
AWIA: Municipal ICS and EPA Regulations Webinar Transcript

Lisa Remsa [00:00:17] Good morning, everyone, and welcome to today's True Talk webinar. Thank you for joining us. My name is Lisa Remsa and I'm the marketing manager here at True Digital Security, and I have the pleasure of being today's webinar host. Our presentation today will focus on municipalities' industrial control systems, what we know as AWIA, which is America's Water Infrastructure Act, and the EPA regulations that will govern that legislation.

Lisa Remsa [00:00:44] Randy Roberts, our senior security consultant, will be today's presenter, and he's going to take us through the basics of this newer legislation, who it affects, and what you need to know, if it does affect you, to achieve and maintain compliance. So just a little housekeeping info before we get started. We are going to discuss the topics we think are of the most importance with you today, but if you have any questions that aren't answered or addressed during the webinar, please feel free to use the control panel to submit any questions during the webinar or after the webinar. Today's webinar will run about 30

Lisa Remsa [00:01:16] to 45 minutes with some room for Q&A at the end. If we don't have a chance to get to all questions, we'll be happy to answer any unanswered questions by email post-webinar. There will also be a recorded version of this webinar available on demand, and you can view that on our True Digital Security website. So now, without further ado, I will turn the time over to Randy.

Randy Roberts [00:01:37] Good morning, good afternoon, good evening, wherever you're from. Glad to have you here today. My name is Randy Roberts. I'm a senior security consultant with True Digital Security, and I'll be talking today about America's Water Infrastructure Act and what it means for us as people who deal with water systems. So, I'm going to jump right in here with the AWIA summary. Basically, Congress passed a law

Randy Roberts [00:02:06] last year, about this time of year, in October of last year, that replaces pieces of the Safe Drinking Water Act, and as part of this, they require that drinking water systems must conduct risk and resilience assessments, and we'll get into what that means in just a bit here. Systems also have to create and revise any emergency response plans, and basically,

Randy Roberts [00:02:36] what they're asking you to do is base those plans on these risk and resilience assessments. So that's a really important thing. The other thing that's really important here is that this basically replaces the old piece on bioterrorism. So, you remember back in the early aughts, where everyone had to go out and do a bunch of work to do some things around bioterrorism, and that was pretty much a one-and-done kind of thing.

Randy Roberts [00:03:05] What Congress has directed the EPA to do with AWIA is to make that an ongoing process. So, every five years, utilities will be required to certify that they have reviewed their assessments and made any needed revisions to their emergency response plans. So, I think that's a big difference. This is something that the EPA is going to look to you as system operators to do on a regular basis, and that's something very new.

Randy Roberts [00:03:36] So, you know, to summarize AWIA from my perspective, from a cyber security perspective: in the past, the EPA stance on cyber security has been that it's really important and that NIST has some good standards, and you were pretty much left, as a systems operator, to figure out what to do with that. Groups like the American Water

Randy Roberts [00:04:02] Works Association, the AWWA, have some great standards and provided some more details around that, but from an EPA perspective, that was outside of their regulatory interest. At this point, with AWIA, cyber security is squarely in the EPA's regulatory interest, and they've got clear and concise requirements around that. So that's what we're going to talk about today.

Randy Roberts [00:04:30] So again, I go back to the risk and resilience assessments. They are very large-scale and cover a number of different areas, and I'm going to focus on what we at True Digital Security can do to help people with the specific pieces of those assessments that are related to cyber security.

Randy Roberts [00:04:50] So let's talk. 

Randy Roberts [00:04:51] First of all, about certification deadlines. So, the way this works: once you've done a risk assessment, you're supposed to certify to the EPA that you've accomplished that, and the nice thing is, you know, if you go back to the old bioterrorism act piece, they actually asked you to send in a bunch of data. The EPA is not interested in that data today.

Randy Roberts [00:05:16] What they're interested in is that you've done the work, and you must certify that you've done that work. So, they've broken out the timelines for this based on population served, and they're very clear about this. It's: go look at the data that you provided to them last year in the fourth quarter; that gives a very clear indication of the population served based on your system ID. And if you serve a population of over a hundred thousand, you must certify to them that you've completed a risk assessment by March 31st, 2020. Emergency response plans are due six months after that certification.

Randy Roberts [00:05:58] So the emergency response plan certification for populations over a hundred thousand is due on September 30th, 2020.

Randy Roberts [00:06:08] And again, if you're in the fifty thousand to a hundred thousand range, you've got to certify that you've done the risk assessment by December 31st, 2020, with a deadline for the emergency response plan certification by June 30th, 2021. If your system is between 3,300 and 50,000, then your risk assessment is due June 30th, 2021, with an emergency response plan deadline of December 30th, 2021. So really, the important thing here is to understand what you've reported in the past to the EPA as your population served.

Randy Roberts [00:06:53] The other thing here is that if you're a water wholesaler, you basically have to memorize all the people you sell water to, to drive where you sit in this population served model. But if you're a downstream system that doesn't do your own treatment, you're simply getting water from someone and distributing it to your population, you need to look at the populations that you serve individually. And again, that data, if you see here, SDWIS, and you all know what that means,

Randy Roberts [00:07:28] that's the data source that they're using to drive all of this requirement. Okay. So if you would look at those numbers, know what you're dealing with. These are the dates, and those are very important. So, assessment categories.

Randy Roberts [00:07:43] So when we look at what the EPA is trying to get us to do with these risk and resilience assessments, they want us to look at all the various ways that either malevolent acts or natural disasters can affect a water system. So, I'm going to run through these categories very quickly, and each of these has a series of questions that we'll get to in a bit. So physical barriers is one of the categories; electronic, computer or other automated systems, including the security of such systems, and I've highlighted this because this is where the vast majority of the cyber stuff is. Right here. Okay.

Randy Roberts [00:08:29] Source water; systems monitoring practices, and monitoring has a few pieces of cyber. If you're using automated systems in your monitoring, you're going to have to look at that too. Pipes and constructed conveyances; water collection and intake.

Randy Roberts [00:08:49] Financial infrastructure, which often includes all of the billing systems, your systems for management of your population data; those systems are part of this financial infrastructure. Pre-treatment and treatment.

Randy Roberts [00:09:07] The operation and maintenance of the system; storage and distribution facilities.

Randy Roberts [00:09:13] The use, storage or handling of chemicals. So these are the categories that the EPA has identified that must be dealt with through this assessment work. Our focus is mostly here, in these electronic, computer or other automated systems, including the security of those systems.

Randy Roberts [00:09:33] The threat categories again. So, the way the EPA has looked at this, they said here's a series of assets, here are threats against those assets. So, we'll walk through these very quickly. Assault on a utility, so physical assaults; sabotage, typically a physical type of an attack; contamination of finished water, accidental; and contamination of source water, accidental.

Randy Roberts [00:10:03] And this is interesting too: then we've gone to contamination of finished water, intentional. So, this is basically, accidental is, you know, what it is; intentional, someone actually caused this and did something; and contamination of source water, intentional.

Randy Roberts [00:10:19] Cyber attacks on your business enterprise systems and cyber attacks on process control systems, and I find it very interesting that they've split these out, because different threat models are associated with these, and we'll get to that in a minute.

Randy Roberts [00:10:32] And again, I've highlighted these two pieces, these two threat categories, because this is where we have our strength and can help you in these assessment activities. And then theft or diversion. So AWIA has required that you look at these threat categories as you do your assessment against all of these various assets that you have. All right. So I'm going to go now to some of the statements that are made in the EPA data around process and business systems. So, I find this one really an interesting deal.

Randy Roberts [00:11:18] Again, the EPA worked with the AWWA and other advisory groups and individuals to come up with the data around this, so the conservative estimate of threats. So, for each of those various threat examples, they came up with estimates of how often a system would experience that type of threat.

Randy Roberts [00:11:44] So water utilities experience an attempted cyber attack on a business enterprise system, so basically, think of your billing systems, your financial systems, your customer management systems. They're saying once a year, and 30% of those incidents had the potential for a significant economic consequence. I think that we see that a lot today with ransomware attacks. And if you look at what's happening with cities over the last year, the rising incidence of ransomware attacks on cities'

Randy Roberts [00:12:18] systems, it's explosive, and this is the kind of thing that the EPA is asking everyone in this business to look at: what goes on with this stuff, and how does it affect your ability to continue to deliver water to your clients? And the financial part of this is really about, if someone attacks those systems, how do you continue financially to operate?

Randy Roberts [00:12:48] When you're unable, say if your finance system is hit, how do you continue to operate if you're unable to bill? It becomes a big issue. It's part of why they brought this mindset into this, is that we have to look at those problems. The other side of this is the process control systems.

Randy Roberts [00:13:06] And again, here we're talking about those systems that are used to run your plants, to do all the work that's required to produce clean water and deliver that water to your consumer. So the conservative estimate of threat likelihood here is a little lower than the other one; it's about 10%. They expect you to be attacked on a yearly basis, about once a year, but only 10% of those incidents having significant public health or economic consequences.

Randy Roberts [00:13:41] And this is an area where I've done a lot of, I've really watched the research around this, I watch the news around this, and the reality is that we're seeing a lot more attacks on these types of systems. I can't draw any conclusion as to why that's the case, but process control systems in the water industry are being hit on a regular basis, and we have to be very cognizant of that and aware of the effects of that, and what this AWIA law does is it helps drive the necessary understanding that this is important

Randy Roberts [00:14:18] and must be looked after. So if we go to the next slide here, EPA guidance is really summed up in a fascinating document called the Baseline Information for Malevolent Acts for Community Water Systems. So I'm going to switch to that document for a moment now, so give me just a moment while I pull this up.

Randy Roberts [00:14:48] So you're looking now at this document produced by the EPA, and you can see this document came out in July of 2019. So, it's fairly recent, and this document goes through how you do a risk assessment, what the asset categories are, the things that we just talked about, threat categories, and things of that nature. I'm going to take you right to the piece on cyber, which is where our strengths lie and where we feel like we can be of great service

Randy Roberts [00:15:16] to you all as clients. So, let me go to full screen mode here just to show you this.

Randy Roberts [00:15:25] So again, we go to this area of cyber attack. They've broken things out, one for business systems and one for process control systems, and they've shown different threat likelihoods for each of these.

Randy Roberts [00:15:43] And what I want to focus on here is what they're asking us to look at while doing a review of the system. 

Randy Roberts [00:15:52] So the factors for modifying default threat likelihood are really things that the EPA has said are the important areas where we have to look at things to understand, basically, where are you on the continuum from doing really great security to really poor security. These factors make a big difference, and they affect how often you might expect an attacker to be successful.

Randy Roberts [00:16:20] So I'm going to walk through these, because I think these are the kind of questions we would ask in helping you do an assessment, so that we get a good understanding of what your systems look like and how they might behave under attack. Do you keep an inventory of your control system devices and ensure that the equipment is not exposed to networks outside the utility? So, to me, this is really two questions. Do you have a good inventory?

Randy Roberts [00:16:52] Number two is, are you exposed to outside networks? Do you employ staff with primary responsibility and an allocated and dedicated budget for the security and resilience of your electronic network? So basically, do you have a security person on staff, right?

Randy Roberts [00:17:10] Do you address the security of electronic networks in relevant contracts? So, do your contracts require your vendors to do things around cybersecurity? And what does that look like? And there's some great guidance on it out there from various sources on how to accomplish that; we're very accomplished in helping people with these issues. So then, do we ensure that those contract staff with access to utility networks

Randy Roberts [00:17:39] are vetted? And this applies to both contract staff and your internal staff: are people properly vetted before they have access to your networks? Do you segregate networks and apply firewalls? That's pretty standard stuff anymore, but I'm amazed. We often go into places where we think these are standard things and everyone has them; that's not always the case.

Randy Roberts [00:18:03] Do you secure remote access methods? 

Randy Roberts [00:18:06] And again, this is an area where, you know, if you look at basically the state of the art for industrial control systems, it is: don't expose them to other networks. But the reality is, we all know that we need to get data out of them for certain things, and we often need to get into them to do certain things. The question is, have you done that using secure remote access methods? And there are ways to accomplish that that TRUE is very familiar with, and we can evaluate whether what you've got in place meets good

Randy Roberts [00:18:36] security methodologies around that, or if there needs to be some work in that area.

Randy Roberts [00:18:42] Do you establish roles to control access to different networks and log system users? You know, fairly standard stuff for security people, but if you're unfamiliar with this, this is an area where we can help you. Require strong passwords and password management practices. Again, this is an area where, in a lot of industrial control systems, we don't see good use of password management practices. Maybe strong passwords up front, but are you doing something on a regular basis to change them?

Randy Roberts [00:19:12] Is that an appropriate interval given current best practices? We are very familiar with these activities and can evaluate your systems in regard to those practices. Do we stay aware of vulnerabilities and implement patches and updates when needed? I almost wish I had a voting thing on here. I'd like to ask the question for people to think about.

Randy Roberts [00:19:35] When's the last time you actually updated your process control systems, both at the, you know, if you're running a Windows box or a Linux box, when did you last update the underlying architecture there? When did you last update the applications that run on that box? And then we get out to the process control system devices themselves: have you applied patches as supplied by the vendor? It's not anime. You know, the thing that we're well aware of is that in these industrial control systems,

Randy Roberts [00:20:05] we have to be very mindful about how we go about this process, but I think what the EPA is after with this one is quite simple. Is there a process in place? Are you doing something about this? What does that look like for your system? Do you enforce policies for the security of mobile devices? So, if you use mobile devices in any way, shape or form in your environment, what does that process look like from a security perspective?

Randy Roberts [00:20:36] TRUE has a lot of experience, again, with mobile device security and how that should work with process control systems and with financial systems, so we're well aware of what to do in those areas.

Randy Roberts [00:20:49] Do you have an employee cyber security training program? And again, this is something that's really important, both from a financial systems perspective and from an industrial control systems perspective. And the amazing thing to me is there's some overlap in the training programs that are required for those areas.

Randy Roberts [00:21:07] But there is also enough difference between what needs to be done from a process controls perspective versus a financial systems perspective that those training plans don't always, it's not a one-size-fits-all deal. There are pieces of it that are comparable in both areas, and the thing that we bring to the table is an understanding of where those things differ and an ability to help people build a program that can meet both of those needs.

Randy Roberts [00:21:40] Are your utility executives involved in cyber security? So that's an important priority in what the EPA is asking. It's not that you're going to your utility executives with every issue, but that you're briefing them on a regular basis, providing them with the data that they need to know to help them, from a risk perspective, manage what they need to manage from a cyber security perspective.

Randy Roberts [00:22:09] And in asking this question, I think they're simply driving home the point that this is not just a technical issue to be solved by technical teams, but it's often a board issue that requires our senior executives to understand what's going on, provide guidance, provide budget and provide planning to help us execute. Do you monitor your network for intrusions and have a plan in place to respond? And I find this one really good,

Randy Roberts [00:22:39] because it ties into the next piece of this around what we do from a response perspective, which is related directly to the emergency response plans. And do you readily investigate possible network intrusions? So basically, the question here is, are you monitoring? If so, what do you do when things happen? Two very important questions, and they get down to the basics of day-to-day execution of a cyber

Randy Roberts [00:23:09] policy within your network. So those are the questions that are being asked, and I wanted to run through these with you, because this is what the EPA is expecting you as a water system operator to ask yourself about your networks, ask yourself about your process, ask yourself about your business, how you execute in relation to cyber security. The important point here

Randy Roberts [00:23:35] I want to make, and it goes throughout, not just the cyber piece but everything else in this Malevolent Acts document, is that all of these questions are there to spur thought around the potential issues that could impact your system.

Randy Roberts [00:23:54] Now, I'm not going to tell you that every one of these things you have to answer yes to and you have to have a great plan for, because I think what the EPA wants from you is to think about this and make decisions, at the appropriate level of the organization, about what is required to get to a yes in the future. So, the emergency response plans, if you think about this: we do this assessment, and every place I say no, I'm not doing this, or I don't have a plan, the response then is, what am I going to do about that? And like everything we do from a security planning perspective, it's pretty much what's cost-affordable, what's going to drive the best

Randy Roberts [00:24:39] value for money, what's going to help us most towards getting to a more secure perspective with the systems that we're dealing with. And that's really what the EPA is asking us to do: to have that conversation, and to have it on a regular basis. So, what we can do at True is we can help you look at what, if you said no to one of these, what it looks like to get from no to yes, what the impact would be, and what the cost

Randy Roberts [00:25:09] is going to be to get there. Okay, that then drives the next piece, which is, if it's too expensive, what are you going to do from an emergency response plan perspective that says, yeah, I know we don't have this piece, but here's how we're compensating with other controls, right? So I'm going to go back to the slide deck now.

Randy Roberts [00:25:29] So a big piece of this is working with your local emergency planning committees, and the intent here is to integrate these local emergency planning committees into your emergency response plans. So, the EPA is asking you to do this assessment work, figure out what it's going to take for you to respond yes, and where you can't, or simply won't because of cost or other issues, respond yes to those questions.

Randy Roberts [00:25:59] And then, how am I going to build a process so that if an emergency were to happen, I could engage the appropriate resources and make these things happen? The EPA provides some great tools for how to do these emergency response plans. In fact, they've got a document, which I'm not going to show you today, that is all about how you build out that response plan. It's an amazing document.

Randy Roberts [00:26:29] It's a lot like what we build out for people for incident response. In fact, what we build out for people for incident response fits right into that document from the perspective of what do I do for cyber. So, I want to just be very clear about that. We have a tremendous amount of experience in building out response plans for people, and what we do in cyber security response plans fits perfectly into what the EPA is asking people to do

Randy Roberts [00:26:59] around this emergency response planning. So, the other thing I'll just say again: if you don't know who your local emergency planning committees are, just shoot me an email.

Randy Roberts [00:27:11] I can help you find that data, because the other part of this is not just what you do. If we go back to August of this year, 23 cities in Texas were hit by a coordinated ransomware attack, and what they executed on wasn't 23 separate cities going out and doing their plans. They each pulled out their plans and worked them, but they also worked with their local emergency planning committees.

Randy Roberts [00:27:40] These are things that are there to help you engage with other resources within your local community, like the FBI, your state and local police, your state water boards and people like that, so that it's not just you responding to an emergency. So, building out these emergency response plans basically makes you go through and look at each of those various organizations that you could interact with, including folks like True Digital, who can help you with very specific pieces of that plan. So that's a really important part of this. So, the big question here is, how can we help, right? And I just want to be very clear with you all: we have significant experience

Randy Roberts [00:28:29] in cyber security. I mean, it's in our name. That's what we do, right? We have experience with cyber security and industrial control systems today. We work with a number of municipalities where we help them with the cyber security of these very systems.

Randy Roberts [00:28:47] We also do a lot of work in the oil and gas industry, where industrial control systems operating plants and pipelines and things of that nature are very common, and the reality is that industrial control systems look a lot alike, and we have significant experience in securing those systems. So, we know what we're doing there. We have worked to understand

Randy Roberts [00:29:15] what the requirements for these assessments are, so we can execute with you on the cyber assessments that meet the AWIA requirements. In order to be clear, you know, again, AWIA has a lot of other requirements in areas where we do not have expertise. We are really here to help you with the cyber portion of these assessments.

Randy Roberts [00:29:40] We can also help in this important part, where you have to take this data to your senior management teams, your boards. You know, the senior executives responsible for your water systems are going to need to be aware of this stuff, and we can help with providing the education that is required to understand the risk that we evaluate in these assessments. We can help in the communication with those senior

Randy Roberts [00:30:10] board teams on what those risks look like, what the potential mitigations are, and what the costs associated with that are, so that we can help you tell the story that's necessary to your senior management teams. We do this regularly through our risk management teams.

Randy Roberts [00:30:29] We know how to interact with senior management to get these messages across, and last, we can help you build out those cyber portions of the emergency response plans. Those are really important, and our work to build out emergency incident response plans is highly applicable to what the EPA is asking you to do as part of this process.

Randy Roberts [00:30:59] Next, I'm going to go to a couple of resources, and I'll say again, if you want to get these resources, they're obviously on the slide. A lot of it is the EPA, so it's really long URLs, but if you send me an email at this address or give me a call, I'd be happy to provide this data to you. Okay?

Randy Roberts [00:31:22] So, Lisa, I have run through the slide deck, and I'm more than happy to take any questions from the crowd.

Lisa Remsa [00:31:30] Okay, let's see if we have any. We didn't have any comments during the actual session, but we'll give it a minute. I also wanted to let everyone know that any of our webinars can be seen on demand, post live webinar, on our website at truedigitalsecurity.com/webinars. So please always keep an eye there, and keep an eye out for next month's webinar, which will be about Trusted Partner Network, which is a new topic for us to cover, so it's very exciting. We haven't had any questions come in, so I think we can close up for today. But if you do have any questions after we end the session, as Randy said, please feel free to reach out to him at Randy.Roberts@truedigitalsecurity.com, and we look forward to having you all on the next True Talk webinar. Have a great day.
