Photo courtesy American Water Works Association

Nearly 150 AWWA utility members are piloting a new training program to guard against cybersecurity threats amid growing worldwide concerns that hackers are targeting critical infrastructure, including water utility operations.

The in-person training workshop demonstrates how to use AWWA’s cybersecurity use-case tool, which recommends ways utilities can close possible cybersecurity gaps in their systems. The pilot ends in September. Beginning Nov. 1, the training will be available to other interested utilities through AWWA Section-led workshops.

The Virginia Section was the first of four Sections to pilot the four-hour workshop, which was developed through a contract AWWA received from the U.S. Department of Homeland Security.

“The tool was very well received,” said Geneva Hudgins, executive manager of AWWA’s Virginia Section, who has an information technology background. “Someone with some basic concepts of IT infrastructure can pick it up quite easily and be able to evaluate their network and determine their risks.”

AWWA’s Cybersecurity Guidance and Use-Case Tool is a free, sector-specific resource that provides a prioritized list of recommended controls based on characteristics of the individual utility. The operator selects use cases that most closely match the organization’s profile. Based on the selection, controls are recommended along with standards that describe how to implement them.

The tool was developed by the Water Utility Council in 2014 and updated last year. It has been endorsed by the U.S. Environmental Protection Agency and DHS as the water sector-specific approach for voluntary application of the Cybersecurity Framework prepared by the National Institute of Standards and Technology.

The new workshop is meant to increase awareness of cyber risks to water utility operations and encourage more widespread use of the tool.

Biggest threat

Cybersecurity is the biggest threat facing business and critical infrastructure in the United States, according to the Federal Bureau of Investigation and the DHS. Just last year, the information system of the Lansing Board of Water & Light in Michigan was paralyzed for an entire week after an employee mistakenly opened a malicious attachment. The utility paid a $25,000 ransom to unlock its communications system and spent more than $2.4 million on technology upgrades to prevent future attacks.

While the Lansing attack targeted the utility’s traditional IT enterprise functions – payroll, billing, etc. – utility operation systems are also vulnerable to attack. The AWWA tool is focused on process control systems, but the principles also apply to overall enterprise cyber risk management.

The tool and workshop are a sector-level response to the growing frequency of cyber attacks that threaten all forms of critical infrastructure.

This week, The Telegraph of London reported that hackers may have compromised Britain’s energy grid. The Times of London also ran a story that hackers backed by the Russian government have attacked energy networks running the national grid in Ireland. In addition, a report by Britain’s Government Communications Headquarters says that since June 8 the agency has become aware of “online infrastructure” associated with threats to the UK’s critical infrastructure networks in the water, energy, and manufacturing sectors.

“If they are doing it there, it’s not a leap of faith to believe it’s happening here as well,” said Dr. Kevin Morley, AWWA’s manager of federal relations and lead on homeland security matters. “No amount of controls or preparation can make you entirely immune, but you can manage the risk by implementing basic best practices under various use conditions.”

The tool facilitates discussions between operations, IT, management, SCADA, and other utility staff members, Morley said. It allows utilities to understand cybersecurity needs based on use cases from five categories: networks, network management and support systems, program access, PLC programming and maintenance, and user access.

It enables utility managers to easily assess critical components of their operations and determine what additional controls are most appropriate.

“Management of cybersecurity issues needs to be part of the utility’s overall risk management paradigm,” Morley said. “It’s just as important as managing the physical assets – your treatment plant, pipes, and source water. This is the virtual dimension of the multi-barrier approach.”

Sections hosting workshops

The pilot workshops are being conducted by the Virginia, Texas, Rocky Mountain and Pacific Northwest Sections of AWWA and taught by instructors from EMA Inc. and West Yost, which helped develop the workshop content.

All of the pilot program participants attend for free, but the Sections may charge for the workshops after the pilot ends. More information will be available soon on Section-led workshops.

“We are making this content free for the Sections. After the pilot ends, all the Sections need to do is find a qualified instructor and they work with us to vet that instructor,” said Chad Weikel, AWWA’s education and workforce manager, who managed the workshop development with assistance from Stacy Naus, AWWA education and development specialist.

To date, about 50 utilities have piloted the tool and another 90 are scheduled to do so by the end of September, Weikel said. Participant feedback will be used to refine the final workshop materials.

In addition to the workshop, the Association is developing webinars and an eLearning course for those unable to attend a workshop.

“Cybersecurity is a really important national security issue,” Weikel said. “AWWA wants to get this tool out in front of as many eyes as possible and aid in mitigating the cyber risks facing the water sector.”

For more information on the workshops, contact Stacy Naus at [email protected]