Water Sector Cyber-Security Meeting Held this Week

On March 5th, the Water Sector and Government Coordinating Councils (as part of the Critical Infrastructure Partnership Advisory Council) held a joint cyber-security meeting in Washington, DC. Water utility and Federal and state government representatives (including ASDWA staff) were in attendance, and Johnna McKenna of the New Hampshire Drinking Water Program (ASDWA’s representative on the GCC) participated by phone. The following items from the meeting should be of interest to state drinking water programs:

  • The Incident Command System Computer Emergency Readiness Team (ICS-CERT) received reports of 256 cybersecurity incidents in 2013, including two that took place at water systems (see the “Year in Review” report on the web site). ICS-CERT has many other resources on its web site, such as a self-assessment tool, fact sheets, and multiple best practices documents.
  • The new 2013 National Infrastructure Protection Plan (NIPP) has been updated from the 2009 version to include a greater focus on integration of cyber and physical security efforts, closer alignment to national preparedness efforts, and integration of information-sharing. DHS plans to create and kick off a new workgroup in April 2014 to implement the new NIPP and develop some metrics to evaluate achievement.
  • EPA’s Water Security Division is waiting to release the updated Vulnerability Self-Assessment Tool (VSAT) until its stakeholder workgroup has a chance to conduct an in-person review.  EPA hopes to announce the release of the tool in the June 2014 timeframe.
  • The National Institute of Standards and Technology (NIST) released the first version of the Framework for Improving Critical Infrastructure Cybersecurity on February 12, 2014. The Framework was developed with stakeholders in response to Presidential Executive Order 13636, Improving Critical Infrastructure Cybersecurity. The voluntary Framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The Department of Homeland Security (DHS) is responsible for implementing the Framework over the next two to three years and has created a Critical Infrastructure Cyber Community C³ Voluntary Program for critical infrastructure owners and operators to: understand and support the use of the Framework; serve as a point of contact and align them with helpful resources; and receive feedback on how the Framework and the C³ Voluntary Program can be improved.
  • The American Water Works Association’s new Process Control System Security Guidance (and tool) for the Water Sector is now freely available to the public and is designed to provide actionable information for utility owner/operators based on their use of process control systems. These tools are expected to be continually updated, particularly as the DHS Framework implementation approach is developed.

As a next step, the GCC and WSCC plan to form a sub-workgroup to develop a Framework implementation approach that is supported by the existing 2009 Sector Specific Plan (SSP) and also promotes the use of DHS’s Cyber Security Evaluation Tool for utilities to conduct cybersecurity self-assessments.  After the work on the Framework implementation strategy is completed, the next task will be for the GCC and WSCC to work on revising the SSP.  For more information about the CIPAC, the GCC, and the WSCC, visit the web site.