EPA WATER SECTOR CYBERSECURITY PROGRAM

CASE STUDY: Small Asset Inventory: A Good First Step to Balancing Risks

OVERVIEW

All mechanical operations at this system became automated when a new wastewater treatment plant came online in 2017. The plant operator had to balance the welcomed convenience of automation and productivity with the new cybersecurity risks introduced.

CYBERSECURITY APPROACH

The utility developed a cybersecurity policy document to ensure that vulnerabilities were considered, and cybersecurity risks mitigated. Topics covered include:

ACCOUNT SECURITY
• Separate standard user and privileged accounts
• Password length requirements
• Secure remote access policy

DEVICE SECURITY
• OT and IT network asset inventory

DATA SECURITY
• Log collection and monitoring frequency for intrusion detection

VULNERABILITY MANAGEMENT
• OT asset connection to the public Internet

RESPONSE AND RECOVERY
• Cybersecurity incident reporting
• Cybersecurity Incident Response Plan for critical threat scenarios, including disabled or manipulated process control systems
• System backups for post-incident recovery efforts

OTHER
• Segmentation of OT and IT networks

The policy document detailed the expectations, standards, and safeguards to reduce cybersecurity risks at the utility. For example, staff have unique user accounts with separate logins and passwords, and not all staff have programming privileges once logged into the SCADA system. The document clearly defined who to call for help once a cyber incident is discovered and provided contact information. In addition to the cyber policy, the Incident Response Plan was updated to describe how to run the plant in full "manual mode" without the benefit of the SCADA system in case of a cyber incident.

The utility has planned to make more cyber improvements such as enhancing Internet capabilities. Enhancing Internet capabilities will allow operators to remotely access the SCADA system via a virtual private network (VPN). However, the utility will be introducing this new capability with multi-factor authentication procedures for logging in. The utility is committed to their goal of boosting convenience and productivity while balancing the new cybersecurity risks that these features bring.

LESSONS LEARNED

• Take advantage of free cybersecurity assessments. The utility took advantage of the U.S. Environmental Protection Agency's free cybersecurity vulnerability assessment which laid the groundwork for their cybersecurity improvements.

• Take action on all of the no-cost implementation measures. The cybersecurity measures implemented by the utility were essentially free, other than requiring some technical input from existing vendors and the operator's time (e.g., drafting the policy document, overseeing implementation of the identified actions) over an eight-month period.

• Maintain a cybersecurity asset inventory. In retrospect, one item the utility realized as fundamental to their success was the cyber asset inventory. This inventory served as the springboard for all other cyber improvements, as it gave them a clear snapshot of what they owned and how it was connected. In the operator's words, "It's really hard to know how to protect what you don't know you have." The inventory has also assisted in ongoing maintenance for cyber assets, as it listed all the assets in one place and contained information such as model and serial number, age, how the asset is used within the network, and vendor contact information for the asset.

READY TO BUILD YOUR CYBERSECURITY PROGRAM?

Visit the Cybersecurity for the Water Sector website and learn more about resources that can bring your utility one step closer to cybersecurity resilience.

Office of Water (4608T) EPA 817-F23-003 September 2023