S-EPA

i »

Au.uiim

Incident Action Checklist - Cybersecurity

For on-the-go convenience, the actions in this checklist are divided up into three "rip & run" sections and provide a list of
activities that water and wastewater utilities can take to prepare for, respond to and recover from a cyber incident. You
can also populate the "My Contacts" section with critical information that your utility may need during an incident.

Cyber Incidents at Water and Wastewater Utilities

Cyberspace and its underlying infrastructure are vulnerable to a wide range of hazards from both physical
attacks as well as cyberthreats. Sophisticated cyber actors and nation-states exploit vulnerabilities to steal
information and money and are developing capabilities to disrupt, destroy or threaten the delivery of essential
services such as drinking water and wastewater.

As with any critical enterprise or corporation, drinking water and wastewater utilities must evaluate and mitigate
their vulnerability to a cyber incident and minimize impacts in the event of a successful attack. Impacts to a
utility may include, but are not limited to:

Interruption of treatment, distribution or conveyance
processes from opening and closing valves, overriding
alarms or disabling pumps or other equipment

Theft of customers' personal data such as credit card
information and social security numbers stored in on-line
billing systems

Defacement of the utility's website or compromise of the
email system

Damage to system components

Loss of use of industrial control systems (e.g., SCADA
system) for remote monitoring of automated treatment
and distribution processes

/h n« in
f*j 1 u • id

' iff! Pn 1 * rimn mm n< j,

• . i -> < t pv uui • u iuu u iu i u 4..

' J 1 * Mpn 1 nnn i 1 nn in t
• •,. i ,. •WViJ 1 ouu i i lu i u jlW 11 i n t nn « .

1 •-<	i nnn Am ' ,u'uu ,U

»» u j «

tf) Cfitt •

inn r> »ni ni in ni
i Uu u ui u • i o u i

'ui iu cjuu uuu i w

jriffrmwiHkic ioci jgio w,

K31GCC! I OSQD^IQI 0
.I.VJ 		u 			'iCJO 10M

I *•*,	. i ni.no nini n

flmnWi	^

• o ut'jg ouu

TMW.m

Cyber incidents can compromise the ability of water and wastewater utilities to provide clean and safe water,
erode customer confidence and result in financial and legal liabilities. The following sections outline actions
drinking water and wastewater utilities can take to prepare for, respond to and recover from cyber incidents.

. v* *	ih kin |

^ -.ub-lndu^
—	-cart-menu .cart-icon-^

—m S ~^t®r-transParent heatler*^.
-sf-menu > li. current-

— -w/ . sf-menu > li u

		L ' • current-menu-aaf&—

^ > ul- > T-1 > a:hover >
™/ ul #search-btn a:hover -r~
"¦•rsi*/ .sf-menu > li . current-menu—ht»
^-"Aw«r -"icon-salient-cart,.ascesc^^w*
! "important; color: #ffffff;-i
¦	header#top nav>ul>li .

'/i/#- Hri
-------
Actions to Prepare for a Cyber Incident

.buuiiiuA.

Utility

Identify al! mission critical information technology
(IT) and operational technology (OT) systems,
considering business enterprise, process control
and communications. Document the key functions
of the mission critical objectives and identify the
personnel or entity responsible for operating and
maintaining each IT/OT system.

Identify an overall IT/OT security lead to
coordinate with each IT and OT system
manager and oversee all cyber-related duties.

Ensure that IT/OT system managers enforce
cybersecurity practices on all business
enterprise, process control and communications
systems. For example, verify adherence to user
authentication, current anti-virus software and
installation of security patches.

~	Review and update the utility's emergency
response plan (ERP) to address a cyber incident
impacting business enterprise, process control
and communications systems. Account for all
potential impacts on operations, and ensure
emergency contacts are current.

~	Prevent unauthorized physical access to
IT/OT systems through security measures
such as locks, sensors and alarms. Include
workstations and process control systems (e.g.,
programmable logic controllers or PLCs).

Identify priority points of contact for reporting a
cyber incident and requesting assistance with
response and recovery. Include any state
resources that may be available such as State
Police, your local Federal Bureau of Investigation
(FBI) field office or the FBI Internet Crime
Complaint Center (IC3) http://www.ic3.gov.
National Guard Cyber Division or mutual aid
programs, as well as the Department of
Homeland Security Cybersecurity and
Infrastructure Security Agency (CISA) at
https://www.cisa.gov/forms/report or 1-844-Say-
CISA (1-844-729-2472).

Train all essential personnel to perform mission
critical functions during a cyber incident that
disables business enterprise, process control
and communications systems. Include the
manual operation of water collection, storage,
treatment and conveyance systems.

~ Conduct drills and exercises for responding to
a cyber incident that disables critical business
enterprise, process control and communications
systems.

2 of 6


-------
Actions to Prepare for a Cyber Incident

m

•SlLnnii,^

IT/OT Staff or Vendor	

~	Establish a program for maintaining updated
anti-virus software on all critical IT/OT
systems, along with rapid installation of all
security patches.

~	Set up an automatic back-up on critical systems
and ensure the process is producing a readable,
uncorrupted restore file on a routine basis.

I I Implement rigorous user authentication,
including multi-factor authentication where
possible. Use individual accounts and unique
passwords for each employee and restrict IT/OT
system access privileges to the level needed for
a user's duties.

~	Restrict internet access to process control
systems unless absolutely necessary.

EH Where possible, separate process control
system traffic from business traffic by using a
firewall. If this is not possible, logically filter
traffic by using a firewall.

EH Identify all routes of remote access to IT/OT
systems. Eliminate remote access where
possible, and restrict remaining access (e.g.,
do not allow persistent remote access to control
networks).

~	Assess the use of additional strategies to
protect IT/OT systems, such as application
whitelisting, network segmentation with restricted
communication paths and active monitoring for
adversarial system penetration.

~	Conduct a detailed assessment of vulnerabilities
in all mission critical IT/OT systems. Consider the
use of the tools and subject matter experts
provided by the EPA

(https://www.epa.gov/waterresilience/epa-
cvbersecuritv-water-sector) and/or CISA
(https://www.cisa.gov/water). Develop an action
plan to mitigate all significant vulnerabilities
identified in the assessment.

r Notes:

3 of 6


-------
Actions to Respond to a Cyber Incident

iUJ

Utility	

] If possible, disconnect compromised computers
from the network to isolate breached components
and prevent further damage, such as the
spreading of malware. Do not turn off or reboot
systems - this preserves evidence and
allows for an assessment to be performed.

I I Notify IT/OT personnel and/or IT/OT vendor(s)
of the incident and the need for emergency
response assistance. In addition, CISA can
assist with IT/OT system response and
recovery (https://www.cisa.gov/forms/report or
1 -844-Say-CISA (1 -844-729-2472)).

~ Assess any damage to utility systems and
equipment, along with disruptions to utility
operations.

I I Execute the utility ERP as needed, including
notification of utility personnel, actions to restore
operations of mission critical processes (e.g.,
switch to manual operation if necessary), and
public notification (if required).

I I Report the cyber incident as required to
regulatory agencies and law enforcement to
include your local FBI field office or FBI IC3
http://www.ic3.gov.

I I Notify any external entities (e.g., vendors, other
government offices) that may have remote
connections to the affected network(s).

I I Document key information on the incident,
including any suspicious calls, emails, or
messages before or during the incident, damage
to utility systems and steps taken in response to
the incident (including dates and times).

r Notes:	

IT/OT Staff or Vendor	

] Review system and network logs and use virus
and malware scans to identify affected
equipment, systems, accounts and networks.

] Document which user accounts were or are
logged on, which programs and processes were
or are running, any remote connections to the
affected IT/OT systems or network(s) and all
open ports and their associated applications.

] If possible, take a "forensic image" of the
affected IT/OT systems to preserve evidence.
Tools to take forensic images include Forensic
Tool Kit (FTK) and EnCase.

] If possible, identify any malware used in the
incident, any remote servers to which data may
have been sent during the incident and the
origin of the incident. CISA can assist with the
forensic analysis

(https://www.cisa.gov/forms/report or 1-844-
Say-CISA (1-844-729-2472)).

~ Research and identify if any employee or
customer personally identifiable information
(PII) was compromised.

] Check the system back-up time stamp to
determine if the back-up was compromised
during the incident.

] Document all findings and avoid modifying or
deleting any data that might be attributable to
the incident.

4 of 6


-------
Utility

Continue to work with IT/OT staff, vendors and
integrators, government partners and others
to obtain needed resources and assistance for
recovery.

^ Notify affected employees and customers if any
Pll was compromised.

Submit an incident report to CISA
(https://www.cisa.gov/forms/report or 1-844-
Say-CISA (1-844-729-2472)).

Develop a lessons-learned document and/or
an after-action report (AAR) to document
utility response activities, successes and
areas for improvement. Create an
improvement plan (IP) based on your AAR
and use the IP to update your vulnerability
assessment, ERP and contingency plans.

I I Register for cybersecurity alerts and advisories
from water sector and government partners to
be aware of new vulnerabilities and threats.
Some sources of cybersecurity alerts are EPA
(https://www.epa.gov/waterresilience/cvbersecur
ity-response), WaterlSAC, which has a basic
membership that is free, and CISA
(https://www.cisa.gov/about/contact-
us/subscribe-updates-cisa).

IT/OT Staff or Vendor

]] Remove any malware, corrupted files and other
changes made to IT/OT systems by the incident.

]] Restore IT/OT systems as required (e.g., re-
image hard drives, reload software). CISA can
assist with the IT/OT system recovery
(https://www.cisa.gov/forms/report or 1 -844-
Say-CISA (1-844-729-2472)).

Restore compromised files from a system
back-up that has not been compromised.

Install patches and updates, disable unused
services and perform other countermeasures
to harden the system against known
vulnerabilities that may have been exploited.

r Notes:

5 of 6


-------
My Contacts and Resources	fjf

J	KlamM

CONTACT NAME

UTILITY/ORGANIZATION NAME

PHONE NUMBER



Law Enforcement





FBI Field Office





IT Staff/Vendor





OT Staff/Vendor





Local Cybersecurity and Infrastructure
Security Agency (CISA) Cybersecurity
Advisor





Local Laboratory





State Primacy Agency





Local Emergency Management Agency





Local Health Department





WARN Chair





State Emergency Management Agency





State Information Security Office (or
equivalent department)









Resources

•	Cvbersecuritv Resources for the Water and Wastewater Sector (EPA)

•	Water and Wastewater Cvbersecuritv Toolkit (CISA & EPA)

•	Alerts & Advisories (CISA)

•	Regional Cvbersecuritv Advisors (CISA)

•	Best Cvbersecuritv Practices (Water I SAC)

•	Cvbersecuritv Guidance and Tool (AWWA)

•	Internet Crime Complaint Center (FBI)

r Notes:	

Office of Water (4608-T) EPA810-B-17-004 September 2024

6 of 6


-------