Earthquakes, terrorism, wildfires, debris flows, flooding, accidents, sabotage, tsunami, and cyber security are a few of the natural and man-caused incidents that water/wastewater agencies face during operations. The enhancement of security and the ability of water systems to prevent, prepare for, respond to, and recover from all-hazards is key to maintaining a reliable and critical infrastructure.
Water Security, Preparedness, and Emergency Response (WSPER) – The Division of Drinking Water (DDW) has homeland security staff and resources available to assist California’s water systems with security and emergency response issues.
General Water Security Checklist – DDW has created a general checklist of security issues that every water/wastewater system should consider and implement.
Guidelines for the Physical Security of Water Utilities (PDF) -These guidelines contain information that utilities should consider when developing specific security methods and specifications to individual facilities or assets. These guidelines and methods were developed in the best interest of ASCE, AWWA, and WEF, and follow best engineering practices at the time.
Guidelines for the Physical Security of Wastewater Utilities (PDF) – These guidelines contain information that utilities should consider when developing specific security methods and specifications to individual facilities or assets. These guidelines and methods were developed in the best interest of ASCE, AWWA, and WEF, and follow best engineering practices at the time.
Cal/OSHA Guidelines of Workplace Security and Violence Prevention – These Guidelines for Workplace Security are designed to provide information and guidance about workplace security issues to California employers and employees.
Cal/OSHA Model Program for Workplace Security and Violence Prevention – Every employer should perform an initial assessment to identify workplace security and violence issues. If the initial assessment determines that workers are at significant risk for workplace violence, then the employer should review the material presented in this Model Program.
Active Shooter – How to Respond – Booklet from the Department of Homeland Security. The best way to prepare your staff for an active shooter situation is to create an Emergency Action Plan (EAP) and conduct training exercises. Local law enforcement is an excellent resource in designing training exercises.
The 2018 America’s Water Infrastructure Act requires water systems serving more than 3,300 people to update, or develop, risk assessments and emergency response plans that take cybersecurity into account.
The American Water Works Association (AWWA) offers assessment tools that enable a water utility to evaluate its cyber security and identify the most important immediate steps for improvement. These are available at no cost on the AWWA website. AWWA’s Cybersecurity Guidance and Assessment Tool have been updated and revised to maintain alignment with the NIST Cybersecurity Framework and Section 2013 of America’s Water Infrastructure Act (AWIA) of 2018 .
WaterISAC, a nonprofit established in coordination with industry associations, research organizations and the EPA, is an all-threats security information source for the water and wastewater sector. Its free resource, “15 Cybersecurity Fundamentals for Water and Wastewater Utilities,” is complementary to the AWWA materials.
Federal resources are also available. In keeping with its role as the lead agency for cybersecurity in this sector, the U.S. EPA offers tools including a cybersecurity guide, an incident action checklist, and a vulnerability self-assessment tool.
Ransomware Guide – On September 30, 2020, a joint Ransomware Guide was released, which is a customer centered, one-stop resource with best practices and ways to prevent, protect and/or respond to a ransomware attack. CYBERSECURITY & INFRASTRUCTURE SECURITY AGENCY (CISA) is distributing this guide to inform and enhance network defense and reduce exposure to a ransomware attack:
This Ransomware Guide includes two resources:
Part 1: Ransomware Prevention Best Practices
Part 2: Ransomware Response Checklist
CISA offers several scanning and testing services to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors. These free cybersecurity tools are available to local governments and agencies: Cyber Hygiene Services | CISA
- Vulnerability Scanning: Evaluates external network presence by executing continuous scans of public, static IPs for accessible services and vulnerabilities. This service provides weekly vulnerability reports and ad-hoc alerts.
- Web Application Scanning: Evaluates known and discovered publicly-accessible websites for potential bugs and weak configuration to provide recommendations for mitigating web application security risks.
- Phishing Campaign Assessment: Provides an opportunity for determining the potential susceptibility of personnel to phishing attacks. This is a practical exercise intended to support and measure the effectiveness of security awareness training.
- Remote Penetration Test: Simulates the tactics and techniques of real-world adversaries to identify and validate exploitable pathways. This service is ideal for testing perimeter defenses, the security of externally-available applications, and the potential for exploitation of open source information.