WATER SECTOR CYBERSECURITY RISK MANAGEMENT GUIDANCE
Prepared by West Yost Associates

Copyright© 2019 American Water Works Association


Tool and Guidance Revision History
Version 1.0 (4/4/2014): Initial Release.
Version 2.0 (2/22/2017): Revised to match updated Cybersecurity Guidance tool. The Use Case descriptions were revised for clarity. Use cases were added to address wireless communications. An additional 12 cyber controls were added.
Version 3.0 (9/4/2019): Revised to improve user interface. Explicitly supports AWIA 2018 §2013 compliance. Updates to the use cases and controls, and alignment with NIST Cybersecurity Framework v1.1. Provides Microsoft Excel-based output to allow for self-assessment of controls and development of an improvement plan.

Disclaimer
The authors, contributors, editors, and publisher do not assume responsibility for the validity of the content or any
consequences of its use. In no event will AWWA be liable for direct, indirect, special, incidental or consequential
damages arising out of the use of information presented herein. In particular, AWWA will not be responsible for
any costs, including, but not limited to, those incurred as a result of lost revenue.

CONTENTS
ACKNOWLEDGEMENTS .................................................................................................................. 5
EXECUTIVE SUMMARY ................................................................................................................... 7
Use of this Guidance to Support AWIA §2013 Compliance ........................................................ 8
Cybersecurity Guidance and Tool Output Information Security................................................. 9
RECOMMENDED CYBERSECURITY PRACTICES............................................................................... 9
Overview ..................................................................................................................................... 9
Practice Categories...................................................................................................................... 9
Governance and Risk Management ...................................................................................... 10
Business Continuity and Disaster Recovery ........................................................................... 10
Server and Workstation Hardening ....................................................................................... 10
Access Control ........................................................................................................................ 10
Application Security ............................................................................................................... 10
Encryption .............................................................................................................................. 11
Data Security.......................................................................................................................... 11
Telecommunications, Network Security, and Architecture ................................................... 11
Physical Security of PCS Equipment ....................................................................................... 11
Service Level Agreements (SLA) ............................................................................................. 11
Operations Security (OPSEC).................................................................................................. 12
Education ............................................................................................................................... 12
Personnel Security.................................................................................................................. 12
Cyber-Informed Engineering ..................................................................................................... 12
CYBERSECURITY TOOL USER GUIDANCE...................................................................................... 13
Overview ................................................................................................................................... 13
User Interface ............................................................................................................................ 13
Use-Cases .................................................................................................................................. 13
Cybersecurity Controls .............................................................................................................. 14
Recommended Cybersecurity Practices and Improvement Projects ....................................... 16
AWWA Assessment Tool Output .............................................................................................. 21
REFERENCE STANDARDS .............................................................................................................. 24
Appendix A: America’s Water Infrastructure Act (AWIA) of 2018 §2013 .................................. 26
Appendix B: Network Architecture Reference Diagram and Definitions................................... 27
Appendix C: User Interface Questions ........................................................................ 29
Appendix D: Cybersecurity Use-Cases ......................................................................................... 36
Appendix E: Cybersecurity Controls ............................................................................................ 40
Appendix F: Cross Reference to NIST 1.1 Cybersecurity Framework ......................................... 51

ACKNOWLEDGEMENTS
This project was funded by the American Water Works Association (AWWA), utilizing Water Industry
Technical Action Fund (WITAF), WITAF Project #039, and managed by Kevin M. Morley.

Project Advisory Committee
• Norm Anderson, Carollo Engineers
• John Brosnan, Santa Clara Valley Water District
• Don Dickinson, Phoenix Contact
• Patrick Norton, Tampa Bay Water
• Robert Raffaele, American Water

Project Contractors
• Andrew Ohrt, West Yost Associates
• Dan Groves, West Yost Associates
• Jeff Pelz, West Yost Associates
• Joel Cox, West Yost Associates
• Murphy Altunel, West Yost Associates
• Bailey Bartolucci, West Yost Associates
• Judith H. Germano, GermanoLaw LLC
• Gwen M. Schoenfeld, GermanoLaw LLC
• Gemma Kite, Horsley Witten Group, Inc.
• Tom Noble, Horsley Witten Group, Inc.
• Will Keefer, Horsley Witten Group, Inc.

Subject Matter Expert Panel
• Danielle Anderson, City of Minneapolis Water Treatment and Distribution Services Division
• Will Bianchini, Onondaga County Water Authority
• Andy Bochman, Idaho National Laboratory
• Jacques Brados, Black and Veatch
• Geoffrey Brown, Alameda County Water District
• Bernie Bullert, SL-Serco
• Travis Cochrane, City of Corpus Christi
• Jeff Cooley, City of Vacaville Public Utilities
• Steve Crumley, City of Minneapolis Water Treatment and Distribution Services Division
• Charley Cunningham, City of Sacramento Department of Utilities
• Bob Daly, EMA Inc.
• Jon Eaton, City of Eagan Public Utilities
• Bill Fisher, National Institute of Standards and Technology
• Jamie Foreman, City of Carmel Public Works
• Glen Goins, The Automation Group
• Andrew Hildick-Smith, Massachusetts Water Resource Authority
• Daniel Honore, Village of Pleasant Prairie Utility Department
• Dr. Connie Justice, Indiana University Purdue University Indianapolis
• Marlene Ladendorff, Schneider Electric
• Michael Lewis, City of Albany Public Works
• Jim Livermore, CDM Smith
• Mike Malone, Eastern Municipal Water District
• Blas Moreno, Prince William County Service Authority
• Ariz Naqvi, Alameda County Water District
• Debbie Newberry, United States Environmental Protection Agency
• Janine Nielsen, Rockwell Automation, Inc.
• Kevin Owens, Control Cyber Inc.
• Cayce Parrish, United States Environmental Protection Agency
• David Paul, AquaEngineers
• Chuck Redding, City of Sacramento Department of Utilities
• Nelson Sims, DC Water and Sewer Authority
• Chris Walcutt, Black and Veatch
• Jennifer Lyn Walker, WaterISAC
• Linda Warren, Launch! Consulting

© Copyright American Water Works Association 2019 5


Acronym and Abbreviation Table
Acronym/Abbreviation Description
ANSI American National Standards Institute
AWIA 2018 America’s Water Infrastructure Act of 2018
AWWA American Water Works Association
CCE Consequence-Centered Engineering
CFR Code of Federal Regulations
CIA Confidentiality, Integrity, and Availability
CIE Cyber-Informed Engineering
CIR Committed Information Rate
CISSP Certified Information Systems Security Professional
ERP Emergency Response Planning
FOIA Freedom of Information Act
HIPAA Health Insurance Portability and Accountability Act
INL Idaho National Laboratory
ISA International Society of Automation
IT Information Technology
LAN Local Area Network
NIDS Network Intrusion Detection System
NIST National Institute of Standards and Technology
OPSEC Operations Security
PCI Payment Card Industry
PCS Process Control Systems
PII Personally Identifiable Information
PLC Programmable Logic Controller
QoS Quality of Service
RRA Risk and Resilience Assessment
SCADA Supervisory Control and Data Acquisition
SLA Service Level Agreement
SME Subject Matter Expert
SSO Single Sign-On
VLAN Virtual Local Area Network
WAN Wide Area Network
WITAF Water Industry Technical Action Fund

EXECUTIVE SUMMARY
Within the last several decades, cybersecurity threats, including such things as cyber-terrorism and
ransomware attacks, have grown from the esoteric practice of a few specialists to a problem of general
concern. Critical infrastructure systems serving the people of the United States have been found to be
particularly vulnerable to such attacks. As noted in the Cybersecurity Risk and Responsibility in the
Water Sector 1:
“Government intelligence confirms the water and wastewater sector is under a direct threat as part of a
foreign government’s multi-stage intrusion campaign, and individual criminal actors and groups threaten
the security of our nation’s water and wastewater systems’ operations and data.”
In response to the general threat to critical infrastructure, a wide array of standards and guidelines are
available to assist organizations with implementing security controls to mitigate the risk from cyber-
attacks. The scope of these documents is large, and the security controls in the standards often require
significant planning and years of implementation.
In February 2013, the American Water Works Association (AWWA) Water Utility Council initiated a
project (WITAF #503) to address the absence of practical, step-by-step guidance for protecting water
sector process control systems (PCS) 2 from cyber-attacks. This action was timely as it corresponded
with the development of the National Institute of Standards and Technology (NIST) Cybersecurity
Framework as called for in Executive Order 13636 - Improving Critical Infrastructure Cybersecurity. 3 The
NIST Cybersecurity Framework includes a set of standards, methodologies, procedures, and processes
that align policy, business, and technological approaches to address cyber risks.
This AWWA Water Sector Cybersecurity Risk Management Guidance (AWWA Guidance) and associated
AWWA Cybersecurity Assessment Tool (AWWA Assessment Tool), collectively referred to as AWWA
Guidance and Assessment Tool, is a voluntary, sector-specific approach for adopting the NIST
Cybersecurity Framework as expressed by the Water Sector Coordinating Council. The original goal of
this AWWA guidance was to provide water sector utility owners/operators with a consistent and
repeatable assessment tool and recommended course of action to reduce vulnerabilities to cyber-
attacks as recommended in ANSI/AWWA G430: Security Practices for Operations and Management and
EO 13636. The guidance is also expected to communicate a “call to action” for utility executives
acknowledging the significance of securing PCS and enterprise systems (e.g. information technology)
given their role in supporting water utility operations.
This AWWA Guidance and Assessment Tool update was developed to assist community water systems
(i.e. utility) in complying with section 2013 of America’s Water Infrastructure Act (AWIA) of 2018 (PL
115-270). 4 AWIA requires all community water systems serving populations of 3,300 or more to conduct
and certify completion of an assessment of the risks to, and resilience of their systems, including an
emergency response plan. The new requirement places emphasis on assessing and mitigating
cybersecurity risks that could impact the following:
• Electronic, computer, or other automated systems (including the security of such systems)
which are utilized by the system;

1 American Water Works Association, Cybersecurity Risk and Responsibility in the Water Sector, 2018.
2 The term process control system (PCS) is preferred over industrial control system (ICS) to avoid confusion with incident command system (ICS), common in national emergency response planning.
3 Executive Order 13636 - Improving Critical Infrastructure Cybersecurity, https://www.federalregister.gov/documents/2013/02/19/2013-03915/improving-critical-infrastructure-cybersecurity
4 The text of AWIA §2013 is included in Appendix A.

• The monitoring practices of the system (including network monitoring); and
• The financial infrastructure of the system (accounting and financial business systems operated
by a utility, such as customer billing and payment systems).
Utilities may have PCS and enterprise systems that are physically or logically connected. In addition,
many business applications that utilities rely on to support critical day-to-day operations reside within
enterprise systems. To account for this, enterprise systems are explicitly included in the AWIA
requirements for the risk and resilience assessment (RRA) and emergency response plan (ERP).
A panel of subject matter experts was consulted to identify the most pressing cybersecurity issues facing
water utilities today. In response to these issues, a recommended grouping of cybersecurity practices
was developed. This grouping identifies cybersecurity practice areas considered to be the most critical
for managing cyber risk in the water sector. This guidance provides a discussion of the recommended
practice areas and why they are important to supporting a robust cybersecurity risk management
strategy.

These recommended practices are defined by a set of 99 cybersecurity controls that are organized in a
manner to facilitate implementation based on actionable tasks. The outputs of the AWWA Assessment
Tool are designed to present these controls to users in a concise, straightforward manner, facilitate
documentation and support future compliance actions and improvement.

The AWWA Assessment Tool generates a prioritized list of recommended controls based on specific
characteristics of the utility. The user provides information about the manner in which their PCS and
enterprise systems are used. Based on these practices, use cases are selected to recommend controls. For
each recommended control, specific references to existing cybersecurity standards are also provided.

The AWWA Assessment Tool emphasizes actionable recommendations with the highest priority assigned
to those that are expected to provide the greatest impact in the short term. It should be noted, however,
that the tool does not assess the extent to which a utility has implemented any of the recommended
controls. This is the responsibility of the utility. To facilitate this, additional tool outputs were added and
are discussed in the following sections.

This resource is a living document, and further revisions and enhancements will be made based on the
quickly evolving cyber-threat landscape and user feedback.

Use of this Guidance to Support AWIA §2013 Compliance


As noted above, one objective of the AWWA Cybersecurity Guidance and Assessment Tool is to support
utilities with AWIA §2013 compliance actions. Additional guidance is provided in subsequent sections of
this document.

Utility staff responsible for AWIA §2013 compliance may not be cybersecurity technologists or
responsible for the secure and reliable operation of the PCS and/or enterprise systems. Therefore, it is
recommended that a utility convene internal and external support staff, including, but not limited to:

• Utility compliance staff responsible for AWIA §2013 compliance.

• Utility staff responsible for and knowledgeable of the design, operation, and maintenance of the
utility’s PCS and enterprise systems (information technology).
• Utility leadership responsible for overall operation of the utility (utility staff with the authority to
accept risks should be present).
• External support staff including cybersecurity vendors, engineering firms, etc., if needed.

This approach will improve the quality and timeliness of data collection. In addition, it is expected to
reduce the overall time required to complete compliance actions while also improving the cybersecurity
posture 5 of the organization.

Cybersecurity Guidance and Tool Output Information Security


The output of the Assessment Tool should be classified as critical infrastructure security information. In
many states, this means that it is protected from public information requests. To maintain a high level of
information security after the output is generated, AWWA strongly recommends the following:
• If your utility has a data classification system in place, treat the output and associated
information as the most protected type of information. It is recommended that this be done
with consideration to the FOIA/sunshine laws in your jurisdiction.
• If your utility does not have a data classification system in place:
o Store this data in a secure location.
o Restrict access to this information as much as possible. For example: do not email this
document.

RECOMMENDED CYBERSECURITY PRACTICES


Overview
These practices are comprised of recommendations to improve the cybersecurity posture of water and
wastewater utilities. They are actionable recommendations designed to produce maximum
improvement in the short term and provide a foundation for longer term implementation of a
comprehensive cybersecurity risk management strategy.
The terminology used within this section and other standards is fundamentally technical. AWWA strived
to make the guidance and user experience as “plain English” as possible. However, some additional
insight into the networking and network component terminology may be helpful to the reader. It is
recommended that the reader refer to Appendix B: Network Architecture Reference Diagram and
Definitions.
Practice Categories
The practice categories were chosen by Subject Matter Expert (SME) teams during a Definition
Workshop. Each team identified important areas of cybersecurity to be addressed and the policies,
activities, and systems that should be implemented. The recommendations from the SMEs were
collected, integrated (to avoid duplication), and loosely organized into the ten domains of the Certified
Information Systems Security Professional (CISSP) Common Body of Knowledge. Several rounds of review
and addition followed until there was consensus that the practice categories and recommendations were
comprehensive. The categories (like their NIST framework counterparts) are not mutually exclusive and
contain significant overlap. In addition, the AWWA Assessment Tool output categorizes the

5 The cumulative strength of a utility’s cybersecurity policies and controls, and how effectively they mitigate risk.

recommended controls into these practice areas. The following is a description of each practice
category.
Governance and Risk Management
This category is concerned with the management and executive control of the security systems of the
organization; it is associated with defining organizational boundaries and establishing a framework of
security policies, procedures, and systems to manage the confidentiality, integrity, and availability (CIA)
of the organization. One of the key components of system governance is developing and maintaining an
accurate, up-to-date inventory of PCS and enterprise system components.
Cyber supply chain risk management is an important component in the design, operation, and
maintenance of PCS and enterprise systems. This includes such things as establishing cybersecurity
requirements for suppliers, communication of these requirements, and verifying the requirements
are met.
From the perspective of long-term security, this is the most important category because it creates a
managed process for increasing security. It also engages the executive team by including security risks as
an important part of enterprise risk management.
Although this category of recommendations represents an essential part of an organization’s security
posture, the related cybersecurity controls have been assigned a slightly lower priority in order to
emphasize actionable recommendations that can have significant short-term effects.
Business Continuity and Disaster Recovery
This category is concerned with ensuring that the control system continues running even when faults
occur and with rapid recovery after a service disruption.
Business Continuity Planning is a structured method for an organization to prepare for and reduce the
probability and impact of systems and operational failure. A key component of Business Continuity
Planning is the Disaster Recovery Plan, which deals with longer disruptions from more impactful events.
Both plans require a managed process that identifies potentially disruptive events, estimates their
impact, and then develops and monitors mitigation strategies.
Server and Workstation Hardening
This category is concerned with securing servers and workstations against cyber-attacks; it identifies
best practices to minimize the probability of unauthorized access to servers, and to maintain the CIA
properties of the servers and the systems within them. For example, this category includes whitelisting,
which restricts the applications that are permitted to run on servers and workstations throughout the
enterprise.
Access Control
This category is concerned with ensuring that only authorized personnel are permitted to access
computing resources within the organization; it pertains to best practices for restricting access to
computing resources and information to authorized users. For example, Single Sign-On (SSO) is an access
control mechanism that requires users to authenticate only once; the SSO system can then use that
authenticated session to control access to a variety of applications. However, care should be taken to
ensure that different credentials are used for PCS and enterprise systems, so that a password captured on
the enterprise side cannot be replayed against the PCS.
Application Security
This category is concerned with ensuring that computer programs do only what they are supposed to
do; for example, suppose that a module of a Supervisory Control And Data Acquisition (SCADA) system is
supposed to receive data from a Programmable Logic Controller (PLC) and save it. Application security

contains best practices to ensure that the module is not susceptible to buffer-overflow attacks and that
the data it receives does not get corrupted as it is handled by the module.
Application Security is a complex and extensive area involving the design, implementation, and testing
of program modules as well as the testing and monitoring of integrated systems after implementation.
Utilities should develop standard design and implementation requirements that define the testing
required by software vendors and system integrators, as well as doing their own testing of the integrity
of results.
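The receive-and-save module described above, worked through as an added example that is not part of the AWWA guidance or of any vendor's SCADA code: a constructed PLC reading frame (two-byte tag, one-byte payload length, payload, two-byte CRC-16), a handler written the naive way that trusts the length byte, and a hardened handler that validates the declared length against both the receive buffer and the bytes actually received and checks the CRC before storing anything. The frame layout, the CRC choice, the function names and the sample payload bytes are assumptions made for this illustration.

```c
/* Added example, not from the AWWA guidance: a SCADA-side routine that receives a PLC
 * reading frame and saves it, first as naively written, then hardened. Frame layout
 * (assumed for this example only): [0..1] tag, [2] payload length N, [3..3+N-1] payload,
 * then a 2-byte CRC-16/CCITT over bytes 0..3+N-1. All multi-byte values are big-endian. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PAYLOAD 64
#define HDR_LEN 3
#define CRC_LEN 2

enum frame_status { FRAME_OK = 0, FRAME_ERR_LENGTH = 1, FRAME_ERR_CRC = 2 };
struct reading { uint16_t tag; uint8_t len; uint8_t data[MAX_PAYLOAD]; };

/* CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF): the frame's integrity check. */
static uint16_t crc16_ccitt(const uint8_t *p, size_t n)
{
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < n; i++) {
        crc ^= (uint16_t)(p[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* VULNERABLE: trusts the PLC's length byte. A frame declaring N=200 makes memcpy write
 * 136 bytes past out->data, and the CRC is never checked, so a corrupted reading is saved
 * as if it were good. Kept for contrast only; never run it on untrusted input. */
int store_reading_vulnerable(const uint8_t *frame, struct reading *out)
{
    out->tag = (uint16_t)((frame[0] << 8) | frame[1]);
    out->len = frame[2];
    memcpy(out->data, frame + HDR_LEN, out->len);   /* overflow when len > MAX_PAYLOAD */
    return FRAME_OK;
}

/* HARDENED: the declared length is checked against the buffer capacity and against the
 * bytes actually received; the payload is stored only after the CRC matches, so an
 * oversized, truncated or corrupted frame is rejected whole rather than saved damaged. */
enum frame_status store_reading_hardened(const uint8_t *frame, size_t n, struct reading *out)
{
    if (frame == NULL || out == NULL || n < HDR_LEN + CRC_LEN) return FRAME_ERR_LENGTH;
    uint8_t declared = frame[2];
    if (declared > MAX_PAYLOAD) return FRAME_ERR_LENGTH;                    /* cannot fit */
    if (n != (size_t)HDR_LEN + declared + CRC_LEN) return FRAME_ERR_LENGTH; /* short/trailing */
    uint16_t expect = crc16_ccitt(frame, HDR_LEN + declared);
    uint16_t got = (uint16_t)((frame[HDR_LEN + declared] << 8) | frame[HDR_LEN + declared + 1]);
    if (expect != got) return FRAME_ERR_CRC;                                /* corrupted */
    out->tag = (uint16_t)((frame[0] << 8) | frame[1]);
    out->len = declared;
    memcpy(out->data, frame + HDR_LEN, declared);
    return FRAME_OK;
}

/* Test-frame builder: 'declared' is the length byte put on the wire, 'actual' how many
 * payload bytes really follow, so the two can disagree to simulate a lying or truncated
 * PLC message. The CRC covers the bytes actually written. */
static size_t build_frame(uint8_t *out, uint16_t tag, uint8_t declared,
                          const uint8_t *payload, size_t actual)
{
    out[0] = (uint8_t)(tag >> 8); out[1] = (uint8_t)tag; out[2] = declared;
    memcpy(out + HDR_LEN, payload, actual);
    uint16_t crc = crc16_ccitt(out, HDR_LEN + actual);
    out[HDR_LEN + actual] = (uint8_t)(crc >> 8); out[HDR_LEN + actual + 1] = (uint8_t)crc;
    return HDR_LEN + actual + CRC_LEN;
}

static const uint8_t kSample[8] = {1, 2, 3, 4, 5, 6, 7, 8};   /* constructed PLC payload */

/* Scenarios: each feeds one constructed frame to the hardened parser and returns its verdict. */
int valid_frame_roundtrip(void)        /* 1 when a well-formed frame is stored intact */
{
    uint8_t f[128]; struct reading r;
    size_t n = build_frame(f, 0x0102, 8, kSample, 8);
    if (store_reading_hardened(f, n, &r) != FRAME_OK) return 0;
    return r.tag == 0x0102 && r.len == 8 && memcmp(r.data, kSample, 8) == 0;
}
int scenario_oversized_length(void)    /* length byte says 200; the buffer holds 64 */
{
    uint8_t f[128]; struct reading r;
    return store_reading_hardened(f, build_frame(f, 0x0102, 200, kSample, 8), &r);
}
int scenario_truncated(void)           /* length byte says 8; only 4 payload bytes arrived */
{
    uint8_t f[128]; struct reading r;
    return store_reading_hardened(f, build_frame(f, 0x0102, 8, kSample, 4), &r);
}
int scenario_corrupted_payload(void)   /* one payload bit flipped after the CRC was computed */
{
    uint8_t f[128]; struct reading r;
    size_t n = build_frame(f, 0x0102, 8, kSample, 8);
    f[HDR_LEN] ^= 0x80;
    return store_reading_hardened(f, n, &r);
}

int main(void)
{
    printf("valid frame stored intact: %d\n", valid_frame_roundtrip());
    printf("oversized length: %d, truncated: %d (FRAME_ERR_LENGTH=%d)\n",
           scenario_oversized_length(), scenario_truncated(), FRAME_ERR_LENGTH);
    printf("corrupted payload: %d (FRAME_ERR_CRC=%d)\n", scenario_corrupted_payload(), FRAME_ERR_CRC);
    return 0;
}
```

Two points worth carrying into a utility's own design requirements for vendors and integrators: a length field from the field device is untrusted input and must be checked against the receive buffer and against the bytes actually received before any copy, and a frame that fails any check is rejected whole rather than stored truncated. Note also that a CRC only detects accidental corruption; an attacker who can modify frames on the link can recompute it, so on an untrusted or wireless circuit the integrity check has to come from a keyed message authentication code or an authenticated transport, which is the subject of the Encryption category below.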
Encryption
This category is concerned with ensuring that only appropriate encryption schemes are used within an
organization’s security systems and that cryptography is used wherever it is needed. There is general
confusion about what constitutes an appropriate encryption scheme: packing or compression algorithms
are sometimes mistaken for encryption, although they provide no confidentiality at all. Cryptographic
protection is needed, for example, when data travels on a public channel or a wireless circuit, or when
there is a need to provide non-repudiation of a message or a document (by using a cryptographic
signature).
Weak encryption schemes are particularly dangerous because they provide little protection while creating
a false sense of security and complacency. Proprietary encryption schemes should be avoided since they
typically have not undergone public review and often contain flaws. Only encryption schemes that are
referenced by appropriate standards and use keys of proper length should be considered secure.
Data Security
This category is concerned with the various types of protected data that a utility may collect, transfer, and
store. This includes payment information such as credit and debit card data, personally identifiable
information (PII), and health information protected under the Health Insurance Portability and
Accountability Act (HIPAA). The requirements attached to these data types are included in this category.
Telecommunications, Network Security, and Architecture
This category is concerned with the security of the network infrastructure from the data connector on
the wall to the enterprise switches, routers, and firewalls. This includes the physical security of the
cables, the telecom closets, and the computer rooms, and the protection of the data as it travels on
public channels and wireless circuits. Spam filtering and website blocking are also included in this
category.
The focus of this category is establishing a “defense-in-depth” network architecture with the network at
its core. It also addresses adherence to new standards for PCS network security, particularly network
topology requirements within the vicinity of PCS systems and PLC controls. Another area addressed in
this category is network management, including port level security.
Physical Security of PCS Equipment
Physical security is a basic requirement for all PCS and enterprise systems. Once physical access to a
network device or server is achieved, compromising equipment or systems is usually a trivial matter. The
recommended practices in this category focus on preventing and restricting physical access to only
authorized personnel with a need to perform some action on the hardware. The recommendations in
this group are also related to monitoring, detecting, and responding to unauthorized physical access.
Service Level Agreements (SLA)
This category is concerned with the definition and management of contracts that specify service
requirements for the organization. The contract manager, under the direction of the executive team, is

responsible for defining, negotiating, executing, and monitoring these contracts to ensure appropriate
service delivery to the organization.
An SLA is a contract that requires minimum levels of performance for the services provided. For example,
the Committed Information Rate (CIR) is part of a typical Wide Area Network (WAN) SLA and specifies
the minimum bandwidth that a data circuit is guaranteed to deliver.
SLAs for PCS network systems typically focus on quality of service (QoS) rather than raw bandwidth. PCS
systems do not require high bandwidth, but they cannot operate properly if bandwidth falls below certain
known thresholds or latency becomes excessive. By contrast, SLAs for enterprise systems will focus on the
confidentiality and integrity of information stored or in transit on the network.
Operations Security (OPSEC)
OPSEC is concerned with refining operational procedures and workflows to increase the security
properties (CIA) of an organization. For example, a utility may want to restrict what employees post on
their social media pages about the organization’s security procedures. OPSEC also includes access
granting policies and procedures, security guard rotation schedules, backup recovery procedures, etc.
Education
This category is concerned with bringing security awareness to the employees, clients, and service
providers of the organization.
Education involves identifying best practices and providing formal training on the security policies and
procedures of the enterprise, as well as on security awareness and incident response. It also involves
exercising the key security processes and actions so that staff can respond quickly and accurately to
security incidents within the enterprise.
Personnel Security
This category is concerned with the personal safety of employees, clients, contractors, and the general
public. Personnel security starts as part of the hiring process and ends after the employee leaves the
organization. It handles periodic reaccreditation of employees and updates of the policies and
procedures that govern staff. The purpose of personnel security is to ensure the safety and integrity of
staff within the organization. Personnel security also applies to external contractors and service
personnel, with the objective to ensure appropriate, lower privileged access to facilities.
Cyber-Informed Engineering
Cyber-Informed Engineering (CIE) 6, 7 and the associated Consequence-Centered, Cyber-Informed
Engineering (CCE) 8 are methodologies recently developed and promulgated by Idaho National
Laboratory (INL). The methodologies emphasize the integration of cyber risk considerations into the full
engineering life-cycle to reduce risk. These approaches recognize that, while extremely important, a
cyber-hygiene centered approach cannot address the rapidly evolving cyber threats that all critical
infrastructure owners and operators face. Therefore, utilities need to take additional measures to
ensure that their systems are cyber-resilient.

6 Anderson, Robert S., Benjamin, Jacob, Wright, Virginia L., Quinones, Luis, and Paz, Jonathan. Cyber-Informed Engineering. United States: N. p., 2017. Web. https://doi.org/10.2172/1369373
7 Wright, Virginia. Cyber-Informed Engineering. Fermilab Colloquium. September 21, 2016. https://vms.fnal.gov/asset/detail?recid=1944478&recid=1944478
8 Bochman, Andy. The End of Cybersecurity. Harvard Business Review. May 2018.

CYBERSECURITY TOOL USER GUIDANCE
Overview
The Assessment Tool uses several steps to collect user input on the utility’s current cybersecurity
posture and provides recommended controls to facilitate AWIA §2013 compliance and cybersecurity
improvements. PLEASE NOTE: AWWA DOES NOT COLLECT ANY DATA ENTERED INTO THE TOOL OR
ABOUT USERS OF THE TOOL. Rather, this guidance and the Assessment Tool provide the user with
recommended controls based on how the utility describes the application of certain technologies and
practices in their day-to-day operations. No security-sensitive information is required from, or shared
by, the user. The process flow of the tool, illustrated in Figure 1, is segmented to address the two
primary phases of AWIA §2013: 1) Risk and Resilience Assessment (RRA; dark blue box) and
2) Emergency Response Planning (ERP; green box).

[Figure 1, a left-to-right process diagram with three stages. User Interface: the user answers the
questions in the web application. Control Identification/Priority Recommendation: based on the user’s
answers, recommended controls are provided and each recommended control is assigned a priority.
Output (Self-Assessment, Microsoft Excel Output): 1. Start Here; 2. RRA-Control Output;
3. RRA-Control Status Summary; 4. ERP-Improvement Projects; optional: 5. Project Implementation
Form; 6. Declaration of Due Diligence; 7. User Answer Summary.]

Figure 1. AWWA Cybersecurity Tool Process

The following sections provide additional detail on the individual inputs, processing steps, and outputs
of the AWWA Assessment Tool.
User Interface
First, the user answers questions on the policies, procedures and use of their PCS and enterprise
systems in the web application. The AWWA Assessment Tool automatically maps the utility’s PCS and
enterprise system configuration and practices to the recommended control. The questions designed to
capture the utility’s PCS and enterprise system configuration and practices are included in a worksheet
format in Appendix C of this guidance.

Use-Cases
A use-case is an elemental pattern of behavior as described by the user of a system; the use-cases in this
document are basic descriptions of important processes from the user's perspective. Based on the use-
cases selected, the tool provides recommended cybersecurity controls. Appendix D includes a table
summarizing the use-cases included in the tool. These are no longer visible to the user, but were
retained to maintain consistent mapping of controls.

Cybersecurity Controls
A security control is a measure to support effective cyber defense. Most of the controls in this document
are measures designed to reduce risk; they were developed from many industry standards which were
correlated, integrated, and enhanced. For example, multiple similar controls were merged into a single,
more comprehensive control. Some controls are complex and might resemble an administrative
program, a computer system, or an engineering design methodology. Many cybersecurity service
vendors provide computer systems to implement controls of greater complexity (e.g., network
monitoring tools). Appendix E provides a list of the cybersecurity controls developed for this document
and a table mapping the controls presented in Appendix E to the controls presented in the NIST
Cybersecurity Framework v1.1 is included as Appendix F.

Each control was assigned a priority level based on its criticality and potential impact to the security of
the utility. The recommended controls are categorized into priorities 1, 2, 3, and 4, with priority 1 being
the highest. For each recommended control, a reference is provided to a set of existing cybersecurity
standards. Priority levels are adapted from SANS 9 and are defined as follows:

• Priority 1 Controls – These controls represent the minimum level of acceptable security for PCS and
enterprise systems. If not already in place, these controls should be implemented immediately. In
some cases, they could be considered quick wins that provide solid risk reduction without major
procedural, architectural, or technical changes to an environment. Alternatively, a control may
provide substantial and immediate risk reduction against common attacks. Generally, these will be
cyber-hygiene measures. Utilities with many Priority 1 controls to implement will likely be reactive
to any cyber-attack.

• Priority 2 Controls – These controls build on those in the Priority 1 category. Despite being Priority
2, these controls have the potential to provide a significant and immediate increase in the security
of the organization. Generally, these will be more sophisticated cyber-hygiene measures to improve
the process, architecture, and technical capabilities of the utility. These improvements include
capabilities such as monitoring of networks and computer systems to detect attack attempts, locate
points of entry, identify already-compromised machines, interrupt infiltrated attackers' activities,
and gain information about the sources of an attack.

• Priority 3 Controls – These controls improve information security configuration and hygiene to
reduce the number and magnitude of security vulnerabilities and improve the operations of
networked computer systems, with a focus on protecting against poor security practices by system
administrators and end-users that could give an attacker an advantage. These controls lay the
foundation for sustained implementation of a managed security system. These controls include
more sophisticated longer-term approaches to managing cyber-risk including CIE and cyber supply
chain risk management.

• Priority 4 Controls – These controls are more complex and provide proactive protection against
more sophisticated attacks. These include new technologies, policies, and methods that provide
maximum security but are more complex and potentially more expensive than commoditized
security solutions.

9 SANS. CIS Critical Security Controls: Guidelines. https://www.sans.org/critical-security-controls/guidelines. Last accessed May 1, 2019.

Maturity is a concept that is widely used in other sectors. Generally, the maturity of an organization’s
cybersecurity posture is the extent to which a utility has implemented the recommended controls. It is
also reflective of a utility moving from a reactive to a proactive cybersecurity posture. Adapted from
SANS, 10 Figure 2 illustrates notional levels of maturity.

[Figure 2, a staircase of four maturity levels from lowest to highest: (1) Minimum Fiduciary
Responsibility Focused Hygiene; (2) More Sophisticated Hygiene, Promoting Awareness & Behavior
Change; (3) Long-Term Sustainment & Management Culture Change; (4) Proactive Cybersecurity
Posture.]

Figure 2. Conceptual Cybersecurity Maturity Levels of an Organization

The maturity levels in Figure 2 are comparable to Tiers 1 through 4 in the NIST Cybersecurity
Framework. The Tiers range from Tier 1 – Partial to Tier 4 - Adaptive. The Tiers describe the degree to
which a utility’s cybersecurity risk management practices exhibit the characteristics defined in the NIST
Cybersecurity Framework. 11
Using this guidance and the Assessment Tool, utilities should assess the controls in place and their
associated implementation status (i.e. maturity) on a recurring basis relative to the current and
anticipated needs of the organization, the current cybersecurity posture of the organization, and the
threat landscape. Broadly, the objective should be to continuously move from the minimum controls in
place for fiduciary responsibility and a reactive posture to a proactive posture.

10 SANS.org. https://www.sans.org/sites/default/files/10_24%20Blog%203%20Commandments.png. Last accessed May 1, 2019.
11 NIST Cybersecurity Framework. An Introduction to the Components of the Framework. https://www.nist.gov/cyberframework/online-learning/components-framework. Last accessed May 28, 2019.

Recommended Cybersecurity Practices and Improvement Projects


Each Practice Category identified in has numerous associated recommended controls and potential
improvement projects. Some additional details on potential improvement projects are provided below:

1. Governance and Risk Management


a. Develop a formal, written Cybersecurity Policy that addresses the specific operational needs
of PCS and enterprise systems.
b. Establish an Enterprise Risk Management strategy that associates cybersecurity investments
with enterprise business plans.
c. Perform a vulnerability assessment (e.g. CSET or physical assessment) on a regular basis.
d. To aid in developing contingency plans, maintain a current network asset inventory and
configuration baseline (“gold disk”) covering:
i. Applications
ii. Data
iii. Servers
iv. Workstations/HMI
v. Field devices (e.g. PLCs)
vi. Communications and network equipment
e. Develop and enforce hardware and software standards in order to limit the number of system
components
f. Develop standard specifications language that defines cybersecurity standards for inclusion
in all procurement packages for PCS and enterprise systems

2. Business Continuity and Disaster Recovery


a. Develop resilience plans including: Emergency Response Plan, Continuity of Operations Plan,
and/or Disaster Recovery/Business Continuity Plan. These plans should include:
i. Crisis Management Team (including at least one representative from executive
management) – with authority to declare an alert or a disaster and who monitors
and coordinates the necessary recovery activities.
ii. Manual overrides to allow temporary manual operations of key processes during an
outage or a cyber-attack.
iii. Strategies for system redundancy (or offline standby) to ensure key system
components can be restored within acceptable timeframes.
b. Ensure that corporate Emergency Response Plan, Continuity of Operations Plan, and/or
Disaster Recovery/Business Continuity Plan includes procedures and contact list for PCS and
enterprise systems.
c. Conduct exercises to test and revise plans and build organizational response capabilities.

d. Implement change management program for PLC software; maintain fully commented
backups for all PLC programs and test restore process on a periodic basis.
e. Implement change management program for enterprise systems with routine backups and
restoration exercises.
f. Test backup and recovery plans regularly.
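
Items 1d and 2d/2e above call for a maintained configuration baseline (“gold disk”) and for PLC and
enterprise backups whose restore process is actually tested. One concrete way to make a restore test
objective is to store a digest manifest alongside each backup and compare the restored tree against it.
The Python below is an added example, not from this guidance or any vendor tool: it builds a SHA-256
manifest of a directory, compares two manifests, and runs a constructed scenario (hypothetical file
names and contents) in which a restore has one corrupted file, one missing file and one stray file.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large PLC/HMI images are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, '/'-separated path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare(baseline, current):
    """Classify drift between two manifests as added, removed or modified paths."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in shared if baseline[p] != current[p]),
    }


def restore_ok(baseline, restored_root):
    """True only if the restored tree matches the baseline exactly."""
    return not any(compare(baseline, build_manifest(restored_root)).values())


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as handle:
        handle.write(data)


def demo():
    """Constructed scenario (hypothetical file names and contents): baseline a backup set,
    then verify a restore in which one file was corrupted, one is missing and one stray
    file appeared."""
    files = {  # constructed sample content, not real PLC programs
        "plc/pump_station_1.acd": b"ladder logic v12 - commented",
        "plc/pump_station_1.notes": b"rev 12: raised low-level alarm setpoint",
        "hmi/project.cfg": b"[hmi]\nscreens=overview,chemical_feed\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, "backup")
        for rel, data in files.items():
            _write(backup, rel, data)
        baseline = build_manifest(backup)

        # The manifest is stored alongside the backup (ideally signed or on write-once
        # media); here it simply round-trips through JSON.
        manifest_path = os.path.join(tmp, "manifest.json")
        with open(manifest_path, "w") as handle:
            json.dump(baseline, handle, indent=2, sort_keys=True)

        # Simulated restore onto a test system with three kinds of drift.
        restore = os.path.join(tmp, "restore")
        for rel, data in files.items():
            _write(restore, rel, data)
        _write(restore, "plc/pump_station_1.acd", b"ladder logic v12 - CORRUPTED")
        os.remove(os.path.join(restore, "plc", "pump_station_1.notes"))
        _write(restore, "hmi/stray.tmp", b"unexpected")

        with open(manifest_path) as handle:
            expected = json.load(handle)
        return {"ok": restore_ok(expected, restore),
                "drift": compare(expected, build_manifest(restore))}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A restore test that only checks “the PLC came back online” misses the corrupted program; the manifest
comparison makes the pass/fail criterion explicit and repeatable for the periodic test in item 2d.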

3. Server and Workstation Hardening


a. Implement whitelisting (allows only specified applications to execute on each specific
computer).
b. Maintain support contracts with HMI software vendor and implement antivirus, anti-
malware, and operating system patches in accordance with vendor’s direction.
c. Implement security patch management program with periodic vulnerability scanning.
d. Implement change management program for applications and infrastructure (routers, etc.)
e. Harden critical servers and workstations.
f. Remove local administrator rights, delete/disable default accounts (OS and application).
g. Rename Administrator account.
h. Disable USB, DVD, and other external media ports.
i. Disable auto-scan of removable media.

4. Access Control
a. Secure PCS and enterprise system access.
i. Physical access to facilities and equipment.
ii. Application access to key software functions.
iii. External access should be controlled. Address requirements for:
1. File exchange into or out of a network. Include system and software
updates.
2. Data exchange between PCS and enterprise systems such as email (alarms),
historical databases, CMMS, LIMS, etc.
3. Establish off-line or isolated system for testing and patch management,
including applications and device programs.
4. Identify what is required for remote access. Restrict remote access to
lowest level of privilege required.
iv. Vendor, contractor system access on plant (incl. package systems). Vendor or
contractor access to system should be manually initiated.
v. Equipment (e.g. network equipment, field devices) access
b. Secure remote access
i. Use VPN technologies to protect information in transit.
ii. Require multifactor authentication (e.g. tokens) for remote access to sensitive
functions.
iii. Limit access to only the minimal level required (e.g. view-only web page).

c. Implement multi-factor authentication for all workstations.
d. Laptops that are used to control PCS or program field devices should be dedicated to PCS use
only, with Internet connectivity disabled and all non-essential software removed.

5. Application Security
a. Require each PCS or enterprise system user to utilize unique credentials (usernames and
passwords) which provide only the required level of access needed to perform their job.
Establish policy for strength of password and periodic renewal. Implement automatic lock
out after adjustable number of failed log-in attempts.
b. Provide separate accounts for administrator and user functions. Do not allow users to
operate with administrator rights unless they are actually administering the system.
c. Provide separate credentials for PCS access compared to enterprise system access. Require
different passwords between systems.
d. Implement audit controls such as logging and monitoring of system access and modification.
e. Aggregate system logs and conduct frequent review of network, application and systems
events.
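
Items 5a, 5d and 5e above describe automatic lockout after repeated failed log-ins and frequent review
of aggregated access logs. The following Python script is an added example, not part of this guidance
or the AWWA tool: it parses a constructed, hypothetical key=value authentication log (the format is an
assumption; real HMI, Windows or syslog records need their own parser) and applies a sliding-window
review that flags an account reaching the lockout threshold, a successful log-in by an account that
should have been locked out, and one source failing against several different accounts (password
spraying). The threshold, window and spray count are illustrative parameters.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the guidance). The key=value layout is an assumption.
SAMPLE_LOG = """\
2019-09-04T08:00:01 host=HMI-01 user=operator1 src=10.10.1.15 result=SUCCESS
2019-09-04T08:02:11 host=HMI-01 user=operator1 src=10.10.1.15 result=FAILURE
2019-09-04T08:02:14 host=HMI-01 user=operator1 src=10.10.1.15 result=FAILURE
2019-09-04T08:02:17 host=HMI-01 user=operator1 src=10.10.1.15 result=FAILURE
2019-09-04T08:02:19 host=HMI-01 user=operator1 src=10.10.1.15 result=FAILURE
2019-09-04T08:02:21 host=HMI-01 user=operator1 src=10.10.1.15 result=FAILURE
2019-09-04T08:02:25 host=HMI-01 user=operator1 src=10.10.1.15 result=SUCCESS
2019-09-04T09:15:00 host=HMI-02 user=admin src=192.168.5.9 result=FAILURE
2019-09-04T09:15:02 host=HMI-02 user=engineer src=192.168.5.9 result=FAILURE
2019-09-04T09:15:03 host=HMI-02 user=operator2 src=192.168.5.9 result=FAILURE
2019-09-04T09:15:05 host=HMI-02 user=scada src=192.168.5.9 result=FAILURE
2019-09-04T09:15:06 host=HMI-02 user=backup src=192.168.5.9 result=FAILURE
2019-09-04T09:15:08 host=HMI-02 user=root src=192.168.5.9 result=FAILURE
2019-09-04T10:00:00 host=HMI-01 user=operator3 src=10.10.1.20 result=FAILURE
2019-09-04T10:30:00 host=HMI-01 user=operator3 src=10.10.1.20 result=FAILURE
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse key=value lines into event dicts; malformed lines are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def detect(events, threshold=5, window=timedelta(minutes=10), spray_users=4):
    """Sliding-window review of authentication events.

    LOCKOUT: one account on one host reaches `threshold` failures inside `window`.
    SUCCESS_AFTER_LOCKOUT: that account then logs in, so either the lockout policy is
    not enforced or the password was guessed.
    PASSWORD_SPRAY: one source fails against `spray_users` or more distinct accounts
    inside `window` (each account stays under its own lockout threshold).
    """
    alerts = []
    failures = defaultdict(deque)   # (host, user) -> timestamps of recent failures
    locked = set()                  # (host, user) keys that crossed the threshold
    by_source = defaultdict(deque)  # src -> (timestamp, user) of recent failures
    sprayed = set()                 # sources already reported

    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["user"])
        if ev["result"] == "FAILURE":
            recent = failures[key]
            recent.append(ev["ts"])
            while recent and ev["ts"] - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and key not in locked:
                locked.add(key)
                alerts.append({"type": "LOCKOUT", "host": ev["host"], "user": ev["user"],
                               "src": ev["src"], "at": ev["ts"]})

            per_src = by_source[ev["src"]]
            per_src.append((ev["ts"], ev["user"]))
            while per_src and ev["ts"] - per_src[0][0] > window:
                per_src.popleft()
            targets = {user for _, user in per_src}
            if len(targets) >= spray_users and ev["src"] not in sprayed:
                sprayed.add(ev["src"])
                alerts.append({"type": "PASSWORD_SPRAY", "src": ev["src"],
                               "users": sorted(targets), "at": ev["ts"]})
        else:
            if key in locked:
                alerts.append({"type": "SUCCESS_AFTER_LOCKOUT", "host": ev["host"],
                               "user": ev["user"], "src": ev["src"], "at": ev["ts"]})
            failures[key].clear()
            locked.discard(key)
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed log this yields three alerts: operator1 reaching the threshold on HMI-01, the
successful log-in that follows it, and a spray from 192.168.5.9 across four accounts. The two isolated
operator3 failures are 30 minutes apart and correctly produce nothing. SUCCESS_AFTER_LOCKOUT is the
one to chase first: if the lockout policy in 5a were enforced, that log-in could not have happened.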

6. Encryption
a. Implement device and/or storage encryption where theft or loss of a device is a possibility:
i. Smartphones, tablets containing sensitive system information.
ii. Laptops containing programs or other sensitive information.
iii. Equipment (e.g. administrator passwords).
iv. Removable media (e.g. tape, disk, USB removable storage).
b. Implement communications encryption:
i. Wireless communications should be encrypted where possible, regardless of type or
range.
ii. Wired communications over shared infrastructure (e.g. leased, shared) should be
encrypted using VPN technologies to protect sensitive information in transit.
c. Implement “best available” encryption.
i. Use strongest available encryption on existing equipment.
ii. Identify encryption requirements in specifications for new equipment.
d. Implement encryption of confidential data in on-line repositories.

7. Data Security
a. Implement appropriate measures to accept, process, store, and/or transmit customer billing
information. The Payment Card Industry (PCI) priorities include:
i. Remove sensitive authentication data and limit data retention.
ii. Protect systems and networks, and be prepared to respond to a system breach.
iii. Secure payment card applications.
iv. Monitor and control access to your systems.

v. Protect stored cardholder data.
vi. Finalize remaining compliance efforts, and ensure all controls are in place.
b. Implement controls to protect Personally Identifiable Information (PII)
i. Understand how PII is defined based on local, state, and federal statutes
ii. Develop a privacy policy.
iii. Develop a data breach response policy.
c. Implement controls to achieve and maintain HIPAA compliance
i. Establish a program to maintain minimal compliance with HIPAA requirements.
ii. Develop a privacy policy.
iii. Develop a data breach response policy.

8. Telecommunications, Network Security, and Architecture


a. Implement Layered Network Security with multiple levels of protection
i. Utilize stateful or application layer firewalls, filtering routers, packet filtering or
similar devices between networks.
ii. Implement Intrusion Detection/Prevention Systems to identify and alarm on or
block unauthorized access.
iii. Implement security information and event management (SIEM)/anomaly detection
to provide real-time monitoring of all PCS equipment and enterprise systems.
b. Implement network separation
i. Implement physical (e.g. dedicated hardware) and/or logical separation (IP subnets,
VLANs) to protect sensitive functions:
1. Between PCS, enterprise systems, and other networks.
2. Within PCS and enterprise systems:
a. Servers
b. HMI
c. Field equipment
d. Network management
e. Third party controlled equipment
3. Over shared communications equipment or links
c. Implement port-level security on all network devices.
d. Evaluate the risks and benefits of “pulling the plug” between PCS and the outside world.
e. Develop an architecture that will allow critical operations to continue if isolated.
f. Implement network management system to monitor system performance and identify
potential bottlenecks.
g. Document and periodically review PCS network architecture and enterprise system network
architecture (including definition of network boundaries).
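
As an added illustration of the layered, default-deny separation in 8a and 8b (not from the guidance
and not tied to any firewall product), the Python below models a firewall policy as ordered rules
between zones, evaluates a flow with first-match and default-deny semantics, and lints a rule set for
permits that contradict these practices: any/any permits, direct enterprise-to-PCS access that bypasses
the DMZ, PCS-initiated connections to the Internet, and PCS equipment sending email (see Operations
Security below). The zone addressing, both rule lists and the port choices are all hypothetical. A weak
rule set and a hardened one are shown side by side.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical zone addressing (an assumption for the example, not from the guidance).
ZONES = {
    "PCS": ["10.10.0.0/16"],
    "PCS_DMZ": ["10.20.0.0/24"],
    "ENTERPRISE": ["192.168.0.0/16"],
    "INTERNET": ["0.0.0.0/0"],  # catch-all, so it must be checked last
}
ZONE_ORDER = ("PCS", "PCS_DMZ", "ENTERPRISE", "INTERNET")
MAIL_PORTS = {25, 110, 143, 587, 993, 995}


@dataclass
class Rule:
    action: str            # "permit" or "deny"
    src: str               # CIDR
    dst: str               # CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None means any destination port


def zone_of_network(cidr):
    """Zone that fully contains the CIDR; 0.0.0.0/0 is reported as ANY, not INTERNET."""
    net = ipaddress.ip_network(cidr)
    if net.prefixlen == 0:
        return "ANY"
    for name in ZONE_ORDER:
        if any(net.subnet_of(ipaddress.ip_network(z)) for z in ZONES[name]):
            return name
    return "INTERNET"


def matches(rule, src, dst, proto, dport):
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.dport in (None, dport))


def evaluate(rules, src, dst, proto, dport):
    """First-match evaluation with an implicit default deny."""
    for rule in rules:
        if matches(rule, src, dst, proto, dport):
            return rule.action
    return "deny"


def lint(rules):
    """Flag permit rules that contradict the segmentation practices in 8a, 8b, 8d and 11a."""
    findings = []
    for index, rule in enumerate(rules):
        if rule.action != "permit":
            continue
        src_zone, dst_zone = zone_of_network(rule.src), zone_of_network(rule.dst)
        reason = None
        if "ANY" in (src_zone, dst_zone) and rule.proto == "any" and rule.dport is None:
            reason = "any/any permit defeats layered filtering"
        elif src_zone == "PCS" and dst_zone in ("INTERNET", "ANY"):
            reason = "PCS may initiate connections to the Internet"
        elif src_zone in ("ENTERPRISE", "INTERNET", "ANY") and dst_zone == "PCS":
            reason = "inbound to PCS bypasses the DMZ"
        elif src_zone == "PCS" and dst_zone == "ENTERPRISE" and rule.dport in MAIL_PORTS:
            reason = "email from PCS equipment should be blocked"
        if reason:
            findings.append({"rule": index, "reason": reason})
    return findings


# Constructed rule sets. Comments describe the intent of each hypothetical rule.
WEAK_RULES = [
    Rule("permit", "10.10.0.0/16", "10.20.0.0/24", "tcp", 1433),     # historian push PCS -> DMZ
    Rule("permit", "192.168.0.0/16", "10.20.0.0/24", "tcp", 443),    # enterprise reads DMZ historian
    Rule("permit", "192.168.50.0/24", "10.10.0.0/16", "tcp", 3389),  # RDP straight into PCS
    Rule("permit", "10.10.0.0/16", "0.0.0.0/0", "tcp", 443),         # PCS browsing the Internet
    Rule("permit", "10.10.0.0/16", "192.168.1.0/24", "tcp", 25),     # PCS sending email directly
    Rule("permit", "0.0.0.0/0", "0.0.0.0/0", "any", None),           # catch-all permit
]

HARDENED_RULES = [
    Rule("permit", "10.10.0.0/16", "10.20.0.0/24", "tcp", 1433),     # historian push PCS -> DMZ
    Rule("permit", "192.168.0.0/16", "10.20.0.0/24", "tcp", 443),    # enterprise reads DMZ historian
    Rule("permit", "10.20.0.0/24", "192.168.1.0/24", "tcp", 25),     # DMZ relay forwards alarm email
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None),             # explicit, logged default deny
]


if __name__ == "__main__":
    for finding in lint(WEAK_RULES):
        print("WEAK rule", finding["rule"], ":", finding["reason"])
    print("hardened findings:", lint(HARDENED_RULES))
    print("enterprise RDP into PCS (hardened):",
          evaluate(HARDENED_RULES, "192.168.50.5", "10.10.1.5", "tcp", 3389))
```

The hardened list keeps the same operational traffic (historian data, alarm email) but routes it through
the DMZ, so enterprise-initiated sessions into PCS and PCS-initiated sessions to the Internet fall
through to the explicit deny. Real firewalls also need the deny rule to log, which is what feeds the
IDS/SIEM monitoring in 8a.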

9. Physical Security of PCS Equipment
a. Control access to:
i. Unused network ports
ii. Removable media
iii. Equipment cabinets and closets
iv. Control room
v. Facilities
vi. Communications pathways

10. Service Level Agreements


a. Identify all external dependencies and establish written Service Level Agreements and
support contracts with internal and external support organizations to clearly identify
expectations for response time and restoration of shared or leased network infrastructure
and services, including equipment or services provided by:
i. Equipment or service managed by IT departments
ii. PCS vendors
iii. Telecommunications and Internet providers
iv. Power sources/power supply (within facilities)
v. System vendors
vi. System integrators
b. Leverage procurement policies to limit number of external support organizations.
c. Establish SLAs with staff and contracted employees for responsiveness and agreement to
respond in emergency conditions.

11. Operations Security (OPSEC)


a. Provide clear demarcation between business and PCS functions. Isolate all non-PCS
functions and block access from PCS equipment to:
i. Internet browsing
ii. Email
iii. Any other non-PCS access to remote systems or services
b. Implement mobile device and portable media controls.

12. Cyber Informed Engineering


a. Conduct a consequence / impact analysis to prioritize scenarios.
b. Design and implement a system architecture to limit the potential impacts of an attack.
c. Include engineered controls in addition to traditional IT controls.
d. Simplify system design to the extent practical.
e. Conduct resilience planning to improve response and recovery actions.
f. Control information on the engineering of the system to prevent unwanted distribution.
g. Control procurement processes.

h. Control system interdependencies.
i. Establish and maintain a cyber-aware culture of employees, contractors, and visitors.
j. Complete a digital asset inventory to document hardware, software, and firmware currently
in use.

13. Education
a. Implement a cybersecurity awareness program that includes social engineering.
b. Provide on-going cross training for enterprise system and PCS staff that identifies current
best practices and standards for PCS cybersecurity.
c. Provide basic network and radio communications training for PCS technicians.
d. Participate in water sector programs that facilitate cybersecurity knowledge transfer.
e. Identify appropriate certifications for internal and external staff. Include certification
requirements in SLAs and contracts with external service providers.
f. Provide periodic security awareness training to all employees that identifies risky behaviors
and threats.
g. Promote information sharing within your organization.

14. Personnel Security


a. Implement a personnel security program for internal and contracted personnel that
includes:
i. Training
ii. Periodic background checks
b. Require annual and new employee signoff on cybersecurity policy(ies), which includes
agreeing to a confidentiality statement

AWWA Assessment Tool Output


The AWWA Assessment Tool currently produces an automatically generated output file to help utilities
both achieve compliance and improve their cybersecurity posture. This file is designed to facilitate a
cycle of improvement through an easily repeatable and documentable process. These outputs are
detailed in the following sections.
This output is automatically generated as a Microsoft Excel spreadsheet workbook. This file is designed
to support utilities with compliance requirements of AWIA §2013. In addition, the output file is
formatted in a manner to support building an improvement plan. Use of this output file involves the
following steps:
• Step 1. Select the implementation status of each recommended control from a drop-down list
on the RRA-Control Output tab.
• Step 2. Review the results on the RRA-Control Status Summary tab.
• Step 3. On the ERP-Improvement Projects tab, select the table column headers, navigate to the
Data tab at the top of the spreadsheet, and select the Filter tool in your Excel ribbon. On the
Control Status column, click the filter icon in the cell and select "Partially Implemented"
and "Planned and Not Implemented." On the Priority column select "Sort Smallest to Largest."
Sorting by Control Status and Priority allows the user to identify the highest priority
recommended controls for implementation. Additional grouping of the recommended controls
may be done by sorting the "Improvement Projects" column.
• Step 4. Use the Project Implementation Form to design cybersecurity improvement projects.
• Step 5. Complete the Declaration of Due Diligence for communication with utility leadership and
for documenting compliance.
• Step 6. Print the results for inclusion with compliance documentation, communication with
stakeholders, and improvement project/risk and resilience management strategy development.
There are seven tabs in the file, including:
Tab 1. Start Here – This tab provides context and high-level instructions for the use of the output
file.
Tab 2. RRA-Control Output – This summarizes the recommended cybersecurity controls, provides
users the functionality to document the recommended cybersecurity control status, and
identifies improvement projects. This tab is designed to facilitate compliance with the RRA
requirements included in AWIA §2013. This is the only tab that requires user input.
Tab 3. RRA-Control Status Summary – This tab provides two tables. The first summarizes the
recommended controls’ status by priority. This is shown in a “heat map” format to visually
indicate the number of controls of various priority and their associated status. The second
table identifies the number of controls associated with each improvement project
categories as identified in the guidance document. These projects account for
recommended controls where the user indicated “Partially Implemented” or “Planned and
Not Implemented” on the RRA-Control Output tab.
Tab 4. ERP-Improvement Projects – This tab provides two tables. The first is the same as the
second table on tab 3. The second table is a sorted version of the controls summarized on
tab 2. The intent of this second table is to allow the user to aggregate controls into projects.
This table provides Priority 1 controls across each practice area. This tab is designed to
facilitate compliance with the ERP requirements included in AWIA §2013. Mitigation
strategies and resources may include equipment, policies and people. Once controls are
aggregated into projects on this sheet, these may be grouped together using the Project
Implementation Form included as tab 5.
Tab 5. Project Implementation Form – This is an optional sample project planning form. Full
completion of the information in this form will facilitate successful project delivery.
Tab 6. Declaration of Due Diligence – The optional draft form is provided for use with the AWWA
Assessment Tool output. The draft text is intended to facilitate communication with utility
decision makers and support long-term cybersecurity risk management.
Tab 7. User Answer Summary – This tab provides a summary of AWWA Assessment Tool questions
and associated user answers. Also included on this tab is a control status summary table.
This table is presented in a “heat map” format to visually indicate the importance of
controls by priority and status.
Additional details for the RRA-Control Output (Tab 2) and ERP-Improvement Projects (Tab 4) tabs are
provided in the following sections.
RRA-Control Output Tab
The RRA-Control Output tab is designed to facilitate compliance with the RRA requirements included in
AWIA §2013 by supporting “…assessment of the risks to, and resilience of, its system.” This tab lists each
of the controls recommended by the tool based on the user inputs. The recommended controls are
categorized into Priorities 1, 2, 3, and 4, with Priority 1 being the highest. For each control, there are
multiple columns that are available to the user to provide documentation of the level of implementation
of each control at their organization.

Within this tab, the Control Status column is the only column that requires additional user input. The
cells requiring input are colored blue for identification purposes. The user must select the
implementation status of the recommended control within the utility/system/facility under evaluation.
The options for implementation levels include:
1. Not Planned and/or Not Implemented – Risk Accepted – The control is not currently
implemented or planned for implementation. The organization accepts risks associated with the
control not being implemented.
2. Planned and Not Implemented – The control has not been implemented. However,
implementation of the control is planned.
3. Partially Implemented – The control is partially implemented by internal or external resources.
4. Fully Implemented and Maintained – The control is fully implemented and actively maintained
by internal or external resources.
Utility staff should use the output to document controls already in place and those that are most
important to implement. This will likely require working with additional stakeholders to document the
state of implementation of the various recommended controls. Improvement project categories are
provided for each recommended control.
ERP-Improvement Projects Tab (Tab 4)
This tab is designed to facilitate compliance with the ERP requirements included in AWIA §2013 (b)
“Emergency Response Plan”, including:
• “(1) strategies and resources to improve the resilience of the system, including the physical
security and cybersecurity of the system;”
• “(2) plans and procedures that can be implemented, and identification of equipment that can be
utilized, in the event of a malevolent act or natural hazard that threatens the ability of the
community water system to deliver safe drinking water;”
• “(3) actions, procedures, and equipment which can obviate or significantly lessen the impact of
a malevolent act or natural hazard on the public health and the safety and supply of drinking
water provided to communities and individuals, including the development of alternative source
water options, relocation of water intakes, and construction of flood protection barriers; and”
• “(4) strategies that can be used to aid in the detection of malevolent acts or natural hazards that
threaten the security or resilience of the system.”
There are two tables within this output tab. The first is the Cyber Resilience Improvement Projects table.
This table identifies improvement projects and the associated number of controls. Additional rows are
available for user-identified projects. These projects address all recommended controls where the user
indicated “Partially Implemented” or “Planned and Not Implemented.”
The second table is the Control Summary. This table provides a summary of controls and levels of
implementation from user input on the RRA-Control Output tab. This is provided in a heat map format
to allow a utility to easily see a high-level control summary organized by control status and priority.
Utility staff should use this output to create an implementation strategy for the most important controls
identified on the RRA-Control Output tab. It is important to note that this will likely require working
with additional stakeholders to document a strategy for implementation of additional controls.
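
The filtering and sorting described in Steps 1 through 3 and in the descriptions of Tabs 3 and 4 can
also be reproduced outside Excel, for example when the workbooks of several facilities are being
combined. The Python below is an added example (not part of the AWWA Assessment Tool) that reads a
constructed CSV export of the RRA-Control Output tab with hypothetical control identifiers, builds the
priority-by-status heat map, produces the prioritized backlog of partially implemented and planned
controls grouped by improvement project, and separately lists Priority 1 controls marked as risk
accepted, which this guidance treats as the minimum acceptable level of security. The column names
and status labels are assumptions that must match the workbook’s actual headings and drop-down text.

```python
import csv
import io
from collections import Counter

# Status labels are assumed to match the workbook drop-down text exactly (hyphen shown here).
NOT_PLANNED = "Not Planned and/or Not Implemented - Risk Accepted"
PLANNED = "Planned and Not Implemented"
PARTIAL = "Partially Implemented"
FULL = "Fully Implemented and Maintained"
STATUSES = (NOT_PLANNED, PLANNED, PARTIAL, FULL)
ACTIONABLE = {PARTIAL, PLANNED}   # the two statuses the ERP tab rolls into projects
PRIORITIES = (1, 2, 3, 4)

# Constructed stand-in for the RRA-Control Output tab saved as CSV. Control IDs are
# hypothetical; project names are the practice categories from this guidance.
SAMPLE_CSV = """\
Control,Improvement Project,Priority,Control Status
AC-1,Access Control,1,Partially Implemented
AC-2,Access Control,2,Fully Implemented and Maintained
GR-1,Governance and Risk Management,1,Planned and Not Implemented
GR-2,Governance and Risk Management,3,Not Planned and/or Not Implemented - Risk Accepted
NS-1,"Telecommunications, Network Security, and Architecture",1,Partially Implemented
NS-2,"Telecommunications, Network Security, and Architecture",2,Planned and Not Implemented
ED-1,Education,4,Partially Implemented
CIE-1,Cyber Informed Engineering,3,Fully Implemented and Maintained
PS-1,Physical Security of PCS Equipment,1,Not Planned and/or Not Implemented - Risk Accepted
"""


def load_rows(csv_text):
    """Parse the export, coercing priority to int and rejecting unknown status text."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["Priority"] = int(row["Priority"])
        if row["Control Status"] not in STATUSES:
            raise ValueError(f"{row['Control']}: unknown status {row['Control Status']!r}")
        rows.append(row)
    return rows


def status_heatmap(rows):
    """Counts by priority and status (the RRA-Control Status Summary heat map)."""
    grid = {p: {s: 0 for s in STATUSES} for p in PRIORITIES}
    for row in rows:
        grid[row["Priority"]][row["Control Status"]] += 1
    return grid


def improvement_backlog(rows):
    """Partially implemented and planned controls, Priority 1 first, grouped by project."""
    backlog = [r for r in rows if r["Control Status"] in ACTIONABLE]
    return sorted(backlog, key=lambda r: (r["Priority"], r["Improvement Project"], r["Control"]))


def project_counts(rows):
    """Number of actionable controls per improvement project (ERP tab, first table)."""
    return dict(Counter(r["Improvement Project"] for r in improvement_backlog(rows)))


def accepted_priority1(rows):
    """Priority 1 controls marked risk-accepted. The guidance treats Priority 1 as the
    minimum acceptable level, so each of these deserves an explicit leadership decision."""
    return [r["Control"] for r in rows
            if r["Priority"] == 1 and r["Control Status"] == NOT_PLANNED]


if __name__ == "__main__":
    data = load_rows(SAMPLE_CSV)
    for priority, counts in status_heatmap(data).items():
        print(priority, counts)
    for r in improvement_backlog(data):
        print(r["Priority"], r["Improvement Project"], r["Control"])
    print(project_counts(data))
    print("Priority 1 risk accepted:", accepted_priority1(data))
```

The risk-accepted Priority 1 list is the one addition over what the workbook filters show; it is the
natural input to the Declaration of Due Diligence on Tab 6, since those are the accepted risks
leadership is signing for.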

REFERENCE STANDARDS
To provide the user with more detailed information on the steps necessary to implement the
recommended cybersecurity controls, specific references to existing AWWA, NIST, and International
Society of Automation (ISA) standards are provided. The references provide the specific paragraph or
section number in the referenced standard in which the applicable information can be found. Table 3
provides a list of the referenced standards. Each standard listed is publicly available; however, access to
several of the standards listed below requires payment.
Table 3. List of Standards & Guidance

Name | Version/Revision | Date
ANSI/AWWA G430-14 | Security Practices for Operation and Management | November 2014
ANSI/AWWA G440-17 | Emergency Preparedness Practices | August 2017
AWWA J100-10 (R13) | Risk and Resilience Management of Water and Wastewater Systems | 2013
AWWA Manual M19 | Emergency Planning for Water and Wastewater Utilities, Fifth Edition | 2018
DHS-CAT | U.S. Department of Homeland Security (DHS) Catalog of Control Systems Security: Recommendations for Standards Developers | April 2011
DHS ICS-CERT | Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies | September 2016
HIPAA | 45 Code of Federal Regulations (CFR) Part 160 and Part 164 | August 2002
INL CIE | Cyber-Informed Engineering | March 2017
ISA 62443-1-1 | Security for Industrial Automation and Control Systems Part 1-1: Terminology, Concepts, and Models | October 2007
ISA 62443-2-1 | Security for Industrial Automation and Control Systems Part 2-1: Establishing an Industrial Automation and Control Systems Security Program | January 2009
ISA TR62443-2-3-2015 | Security for industrial automation and control systems Part 2-3: Patch management in the IACS environment | 2015
ISA 62443-3-3 | Security for industrial automation and control systems Part 3-3: System security requirements and security levels | August 2013
ISA-62443-4-1-2018 | ANSI/ISA-62443-4-1-2018, Security for industrial automation and control systems Part 4-1: Product security development life-cycle requirements | 2018
ISA-62443-4-2-2018 | Security for industrial automation and control systems Part 4-2: Technical security requirements for IACS components | 2018
ISO/IEC 27001 | Information technology — Security techniques — Information security management systems — Requirements | October 2013
ISO/IEC 27003 | Information technology — Security techniques — Information security management system implementation guidance | February 2010
ISO/IEC 27005 | Information technology — Security techniques — Information security risk management | June 2011
PCI-DSS v3.2.1 | Payment Card Industry – Data Security Standard | May 2018
NIST Cybersecurity Framework | Cybersecurity Framework v1.1 | April 2018
NIST 800-34r1 | Contingency Planning Guide for Federal Information Systems | May 2010
NIST 800-53r4 | Security and Privacy Controls for Federal Information Systems and Organizations | April 2013
NIST 800-61r2 | Computer Security Incident Handling Guide | August 2012
NIST 800-82r2 | Guide to Industrial Control Systems (ICS) Security | May 2015
NIST 800-124r1 | Guidelines for Managing the Security of Mobile Devices in the Enterprise | June 2013
NIST 800-161 | Supply Chain Risk Management Practices for Federal Information Systems and Organizations | April 2015
Various | State specific data breach laws | Various

Appendix A: America’s Water Infrastructure Act (AWIA) of 2018 §2013
SEC. 2013. COMMUNITY WATER SYSTEM RISK AND RESILIENCE.
(a) Risk and Resilience Assessments.-
(1) In general.-- Each community water system serving a population of greater than 3,300
persons shall conduct an assessment of the risks to, and resilience of, its system. Such an
assessment—
(A) shall include an assessment of—
(i) the risk to the system from malevolent acts and natural hazards;
(ii) the resilience of the pipes and constructed conveyances, physical barriers, source
water, water collection and intake, pretreatment, treatment, storage and distribution
facilities, electronic, computer, or other automated systems (including the security of
such systems) which are utilized by the system;
(iii) the monitoring practices of the system;
(iv) the financial infrastructure of the system;
(v) the use, storage, or handling of various chemicals by the system; and
(vi) the operation and maintenance of the system; and
(B) may include an evaluation of capital and operational needs for risk and resilience
management for the system.
(2) Baseline information.--The Administrator, not later than August 1, 2019, after consultation
with appropriate departments and agencies of the Federal Government and with State and local
governments, shall provide baseline information on malevolent acts of relevance to community
water systems, which shall include consideration of acts that may--
(A) substantially disrupt the ability of the system to provide a safe and reliable supply of
drinking water; or
(B) otherwise present significant public health or economic concerns to the community
served by the system.
(3) Certification.—
(A) Certification.--Each community water system described in paragraph (1) shall submit to
the Administrator a certification that the system has conducted an assessment complying
with paragraph (1). Such certification shall be made prior to—
(i) March 31, 2020, in the case of systems serving a population of 100,000 or more;
(ii) December 31, 2020, in the case of systems serving a population of 50,000 or more
but less than 100,000; and
(iii) June 30, 2021, in the case of systems serving a population greater than 3,300 but
less than 50,000.
(B) Review and revision.--Each community water system described in paragraph (1) shall
review the assessment of such system conducted under such paragraph at least once
every 5 years after the applicable deadline for submission of its certification under
subparagraph (A) to determine whether such assessment should be revised. Upon
completion of such a review, the community water system shall submit to the
Administrator a certification that the system has reviewed its assessment and, if
applicable, revised such assessment.

(4) Contents of certifications.--A certification required under paragraph (3) shall contain only--
(A) information that identifies the community water system submitting the certification;
(B) the date of the certification; and
(C) a statement that the community water system has conducted, reviewed, or revised the
assessment, as applicable.
(5) Provision to other entities.--No community water system shall be required under State or
local law to provide an assessment described in this section (or revision thereof) to any State,
regional, or local governmental entity solely by reason of the requirement set forth in
paragraph (3) that the system submit a certification to the Administrator.
(b) Emergency Response Plan.--Each community water system serving a population greater than
3,300 shall prepare or revise, where necessary, an emergency response plan that incorporates
findings of the assessment conducted under subsection (a) for such system (and any revisions
thereto). Each community water system shall certify to the Administrator, as soon as reasonably
possible after the date of enactment of America's Water Infrastructure Act of 2018, but not later
than 6 months after completion of the assessment under subsection (a), that the system has
completed such plan. The emergency response plan shall include—
(1) strategies and resources to improve the resilience of the system, including the physical
security and cybersecurity of the system;
(2) plans and procedures that can be implemented, and identification of equipment that can be
utilized, in the event of a malevolent act or natural hazard that threatens the ability of the
community water system to deliver safe drinking water;
(3) actions, procedures, and equipment which can obviate or significantly lessen the impact of a
malevolent act or natural hazard on the public health and the safety and supply of drinking
water provided to communities and individuals, including the development of alternative source
water options, relocation of water intakes, and construction of flood protection barriers; and
(4) strategies that can be used to aid in the detection of malevolent acts or natural hazards that
threaten the security or resilience of the system.

Appendix B: Network Architecture Reference Diagram and Definitions


PCS and enterprise system architecture introduces an extensive list of new terminology that users of this guidance document and the AWWA Assessment Tool need to learn and understand. The Industrial Control System – Computer Emergency Response Team (ICS-CERT) has provided an exceptional resource for PCS owners and operators to refer to. The secure architecture design in Figure 3 [12] “is the result of an evolutionary process of technology advancement and increasing cyber vulnerability presented in the Recommended Practice document, Control Systems Defense in Depth Strategies.” [13] While this material is directed specifically at PCS owners and operators, much of the terminology applies equally to enterprise systems.

[12] ICS-CERT. Secure Architecture Design. https://ics-cert.us-cert.gov/Secure-Architecture-Design#nogo. Last accessed May 1, 2019.
[13] DHS. Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies. September 2016. https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf. Last accessed May 1, 2019.

Figure 3. Secure Architecture Design

Appendix C: User Interface Questions

(Each question is answered Yes or No. The additional details define the scope of the question.)

1. Are any data transferred to or from your PCS network, by any electronic means?
Additional details: Examples of electronic data transfer include both automatic (e.g. automated export of data from the PCS environment) and manual (e.g. transfer of data to/from the PCS environment via thumb drive). Examples of data that may be transferred include:
• Water quality data collected by the PCS and transferred for regulatory reporting
• Asset performance data for asset management
• Operating system / software patches and updates

2. Do users manually transfer any electronic data to or from your PCS environment?
Additional details: Users include anyone internal or external with access to the PCS. This may include operators, technicians, and third-party consultants. Users are able to initiate transfer of data to and from the PCS. Examples of manual data transfer include:
• USB
• Portable media device
• Temporary network connections (an ad hoc network connection for transferring data from one computer to another)
• Shared drives
• Cloud file share (e.g. DropBox)

3. Are any electronic data transferred to or from your PCS environment using an automated process, without user interaction?
Additional details: Examples of automated transfer of data include:
• Automated software or firmware updates
• Licensing
• Operating System updates
• Antivirus signatures
• Database transfer
• Network monitoring by devices external to the PCS

4. Are any users allowed to access your PCS environment remotely?
Additional details: Users include any personnel with internal or external access to the PCS environment. These may include operators, technicians, and third-party consultants. Devices can be any network enabled device, either corporate supplied or personal. Examples of remote access include:
• Operations staff access the PCS environment from a mobile device. This includes web view and read only.
• Users have access to a remote physical site using any non-PCS environment.

5. Is remote access to your PCS network allowed via mobile devices?
Additional details: Devices can be any network enabled device, either corporate supplied or personal. This includes web view and read only. Examples of mobile devices include:
• Laptops
• Tablets
• Cellphones
• Smart Phones

6. Is remote access to your PCS allowed at physically secured fixed location(s)?
Additional details: Examples of remote access from a physically secured fixed location include:
• Control center managing remote sites
• Control center remotely managing a treatment center
• Office desktop computer
• Computer at a secured office used for managing a remote booster station

7. Do you use resources outside your organization to support and/or maintain your PCS environment?
Additional details: Examples of resources outside of the organization supporting and/or maintaining your PCS environment include:
• Subsystems owned and operated by a 3rd party
• Systems Integrators
• Equipment Manufacturers
• Consultants
• Vendors

8. Do resources (e.g. service providers) outside your organization provide PCS support via remote access?
Additional details: Examples of resources outside your organization providing support by remote access include:
• "Black box" solution vendor - "Black box" refers to a piece of equipment on a network with contents and/or function that are unknown to the user/owner/operator.
• Vendor panel solution - Vendor panel refers to a control panel provided by a vendor to monitor or operate a treatment or distribution process. For example: a vendor provided ultrafiltration unit would have an accompanying control panel to control the ultrafiltration process.
• Network administration, from external sources.

9. Do internal staff provide support for your PCS via remote access?
Additional details: Remote access is from outside (for example, from home) of the controlled or control room environments. Devices can be any smart phone, tablet, or laptop, either corporate supplied or personal. Examples of internal staff providing support by remote access include:
• Remote operation and monitoring
• Remote troubleshooting

10. Are all changes or updates made to your PCS environment first tested in a development, testbed, non-production, and/or training environment prior to being deployed and implemented in the field/production environment?
Additional details:
• These changes/updates include any programming of logic controllers, human machine interfaces, instrumentation, or any devices involved with the PCS.
• System changes or updates do not negatively impact PCS operation.
• PCS changes are tested in a non-production environment before they are made in the field/production environment.
• Testing is performed to ensure the proper operation and interaction with other system components before deployment.
• Changes or updates may be made by either internal or external resources.

11. Does your PCS include 3rd party network communication services?
Additional details: Examples of 3rd party network communications services include:
• Cellular (3G, 4G, 5G)
• Dedicated leased line (copper, fiber)
• Communication over internet
• City/county communication network not dedicated to PCS

12. Does your PCS network use licensed or unlicensed wireless radios between facilities?
Additional details: Unlicensed wireless spectrum frequencies – Unlicensed wireless devices operate in one of the frequency bands set aside by the Federal Communications Commission (FCC) for industrial, scientific or medical (ISM) applications. Frequencies within the unlicensed wireless spectrum are free to use.
Licensed wireless spectrum frequencies – Frequencies or frequency bands designated by the Federal Communications Commission (FCC) as reserved for organizations with licenses.
Examples of licensed or unlicensed wireless spectrum services include:
• Radio - 450MHz
• Radio - 900MHz
• WiFi - 2.4GHz
• WiFi - 5GHz
• WiFi - 6GHz
• Microwave

13. Does your PCS share a LAN or WAN with non-PCS equipment?
Additional details: Examples of non-PCS equipment include:
• Security cameras
• Access control equipment
• Enterprise network services at a facility with a shared communication path
• Voice over Internet Protocol (VOIP)
• Fire Alarms
• Vault or Panel Intrusion Alarms

14. Do you use Wi-Fi within the PCS environment to transfer data in support of operations or monitoring?
Additional details:
• Does your PCS communication network have wireless access points?
• Wi-Fi is defined in IEEE 802.11

15. Do you use virtualization technology for your PCS?
Additional details: Virtualization Technology – Technology capable of creating a virtual (rather than actual) version of something, including virtual computer hardware platforms, storage devices, and computer network resources. Examples of virtualization technology include:
• VMware
• Oracle VM
• HyperV

16. Is the virtualization technology dedicated to PCS only?
Additional details: Virtualization Technology – Technology capable of creating a virtual (rather than actual) version of something, including virtual computer hardware platforms, storage devices, and computer network resources.
• A separate physical host(s) is used for PCS virtual machines.
• All non-PCS virtual machines reside on non-PCS physical host(s).

17. Does your organization accept, process, store or transmit credit card or debit card information, or accept payment with pre-paid cards branded with American Express, Discover, JCB, MasterCard or Visa International logos?
Additional details: This information may be collected and stored for service payment purposes. Using a third-party company for processing PCI may cut down on risk exposure but does not exclude a company from PCI DSS compliance. Customer billing information including:
• Credit/debit card numbers
• Credit/debit card numbers with name, expiration date or service code
• Sensitive authentication data (including magnetic stripe, PINs, CVV, etc.)
NOTE: Includes organizations that have outsourced payment services.

18. Does your organization own, license, acquire or maintain any personally identifiable information (PII)?
Additional details: PII is any information that may be used to identify an individual. This includes customers, employees, and contractors. Examples of PII include:
• Customer billing information and addresses
• Employee personal information, including SSN, birthdate, etc.
Each state has its own data breach notification law(s) regarding PII. Depending on the state statute, a non-exhaustive list of possible examples may include (alone or in conjunction with other information) tax identification numbers, social security numbers, government issued identification numbers, account numbers, health information, email addresses in conjunction with a password, unique biometric information, etc.

19. Is your organization an employer that creates or receives health information that is HIPAA protected?
Additional details: HIPAA defines protected health information (written, electronic, or oral) as information, including demographic data, that identifies an individual (or there is a reasonable basis to believe it can identify an individual) and that relates to:
• the individual’s past, present or future physical or mental health or condition,
• the provision of health care to the individual, or
• the past, present, or future payment for the provision of health care to the individual.
Examples of HIPAA protected information include:
• Employee medical records
• Employee vaccine records
• Health and safety records may include HIPAA protected records
• Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

20. Is your organization responsible for the engineering design and implementation of critical infrastructure?
Additional details: The water/wastewater sector is defined as critical infrastructure by the federal government (42 U.S.C. 5195(e)). Examples of holding responsibility for engineering services include:
• Utility has an internal engineering department
• Utility hires engineering consultants
• You are part of a stakeholder organization that has internal resources or hires external resources to design and implement critical infrastructure

21. Does your organization have a supply chain risk management program?
Additional details: Do you currently require your supplier to provide any chain-of-custody documents? An example of a supply chain risk management program includes ordering and confirming that treatment chemicals are NSF certified.

22. Does your organization have a supply chain risk management program that specifically addresses cybersecurity?
Additional details: Does the supply chain risk management program specify how delivery of procured products – hardware, software, and/or data – will be validated and monitored to ensure their integrity? Examples of specifically addressing cybersecurity in supply chain risk management include:
• Documenting information protection practices of the supplier
• Integrity management program for components provided by sub-suppliers
• Supplier contracts include appropriate language to meet objectives of the organization’s cybersecurity program

Appendix D: Cybersecurity Use-Cases
Code | Use Case | Description

Architecture
AR1 | Dedicated Process Control Network | All network and communications infrastructure is dedicated exclusively to SCADA with no equipment or communications paths shared with non-SCADA networks.
AR2 | Shared WAN | Network wide-area communications infrastructure is shared with some non-SCADA networks.
AR3 | Shared LAN | Network local-area communications (within control system) is shared with non-SCADA networks.
AR4 | Unlicensed wireless Wide-Area (site-to-site) Network | Network wide-area communications fully or partially comprised of wireless links using unlicensed (ISM 900 MHz, 2.4 or 5 GHz) spectrum.
AR5 | Licensed wireless Wide-Area (site-to-site) Network | Network wide-area communications fully or partially comprised of wireless links using licensed spectrum.
AR6 | Communications via Internet | Network wide-area communications fully or partially comprised of links over Internet services using public address space.
AR7 | Communications via 3rd party carrier | Network wide-area communications fully or partially comprised of links over 3rd party carrier services (e.g. cellular, Metro-E/Ethernet/LAN).
AR8 | Dedicated process control server virtualization | Virtualized server infrastructure dedicated to SCADA/Process Control with no equipment shared with non-SCADA/Process Control systems.
AR9 | Shared server virtualization | Virtualized server infrastructure shared between SCADA/Process Control and non-SCADA/Process Control systems.
AR10 | 802.11 Wireless used in Control System | 802.11 unlicensed wireless technologies used within control system.
AR11 | Connection to non-SCADA Network | Connection to non-SCADA network through direct connection or firewall/DMZ.

Network Management & System Support
NM1 | Local network management and system support by SCADA/Process Control personnel in physical proximity of equipment | Access to configure network infrastructure located in immediate vicinity of user (serial or network) by SCADA/Process Control personnel.
NM2 | Plant network management and system support by SCADA/Process Control personnel | Access to configure network equipment located on same facility from centralized location by SCADA/Process Control personnel.
NM3 | Remote network management and system support by SCADA/Process Control personnel | Access to configure network infrastructure located in another physical facility by SCADA/Process Control personnel.
NM4 | Local network management and system support by non-SCADA/Process Control personnel | Access to configure network equipment located in immediate vicinity of user (serial or network) by non-SCADA/Process Control personnel.
NM5 | Plant network management and system support by non-SCADA/Process Control personnel | Access to configure network equipment located in another physical facility by non-SCADA/Process Control personnel.
NM6 | Remote network management and system support by non-SCADA/Process Control personnel | Access to configure network infrastructure located in another physical facility by non-SCADA/Process Control personnel.

Program Access
PA1 | Outbound messaging | Automated, non-interactive sending of SMTP, SMS or other outbound alarms and messaging from system.
PA2 | Outbound file transfer | Interactive sending of files from system to other locations by user.
PA3 | Inbound file transfer | Interactive receiving of files from other locations to system by user.
PA4 | Software updates | Automated, non-interactive retrieval of licensing, OS updates, anti-virus signatures and other system data from other locations to system.
PA5 | Data exchange | Automated, non-interactive exchange of data (e.g. database-to-database exchange, ntp or other external data) with systems located externally. (Implies full-time connection.)
PA6 | Network management communications | Automated, non-interactive exchange of network management data (e.g. syslog, SNMP traps, SNMP polling) with system(s) located external to system. (Implies full-time connection.)

PLC Programming and Maintenance
PLC1 | Local PLC programming and maintenance | Access to PLC programming and maintenance is local to device (serial or network).
PLC2 | Plant PLC programming and maintenance | Access to PLC programming and maintenance from a centralized on-site location.
PLC3 | Remote PLC programming and maintenance | Access to PLC programming and maintenance from an off-site location.
PLC4 | Third party SCADA/Process Control presence | SCADA/PCS equipment (e.g. PLC, RTU) owned and operated by third party (e.g. business partner) located on SCADA/Process Control network with external access by third party.
PLC5 | Third party SCADA/Process Control package systems | SCADA/PCS sub-systems owned and operated by third parties located within plant facility with direct network connection to SCADA/Process Control system (package system) with on-site access by third party.

User Access
UA1 | Control room system access with control | Access to system with full read-write capability from on-plant, physically-secure “control room” location.
UA2 | Plant system access with control from fixed locations | Access to system with full read-write capability from on-plant location, not physically secured (e.g. plant floor).
UA3 | Remote system access with control from fixed locations | Access to system with full read-write and/or read-only/view-only capability from location outside “control room” environment and located outside the physical perimeter of the facility workstations or HMI.
UA4 | Remote system access with web view from fixed locations | Access to web displays of system data with read-only/view capability from location outside “control room” environment and located outside the physical perimeter of the facility via web browser on non-dedicated computer.
UA5 | Plant system access with control from mobile device | Access to system with full read-write capability from on-plant location, not physically secured (e.g. plant floor) on mobile device.
UA6 | Remote system access with control from mobile device | Access to system with full read-write capability from location outside “control room” environment and located outside the physical perimeter of the facility on mobile device.
UA7 | Remote system access with view-only from mobile device | Access to system with limited read-only/view capability from location outside “control room” environment and located outside the physical perimeter of the facility on mobile device.
UA8 | Remote system access with web view from mobile device | Access to web displays of system data with read-only/view capability from location outside “control room” environment and located outside the physical perimeter of the facility via web browser on non-dedicated mobile device.
UA9 | Training environment | System training conducted on production SCADA/Process Control system by third parties.
UA10 | Development environment by SCADA/Process Control staff | System development conducted on production SCADA/Process Control network by SCADA/Process Control personnel.
UA11 | Development environment by external staff or third parties | System development conducted on production SCADA/Process Control network by non-SCADA/Process Control personnel.

Data Security
DS1 | Accept, store or process credit card information | Organization accepts, processes, stores, or transmits credit or debit card information or certain pre-paid payment cards.
DS2 | Storage of PII | Organization owns, licenses, acquires or maintains PII.
DS3 | Storage or maintenance of protected health information that is HIPAA protected | Organization creates or receives protected health information.

Cyber Informed Engineering
CIE1 | Engineering design and implementation of critical infrastructure | A program is in place to engage engineering staff in understanding and mitigating high-consequence and constantly evolving cyber threat during the design and implementation phase.

Supply Chain
SU1 | Supply chain risk management program | Organization has a supply chain risk management program.
SU2 | Supply chain risk management program cybersecurity | Organization’s supply chain risk management process addresses cybersecurity.

Appendix E: Cybersecurity Controls
AT: Awareness and Training Cybersecurity Additional Details
Practice
Areas/Recommend
ed Projects
AT-1 A general security awareness and response Education An operator finds a USB media device.
program established to ensure staff is aware Based on their cybersecurity training,
of the indications of a potential incident, they know not to use it on the company
security policies, and incident network.
response/notification procedures.
AT-2 Job-specific security training including Education; Cyber- An operator has received what they
incident response training for employees, Informed Engineering believe to be a malicious email. They
contractors and third-party users. recognize that it is a phishing attack
based on security training awareness
programs the company has in place.
AT-3 A forensic program established to ensure that Governance and Risk A SCADA tech believes a machine is
evidence is collected/handled in accordance Management infected. Based on their training, they
with pertinent laws in case of an incident remove the machine from the network
requiring civil or criminal action. and report it to Information Technology
Team (IT) without powering it off to
avoid deleting evidence.
AU: Audit and Accountability Cybersecurity Additional Details
Practice Areas/
Recommended
Projects
AU-1 Audit program established to ensure Application Security; IT schedules an independent review
information systems are compliant with Governance and Risk and examination of records and
policies and standards and to minimize Management activities to assess the adequacy of
disruption of operations. system controls and to ensure
compliance with established policies.
AU-2 Framework of information security policies, Governance and Risk A third-party system integrator asks the
procedures, and controls including Management SCADA tech to email a document with
management's initial and periodic approval sensitive network information. The
established to provide governance, exercise SCADA tech refuses and notifies
periodic review, dissemination, and integrator of the secure file transfer
coordination of information security system in place.
activities.
AU-3 Governance framework to Governance and Risk Data security policy and controls are in
disseminate/decentralize decision making Management place to prevent sharing of private or
while maintaining executive authority and sensitive data outside of the
strategic control and ensure that managers organization.
follow the security policies and enforce the
execution of security procedures within their
area of responsibility.
AU-4 Information security responsibilities defined Governance and Risk All staff are aware of who they would
and assigned. Management report to if they notice suspicious
behavior in the system.

© Copyright American Water Works Association 2019 40


AU-5 Risk based business continuity framework Business Continuity and The facility has a documented and
established under the auspices of the Disaster Recovery tested contingency plan to operate the
executive team to maintain continuity of facility without the use of SCADA
operations and consistency of policies and software, in the case of attack by
plans throughout the organization. Another ransomware.
purpose of the framework is to ensure
consistency across plans in terms of priorities,
contact data, testing, and maintenance.
AU-6 Policies and procedures established to Governance and Risk The business continuity plan is revised
validate, test, update and audit the business Management; Business annually. Revisions are informed by
continuity plan throughout the organization. Continuity and Disaster planned exercises, actual events, or
Recovery documented changes.
AU-7 Policies and procedures for system Business Continuity and The PCS has a testing/development
instantiation/deployment established to Disaster Recovery environment to allow changes to be
ensure business continuity. implemented without immediate
effects to the production environment.
AU-8 Template for the organization's Governance and Risk Reviews of the organization’s
confidentiality/non-disclosure agreements Management confidentiality/non-disclosure
defined, reviewed, and approved periodically agreements are periodically scheduled
by management. by a responsible party.
CM: Configuration Management

CM-1: Policies for defining business requirements including data validation and message authenticity established to ensure that new/upgraded systems contain appropriate security requirements and controls.
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management
    Additional Details: Meetings are periodically scheduled between management and IT to discuss current and potential cybersecurity risks and the impact on business decisions.

CM-2: Procedure modification tracking program in place to manage and log changes to policies and procedures.
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management
    Additional Details: The Emergency Response Plan is stored in a central repository and clearly displays the version and date of when it was implemented.

CM-3: Separation of duties implemented for user processes including risk of abuse.
    Cybersecurity Practice Areas/Recommended Projects: Application Security; Governance and Risk Management
    Additional Details: Operators are only given clearance to areas they are expected to work in. Supervisors have the ability and training to monitor SCADA tech activities in the PCS.

CM-4: Separation of duties implemented for development, production, and testing work.
    Cybersecurity Practice Areas/Recommended Projects: Application Security; Personnel Security; Governance and Risk Management
    Additional Details: A SCADA technician must have a second technician review changes made to production equipment before they are implemented.

CM-5: SLAs for all third parties established, including levels of service and change controls.
    Cybersecurity Practice Areas/Recommended Projects: SLA
    Additional Details: A security policy that outlines which access permissions are distributed to third party employees.

CM-6: Risk based policies and procedures for change controls, reviews, and audits of SLAs.
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management
    Additional Details: Inviting all affected parties to discussions to prevent the development of vulnerabilities in the facility.

CM-7: Monitoring of resources and capabilities with notifications and alarms established to alert management when resources/capabilities fall below a threshold.
    Cybersecurity Practice Areas/Recommended Projects: Telecommunications, Network Security, and Architecture; SLA
    Additional Details: IT monitors SCADA computers for processor usage that could indicate cryptojacking activity.

IA: Identification and Authentication & Access Control

IA-1: Access control policies and procedures established including unique user ID for every user, appropriate passwords, privilege accounts, authentication, and management oversight.
    Cybersecurity Practice Areas/Recommended Projects: Access Control; Application Security; Governance and Risk Management
    Additional Details: Based on their knowledge of access control policies, operators do not share passwords.

IA-2: Access control for the management, monitoring, review, and audit of accounts established including access control, account roles, privilege accounts, password policies and executive oversight.
    Cybersecurity Practice Areas/Recommended Projects: Access Control; Application Security; Governance and Risk Management
    Additional Details: Upon staff termination or resignation, login credentials are disabled as part of the Human Resources process.

IA-3: Role based access control system established including policies and procedures.
    Cybersecurity Practice Areas/Recommended Projects: Access Control; Application Security; Governance and Risk Management
    Additional Details: SCADA software implements unique usernames and passwords with different levels of control based on roles.

IA-4: Access control for confidential system documentation established to prevent unauthorized access of trade secrets, program source code, documentation, and passwords (including approved policies and procedures).
    Cybersecurity Practice Areas/Recommended Projects: Access Control; Application Security; Governance and Risk Management
    Additional Details: A third-party system integrator asks the SCADA tech to email a document with sensitive network information. The SCADA tech refuses and notifies the integrator of the secure file transfer system in place.

IA-5: Access control for diagnostic tools and resources and configuration ports.
    Cybersecurity Practice Areas/Recommended Projects: Access Control
    Additional Details: PLC programming software is only available at select workstations and only accessible to SCADA technicians.

IA-6: Access control for networks shared with other parties in accordance with contracts, SLAs and internal policies.
    Cybersecurity Practice Areas/Recommended Projects: Access Control; Service Level Agreements; Governance and Risk Management
    Additional Details: Contracts with third-party equipment vendors establish security requirements for remote access to equipment.

IA-7: Wireless and guest-access framework established for the management, monitoring, review, and audit of wireless and guest access in place.
    Cybersecurity Practice Areas/Recommended Projects: Access Control; Governance and Risk Management
    Additional Details: To use the plant guest network, users are required to accept a user agreement.

IA-8: Policies for security of standalone, lost, and misplaced equipment in place.
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management
    Additional Details: An operator misplaces a managed phone. Based on the missing equipment policy, they contact IT to report the device lost.

IA-9: Multifactor authentication system established for critical areas.
    Cybersecurity Practice Areas/Recommended Projects: Access Control
    Additional Details: Remote access to the SCADA system requires two-factor authentication.

IA-10: Policies and procedures for least privilege established to ensure that users only gain access to the authorized services.
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management
    Additional Details: Idle sessions on SCADA screens are logged off in 15 minutes. If no user is logged in, a read-only view is presented.

IA-11: Workstation and other equipment authentication framework established to secure sensitive access from certain high-risk locations.
    Cybersecurity Practice Areas/Recommended Projects: Access Control
    Additional Details: The controls to critical equipment are only available at a local secured terminal.

IA-12: Session controls established to inactivate idle sessions, provide web content filtering, prevent access to malware sites, etc.
    Cybersecurity Practice Areas/Recommended Projects: Access Control
    Additional Details: An operator attempts to connect to a known hacking website. The connection is blocked. The operator and IT are notified of the attempt.

IR: Incident Response, Contingency Planning, & Planning

IR-1: Incident response program established with a formal Emergency Response Plan to restore systems and operations based on their criticality and within time constraints and effect recovery in case of a catalogue of disruptive events. Exercises conducted to test and revise plans and build organizational response capabilities.
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management; Data Security
    Additional Details: Emergency Response Plan includes procedures for recovering SCADA system operation from system backup.

IR-2: A security program established with a formal Emergency Response Plan to respond to security incidents; monitor, discover, and handle security alerts and technical vulnerabilities; collect and analyze security data; limit the organization's risk profile; and ensure that management is aware of changing/emerging risks.
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management; Data Security
    Additional Details: A SCADA tech believes a machine is infected and responds according to the utility's emergency response plan for cybersecurity based incidents.

IR-3: A legal/contractual/regulatory framework established with a formal Emergency Response Plan to track legal/contractual/regulatory requirements and the efforts to meet them with respect to each important system within the organization. Another purpose of the framework is to ensure compliance of policies and procedures with privacy laws, handling cryptographic products, intellectual property rights, and data retention requirements.
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management; Data Security
    Additional Details: The Emergency Response Plan is reviewed and updated once a year by responsible staff.

MA: Maintenance

MA-1: Equipment maintenance/replacement program established to maintain business continuity, availability, and integrity.
    Cybersecurity Practice Areas/Recommended Projects: Service Level Agreement; Governance and Risk Management; Cyber-Informed Engineering
    Additional Details: Based on the company's controlled maintenance program, a utility will format network devices to factory settings before sending them out of the organization for maintenance.

MA-2: Maintenance of relationships with authorities, professional associations, interest groups etc., formalized. This is done, in part, to maintain an up-to-date situational awareness of relevant threats.
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management
    Additional Details: The utility is a member of DHS's ICS-CERT mailing list to receive frequent communications on PCS vulnerabilities discovered and patches available. SCADA techs regularly review alerts to determine if the alerts are applicable to their system.

MA-3: Off-site equipment maintenance program including risk assessment of outside environmental conditions established.
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management
    Additional Details: The condition of offsite equipment and risk factors acting on the equipment are periodically reviewed and assessed via an independent party.

MP: Media Protection

MP-1: Storage media management and disposal program established to ensure that any sensitive data/software is used appropriately and is removed prior to media disposal (including approved policies and procedures).
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management
    Additional Details: When decommissioning a network device that was used in the production environment, IT is required to return it to factory conditions before it leaves the facility.

MP-2: Information exit mechanisms in place to prevent data, software leaving premises without authorization or logging.
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management
    Additional Details: The Emergency Response Plan is stored in a central repository that records when files are accessed and altered.

MP-3: Policies and procedure repository in place to be available to all authorized staff.
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management
    Additional Details: Company policies and procedures are available in a central, secure, shared location.

PE: Physical and Environmental Protection

PE-1: Security perimeters, card-controlled gates, manned booths, and procedures for entry control.
    Cybersecurity Practice Areas/Recommended Projects: Access Control; Physical Security
    Additional Details: Personnel are required to present a badge to access the PCS.

PE-2: Secure areas protected by entry controls and procedures to ensure that only authorized personnel have access.
    Cybersecurity Practice Areas/Recommended Projects: Access Control; Physical Security
    Additional Details: Access to the server room is restricted to authorized staff only.

PE-3: Physical security and procedures for offices, rooms, and facilities.
    Cybersecurity Practice Areas/Recommended Projects: Access Control; Governance and Risk Management; Physical Security
    Additional Details: Staff lock doors that allow access to PCS assets. Security guards inspect doors to make sure they are locked properly.

PE-4: Physical protection against fire, flood, earthquake, explosion, civil unrest, etc.
    Cybersecurity Practice Areas/Recommended Projects: Access Control; Physical Security
    Additional Details: Fire suppression unit installed around critical equipment.

PE-5: Physical security and procedures for working in secure areas.
    Cybersecurity Practice Areas/Recommended Projects: Access Control; Physical Security
    Additional Details: Documentation for physical security procedures is included with new employee training and reviewed at regular training events.

PE-6: Physical security and procedures for mail rooms, loading areas, etc., established. These areas must be isolated from PCS enterprise system areas.
    Cybersecurity Practice Areas/Recommended Projects: Access Control; Physical Security
    Additional Details: Server room and PLC cabinets are isolated from areas that delivery personnel and customers may visit.

PE-7: Physical security and procedures against equipment environmental threats and hazards or unauthorized access.
    Cybersecurity Practice Areas/Recommended Projects: Physical Security
    Additional Details: The utility monitors facilities using security cameras.

PE-8: Physical/logical protection against power failure of equipment (UPS).
    Cybersecurity Practice Areas/Recommended Projects: Physical Security; Service Level Agreements
    Additional Details: Uninterruptible power supplies (UPS) are available as power backup for critical components.

PE-9: Physical/logical protection against access to power and telecommunications cabling established.
    Cybersecurity Practice Areas/Recommended Projects: Physical Security
    Additional Details: A utility has a standby power source with separated power cabling for critical sites.

PM: Program Management & Security Assessment and Authorization

PM-1: Asset management program including a repository containing all significant assets of the organization with a responsible party for each, periodic inventories, and audits.
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management; Cyber-Informed Engineering
    Additional Details: A database is used to keep track of building conditions in the facility.

PM-2: Policies and procedures for acceptable use of assets and information approved and implemented.
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management
    Additional Details: PLCs that cannot update past a specific security revision are not acceptable for use in the PCS.

PM-3: Centralized logging system including policies and procedures to collect, analyze and report to management.
    Cybersecurity Practice Areas/Recommended Projects: Telecommunications, Network Security, and Architecture; Governance and Risk Management
    Additional Details: A utility has a network intrusion detection system (NIDS) to monitor network traffic.

PM-4: SLAs for software and information exchange with internal/external parties in place including interfaces between systems and approved policies and procedures.
    Cybersecurity Practice Areas/Recommended Projects: SLAs; Governance and Risk Management
    Additional Details: Third parties must review and sign an information exchange policy before connecting to the system.

PM-5: Data classification policies and procedures for handling and labeling based on confidentiality and criticality approved and implemented.
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management
    Additional Details: A third-party system integrator asks the SCADA tech to email a document with sensitive network information. The SCADA tech refuses and notifies the integrator of the secure file transfer system in place.

PS: Personnel Security

PS-1: Policies and procedures for hiring/terminating processes on employees, contractors, or support companies to include background checks and contract agreements approved and implemented.
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management; Personnel Security
    Additional Details: A background check on employees is required before they may be given access to the PCS system.

PS-2: Defined and approved security roles and responsibilities of all employees, contractors and third-party users.
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management; Personnel Security
    Additional Details: A company policy is in place limiting the access of third-party users to assets, systems, and data.

PS-3: A clear desk policy in place including clear papers, media, desktop, and computer screens.
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management; Personnel Security
    Additional Details: Confidential documents are stored in locked file cabinets when not in use, as required by policy.

PS-4: Disciplinary process for security violations established.
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management; Personnel Security
    Additional Details: An operator who props open doors to critical areas could face disciplinary action as outlined in the utility's policies and procedures.

RA: Risk Assessment

RA-1: Risk assessment and approval process before granting access to the organization's information systems.
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management
    Additional Details: A third-party system integrator would need to contact IT before connecting to the system's network.

RA-2: Third party agreement process to ensure security on access, processing, communicating, or managing the organization's information or facilities.
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management; SLAs
    Additional Details: System integrators can only access the facility's equipment remotely from a Virtual Private Network (VPN) connection.

SA: System and Services Acquisition

SA-1: Authorization process established for new systems or changes to existing information processing systems.
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management
    Additional Details: A change management/review process is used to evaluate suggested changes to the facility.

SA-2: Change controls of systems development, outsourced development, system modification, and testing established, including acceptance criteria for new systems, monitoring of internal/outsourced development, and control of system upgrades.
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management; SLAs
    Additional Details: A third-party system integrator is preparing to make changes to SCADA software. The SCADA tech requires the integrator to follow the change procedure and test the changes in a sandbox environment before they are deployed in production.

SA-3: Change controls of operating systems, network configuration/topology, network security established, including changes to IDS/IPS, traffic control/monitoring, new systems, and system upgrades.
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management; Server and Workstation Hardening
    Additional Details: Automatic updates to the operating system are disabled, but monthly manual updates are reviewed and applied in coordination with operations.

SA-4: Risk based mobility policies and procedures established to protect against inherent risk of mobile computing and communication systems.
    Cybersecurity Practice Areas/Recommended Projects: Operations Security; Governance and Risk Management
    Additional Details: Remote access is restricted to only the most necessary applications and only allowed through secure measures.

SA-5: Periodic review of backup policies and procedures and testing of recovery processes.
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management
    Additional Details: System backups are tested on a regular basis by completing a system restoration to the test environment.

SI: System and Information Integrity

SI-1: Electronic commerce infrastructure in place providing integrity, confidentiality and non-repudiation and including adherence to pertinent laws, regulations, policies, procedures, and approval by management.
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management
    Additional Details: The company selected to perform billing is compliant with pertinent laws, regulations, policies and procedures that are relevant to the utility.

SI-2: System acceptance standards including data validation (input/output), message authenticity, and system integrity established to detect information corruption during processing.
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management
    Additional Details: Acquired assets are inspected, assessed, and documented before implementation with existing systems.

SI: System and Information Integrity (cont'd)

SI-3: Interactive system for managing passwords implemented to ensure password strength.
    Cybersecurity Practice Areas/Recommended Projects: Access Control; Application Security
    Additional Details: When configuring a new user's password, it must meet minimum character length requirements.

SI-4: Organization-wide clock synchronization system in place.
    Cybersecurity Practice Areas/Recommended Projects: Telecommunications, Network Security, and Architecture
    Additional Details: All managed network devices synchronize their clocks to a known good source.

SI-5: Privileged program controls established to restrict usage of utility programs that could reset passwords or override controls, as well as enterprise system audit tools that can modify or delete audit data.
    Cybersecurity Practice Areas/Recommended Projects: Application Security; Telecommunications, Network Security, and Architecture
    Additional Details: The utility has implemented tiered access so non-administrator users are unable to make changes to system security settings.

DS: Data Security

DS-1: A program established to ensure compliance with the minimum PCI requirements for your associated level.
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management; Data Security
    Additional Details: The company selected to perform billing is compliant with the minimum PCI requirements for the utility's associated level.

DS-2: A Privacy Policy as well as a Cyber Security Breach Policy are implemented.
    Cybersecurity Practice Areas/Recommended Projects: Business Continuity and Disaster Recovery; Governance and Risk Management; Data Security
    Additional Details: An operator knows how to identify and respond to a suspected cyber breach, based on their cybersecurity training.

DS-3: A program is established to ensure compliance with the minimum HIPAA requirements. Develop a Privacy Policy as well as a Cyber Security Breach Policy.
    Cybersecurity Practice Areas/Recommended Projects: Business Continuity and Disaster Recovery; Governance and Risk Management; Data Security
    Additional Details: Current practices are reviewed by legal counsel for legal compliance with HIPAA.

CIE: Cyber-Informed Engineering

CIE-1: A program is in place to engage engineering staff in understanding and mitigating high-consequence and constantly evolving cyber threats throughout the engineering life-cycle including: design, implementation, maintenance, and decommissioning.
    Cybersecurity Practice Areas/Recommended Projects: Cyber-Informed Engineering
    Additional Details: Engineering staff is fully aware of the potential for a cyber breach. They design electrical and mechanical systems to provide functionality in the case of a SCADA system compromise.

SU: Supply Chain

SU-1: A supply chain risk management program.
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management
    Additional Details: Chain of custody documentation is required for all chemicals used in treatment.

SU-2: A supply chain risk management program that includes cybersecurity.
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management
    Additional Details: Preferred vendors for computer hardware, software and peripherals are identified and selected based on evaluation of their supply chain among other criteria.

SC: System and Communications Protection

SC-1: Policies and procedures governing cryptography and cryptographic protocols including key/certificate-management established to maximize protection of systems and information.
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management
    Additional Details: When selecting new PLCs for a system upgrade, SCADA techs evaluate the option of using newer PLCs that offer encryption for communication.

SC-2: Centralized authentication system or single sign-on established to authorize access from a central system.
    Cybersecurity Practice Areas/Recommended Projects: Access Control; Application Security
    Additional Details: Operators have one username and password for PCS equipment which is managed from a central system.

SC-3: Policies and procedures established for network segmentation including implementation of DMZs based on type and sensitivity of equipment, user roles, and types of systems established.
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management
    Additional Details: All external communication with the PCS is implemented via DMZ.

SC-4: Intrusion detection, prevention, and recovery systems including approved policies and procedures established to protect against cyber-attacks. System includes repository of fault logging, analysis, and appropriate actions taken.
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management; Telecommunications, Network Security, and Architecture
    Additional Details: Within the SCADA system network, vendor systems are placed on a separate subnet.

SC-5: Anomaly based IDS/IPS established including policies and procedures.
    Cybersecurity Practice Areas/Recommended Projects: Telecommunications, Network Security, and Architecture
    Additional Details: The IT tech monitors IDS system exception logs daily to determine if ongoing attacks are occurring and works with the SCADA tech to address any issues.

SC-6: Network management and monitoring established including deep packet inspection of traffic, QoS, port-level security, and approved policies and procedures.
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management; Telecommunications, Network Security, and Architecture
    Additional Details: An actively managed firewall is in place to allow secure data transfer via DMZ to provide operations data to utility asset managers.

SC-7: Information exchange protection program in place to protect data in-transit through any communication system including the Internet, email, and text messaging and approved policies and procedures.
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management; Telecommunications, Network Security, and Architecture
    Additional Details: When selecting new PLCs for a system upgrade, SCADA techs evaluate the option of using newer PLCs that offer encryption for communications.

SC-8: Routing controls established to provide logical separation of sensitive systems and enforce the organization's access control policy.
    Cybersecurity Practice Areas/Recommended Projects: Operations Security; Telecommunications, Network Security, and Architecture
    Additional Details: Within the SCADA system network, vendor systems are placed on a separate subnet rather than being on a single "flat" network.

SC-9: Process isolation established to provide a manual override "air gap" between highly sensitive systems and regular environments.
    Cybersecurity Practice Areas/Recommended Projects: Operations Security; Telecommunications, Network Security, and Architecture
    Additional Details: A utility will physically separate a pump station from any sort of information transfer from any other network. This however is only a true air gap when there is absolutely no information transfer. If information is transferred through a DMZ or firewall, that would not be an example of this control. In that scenario, select this control as "Not Planned and/or Not Implemented - Risk Accepted".

SC: System and Communications Protection (cont'd)

SC-10: Program for hardening servers, workstations, routers, and other systems using levels of hardening based on criticality established. Program should include policies and procedures for whitelisting (deny-all, allow by exception).
    Cybersecurity Practice Areas/Recommended Projects: Server and Workstation Hardening; Governance and Risk Management
    Additional Details: Ports are disabled for all network devices when not in use.

SC-11: Framework for hardening of mobile code and devices established (including acceptance criteria and approved policies and procedures).
    Cybersecurity Practice Areas/Recommended Projects: Server and Workstation Hardening; Governance and Risk Management
    Additional Details: A water utility chooses to not allow personal mobile devices to connect to the control network. The utility does provide mobile devices managed by IT that can connect to the network.

SC-12: Remote access framework including policies and procedures established to provide secure access to telecommuting staff, established for the management, monitoring, review, and audit of remote access to the organization.
    Cybersecurity Practice Areas/Recommended Projects: Access Control; Governance and Risk Management
    Additional Details: Remote access to the SCADA system requires two-factor authentication.

SC-13: Testing standards including test data selection, protection, and system verification established to ensure system completeness.
    Cybersecurity Practice Areas/Recommended Projects: Governance and Risk Management
    Additional Details: The organization has a FAT procedure that requires vendors to demonstrate security of systems before they are purchased.

SC-14: Network segregation. Firewalls, deep packet inspection and/or application proxy gateways.
    Cybersecurity Practice Areas/Recommended Projects: Operations Security; Telecommunications, Network Security, and Architecture
    Additional Details: "Whitelisting" of network components is done to manage data transfer between and within network segments.

SC-15: Logically separated control network. Minimal or single access points between corporate and control network. Stateful firewall between corporate and control networks filtering on TCP and UDP ports. DMZ networks for data sharing.
    Cybersecurity Practice Areas/Recommended Projects: Operations Security; Telecommunications, Network Security, and Architecture
    Additional Details: An actively managed firewall is in place to allow secure data transfer via DMZ to provide operations data to utility asset managers.

SC-16: Defense-in-depth. Multiple layers of security with overlapping functionality.
    Cybersecurity Practice Areas/Recommended Projects: Operations Security; Telecommunications, Network Security, and Architecture
    Additional Details: A utility employs multiple types of physical and cybersecurity efforts to protect assets and systems. The efforts include such things as locking doors, physical access control, and unique login requirements for each staff member.

SC-17: Virtual Local Area Network (VLAN) for logical network segregation.
    Cybersecurity Practice Areas/Recommended Projects: Telecommunications, Network Security, and Architecture
    Additional Details: Within the SCADA system network, vendor systems are on a separate subnet.

SC-18: Minimize wireless network coverage.
    Cybersecurity Practice Areas/Recommended Projects: Telecommunications, Network Security, and Architecture
    Additional Details: Tests are conducted regularly to determine if the WiFi signals reach outside the intended area of use. If the signal reaches outside the intended area, the signal is turned down accordingly.

SC-19: 802.1X user authentication on wireless networks.
    Cybersecurity Practice Areas/Recommended Projects: Telecommunications, Network Security, and Architecture
    Additional Details: No "open" WiFi connections are allowed.

SC-20: Wireless equipment located on isolated network with minimal or single connection to control network.
    Cybersecurity Practice Areas/Recommended Projects: Telecommunications, Network Security, and Architecture
    Additional Details: WiFi equipment in the plant does not connect directly to the SCADA network.

SC-21: Unique wireless network identifier (SSID) for control network.
    Cybersecurity Practice Areas/Recommended Projects: Telecommunications, Network Security, and Architecture
    Additional Details: The WiFi for the control system has a unique SSID from the business network.

SC: System and Communications Protection (cont'd)

SC-22: Separate Microsoft Windows domain for wireless (if using Windows).
    Cybersecurity Practice Areas/Recommended Projects: Telecommunications, Network Security, and Architecture
    Additional Details: A wireless LAN specific domain controller is in place.

SC-23: Wireless communications links encrypted.
    Cybersecurity Practice Areas/Recommended Projects: Encryption; Telecommunications, Network Security, and Architecture
    Additional Details: All data transferred via the wireless network is encrypted using current wireless communication best practices.

SC-24: Communications links encrypted.
    Cybersecurity Practice Areas/Recommended Projects: Encryption; Telecommunications, Network Security, and Architecture
    Additional Details: All data transferred via the wired network is encrypted using current wireless communication best practices.

SC-25: VPN using IPsec, SSL or SSH to encrypt communications from untrusted networks to the control system network.
    Cybersecurity Practice Areas/Recommended Projects: Encryption; Telecommunications, Network Security, and Architecture
    Additional Details: An operator who can access the system remotely must do so through a secured VPN client configuration.

Appendix F: Cross Reference to NIST 1.1 Cybersecurity Framework
The following table provides a cross-reference between the Cybersecurity Controls incorporated into
the AWWA Cybersecurity Guidance Tool and the Framework Core (Appendix A) included in the
Cybersecurity Framework issued by NIST on April 16, 2018.

Columns: Function; Category; Sub-Category; Description; AWWA Guidance Control (shown in brackets after each description).

IDENTIFY

Asset Management
    ID.AM-1: Physical devices and systems within the organization are inventoried [PM-2]
    ID.AM-2: Software platforms and applications within the organization are inventoried [PM-2]
    ID.AM-3: Organizational communication and data flows are mapped [PM-2]
    ID.AM-4: External information systems are catalogued [MA-3]
    ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value [PM-5]
    ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established [PE-4, PS-2]

Business Environment
    ID.BE-1: The organization's role in the supply chain is identified and communicated [RA-2, PS-2, CM-5]
    ID.BE-2: The organization's place in critical infrastructure and its industry sector is identified and communicated [MA-2]
    ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated [IR-2]
    ID.BE-4: Dependencies and critical functions for delivery of critical services are established [IR-2]
    ID.BE-5: Resilience requirements to support delivery of critical services are established [IR-3]

Governance
    ID.GV-1: Organizational information security policy is established [IR-2, AU-2]
    ID.GV-2: Information security roles & responsibilities are coordinated and aligned with internal roles and external partners [PS-2, AU-4, AU-6]
    ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed [IR-3]
    ID.GV-4: Governance and risk management processes address cybersecurity risks [AU-3, AU-5, CM-6]

Risk Assessment
    ID.RA-1: Asset vulnerabilities are identified and documented [AU-5, RA-1, IR-2]
    ID.RA-2: Threat and vulnerability information is received from information sharing forums and sources [AU-5, PM-3, IR-2]

IDENTIFY (cont'd)

Risk Assessment (cont'd)
    ID.RA-3: Threats, both internal and external, are identified and documented [AU-5, RA-1, IR-2]
    ID.RA-4: Potential business impacts and likelihoods are identified [AU-5, RA-1, IR-2]
    ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk [AU-5]
    ID.RA-6: Risk responses are identified and prioritized [IR-1]

Risk Management Strategy
    ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders [IR-2]
    ID.RM-2: Organizational risk tolerance is determined and clearly expressed [SA-4]
    ID.RM-3: The organization's determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis [SC-4]

Supply Chain Risk Management
    ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders [SU-1]
    ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process [SU-2]
    ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization's cybersecurity program and Cyber Supply Chain Risk Management Plan [SU-2]
    ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations [SU-1]

PROTECT

Access Control
    PR.AC-1: Identities and credentials are managed for authorized devices and users [IA-1, RA-1, SC-19]
    PR.AC-2: Physical access to assets is managed and protected [PE-1, PE-2, PE-3]
    PR.AC-3: Remote access is managed [IA-7, SC-12, SC-18, SC-21, RA-2]
    PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties [IA-3, SC-22]
    PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate [SC-8, SC-9, SC-14, SC-15, SC-16, SC-17, SC-20, SC-25]

PROTECT (cont'd)

Awareness & Training
    PR.AT-1: All users are informed and trained [AT-1, AT-2]
    PR.AT-2: Privileged users understand roles & responsibilities [AT-1, AT-2]
    PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities [AT-2]
    PR.AT-4: Senior executives understand roles & responsibilities [AT-1]
    PR.AT-5: Physical and information security personnel understand roles & responsibilities [PS-4, AT-1]

Data Security
    PR.DS-1: Data-at-rest is protected [PM-5, MP-2]
    PR.DS-2: Data-in-transit is protected [PM-4, SC-14, SC-23, SC-24]
    PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition [PM-1]
    PR.DS-4: Adequate capacity to ensure availability is maintained [MA-1, CM-7]
    PR.DS-5: Protections against data leaks are implemented [IA-4]
    PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity [IR-3]
    PR.DS-7: The development and testing environment(s) are separate from the production environment [CM-4]

Information Protection Processes and Procedures (IP)
    PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained [SA-3]
    PR.IP-2: A System Development Life Cycle to manage systems is implemented [CM-1, CM-6]
    PR.IP-3: Configuration change control processes are in place [SA-3]
    PR.IP-4: Backups of information are conducted, maintained, and tested periodically [SA-5]
    PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met [PE-4]
    PR.IP-6: Data is destroyed according to policy [MP-1]
    PR.IP-7: Protection processes are continuously improved [AU-6]
    PR.IP-8: Effectiveness of protection technologies is shared with appropriate parties [AU-7]
    PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed [ANSI/AWWA J100/G440/M19]
    PR.IP-10: Response and recovery plans are tested [PS-4]

© Copyright American Water Works Association 2019 53


AWWA Guidance
Function Category Sub-Category Description
Control
PROTECT – PR.IP-11 Cybersecurity is included in human resources practices AT-2
cont. (e.g., deprovisioning, personnel screening)

PR.IP-12 A vulnerability management plan is developed and AU-5


implemented
Maintenance PR.MA-1 Maintenance and repair of organizational assets is MA-1
performed and logged in a timely manner, with
approved and controlled tools
PR.MA-2 Remote maintenance of organizational assets is MA-1
approved, logged, and performed in a manner that
prevents unauthorized access
Protective PR.PT-1 Audit/log records are determined, documented, PM-3
Technology implemented, and reviewed in accordance with policy

PR.PT-2 Removable media is protected and its use restricted MP-1


according to policy
PR.PT-3 Access to systems and assets is controlled, SC-10, SC-19
incorporating the principle of least functionality
(whitelisting)
PR.PT-4 Communications and control networks are protected IA-7

DETECT Anomalies and DE.AE-1 A baseline of network operations and expected data Not addressed
Events flows for users and systems is established and managed
DE.AE-2 Detected events are analyzed to understand attack SC-5
targets and methods
DE.AE-3 Event data are aggregated and correlated from multiple Not addressed
sources and sensors
DE.AE-4 Impact of events is determined PM-3
DE.AE-5 Incident alert thresholds are established CM-7
Security DE.CM-1 The network is monitored to detect potential CM-7
Continuous cybersecurity events
Monitoring The physical environment is monitored to detect
DE.CM-2 PE-1, CM-7
potential cybersecurity events
DE.CM-3 Personnel activity is monitored to detect potential CM-7, SA-5
cybersecurity events
DE.CM-4 Malicious code is detected SC-5
DE.CM-5 Unauthorized mobile code is detected SA-4
DE.CM-6 External service provider activity is monitored to detect IA-2
potential cybersecurity events
DE.CM-7 Monitoring for unauthorized personnel, connections, PS-1
devices, and software is performed
DE.CM-8 Vulnerability scans are performed IR-2
Detection DE.DP-1 Roles and responsibilities for detection are well defined PS-2
Processes to ensure accountability and adequate awareness of
anomalous events
DE.DP-2 Detection activities comply with all applicable IR-3
requirements

© Copyright American Water Works Association 2019 54


AWWA Guidance
Function Category Sub-Category Description
Control
DETECT – DE.DP-3 Detection processes are tested ANSI/AWWA
cont. G430, G440
DE.DP-4 Event detection information is communicated to IA-2
appropriate parties
DE.DP-5 Detection processes are continuously improved SC-4
RESPOND Response RS.PL-1 Response plan is executed during or after an event AT-1
Planning
Communications RS.CO-1 Personnel know their roles and order of operations ANSI/AWWA
when a response is needed G430, G440
RS.CO-2 Events are reported consistent with established criteria G430
RS.CO-3 Information is shared consistent with response plans SC-6

RS.CO-4 Coordination with stakeholders occurs consistent with ANSI/AWWA


response plans G430, G440
RS.CO-5 Voluntary information sharing occurs with external MA-2
stakeholders to achieve broader cybersecurity
situational awareness
Analysis RS.AN-1 Notifications from detection systems are investigated SC-5

RS.AN-2 The impact of the incident is understood ANSI/AWWA J100


RS.AN-3 Forensics are performed AT-3
RS.AN-4 Incidents are categorized consistent with response AT-3
plans
Mitigation RS.MI-1 Incidents are contained IR-1
RS.MI-2 Incidents are mitigated IR-1
RS.MI-3 Newly identified vulnerabilities are mitigated or IR-2
documented as accepted risks
Improvements RS.IM-1 Response plans incorporate lessons learned ANSI/AWWA
G430, G440
RS.IM-2 Response strategies are updated ANSI/AWWA
G430, G440
RECOVER Recovery RC.RP-1 Recovery plan is executed during or after an event AU-7
Planning restoration of systems or assets affected by
cybersecurity events
Improvements RC.IM-1 Recovery plans incorporate lessons learned ANSI/AWWA
G430, G440
RC.IM-2 Recovery strategies are updated ANSI/AWWA
G430, G440
Communications RC.CO-1 Public relations are managed ANSI/AWWA
G430, G440
RC.CO-2 Reputation after an event is repaired ANSI/AWWA
G430, G440
RC.CO-3 Recovery activities are communicated to internal ANSI/AWWA
stakeholders and executive and management teams G430, G440

© Copyright American Water Works Association 2019 55
About AWWA
AWWA is an international, nonprofit, scientific and educational society dedicated to providing
total water solutions assuring the effective management of water. Founded in 1881, the
Association is the largest organization of water supply professionals in the world. Our
membership includes nearly 4,200 utilities that supply roughly 80 percent of the nation's
drinking water and treat almost half of the nation's wastewater. Our more than 50,000 total
memberships represent the full spectrum of the water community: public water and
wastewater systems, environmental advocates, scientists, academicians, and others who hold a
genuine interest in water, our most important resource. AWWA unites the diverse water
community to advance public health, safety, the economy, and the environment.