EPA Guidance on Improving Cybersecurity at Drinking Water and Wastewater Systems EPA Office of Water (4608T) EPA 817-B-23-001 March 2023, Revised August 2024 ------- Disclaimer The Water Infrastructure and Cyber Resilience Division of the Office of Ground Water and Drinking Water reviewed and approved this document for publication. This document does not impose legally binding requirements on any party. Neither the United States Government nor any of its employees, contractors, or their employees make any warranty, expressed or implied, or assume any legal liability or responsibility for any third party's use of any information, product, or process discussed in this document, or represent that its use by such party would not infringe on privately owned rights. Mention of trade names or commercial products does not constitute endorsement or recommendation for use. Additionally, the guidance provided in this document serves as a voluntary guide to assist water and wastewater entities in assessing, understanding, and combatting cyber risks to their operations, organizational assets, and individuals. ------- Table of Contents 1.0 Background 1 1.1. What is the purpose of this publication? 1 1.2. Optional uses of the guidance provided in this publication 1 2.0 Technical Support for Improving Cybersecurity at Water and Wastewater Systems 2 2.1. Cybersecurity Technical Assistance 3 2.2. Cybersecurity Tools and Guidance................................................................................ 3 2.3. Cybersecurity Training.. 5 2.4. Cybersecurity Financial Resources 5 3.0 EPA Cybersecurity Checklist for Drinking Water and Wastewater Systems 5 3.1. What is the EPA Cybersecurity Checklist? 5 3.2. How should WWSs use the EPA Cybersecurity Checklist? 6 3.3. What are alternatives to the EPA Cybersecurity Checklist? 6 4.0 Priority Cybersecurity Practices for Water and Wastewater Systems................................ 6 5.0 Artificial Intelligence Risks for Water and Wastewater Systems 10 Appendix A: Appendix B: Appendix C: EPA Cybersecurity Checklist for Drinking Water and Wastewater Systems Factsheets Glossary of Terms ------- 1.0 Background 1.1. What is the purpose of this publication? The U.S. Environmental Protection Agency (EPA) developed this publication to assist owners and operators of drinking water and wastewater systems (WWSs) with assessing gaps in their current cybersecurity practices and controls and identifying actions that may reduce their risk from cyberattacks. Further, as described in Section 1.2, community water system (CWS) owners and operators subject to the requirements of the Safe Drinking Water Act (SDWA) section 1433 (as amended by America's Water Infrastructure Act) may use this guidance as one option to address cybersecurity in risk and resilience assessments and emergency response plans. WWSs are frequent targets of malicious cyber activity, which has the potential to interfere with operations and may result in significant response and recovery costs. Of particular concern, a cyberattack on a vulnerable WWS may allow an adversary to manipulate operational technology (OT). which could disrupt the production of clean and safe water. Accordingly, WWS owners and operators should evaluate their cybersecurity practices and controls on a recurring basis and consider steps that may reduce their risk. This will help WWWs from being victimized by a cyberattack and assist with responding if an attack does occur. Specifically, WWS owners and operators should assess how the use of information technology (IT) and OT in their operations, equipment, and networks, along with the evolution of cybersecurity standards and recommendations, new information about cyber threats, and other considerations, may warrant a reevaluation of their cybersecurity practices and controls. This guidance and the additional technical resources listed in Section 2 can assist WWS owners and operators with this assessment. 1.2. Optional uses of the guidance provided in this publication EPA recommends that all WWS owners and operators, regardless of system type and population served, evaluate the risks to and resilience of their IT and OT systems to cyber threats and develop risk mitigation plans to address cyber vulnerabilities in critical operations. The guidance in this publication is one method to assist WWS owners and operators with these essential steps: • Assess current WWS cybersecurity practices and controls to identify significant potential vulnerabilities to cyber threats, • Develop a plan with specific actions, resources, schedules, and responsibilities to reduce risk from and enhance resilience to cyberattacks, and • Identify additional resources to assist with improving cybersecurity. 1 ------- Further, owners and operators of CWSs serving more than 3,300 people are required under SDWA section 1433 to consider cybersecurity when developing or updating risk and resilience assessments and emergency response plans. Compliance with SDWA section 1433 requires: • Assessing the risks to and resilience of the pipes and constructed conveyances, physical barriers, source water, water collection and intake, pretreatment, treatment, storage, and distribution facilities, electronic, computer, or other automated systems (including the security of such systems) which are utilized by the system; the monitoring practices of the system; the financial infrastructure of the system; the use, storage, or handling of various chemicals by the system; and the operation and maintenance of the system; and may include an evaluation of capital and operational needs for risk and resilience management for the system. • Preparing or revising, where necessary, an emergency response plan that incorporates the assessment's findings, which shall include strategies and resources to improve the system's resilience, including the system's physical security and cybersecurity. The guidance in this publication provides one approach that owners and operators of CWSs subject to SDWA section 1433 may follow to meet these requirements. Alternatively, several of the tools and resources from other government and private sector organizations listed in Section 2 of this publication are also effective methods to address cybersecurity under SDWA section 1433. 2.0 Technical Support for Improving Cybersecurity at Water and Wastewater Systems Technical assistance, guidance, tools, training, and funding that can aid WWS owners and operators with improving cybersecurity are available from EPA and other government and private sector organizations. This section summarizes key programs and resources. Information on additional cybersecurity assistance for WWSs is available on the EPA Cybersecurity for the Water Sector website. This support from both EPA and other government and private sector organizations can assist WWS owners and operators with both identifying gaps in their existing cybersecurity practices and adopting new measures to lower risk and build resilience. Further, it may facilitate addressing cybersecurity in risk and resilience assessments and emergency response plans for CWSs that must comply with SDWA section 1433. 2 ------- 2.1. Cybersecurity Technical Assistance • EPA's Cybersecurity Technical Assistance Program for the Water Sector supports the submission of questions or requests to consult with a subject matter expert on WWS cybersecurity. The planned response time is two business days via email or phone. All assistance is remote. o Note: This program does not support cyber incident response or recovery. Reports of cyber incidents will be redirected to the Federal Bureau of Investigation (FBI) or the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA). Other questions outside the scope of this program will be directed to alternate resources. • EPA's Water Sector Cybersecurity Evaluation Program conducts cybersecurity assessments of WWSs. The assessments follow the EPA Cybersecurity Checklist discussed in Section 3. Assessment results are used to develop a cybersecurity risk mitigation plan with prioritized actions. • CISA Cybersecurity Advisors (CSAs) offer cybersecurity assistance to critical infrastructure owners and operators and state, local, tribal, and territorial governments. CSAs can provide information on CISA cybersecurity products and services and act as liaisons to CISA cyber programs. CSAs also support cyber incident response. • CISA's Free Cyber Vulnerability Scanning for Water Utilities program uses automated tools to conduct vulnerability scanning on external networks. These tools look for vulnerabilities and weak configurations that adversaries could exploit to conduct a cyberattack. EPA recommends that WWSs enroll in this program. • The U.S. Department of Agriculture Rural Development Circuit Rider Program provides technical assistance to rural water systems that are experiencing day-to- day operational, financial or managerial issues. This service is available in each state and territory. 2.2. Cybersecurity Tools and Guidance • EPA's Water Cybersecurity Assessment Tool supports a self-assessment of a WWS for identifying cybersecurity gaps and developing a cybersecurity risk mitigation plan. This program is based on the EPA Cybersecurity Checklist (see Section 3). EPA's Cybersecurity Technical Assistance Program for the Water Sector assists a WWS with a third-party cybersecurity assessment and risk mitigation plan development. 3 ------- • CISA offers several guidance products and tools to strengthen the security and resilience of critical infrastructure facilities, including WWSs, against cyberattacks. o CISA's Water and Wastewater Cvbersecuritv Toolkit highlights CISA resources to protect against, and reduce impacts from, cyberattacks. o CISA's Cvbersecuritv Best Practices website has information on multiple practice areas and programs for both organizational and personal cybersecurity. o CISA's Cyber Threats and Advisories website offers current information on cybersecurity threats, threat actors, incident detection and response, and access to Cybersecurity Alerts and Advisories, which are updated frequently as new information on cyber threats and vulnerabilities becomes available, o The Cyber Security Evaluation Tool (CSET) is a desktop software tool that guides asset owners and operators through a step-by-step process to evaluate industrial control system (ICS) and IT network security practices, o Similarly, the Cyber Resilience Review is an interview-based assessment of an organization's ability to manage cyber risk during normal operations and times of crisis. • The U.S. Department of Commerce National Institute of Standards and Technology (NIST) develops cybersecurity standards and guidelines for critical infrastructure, federal agencies, and the public. The NIST Cybersecurity Framework is a voluntary, structured list of cybersecurity outcomes that organizations in all critical infrastructure sectors can use to assess, prioritize, and communicate their cybersecurity efforts. • The Water Information Sharing and Analysis Center (WaterI SAO is a subscription- based service that offers data, case studies, and analysis related to water security threats, including cyber-crime, and provides resources to support response, mitigation, and resilience initiatives. • The American Water Works Association (AWWA) provides many resources to assess cyber risk exposure, establish priorities, and execute a proactive cybersecurity strategy at WWSs. o The Water Sector Cybersecurity Risk Management Guidance addresses the protection of ICSs at WWSs from cyberattacks. o The Water Sector Cybersecurity Risk Management Tool uses responses to questions about technology applications at a WWS to generate a prioritized list of controls, which can support identifying and mitigating cybersecurity vulnerabilities. 4 ------- o The Water Sector Cvbersecuritv Risk Management Guidance for Small Systems is designed to help WWSs serving fewer than 10,000 people, and especially those serving fewer than 3,300 people, improve their cybersecurity practices. 2.3. Cybersecurity Training • EPA's Cybersecurity Training offers both in-person and virtual training on WWS cybersecurity best practices, vulnerability assessments, and risk mitigation plan development. • The National Rural Water Association (NRWA) offers cybersecurity training and support to help small and rural WWSs serving fewer than 10,000 people. o The NRWA cyber education program will help small WWSs manage their cybersecurity risk by (1) creating a training program targeted to small systems, (2) training Circuit Riders to help small systems to manage cybersecurity risk, and (3) integrating with other WWS cybersecurity initiatives, o NRWA has established a partnership with WaterlSACfor NRWA members who serve populations of 3,300 or fewer. Eligible members will receive WaterlSAC's Security Resilience Update and have access to Water ISAC's monthly Threat Briefing webinars and its Resource Center. 2.4. Cybersecurity Financial Resources • EPA's Cybersecurity Funding webpage provides information on federal programs that provide funding to support cyber resilience at WWSs. Current programs include the Drinking Water State Revolving Fund, the Clean Water State Revolving Fund, and the CISA State and Local Cybersecurity Grant Program. 3.0 EPA Cybersecurity Checklist for Drinking Water and Wastewater Systems 3.1. What is the EPA Cybersecurity Checklist? The EPA Cybersecurity Checklist (Appendix A) is a series of questions designed to assess the cybersecurity practices and controls at a WWS. The questions are paired with recommended actions to fully implement the practice or control. Certain practices and controls are designated as high priority as discussed in Section 4 below. The EPA Cybersecurity Checklist was derived from the CISA Cross-Sector Cybersecurity Performance Goals (CPGs). which are baseline cybersecurity practices applicable across critical infrastructure sectors and with known risk-reduction value. CISA developed the CPGs in collaboration with each of the 16 critical infrastructure sectors, and they align with the NIST Cybersecurity Framework. EPA adapted the CPGs into a simplified question format for use during a WWS cybersecurity assessment. 5 ------- 3.2. How should WWSs use the EPA Cybersecurity Checklist? The EPA Cybersecurity Checklist questions are intended to identify gaps in baseline cybersecurity at a WWS, which could leave the WWS more vulnerable to an attack. After completing the EPA Cybersecurity Checklist, WWS owners and operators are encouraged to develop a risk mitigation plan to address gaps in cybersecurity practices and controls. The Factsheets in Appendix B have information on implementing the practice or control in each EPA Cybersecurity Checklist question. Additional technical support on adopting practices and controls in EPA's Cybersecurity Checklist is available from EPA's Cybersecurity Technical Assistance Program for the Water Sector (described in Section 2). 3.3. What are alternatives to the EPA Cybersecurity Checklist? Use of the EPA Cybersecurity Checklist is voluntary. As discussed in Section 2, many other government and private sector organizations offer valuable methods and guidance for assessing cybersecurity at a WWS and adopting cybersecurity practices and controls to reduce risk and increase resilience. For WWSs, EPA recommends cybersecurity assessment methods from CISA. NIST. and AWWA (see Section 2 for descriptions), or the adoption of standards from the International Organization for Standardization and the International Society of Automation/International Electrotechnical Commission. 4.0 Priority Cybersecurity Practices for Water and Wastewater Systems WWSs have limited cybersecurity resources and may need to prioritize the adoption of risk mitigation actions following an assessment for cybersecurity gaps. EPA, CISA, and the FBI have published the Top Cyber Actions for Securing Water Systems (Top Cyber Actions). This factsheet lists eight priority steps that WWS owners and operators should take to reduce cyber risks and improve resilience to cyberattacks. To support adoption of the Top Cyber Actions, EPA identified the cybersecurity practices and controls from the EPA Cybersecurity Checklist in Appendix A that align with each action. Table 1 shows these practices and controls and associated recommendations from the EPA Cybersecurity Checklist, which are grouped by the corresponding Top Cyber Action. WWSs are encouraged to adopt the cybersecurity practices and controls in Table 1. Where a WWS is unable to adopt a particular cybersecurity practice or control due to logistical, infrastructure, or other constraints, WWSs should seek alternative or compensating cybersecurity steps to mitigate the vulnerability. In the EPA Cybersecurity Checklist in Appendix A, as well as in the Water Cybersecurity Assessment Tool, the questions and recommendations in Table 1 are designated as priority cybersecurity practices. This designation is also applied in the risk mitigation plan template and 6 ------- should be considered by WWS owners and operators in the implementation of risk mitigation plans. Table 1: Priority Cybersecurity Practices for Water and Wastewater Systems Question (Does the WWS...) Recommendation 1. Reduce Exposure to Public-Facing Internet Ensure assets connected to the public Internet expose no unnecessary exploitable services (e.g.. remote desktop protocol) and eliminate connections between OT assets and the Internet? (2.W, 2.X) Recommendation: Eliminate unnecessary exposed ports and services on public-facing assets with regular review and eliminate OT asset connections to the public Internet unless explicitly required for operations. 2. Conduct Regular Cybersecurity Assessments Conduct regular cybersecurity assessments? Recommendation: Conduct a cybersecurity assessment on a regular basis to understand the existing vulnerabilities within OT and IT systems. Assessments enable you to identify, assess, and prioritize mitigating vulnerabilities in both OT and IT networks. Have a named role/position/title that is responsible for planning, resourcing, and executing cybersecurity activities within the WWS? (1.B) Recommendation: Identify one role/position/title responsible for cybersecurity within the WWS. Whoever fills this role/position/title is then in charge of all WWS cybersecurity activities. 3. Change Default Passwords Immediately Change default passwords and require a minimum length for passwords? (2.A, 2.B) Recommendation: Change all default manufacturer or vendor passwords before equipment or software is put into service and implement a minimum length requirement for passwords through a policy and/or administrative controls set in the system. Require multi-factor authentication (MFA) wherever possible, but at a minimum to remotely access WWS OT and IT networks? (2.H) Recommendation: Deploy MFA as widely as possible for both OT and IT networks. At a minimum, MFA should be used for remote access to the OT network. 7 ------- Question (Does the WWS...) Recommendation 4. Conduct Inventory of OT/IT Assets Maintain an updated inventory of all OT and IT network assets? (1.A) Recommendation: Regularly review (no less than quarterly) and maintain a list of all OT and IT assets with an IP address. This includes third- party and legacy (i.e., older) equipment. Maintain current documentation detailing the set-up and settings (i.e., configuration) of critical OT and IT assets? (2.0) Recommendation: Maintain accurate documentation of the original and current configuration ofOT and IT assets, including software and firmware version 5. Develop and Exercise Cybersecurity Incident Response and Recovery Plans Have a written cybersecurity incident response (IR) plan for critical threat scenarios (e.g.. disabled or manipulated process control svstems. the loss or theft of operational or financial data, exposure of sensitive information), which is regularly practiced and updated? (2.S) Recommendation: Develop, practice, and update an IR plan for cybersecurity incidents that could impact WWS operations. Participate in discussion- based (e.g.. TTX) and operations-based (e.g.. Drill) exercises to improve responses to potential cyber incidents. Have a written procedure for reporting cybersecurity incidents, including how (e.g., phone call, Internet submission) and to whom (e.g., FBI or other law enforcement, CISA, state regulators, WaterlSAC, cyber insurance provider)? (4. A) Recommendation: Document the procedure for reporting cybersecurity incidents to better aid law enforcement, receive assistance with response and recovery, and to promote water sector awareness of cybersecurity threats. 6. Backup OT/IT Systems Backup svstems necessarvfor operations (e.g., network configurations, PLC logic, engineering drawings, personnel records) on a regular schedule, store backups separately from the source systems, and test backups on a regular basis? (2.R) Recommendation: Regularly backup OT/IT systems so you can recover to a known and safe state in the event of a compromise. Test backup procedures and isolate backups from network connections. Implement the NIST 3-2-1 rule: 3) Keep three copies: one primary and two backups. 2) Keep the backups on two different media types. 1) Store one copy off site. 8 ------- Question (Does the WWS...) Recommendation 7. Reduce Exposure to Vulnerabilities Patch or otherwise mitigate known vulnerabilities within the recommended timeframe? (1.E) Recommendation: Identify and patch vulnerabilities in a risk-informed manner (e.g., critical assets first) as quickly as possible. Require unique and separate credentials for users to access OT and IT networks and separate user and privileged (e.g.. Svstem Administrator) accounts? (2.C. 2.E) Recommendation: Require a single user to have two different usernames and passwords; one account to access the IT network, and the other account to access the OT network to reduce the risk of an attacker being able to move between both networks using a single login. Restrict System Administrator privileges to separate user accounts for administrative actions only and evaluate administrative privileges on a recurring basis to ensure accurate information for the individuals who have these privileges. Prohibit the connection of unauthorized hardware (e.g.. USB devices, removable media, laptops brought in by others) to OT and IT assets? (2.V) Recommendation: When feasible, remove, disable, or otherwise secure physical ports (e.g., USB ports on a laptop) to prevent unauthorized assets from connecting. Immediately disable access to an account or network when access is no longer required due to retirement, change of role, termination, or other factors? (2.D) Recommendation: Terminate access immediately to accounts or networks upon a change in an individual's status making access unnecessary (e.g., retirement, change in position). 8. Conduct Cybersecurity Awareness Training Provide/conduct annual cybersecurity awareness training for all WWS personnel that covers basic cybersecurity concepts? (2.1) Recommendation: Conduct cybersecurity awareness training annually, at a minimum, to help all employees understand the importance of cybersecurity and how to prevent and respond to cyberattacks. 9 ------- 5.0 Artificial Intelligence Risks for Water and Wastewater Systems The current use of artificial intelligence (Al) by WWSs is limited, but potential advantages of Al for WWS operations and management may drive widespread adoption in the future. Consequently, WWS owners and operators should be aware of the potential advantages, risks, and risk management of Al systems. Al systems analyze large volumes of historic and real-time data to make decisions and predictions. A properly configured Al system could potentially support, automate, or optimize many business and operational processes at WWSs. Examples could include fine- tuning pump controls, planning system growth, responding quickly to emergency situations, communicating with customers, and monitoring water quality. Future research and deployment of Al systems at WWSs is expected to demonstrate additional areas of beneficial Al use. However, the deployment of Al systems at WWSs also carries the risk of the Al malfunctioning, either due to an inadvertent cause or a malevolent act. Regardless of cause, if an Al system malfunctions at a WWS, it could make incorrect predictions and decisions that might disrupt water and wastewater services and potentially damage infrastructure. Inadvertent causes of Al malfunction could include incorrectly installing or training the Al, unexpected data inputs to the Al, or insufficiently trained employees or vendors integrating, monitoring, or interfacing with the Al. An adversary could cause the malfunction or failure of Al by taking control of the Al or feeding the Al corrupt data. Access to Al by adversaries could occur through vectors used in conventional cyberattacks (e.g., weak passwords, social engineering). In consideration of both the promise and risks of Al, the President issued Executive Order 14110. "Safe. Secure. And Trustworthy Development and Use of Artificial Intelligence (Al)" on October 23, 2023. This Executive Order addresses managing and securing Al in critical infrastructure, along with other concerns like protecting privacy and civil liberties and promoting innovation. In keeping with this order, federal agencies are issuing guidance on addressing and managing Al risks to critical infrastructure, including WWSs. The NIST Trustworthy & Responsible Artificial Intelligence Resource Center is an online repository of guidance and training that supports the development and deployment of Al technologies. It includes the NIST Al Risk Management Framework, which is intended to increase the trustworthiness of Al systems and foster the responsible development, deployment, and use of Al systems. 10 ------- This Framework is divided into two parts. Part 1 addresses Al risks and the characteristics of trustworthy systems, which are defined as valid and reliable, safe, secure and resilient, accountable and transparent, explainable and interpretable, privacy enhanced, and fair - with their harmful biases managed. Part 2 comprises the "Core" of the Framework. It describes four specific functions to help organizations address the risks of Al systems: (1) Govern - establish an organizational culture of Al risk management, (2) Map - understand your individual Al use context and risk profile, (3) Measure - develop systems to assess, analyze, and manage Al risks, and (4) Manage - prioritize and act upon Al risks to safety and security. Each of these functions is broken down into categories and subcategories with specific actions and outcomes. CISA has published Mitigating Artificial Intelligence Risk: Safety and Security Guidelines for Critical Infrastructure Owners and Operators. The guidelines list ten Al use categories in critical infrastructure, such as automation of operations, performance optimization, event detection, and forecasting. In addition, three categories of system-level Al risk are defined: attacks using Al, attacks targeting Al systems, and failures in Al design and implementation. Risk subcategories and associated mitigation strategies are provided for each risk category. Further, these guidelines are aligned with the NIST Al Risk Management Framework and include recommended actions that critical infrastructure facilities should take in each of the four NIST Framework core functions (listed above). The factsheet Deploying Al Systems Securely was published jointly by the U.S. National Security Agency, CISA, the FBI, the Australian Signals Directorate, the Canadian Centre for Cyber Security, the New Zealand National Cyber Security Centre, and the United Kingdom's National Cyber Security Centre. It was developed to meet three goals: (1) improve the confidentiality, integrity, and availability of Al systems, (2) assure that known cybersecurity vulnerabilities in Al systems are appropriately mitigated, and (3) provide methodologies and controls to protect, detect, and respond to malicious activity against Al systems and related data and services. In addition to these currently available guidance materials from the federal government, many private sector organizations offer information on the safe and effective deployment of Al systems in critical infrastructure. WWS owners and operators should be aware of this rapidly advancing technology and consider where deployment of Al systems at their facilities could prove beneficial. Further, they should stay updated on current threats using Al to facilitate cyberattacks on critical infrastructure facilities and incorporate recommended mitigation strategies in their cybersecurity programs. 11 ------- APPENDIX A: EPA Cybersecurity Checklist for Drinking Water and Wastewater Systems ------- EPA Cybersecurity Checklist for Drinking Water and Wastewater Systems Priority cybersecurity practices for Water and Wastewater Systems (WWSs) are denoted with a * after the question. 1, IDENTIFY. Does the WWS... 1 .A. Maintain an updated inventory of all OT and IT network assets?* Recommendation: Regularly review (no less than quarterly) and maintain a list of all OT and IT assets with an IP address. This includes third-party and legacy (i.e., older) equipment. 1 .EL Have a named role/position/title that is responsible for planning, resourcing, and executing cybersecurity activities within the WWS?* Recommendation: Identify one role/position/title responsible for cybersecurity within the WWS. Whoever fills this role/position/title is then in charge of all WWS cybersecurity activities. 1 .C. Have a named role/position/title that is responsible for planning, resourcing, and executing OT-specific cybersecurity activities? Recommendation: Identify one role/position/title responsible for ensuring planning, resourcing, and execution of OT-specific cybersecurity activities. 1 .D. Provide regular opportunities to strengthen communication and coordination between OT and IT personnel, including vendors? Recommendation: Facilitate meetings between OT and IT personnel to provide opportunities for all parties to better understand organizational security needs and to strengthen working relationships. 1 .E. Patch or otherwise mitigate known vulnerabilities within the recommended timeframe?* Recommendation: Identify and patch vulnerabilities in a risk-informed manner (e.g., critical assets first) as quickly as possible. 1 .F. This control number is included here to be consistent with the CISA CPG but is not applicable to most WWSs. Page A-1 ------- 1 .G/H. Require that ai! OT vendors arid service providers notify the WWS of any security incidents or vulnerabilities in a risk-informed timeframe? Recommendation: Require vendors and service providers to notify the WWS of potential security incidents and vulnerabilities within a stipulated timeframe described in procurement documents and contracts. 1.1. Include cybersecurity as an evaluation criterion for the procurement of OT and IT assets and services? Recommendation: Include cybersecurity as an evaluation criterion when procuring assets and services. Where feasible, seek out systems that are secure by design and secure by default. Page A-2 ------- 2. PROTECT. Does the WWS... 2.A. Change default passwords?* Recommendation: Change all default manufacturer or vendor passwords before equipment or software is put into service. 2.B. Require a minimum length for passwords?* Recommendation: Implement a minimum length requirement for passwords through a policy and/or administrative controls set in the system. 2.C. Require unique and separate credentials for users to access OT and IT networks?* Recommendation: Require a single user to have two different usernames and passwords; one account to access the IT network, and the other account to access the OT network to reduce the risk of an attacker being able to move between both networks using a single login. 2.D. Immediately disable access to an account or network when access is no longer required due to retirement, change of role, termination, or other factors?* Recommendation: Terminate access immediately to accounts or networks upon a change in an individual's status making access unnecessary (e.g., retirement, change in position). 2.E. Separate user and privileged (e.g., System Administrator) accounts?* Recommendation: Restrict System Administrator privileges to separate user accounts for administrative actions only and evaluate administrative privileges on a recurring basis to ensure accurate information for the individuals who have these privileges. 2.F. Segment OT and IT networks and deny connections to the OT network by default unless explicitly allowed (e.g., by IP address and port)? Recommendation: Require connections between the OT and IT networks to pass through an intermediary, such as a firewall, bastion host, jump box, or demilitarized zone, which is monitored and logged. 2.G. Detect and block repeated unsuccessful login attempts? Recommendation: Enable System Administrator notification after a specific number of consecutive, unsuccessful login attempts in a short amount of time. At that point, future login attempts by the suspicious account should be blocked for a specified time or until re-enabled by an Administrator. Page A-3 ------- 2.H. Require multi-factor authentication (MFA) wherever possible, but at a minimum to remotely access WWS Operational Technology (OT)/lnformation Technology (IT) networks?* Recommendation: Deploy MFA as widely as possible for both operational technology (OT) and information technology (IT) networks. At a minimum, MFA should be used for remote access to the OT network. 2.1. Provide/conduct annual cybersecurity awareness training for all WWS personnel that covers basic cybersecurity concepts?* Recommendation: Conduct cybersecurity awareness training annually, at a minimum, to help all employees understand the importance of cybersecurity and how to prevent and respond to cyberattacks. 2.J. Offer OT-specific cybersecurity training on at least an annual basis to personnel who use OT as part of their regular duties? Recommendation: Provide specialized OT-focused cybersecurity training to all personnel who use OT assets. 2.K. Use effective encryption to maintain the confidentiality of data in transit? Recommendation: When sending information and data, use Transport Layer Security (TLS) or Secure Socket Layer (SSL) encryption standards. 2.L. Use encryption to maintain the confidentiality of stored sensitive data? Recommendation: Do not store sensitive data, including credentials (i.e., usernames and passwords) in plain text files. 2.M. Use email security controls to reduce common email-based threats, such as spoofing, phishing, and interception? Recommendation: Ensure that email security controls are enabled on all corporate email infrastructure. 2.N. Disable Microsoft Office macros, or similar embedded code, by default on all assets? Recommendation: Disable embedded macros and similar executable code by default on all assets. 2.0. Maintain current documentation detailing the set-up and settings (i.e., configuration) of critical OT and IT assets?* Recommendation: Maintain accurate documentation of the original and current configuration ofOT and IT assets, including software and firmware version. Page A-4 ------- 2.P. Maintain updated documentation describing network topology (i.e., connections between all network components) across WWS OT and IT networks? Recommendation: Maintain complete and accurate documentation of all WWS OT and IT network topologies to facilitate incident response and recovery. 2.Q. Require approval before new software is installed or deployed? Recommendation: Only allow Administrators to install new software on a WWS-issued asset. 2.R. Backup systems necessary for operations (e.g., network configurations, PLC logic, engineering drawings, personnel records) on a regular schedule, store backups separately from the source systems, and test backups on a regular basis?* Recommendation: Regularly backup OT/IT systems so you can recover to a known and safe state in the event of a compromise. Test backup procedures and isolate backups from network connections. Implement the NIST 3-2-1 rule: 3) Keep three copies: one primary and two backups; 2) Keep the backups on two different media types; 1) Store one copy off site. 2.S. Have a written cybersecurity incident response (IR) plan for critical threat scenarios (e.g., disabled or manipulated process control systems, the loss or theft of operational or financial data, exposure of sensitive information), which is regularly practiced and updated?* Recommendation: Develop, practice, and update an IR plan for cybersecurity incidents that could impact WWS operations. Participate in discussion-based (e.g., TTX) and operations-based exercises (e.g., Drill) to improve responses to potential cyber incidents. 2.T. Collect security logs (e.g., system and network access, malware detection) to use in both incident detection and investigation? Recommendation: Collect and store logs and/or network traffic data to aid in detecting cyberattacks and investigating suspicious activity. 2.U. Protect security logs from unauthorized access and tampering? Recommendation: Store security logs in a central system or database that can only be accessed by authorized and authenticated users. Page A-5 ------- 2.V. Prohibit the connection of unauthorized hardware (e.g., USB devices, removable media, laptops brought in by others) to OT and IT assets?* Recommendation: When feasible, remove, disable, or otherwise secure physical ports (e.g., USB ports on a laptop) to prevent unauthorized assets from connecting. 2.W. Ensure that assets connected to the public Internet expose no unnecessary exploitable services (e.g., remote desktop protocol)?* Recommendation: Eliminate unnecessary exposed ports and services on public-facing assets and regularly review. 2.X. Eliminate connections between OT assets and the Internet?* Recommendation: Eliminate OT asset connections to the public Internet unless explicitly required for operations. Page A-6 ------- 3. DETECT. Does the WWS... 3.A. Keep a list of threats and adversary tactics, techniques, and procedures (TTPs) for cyberattacks relevant to the WWS? Recommendation: Receive CISA alerts, prioritize the Known Exploited Vulnerabilities (KEV) list, and maintain documentation of TTPs relevant to the WWS. Page A-7 ------- 4. RESPOND. Does the WWS.. 4.A. Have a written procedure for reporting cybersecurity incidents, including how (e.g., phone cail, Internet submission) and to whom (e.g., FBI or other law enforcement, CISA, state regulators, WaterlSAC, cyber insurance provider)?1* Recommendation: Document the procedure for reporting cybersecurity incidents to better aid law enforcement, receive assistance with response and recovery, and to promote water sector awareness of cybersecurity threats. 4.B. This control number is included here to be consistent with the CISA CPGs but is not applicable to most WWSs. 4.C. This control number is included here to be consistent with the CISA CPGs but is not applicable to most WWSs. 1 Under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), CISA is required to issue regulations, through notice-and-comment rulemaking, requiring covered entities to report covered cyber incidents and ransom payments made as a result of a ransomware attack to CISA. CISA's Notice of Proposed Rulemaking proposes applying these requirements to at least some entities in the Water and Wastewater Sector. This recommendation will be revised as necessary when the CIRCIA Final Rule is issued. Page A-8 ------- 5. RECOVER. Does the WWS.. 5.A Have the ability to safely and effectively recover from a cybersecurity incident? Recommendation: Develop, maintain, and execute plans to recover and restore to service business- or mission-critical assets or systems that might be impacted by a cybersecurity incident. Page A-9 ------- APPENDIX B: EPA Checklist Factsheets The EPA Checklist Factsheets can be found on EPA's Factsheets webpage. ------- APPENDIX C: Glossary of Terms Term Definition Access Control Lists Lists that identify individuals who can access an Operational Technology (OT) and/or information Technology (IT) system. Active Services Programs running in the background. Artificial Intelligence The capability of a device to perform functions that are normally associated with human intelligence such as reasoning, learning, and self-improvement. The Artificial Intelligence Risk Management Framework (AI RMF) A framework developed by the National Institute of Science and Technology (NIST) that is intended to help developers, users and evaluators of Al systems better manage Al risks which could affect individuals, organizations, society, or the environment. Asset A cyber facility, device, information, or process that has value. Automatic Account Lockout or Account Lockout Threshold Policy that determines how many times a person can attempt to log in with incorrect credentials before the system locks them out. Bastion Host A special-purpose computer on an OT or IT network that a WWS specifically designs and configures to withstand cyberattacks. Backup The process of creating a copy of critical WWS data that can be used for recovery in case the original data is lost or corrupted. Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity Advisors (CSAs) Professionals that provide cybersecurity assistance to critical infrastructure owners, including WWSs, such as cyber preparedness, assessments and protective resources, and incident coordination and support. Community Water System (CWS) A public water system that supplies water to the same population year-round. Page C-1 ------- Term Definition Compensating Controls Security and privacy controls that a WWS implements in lieu of the baseline controls. Compensating controls provide equivalent or comparable protection for an OT or IT system. Configuration The setup of an OT or IT system or component, including the conditions, parameters, and specifications. Control A practice or measure that a WWS uses to prevent, detect, and mitigate cyber threats and attacks. Practices range from physical controls, such as removing USB ports in laptops, to technical controls, such as using firewalls and multi-factor authentication. Control System A system that assists in implementing a procedure or process (e.g., water treatment). Control systems include Supervisory Control and Data Acquisition (SCADA), Distributed Control System (DCS), Programmable Logic Controllers (PLCs), and other types of industrial control systems. Credentials Information that is unique to a specific user and is required to log on to a system or a program. For example, a username and password. Data Loss Prevention (DLP) The practice of detecting and preventing data breaches, exfiltration (theft or unauthorized removal or movement of any data from a device), or unwanted destruction of sensitive data. Organizations use DLP to protect and secure their data and to comply with regulations. Demilitarized Zone (DMZ) A perimeter network that acts as a fence and governs the exchange of information between internal and external computer networks. It regulates how information flows from an internal network to an external network and who from the external network can access the internal network. It is often used between the OT and IT networks of a WWS. Page C-2 ------- Term Definition Cybersecurity and Infrastructure Security Agency (CISA) CISA leads the national effort to understand, manage, and reduce risk to the nation's cyber and physical infrastructure. CISA develops and publishes a variety of information, resources, tools, and training for the water sector and other critical infrastructure sectors. Devices Pieces of computer hardware that include desktops, laptops, servers, and tablets. DomainKeys Identified Mail (DKIM) Email authentication method to verify the authenticity of emails. Domain-Based Message Authentication, Reporting, and Conformance (DMARC) A protocol that uses Sender Policy Framework (SPF) and/or DKIM records to authenticate emails. It allows for the rejection of fraudulent emails. Embedded Code Code that a third-party website, such as YouTube or X (formerly known as Twitter), generates that a user can copy and paste into their own webpage. This embedded code will then show the same media, application, or feed on the user's webpage as it does on the original website. Emergency Response Plan (ERP) A plan that describes strategies, resources, other plans, and procedures WWSs can use to prepare for and respond to a natural or man-made incident that threatens life, property, or the environment. Encrypt Process by which a WWS converts plain text or data into coded or "ciphered" text/data. Encryption Any procedure that a WWS uses to convert plain text or data into coded or "ciphered" text/data to prevent anyone but the intended recipient from decoding and reading the text or data. Executable A piece of computer code or programming that can perform set tasks according to its encoded instructions. Executable files are used by a computer program or routine. Page C-3 ------- Term Definition Fast Identity Online (FIDO)/Client to Authenticator Protocol (CTAP) Developed by the FIDO Alliance, the CTAP enables communication without the use of passwords between an external authenticator (e.g., mobile phones, connected devices) and another client (e.g., browser) or platform (e.g., operating system such as Microsoft Windows). FBI Internet Crime Complaint A division of the Federal Bureau of Investigation focused Center (IC3) on suspected Internet-facilitated criminal activity. Firewall A device that restricts data communication between two connected networks. A firewall may be either an application installed on a general-purpose computer or a separate device that allows or rejects information flow between networks. Typically, a WWS uses firewalls to define zone borders, such as between OT and IT systems at a WWS. Firmware Software program or instructions programmed on the flash read-only memory (ROM) of a hardware device. It enables the device to communicate with other computer hardware. Group Policy Object (GPO) Allows a System Administrator to dictate how users and computers will interact. Group policies are primarily security tools and a WWS can use them to apply security settings to users and computers, such as requiring a minimum password length. Human-Machine Interface (HMI) User interface or dashboard that connects a user to a machine, system, or device. The term "HMI" is commonly used in the context of an industrial process, such as interacting with a SCADA system. For example, a WWS operator might use an HMI to check if a certain pump is operating. Internet Protocol (IP) Address A numerical address that identifies a device on the Internet or local network. Page C-4 ------- Term Definition Incident Response (IR) Plan A set of predetermined and documented procedures to detect and respond to a cyber incident. Some WWSs may include their cybersecurity IR plan as part of their WWS Emergency Response Plan. Information Sharing and Analysis Centers (ISACs) An organization that collects, analyzes, and disseminates actionable threat information to its members and provides them with tools to mitigate risks and improve resiliency. For example, WaterlSAC provides these services to WWSs. Information System Interconnected set of information resources under the same direct management control that share common functionality. A system normally includes hardware, software, information, data, applications, communications, and people. Information Technology (IT) A set of resources that an organization uses for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Industrial Control System (ICS) A system used to control industrial processes such as water treatment and distribution. ICSs include SCADA systems (frequently used at WWSs to control geographically dispersed assets), DCSs, and smaller control systems using PLCs to control localized processes. Interception Interception allows attackers to access data, applications, or systems, and are primarily attacks against confidentiality. This could be unauthorized file viewing or copying, eavesdropping on phone conversations, or reading another person's email. These attacks can be conducted against data at rest (e.g., stored on a server) or in motion (e.g., an email in transit from sender to receiver). International Electrotechnical Commission (IEC) A global, not-for-profit membership organization that brings together 173 countries and coordinates the work of 20,000 experts globally. It facilitates electricity access, Page C-5 ------- Term Definition and verifies the safety, performance and interoperability of electric and electronic devices and systems, including consumer devices such as mobile phones, refrigerators, office and medical equipment, IT, electricity generation, and more. International Society of Automation (ISA) A non-profit professional association founded in 1945 to create a better world through automation. ISA develops widely used global standards, certifies professionals, provides education and training, publishes books and technical articles, hosts conferences and exhibits, and provides networking and career development programs for its members and customers. International Society of Automation/International Electrotechnical Commission (ISA/IEC) 62443 The ISA/I EC 62443 series of standards, developed by the ISA99 committee and adopted by the IEC, provides a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems (lACSs). Intranet A local communications network that is often used to improve communication, collaboration, and engagement within an organization. It typically excludes anyone from outside the organization. Intrusion Detection System/Intrusion Protection System (IDS/IPS) Both systems are placed within a network to alert when an unwanted intrusion has occurred. An IDS is designed to only provide an alert about a potential incident. An IPS, on the other hand, acts to block the attempted intrusion or otherwise remediate the attack. Inventory The formal listing or record of the organizational property at a WWS. Jump Box A hardened and monitored device that spans two dissimilar network security zones and provides a controlled means of access between them. It essentially serves as a gated bridge between the zones. Page C-6 ------- Term Definition Known Exploitable Vulnerabilities (KEV) Catalog A list of vulnerabilities that CISA has identified as being exploited or that threat actors have used to conduct attacks. Log A record of the events occurring within a WWS's OT and IT systems and networks. Media Access Control (MAC) Address A unique identifier assigned to a network interface controller (NIC) for use as a network address. Device manufacturers typically assign MAC addresses, so devices come with this address already assigned to them, unlike IP addresses. Also referred to as the hardware address or physical address. Macro A configured action that allows users to automate tasks and add functionality in files (e.g., a command button and an associated macro on a form). The macro contains the commands that the button will perform each time a user clicks it. MITRE ATT&CK A guideline for classifying and describing cyberattacks and intrusions. Multi-factor Authentication (MFA) A feature that requires more than one distinct authentication factor, such as a code texted to a cell phone, to activate a device or login into an account. National Vulnerability Database (NVD) The NVD was established to provide a U.S. government data repository about software vulnerabilities and configuration settings. Network Segmentation Dividing a network into multiple segments or "subnets," each acting as its own small network. This feature allows for control of the information flow between subnets. WWSs can use segmentation to improve monitoring, boost performance, localize technical issues, and enhance cybersecurity. Page C-7 ------- Term Definition National Institute of Standards and Technology (NIST) An organization that develops cybersecurity standards, guidelines, best practices, and other resources to meet the needs of U.S. industry, federal agencies, and the broader public. NIST Cybersecurity Framework (CSF) Voluntary guidance, based on existing standards, guidelines, and practices, for organizations such as WWSs to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, NIST designed the CSF to foster risk and cybersecurity management communications between internal and external organizational stakeholders. Network Switch A device that connects users, applications, and equipment across a network so that they can communicate with one another and share resources. Network Traffic The amount of data that moves across a network during any given time. Operating System (OS) Software that serves as an interface between computer hardware and the user. Applications (e.g., Microsoft Office) require an environment to operate and perform tasks in. The OS helps users interact with applications and other hardware and programs. OS also performs tasks such as file, memory, and process management. Operational Technology (OT) The hardware, software, and firmware components of a system that a WWS uses to detect or cause changes in physical processes through the direct control and monitoring of physical devices. For many WWSs, this is a SCADA system. Patches Software and operating system updates that address security vulnerabilities within a program or product. Software vendors may choose to release updates to fix performance bugs and provide enhanced security features. Page C-8 ------- Term Definition Personally Identifiable Any information that permits the identity of an individual Information (PI 1) to be directly or indirectly inferred. Protected Critical Infrastructure Information (PCM) Program The PCII Program protects information not customarily in the public domain and related to the security of critical infrastructure or protected systems, including documents, records, or other information from federal, state, and local disclosure laws. This allows partners such as WWSs to securely share their critical infrastructure information with CISA without fear of disclosure. Phishing Fraudulent emails, text messages, phone calls or websites that trick people into downloading malware, sharing sensitive information (e.g., Social Security and credit card numbers, bank account numbers, login credentials), or taking other actions that expose themselves or their WWS to cybercrime. Privileged Account A user account that has more privileges than ordinary users. Privileged accounts might, for instance, be able to install or remove software, upgrade the operating system, or modify system or application configurations. These accounts might also have access to files that standard users are not able to access. At a WWS, a "System Administrator" would most likely have a privileged account. Programmable Logic Controller (PLC) A small industrial computer originally designed to perform the logic functions executed by electrical hardware (e.g., relays, switches, and mechanical timer/counters). PLCs have evolved into controllers with the capability of controlling complex processes, and WWSs frequently use them in SCADA systems. Purdue Enterprise Reference Architecture (PERA), or Purdue Model A six-layer model for ICS network segmentation that defines the system components found in each of the layers and the network boundary controls for securing each layer and ultimately the ICS network. Page C-9 ------- Term Definition Remote Desktop Protocol (RDP) A network communications protocol developed by Microsoft. It enables System Administrators to remotely diagnose problems that individual users encounter and gives users remote access to their physical work desktop computers. Support technicians often use RDP to diagnose and repair a user's system remotely. Risk and Resilience Assessment (RRA) An assessment of the risks to the WWS, including malevolent acts and natural hazards, and resilience to those risks. Router A device that communicates between the Internet and the devices at a WWS that connect to the Internet. Server A computer program or device that provides a service (such as sharing data or resources) to another computer program and its user, also known as the client. Supervisory Control and Data Acquisition (SCADA) A type of industrial control system. It is a collection of both software and hardware components that allows users to control, monitor, and automate processes. SCADA systems help to gather and analyze real-time data. Secure Sockets Layer (SSL) A protocol that a WWS uses for protecting private information during transmission via the Internet. Sender Policy Framework (SPF) An email authentication method that helps protect outgoing email from being marked as spam by receiving organizations. Service Level Agreement (SLA) A commitment between a service provider (e.g., vendor) and a customer (e.g., WWS). Aspects of the service's quality and availability, as well as the parties' individual responsibilities, are agreed upon in advance. Spoofing A type of scam in which an attacker disguises an email address, display name, phone number, text message, or website URL to convince a target that they are interacting with a known, trusted source. Page C-10 ------- Term Definition Software A collection of data, programs, and instructions used to operate computers and execute specific tasks, encompassing everything from operating systems to various applications, essential for performing a wide range of digital functions. Start Transport Layer Security (STARTTLS) A protocol used to ensure email is securely transported from one server to another. Supply Chain Attack A type of cyberattack that targets a trusted third-party vendor who offers services or software vital to the supply chain. Supply chain attacks are difficult to detect, as they rely on software that has already been trusted and can be widely distributed (e.g., SolarWinds attack). System Administrator Person responsible for managing, updating, and operating the computer system(s). This person can be an individual at the WWS or a vendor. Security Information and Event Management (SIEM) A tool that collects event log data from a range of sources (e.g., devices, software), identifies activity that deviates from "normal" with real-time analysis, and takes appropriate action. It helps organizations detect, analyze, and respond to security threats before they interrupt operations. Tabletop Exercise (TTX) A discussion-based exercise where personnel with roles and responsibilities in a particular IR plan meet in a classroom setting or in breakout groups to validate the content of the plan by discussing their roles during a cyber emergency and their responses to a particular cyber incident. A facilitator initiates the discussion by presenting a scenario and asking questions based on the scenario. Tactics, Techniques, and Procedures (TTPs) This is the term used by cybersecurity professionals to describe the behaviors, processes, actions, and strategies used by an attacker to engage in cyberattacks. Page C-11 ------- Term Definition Transparent Data Encryption (TDE) TDE enables the user to encrypt sensitive data that is stored in databases at the file level. It protects data at "rest", not data in "transit." Transport Layer Security (TLS) An authentication and encryption protocol widely implemented in browsers and Web servers. Hyper Text Transfer Protocol (HTTP) traffic (a standard method for communication between clients and Web servers) transmitted using TLS is known as Hyper Text Transfer Protocol Secure (HTTPS). U.S. Department of Agricultural (USDA) Rural Development (RD) Circuit Rider Program Circuit Riders provide technical assistance to rural water systems on operational, financial, and/or managerial topics. Virtual Private Network (VPN) A service that extends a private network across a public network (e.g., Internet) and provides a secure, encrypted channel between the user's device and the private network. A VPN allows users to conduct work remotely. Vulnerability A flaw or weakness in a piece of software or firmware that an attacker can use to modify application code, damage an asset, gain access to a network, or execute other malicious activity. Wireless Access Point A device that creates a wireless local area network, or WLAN, usually in an office or large building. An access point connects to a wired router, switch, or hub and projects a WiFi signal within a designated area. Page C-12 ------- |