersecurity support
(e.g., a known vulnerability that
poses a significant risk to the PWS's
operations) and that lacks either
internal or external technical or
financial resources to correct the
vulnerability in a sufficient time
frame would be prioritized for
assistance.

(B)(iii) whether a public water
system serves a defense
installation or critical national
security asset

Does the PWS serve a defense
installation or national security asset
(e.g., defense production facility,
communications provider, etc.)?

Serving a defense installation or
national security asset would be a
significant prioritization factor for
technical cybersecurity support.

(B)(iv) whether a public
water system, if degraded
or rendered inoperable due
to an incident, would cause
a cascading failure of other
critical infrastructure

What critical infrastructure facilities
does the PWS serve (across all 16
critical infrastructure sectors)?

PWSs that serve a greater number
of critical infrastructure facilities
would be prioritized for technical
cybersecu rity su pport.

Further, PWSs that serve critical
infrastructure facilities where
a degradation in water service
would cause especially severe
consequences (e.g., health care
facilities) would be prioritized for
support.

5


-------
SECTION 2: TIMELINES FOR MAKING VOLUNTARY
TECHNICAL SUPPORT FOR CYBERSECURITY
AVAILABLE TO SPECIFIC PWSs

Section 4 of this Support Plan, which describes specific capabilities of EPA and CISA that may be
utilized to provide support to PWSs, includes both currently available support and planned future
support. Separate timelines are associated with each.

The first part of Section 4 describes currently available support, which is listed on EPA's and CISA's
websites and is available to any PWS upon request. As noted in Section 4, some of the currently
available services are self-assessments, which would be conducted by the PWS and can be accessed
at anytime. Other services are fa cilita ted assessments, which require coordination and must be
scheduled.

Typically, the wait time to schedule facilitated assessments is minimal. For example, PWSs that
register for EPA's Water Sector Cybersecurity Technical Assistance Provider Program are contacted
within a few days for a preliminary assessment and to schedule a full assessment with a technical
assistance provider. The vulnerability scanning and web application scanning offered by CISA
typically begin within one week of a facility returning the appropriate forms.

The second part of Section 4 describes planned future support, which is targeted to the PWSs
identified in Section 3 as having an elevated need for technical cybersecurity support. As described in
Section 4, this support will comprise two areas:

1.	"Checklist" of cybersecurity best practices coupled with training, which will be targeted to
small community water systems2 (serving 3,300 people or fewer) and all non-community
water systems3 that did not develop risk assessments and emergency response plans under
America's Water Infrastructure Act of 2018, and

2.	Technical support for PWSs to address vulnerabilities in current cybersecurity practices, which
may be identified through a cybersecurity assessment program.

EPA intends to offer this support beginning in calendar year 2023. In 2022, EPA expects to develop
the cybersecurity checklist guidance and training and build the capability to provide technical
support for addressing cybersecurity deficiencies through a collaborative stakeholder process. These
products and services would then be delivered when available in 2023 on an ongoing basis.

2	Community water systems are PWSs (which are systems that have at least 15 service connections or regularly
serve at least 25 individuals) that provide water to the same population year-round.

3	Non-community water systems are composed of non-transient non-community water systems, which are PWSs that
regularly supply water to at least 25 of the same people at least six months per year, but not year-round; and transient
non-community water systems, which are PWSs that provide water in a place such as a gas station or campground
where people do not remain for long periods of time.

6


-------
SECTION 3: "PUBLIC WATER SYSTEMS IDENTIFIED
BY EPA, IN COORDINATION WITH CISA, AS NEEDING
TECHNICAL SUPPORT FOR CYBERSECURITY"4

Available data, discussed below, indicate that most PWSs need technical support for cybersecurity.
However, certain PWSs may have an elevated need and would benefit from being targeted with
specific additional resources.

In 2021, for example, a coalition of water sector associations collaborated on a survey of current
cybersecurity practices, challenges, and needs of PWSs. The survey collected 606 responses from
water and wastewater systems. The results showed that most PWSs had not implemented certain
basic cybersecurity practices, such as identifying all network assets, and that many PWSs had not
begun to conduct cyber protection efforts. Deficiencies in cybersecurity increased with decreasing
water system size in terms of population served. Approximately half of respondents stated a need
for technical assistance, advice, assessments, or other support along with training and education
targeting the water sector [Water and Wastewater Systems Cybersecurity2021: State of the Sector,
Water Sector Coordinating Council, 2021).

The survey results are supported by evidence of the vulnerabilities that have been exploited in cyber-
attackson PWSs. In many incidents, threat actors used a lackof basic cybersecurity, such asthefailureto
update passwords or insecure remote access, to penetrate PWS networks. Cyber-attacks on PWSs are a
national security concern due to the criticality of the water sector as lifeline infrastructure. Consequently,
these incidents support the broad need for technical cybersecurity support across the water sector.

EPA has identified two situations where PWSs may have an elevated need for technical cybersecurity
support:

1.	Under America's Water Infrastructure Act of 2018, all community water systems serving
over 3,300 people were required to conduct risk and resilience assessments that included
computer and other automated systems and to address cybersecurity in emergency response
planning. Consequently, smaller community water systems and all non-community water
systems may not have undertaken these important security steps. As discussed in Section 4,
EPA plans to develop a "checklist" of cybersecurity best practices and associated training to
assist these PWSs with identifying and addressing cybersecurity vulnerabilities.

2.	Where PWSs undergo a cybersecurity assessment and the assessment identifies vulnerabilities
that need to be addressed, the PWS may request technical cybersecurity support. EPA plans
to stand up a technical support service to provide individual assistance to PWSs with adopting
cybersecurity practices to remediate the vulnerabilities.

By continuing to offer broad technical support for cybersecurity to all PWSs, along with targeted
support to PWSs in situations like the two listed above that may have an increased need, EPA, in
coordination with CISA and water sector partners, can reduce the risk and increase the resilience of
the water sector to a potentially disabling cyber-attack.

Safe Drinking Water Act (42 U.S.C. 300g et seq.) Part B, Section 1420A(b)(2)(B)(iii), as amended by the Infrastructure
Investment and Jobs Act (Public Law No. 117-58), Section 50113

7


-------


SECTION 4: "SPECIFIC CAPABILITIES OF EPA
AND CISATHAT MAY BE UTILIZED TO PROVIDE
SUPPORTTO PUBLIC WATER SYSTEMS"5

This section describes both the current resources available from EPA and CISA and the planned
future work of EPA to provide technical cybersecurity support to PWSs. In addition to the resources
described here, EPA emphasizes that many excellent cybersecurity standards, guidance materials,
and risk management tools are available from other government agencies and private sector
organizations, including the American Water Works Association, WaterlSAC, and other water sector
associations. Private sector products, however, are outside the scope of this document.

CURRENT RESOURCES

The Support Plan divides the technical cybersecurity support into four categories-.Assessments and
Vulnerabilities, Industrial Control Systems (ICS), Vendors/Third-Party Management, and Training
Courses and Exercises. These topic areas allow PWSs to quickly identify resources that address
different types of threats and vulnerabilities that may be of concern.

Within the categories are subcategories, which may include Prevention, Response, or Guidance.
Prevention describes resources intended to identify prevent, and mitigate a cyber threat. These
resources establish cyber hygiene, precede a cyber-attack, and aid in establishing resilient systems. The
resources in this subcategory include assessments and vulnerabilities, checklists, alert systems, and
playbooks available to PWSs.

The subcategory Response includes resources intended to help detect and contain malicious threats
and restore normal operations following a cyber-attack. The resources help improve response time,
limit the impact of cyber-attacks, and provide recovery resources. Provided resources include
playbooks, software, cybersecurity exercises, and information sharing resources.

ASSESSMENTS AND VULNERABILITIES

The Assessments and Vulnerabilities section lists resources for voluntary assessments that are
designed to prevent, deter, and mitigate risks of cyber-attacks on PWSs by identifying and addressing
potential vulnerabilities that increase the likelihood of cyber-attacks. The resources in this section
help PWSs make decisions about allocation of resources to enhance cybersecurity before an event
and improve recovery following an event.

5 Safe Drinking Water Act (42 U.S.C. 300g et seq.) Part B, Section 1420A(b)(2)(B)(iv), as amended by the Infrastructure
Investment and Jobs Act (Public Law No. 117-58), Section 50113


-------
For the listed resources, the Support Plan notes the level of expertise needed for each resource
where applicable and whether the resource is a self-assessment or a facilitated assessment. Self-
assessments can be conducted by the PWS itself, while facilitated assessments require additional
coordination with EPA or CISA.

PREVENTION

Self-Assessments

Vulnerability Self-Assessment Tool (VSAT): This online self-assessment, provided by EPA, allows PWSs
to identify the highest risks to mission-critical operations, including cyber risks, and find cost-effective
measures to reduce the resulting risks. To start the assessment, review Conduct a Drinking Water or
Wastewater Utility Risk Assessment and open the VSAT Web portal at https://vsat.epa.gov/vsat/.

Cybersecurity Evaluation Tool (CSET): A stand-alone desktop application that guides asset owners
and operators through the process of evaluating operational technology (OT) and information
technology (IT). Upon completion of the assessment, organizations will receive summarized and
detailed findings. The CSET requires basic knowledge of the PWS networks and systems to complete.
To get the desktop application, visit Downloading and Installing CSET | CISA.

Cyber Resilience Review (CRR): The CRR is an interview-based assessment that measures a PWS's
operational and cybersecurity practices. The process measures the capabilities and capacities of
the PWS to perform planning, manage, measure, and define cybersecurity across ten domains. This
assessment is offered as a self-assessment and facilitated assessment. To utilize the self-assessment,
reviewthe below resources. To schedule a facilitated assessment, contact cvberadvisor(a)cisa.dhs.gov.

a.	CRR - Question Set with Guidance

b.	CRR - Self-Assessment

c.	CRR - User Guide

d.	CRR - NIST Cybersecurity Framework Crosswalks
Facilitated Assessments

Cybersecurity Assessment and Technical Assistance: A virtual or in-person EPA program offering
free, confidential cybersecurity assessments to PWSs to lower impact and likelihood of a cyber
incident. As a part of the program, the PWS will work to develop a cyber action plan with EPA and
will work at its own pace to implement best practices. To learn more, review here.

Remote Penetration Testing (RPT): A CISA RPT team works with the PWS to test internet exposure
to eliminate exploitable pathways. RPT focuses only on externally accessible systems. This is a
remote process, not an on-site offering. This assessment requires a basic skill level to complete. View
the Remote Penetration Fact Sheet for the detailed process or contact vulnerabilitv(a)cisa.dhs.oov.

9


-------
Vulnerability Scanning (VS): A CISA service continuously assessing the health of internet-
accessible assets by initiating non-intrusive checks to determine potential vulnerabilities and
configuration weaknesses. This assessment requires a basic skill level to complete. Review the
Vulnerability Scanning Fact Sheet for the detailed VS process or email vulnerability(a)cisa.dhs.qov
to request an assessment.

Phishing Campaign Assessment (PCA): A CISA service created to measure employees' tendency to
click on email phishing lures. PCA tests the behavioral responses of a specified target user base.
The findings are used to inform leadership of potential training and awareness improvements for
the organization. The assessment only requires a basic skill level to complete. Review the Phishing
Campaign Assessment Fact Sheet for detailed PCA process or contact vulnerability(a)cisa.dhs.gov to
request an assessment.

Web Application Scanning (WAS): A CISA service that assesses the health of an organization's publicly
accessible web applications and initiates non-intrusive checks to determine vulnerabilities, bugs, and
weak configurations. WAS requires a basic skill level to complete. Review the detailed process in the
Web Application Scanning Fact Sheet or contact vulnerabilitv(a)cisa.dhs.gov.

Risk and Vulnerability Assessment: A CISA service comprised of virtual and on-site assessment that
provides PWSs with an actionable risk analysis report containing remediation recommendations
prioritized by risk and severity. Review the Risk and Vulnerability Assessment Fact Sheet for detailed
information or contact vulnerability(a)cisa.dhs.gov.

Cyber Infrastructure Survey: A CISA survey evaluating the effectiveness of organizational security
controls, cybersecurity preparedness, and the overall resilience of the organization's cybersecurity
ecosystem. Upon completion of the survey, a user-friendly dashboard with results and findings will
be provided. To schedule, contact cyberadvisor(a)cisa.dhs.gov.

Enhanced Cybersecurity Services (ECS): CISA services facilitating the protection of IT networks
by offering intrusion detection and prevention services through approved service providers. The
programs offer domain name service (DNS) sinkholing, email (SMTP) filtering, and NetFlow analysis.
Forspecific program information contact ECS_Program(a)cisa.dhs.gov. For information on enrollment,
contact an ECS service provider directly; service providers can be found at Enhanced Cybersecurity
Services (ECS) I CISA.

Validated Architecture Design Review (VADR): A CISA assessment based on Federal and industry
standards, guidelines, and best practices. The service includes architecture design review, system
configuration and log review, and network traffic analysis to provide an in-depth analysis of
infrastructure. Review FACT SHEET Validated Architecture Design Reviewforthe detailed process. To
schedule, contact vulnerability(q)cisa.dhs.gov.

10


-------
RESPONSE

Facilitated Assessments

Red Team Assessment (RTA): AC ISA service providing evaluation of an IT environment via
simulations of advanced persistent threats (APTs). RTAs simulate APT tactics, techniques, and
procedures to access, navigate, and persist in a stakeholder environment. RTA requires an advanced
skill level to complete the assessment. Contact vulnerabilitv(a)cisa.dhs.gov to request an RTA.

High Value Asset (HVA) Assessment: A CISA service assessing targeted critical assets through
scenario-based penetration testing, web application testing, and social engineering to provide
recommendations for system vulnerabilities. Review the detailed process in the HVA Fact Sheet or
contact vulnerability info@cisa.dhs.gov.

Malware Analysis: A CISA service that provides PWSs with a dynamic analysis of malicious code and
recommendations for malware removal and recovery activity. To submit malicious code for analysis,
visit https://www.malware.us-cert.aov.

GUIDANCE

Baseline Information on Malevolent Acts for Community Water Systems: This EPA document serves
as a resource for PWSs to identify malevolent acts and take steps toward reducing the risks water
systems will experience if a threat occurs or to potentially deter the threat. The document contains
resources, questionnaires, and baseline information on cyber threats. To utilize the document, review
Baseline Information on Malevolent Acts for Community Water Systems fepa.gov).

Guidance for Small Community Water Systems on Risk and Resilience Assessments under America's
Water Infrastructure Act: This guidance document contains and explains the Risk and Resilience
Assessments required for community water systems serving more than 3,300 but less than 50,000
people. It assists PWSs with assessing their risks from and resilience to malevolent acts, such as cyber-
attacks, regardless of population size served. To access the assessment, review Guidance for Small
Community Water Systems on Risk and Resilience Assessments under AWIA fepa.gov). Please note:
this document is associated with the Baseline Information on Malevolent Acts for Community Water
Systems provided above.

Water Sector Cybersecurity Brief for States: A brief from EPA and the Association of State Drinking
Water Administrators providing information to helpstate primacy agencies start a conversation with PWSs
about cybersecurity threats. Reviewthe brief here: Water Sector Cvbersecu ritv Brief for States fepa.oov).

Cybersecurity Incident Action Checklist: A customizable checklist from EPA to help PWSs prepare
for, respond to, and recover from a cyber incident. To review the checklist, visit Water Sector Incident
Action Checklist - Cybersecurity fepa.gov).

Free Cybersecurity Services and Tools: A list of no cost cybersecurity tools and resources to help
organizations reduce the likelihood of a damaging cyber event, detect malicious activity, respond
effectively to confirmed cyber incidents, and maximize resilience. To view the list of resources and
tools, visit Free Cybersecurity Services and Tools | CISA.

11


-------
INDUSTRIAL CONTROL SYSTEMS

Industrial Control Systems (ICS) are essential to the operation of U.S. critical infrastructure. ICS
owners and operators face threats from a variety of adversaries whose intentions include theft,
gathering intelligence, and disrupting National Critical Functions. As ICS owners and operators
adopt new technologies to improve operational efficiencies, they should be aware of the additional
cybersecurity risk of connecting OT to enterprise IT systems and Internet of Things (loT) devices. This
section will cover ICS prevention and response resources available to improve ICS protection.

PREVENTION

CISA Industrial Control Systems Security Offerings: CISA partners with the ICS community to help
understand, detect, and protect against ICS risk and, when necessary, help critical infrastructure
owners and operators respond to significant cybersecurity incidents. Reviewthe cyber management
products, services, and capabilities within the CISA Industrial Control Systems Security Offerings fact
sheet. The included security offerings are as follows:

a.	Assessments: Voluntary cybersecurity assessment services focused on OT that evaluate an
organization's operational resilience, cybersecurity practices, management of external dependencies,
and additional elements that are key to a robust cybersecurity framework. Visit https://www
.cisa.gov/cvber-resource-hub for more information on how to request assessment services.

b.	Cyber Hunt: CISA Cyber Hunt capabilities are specifically focused on identifying sophisticated
threats and adversary presence in OT and IT environments, often beyond the capacity and
capability of traditional cybersecurity tools and techniques.

c.	Exercises: CISA provides cyber exercise planning to support ICS and critical infrastructure
partners by delivering a full spectrum of cyber exercise planning workshops and seminars.
These range from small discussion-based exercises that last two hours to full-scale,
internationally scoped, operations-based exercises that span multiple days. The exercises were
created to assist organizations at all levels in the development and testing of cybersecurity
prevention, protection, mitigation, and response capabilities. For more information, visit
https://www.cisa.gov/critical-infrastructure-exercises or email central(a)cisa.dhs.gov.

d.	Information Exchange: CISA publishes ICS-specific alerts, advisories, and guidance documents
for the public. The alerts provide timely notification to critical infrastructure owners and
operators concerning control system threats. To view latest alerts, visit https://www.cisa.oov/ics.

e.	Partnerships and Engagement: The Industrial Control Systems Joint Working Croup (ICSJWG)
supports information sharing and reduction of risk to the nation's ICS through enhanced
collaboration between the Federal Government and private owners and operators of ICS
across all critical infrastructure sectors. The working group offers in-person meetings, webinars,
and newsletters. To learn about membership and events, visit https://www.cisa.gov/icsiwg.

12


-------
f.	Response Capabilities: CISA brings expertise and advanced tools to aid ICS cyber victims in
identifying artifacts, determining affected components, and building recovery plans specific to
lower-level OT devices. To report an ICS incident, visit https://www.cisa.gov/uscert/report.

g.	Strategic Risk Analysis: CISA provides ICS partners with resources and capabilities to manage
ICS risk through CISA's National Risk Management Center (NRMC). The NRMC serves as the
end-to-end integrator of risk management activities for the National Critical Functions (NCFs)
and leverages that risk expertise to support overall execution of the CISA mission. To access
resources, visit https://www.cisa.aov/national-risk-manaaement.

h.	Technical Analysis: CISA's ICS advanced malware laboratory specializes in malware threats to
ICS environments and can provide ICS owners and operators with support. To report malware,
please visit https://www.cisa.gov/uscert/report.

i.	Training: CISA's ICS training courses and workshops provide the ICS community no-cost,
in-person, and virtual training. Learn more below or visit https://www.cisa.gov/cvbersecuritv-
training-exercises to view training options.

j. Vulnerability Coordination: CISA's Coordinated Vulnerability Disclosure (CVD) program
coordinates the remediation and public disclosure of newly identified cybersecurity
vulnerabilities in products and services with the affected vendor(s). To report an ICS
vulnerability, visit https://www.cisa.gov/uscert/report.

Known Vulnerabilities Catalog: A continually updated catalog that can be used by organizations to
identify software updates per vendor instructions and fix known security flaws. To view the catalog,
visit Known Exploited Vulnerabilities Catalog | CISA.

Malcolm: Malcolm is an open source, easily deployable network traffic analysis tool suite that enables
the user to capture full network packet artifacts (PCAP files) and logs in OT/ICS environments.
Malcom provides unique insight into specific protocols used in the ICS environments. Because
Malcom comprises only open-source tools, it does not require users to obtain paid licenses. To learn
more, contact central(a)cisa.dhs.gov.

Web-Based training on Industrial Control Systems: CISA training "Introduction to Control Systems
Cybersecurity" will help ICS owners/operators to describe ICS deployments, components,
and information flow; differentiate cybersecurity within IT and ICS domains; recognize sector
dependencies; and identify cybersecurity resources within CISA. Courses are offered both online
and in-person. Learn more information on the ICS training at Training Available Through CISA | CISA.
Register for free ICS courses at CISA VLP finLoov).

13


-------
RESPONSE

CyberSentry: A CISA-sponsored voluntary pilot program that leverages best in breed, commercial
off-the-shelf technologies, such as network intrusion detection tools, to identify malicious activity
in critical infrastructure ICS and corporate networks. CyberSentry participation increases real-time
network visibility and the capability to detect nation-state adversaries, as well as derive cross-sector
analytic insights. To learn more, contact central@cisa.dhs.aov

GUIDANCE

Cybersecurity Best Practices for Industrial Control Systems: Guidance entailing the preventative
steps ICS owners and operators can utilize to protect ICS in the event of a cyber-attack. The
guidance breaks down cybersecurity best practices in various critical areas to increase ICS resilience.
View the guidance here.

Securing Industrial Control Systems: The CISA guidance focuses on building ICS security capabilities
that directly empower ICS stakeholders to secure their operations against threats. The intended
audience is the whole ICS community and all CISA partners who have an interest in ICS security.

This fact sheet is a summary of the strategy document. ICS Strategy Fact Sheet - Securing Industrial
Control Systems: A Unified Initiative (cisa.gov).

Rising Ransomware Threat to OT Assets: CISA guidance providing resources for heightened
awareness and voluntary recommendations for preparing for, mitigating, and responding to
ransomware threats to OT. To learn more, visit CISA Fact Sheet: Rising Ransomware Threat to OT Assets.

Stopransomware.gov: StopRansomware.gov is the U.S. Government's official one-stop location for
resources to tackle ransomware more effectively. Visit Stop Ransomware | CISA to learn more about
how to prevent and recover from ransomware.

14


-------
VENDOR/ THIRD-PARTY MANAGEMENT

Vendor and third-party organizations provide essential technology services to PWSs. However,
as external dependencies, they also increase the risk of cyber threats and attacks. This section
contains resources addressing the PWS' ability to prevent and respond to risks presented by
external dependencies.

PREVENTION

CISA Coordinated Vulnerability Disclosure (CVD) Process: A CISA service that coordinates the
remediation and public disclosure of newly identified cybersecurity vulnerabilities in products and
services with affected vendor(s). The vulnerabilities cover ICS, loT, and medical devices as well as
traditional IT. To report an loT or ICS vulnerability, email centra l(a)cisa.d hs.gov.

RESPONSE

External Dependencies Management (EDM) Assessment: An interview based assessment that
evaluates an organization's management of external dependencies. This assessment focuses on the
relationship between an organization's high-value services and assets—such as people, technology,
facilities, and information—and evaluates how the organization manages risks derived from its use of
the Information and Communications Technology (ICT) Supply Chain in the deliverance of services.
To schedule an assessment, contact cvberadvisor(a)cisa.dhs.gov.

a.	EDM - Downloadable Resources: External Dependencies Management Assessment content
and guides.

b.	EDM - Assessment: Downloadable PDF Copy of the EDM Assessment so that a user can
employ the EDM assessment for self-evaluation purposes for their organization. This
assessment can be used as a precursor for on onsite assessment (facilitated by DHS
Cybersecurity Advisor).

c.	EDM -Assessment User's Guide: A guide containing the overall description of the EDM along
with detailed steps and explanations for how to conduct an EDM self-assessment at an
organization.

d.	EDM - Question Set with Guidance: A guide containing the entire EDM assessment question
set along with explanation on howto interpret and answer each of the questions contained
within the self-assessment package.

15


-------
TRAINING COURSES AND EXERCISES

Training courses and exercises provide PWSs with effective and practical mechanisms to identify best
practices, lessons learned, and areas for improvement in plans and procedures. The exercises and
training courses found within this section increase cybersecurity resilience within PWSs.

PREVENTION

Water Resilience Tabletop Exercise (TTX) Tool: An EPA tool providing PWSs with resources to plan,
conduct, and evaluate tabletop exercises for all-hazards scenarios, including cybersecurity incidents.

CISATabletop Exercise (TTX) Packages (CTEPs): A comprehensive set of resources designed to
assist stakeholders in conducting their own exercises. Partners can use the exercises to initiate
discussions within their organizations about their ability to address a variety of threat scenarios. The
packages include pre-built templates for exercise planning, execution, and follow up. Below are the
links to Cybersecurity, Cyber-Physical, and Critical Infrastructure scenarios. To review the pre-built
documents, visit CISATabletop Exercises Packages I CISA.

a.	Cybersecurity Scenarios: The Cybersecurity scenarios cover ICS, ransom ware, ransomware of a
third-party vendor, vendor phishing, water systems, and insider threats. Retrieve the Situation
Manuals at Cybersecurity Scenarios | CISA.

b.	Cyber-Physical Convergence Scenarios: The Cyber-Physical scenarios are designed to address
the physical impacts resulting from a cyber threat or cyber impacts resulting from a physical
threat. These scenarios are intended to further explore the impacts of convergence and
howto enhance resiliency. To viewthe Situation Manuals, visit Cvber-Phvsical Convergence
Scenarios I CISA.

c.	Critical Infrastructure Scenarios: CISA assists government and industry partners in conducting
exercises to enhance security and resilience of critical infrastructure. The exercises range from
small-scale discussion-based exercises to large-scale operations-based exercises. For more
information or to request services, please email cisa.exercises(a)cisa.dhs.gov.

Federal Virtual Training Environment (FedVTE): A free, online, and on-demand cybersecurity
training system. With self-paced courses ranging from beginner to advanced levels, individuals
can strengthen or build cybersecurity ski I Isets. To access the courses, visit FedVTE Login Page
fusalearning.gov).

CISA Training: Web-based, self-paced, and instructor-led courses offered through CISA addressing
cybersecurity and ICS support. Courses are located on the Virtual learning portal. Review the list of
courses available at Training Available Through CISA | CISA.

16


-------
Incident Response Training: CISA has developed no-cost cybersecurity incident response (IR)
training for government employees and contractors across Federal and SLTT governments, and for
educational and critical infrastructure partners. The course offerings range from basic to intermediate
skill level. To reviewthe list of webinars and events, visit Incident Response Training I CISA. To register
for upcoming events, visit Connect Event Catalog fconnectsolutions.com).

Cybersecurity Awareness Program: A national public awareness program to increase the
understanding of cyber threats and empower the American public to be safer and more secure
online. To learn more, visit CISA Cybersecurity Awareness Program I CISA.

Cyber Games: Each game presents simulated cybersecurity threats, defenses, and response actions.
The games are available for download on Android and Apple iOS devices. To review and play the
game options, visit Cvber Games | CISA.

Cyber Career Pathway Tools Fact Sheet: A CISA program that helps individuals identify, build, and
navigate a potential cyber career pathway by increasing understanding of the knowledge, skills, and
abilities needed to begin, transition, or advance a cyber career. To learn more, visit The Cvber Career
Pathways Tool: The New Interactive Tool for Career Exploration fcisa.gov).

PLANNED FUTURE EPA TECHNICAL CYBERSECURITY SUPPORT FOR WATER SYSTEMS

As discussed in Section 3, EPA plans to develop additional technical cybersecurity support for PWSs
in two situations:

Checklist of Cybersecurity Best Practices: This brief guidance document will be targeted to
small community water systems (those serving 3,300 people or fewer) and all non-community
water systems that may not have conducted a risk and resilience assessment and developed an
emergency response plan for cyber threats under America's Water Infrastructure Act of 2018. It
should be written for PWSs with low technical capability. EPA plans to accompany it with an online
training course.

Cybersecurity Technical Support Service: EPA plans to offer a standing service where subject
matter experts are available to offer technical advice to PWSs on approaches to mitigating
vulnerabilities in current cybersecurity practices, which may be identified through the cybersecurity
assessment program.

17


-------


APPENDIX: PUBLIC WATER SYSTEMS IDENTIFIED BY
EPA, IN COORDINATION WITH CISA, AS NEEDING
TECHNICAL SUPPORT FOR CYBERSECURITY

As discussed in Section 3, available data indicate that most PWSs need technical support for
cybersecurity. However, EPA has identified the following two categories of PWSs as potentially having
an elevated need for additional technical support:

1.	Community water systems serving 3,300 people or fewer and all non-community water
systems were not required to conduct risk and resilience assessments or develop emergency
response plans under America's Water Infrastructure Act of 2018. EPA believes that these steps
are essential security measures. They are necessary for PWSs to identify and remediate their
most significant vulnerabilities, both physical and cyber, and to be prepared to respond to a
cyber-attack and minimize any disruption in service.

To address this security gap, EPA pians to develop a "checklist" of cybersecurity best practices,
along with guidance on how to implement them and associated training. While this
checklist and guidance will be available to all PWSs, EPA plans to target the training to small
community water systems and all non-community water systems, which will encourage these
PWSs to identify and address cybersecurity vulnerabilities.

Nationally, community water systems serving 3,300 people or fewer and all non-community
water systems comprise approximately 145,000 PWSs in total. Consequently, EPA is not listing
ail these systems individually in this report. Aii PWSs in these categories may be identified
through EPA's Safe Drinking Water information System using this page: SDWIS :ederai
Reports Advanced Search fepa.aov'l.

2.	A second category of PWSs that may need additional technical support for cybersecurity
are those that undergo a cybersecurity risk assessment, which could be conducted by a
Federal or SLTT entity under a regulatory program or voluntarily by the PWS or an outside
technical assistance provider. A PWS may require technical support to address vulnerabilities
that this assessment identifies. EPA plans to stand up a technical support service to provide
individual assistance to PWSs (remotely) with adopting cybersecurity practices to remediate
vulnerabilities. Because this support will be provided as requested by individual PWSs, EPA
cannot identify in advance the specific PWSs that will need this support.

18


-------