ICS Self Assessment

Protecting critical infrastructure can be overwhelming and a seemingly endless endeavor. As more and more technology and connectivity is required for the operations of water and wastewater systems, Operators are tasked with ensuring the safety, reliability, and control of these systems – but often with limited resources.

When asked the question: “Is your system secure?”, the answer is often “I think so, but I am not really sure”.

Complete the following checklist and see how well your systems are protected and what areas could be improved.

  • We have an asset management system in place and it is kept up-to-date
  • Patching of both IT and OT assets are completed on a regular basis
  • The IT and OT networks are segregated and accountability of each segment is clearly defined
  • Our access control policy stipulates user requirements and applicable permissions
    • Internal threats include intentional and unintentional incidents
    • Contractors, vendors and other external parties
    • Former employee access
  • Our facilities have provisions for secure physical access implemented along with intrusion controls.
  • Drawings, network diagrams and O&M manuals are up-to-date, versioned and accessible.
  • All passwords are both; housed within a password management system, and changed from factory-set credentials.
  • The team understands:
    • our threat/intrusion detection and monitoring protocols.
    • the consequences of a cyber attack and the importance of cybersecurity.
    • at minimum, how basic intrusion methods (eg. phishing, credential stuffing, drive-by attacks, XSS attacks, etc.) are conducted
  • Our facilities have an auditing process in place to ensure cybersecurity/physical security measures are effective and up to date
  • We have an Emergency Plan for breaches, disasters (eg. wild fire, earthquake) and other emergencies
  • Smart devices used for remote access/control utilize encryption and two-factor authentication

This checklist is non-exhaustive and is intended to provide basic guidance on reasonable steps to be taken to mitigate risk. This is to be used for informational purposes only.

Connect with us to learn more about how ICI can assist your team in implementing an Industrial Cybersecurity Management Plan.

Great further resources:
WaterISAC newly updated resource: 15 Cybersecurity Fundamentals for Water and Wastewater Utilities

PDF Version available for download