The American Water Works Association (AWWA) has updated its Water Sector Cybersecurity Risk Management Guidance and assessment tool. The new resources are revisions to the National Institute of Standards and Technology (NIST) Cybersecurity Framework version 1.1 and requirements in Section 2013 of America’s Water Infrastructure Act (AWIA) of 2018.
The revised assessment tool provides a simplified user interface that generates a prioritized list of recommended controls based on responses to 22 use-case questions regarding the application of various technologies. The user does not provide any security-sensitive information, nor does AWWA retain any user information.
The guidance and assessment tool emphasize actionable recommendations, with the highest priority assigned to those that are expected to provide the greatest impact in the short term. The outputs from the assessment tool provide users with a clear approach for assessing the implementation status of applicable controls, considering needs for enhancements, and documenting progress.
National intelligence agencies report cybersecurity as the top threat facing critical infrastructure. AWIA requires all community water systems serving populations of 3,300 or more to conduct and certify completion of a risk and resilience assessment and an emergency response plan. The new requirement places emphasis on assessing cybersecurity risks to the following:
- Electronic, computer, or other automated systems (including the security of such systems) which are utilized by operator and administration personnel;
- The monitoring practices of the system (including network monitoring); and
- The financial infrastructure of the system (accounting and financial business systems operated by a utility, such as customer billing and payment systems).