The Cyber Security Infrastructure and Assurance Agency (CISA) recently posted an updated alert on how water utilities can protect themselves from cyber attacks. The alert, called Securing Water Systems, is based on a new fact sheet from both the Environmental Protection Agency (EPA) and the Federal Bureau of Investigation (FBI).
Changes in Cyber Security Requirements for Water Systems
Under the previous EPA ruling, cyber assessments were going to be part of regular Sanitary Surveys. Although the Biden Administration withdrew the new 2023 cyber requirements for public water system (PWS) entities, cyber security is still a top concern. It is not clear how or if these new guidelines will be enforced, but the idea is that public water systems need to be more proactive in implementing cyber controls.
Streamlining EPA Water Cyber Compliance
The ComplianceShield platform helps streamline the entire process for Water and Wastewater Systems (WWS) Sector utilities to address all of the new cyber requirements. Implied in these requirements is the development and maintenance of an Information Security Management System (ISMS) that enables organizations to create, document and address key Cyber Security Controls. Table 1 illustrates how the various cyber requirements map to key Information Shield features.
Table 1: Water Utility Cyber Requirement Summary
| EPA Cyber Security Requirement | Information Shield Solution |
| --- | --- |
| Conduct Regular Cybersecurity Assessments | Risk Assessment Wizard with built-in asset and threat libraries. Supporting Risk Assessment policies and procedures. |
| Create an IT Asset Inventory | IT Asset Wizard to build and maintain an IT Asset Inventory. Supporting Asset Management Policy library. |
| Change Default Passwords Immediately | Template security policies for Access Control and Password management. |
| Develop and Exercise Cybersecurity Incident Response and Recovery Plans | Built-in Incident Management functions, supported by Incident Response Policies and Procedures. |
| Backup OT/IT Systems | Full library of backup and recovery policies, including development of Disaster Recovery Plans. |
| Reduce Exposure to Vulnerabilities | Vulnerability Management policies and procedures, including tracking of action items. |
| Conduct Cybersecurity Awareness Training | Built-in Security Awareness and Training Library with automation to allow employees to take and record training. |
| Reduce Exposure to the Public-Facing Internet | Built-in Network Security Management policy and matching controls for network security, including DDoS protection. |
Developing and Maintaining Cyber Security Policies
In addition to these key functions, ComplianceShield contains a complete security policy template library covering all key areas of cyber security for water utilities. Customers can explore the platform risk-free with a 14-day trial.