Cyber for Water & Critical Infrastructure Partners

Cybersecurity Guidance for Water/Wastewater Sector and all Critical Infrastructure Partners

Critical Infrastructure in Oregon contains both private and public State, Local, Tribal, and Territorial (SLTT) government entities. While Enterprise Information Services (EIS) is responsible for cybersecurity with the executive branch of public government, protecting Oregon's most vital resources from an impact due to a cyber event or incident is a shared challenge across all partners.

In partnership with the Oregon TITAN Fusion Center, this page includes some recommendations and resources for the Water/Wastewater Sector and all of Oregon's partners that care for Oregon's Critical Infrastructure.

Initial Recommendations

Initial recommendations include the below and involve other actions to help protect vital services provided to Oregon:

Communicate with your State & Federal cyber teams
Reduce exposure to public-facing internet
Conduct regular cybersecurity assessments
Change default passwords immediately
Conduct an inventory of OT/IT assets
Develop and exercise cybersecurity incident response and recovery plans
Backup OT/IT systems, immutable if possible
Reduce exposure to vulnerabilities
Conduct cybersecurity awareness training

All-Sector Services and Resources

Cybersecurity and Infrastructure Security Agency (CISA)

CISA offers many free and low-cost services to organizations to improve their cybersecurity posture. See CISA's Resources & Tools page and their free services and tools page for an idea of all there is to offer, or reach out to your regional advisor for more information. Services include:

Cyber Hygiene (CyHy)/Vulnerability Scanning
Cyber Tabletop Exercises (TTXs) and Tabletop Exercise Package (CTEP)
Assessments - both self-administered and facilitated
ICS training available through CISA via their virtual learning portal
Past and upcoming training that can be filtered by type
Critical Infrastructure Sectors page that includes information and resources for each sector

Center for Internet Security (CIS)

CIS has several services and the Information Security and Analysis Center (ISAC) which comes with a host of free services and collects, analyzes, and disseminates information on cyber threats to members. See the CIS tools and resources page for a full list of services, which include the following free resources:

Multi-State ISAC (MS-ISAC) (SLTT only)
Elections Infrastructure ISAC (EI-ISAC) (SLTT only)
CIS Risk Assessment Method (CIS RAM)
CIS Controls (for over 100 technologies)
CIS Workbench

National Institute of Standards and Technology (NIST)

Cybersecurity Framework (CSF)
Protecting Data from Ransomware and Other Data Loss Events: A guide for Managed Service Providers (MSPs) to conduct, maintain, and test backup files

Sector-Specific Services and Resources

While the services above are available and can involve all or multiple sectors, some are tailored to specific areas. See CISA's Critical Infrastructure Sectors page, which contains sector information, resources, and plans from CISA and federal agency partners for each of the sectors below. Sector-specific resources included below will be updated as new resources are discovered.

Chemical

From the CISA link above, resources for this sector include a sector-specific plan, risk management fact sheet, National Infrastructure Protection Plan (NIPP), council charters and membership, and additional publications.

Commercial Facilities

From the CISA link above, resources for this sector include a sector-specific plan and additional publications.

Communications

From the CISA link above, resources for this sector include a sector-specific plan, councils and working groups, and additional publications.

Critical Manufacturing

From the CISA link above, resources for this sector include a sector-specific plan, council charters and membership, in-person events, and additional publications.

Dams

From the CISA link above, resources for this sector include a sector-specific plan, councils and working groups, and additional publications.

Defense Industrial Base

From the CISA link above, resources for this sector include a sector-specific plan, working groups, and additional publications.

Emergency Services

From the CISA link above, resources for this sector include a sector-specific plan, council charters and membership, initiatives, training, and additional publications.

Energy

From the CISA link above, resources for this sector include a sector-specific plan, working groups, and additional publications. The Department of Energy cybersecurity page also includes resources on information and strategy for the sector.

Financial Services

From the CISA link above, resources for this sector include a sector-specific plan, working groups, and additional publications. The Department of Treasury cybersecurity page also includes resources and information and strategy for the sector.

Food and Agriculture

From the CISA link above, resources for this sector include a sector-specific plan, working groups, and additional publications. The Food and Drug Administration (FDA) cybersecurity page also includes resources on information and strategy for the sector.

Government Facilities

From the CISA link above, resources for this sector include a sector-specific plan, working groups, and additional publications.

Healthcare and Public Health

From the CISA link above, resources for this sector include a sector-specific plan, working groups, and additional publications. The Department of Health and Human Services (HHS) cybersecurity page also includes resources on information and strategy for the sector.

Information Technology

From the CISA link above, resources for this sector include a sector-specific plan, councils and working groups, and additional publications.

Nuclear Reactors, Materials, and Waste

From the CISA link above, resources for this sector include a sector-specific plan, cyber framework guidance, training, cross-sector information, and additional resources and publications.

Transportation Systems

From the CISA link above, resources for this sector include a sector-specific plan, working groups, and additional publications. The Department of Transportation (DOT) cybersecurity page also includes information on mission and topic points of contact, and resources for the sector.

Water and Wastewater

From the CISA link above, resources for this sector include a sector-specific plan, working groups, and additional publications. Additional sector-specific pages from federal partners and groups include:

CISA's Water and Wastewater Systems Cybersecurity page
EPA's Drinking Water and Wastewater Resilience page
EPA's Cybersecurity for the Water sector page which includes cybersecurity assessments, planning, training, response, and funding resources and information.
EPA's Cybersecurity Technical Assistance Program that will support organizations in conducting an asset inventory.
EPA's Cybersecurity Incident Action Checklist
Water Information Sharing and Analysis Center (Water ISAC)