Water ISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities

Last week WaterISAC released its 15 Cybersecurity Fundamentals for Water and Wastewater Utilities. This is a completely updated guide of the 2012 version that addresses the expanding threats to the water sector. The guide organizes several best practices into 15 categories, which water utilities can use to mitigate security risks in information and operational technology. Within this guide are links to technical resources, allowing users to further investigate issues as needed.

Additionally, the updated guide will be helpful for utilities in preparation of risk and resilience assessments required under AWIA. The 15 Fundamentals are also beneficial for informing emergency response plans that address mitigation and resilience options under AWIA.

The 15 Fundamentals:

  1. Perform Asset Inventories
  2. Assess Risks
  3. Minimize Control System Exposure
  4. Enforce User Access Controls
  5. Safeguard from Unauthorized Physical Access
  6. Install Independent Cyber-Physical Safety Systems
  7. Embrace Vulnerability Management
  8. Create a Cybersecurity Culture
  9. Develop and Enforce Cybersecurity Policies and Procedures
  10. Implement Threat Detection and Monitoring
  11. Plan for Incidents, Emergencies, and Disasters
  12. Tackle Insider Threats
  13. Secure the Supply Chain
  14. Address All Smart Devices (IoT, IIoT, Mobile, etc.)
  15. Participate in Information Sharing and Collaboration Communities