{"id":17214,"date":"2022-01-12T10:59:15","date_gmt":"2022-01-12T15:59:15","guid":{"rendered":"https:\/\/www.paawwa.org\/?p=17214"},"modified":"2022-01-12T10:59:15","modified_gmt":"2022-01-12T15:59:15","slug":"very-important-message-from-us-epa-be-proactive-about-cybersecurity-you-will-sleep-better-at-night","status":"publish","type":"post","link":"https:\/\/dev.linnflux.tech\/paawwa\/very-important-message-from-us-epa-be-proactive-about-cybersecurity-you-will-sleep-better-at-night\/","title":{"rendered":"Very Important Message from US EPA: Be Proactive about Cybersecurity \u2013 You will sleep better at night"},"content":{"rendered":"<p><strong>Be Proactive about Cybersecurity \u2013 You will sleep better at night<\/strong><\/p>\n<p>Many things will keep water suppliers up at night &#8212; supply chain issues, COVID illnesses of staff, family and friends, approaching severe weather and cybersecurity breaches. There are numerous resources to assist water suppliers with unraveling the complicated web of how someone can attack the IT of a water system.\u00a0 But the key is to begin to take steps now to protect our infrastructure and to continue to provide safe drinking water.<\/p>\n<p><strong>WHY:<\/strong> Water systems have been attacked and this will very likely happen again. It is important to minimize impacts in the event of a successful attack. 
Impacts to a utility may include, but are not limited to: interruption of treatment, distribution or conveyance processes from opening and closing valves, overriding alarms or disabling pumps or other equipment; theft of customers\u2019 personal data such as credit card information or Social Security numbers stored in on-line billing systems; loss of use of industrial control systems (e.g., SCADA system) for remote monitoring of automated treatment and distribution processes, encrypted data files and more.\u00a0 Any of these impacts can erode public confidence in water supply safety.<\/p>\n<p><strong>WHAT:<\/strong> According to IBM, cybersecurity is the\u00a0practice of protecting critical systems and sensitive information from digital attacks. Also known as information technology (IT) security,\u00a0<a href=\"https:\/\/www.ibm.com\/security\">cybersecurity<\/a>\u00a0measures are designed to combat threats against\u00a0<a href=\"https:\/\/www.ibm.com\/cloud\/learn\/networking-a-complete-guide\">networked systems<\/a>\u00a0and applications, whether those threats originate from inside or outside of an organization. 
\u00a0In 2020,\u00a0<a href=\"https:\/\/www.ibm.com\/security\/data-breach\">the average cost of a data breach was $3.86 million globally, and $8.64 million in the United States<\/a>.<\/p>\n<p><strong>WHO:<\/strong> All water utilities need to understand the problem and be proactive in addressing it.\u00a0 State primacy agencies need to address the status of cybersecurity programs during site visits such as sanitary surveys and share resources for improvements with water suppliers.\u00a0 EPA will develop guidance and conduct training for sanitary survey inspectors and water suppliers.\u00a0 It is anticipated that the Department of Homeland Security (DHS) will issue cybersecurity performance goals for critical infrastructure control systems.<\/p>\n<p><strong>WHEN:<\/strong> <em>NOW!<\/em>\u00a0 Don\u2019t be overwhelmed by the myriad of ways you could be attacked or the tremendous amount of resources that exist to assist you.\u00a0 \u201cJust do it,\u201d as Nike says.\u00a0 Think of Spring as the time to spring into action to protect your IT system.<\/p>\n<p>If you have completed your risk and resilience assessment (RRA) and have updated your emergency response plan (ERP) as required under the America\u2019s Water Infrastructure Act, but failed to include addressing cybersecurity events, do this now.\u00a0 The RRA should cover electronic, computer, or other automated systems and the security of such systems.\u00a0 An ERP should include strategies and resources to improve the resilience of the system, including physical security and cybersecurity of the water system. In addition, the ERP should include plans to address malevolent acts, which is what a cyber-attack is considered.<\/p>\n<p><strong>HOW:<\/strong> Here are some ideas to get you started but this is not an exhaustive list.<\/p>\n<p>Follow the recommendations in EPA\u2019s Cyber Incident Action Checklist to prepare for, respond to and recover from an attack. 
<a href=\"https:\/\/www.epa.gov\/sites\/default\/files\/2017-11\/documents\/171013-incidentactionchecklist-cybersecurity_form_508c.pdf\">https:\/\/www.epa.gov\/sites\/default\/files\/2017-11\/documents\/171013-incidentactionchecklist-cybersecurity_form_508c.pdf<\/a><\/p>\n<p>Develop a cybersecurity culture by training staff and establishing and enforcing policies.<\/p>\n<p>Be suspicious of emails.\u00a0 Curb your curiosity to open all emails and click on links.\u00a0 Don\u2019t trust anyone unless you know them and yet, you still need to be cautious and leery of anything that does not look or feel right.<\/p>\n<p>Require changing of passwords every 90 days and do not allow sharing of passwords.<\/p>\n<p>Use multi-factor authentication: what you have and what you know (similar to how most banks require you to log into your account by sending you a text with a code to your cell phone or email).<\/p>\n<p>Revoke\/inactivate credentials of former employees.<\/p>\n<p>Keep software up to date and install patches when available.<\/p>\n<p>Limit remote access and allow only for those with a verified operational need.<\/p>\n<p>Practice shifting to manual operations to be more familiar if or when the need arises.<\/p>\n<p>Back up data and store off-line, allowing for easier restoration if data is lost, stolen or encrypted.<\/p>\n<p>Keep servers in a secure room, lock the door and limit access.<\/p>\n<p>Keep billing IT separate from SCADA IT.<\/p>\n<p>Consider cybersecurity when undertaking other projects so it isn\u2019t an add-on or an after-thought.<\/p>\n<p>Sign up for a FREE, confidential, cybersecurity assessment and technical assistance offered by EPA\u2019s contractors at <a href=\"https:\/\/horsleywitten.com\/cybersecurityutilities\/\">https:\/\/horsleywitten.com\/cybersecurityutilities\/<\/a><\/p>\n<p><strong>WHERE:<\/strong>\u00a0 Numerous resources exist and advisories are shared by CISA, EPA, AWWA, WaterISAC to name a few. 
Many are free and without membership subscriptions. Sign up for these and stay on top of updating software.<\/p>\n<p>EPA: <a href=\"https:\/\/www.epa.gov\/waterriskassessment\/epa-cybersecurity-best-practices-water-sector\">https:\/\/www.epa.gov\/waterriskassessment\/epa-cybersecurity-best-practices-water-sector<\/a><\/p>\n<p>CISA Advisories: <a href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\">https:\/\/www.cisa.gov\/uscert\/ncas\/alerts<\/a>; subscribe at the link at the bottom of their page.<\/p>\n<p>WaterISAC: <a href=\"https:\/\/www.waterisac.org\/fundamentals\">https:\/\/www.waterisac.org\/fundamentals<\/a><\/p>\n<p>AWWA: <a href=\"https:\/\/www.awwa.org\/Resources-Tools\/Resource-Topics\/Risk-Resilience\/Cybersecurity-Guidance\">https:\/\/www.awwa.org\/Resources-Tools\/Resource-Topics\/Risk-Resilience\/Cybersecurity-Guidance<\/a><\/p>\n<p><strong>WHO<\/strong> (again): Consider reporting events to the WaterISAC, which compiles water sector incident information to share with the sector.\u00a0 This assists other water suppliers with knowing what events are occurring across the sector.\u00a0 Information is shared anonymously. 
<a href=\"https:\/\/www.waterisac.org\/report-incident\">https:\/\/www.waterisac.org\/report-incident<\/a><\/p>\n<p>Capture response assistance contacts, such as the Critical Infrastructure Security Agency (CISA) per the <a href=\"https:\/\/usepa-my.sharepoint.com\/personal\/wisniewski_patti-kay_epa_gov\/Documents\/Desktop\/Cyber%20Incident%20Reporting:%20A%20Unified%20Message%20for%20Reporting%20to%20the%20Federal%20Government\">Cyber Incident Reporting: A Unified Message for Reporting to the Federal Government<\/a>\u00a0(<a href=\"https:\/\/www.dhs.gov\/publication\/cyber-incident-reporting-unified-message-reporting-federal-government\">https:\/\/www.dhs.gov\/publication\/cyber-incident-reporting-unified-message-reporting-federal-government<\/a>) which explains when, what, and how to report a cyber incident to the federal government.\u00a0 Key contact information is:<\/p>\n<p><strong>Cybersecurity and Infrastructure Security Agency (CISA) <\/strong><a href=\"https:\/\/www.cisa.gov\/\">https:\/\/www.cisa.gov\/<\/a><\/p>\n<p>To report incidents, phishing, malware, or vulnerabilities:<\/p>\n<p>Online forms: \u00a0<a href=\"https:\/\/www.cisa.gov\/uscert\/report\">https:\/\/www.cisa.gov\/uscert\/report<\/a><\/p>\n<p>Email CISA Service Desk: \u00a0<a href=\"mailto:cisaservicedesk@cisa.dhs.gov\">cisaservicedesk@cisa.dhs.gov<\/a><\/p>\n<p>Phone: 888-282-0870<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Federal Bureau of Investigation (FBI)<\/strong><\/p>\n<p><a href=\"https:\/\/www.fbi.gov\">https:\/\/www.fbi.gov<\/a><\/p>\n<p>&nbsp;<\/p>\n<p>Finally, remember to capture your planned response and recovery actions in emergency response plans and Continuity of Operation Plans and exercise these plans at least annually.\u00a0 If an event has occurred be sure to conduct an after-action review, capture ideas for improvements in your plans and provide additional staff training.<\/p>\n<p>Taking steps now to further protect your water system will help you sleep at night.\u00a0 At least 
until the next storm is heading your way.<\/p>\n<p>By Patti Kay Wisniewski, Drinking Water Security\/Preparedness\/Resilience Coordinator<\/p>\n<p>USEPA Region 3<\/p>\n<p>If there are any questions, please contact Patti Kay Wisniewski, EPA Drinking Water Security, Preparedness and Resilience Coordinator, cell: 215-514-7893, <a href=\"mailto:Wisniewski.patti-kay@epa.gov\">Wisniewski.patti-kay@epa.gov<\/a> .<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Be Proactive about Cybersecurity \u2013 You will sleep better at night Many things will keep water suppliers up at night &#8212; supply chain issues, COVID illnesses of staff, family and friends, approaching severe weather and cybersecurity breaches. There are numerous resources to assist water suppliers with unraveling the complicated web of how someone can attack [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_links_to":"","_links_to_target":""},"categories":[6,14,7,5,11,10],"tags":[],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/dev.linnflux.tech\/paawwa\/wp-json\/wp\/v2\/posts\/17214"}],"collection":[{"href":"https:\/\/dev.linnflux.tech\/paawwa\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dev.linnflux.tech\/paawwa\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dev.linnflux.tech\/paawwa\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/dev.linnflux.tech\/paawwa\/wp-json\/wp\/v2\/comments?post=17214"}],"version-history":[{"count":1,"href":"https:\/\/dev.linnflux.tech\/paawwa\/wp-json\/wp\/v2\/posts\/17214\/revisions"}],"predecessor-version":[{"id":17215,"href":"https:\/\/dev.linnflux.tech\/paawwa\/wp-json\/wp\/v2\/posts\/17214\/revisions\/1
7215"}],"wp:attachment":[{"href":"https:\/\/dev.linnflux.tech\/paawwa\/wp-json\/wp\/v2\/media?parent=17214"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dev.linnflux.tech\/paawwa\/wp-json\/wp\/v2\/categories?post=17214"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dev.linnflux.tech\/paawwa\/wp-json\/wp\/v2\/tags?post=17214"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}