4/27/2020

1

AWIA CYBERSECURITYEMERGENCY RESPONSE PLAN

Agenda• Cyber Resilience

• Risk and Resilience Assessment Recap

• The Cyber ERP Process

• Stumbling Blocks

• Final Thoughts

1

2

4/27/2020

2

Cyber Resilience

What is Cyber ResilienceResilience nounre· sil· ience | \ ri-ˈzil-yən(t)s \Definition of resilience1: the capability of a strained body to recover its size and shape after deformation caused especially by compressive stress2: an ability to recover from or adjust easily to misfortune or change

3

4

4/27/2020

3

The Cyber Threat

Terrorist Criminal Nation‐State

EquipmentEmployee Natural Disaster

Resilience Mindset• Accept that an event WILL happen

• “The Success Equation”• Event + Reaction = Outcome

5

6

4/27/2020

4

RRA Recap

Assessment Principles• Create an Assessment Team

• Operations• Information Technology• Plant Management• Senior / Executive Management

• Determine the Scope • Operational / IT Environment?

• Standards

• Due Diligence

7

8

4/27/2020

5

Tools• VSAT 2.0 (EPA)

• Cybersecurity Guidance and Tool (AWWA)

• Cybersecurity Evaluation Tool (DHS)

Cybersecurity Guidance / Tool (AWWA)• “Voluntary sector specific approach for implementing

applicable cybersecurity controls and recommendations”• Scoping – 22 Questions

9

10

4/27/2020

6

Answering the Questions• Question & Answer

• Is there a documented process?

• Is process known / trained?

• Is process followed?

• Where is the evidence?

Cybersecurity Guidance / Tool (AWWA)• Controls Output

• “Suggested Controls” – must input YOUR status

11

12

4/27/2020

7

Cybersecurity Guidance / Tool (AWWA)• Control Status Summary

The Cyber ERP

13

14

4/27/2020

8

Risk Reduction Controls

IT Disaster Recovery Plan

Risk‐based Immediate Actions

Three Outcomes from RRA

Risk Reduction Controls• Improvement Projects

15

16

4/27/2020

9

Immediate Action• Cyber Incident Response Plan

• Roles / Responsibilities• Identified Risks• Reporting Timelines• Phased Response (next slide)• Contact Lists (Internal / External)• Checklists

Cyber Incident Response PhasesEmployee training, policy, 

tools, procedures, governance, etc.

Determine the priority, scope, and root cause of 

the incident.

Discovery of the event with tools or notification.  

Includes declaration and initial classification.

Identify and isolate affected system.  Notify affected 

parties and mitigate effects.  Communicate!

Post‐incident repair.  Notify affected parties.  

Regulatory reporting.  

After action review for procedural / policy improvements.

17

18

4/27/2020

10

IT Disaster Recovery Plan• Essential Elements

• Roles & Responsibilities• Inventory

• Hardware / Software / System Passwords

• Backups• Communications Plan• Critical Suppliers / Service Providers

• Equipment & Software• Consultants & Vendors

Stumbling Blocks

19

20

4/27/2020

11

I’m glad water isn’t a target!

Energy Defense

Finance Healthcare

This can’t happen to us…

We’re okay… We’re not connected to the Internet…

21

22

4/27/2020

12

IT & Operations will never work together

Final Thoughts

23

24

4/27/2020

13

Final Thoughts

Final Thoughts

Risk Management

Training & 

Exercising

Reporting

Accountability

Procure ment

Teamwork

Resilience is ALWAYS a Leadership Issue!

25

26

4/27/2020

14

Final Final Thought

Doug ShortResiliency and Cybersecurity ChairTexas Section AWWAshortd@trinityra.orgdoug@defensorsolutions.com

27

28