Cybersecurity and the AWIA
Agenda
• General Thoughts
• Assessment Principles
• Tools
• Final Thought
I’m glad water isn’t a target!
Energy Defense
Finance Healthcare
We’re not connected to the Internet…
Cybersecurity is not just an IT issue
IT
Security Operations
Assessment Principles
• Create an Assessment Team
  • Operations
  • Information Technology
  • Plant Management
  • Senior / Executive Management
• Determine the Scope
• Standards
• Due Diligence
Tools
• VSAT 2.0 (EPA)
• Cybersecurity Guidance and Tool (AWWA)
• Cybersecurity Evaluation Tool (DHS)
Answering the Questions
• Question & Answer
• Is there a documented process?
• Is process known / trained?
• Is process followed?
• Where is the evidence?
VSAT 2.0 (EPA)
• “A tool for assessing risk and resilience and drinking water and wastewater systems”
• Utility Overview
VSAT 2.0 (EPA)
• Utility Resilience Index
  • 12 Scoping Questions
VSAT 2.0 (EPA)
• Qualitative Risk Assessment
VSAT 2.0 (EPA)
• Quantitative Risk Assessment
VSAT 2.0 (EPA)
• Countermeasure Analysis
VSAT 2.0 (EPA)
• Pros
  • Full AWIA assessment in single interface
• Cons
  • Requires significant industry / functional knowledge
  • Personnel dependent – must be highly trained
  • Frustrating to use / very involved
Cybersecurity Guidance / Tool (AWWA)
• “Voluntary sector specific approach for implementing applicable cybersecurity controls and recommendations”
• Scoping – 22 Questions
Cybersecurity Guidance / Tool (AWWA)
• Controls Output
  • “Suggested Controls” – must input YOUR status
Cybersecurity Guidance / Tool (AWWA)
• Control Status Summary
Cybersecurity Guidance / Tool (AWWA)
• Improvement Projects
Cybersecurity Guidance / Tool (AWWA)
• Pros
  • Sector specific with good documentation
  • Easy to use / intuitive
  • Maps to applicable standards for further info
  • Walks through entire process (scoping – declaration template)
• Cons
  • Must be integrated with other functional categories to meet full AWIA requirements
CSET (DHS)
• “A desktop software tool that guides users through a step-by-step process to assess control system and IT network security practices against recognized industry standards”
CSET (DHS)
• Preparation
  • Standard demographic info
CSET (DHS)
• Assessment
CSET (DHS)
• Results
CSET (DHS)
• Pros
  • Consistent, repeatable, easy to use
  • Tailorable (Basic / Advanced)
  • Maps to applicable standards for further info
  • Good dashboard and reporting tools
• Cons
  • Not tailored to water industry
  • Requires cyber / IT expertise
  • Must be integrated with other functional categories to meet full AWIA requirements
Final Thought