Cyber Best Practices

Editor’s Note: Looking for a good reason to join the WaterISAC?  The information below reflects the type of work and quality of effort that goes into WaterISAC products, and it has practical, on-the-ground value for drinking water utilities of all sizes.

The WaterISAC has just published 10 Basic Cybersecurity Measures: Best Practices to Reduce Exploitable Weaknesses and Attacks, which provides recommended steps water and wastewater utilities can take to defend themselves in the cyber environment. Each recommended measure includes a description and links to corresponding technical resources.

The document is an updated version of the August 2012 10 Basic Cybersecurity Measures to Reduce Exploitable Weaknesses and Attacks guide. The updated document was developed in partnership with the U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the FBI, and the Information Technology (IT) ISAC. WaterISAC also acknowledges the Multi-State (MS) ISAC for its contributions to the document.

In reviewing cyber incident reports for 2014, ICS-CERT noted that if the affected entities had implemented the first three recommendations in the Best Practices Guide, they likely would have detected the issues, prevented the vulnerabilities, and averted the resulting impacts related to those incidents.

Please share this Guide with your water systems.  This information can be a critically useful tool in helping the drinking water community better defend itself against cyber attacks and intrusions.

EPA Hosting COOP Template Training for Labs Webinar

Our colleagues at EPA’s Water Laboratory Alliance (WLA) Team invite you and your drinking water and wastewater laboratory colleagues to join the upcoming WLA Continuity of Operations Plan (COOP) Template Training Webcast.

DATE:  July 7, 2015

TIME:   1:00-2:00PM (eastern)

REGISTER:  http://water.epa.gov/infrastructure/watersecurity/wla/training.cfm

The webcast will provide an overview of the COOP Template for Drinking Water and Wastewater Laboratories developed by EPA’s WLA Team and will also demonstrate how the COOP Template fillable form can be used by laboratories to develop a personalized COOP.  State drinking water programs should collaborate with state labs to make sure that their respective COOPs are aligned and harmonized for maximum efficiency.

The template helps create a plan that contains information to:

  • Establish policies and procedures to assure continuous performance of laboratory testing
  • Provide communication and direction to stakeholders
  • Minimize the loss of assets, resources, critical records and data
  • Reduce or mitigate disruptions to the laboratory’s operation
  • Effectively manage the immediate response to an emergency

Please share this announcement with your laboratory colleagues.

Questions?  Please contact Colin Johnson (johnson.colin@epa.gov) or the WLA Team at WLA@epa.gov.

NIST Releases Update of Industrial Control Systems Security Guide

The National Institute of Standards and Technology (NIST) has issued the second revision to its Guide to Industrial Control Systems (ICS) Security.   The revisions include new guidance on how to tailor traditional IT security controls to accommodate unique ICS performance, reliability and safety requirements, as well as updates to sections on threats and vulnerabilities, risk management, recommended practices, security architectures and security capabilities and tools.

A significant addition in this revision is a new ICS overlay offering tailored guidance on how to adapt and apply security controls and control enhancements.  Using the ICS overlay, utilities, chemical companies, food manufacturers, and other ICS users can adapt and refine these security controls to address their specialized security needs.

More specific information, and the Guide itself, are available from the following links:

 

DATE CHANGE – C3 Webinar

The date for the Critical Infrastructure Cyber Community C³ (pronounced “C Cubed”) Voluntary Program webinar to discuss cyber resources for State, Local, Tribal, and Territorial (SLTT) Governments has been changed to June 18.  Other details – time, access, and registration links – remain the same.  The original notice for this event appeared in Security Notes on May 28, 2015.

DATE:  June 18, 2015

TIME:   1:00-2:30PM (eastern)

DIAL:   1-888-790-2013/PIN 5376908

LINK:   https://share.dhs.gov/ccubedvp-webinar6/ (Enter as a Guest on the date of the event)

NOTE: You must register for this event.  If you have already registered, your access should still be good despite the date change.  If you would like to register (and have not done so earlier) please email your name and affiliation to CCubedVP@hq.dhs.gov by June 17, 2015.

More information on the C3 Voluntary Program can be found at: https://www.us-cert.gov/ccubedvp.

Two New Water & Power Resiliency Webinars

EPA’s Water Security Division is hosting two additional webinars on power resiliency at water utilities this summer:

U.S. EPA: Water & Power Resiliency Webinar – Power Assessments and Transfer Switches

DATE:  Wednesday, June 24

TIME:   1:00-2:00PM (eastern)

REGISTER:  http://epa-power-assessments-webinar.eventbrite.com

EPA will be hosting a webinar on power assessments and transfer switches for drinking water and wastewater utilities on June 24.  The webinar will feature a U.S. Army Corps of Engineers (USACE) speaker who will discuss the 249th Engineer Battalion (Prime Power) and its mission, the Emergency Power Facility Assessment Tool (EPFAT), and transfer switches.  Two representatives from water utilities will share their experiences in conducting power assessments and installing transfer switches.

 

U.S. EPA: Water & Power Resiliency Webinar – Best Practices

DATE:  Wednesday, July 29

TIME:   1:00-2:00PM (eastern)

REGISTER:  http://epa-best-practices-webinar.eventbrite.com

The best practices in power resiliency at drinking water and wastewater utilities webinar will take place on July 29.  This webinar will describe EPA’s efforts to increase power resiliency at water utilities, including its interactive Best Practices Guide, which will be released in summer 2015.  A water utility speaker will then describe local efforts to increase power resiliency.

NOTE:  There is no cost to participate in these events; however, you must register separately for each of these two webinars.

Water Quality Surveillance and Response System Primer

EPA’s Water Security Division has published a new Water Quality Surveillance and Response System Primer.  Referred to as SRS (Surveillance and Response System), this process “…provides a systematic framework for enhancing distribution system monitoring activities and using the collected information to better manage the system.”

One application of an SRS is monitoring for natural, accidental or intentional contamination incidents, such as:

  • Source water contamination, including chemical spills and algal blooms
  • Backflow through service connections, hydrants and other access points
  • Contamination at storage tanks and reservoirs
  • Cross-connections with non-potable water, and
  • Infiltration of contaminated water into the distribution system during low pressure events

An SRS also provides substantial benefit to routine operations and water quality management. The real-time data generated by an SRS provide a means of identifying emerging water quality incidents, such as low chlorine residual levels, nitrification, rusty water, and taste and odor episodes. Early identification of these incidents can provide sufficient time to respond and implement corrective action.

Typically, an SRS can be grouped into two operational phases, surveillance and response.  The surveillance components are designed to provide timely detection of water quality incidents in drinking water distribution systems and include:

  • Online Water Quality Monitoring
  • Enhanced Security Monitoring
  • Customer Complaint Surveillance, and
  • Public Health Surveillance.

The response components include Consequence Management and Sampling & Analysis, which support timely response actions that minimize the consequences of a contamination incident.

To learn more about SRS and to download a copy of the Primer, please visit the Water Security Division’s webpage at http://water.epa.gov/infrastructure/watersecurity/lawsregs/upload/epa817b15002.pdf

Climate Ready Water Utility Workshops in June and July

Over the next several weeks, EPA is offering two-day coastal resilience trainings for water sector utilities and technical assistance providers in Florida, Alabama, and New York.  States are also invited to participate, as space allows.

DATES/LOCATIONS

  • June 16-17 – Boca Raton, FL
  • June 25-26 – Mobile, AL
  • July 21-22 – West Babylon, NY

REGISTER:  Click this link Register for a workshop

These two-day training events will focus on how drinking water, wastewater, and stormwater utilities can understand and adapt to impacts from coastal storm events and related threats using two EPA tools:

  • Climate Resilience Evaluation and Awareness Tool (CREAT) and
  • Storm Surge Inundation and Hurricane Strike Frequency Map.

 

NOAA Offers Extreme Weather Grants for Coastal Communities and Ecosystems

The National Oceanic and Atmospheric Administration (NOAA) is making $5 million in funding available through its FY 15 Regional Coastal Resilience Program to build the resilience of coastal regions, communities, and economic sectors to the negative impacts from extreme weather events, climate hazards, and changing ocean conditions; and, separately, grants up to $4 million through its National Marine Fisheries Service to strengthen the resilience of marine and coastal ecosystems to decrease the vulnerability of marine communities to extreme weather.

The Regional Coastal Resilience Grants program expects to award funds to support activities that:

  • identify and address priority data, information, and capacity gaps;
  • develop tools to inform sound, science-based decisions;
  • acquire and integrate socioeconomic information with physical and biological information to improve the assessment of risk and vulnerability for planning and decision making;
  • understand how hazards and changing ocean conditions affect coastal economies;
  • improve risk communication, and the necessary tools, technical assistance and training tailored toward enhanced resilience to weather events, climate hazards, and changing ocean conditions; and
  • support the development of sustainable recovery, redevelopment, and adaptation plans and implement programs and projects that incentivize rebuilding and development approaches which reduce risk and increase resilience.

The Regional Coastal Resilience Grants program is open to state, local, and tribal governments as well as nonprofit organizations and regional consortia.  Awards range between $500,000 and $1 million.  Applications are due July 24.  Visit http://coast.noaa.gov/data/docs/funding/ffo-resilience-2015.pdf for more detailed information.

The Coastal Ecosystem Resilience Grants program is designed to support activities that promote comprehensive planning efforts that address ecosystem resiliency, seek to minimize risks associated with extreme weather events, and provide for adaptation to known or potential climate change impacts, such as sea level rise.  It also is designed to support sustainable fisheries and contribute to the recovery of protected resources.

Awards under this program are expected to range from $500,000 to $1 million with a 2:1 Federal-non-Federal cost share ratio.  Eligible parties for the Coastal Ecosystem Resiliency Grants Program include State, local, and tribal governments as well as select 501(c)(3) nonprofit organizations.  Applications are due by July 2.  Visit http://www.grants.gov/web/grants/view-opportunity.html?oppId=276660 for more information about this grant opportunity.

Global Climate Group Wants Your Ideas

The US Global Change Research Program (USGCRP) is seeking ideas from the public about:

  • what scientific information on climate change, impacts, and responses would be most valuable for future assessment activities;
  • how to more effectively communicate assessment findings; and
  • how the National Climate Assessment (NCA) can better connect with other assessment efforts, such as those at the regional, state, tribal, and local levels.

If you have a research need that you’d like to see in the next NCA, this is your opportunity to request it! Here is the link for more information: http://www.globalchange.gov/news/seeking-public-input-sustained-national-climate-assessment

Responses to these questions will be accepted until June 15, 2015.

FEMA Issues 2015 National Preparedness Report

On May 28, FEMA released the 2015 National Preparedness Report (NPR). The NPR is an annual status report summarizing the Nation’s progress toward reaching the 2011 National Preparedness Goal of a secure and resilient nation. The 2015 NPR places particular emphasis on highlighting preparedness progress in implementing the National Planning Frameworks. The Frameworks describe how the whole community works together to achieve the Goal.

The 2015 report identifies 43 key findings across the Prevention, Protection, Mitigation, Response, and Recovery mission areas, in addition to six key overarching findings listed below:

  • Recent events, including the epidemic of Ebola virus disease, have highlighted challenges with coordinating the response to and recovery from complex incidents that do not receive Stafford Act declarations.
  • Businesses and public-private partnerships are increasingly incorporating emergency preparedness into technology platforms, such as Internet and social media tools and services.
  • Environmental Response/Health and Safety, Intelligence and Information Sharing, and Operational Coordination are additional core capabilities to sustain, which are capabilities in which the Nation has developed acceptable levels of performance for critical tasks, but which face potential performance declines if not maintained and updated to address new challenges.
  • Cybersecurity, Housing, Infrastructure Systems, and Long-term Vulnerability Reduction remained national areas for improvement, and Economic Recovery re-emerged as an area for improvement from 2012 and 2013. Access Control and Identity Verification is a newly identified national area for improvement.
  • Perspectives from states and territories on their current levels of preparedness were similar to previous years. All 10 core capabilities with the highest self-assessment results in 2012 and 2013 remained in the top-10 for 2014; Cybersecurity continues to be the lowest-rated core capability in state and territory self-assessments.
  • While Federal departments and agencies individually assess progress for corrective actions identified during national-level exercises and real-world incidents, challenges remain to comprehensively assess corrective actions with broad implications across the Federal Government.

The National Preparedness Report presents a national perspective, highlighting the contributions to preparedness made by the whole community—namely, Federal, state, local, tribal, and territorial governments, the private and nonprofit sectors, faith-based organizations, communities, and individuals. The report also integrates data from the annual Threat and Hazard Identification and Risk Assessment process and State Preparedness Reports from the 56 states and territories.

For a copy of the full report go to:  https://www.fema.gov/national-preparedness-report