Wednesday, October 5, 2022

Cybersecurity: Protecting your system = protecting public health


When our drinking water coaches present at conferences, schools, webinars, and on the road, the first item we all discuss is how we in the drinking water sector can work together to create a culture of health. There are many ways to create a shared culture. One of the first steps is to focus on the shared goal of our daily work: providing safe drinking water to the public. The basics of this shared goal are for water providers to follow the drinking water regulations and for the safe drinking water program to ensure that those regulations are being adhered to. As we know, regulations can sometimes lag behind current needs and the issues that arise in drinking water. So the question remains: how can we go above and beyond the regulations to protect public health?

In recent years, cyberattacks on critical infrastructure providers, including water providers, have been on the rise. Examples of recent attacks include cutting off operators from their SCADA controls, holding customer billing data for ransom, and attempting to alter chemical dosing rates to contaminate the drinking water supply. While the EPA does not currently have any cybersecurity rules for the division to adopt as regulations, we know this is a critical issue with the potential to affect systems of all sizes.

The Infrastructure Investment and Jobs Act (Public Law No. 117-58), also known as the Bipartisan Infrastructure Law (BIL), requires the U.S. Environmental Protection Agency (EPA), in coordination with the Cybersecurity and Infrastructure Security Agency (CISA), to develop a Technical Cybersecurity Support Plan. This plan was released on August 22, 2022, and documents the current and future steps the EPA will take to increase its cybersecurity assistance for drinking water systems. In addition to sharing this report with the drinking water community, the division would also like to share some resources and initial steps to help your system prepare for cyberattacks. Thank you for the work you do every day to protect your communities. We hope these resources help with your efforts!

Resources: 

10 Questions for a Cybersecurity Dialogue within your organization

Does your system …

  1. Keep an inventory of control system devices and ensure this equipment is not exposed to networks outside the utility? Never allow any machine on the control network to “talk” directly to a machine on the business network or on the Internet.
  2. Segregate networks and apply firewalls? Classify IT assets, data, and personnel into specific groups, and restrict access to these groups.
  3. Use secure remote access methods? A secure method, like a virtual private network, should be used if remote access is required.
  4. Establish roles to control access to different networks and log system users? Role-based controls will grant or deny access to network resources based on job functions.
  5. Require strong passwords and password management practices? Use strong passwords and have different passwords for different accounts.
  6. Stay aware of vulnerabilities and implement patches and updates when needed? Monitor for and apply IT system patches and updates.
  7. Enforce policies for the security of mobile devices? Limit the use of mobile devices on your networks and ensure devices are password protected.
  8. Have an employee cybersecurity training program? All employees should receive regular cybersecurity training.
  9. Involve utility executives in cybersecurity? Organizational leaders are often unaware of cybersecurity threats and needs.
  10. Monitor for network intrusions and have a plan in place to respond? Be capable of detecting a compromise quickly and executing an incident response plan.
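Questions 1, 2, and 10 can be checked together: if you have an inventory of control devices and a record of which hosts talk to which, you can spot a control device reaching the business network or the Internet, and a host on the control network that nobody inventoried. The Python script below is an added example, not part of the original post or any EPA/CISA tool; the device names, address ranges, and connection records are constructed sample values, and the assumption is that the utility's control network lives in one private range and its business network in another.

```python
import ipaddress

# Constructed sample inventory of control-system devices (names and addresses
# are made up for this example): hostname -> IP address.
CONTROL_DEVICES = {
    "plc-chlorine-dosing": "10.10.1.20",
    "hmi-filter-gallery": "10.10.1.35",
    "rtu-well-3": "10.10.2.7",
}

# Assumed address ranges: the control network and the business network.
# Anything outside both is treated as the Internet.
CONTROL_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]
BUSINESS_NETWORKS = [ipaddress.ip_network("192.168.0.0/16")]

# Constructed connection records, one per line: "source destination dst-port".
SAMPLE_FLOWS = """\
10.10.1.20 10.10.1.35 502
10.10.1.35 10.10.2.7 20000
10.10.1.20 192.168.50.14 445
10.10.2.7 203.0.113.10 443
10.10.3.99 10.10.1.20 502
"""


def zone_of(ip):
    """Classify an address as 'control', 'business', or 'internet'."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in CONTROL_NETWORKS):
        return "control"
    if any(addr in net for net in BUSINESS_NETWORKS):
        return "business"
    return "internet"


def audit_flows(flows, inventory):
    """Return (finding, src, dst, port) for every record where an inventoried
    control device talks outside the control zone (questions 1, 2) or an
    uninventoried host is seen inside the control zone (questions 1, 10)."""
    control_ips = set(inventory.values())
    findings = []
    for line in flows.strip().splitlines():
        src, dst, port = line.split()
        if src in control_ips and zone_of(dst) != "control":
            findings.append(("crosses-to-" + zone_of(dst), src, dst, int(port)))
        elif src not in control_ips and zone_of(src) == "control":
            findings.append(("uninventoried-control-host", src, dst, int(port)))
    return findings


if __name__ == "__main__":
    for finding, src, dst, port in audit_flows(SAMPLE_FLOWS, CONTROL_DEVICES):
        print(f"{finding}: {src} -> {dst}:{port}")
```

On the sample records it reports the chlorine dosing PLC reaching a business-network file-sharing port, the well RTU reaching an Internet address, and an unknown host on the control network talking Modbus to the PLC; the same logic works on exported firewall or flow logs once the inventory and ranges are filled in with your own values.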

Please contact us at cdphe.wqdwtraining@state.co.us if you have any questions about any of these areas or need assistance with making improvements to your cybersecurity measures. 

➽ Kyra Gregory, Drinking Water Training Specialist and CoWARN Administrator