Attacks such as the one at Oldsmar highlight the need for water facilities to continue honing their ability to defend themselves against digital attacks. Towards that aim, they can use WaterISAC’s guidelines for water and wastewater utilities.
The security fundamentals covered in those guidelines include the following:
Asset Inventory Database
You can’t protect what you don’t know you have. It’s therefore imperative that water facilities create an inventory of network assets. This effort should consist not only of network scanning but also of physical inspection, as the former can uncover only so much. In the process, these utilities can help to reveal blind spots by identifying what shouldn’t belong on the network.
Water facilities need to identify security gaps and vulnerabilities in their environments. The best way they can do both is by undergoing a risk assessment. In order to effectively prioritize risks on business-critical assets, water utilities should conduct a risk assessment on a regular basis. This isn’t always easy to do, but organizations can use several free and voluntary networks such as the NIST Cybersecurity Framework for help.