WaterISAC Monthly Update: July 2024

Reports

Part 2 of New 12 Cybersecurity Fundamentals for Water and Wastewater Utilities

In late June, WaterISAC unveiled the second set of three of its newly updated 12 Cybersecurity Fundamentals for Water and Wastewater Utilities. It also discussed the latest Fundamentals with members during the June 26, 2024 Cyber Resilience Briefing (access the recording and presentation at WaterISAC).

These three refreshed fundamentals are now publicly available on the WaterISAC website.

• 4 | Implement System Monitoring for Threat Detection and Alerting

• 5 | Account for Critical Assets

• 6 | Enforce Access Control

What's new?

• Fundamentals 4-6 cover the topics of Implementing System Monitoring for Threat Detection and Alerting, Accounting for Critical Assets, and the importance of Enforcing Access Controls

• We've added more mappings (13) from CISA's Cross-Sector Cybersecurity Performance Goals (CPGs) and references to The Five ICS Cybersecurity Critical Controls.

• A new sector-specific resource was highlighted - Protecting Critical Water Systems with the Five ICS Cybersecurity Critical Controls by Dean Parsons.

• We've also continued incorporating a Small Systems Guidance section.

• There's even a few more "eye candy" elements/callouts for greater emphasis.

The last iteration of the Fundamentals was published just under five years ago, in 2019. WaterISAC is excited to continue bringing this refresh to its members as part of a concerted effort to provide the water and wastewater systems sector with the most up-to-date guidance.

Important Notes

The 2019 version of WaterISAC's 15 Cybersecurity Fundamentals for Water and Wastewater Utilities will remain on the website until the end of the year, so there will be a full set available until all 12 refreshed ones have been released.

Additionally, WaterISAC encourages utilities to share the Fundamentals with other utilities and partners. As with the previous version, the updated Fundamentals will remain publicly accessible - FREE - for any utility and other sector stakeholder to access and use.

Quarterly Water Sector Incident Summary, January to March 2024

The Quarterly Water Sector Incident Summary for Q2 2024 presents information on incidents and suspicious activities at sector utilities between January 1 and March 31, 2024. The information on incidents and suspicious activities is derived from a variety of sources, including WaterISAC members who provided inputs via a survey and incident reports. A total of 150 organizations participated in the survey; respondents were from 19 U.S. states and a U.S. territory. The report also includes incident information from open sources and intelligence and analytical documents from federal, state, and local governments and law enforcement agencies, and other information sharing and analysis centers.

The events presented in this document should not be considered a comprehensive data set of all incidents and suspicious activities that occurred in the water and wastewater sector. However, they do provide insights into the types of incidents occurring at sector assets.

Opportunities

Quarterly Incident Survey, April to June 2024

In support of its mission to identify threats to the water and wastewater sector, WaterISAC is asking utilities to respond to its survey asking about physical and cyber incidents and suspicious activities they've experienced in the past quarter, from April 1 to June 30, 2024. WaterISAC will aggregate, make confidential, and share with members the information collected from the survey in its next Quarterly Water Sector Incident Summary report. The response deadline is Friday, July 26, 2024.

WaterISAC's surveys of incidents and suspicious activities occurring at water and wastewater facilities are an important tool in the industry's efforts to protect itself. Completing the survey can take as little as a few minutes, and your time investment represents a valuable contribution to this vital industry effort. Plus, you will receive a copy of the completed report.

If you have no incidents to report, please complete the survey anyway. Simply indicate that you experienced no incidents. Additionally, participants have the option to skip incidents that are not applicable given their role (e.g., they work in cybersecurity and are not responsible for tracking physical security incidents). Still, WaterISAC encourages participants to obtain incident information from others in their organization if possible.

Take the Survey.

Upcoming Events

Water Sector Natural Disaster Threat Briefing - Don't Get Burned! Build Your Utility's Resilience to Extreme Heat

Wednesday, August 14 at 2 pm ET

On August 14 at 2 pm ET, WaterISAC will convene the next event in its quarterly Water Sector Natural Disaster Threat Briefings, this time focusing on extreme heat and what utilities can do to protect and mitigate their facilities and personnel from these events. WaterISAC will be joined by speakers from the Salt River Project (SRP), a water and electric utility that serves central Arizona, and the National Weather Service's (NWS's) Phoenix office, which is collocated and operates closely with SRP. When it comes to extreme heat, this group really knows what it's talking about, so don't miss this special opportunity to learn about what your utility can do to build resilience to these events.

NWS Warning Coordination Meteorologist Tom Frieders will begin the briefing by providing a background on extreme heat and describing experiences in Arizona, which include Phoenix having a record-setting 55 days of 110 degrees Fahrenheit or higher in 2023 and trends for the summer of 2024 so far. He will also provide information on how climate change has impacted local temperature trends, how they work with SRP and their other partners to help them prepare for and respond to adverse weather, and then finish with the weather outlook for the remainder of the summer. Next, SRP Director of Risk Management Sara McCoy, and Director of Hydro Generation Ivan Insua, will share a utility viewpoint on the practices and realities of operating in extreme heat, including impacts to workers and to the equipment. Some of the measures and tools they have implemented include a corporate heat stress program, weatherization procedures, and hand-held heat stress meters.

Additionally, WaterISAC staff will identify other resources water and wastewater utilities should be aware of to assist with protection, mitigation, and response. These include sources of extreme heat forecasts and monitoring, checklists and guides to help prepare utilities and personnel, and partners to connect with.

Register via WaterISAC or directly at Zoom.

Contacting WaterISAC

If there are any questions about the events, reports, and opportunities covered above or anything else related to WaterISAC, please reach out to its staff at: [email protected] or 1-866-H2O-ISAC (1-866-426-4722).

Public link

Please use the above public link if you want to share this noodl on another website.