Welcome to the AWWA Water Sector Cybersecurity Risk Management Tool

The AWWA Water Sector Cybersecurity Risk Management Tool is designed to support utilities in developing their cybersecurity risk management strategy while also facilitating compliance with the cybersecurity provisions in §2013 of America’s Water Infrastructure Act (AWIA) of 2018. The risk and resilience assessment must consider malevolent and natural hazards that may impact critical assets, including the following that may be vulnerable to cyber threats:

• electronic, computer, or other automated systems;
• the monitoring practices of the system; and,
• the financial infrastructure of the system.

The emergency response plan provisions of AWIA requires a utility to address the following:

• strategies and resources to improve the resilience of the system, including the physical security and cybersecurity of the system;
• plans and procedures that can be implemented, and identification of equipment that can be utilized, in the event of a malevolent act or natural hazard that threatens the ability of the community water system to deliver safe drinking water;
• actions, procedures, and equipment which can obviate or significantly lessen the impact of a malevolent act or natural hazard on the public health and the safety and supply of drinking water provided to communities and individuals, including the development of alternative source water options, relocation of water intakes, and construction of flood protection barriers; and
• strategies that can be used to aid in the detection of malevolent acts or natural hazards that threaten the security or resilience of the system.

Utility Staff Engagement

Often, utility staff responsible for AWIA §2013 compliance are not cybersecurity technologists or those responsible for the secure and reliable operation of either the Process Control System (PCS) or enterprise systems. Therefore, it is recommended that a utility convene internal and external support staff, including, but not limited to:

• Utility staff responsible for AWIA §2013 compliance.
• Utility staff responsible for and knowledgeable in the design, operation, and maintenance of the utility’s PCS and enterprise systems (information technology).
• Utility leadership responsible for overall operation of the utility.
• Utility staff with the authority to make risk management decisions.
• External support staff including technology vendors, engineering firms, etc., as appropriate.

This approach will improve the quality and timeliness of data collection. In addition, it is expected to reduce the overall time required to complete compliance actions while advancing the organizations cybersecurity risk management program/strategy.

Preparing to Use the Tool

It is recommended that users review the summary of the tool questions in Appendix C of AWWA Waster Sector Cybersecurity Risk Management Guidance document. This will allow the user to prepare appropriate responses directly or based on feedback from others, as needed. Once a user begins answering questions within the tool, they must complete the session since no input data is retained by AWWA. The only record of the session is in the output report generated and sent to the user.

Definitions:
"Black box" solution – "Black box" refers to piece of equipment on a network with contents and/or function that are unknown to the user/owner/operator.

CIE - Cyber-Informed Engineering

Enterprise systems – Information technology systems that support business processes.

Financial Infrastructure - the accounting and financial business systems operated by a utility, such as customer billing and payment systems that may be vulnerable to cybersecurity threats.

HIPAA – Health Information Portability and Accountability Act

LAN – Local Area Network. Communications network generally limited to a small area such as a single building or plant.

Licensed wireless spectrum – Frequencies or frequency bands designated by the Federal Communications Commission (FCC) as reserved for organizations with licenses.

Mobile Devices - Any laptop smartphone, tablet or other device able to connect to a network. Including managed devices and unmanaged devices.

Monitoring practices of the system - any systems that the utility uses to monitor operations such as water quality, security surveillance systems, access control systems, cyber security systems, energy management systems, or others.

Network Administration – A group of network management activities that provide support services to network users, ensure that the network is used efficiently and securely, and ensure the network meets the needs of the users.

NSF – National Science Foundation

PCI-DSS – Payment Card Industry - Data Security Standard

PCS – Process Control Systems. Process controls systems refers to any automated monitoring or control, including vendor packaged solutions and the communication networks used by these systems. In some cases the PCS is referred to as the "SCADA system" or the production environment.

PII – Personally Identifiable Information

Remote access – The ability to access a computer or a network remotely through a network connection. Remote access enables users to access the systems they need when they are not physically able to connect directly. Users may access systems remotely by using a VPN, telecommunications, or internet connection.

Third-Party – Any consultant, vendor, manufacturer or independent contractor who renders services to the utility.

Unlicensed wireless spectrum – Unlicensed wireless devices operate in one of the frequency bands set aside by the Federal Communications Commission (FCC) for industrial, scientific or medical (ISM) applications. Frequencies within the unlicensed wireless spectrum are free to use.

Vendor panel solution - Vendor panel refers to a control panel provided by a vendor to monitor or operate a treatment or distribution process. For example: a vendor provided ultrafiltration unit would have an accompanying control panel to control the ultrafiltration process.

Virtualization Technology – Technology capable of creating a virtual (rather than actual) version of something, including virtual computer hardware platforms, storage devices, and computer network resources.

WAN – Wide Area Network. Communications network that generally extends over a large geographic area such as communications between two facilities.

Wi-Fi – Wi-Fi is technology for radio wireless local area networking of devices based on the IEEE 802.11 standards.

Wireless access point – A networking hardware device that allows other Wi-Fi enabled devices (e.g. a smart phone) to connect to a wired network.

Thank you for using the AWWA Cybersecurity Tool. Based on the inputs you provided, the tool has generated a list of recommended cybersecurity controls that represent measures the utility should consider to protect their Process Control System against cyber-attack. The controls have been assigned to four levels of priority based on the user’s specific environment as defined by the use cases selected.

• Priority 1 Controls – These controls represent the minimum level of acceptable security for PCS and enterprise systems. If not already in place, these controls should be implemented immediately. In some cases, they could be considered quick wins that provide solid risk reduction without major procedural, architectural, or technical changes to an environment. Alternatively, a control may provide substantial and immediate risk reduction against common attacks. Generally, these will be cyber-hygiene measures. Utilities with many Priority 1 controls to implement will likely be reactive to any cyber-attack.
• Priority 2 Controls – These controls build on those in the Priority 1 category. Despite being Priority 2, these controls have the potential to provide a significant and immediate increase in the security of the organization. Generally, these will be more sophisticated cyber-hygiene measures to improve the process, architecture, and technical capabilities of the utility. These improvements include capabilities such as monitoring of networks and computer systems to detect attack attempts, locate points of entry, identify already-compromised machines, interrupt infiltrated attackers' activities, and gain information about the sources of an attack.
• Priority 3 Controls – These controls improve information security configuration and hygiene to reduce the number and magnitude of security vulnerabilities and improve the operations of networked computer systems, with a focus on protecting against poor security practices by system administrators and end-users that could give an attacker an advantage. These controls lay the foundation for sustained implementation of a managed security system. These controls include more sophisticated longer-term approaches to managing cyber-risk including CIE and cyber supply chain risk management.
• Priority 4 Controls – These controls are more complex and provide proactive protection against more sophisticated attacks. These include new technologies, policies, and methods that provide maximum security but are more complex and potentially more expensive than commoditized security solutions.

As a reminder, the AWWA Cybersecurity Tool does not make any attempt to assess which recommended controls the utility may already have in place. To make effective use of the tool outputs, it is recommended that a utility use the Microsoft Excel output file to evaluate the implementation status of each recommended control.

The AWWA Cybersecurity Tool does not provide specific information on how a recommended control should be implemented. However, the Microsoft Excel output file provides details to support the planning and implementation of controls.

Implementing cybersecurity controls requires in-depth knowledge of the affected Process Control System and/or the enterprise system, and the approach must be customized to those specific conditions. Before implementing any cybersecurity related controls which directly affect a Process Control System and/or an enterprise system, a utility should develop a comprehensive plan which details the specific actions to be taken along with an expected timetable for implementation. It is important that the project team include resources with the necessary technical skills and system knowledge. The risks associated with implementation of cybersecurity controls should also be fully understood and appreciated by operations and management, and contingency plans should be put in place to address any unintended consequences.

By clicking on the "Generate Excel Report" button, your browser will automatically generate a report in Microsoft Excel format. The report will be automatically downloaded to your default "Downloads" file location. Depending on the browser and version you are using these files will either appear at the bottom of the browser window or you will need to find them in your default "Downloads" file location. Generating this report does not complete the assessment or meet the intent of the America's Water Infrastructure Act Risk and Resilience Assessment or Emergency Response Plan compliance requirements. To complete your America's Water Infrastructure Act-compliant Risk and Resilience Assessment and Emergency Response Plan, please open the Excel file and follow the instructions beginning on the first tab. Please refer to the AWWA Water Sector Cybersecurity Risk Management Guidance document for additional details.