New Hampshire Hosts Cyber Security Workshop for Water and Wastewater Utilities

Hats off to our New Hampshire Drinking Water Security Coordinator, Johnna McKenna, for coordinating a very successful cyber security workshop in June!    Approximately 40 drinking water, wastewater and IT personnel came together for a workshop on cyber security issues for drinking water and wastewater facilities.  The workshop was the first of its kind for NH’s water sector and provided attendees with a half day of presentations to introduce the topic of cyber security and the true threat that cyber intrusions represent.

Please read on for good information on tools and other resource opportunities that should also be available in your state…and consider whether your program could help coordinate a similar effort.

Cyber Overview and Background

Jennifer Harper, Co-Director of the NH Information and Analysis Center (NHIAC), began the workshop with a description of the NHIAC which is NH’s “fusion center”. The NHIAC provides an integrated, all-crimes, all-hazards information sharing network to collect, analyze and disseminate information derived from multiple sources to stakeholders in a timely manner in order to protect the citizens and the critical infrastructure of the state. The NHIAC’s focus is ‘situational awareness’ at such a level that preemptive action can be taken to prevent or mitigate an incident. NHIAC works to get the right information to the right people and organizations at the right time.

As NH’s PSA (Protective Security Adviser), Ron Peimer described the free assessments that he can provide to critical infrastructure. These assessments are a non-regulatory, on the ground security assessment at water and wastewater facilities. Ron has done several water sector assessments already across the state and has had success with assisting one NH water utility with obtaining grant funds to implement some of the gaps that were identified during their assessment. The assessment report is protected under the DHS Protected Critical Infrastructure Information (PCII) Program [] which means the results are for organizational use only and DHS does not share the results – they are protected from right-to-know and cannot be used in civil litigation.

The National Cyber Security Division (NCSD) coordinates DHS’ efforts to secure cyberspace and our nation’s cyber assets and networks. Critical infrastructures are dependent on information technology systems and computer networks for essential operations. Particular emphasis is placed on the reliability and resiliency of the systems that comprise and interconnect these infrastructures.

Practical Considerations

DHS has partnered with Carnegie Mellon University to create US-CERT, a coordination point for prevention, protection and response to cyber attacks across the Internet. Mike Leking (NCSD) and Matt Butkovic and Mike Rattigan of Carnegie Mellon provided an overview of cyber security and how real the threat is. It can happen to anyone, anywhere, anytime. Attacks are becoming more complex but easier to execute and hackers are always finding new ways to attack systems. One issue is that some facilities are using outdated control systems that no longer have IT support,  so they are not updated and therefore are more vulnerable to attack. Some of the first things facilities should do if they aren’t already are basic common sense items such as:

_ Stay informed – Maintain situational awareness, be aware of cyber alerts

_ Follow best practices – Maintain systems/applications (e.g. isolate SCADA system network from the office network)

_ Be consistent – Define policies & require standard products (e.g. no USB ports on plant computers)

_ Raise awareness – Require cyber security awareness training

_ Know your data – Classify & conduct risk assessments (e.g. CSET & CRR-see below)

_ Share – Communicate with others; report incidents

_ Be Prepared – Have a plan to responds to cyber incidents & exercise it

_Make sure to change default SCADA administrator password

Available Cyber Tools & Resources

DHS can provide several tools for the water sector. The Cyber Security Evaluation Program (CSEP) can conduct a no-cost, voluntary Cyber Resilience Review (CRR) to evaluate and enhance cyber security capacities and capabilities within all 18 Critical Infrastructure and Key Resources Sectors. The CRR seeks to understand cyber security management of services (and associated assets) critical for an organization’s mission by focusing on protection and practices within ten key domains that contribute to the overall cyber resilience of an organization. The goal of the CRR is to develop an understanding of an organization’s operational resilience and ability to manage cyber risk to its critical services and assets during normal operations and during times of operational stress and crises. The CRR is a one-day, on-site facilitation and interview of key cyber security personnel. The participants will receive a draft report within 45 days to review and provide feedback. DHS will subsequently issue a final CRR Report. CRR reports are also protected under the PCII program. One NH municipal wastewater facility had a CRR conducted by Mike Leking before the workshop so that they could share real, recent and local experiences with the group. The wastewater facility said that while it was a long day to commit to it the time together going through the process with IT personnel was beneficial. They had just received the report and plan to go through it. Then they will work with Mike to fine tune the final report and then move forward to determine which items the facility chooses to improve upon.  For facilities that may not want to or can’t commit to a CRR, they can use the Cyber Security Evaluation Tool (CSET) which is a free downloadable DHS product that assists organizations in protecting key national cyber assets. CSET is a desktop software tool that guides users through a step-by-step process to assess their cyber systems and network security practices against recognized industry standards. Mike Leking walked attendees through the CSET tool.

Handouts included NHIAC brochure, Office of Energy: 21 Steps to Improve Cyber Security of SCADA Networks, Everyday Machines Vulnerable Hacking-June 4th Washington Post article, DHS ICS-CERT Technical Information Paper: Cyber Intrusion Mitigation Strategies, WaterISAC Fact Sheet, and DHS Fact Sheets on CSEP, CRR, and CSET.

The workshop concluded with a brief discussion about the recent National Level Exercise in June which involved a cyber incident. Another NH municipal wastewater facility participated in the NLE along with NH Department of Environmental Services Drinking Water and Wastewater staff. The facility provided a brief overview of their experience and lessons learned which included practicing “SCADA free” days to ensure that all staff can operate the plant manually in case they ever needed to shut down all SCADA operations due to cyber attacks.  Information was provided regarding the WaterISAC and its importance as a tool to receive cyber threat updates and resources and encouraged systems to sign up during the free trial period.

Evaluation and Next Steps

Attendees were asked to evaluate the workshop.  Overall, most (84% that completed the survey) felt that the event and information shared was worth their time and the remaining 16% somewhat agreed with that.  Many attendees found the discussions to be informative, the subject to be eye opening and were interested in more detailed information on SCADA equipment and security basics. The New Hampshire Drinking Water program is hopeful that systems will take back the information and use some of the tools offered to begin to improve their cyber resiliency.


Comments are closed.