It looks like you are coming from United States, but the current site you have selected to visit is Belize. Do you want to change site?

Yes, please! No, keep me on the current site

Xylem logo
Enable high contrast mode
< View all Cybersecurity Resources

Water Technology Cybersecurity Information and Resources

Generally Accepted IT And Cybersecurity Best Practices

CISA's Cybersecurity Performance Goals (CPGs)

CISA (Cybersecurity and Infrastructure Security Agency) has provided a standard set of safeguards that all organizations involved in critical infrastructure should put into place, regardless of their size. These defensive actions significantly lower the possibility and effect of recognized threats and adversary tactics and are known as the Cybersecurity Performance Goals (CPGs). CISA’s CPGs are intended to significantly reduce threats to critical infrastructure operations and to their downstream customers. By implementing a small number of these crucial recommendations with high-impact security outcomes, these CPGs aim to assist small- and medium-sized businesses in launching their cybersecurity initiatives.

The CPGs aim to serve as:

  • An established collection of cybersecurity best practices that are widely applicable to all critical infrastructure and have a demonstrated ability to reduce risk
  • A standard by which operators of critical infrastructure may assess and advance their cybersecurity maturity
  • A mix of recommended procedures for owners of operational and information technology, including a ranked list of security procedures
  • Best practices distinguished from other control frameworks because they seek to manage risks to businesses and their communities
  • Additional CISA resources available here

EPA’s Technical Assistance Services for Communities (TASC) Program

The Technical Assistance Services for Communities (TASC) program of the EPA offers impartial support in comprehending the science, rules, and policies surrounding environmental concerns and EPA actions. TASC services are provided to communities free of charge and are decided upon based on the specifics of each project. This assistance helps the community collaborate effectively with the EPA to solve environmental challenges.

The TASC program helps communities by providing information on technical discoveries, responding to inquiries from the community, assisting them in comprehending complicated environmental concerns, and encouraging them to take an active role in promoting environmental protection and preserving healthy communities.

Additional EPA resources available here.

AWWA’s Cybersecurity Guidance

Federal law mandates that community water systems (or those who provide water systems support) that provide services to 3,300 people or more take cybersecurity risks into account when assessing risk and resilience and developing an emergency response plan. Although this may seem overwhelming, systems of all sizes can get assistance from AWWA.

AWWA has created crucial planning tools to get water utilities started on the path toward cyber resilience. They are intended to assist water infrastructure practitioners in determining the cyber threats to which their utility is exposed, in setting priorities, and in implementing a suitable and proactive cybersecurity plan.

  • AWWA’s Water Sector Cybersecurity Risk Management Guidance offers actionable, step-by-step instructions for safeguarding the water industry's process control systems against cyberattacks. By following this advice, the water industry can save time and get more thorough, precise, and useful recommendations from the Assessment Tool.
  • Their Assessment Tool asks utilities to assess how they are using different technologies via AWWA’s interactive application. The tool creates a personalized, ranked list of controls that are most suited for the technological applications used by the utility based on the responses it receives. This result can be used by utilities to assess how well-implemented important controls are in reducing cybersecurity risks. Access to the AWWA website requires a login.
  • AWWA’s Small Systems Guidance is a how-to manual for small rural utilities looking to enhance their cybersecurity procedures. It is targeted to water utilities serving under 10,000 people, and particularly those that serve populations under 3,300. 
    When combined, these materials offer a voluntary method for utilities to both satisfy the cybersecurity requirement of AWIA 2013 and implement relevant cyber controls from the NIST Cybersecurity Framework.
  • Additional AWWA resources available here.

SANS ICS Five Critical Controls: A Practical Framework for OT Cybersecurity

One major step toward improving cybersecurity in operational technology (OT) and industrial control systems (ICS) is the creation of the SANS ICS Five Critical Controls. Under the guidance of acclaimed SANS writers and educators Tim Conway and Robert M. Lee, the CEO and co-founder of Dragos, the SANS ICS Five Critical Controls methodology emerged from an exhaustive examination of all known ICS cyberattacks. The framework is a condensed, powerful collection of guidelines created especially for industrial settings' cyber incident prevention, detection, and reaction. These controls are also sufficiently adaptable to be customized to the requirements and risk profiles of any given firm.

The SANS ICS Five Critical Controls include the need to create or implement 1) ICS Incident Response Plan, 2) Defensible Architecture, 3) ICS Network Visibility and Monitoring, 4) Secure Remote Access, and 5) a Risk-based Vulnerability Management plan. Please click here for more details.

  • Additionally, NRWA (National Rural Water Association) has partnered with SANS to create some free training courses for the SANS Critical 5 that are available to all water utilities: nrwa.org/issues/cybersecurity/.
  • WaterISAC offers free threat intel, guidelines, information, alerts, etc. to the water community. Furthermore, if you meet certain criteria, you can get free WaterISAC membership through their partnership with NRWA: WaterISAC.

Dragos Free Resources

  • Community Defense Program (CDP): Underfunded US water utilities with less than $100 million in annual sales can use the Dragos Platform for free as part of the CDP, which lays the groundwork for developing each underfunded utility’s cybersecurity program and lowering their operational technology (OT) cyber risk. 
  • Neighborhood Keeper: Under Dragos' leadership, Neighborhood Keeper, in collaboration with the Department of Energy, provides the larger ICS community with access to ICS visibility and cyber threat analytics. Neighborhood Keeper is a community-wide visibility and collective defense solution that shares threat intelligence across industries and geographical areas at machine speed, resulting in a more effective industrial cyber protection. Participation strengthens each organization's defense capabilities beyond what they could accomplish independently.

 Benefits for Neighborhood Keeper Participants:

  • Data and information sharing that is anonymous and non-sensitive
  • Exchange response protocols and ICS insights
  • Learn about the ICS danger environment and improve everyone's perception of the overall threat
  • Once implemented, identify and keep an eye on supply chain cyber hazards
  • Allow members to communicate directly with partners

Additionally, Dragos offers OT-Cert, which is an Operational Technology – Cyber Emergency Readiness Team committed to filling the industrial infrastructure's OT resource need. Dragos OT-CERT offers free cybersecurity tools for the Industrial Control System (ICS) and OT community, with the goal of assisting asset owners and operators of industrial infrastructure. 

For the ICS/OT community, OT-CERT offers free resources that give members the knowledge and tools they need to develop an OT cybersecurity program, strengthen their security posture, and lower OT risks. Dragos's industry-leading Threat Intelligence team also works with suppliers to organize the remedy and public disclosure of newly found ICS/OT cybersecurity vulnerabilities. Via OT-CERT, vulnerabilities are made public. 

Organizations worldwide are eligible to join, and businesses of all sizes are encouraged to do so. Join the community and receive monthly access to new resources through the OT-CERT portal. 

Europol EC3 European Cybercrime Centre

EC3 provides Member States investigations with operational, strategic, analytical, and forensic support. EC3:

  • acts as the primary location for intelligence and criminal information
  • provides operational analysis, coordination, and experience to support Member States' activities and investigations
  • offers investigations and operations extremely specialized technological and digital forensic assistance skills
  • hosts and supports the Joint Cybercrime Action Taskforce's (J-CAT) anti-crime initiatives
  • facilitates the operational, technical, and strategic cooperation between law enforcement agencies (LEAs), other pertinent cyber communities, and EU institutions, bodies, and agencies (e.g. Eurojust, EEAS, ENISA, CERT-EU, Commission, Council, etc.); supports EU crisis management structures within the parameters of Europol's mandate
  • offers a range of strategic analysis products that facilitate well-informed decision-making about the prevention and defense against cybercrime
  • helps create and implement standardized awareness and prevention programs and activities in the areas designated for cybercrime
  • For more information on EC3's resources, contact them at https://www.europol.europa.eu/contact-us

ENISA’s Training and Exercises

In the fields of cybersecurity and crisis management, ENISA (European Union Agency for Cybersecurity) has a long history of conducting exercises and offering trainings.

Cyber Exercises: 

  • For the past 15 years, ENISA has been hosting regional, global, and EU-wide exercises. It has also created cyber exercise platforms that are open to stakeholders, enabling them to run their own exercises.
  • The training and teach-the-teacher initiatives offered by ENISA contribute to the development of technical and operational security competencies and resilience.
  • To evaluate the EU's vital IT security infrastructure and cross-border response coordination capabilities, ENISA conducts extensive, lifelike simulations. Cyber Europe, which brings together leading crisis and continuity experts from the public and corporate sectors, is the biggest of these exercises. 
  • This kind of stress testing is essential to ENISA's philosophy of educating new hires and upgrading the abilities of IT staff members who are already operating at an expert level. 

 

Xylem’s Water Industry Cybersecurity Services

Identifying vulnerabilities in your own systems can be difficult. A strong cybersecurity partner will challenge assumptions you have about your organization; they will test the systems, policies, and help train the people who run your water operations and will also help you build prioritized plans to modernize and protect yourself against attacks. Working with a partner that can provide the full spectrum of assessments will help to protect your operations and provide you with peace of mind. 

Xylem provides cybersecurity assessment services such as an architecture review, a vulnerability assessment, a maturity assessment and health checks for your digital systems. We also offer incident response with our partner, Dragos. Our cybersecurity and water industry specialization means that your organization will receive expert support, prioritized planning, and an extension of your team to protect against cybersecurity threats before they happen. 

This full-spectrum model provides a shared responsibility approach to help you manage any potential connectivity risks. Review our services or reach out to product.security@xylem.com for more information.