AWWA G430 2014 RA 2020
AWWA G430-14(R20) Security Practices for Operation and Management
Published By | Publication Date | Number of Pages |
AWWA | 2014 |
This standard covers the minimum requirements for a protective security program for a water, wastewater, or reuse utility.
PDF Catalog
PDF Pages | PDF Title |
---|---|
1 | ANSI/AWWA G430-14(R20) (Revision of ANSI/AWWA G430-09) (Reaffirmed without revision 2020) Security Practices for Operation and Management. Effective date: Dec. 1, 2020. First edition approved by Board of Directors Jan. 25, 2009. This Reaffirmation approved Oct. 26, 2020. Approved by American National Standards Institute Aug. 4, 2020. Designation by the Department of Homeland SAFETY Act on Dec. 14, 2022. |
2 | AWWA Management Standard This document is an American Water Works Association (AWWA) management standard. It is not a specification. AWWA management standards describe consensus requirements for utility management practices. The use of AWWA management standards is entirely voluntary. This standard does not supersede or take precedence over or displace any applicable law, regulation, or codes of any governmental authority. AWWA management standards are intended to represent a consensus of the water industry of requirements and pract American National Standard An American National Standard implies a consensus of those substantially concerned with its scope and provisions. An American National Standard is intended as a guide to aid the manufacturer, the consumer, and the general public. The existence of an American National Standard does not in any respect preclude anyone, whether that person has approved the standard or not, from manufacturing, marketing, purchasing, or using products, processes, or procedures not conforming to the standard. American National Sta CAUTION NOTICE: The American National Standards Institute (ANSI) approval date on the front cover of this standard indicates completion of the ANSI approval process. This American National Standard may be revised or withdrawn at any time. ANSI procedures require that action be taken to reaffirm, revise, or withdraw this standard no later than five years from the date of publication. Purchasers of American National Standards may receive current information on all standards by calling or writing the American ISBN-13, print: 978-1-64717-031-8 ISBN-13, electronic: 978-1-61300-571-2 DOI: http://dx.doi.org/10.12999/AWWA.G430.20 All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including scanning, recording, or any information or retrieval system.
Reproduction and commercial use of this material is prohibited, except with written permission from the publisher. Please send any requests or questions to [email protected]. Copyright © 2020 by American Water Works Association. Printed in USA. Figure |
3 | Committee Personnel The AWWA Standards Committee on Security Practices for Operation and Management, which reaffirmed this standard without revision, had the following personnel at the time of reaffirmation. Clyde R. Dugan, Chair. Management Interest: C.L. Bowen, Pleasant Hill, Calif.; B. Jakubovic, CYBRA Corporation, Yonkers, N.Y.; T. Kelley (liaison), Martinsburg, W.V.; J. Laws, Department of Homeland Security, Washington, D.C.; M.J. Martinez, Cedar Park, Tex.; K. Morley, AWWA, Washington, D.C.; L. Ralph (liaison), Standards Engineer Liaison, AWWA, Denver, Colo. Consultant Members: C. Herndon, Herndon Solutions Group, Las Vegas, Nev.; I.L. Jones, Alexandria, Va.; J.W. McLaughlin, Merrick & Company, Charlotte, N.C.; A. Ohrt, West Yost Associates, Golden Valley, Minn.; K. Owens, Control Cyber Inc., Pullman, Wash.; C.R. Sapp, Sugar Hill, Ga.; L.P. Warren, Launch! Consulting LLC, Charlottesville, Va. User Members: S. Datema, Tarrant Regional Water District, Fort Worth, Tex.; C.R. Dugan, East Lansing Meridian Water and Sewer Authority, East Lansing, Mich.; J. Hines, Las Vegas Valley Water District, Las Vegas, Nev.; M.I. Inyang, Massachusetts Water Resources Authority, Southborough, Mass.; P. Lamb, Boone, N.C.; D.P. Lopez, Long Beach Water Department, Long Beach, Calif.; S.D. Spence, Norwalk, Conn.; M. Stuhr, Chiloquin, Ore. Figure |
4 | Figure |
5 | Contents All AWWA standards follow the general format indicated subsequently. Some variations from this format may be found in a particular standard. Foreword: I Introduction; I.A Background; I.B History; I.C Acceptance; II Special Issues; II.A Advisory Information on Application of Standards; II.B Origination of Standard; II.C Safety Act Designation; III Use of This Standard; III.A Options and Alternatives; III.B Modification to Standard; IV Major Revisions; V Comments. Management Standard: 1 General; 1.1 Scope; 1.2 Purpose; 1.3 Application; 2 References; 3 Definitions; 4 Requirements; 4.1 Explicit Commitment to Security; 4.2 Security Culture; 4.3 Defined Security Roles and Employee Expectations; 4.4 Up-To-Date Assessment of Risk; 4.5 Resources Dedicated to Security and Security Implementation Priorities; 4.6 Access Control and Intrusion Detection; 4.7 Contamination Detection, Monitoring, and Surveillance; 4.8 Information Protection and Continuity; 4.9 Design and Construction; 4.10 Threat-Level–Based Protocols; 4.11 Emergency Response and Recovery Plans and Business Continuity Plan; 4.12 Internal and External Communications; 4.13 Partnerships; 5 Verification; 5.1 Documentation Required; 5.2 Human Resources; 5.3 Equipment; 6 Delivery. Appendix: A Resources. Table: 1 Supporting Documentation Required by this Standard by Section. Figure |
6 | Figure |
7 | Foreword This foreword is for information only and is not a part of ANSI*/AWWA G430. I. Introduction I.A. Background. The AWWA Management Standards Program is designed to serve water, wastewater, and reuse utilities and their customers, owners, service providers, and government regulators. The standards developed under the program are intended to improve a utility’s overall operation and service. Among these standards is this effort to establish formal management and operational guidelines. These guidelines identify appropriate practices, procedures, and behaviors the implementation of which will provide e AWWA’s standards process has been used for more than 90 years to produce American National Standards Institute (ANSI)–recognized standards for materials and processes that are used by the Water Sector. These standards are recognized worldwide and have been adopted by many utilities and organizations. Likewise, this management standard is developed using the same ANSI-recognized formal process. Volunteer standards committees establish standard practices in a uniform and appropriate format. Formal standards committees have been and continue to be formed to address the individual standard practices for the diverse areas of the Water Sector. A formal standards committee was created in 2007 to develop a standard for security. This standard is the outcome from the Security Practices for Operation and Management Committee. I.B. History. The first edition of this standard was approved by the AWWA Board of Directors on Jan. 25, 2009. This edition was approved on June 8, 2014 and reaffirmed without revision on Oct. 26, 2020. I.C. Acceptance. No applicable information for this standard. II. Special Issues. II.A. Advisory Information on Application of Standards. This standard includes only those requirements that are limited exclusively to security practices for operation and management of a drinking water, wastewater, or reuse system. 
Separate standards will cover utility programs such as distribution system operation and management, emergency preparedness, financial management, water treatment, source water *American National Standards Institute, 25 West 43rd Street, Fourth Floor, New York, NY 10036. Figure |
8 | protection, communications and customer relations, and business systems. At the time of issuance of this standard, neither the Department of Homeland Security* (DHS) nor the US Environmental Protection Agency† (USEPA) has developed regulatory standards for the Water Sector. II.B. Origination of Standard. This standard originates from recommendations prepared by the USEPA’s National Drinking Water Advisory Council‡ (NDWAC) on water security practices, incentives, and measures, dated June 2005. A subsequent workgroup was convened in February 2007 by the Critical Infrastructure Partnership Advisory Council§ (CIPAC) to develop a national performance measurement system and revise the NDWAC recommendations to track with the Water Sector-Specific Plan (Water SSP), which is also describe II.C. SAFETY Act Designation. The American Water Works Association Standards G430 and J100 have been awarded SAFETY Act designation by the US Department of Homeland Security. The designation carries important liability protection for the association and for utilities that properly implement these standards. The Support Anti-terrorism by Fostering Effective Technologies Act (SAFETY Act) of 2002 was enacted by Congress in the wake of the terrorist attacks on Sept. 11, 2001. The SAFETY Act was created in part because of the extraordinarily large liability entities might face if a terrorist attack occurs despite deployment of anti-terrorism security measures already in place. Congress designed the SAFETY Act as an incentive for the creation and deployment of technologies and services with anti-terrorism capabiliti III. Use of This Standard. It is the responsibility of the user of an AWWA standard to determine that the products described in that standard are suitable for use in the particular application being considered. III.A. Options and Alternatives. There is no applicable information in this section. * US Department of Homeland Security, Washington, DC 20528.
† US Environmental Protection Agency, Ariel Rios Building, 1200 Pennsylvania Avenue, NW, Washington, DC 20460. ‡ National Drinking Water Advisory Council, Office of Ground Water and Drinking Water (4601), Ariel Rios Building, 1200 Pennsylvania Avenue, NW, Washington, DC 20460. § Critical Infrastructure Partnership Advisory Council, US Department of Homeland Security, Washington, DC 20528. Figure |
9 | III.B. Modification to Standard. No applicable information for this section. IV. Major Revisions. The major changes made to the standard in this revision include the following: 1. Realignment of vulnerability assessment to risk assessment in accordance with ANSI/AWWA J100, Risk and Resilience Management of Water and Wastewater Systems 2. Integration of new AWWA cybersecurity guidance and use-case tool 3. Integration of ANSI/AWWA G440, Emergency Preparedness Practices 4. Revision/update of federal directives 5. Adjustment of reference to the ASCE materials formerly known as WISE V. Comments. If you have any comments or questions about this standard, please contact AWWA Engineering and Technical Services at 303.794.7711; FAX at 303.795.7603; write to the department at 6666 West Quincy Avenue, Denver, CO 80235-3098; or email at [email protected]. Figure |
10 | Figure |
11 | ANSI/AWWA G430-14(R20) (Revision of ANSI/AWWA G430-09) (Reaffirmed without revision 2020) AWWA Management Standard Security Practices for Operation and Management SECTION 1: GENERAL Sec. 1.1 Scope This standard covers the minimum requirements for a protective security program for a water, wastewater, or reuse utility. Sec. 1.2 Purpose The purpose of this standard is to define the minimum requirements for a protective security program for a water, wastewater, or reuse utility that will promote the protection of employee safety, public health, public safety, and public confidence. Sec. 1.3 Application This standard can be referenced in the evaluation of security practices. The stipulations of this standard apply when this document has been referenced and then only to the security practices of the utility. SECTION 2: REFERENCES This standard references the following documents. In their latest editions, or as specified, they form a part of this standard to the extent specified within Figure |
12 | the standard, whether mentioned specifically or not. In any case of conflict, the requirements of this standard shall prevail. ANSI/AWWA G440—Emergency Preparedness Practices. ANSI/AWWA J100—Risk and Resilience Management of Water and Wastewater Systems. AWWA, Process Control System Security Guidance for the Water Sector (2013). National Electric Code Article 708. Water Research Foundation (WRF),* Business Continuity Planning for Water Utilities (2008). SECTION 3: DEFINITIONS The following definitions shall apply in this standard. 1. All Hazards: An approach for prevention, protection, preparedness, response, and recovery that addresses a full range of threats and hazards, including domestic terrorist attacks, natural and man-made disasters, accidental disruptions, and other emergencies. 2. Asset: An item of value or importance. In the context of critical water and wastewater infrastructure, an asset is something of importance or value that if targeted, exploited, destroyed, or incapacitated could result in injury, death, economic damage to the owner of the asset or to the community it serves, could result in destruction of property, or could profoundly damage a nation’s prestige and confidence. Assets may include physical elements (tangible property), cyber elements (information and communica a. Critical Asset is an asset the absence or unavailability of which would significantly degrade the ability of a utility to carry out its mission or would have unacceptable financial or political consequences for the owner or the community. 3. Business Continuity Plan (BCP): A plan designed to maintain essential business functions and preserve the utility’s ability to perform its mission or function during an incident and recovery.
For example, a BCP should be designed to preserve the utility’s ability to acquire and pay for essential supplies, personnel, components or services; to receive funds; and to maintain a record of all transactions for subsequent accounting, billing, or reimbursement. * Water Research Foundation, 6666 West Quincy Avenue, Denver, CO 80235. Figure |
13 | 4. Consequence: The immediate, short-term, and long-term effects of a malevolent attack or natural, technological, or human-caused hazard. These effects include losses suffered by the owner of the asset and by the community served by that asset, human and property losses, environmental damages, lifeline interruptions, and qualitative losses. 5. Incident: An occurrence or event, either natural or man-made, that requires a response to protect life or property. Incidents can, for example, include major disasters, emergencies, terrorist attacks, terrorist threats, civil unrest, wild-land or urban fires, floods, hazardous material spills, nuclear accidents, aircraft-related disasters, earthquakes, hurricanes, tornadoes, tropical storms, tsunamis, war-related disasters, public health and medical emergencies, and other occurrences requiring an emergency 6. Incident Command System (ICS): A standardized on-scene, all hazards incident management approach that allows for the integration of facilities, equipment, personnel, procedures, and communications operating within a common organizational structure. ICS enables a coordinated response among various jurisdictions and functional agencies, both public and private, and establishes common processes for planning and managing resources. ICS is flexible and can be used for incidents of any type, scope, and complexity 7. InfraGard: An information sharing and analysis effort serving the interests and combining the knowledge bases of a wide range of members. At its most basic level, InfraGard is a partnership between the Federal Bureau of Investigation† (FBI) and the private sector. InfraGard is an association of businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the United States. 8.
Intrusion Detection System (IDS): Intrusion detection for industrial control systems (which may also be called Process Control System) is not a single product or a single piece of technology, even though commercial “systems” are available. Instead, intrusion detection is a comprehensive set of tools and processes providing network monitoring that can give an administrator a complete picture of how the network is being used. Implementing a variety of these tools helps to create † FBI Headquarters, 935 Pennsylvania Avenue, NW, Washington, DC 20535-0001. Figure |
14 | a defense-in-depth architecture that can be more effective in identifying attacker activities and using the tools in a manner that can be preventative. Additional information on securing industrial control systems and supervisory control and data acquisition (SCADA) systems can be found in appendix A. 9. National Incident Management System (NIMS): NIMS provides a systematic, proactive approach to guide departments and agencies at all levels of government, nongovernmental organizations, and the private sector to work seamlessly to prevent, protect against, respond to, recover from, and mitigate the effects of incidents, regardless of cause, size, location, or complexity, to reduce the loss of life. NIMS was developed by the US Department of Homeland Security (US DHS) so that responders from different jurisdi 10. National Infrastructure Protection Plan (NIPP): The NIPP provides the unifying structure for the integration of existing and future critical infrastructure and key resources (CIKR) protection efforts and resiliency strategies into a single national program to achieve this goal. The NIPP framework supports the prioritization of protection and resiliency initiatives and investments across sectors to ensure that government and private sector resources are applied where they offer the most benefit for mitigatin 11. Physical hardening: A process designed to deter and/or help mitigate physical damage, service disruption, or other serious consequences of an attack by Figure |
15 | making the facility harder to attack, by delaying entry until responders arrive, or by reducing the effect an attack may have. 12. Preparedness: A continuous cycle of planning, organizing, training, equipping, exercising, evaluating, and taking corrective action in an effort to ensure effective coordination during the incident response and recovery, including continuity of operations plans, continuity of government plans, and preparation of resources for rapid restoration of function. 13. Risk: A function of consequences, hazard frequency or likelihood, and vulnerability, which with point estimates is the product of the terms. It is the expected value of the consequences of an initiating event weighted by the likelihood of the event’s occurrence and the likelihood that the event will result in the consequences, given that it occurs. Risk is based on identified events or event scenarios. 14. Risk Analysis and Management: A process for analyzing and managing the risks associated with malevolent attacks and naturally occurring hazards against critical infrastructure as defined in ANSI/AWWA J100. 15. Sector-Specific Plans (SSPs): SSPs support the NIPP by establishing a coordinated approach to national priorities, goals, and requirements for critical infrastructure and key resource (CIKR) protection. The SSPs provide the means by which the NIPP is implemented across critical infrastructure and key resource sectors, as well as a national framework for each sector to address its unique characteristics and risk landscape. This coordinated approach allows federal funding and resources to be applied in the mo for the Water Sector can be found at http://www.dhs.gov/water-and-wastewater – 16. Security Plan: A comprehensive plan, developed by the utility, that includes its security goals, objectives, strategies, policy or policies, and procedures.
The security plan should coordinate closely with the utility’s emergency preparedness plan and business continuity plan. 17. Vulnerability: An inherent state of a system (e.g., physical, technical, organizational, cultural) that can be exploited by an adversary or impacted by a natural hazard to cause harm or damage. Such weaknesses can occur in building characteristics; equipment properties; personnel behavior; location of people, equipment and buildings; or operational and personnel practices. Vulnerability is expressed as the likelihood of an event’s having the estimated consequences, given that the event occurs. Figure |
16 | 18. Vulnerability assessment/analysis: A systematic examination of the ability of an asset to withstand a specific threat or undesired event, including current security and emergency preparedness procedures and controls. A vulnerability assessment often suggests countermeasures, mitigation measures, and other security improvements. 19. Water Sector: The NIPP defines the Water Sector as both drinking water and wastewater utilities. For the purpose of this standard, this definition will expressly include water reuse facilities. 20. Water Sector Information Sharing and Analysis Center (WaterISAC): WaterISAC is a highly secure, subscription-based Internet portal that provides a source for sensitive security information and alerts to help the US drinking water and wastewater community protect consumers and the environment. SECTION 4: REQUIREMENTS This standard is intended to apply to water, wastewater, or reuse utilities, regardless of size, location, ownership, or regulatory status. This standard builds on the long-standing practice among utilities of using a multiple-barrier approach for the protection of public health, public safety, and the environment. The requirements of this standard are designed to support a protective utility-specific security program that will result in consistent and measurable outcomes. Sec. 4.1 Explicit Commitment to Security 4.1.1 Explicit and visible commitment of senior leadership to security. The utility shall establish an explicit, visible, easily communicated, enterprise-wide commitment to security. This shall be represented by the development of a security plan, by policies, and by other documents that make security a part of daily operations visible to employees and customers. 4.1.1.1 Periodic review and update of security plan, policies, or documents.
The utility shall establish and maintain a schedule for periodic review of its security plan, policies, and documents, and update them as needed. Sec. 4.2 Security Culture 4.2.1 Promote security awareness throughout the utility. The utility shall promote a culture whereby every person understands, appreciates, and contributes to enhanced security. Figure |
17 | 4.2.1.1 Employee reports and suggestions. The utility shall establish a process for employees to report security violations or concerns and to make suggestions for improvement. 4.2.1.2 Employee training. The utility shall train employees and other responsible parties in security awareness, individual responsibility, and appropriate responses. 4.2.1.3 Incorporating security into job descriptions. The utility shall include security in job performance evaluations and rate employees, including top management, on their performance. 4.2.1.4 Measure security activities and progress. The utility shall establish a means of measuring security activity, establish goals for improvement, and monitor progress. The utility should review the recommended performance measures under the Water SSP of the NIPP and consider them as a standardized mechanism for measurement and reporting that may supplement the requirements of this standard. The utility should also consider using the self-assessment questions included therein as a guide for improvement 4.2.1.5 Visible identification. The utility shall establish a means of visible identification of employees and others authorized to access utility facilities, and ensure every person routinely complies. 4.2.2 Reward employees for appropriate security activities. The utility shall have a means of rewarding appropriate security awareness and response by employees and others. Sec. 4.3 Defined Security Roles and Employee Expectations 4.3.1 Identify managers and employees who are responsible for security. The utility shall identify managers and employees responsible for creating, maintaining, and implementing the security plan; for performing and maintaining the vulnerability or risk assessment; and for providing security leadership.
Other security-related roles and responsibilities include security program management, physical intrusion and contamination detection, and incident command roles during emergency response and recovery. Addit 4.3.2 Establish security expectations for staff. The utility shall identify and disseminate security expectations for staff, and periodically review performance. Figure |
18 | Sec. 4.4 Up-to-Date Assessment of Risk 4.4.1 Perform a risk assessment. The utility shall perform a risk assessment. The utility’s risk assessment may use publicly or commercially available tools, consistent with ANSI/AWWA J100, that allow the assessment to be replicated and based on the following steps: 1. Asset characterization 2. Threat characterization 3. Consequence analysis 4. Vulnerability analysis 5. Threat likelihood analysis 6. Risk/resilience likelihood 7. Risk/resilience analysis 4.4.2 Review and update. The utility shall review and update its risk assessment as new hazards and threats emerge, when facilities are constructed or removed from service, and when other changes occur that significantly affect the results of the risk assessment. 4.4.2.1 Periodic review. The utility shall establish and maintain a schedule for periodic review and update of the risk assessment, based on the utility-specific circumstances. The schedule for review shall not exceed 5 years but can be more frequent based on operational changes or other incidents that warrant further review. Sec. 4.5 Resources Dedicated to Security and Security Implementation Priorities 4.5.1 Sustain focus on security. The utility shall sustain a focus on security by maintaining security as a current priority. 4.5.1.1 Maintain focus. Executives and line managers shall maintain a focus on security throughout the years by doing one or more of the following items, or a defined alternative: • Include security in periodic progress reports to the governing body • Make security a standing item on executive management agendas • Make security a routine item in manager or supervisor meetings with employees or other authorized persons 4.5.1.2 Resources.
The utility shall invest staff time and resources in security by including security considerations in budgets for personnel and training or, if appropriate, by explicitly assigning security responsibilities to existing staff and budgeting accordingly. Figure |
19 | 4.5.1.3 Exercises. The utility shall include security exercises in operational planning and identify associated training costs in budgets. 4.5.2 Identify security priorities. The utility shall establish a security improvement plan that identifies security priorities based on its risk assessment (see Sec. 4.4). 4.5.2.1 Integrate security plan. The utility shall integrate the security improvement plan with other operational plans and investments and shall establish the appropriate relationship of security priorities based on the utility’s vulnerability assessment in context with other organizational priorities. 4.5.2.2 Identify resources required for the security plan. The utility shall identify and commit resources dedicated to security programs and planned security improvements. Based upon the relationship with other organizational priorities, the utility shall identify and plan for the resources required to maintain the security program and make necessary improvements. Sec. 4.6 Access Control and Intrusion Detection 4.6.1 Identify utility assets requiring access control. Through the risk assessment or other means, the utility shall identify assets or facilities that require controlled access based on criticality to maintain normal operations (identified critical assets). 4.6.2 Establish and maintain physical control of access to identified critical assets. The utility shall establish and maintain a means of physically controlling access to identified critical assets. Examples of physical access controls include the following and can be used individually or in combination: • Substantial buildings with intrusion prevention devices on windows and access points • Fences • Barriers • Locked gates, hatches, and doors • Monitored intrusion alarms • Tamper-resistant devices at key distribution or collection points 4.6.3 Implement annual inspections of identified critical assets.
The utility shall implement and maintain annual inspections to assure that security features are adequate and functioning, and to identify if any corrective work is necessary to maintain access control or other security features. 4.6.4 Establish and maintain a means of detecting and assessing intrusion. The utility shall establish and maintain a means of detecting and assessing intrusion Figure |
20 | into identified critical assets by unauthorized persons in a manner that is timely and enables the utility to respond effectively. Monitoring for physical intrusion can include physical and procedural improvements. Examples of physical improvements include installing detection devices such as motion detectors and intrusion alarms, or improved assessment tools such as well-lighted facility perimeters or monitoring with closed circuit TV (CCTV). Procedural improvements include the use of neighborhood watches, 4.6.5 Establish and maintain procedures to control personnel access to identified critical assets. The utility shall establish and maintain procedural controls to limit access to identified critical assets to authorized persons only. Examples of procedural access controls include the following and can be used individually or in combination: • Inventory and control keys • Develop procedure that limits access rights to employees to maximum extent possible • Develop hierarchical key and/or access card system to limit access to extent possible • Change access codes regularly • Require security passes for access • Establish a security presence at access points • Require visitors to have scheduled appointments and/or have a protocol to address unscheduled visitors • Require employees and other authorized persons to display identification at all times when on-site, if appropriate • Require visitors to sign in and display identification at all times when on-site • Implement chemical delivery and testing procedures including chain-of-custody control or tamper-evident packaging requirements • Limit delivery hours • Check deliveries to ascertain the nature of the material 4.6.6 Establish and maintain a means of restricting authorization for access. The utility shall establish and maintain a means of restricting unescorted access to identified critical assets. 4.6.6.1 Background checks. 
Where legally permissible and appropriate, the utility shall institute a system of background checks on employees, contractors, |
21 | temporary workers, or any other person authorized to access identified assets without an escort. The level or complexity of background checks utilized should be commensurate with the level of access and the privileges granted to the person. Other benefits of background checks, depending on the level employed, may include verifying identity, establishing citizenship, determining previous criminal activity, and determining work eligibility. 4.6.6.2 Other means of identity verification. When background checks are not permitted or appropriate, the utility shall establish a defined alternative method of verifying identity and granting access rights and privileges to a person seeking authorization. 4.6.7 Establish a protocol for employees or others that have been terminated, have resigned, or have had a relevant change of status. The utility shall establish and maintain a protocol to recover keys, revise passwords, and take other appropriate actions immediately on termination, resignation, or re-assignment of an employee or the relevant change of status of other personnel who have access to high-risk assets. Other personnel may include vendors, consultants, contractors, public officials, or others that 4.6.8 Testing. The utility shall test physical and procedural access controls routinely to ensure performance. The tests shall be conducted annually, or more frequently if required by law or regulation. Sec. 4.7 Contamination Detection, Monitoring, and Surveillance 4.7.1 Surveillance and response for chemical, biological, or radiological contamination. The utility shall develop and implement a surveillance and response system. A surveillance and response system provides a proactive approach to managing threats that uses monitoring technologies/strategies and enhanced surveillance activities to collect, integrate, analyze, and communicate information. 
However, it should not be merely a collection of monitors and equipment placed throughout a water distribution system to alert of intrusion or contamination, but rather should be an exercise in information acquisition and management. Different information streams are captured, manage |
22 | The recommended components of a surveillance and response system are briefly described as follows: • Online water quality monitoring involves monitoring for typical water quality parameters throughout the distribution system and comparison with an established base-state to detect possible contamination incidents. The utility should stay current on developments in online contaminant monitoring systems and should consider implementing such systems if feasible. • Sampling and analysis involve the collection of distribution system samples that are analyzed for various contaminants and contaminant classes for the purpose of establishing a baseline of contaminant occurrence (contaminants detected, levels detected, and frequency of detections) and method performance, as well as for the purpose of investigating suspected contamination incidents triggered by other monitoring and surveillance components. • Enhanced security monitoring includes the equipment and procedures that detect and respond to security breaches at distribution system facilities. • Consumer complaint surveillance enhances and automates the collection and analysis of consumer calls reporting unusual water quality concerns and compares trends against an established base-state to detect possible contamination incidents. • Public health surveillance involves the analysis of health-related data sources to identify illness in the community that may stem from drinking water contamination. The utility is directed to Appendix A, Section A.2—Water Security Initiative (WSi), for more discussion of guidance developed by USEPA and others. 4.7.2 Monitoring or surveillance of indicators of contamination. 
Although typical water quality parameters (surrogate parameters) may not be a direct indication of chemical, biological, or radiological contamination, the utility may find that monitoring surrogate parameter concentrations or trends is useful and appropriate in its individual circumstance. Recognizing that surrogate parameter changes may be difficult to interpret from a security perspective, the utility should review and consider any physical • Pressure change abnormalities • Free and total chlorine residual |
23 | • Temperature • Dissolved oxygen • Conductivity • Oxygen-reduction potential • Total dissolved solids • Turbidity • pH • Color • Odor • Taste 4.7.3 Laboratory testing for contaminants. The utility shall routinely sample and monitor the water or wastewater system as required by law or regulation and shall include additional test parameters or elevated sampling frequencies if appropriate to a specific security concern or threat notification. The utility should consider identifying and prequalifying laboratories that have the necessary capabilities. 4.7.4 Communication with customers and public health authorities as a means of identifying contamination. The utility shall monitor customer complaints and initiate or improve communications with local public health authorities or networks. 4.7.4.1 Documentation of complaints. The utility shall establish a means to record and analyze customer complaints and evaluate them as an indicator of possible system contamination. This system should include communications with customer communities that receive bulk water deliveries, if appropriate. 4.7.4.2 Communication. The utility shall establish and maintain two-way communications and relationships with local public health authorities and health providers to expedite the potential identification of public health anomalies that may be indicators of system contamination. 4.7.5 Adjacent utilities. The utility shall establish and maintain two-way communications with adjacent utility systems to identify any contamination. In the case of a water utility, this may be an upstream water or wastewater utility. In the case of a wastewater utility, this may be downstream users or others that assess the receiving stream quality. 4.7.6 Incident detection and response. 
The utility shall establish written procedures for, at a minimum, the following key components of a surveillance and response system: (1) the criteria that will be used to identify a potential |
24 | contamination event and trigger an investigation, (2) the criteria that will be used to declare that a contamination incident has occurred, and (3) the response protocol for a contamination incident. This response protocol should be a part of the utility’s emergency response plan (see Sec. 4.11). Sec. 4.8 Information Protection and Continuity 4.8.1 Define security-sensitive systems and information. For most systems, information technology (IT), Process Control Systems, and SCADA systems are essential to the efficient and continuous operations of a utility. The utility shall identify critical IT, Process Control Systems, or SCADA systems as security sensitive. The utility shall also identify other security-sensitive information. This information review shall consider facility maps and other geographic sources on utility operations, security plans 4.8.1.1 Secure information. The utility shall evaluate information it shares with vendors, bidders, or the public (e.g., facility tours, brochures, or Internet access). Where appropriate and practicable, security-sensitive information shall be removed or controlled. 4.8.1.2 Regulations. The utility shall consider any applicable freedom-of-information or Sunshine Act provisions with which it must comply, to understand and abide by limitations on controlling information. 4.8.2 Protecting IT, Process Control Systems, and SCADA systems. The utility should review the AWWA Process Control System Security Guidance for the Water Sector (see Appendix A, Section A.7) as an aid in evaluating appropriate practices and controls for securing Process Control System and/or SCADA vulnerabilities. These strategies may also be useful in securing critical business IT systems for the business continuity plan. 4.8.2.1 Restricting access. 
The utility shall identify and implement steps necessary to control access to critical IT, Process Control Systems, and SCADA systems to only authorized persons conducting official utility business. Physical hardening and procedural controls shall be considered and implemented. Examples of procedural controls include: • Restricting access to data networks |
25 | • Safeguarding critical data through backups and storage in safe places • Establishing procedures to restrict network access • Implementing policies to ensure that IT contractors or their products will not negatively affect IT systems Examples of physical steps include: • Installing and maintaining firewalls • Screening for viruses • Separating business systems from operational systems • Installing a system for virus protection • Ensuring security at each location of SCADA components • Incorporating encryption technologies • Establishing and routinely changing access codes 4.8.2.2 Uninterruptible power supply. The utility shall establish and maintain an uninterruptible power supply for critical IT, Process Control Systems, and SCADA systems, and the means of providing for backup generators or backup power supplies for critical facilities in accordance with National Electric Code, Article 708. 4.8.3 Establish and maintain physical and procedural controls to restrict access to sensitive information. The utility shall establish and maintain appropriate access restrictions and procedural controls on security-sensitive information. Access restrictions should consider the legal framework in which the utility is operating, and ensure appropriate access is granted for employees and others to perform their duties efficiently. 4.8.4 Detect unauthorized access. The utility shall establish and maintain the means to detect unauthorized access or intrusion to IT, Process Control Systems, or SCADA systems or to security-sensitive information, and the means to respond in an appropriate and timely manner. For additional information on intrusion detection systems and defense-in-depth strategies, see Appendix A, Section A.7. 4.8.5 Ensure information and communications systems will function during emergency response and recovery. 4.8.5.1 Critical information. 
The utility shall identify critical information and ensure its preservation and accessibility during emergency response and recovery. Off-site backup of critical data should be considered for preservation and accessibility. |
26 | 4.8.5.2 Critical communications. The utility shall identify critical internal and external communications and ensure their functionality during emergency response and recovery. Sec. 4.9 Design and Construction 4.9.1 Incorporate security objectives into utility design and construction standards. Consistent with the recommendations of the vulnerability or risk assessment where applicable, the utility shall incorporate its security objectives into the design of infrastructure repairs or replacements, or the acquisition or construction of new assets. 4.9.1.1 Physical hardening of identified critical assets. The utility shall include physical hardening in the repair/replacement of identified critical assets, or in the design and construction of new assets. Physical hardening is intended to protect or help mitigate physical damage, service disruption, or other serious consequences of an attack by making the facility harder to attack or by reducing the effect an attack may have. Examples of physical hardening include: • Location of critical assets within a facility • Use of substantial building materials • Designing in inherent redundancy for critical services Design choices should also consider the ability to ensure continuity of operations and rapid recovery in the event of an attack, natural disaster, or other event. 4.9.1.2 Adoption of security risk technologies or approaches. The utility shall consider the adoption of security technologies or approaches that have the demonstrated capability of reducing or mitigating the consequences of an attack, natural disaster, or other event when making design or technology choices. Examples of such technologies and approaches include Crime Prevention Through Environmental Design (CPTED), increased redundancy of critical components, increased interconnections with adjacent utiliti Sec. 4.10 Threat-Level–Based Protocols 4.10.1 Monitor available threat-level information. 
The utility shall establish an appropriate means to stay apprised of changes in threat levels. Sources of information may include the US Department of Homeland Security (DHS), local police or FBI office, WaterISAC, InfraGard, or other credible sources. The utility |
27 | should research and establish communications with networks and information sources appropriate to its security environment. 4.10.2 Escalate security procedures in response to relevant threats. The utility shall establish a procedure to escalate security operations in the event of a relevant increase in the threat level or a significant local event. Sec. 4.11 Emergency Response and Recovery Plans and Business Continuity Plan 4.11.1 Incorporate security into emergency response and recovery plans, business continuity plans, and operations. 4.11.1.1 Update plans. The utility shall revise its emergency response and recovery plans and business continuity plans as necessary to incorporate security considerations into the plans. Additional guidance is provided in ANSI/AWWA G440 and the Business Continuity Planning for Water Utilities* (Water RF 2008). 4.11.1.2 Emergency response. The utility shall comply with the National Incident Management System (NIMS) guidelines and use Incident Command System (ICS) protocol for emergency response. 4.11.2 Test emergency response and recovery plans and business continuity plans regularly. The utility shall establish and maintain a schedule for testing its emergency response and recovery plans and business continuity plans. Testing may include training, table-top exercises or drills, or real-time simulated responses. 4.11.3 Update emergency response and recovery plans and business continuity plans as necessary. 4.11.3.1 Review and update. The utility shall perform a timely review and update its emergency response and recovery plans and business continuity plans as necessary to correct identified deficiencies after exercises or actual implementation (lessons learned) in accordance with ANSI/AWWA G440. 4.11.3.2 Routine reviews. 
The utility shall perform a timely review and update of its emergency response and recovery plans and business continuity plans routinely and as necessary to reflect relevant changes in potential threats, physical infrastructure, utility operations, critical interdependencies, or response protocols in partner organizations. In no event shall the interval exceed five years, and the review and update can be more frequent if required by law or regulation. 4.11.3.3 The utility should consider participating in a mutual aid and assistance agreement. The utility should consider participating in a mutual aid and assistance agreement with local, regional, and state utilities, as appropriate, to (* https://www.waterrf.org/research/projects/business-continuity-plans-water-utilities) |
28 | expedite response and recovery of service. This may include, but not be limited to, joining the state Water and Wastewater Agency Response Network (WARN), if applicable. 4.11.4 Contact list. The utility shall establish, maintain current, and distribute a list of contacts to include key employees and key contacts for critical customers and support organizations. This list shall include names, phone numbers, and other information necessary to establish contact with those persons or designated alternates during an emergency. 4.11.5 Response to contamination threat. The emergency plan shall have a procedure for responding to potential contamination events or threats, which includes reporting out, field verification, credibility assessments, site sampling, lab qualification, lab analysis, and public notification. 4.11.6 Protection of public health. The utility must be prepared to consider contamination evidence carefully and make public health decisions with incomplete data and analysis. Sec. 4.12 Internal and External Communications 4.12.1 Establish and maintain strategies for regular and ongoing communications with employees. The utility shall establish and maintain strategies for effective communications with employees about security issues. These strategies should be designed to maintain security awareness, to motivate staff to take security seriously, to allow staff to notify security personnel or others about security concerns or suspicious events or activities, to promote employee safety during an event, and to enable effective e 4.12.2 Establish and maintain strategies for regular and ongoing relationships and communications with response organizations. The utility shall establish and maintain strategies for effective relationships and communications with response organizations. The utility’s strategies should focus on ensuring clarity and reliability of information during an emergency. 
The utility shall evaluate the need and means for providing backup systems that will maintain communications with agencies such as police, fire, an 4.12.3 Establish strategies for regular and ongoing communications with customers. The utility shall establish strategies for effective communications with customers prior to any emergency. Communications strategies should especially |
29 | consider the most effective way to reach customers with information, both in terms of delivery and source, and ways to get information from customers about unusual events or suspicious activities. The utility’s strategies should consider key messages, which person is equipped and trusted to deliver the messages, and the need for consistency, especially during an emergency. 4.12.4 Establish strategies for regular and ongoing communications with regulatory agencies. The utility shall establish strategies for effective communications with relevant regulatory agencies. Communications strategies should consider timely two-way communications in the event of an actual incident or threat. Sec. 4.13 Partnerships 4.13.1 Forge reliable and collaborative partnerships with communities served, with managers of critical interdependent infrastructure, and with response organizations. 4.13.1.1 Identify key partnerships. The utility shall identify key agencies that are essential to emergency response and recovery and establish and maintain collaborative partnerships with these agencies. Customer community agencies such as police and fire, managers of critical interdependent infrastructure such as power companies, first-responder agencies, and adjacent utilities are typically included as key agencies. 4.13.1.2 Establish collaborative partnerships. The utility shall establish collaborative partnerships with key agencies as appropriate to ensure cooperation and effective coordination during emergency response and recovery. SECTION 5: VERIFICATION Sec. 5.1 Documentation Required • The utility shall define critical security activities and create written procedures for them. • The utility shall have an up-to-date vulnerability or risk assessment. • The utility shall have an up-to-date emergency response and recovery plan that incorporates security objectives. • The utility shall have a training component for personnel. 
• The utility shall maintain an adequate recordkeeping system so that compliance with this standard can be measured. 5.1.1 General. The documentation shall include: • Documented statements of a security policy and security objectives. |
30 | • Documented procedures required by this standard. • Records required by this standard. Note: Where the term documented procedure appears within this standard, this means that the procedure is established, documented, implemented, and maintained. 5.1.2 Required documentation. Documentation shall be sufficient to support the requirements in Section 4, including the documents listed by section in Table 1. Table 1 Supporting documentation required by this standard by section. Reference (Section 4): Documents Required. 4.1.1: Written enterprise-wide security policy. 4.1.1.1: Documented procedure and schedule for review of security policy. Record of updates. 4.2.1: Documented procedures for identification requirements. Training documents. Job descriptions indicating security as a component of evaluation. Record of employee reports and suggestions. Security goals and progress reports. Documentation utilizing the Water Sector performance measurement system under the Water SSP of the NIPP, or equivalent. 4.2.2: Record of rewards or acknowledgements for employees. 4.3.1: Record identifying person(s) assigned primary responsibility for security. 4.3.2: Record identifying security as a part of each employee’s responsibility. 4.4.1: Documentation demonstrating a vulnerability or risk assessment has been completed. 4.4.2: Documented procedure and schedule for review and update of vulnerability or risk assessment. Documentation showing compliance with the schedule. 4.5.1: Documentation such as reports, agendas, minutes, or other documents demonstrating security as a topic of current discussion. Budget item/resource assignments for security and security training. Record of security exercises performed. Record of security inspections performed. Record identifying person(s) assigned primary responsibility for security. 4.5.2: Operations and capital plan or budget identifying security investments or priorities in relation to other utility priorities. 
4.6.1: Documentation showing that critical assets and facilities are identified. NIPP—National Infrastructure Protection Plan, SSP—sector-specific plan |
31 | Table 1 Supporting documentation required by this standard by section (continued). Reference (Section 4): Documents Required. 4.6.2: Documented procedures or protocols for physically securing critical assets and facilities. 4.6.3: Procedures and documentation of annual inspections. 4.6.4: Documented procedure demonstrating intrusion detection methodologies. Documented procedures for responses to intrusion indication. 4.6.5: Documented procedure demonstrating control of access to authorized personnel only. 4.6.6: Documentation demonstrating screening methods for authorization of security privileges. 4.6.7: Documented procedures for review or revocation of security access rights for employees or others who have had a change of status. 4.6.8: Documentation of test results and evaluations of physical and procedural access controls. 4.7: Documented procedures and protocols for detecting contamination incidents. 4.8.1: Documentation demonstrating identification of security-sensitive information and systems. 4.8.2: Documented procedures for protecting and maintaining critical IT and SCADA systems. 4.8.3: Documented procedures for securing security-sensitive information. 4.8.4: Documented process for detecting unauthorized access, such as an intrusion detection system, and documented procedures for responding to unauthorized access. 4.8.5: Documented procedures and protocols for testing and maintaining IT, SCADA, and communications systems during emergency response and recovery. 4.9: Documentation of security objectives in design and construction standards, or of considerations for security hardening and risk reduction. 4.10: Documentation of information sources on threat levels. Documented procedures for escalated security responses for relevant elevated threat levels. 4.11.1: Emergency response and recovery plans demonstrating that security objectives have been incorporated. 
Business continuity plans demonstrating security objectives have been incorporated. Documented procedure for compliance with NIMS and ICS protocols. 4.11.2: Documented procedure for testing emergency response and recovery plans and business continuity plans. 4.11.3: Documentation of timely reviews and appropriate updates. 4.11.4: Documented procedure and current contact list. 4.12: Procedures and documentation of ongoing communications. 4.13: Documentation demonstrating identification and establishment of appropriate partnerships. ICS—Incident Command System, NIMS—National Incident Management System, SCADA—supervisory control and data acquisition |
32 | 5.1.3 Control of documents. Documents required for this standard shall be controlled. Records are a special type of document and shall be controlled according to the requirements given in Sec. 5.1.4. A documented procedure shall be established to define the controls needed: • To approve documents for adequacy prior to issue. • To review and update as necessary and re-approve documents. • To ensure that changes and the current revision status of documents are identified. • To ensure that relevant versions of applicable documents are available at points of use. • To ensure that documents remain legible and readily identifiable. • To ensure that documents of external origin are identified, and their distribution controlled. • To prevent the unintended use of obsolete documents, and to apply suitable identification to them if they are retained for any purpose. 5.1.4 Control of records. Records shall be established and maintained to provide evidence of conformity to requirements and evidence of the effective operation of this standard. Records shall remain legible, readily identifiable, and retrievable. A documented procedure shall be established to define the controls needed for the identification, storage, protection, retrieval, retention time, and disposition of records. Sec. 5.2 Human Resources 5.2.1 General. Personnel performing work affecting system security shall be competent on the basis of appropriate education, training, skills, and experience. 5.2.2 Competence, awareness, and training. The utility shall: • Determine the necessary competence for personnel performing work affecting security. • Provide training or take other actions to satisfy these needs. • Evaluate the effectiveness of the actions taken. • Ensure that its personnel are aware of the relevance and importance of their activities. • Retain appropriate records of education, training, skills, and experience (see Sec. 5.1.3). |
33 | Sec. 5.3 Equipment 5.3.1 General. Utilities should field test security devices (i.e., motion detectors, intrusion sensors) quarterly, and field test passive measures (i.e., fences, gates, doors) every six months or as required by law or regulation. SECTION 6: DELIVERY This standard has no applicable information for this section. |
34 | Figure |
35 | APPENDIX A Resources This appendix is for information only and is not a part of ANSI/AWWA G430. SECTION A.1: US DEPARTMENT OF HOMELAND SECURITY: INDUSTRIAL CONTROL SYSTEMS CYBER EMERGENCY RESPONSE TEAM (ICS-CERT) The ICS-CERT works with the control systems community to ensure that the recommended practices available have been vetted by industry subject matter experts before being published in support of this program. Recommended practices are developed to help users reduce their exposure and susceptibility to cyber-attacks. The following website provides a current information resource to help industry understand and prepare for ongoing and emerging systems cybersecurity issues, vulnerabilities, and mitigation strate . http://ics-cert.us-cert.gov/Introduction-Recommended-Practices SECTION A.2: WATER SECURITY INITIATIVE (WSI) The Water Security initiative (WSi) is a US Environmental Protection Agency (USEPA) program that addresses the risk of contamination of drinking water distribution systems. USEPA established this research initiative in response to Homeland Security Presidential Directive 9, under which the agency is charged with developing “robust, comprehensive, and fully coordinated surveillance and monitoring systems, including international information, for…water quality that provides early detection and awareness of di |
36 | USEPA is implementing the WSi in three phases: • Phase I: Develop the conceptual design for a system that achieves timely detection of and response to contamination and other water quality incidents in drinking water distribution systems to mitigate public health and economic impacts. ○ USEPA completed this phase in 2006 with the design of a comprehensive water quality surveillance and response system. • Phase II: Demonstrate and evaluate water quality surveillance and response systems through pilots at drinking water utilities and municipalities. ○ USEPA completed this phase in 2013. Pilot systems were designed, deployed, and evaluated in Cincinnati, San Francisco, New York City, Philadelphia, and Dallas. • Phase III: Develop practical guidance and outreach to promote voluntary national adoption of effective and sustainable water quality surveillance and response systems. ○ At the time of publication, this phase is currently under way. USEPA expects to release the Water Quality Surveillance and Response System Deployment Tool in 2014. This tool will translate lessons learned from the demonstration pilots into a software application that will assist utilities with developing individualized water quality surveillance and response systems. For current information, the utility is directed to the USEPA’s Water Security initiative website at: http://water.epa.gov/infrastruture/watersecurity/lawsregs/initiative.cfmr . At the time of publication, the following products are also available on the WSi website: • Water Security Initiative: Interim Guidance on Planning for Surveillance and Response System Deployment, EPA817-R-07-005, May 2007 • Water Security Initiative: Interim Guidance on Developing an Operational Strategy for Surveillance and Response Systems, EPA-817-R-08-002, September 2008 |
37 | • Water Security Initiative: Interim Guidance on Developing Consequence Management Plans for Drinking Water Utilities, EPA-817-R-08-001, September 2008 • Water Security Initiative: Cincinnati Pilot Post-Implementation System Status, EPA-817-R-08-004, September 2008 • Water Security Initiative: Commissioning Security Systems for Drinking Water Utilities, EPA 817-R-12-002, February 2012 • Water Security Initiative: Guidance for Building Laboratory Capabilities to Respond to Drinking Water Contamination, EPA 817-R-13-001, March 2013 • Water Quality Event Detection System Challenge: Methodology and Findings, EPA 817-R-13-002, April 2013 • Water Security Initiative: Interim Guidance on Developing Risk Communication Plans for Drinking Water Utilities, EPA 817-F13-003, April 2013 SECTION A.3: HOMELAND SECURITY INFORMATION NETWORK (HSIN) The Homeland Security Information Network (HSIN) is a free trusted web-based portal for information sharing and collaboration among federal, state, local, tribal, territorial, private sector, and international partners engaged in the homeland security mission. HSIN is made up of a network of communities called communities of interest (COIs). COIs are organized by state organizations, federal organizations, or mission areas such as emergency management, law enforcement, critical sectors, and intelligence. Users can securely share within their communities or reach out to other communities as needed. For additional information, see http://www.dhs.gov/homeland-security-information-network. |
38 | SECTION A.4: GUIDELINES FOR THE PHYSICAL SECURITY OF WATER UTILITIES (ANSI/ASCE/EWRI 56-10) AND GUIDELINES FOR THE PHYSICAL SECURITY OF WASTEWATER/STORMWATER UTILITIES (ANSI/ASCE/EWRI 57-10) These guidelines were developed through the Voluntary Water Infrastructure Security Enhancement (WISE) Initiative, a joint effort of the American Water Works Association (AWWA) and the American Society of Civil Engineers (ASCE), with technical input from the Water Environment Federation (WEF), with a grant from the US Environmental Protection Agency (USEPA). The two guidelines apply to physical security for facilities used in (1) potable water systems and (2) wastewater treatment and collection systems and Both guidelines are included as a single publication. This publication is available for purchase in both printed and PDF editions from the ASCE bookstore and other outlets. |
39 | SECTION A.5: RESPONSE PROTOCOL TOOLBOX (RPTB): PLANNING FOR AND RESPONDING TO DRINKING WATER CONTAMINATION THREATS AND INCIDENTS The USEPA developed and wrote the RPTB, building on the experience and expertise of several drinking water utilities, particularly that of the Metropolitan Water District of Southern California. The RPTB is organized in modular format and is intended to assist utilities with emergency response preparedness. The RPTB can be downloaded from USEPA’s Water Security website at: http://water.epa.gov/infrastructure/watersecurity/emerplan/index.cfm. SECTION A.6: RPTB RESPONSE GUIDELINES This USEPA document is a companion to the RPTB and contains many forms, checklists and report formats to help a water system organize information for emergency response planning. The Response Guidelines are not intended to replace the RPTB, but rather represent the application of the same principles as the RPTB during an actual incident. These documents can also be downloaded from USEPA’s Water Security website at: http://water.epa.gov/infrastructure/watersecurity/upload/2004_11_24_rptb_response_guidelines.pdf |
40 | SECTION A.7: AMERICAN WATER WORKS ASSOCIATION (AWWA): PROCESS CONTROL SYSTEM SECURITY GUIDANCE FOR THE WATER SECTOR In February 2013, the American Water Works Association (AWWA) Water Utility Council initiated project WITAF 503 to address the absence of practical, step-by-step guidance for protecting Water Sector Process Control Systems (PCS) from cyber-attacks. A panel of industry subject matter experts has been consulted to identify the most pressing cybersecurity issues facing water utilities today. In response to these issues, a list of recommended cybersecurity practices has been developed. This list identifies practices considered to be the most critical for managing the cybersecurity risk to Process Control Systems in the Water Sector. A copy of this report can be downloaded from AWWA at the following: http://www.awwa.org/cybersecurity. A supporting interactive use-case tool is also available from this site. SECTION A.8: CYBER SECURITY EVALUATION TOOL (CSET) Critical infrastructures are dependent on information technology systems and computer networks for essential operations. Particular emphasis is placed on the reliability and resiliency of the systems that comprise and interconnect these infrastructures. The Department of Homeland Security (DHS) National Cyber Security Division (NCSD) collaborates with partners from across public, private, and international communities to advance this goal by developing and implementing coordinated security measures to prote The DHS Control Systems Security Program (CSSP) has released Version 5.1 of the Cyber Security Evaluation Tool (CSET). This newest version of the tool can be downloaded from the CSSP website, |
41 | at https://us-cert.cisa.gov/ics/Assessments. The CSET is a product that assists organizations in protecting their key national cyber assets. It was developed under the direction of the NCSD by cybersecurity experts and with assistance from the National Institute of Standards and Technology. This tool provides users with a systematic and repeatable approach for assessing the security posture of their cyber systems and networks. It includes both high-level and detailed questions related to all industrial control and IT systems. |
44 | 6666 West Quincy Avenue, Denver, CO 80235-3098 T 800.926.7337 www.awwa.org Dedicated to the world’s most important resource, AWWA sets the standard for water knowledge, management, and informed public policy. AWWA members provide solutions to improve public health, protect the environment, strengthen the economy, and enhance our quality of life. To access AWWA Standards online, visit awwa.org/envoi ISBN 978-1-64717-031-8 |
45 | Copyright © 2020 by American Water Works Association. Printed in USA. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including scanning, recording, or any information or retrieval system. Reproduction and commercial use of this material is prohibited, except with written permission from the publisher. Please send any requests or questions to [email protected]. |
46 | Committee Personnel The AWWA Standards Committee on Security Practices for Operation and Management, which reaffirmed this standard without revision, had the following personnel at the time of reaffirmation. Clyde R. Dugan, Chair. Management Interest: C.L. Bowen, Pleasant Hill, Calif.; B. Jakubovic, CYBRA Corporation, Yonkers, N.Y.; T. Kelley (liaison), Martinsburg, W.V.; J. Laws, Department of Homeland Security, Washington, D.C.; M.J. Martinez, Cedar Park, Tex.; K. Morley, AWWA, Washington, D.C.; L. Ralph (liaison), Standards Engineer Liaison, AWWA, Denver, Colo. Consultant Members: C. Herndon, Herndon Solutions Group, Las Vegas, Nev.; I.L. Jones, Alexandria, Va.; J.W. McLaughlin, Merrick & Company, Charlotte, N.C.; A. Ohrt, West Yost Associates, Golden Valley, Minn.; K. Owens, Control Cyber Inc., Pullman, Wash.; C.R. Sapp, Sugar Hill, Ga.; L.P. Warren, Launch! Consulting LLC, Charlottesville, Va. User Members: S. Datema, Tarrant Regional Water District, Fort Worth, Tex.; C.R. Dugan, East Lansing Meridian Water and Sewer Authority, East Lansing, Mich.; J. Hines, Las Vegas Valley Water District, Las Vegas, Nev.; M.I. Inyang, Massachusetts Water Resources Authority, Southborough, Mass.; P. Lamb, Boone, N.C.; D.P. Lopez, Long Beach Water Department, Long Beach, Calif.; S.D. Spence, Norwalk, Conn.; M. Stuhr, Chiloquin, Ore. |
48 | Contents All AWWA standards follow the general format indicated subsequently. Some variations from this format may be found in a particular standard. Foreword: I Introduction; I.A Background; I.B History; I.C Acceptance; II Special Issues; II.A Advisory Information on Application of Standards; II.B Origination of Standard; II.C Safety Act Designation; III Use of This Standard; III.A Options and Alternatives; III.B Modification to Standard; IV Major Revisions; V Comments. Management Standard: 1 General; 1.1 Scope; 1.2 Purpose; 1.3 Application; 2 References; 3 Definitions; 4 Requirements; 4.1 Explicit Commitment to Security; 4.2 Security Culture; 4.3 Defined Security Roles and Employee Expectations; 4.4 Up-To-Date Assessment of Risk; 4.5 Resources Dedicated to Security and Security Implementation Priorities; 4.6 Access Control and Intrusion Detection; 4.7 Contamination Detection, Monitoring, and Surveillance; 4.8 Information Protection and Continuity; 4.9 Design and Construction; 4.10 Threat-Level–Based Protocols; 4.11 Emergency Response and Recovery Plans and Business Continuity Plan; 4.12 Internal and External Communications; 4.13 Partnerships; 5 Verification; 5.1 Documentation Required; 5.2 Human Resources; 5.3 Equipment; 6 Delivery. Appendix: A Resources. Table: 1 Supporting Documentation Required by this Standard by Section. |
50 | Foreword This foreword is for information only and is not a part of ANSI*/AWWA G430. I. Introduction I.A. Background. The AWWA Management Standards Program is designed to serve water, wastewater, and reuse utilities and their customers, owners, service providers, and government regulators. The standards developed under the program are intended to improve a utility’s overall operation and service. Among these standards is this effort to establish formal management and operational guidelines. These guidelines identify appropriate practices, procedures, and behaviors the implementation of which will provide e AWWA’s standards process has been used for more than 90 years to produce American National Standards Institute (ANSI)–recognized standards for materials and processes that are used by the Water Sector. These standards are recognized worldwide and have been adopted by many utilities and organizations. Likewise, this management standard is developed using the same ANSI-recognized formal process. Volunteer standards committees establish standard practices in a uniform and appropriate format. Formal standards committees have been and continue to be formed to address the individual standard practices for the diverse areas of the Water Sector. A formal standards committee was created in 2007 to develop a standard for security. This standard is the outcome from the Security Practices for Operation and Management Committee. I.B. History. The first edition of this standard was approved by the AWWA Board of Directors on Jan. 25, 2009. This edition was approved on June 8, 2014 and reaffirmed without revision on Oct. 26, 2020. I.C. Acceptance. No applicable information for this standard. II. Special Issues. II.A. Advisory Information on Application of Standards. This standard includes only those requirements that are limited exclusively to security practices for operation and management of a drinking water, wastewater, or reuse system. 
Separate standards will cover utility programs such as distribution system operation and management, emergency preparedness, financial management, water treatment, source water *American National Standards Institute, 25 West 43rd Street, Fourth Floor, New York, NY 10036. |
51 | protection, communications and customer relations, and business systems. At the time of issuance of this standard, neither the Department of Homeland Security* (DHS) nor the US Environmental Protection Agency† (USEPA) has developed regulatory standards for the Water Sector. II.B. Origination of Standard. This standard originates from recommendations prepared by the USEPA’s National Drinking Water Advisory Council‡ (NDWAC) on water security practices, incentives, and measures, dated June 2005. A subsequent workgroup was convened in February 2007 by the Critical Infrastructure Partnership Advisory Council§ (CIPAC) to develop a national performance measurement system and revise the NDWAC recommendations to track with the Water Sector-Specific Plan (Water SSP), which is also describe II.C. SAFETY Act Designation. The American Water Works Association Standards G430 and J100 have been awarded SAFETY Act designation by the US Department of Homeland Security. The designation carries important liability protection for the association and for utilities that properly implement these standards. The Support Anti-terrorism by Fostering Effective Technologies Act (SAFETY Act) of 2002 was enacted by Congress in the wake of the terrorist attacks on Sept. 11, 2001. The SAFETY Act was created in part because of the extraordinarily large liability entities might face if a terrorist attack occurs despite deployment of anti-terrorism security measures already in place. Congress designed the SAFETY Act as an incentive for the creation and deployment of technologies and services with anti-terrorism capabiliti III. Use of This Standard. It is the responsibility of the user of an AWWA standard to determine that the products described in that standard are suitable for use in the particular application being considered. III.A. Options and Alternatives. There is no applicable information in this section. * US Department of Homeland Security, Washington, DC 20528. † US Environmental Protection Agency, Ariel Rios Building, 1200 Pennsylvania Avenue, NW, Washington, DC 20460. ‡ National Drinking Water Advisory Council, Office of Ground Water and Drinking Water (4601), Ariel Rios Building, 1200 Pennsylvania Avenue, NW, Washington, DC 20460. § Critical Infrastructure Partnership Advisory Council, US Department of Homeland Security, Washington, DC 20528. |
52 | III.B. Modification to Standard. No applicable information for this section. IV. Major Revisions. The major changes made to the standard in this revision include the following: 1. Realignment of vulnerability assessment to risk assessment in accordance with ANSI/AWWA J100, Risk and Resilience Management of Water and Wastewater Systems 2. Integration of new AWWA cybersecurity guidance and use-case tool 3. Integration of ANSI/AWWA G440, Emergency Preparedness Practices 4. Revision/update of federal directives 5. Adjustment of reference to the ASCE materials formerly known as WISE V. Comments. If you have any comments or questions about this standard, please contact AWWA Engineering and Technical Services at 303.794.7711; FAX at 303.795.7603; write to the department at 6666 West Quincy Avenue, Denver, CO 80235-3098; or email at [email protected]. |
54 | ANSI/AWWA G430-14(R20) (Revision of ANSI/AWWA G430-09) (Reaffirmed without revision 2020) AWWA Management Standard Security Practices for Operation and Management SECTION 1: GENERAL Sec. 1.1 Scope This standard covers the minimum requirements for a protective security program for a water, wastewater, or reuse utility. Sec. 1.2 Purpose The purpose of this standard is to define the minimum requirements for a protective security program for a water, wastewater, or reuse utility that will promote the protection of employee safety, public health, public safety, and public confidence. Sec. 1.3 Application This standard can be referenced in the evaluation of security practices. The stipulations of this standard apply when this document has been referenced and then only to the security practices of the utility. SECTION 2: REFERENCES This standard references the following documents. In their latest editions, or as specified, they form a part of this standard to the extent specified within |
55 | the standard, whether mentioned specifically or not. In any case of conflict, the requirements of this standard shall prevail. ANSI/AWWA G440—Emergency Preparedness Practices. ANSI/AWWA J100—Risk and Resilience Management of Water and Wastewater Systems. AWWA, Process Control System Security Guidance for the Water Sector (2013). National Electric Code Article 708. Water Research Foundation (WRF),* Business Continuity Planning for Water Utilities (2008). SECTION 3: DEFINITIONS The following definitions shall apply in this standard. 1. All Hazards: An approach for prevention, protection, preparedness, response, and recovery that addresses a full range of threats and hazards, including domestic terrorist attacks, natural and man-made disasters, accidental disruptions, and other emergencies. 2. Asset: An item of value or importance. In the context of critical water and wastewater infrastructure, an asset is something of importance or value that if targeted, exploited, destroyed, or incapacitated could result in injury, death, economic damage to the owner of the asset or to the community it serves, could result in destruction of property, or could profoundly damage a nation’s prestige and confidence. Assets may include physical elements (tangible property), cyber elements (information and communica a. Critical Asset is an asset the absence or unavailability of which would significantly degrade the ability of a utility to carry out its mission or would have unacceptable financial or political consequences for the owner or the community. 3. Business Continuity Plan (BCP): A plan designed to maintain essential business functions and preserve the utility’s ability to perform its mission or function during an incident and recovery. For example, a BCP should be designed to preserve the utility’s ability to acquire and pay for essential supplies, personnel, components or services; to receive funds; and to maintain a record of all transactions for subsequent accounting, billing, or reimbursement. * Water Research Foundation, 6666 West Quincy Avenue, Denver, CO 80235. |
56 | 4. Consequence: The immediate, short-term, and long-term effects of a malevolent attack or natural, technological, or human-caused hazard. These effects include losses suffered by the owner of the asset and by the community served by that asset, human and property losses, environmental damages, lifeline interruptions, and qualitative losses. 5. Incident: An occurrence or event, either natural or man-made, that requires a response to protect life or property. Incidents can, for example, include major disasters, emergencies, terrorist attacks, terrorist threats, civil unrest, wild-land or urban fires, floods, hazardous material spills, nuclear accidents, aircraft-related disasters, earthquakes, hurricanes, tornadoes, tropical storms, tsunamis, war-related disasters, public health and medical emergencies, and other occurrences requiring an emergency 6. Incident Command System (ICS): A standardized on-scene, all hazards incident management approach that allows for the integration of facilities, equipment, personnel, procedures, and communications operating within a common organizational structure. ICS enables a coordinated response among various jurisdictions and functional agencies, both public and private, and establishes common processes for planning and managing resources. ICS is flexible and can be used for incidents of any type, scope, and complexity 7. InfraGard: An information sharing and analysis effort serving the interests and combining the knowledge bases of a wide range of members. At its most basic level, InfraGard is a partnership between the Federal Bureau of Investigation† (FBI) and the private sector. InfraGard is an association of businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the United States. 8. Intrusion Detection System (IDS): Intrusion detection for industrial control systems (which may also be called Process Control System) is not a single product or a single piece of technology, even though commercial “systems” are available. Instead, intrusion detection is a comprehensive set of tools and processes providing network monitoring that can give an administrator a complete picture of how the network is being used. Implementing a variety of these tools helps to create † FBI Headquarters, 935 Pennsylvania Avenue, NW, Washington, DC 20535-0001. |
57 | a defense-in-depth architecture that can be more effective in identifying attacker activities and using the tools in a manner that can be preventative. Additional information on securing industrial control systems and supervisory control and data acquisition (SCADA) systems can be found in appendix A. 9. National Incident Management System (NIMS): NIMS provides a systematic, proactive approach to guide departments and agencies at all levels of government, nongovernmental organizations, and the private sector to work seamlessly to prevent, protect against, respond to, recover from, and mitigate the effects of incidents, regardless of cause, size, location, or complexity, to reduce the loss of life. NIMS was developed by the US Department of Homeland Security (US DHS) so that responders from different jurisdi 10. National Infrastructure Protection Plan (NIPP): The NIPP provides the unifying structure for the integration of existing and future critical infrastructure and key resources (CIKR) protection efforts and resiliency strategies into a single national program to achieve this goal. The NIPP framework supports the prioritization of protection and resiliency initiatives and investments across sectors to ensure that government and private sector resources are applied where they offer the most benefit for mitigatin 11. Physical hardening: A process designed to deter and/or help mitigate physical damage, service disruption, or other serious consequences of an attack by |
58 | making the facility harder to attack, by delaying entry until responders arrive, or by reducing the effect an attack may have. 12. Preparedness: A continuous cycle of planning, organizing, training, equipping, exercising, evaluating, and taking corrective action in an effort to ensure effective coordination during the incident response and recovery, including continuity of operations plans, continuity of government plans, and preparation of resources for rapid restoration of function. 13. Risk: A function of consequences, hazard frequency or likelihood, and vulnerability, which with point estimates is the product of the terms. It is the expected value of the consequences of an initiating event weighted by the likelihood of the event’s occurrence and the likelihood that the event will result in the consequences, given that it occurs. Risk is based on identified events or event scenarios. 14. Risk Analysis and Management: A process for analyzing and managing the risks associated with malevolent attacks and naturally occurring hazards against critical infrastructure as defined in ANSI/AWWA J100. 15. Sector-Specific Plans (SSPs): SSPs support the NIPP by establishing a coordinated approach to national priorities, goals, and requirements for critical infrastructure and key resource (CIKR) protection. The SSPs provide the means by which the NIPP is implemented across critical infrastructure and key resource sectors, as well as a national framework for each sector to address its unique characteristics and risk landscape. This coordinated approach allows federal funding and resources to be applied in the mo for the Water Sector can be found at http://www.dhs.gov/water-and-wastewater – 16. Security Plan: A comprehensive plan, developed by the utility, that includes its security goals, objectives, strategies, policy or policies, and procedures. The security plan should coordinate closely with the utility’s emergency preparedness plan and business continuity plan. 17. Vulnerability: An inherent state of a system (e.g., physical, technical, organizational, cultural) that can be exploited by an adversary or impacted by a natural hazard to cause harm or damage. Such weaknesses can occur in building characteristics; equipment properties; personnel behavior; location of people, equipment and buildings; or operational and personnel practices. Vulnerability is expressed as the likelihood of an event’s having the estimated consequences, given that the event occurs. |
59 | 18. Vulnerability assessment/analysis: A systematic examination of the ability of an asset to withstand a specific threat or undesired event, including current security and emergency preparedness procedures and controls. A vulnerability assessment often suggests countermeasures, mitigation measures, and other security improvements. 19. Water Sector: The NIPP defines the Water Sector as both drinking water and wastewater utilities. For the purpose of this standard, this definition will expressly include water reuse facilities. 20. Water Sector Information Sharing and Analysis Center (WaterISAC): WaterISAC is a highly secure, subscription-based Internet portal that provides a source for sensitive security information and alerts to help the US drinking water and wastewater community protect consumers and the environment. SECTION 4: REQUIREMENTS This standard is intended to apply to water, wastewater, or reuse utilities, regardless of size, location, ownership, or regulatory status. This standard builds on the long-standing practice among utilities of using a multiple-barrier approach for the protection of public health, public safety, and the environment. The requirements of this standard are designed to support a protective utility-specific security program that will result in consistent and measurable outcomes. Sec. 4.1 Explicit Commitment to Security 4.1.1 Explicit and visible commitment of senior leadership to security. The utility shall establish an explicit, visible, easily communicated, enterprise-wide commitment to security. This shall be represented by the development of a security plan, by policies, and by other documents that make security a part of daily operations visible to employees and customers. 4.1.1.1 Periodic review and update of security plan, policies, or documents. The utility shall establish and maintain a schedule for periodic review of its security plan, policies, and documents, and update them as needed. Sec. 4.2 Security Culture 4.2.1 Promote security awareness throughout the utility. The utility shall promote a culture whereby every person understands, appreciates, and contributes to enhanced security. |
60 | SECURITY PRACTICES FOR OPERATION AND MANAGEMENT 7 4.2.1.1 Employee reports and suggestions. The utility shall establish a process for employees to report security violations or concerns and to make suggestions for improvement. 4.2.1.2 Employee training. The utility shall train employees and other responsible parties in security awareness, individual responsibility, and appropriate responses. 4.2.1.3 Incorporating security into job descriptions. The utility shall include security in job performance evaluations and rate employees, including top management, on their performance. 4.2.1.4 Measure security activities and progress. The utility shall establish a means of measuring security activity, establish goals for improvement, and monitor progress. The utility should review the recommended performance measures under the Water SSP of the NIPP and consider them as a standardized mechanism for measurement and reporting that may supplement the requirements of this standard. The utility should also consider using the self-assessment questions included there-in as a guide for improvement 4.2.1.5 Visible identification. The utility shall establish a means of visible identification of employees and others authorized to access utility facilities, and ensure every person routinely complies. 4.2.2 Reward employees for appropriate security activities. The utility shall have a means of rewarding appropriate security awareness and response by employees and others. Sec. 4.3 Defined Security Roles and Employee Expectations 4.3.1 Identify managers and employees who are responsible for security. The utility shall identify managers and employees responsible for creating, maintaining, and implementing the security plan; for performing and maintaining the vulnerability or risk assessment; and for providing security leadership. 
Other security-related roles and responsibilities include security program management, physical intrusion and contamination detection, and incident command roles during emergency response and recovery. Addit 4.3.2 Establish security expectations for staff. The utility shall identify and disseminate security expectations for staff, and periodically review performance. |
61 | Sec. 4.4 Up-to-Date Assessment of Risk 4.4.1 Perform a risk assessment. The utility shall perform a risk assessment. The utility’s risk assessment may use publicly or commercially available tools, consistent with ANSI/AWWA J100, that allow the assessment to be replicated and based on the following steps: 1. Asset characterization 2. Threat characterization 3. Consequence analysis 4. Vulnerability analysis 5. Threat likelihood analysis 6. Risk/resilience likelihood 7. Risk/resilience analysis 4.4.2 Review and update. The utility shall review and update its risk assessment as new hazards and threats emerge, when facilities are constructed or removed from service, and when other changes occur that significantly affect the results of the risk assessment. 4.4.2.1 Periodic review. The utility shall establish and maintain a schedule for periodic review and update of the risk assessment, based on the utility-specific circumstances. The schedule for review shall not exceed 5 years but can be more frequent based on operational changes or other incidents that warrant further review. Sec. 4.5 Resources Dedicated to Security and Security Implementation Priorities 4.5.1 Sustain focus on security. The utility shall sustain a focus on security by maintaining security as a current priority. 4.5.1.1 Maintain focus. Executives and line managers shall maintain a focus on security throughout the years by doing one or more of the following items, or a defined alternative: • Include security in periodic progress reports to the governing body • Make security a standing item on executive management agendas • Make security a routine item in manager or supervisor meetings with employees or other authorized persons 4.5.1.2 Resources.
The utility shall invest staff time and resources in security by including security considerations in budgets for personnel and training or, if appropriate, by explicitly assigning security responsibilities to existing staff and budgeting accordingly. |
62 | 4.5.1.3 Exercises. The utility shall include security exercises in operational planning and identify associated training costs in budgets. 4.5.2 Identify security priorities. The utility shall establish a security improvement plan that identifies security priorities based on its risk assessment (see Sec. 4.4). 4.5.2.1 Integrate security plan. The utility shall integrate the security improvement plan with other operational plans and investments and shall establish the appropriate relationship of security priorities based on the utility’s vulnerability assessment in context with other organizational priorities. 4.5.2.2 Identify resources required for the security plan. The utility shall identify and commit resources dedicated to security programs and planned security improvements. Based upon the relationship with other organizational priorities, the utility shall identify and plan for the resources required to maintain the security program and make necessary improvements. Sec. 4.6 Access Control and Intrusion Detection 4.6.1 Identify utility assets requiring access control. Through the risk assessment or other means, the utility shall identify assets or facilities that require controlled access based on criticality to maintain normal operations (identified critical assets). 4.6.2 Establish and maintain physical control of access to identified critical assets. The utility shall establish and maintain a means of physically controlling access to identified critical assets. Examples of physical access controls include the following and can be used individually or in combination: • Substantial buildings with intrusion prevention devices on windows and access points • Fences • Barriers • Locked gates, hatches, and doors • Monitored intrusion alarms • Tamper-resistant devices at key distribution or collection points 4.6.3 Implement annual inspections of identified critical assets.
The utility shall implement and maintain annual inspections to assure that security features are adequate and functioning, and to identify if any corrective work is necessary to maintain access control or other security features. 4.6.4 Establish and maintain a means of detecting and assessing intrusion. The utility shall establish and maintain a means of detecting and assessing intrusion |
63 | into identified critical assets by unauthorized persons in a manner that is timely and enables the utility to respond effectively. Monitoring for physical intrusion can include physical and procedural improvements. Examples of physical improvements include installing detection devices such as motion detectors and intrusion alarms, or improved assessment tools such as well-lighted facility perimeters or monitoring with closed circuit TV (CCTV). Procedural improvements include the use of neighborhood watches, 4.6.5 Establish and maintain procedures to control personnel access to identified critical assets. The utility shall establish and maintain procedural controls to limit access to identified critical assets to authorized persons only. Examples of procedural access controls include the following and can be used individually or in combination: • Inventory and control keys • Develop procedure that limits access rights to employees to maximum extent possible • Develop hierarchical key and/or access card system to limit access to extent possible • Change access codes regularly • Require security passes for access • Establish a security presence at access points • Require visitors to have scheduled appointments and/or have a protocol to address unscheduled visitors • Require employees and other authorized persons to display identification at all times when on-site, if appropriate • Require visitors to sign in and display identification at all times when on-site • Implement chemical delivery and testing procedures including chain-of-custody control or tamper-evident packaging requirements • Limit delivery hours • Check deliveries to ascertain the nature of the material 4.6.6 Establish and maintain a means of restricting authorization for access. The utility shall establish and maintain a means of restricting unescorted access to identified critical assets. 4.6.6.1 Background checks.
Where legally permissible and appropriate, the utility shall institute a system of background checks on employees, contractors, |
64 | temporary workers, or any other person authorized to access identified assets without an escort. The level or complexity of background checks utilized should be commensurate with the level of access and the privileges granted to the person. Other benefits of background checks, depending on the level employed, may include verifying identity, establishing citizenship, determining previous criminal activity, and determining work eligibility. 4.6.6.2 Other means of identity verification. When background checks are not permitted or appropriate, the utility shall establish a defined alternative method of verifying identity and granting access rights and privileges to a person seeking authorization. 4.6.7 Establish a protocol for employees or others that have been terminated, have resigned, or have had a relevant change of status. The utility shall establish and maintain a protocol to recover keys, revise passwords, and take other appropriate actions immediately on termination, resignation, or re-assignment of an employee or the relevant change of status of other personnel who have access to high-risk assets. Other personnel may include vendors, consultants, contractors, public officials, or others that 4.6.8 Testing. The utility shall test physical and procedural access controls routinely to ensure performance. The tests shall be conducted annually, or more frequently if required by law or regulation. Sec. 4.7 Contamination Detection, Monitoring, and Surveillance 4.7.1 Surveillance and response for chemical, biological, or radiological contamination. The utility shall develop and implement a surveillance and response system. A surveillance and response system provides a proactive approach to managing threats that uses monitoring technologies/strategies and enhanced surveillance activities to collect, integrate, analyze, and communicate information.
However, it should not be merely a collection of monitors and equipment placed throughout a water distribution system to alert of intrusion or contamination, but rather should be an exercise in information acquisition and management. Different information streams are captured, manage |
65 | The recommended components of a surveillance and response system are briefly described as follows: • Online water quality monitoring involves monitoring for typical water quality parameters throughout the distribution system and comparison with an established base-state to detect possible contamination incidents. The utility should stay current on developments in online contaminant monitoring systems and should consider implementing such systems if feasible. • Sampling and analysis involve the collection of distribution system samples that are analyzed for various contaminants and contaminant classes for the purpose of establishing a baseline of contaminant occurrence (contaminants detected, levels detected, and frequency of detections) and method performance, as well as for the purpose of investigating suspected contamination incidents triggered by other monitoring and surveillance components. • Enhanced security monitoring includes the equipment and procedures that detect and respond to security breaches at distribution system facilities. • Consumer complaint surveillance enhances and automates the collection and analysis of consumer calls reporting unusual water quality concerns and compares trends against an established base-state to detect possible contamination incidents. • Public health surveillance involves the analysis of health-related data sources to identify illness in the community that may stem from drinking water contamination. The utility is directed to Appendix A, Section A.2—Water Security Initiative (WSi), for more discussion of guidance developed by USEPA and others. 4.7.2 Monitoring or surveillance of indicators of contamination.
Although typical water quality parameters (surrogate parameters) may not be a direct indication of chemical, biological, or radiological contamination, the utility may find that monitoring surrogate parameter concentrations or trends is useful and appropriate in its individual circumstance. Recognizing that surrogate parameter changes may be difficult to interpret from a security perspective, the utility should review and consider any physical • Pressure change abnormalities • Free and total chlorine residual |
66 | • Temperature • Dissolved oxygen • Conductivity • Oxygen-reduction potential • Total dissolved solids • Turbidity • pH • Color • Odor • Taste 4.7.3 Laboratory testing for contaminants. The utility shall routinely sample and monitor the water or wastewater system as required by law or regulation and shall include additional test parameters or elevated sampling frequencies if appropriate to a specific security concern or threat notification. The utility should consider identifying and prequalifying laboratories that have the necessary capabilities. 4.7.4 Communication with customers and public health authorities as a means of identifying contamination. The utility shall monitor customer complaints and initiate or improve communications with local public health authorities or networks. 4.7.4.1 Documentation of complaints. The utility shall establish a means to record and analyze customer complaints and evaluate them as an indicator of possible system contamination. This system should include communications with customer communities that receive bulk water deliveries, if appropriate. 4.7.4.2 Communication. The utility shall establish and maintain two-way communications and relationships with local public health authorities and health providers to expedite the potential identification of public health anomalies that may be indicators of system contamination. 4.7.5 Adjacent utilities. The utility shall establish and maintain two-way communications with adjacent utility systems to identify any contamination. In the case of a water utility, this may be an upstream water or wastewater utility. In the case of a wastewater utility, this may be downstream users or others that assess the receiving stream quality. 4.7.6 Incident detection and response.
The utility shall establish written procedures for, at a minimum, the following key components of a surveillance and response system: (1) the criteria that will be used to identify a potential |
67 | contamination event and trigger an investigation, (2) the criteria that will be used to declare that a contamination incident has occurred, and (3) the response protocol for a contamination incident. This response protocol should be a part of the utility’s emergency response plan (see Sec. 4.11). Sec. 4.8 Information Protection and Continuity 4.8.1 Define security-sensitive systems and information. For most systems, information technology (IT), Process Control Systems, and SCADA systems are essential to the efficient and continuous operations of a utility. The utility shall identify critical IT, Process Control Systems, or SCADA systems as security sensitive. The utility shall also identify other security-sensitive information. This information review shall consider facility maps and other geographic sources on utility operations, security plans 4.8.1.1 Secure information. The utility shall evaluate information it shares with vendors, bidders, or the public (e.g., facility tours, brochures, or Internet access). Where appropriate and practicable, security-sensitive information shall be removed or controlled. 4.8.1.2 Regulations. The utility shall consider any applicable freedom-of-information or Sunshine Act provisions with which it must comply, to understand and abide by limitations on controlling information. 4.8.2 Protecting IT, Process Control Systems, and SCADA systems. The utility should review the AWWA Process Control System Security Guidance for the Water Sector (see Appendix A, Section A.7) as an aid in evaluating appropriate practices and controls for securing Process Control System and/or SCADA vulnerabilities. These strategies may also be useful in securing critical business IT systems for the business continuity plan. 4.8.2.1 Restricting access.
The utility shall identify and implement steps necessary to control access to critical IT, Process Control Systems, and SCADA systems to only authorized persons conducting official utility business. Physical hardening and procedural controls shall be considered and implemented. Examples of procedural controls include: • Restricting access to data networks |
68 | • Safeguarding critical data through backups and storage in safe places • Establishing procedures to restrict network access • Implementing policies to ensure that IT contractors or their products will not negatively affect IT systems Examples of physical steps include: • Installing and maintaining firewalls • Screening for viruses • Separating business systems from operational systems • Installing a system for virus protection • Ensuring security at each location of SCADA components • Incorporating encryption technologies • Establishing and routinely changing access codes 4.8.2.2 Uninterruptible power supply. The utility shall establish and maintain an uninterruptible power supply for critical IT, Process Control Systems, and SCADA systems, and the means of providing for backup generators or backup power supplies for critical facilities in accordance with National Electric Code, Article 708. 4.8.3 Establish and maintain physical and procedural controls to restrict access to sensitive information. The utility shall establish and maintain appropriate access restrictions and procedural controls on security-sensitive information. Access restrictions should consider the legal framework in which the utility is operating, and ensure appropriate access is granted for employees and others to perform their duties efficiently. 4.8.4 Detect unauthorized access. The utility shall establish and maintain the means to detect unauthorized access or intrusion to IT, Process Control Systems, or SCADA systems or to security-sensitive information, and the means to respond in an appropriate and timely manner. For additional information on intrusion detection systems and defense-in-depth strategies, see Appendix A, Section A.7. 4.8.5 Ensure information and communications systems will function during emergency response and recovery. 4.8.5.1 Critical information.
The utility shall identify critical information and ensure its preservation and accessibility during emergency response and recovery. Off-site backup of critical data should be considered for preservation and accessibility. |
69 | 4.8.5.2 Critical communications. The utility shall identify critical internal and external communications and ensure their functionality during emergency response and recovery. Sec. 4.9 Design and Construction 4.9.1 Incorporate security objectives into utility design and construction standards. Consistent with the recommendations of the vulnerability or risk assessment where applicable, the utility shall incorporate its security objectives into the design of infrastructure repairs or replacements, or the acquisition or construction of new assets. 4.9.1.1 Physical hardening of identified critical assets. The utility shall include physical hardening in the repair/replacement of identified critical assets, or in the design and construction of new assets. Physical hardening is intended to protect or help mitigate physical damage, service disruption, or other serious consequences of an attack by making the facility harder to attack or by reducing the effect an attack may have. Examples of physical hardening include: • Location of critical assets within a facility • Use of substantial building materials • Designing in inherent redundancy for critical services Design choices should also consider the ability to ensure continuity of operations and rapid recovery in the event of an attack, natural disaster, or other event. 4.9.1.2 Adoption of security risk technologies or approaches. The utility shall consider the adoption of security technologies or approaches that have the demonstrated capability of reducing or mitigating the consequences of an attack, natural disaster, or other event when making design or technology choices. Examples of such technologies and approaches include Crime Prevention Through Environmental Design (CPTED), increased redundancy of critical components, increased interconnections with adjacent utiliti Sec. 4.10 Threat-Level–Based Protocols 4.10.1 Monitor available threat-level information.
The utility shall establish an appropriate means to stay apprised of changes in threat levels. Sources of information may include the US Department of Homeland Security (DHS), local police or FBI office, WaterISAC, InfraGard, or other credible sources. The utility |
70 | should research and establish communications with networks and information sources appropriate to its security environment. 4.10.2 Escalate security procedures in response to relevant threats. The utility shall establish a procedure to escalate security operations in the event of a relevant increase in the threat level or a significant local event. Sec. 4.11 Emergency Response and Recovery Plans and Business Continuity Plan 4.11.1 Incorporate security into emergency response and recovery plans, business continuity plans, and operations. 4.11.1.1 Update plans. The utility shall revise its emergency response and recovery plans and business continuity plans as necessary to incorporate security considerations into the plans. Additional guidance is provided in ANSI/AWWA G440 and the Business Continuity Planning for Water Utilities* (Water RF 2008). 4.11.1.2 Emergency response. The utility shall comply with the National Incident Management System (NIMS) guidelines and use Incident Command System (ICS) protocol for emergency response. 4.11.2 Test emergency response and recovery plans and business continuity plans regularly. The utility shall establish and maintain a schedule for testing its emergency response and recovery plans and business continuity plans. Testing may include training, table-top exercises or drills, or real-time simulated responses. 4.11.3 Update emergency response and recovery plans and business continuity plans as necessary. 4.11.3.1 Review and update. The utility shall perform a timely review and update its emergency response and recovery plans and business continuity plans as necessary to correct identified deficiencies after exercises or actual implementation (lessons learned) in accordance with ANSI/AWWA G440. 4.11.3.2 Routine reviews.
The utility shall perform a timely review and update of its emergency response and recovery plans and business continuity plans routinely and as necessary to reflect relevant changes in potential threats, physical infrastructure, utility operations, critical interdependencies, or response protocols in partner organizations. In no event shall the interval exceed five years, and the review and update can be more frequent if required by law or regulation. 4.11.3.3 The utility should consider participating in a mutual aid and assistance agreement. The utility should consider participating in a mutual aid and assistance agreement with local, regional, and state utilities, as appropriate, to *. https://www.waterrf.org/research/projects/business-continuity-plans-water-utilities |
71 | expedite response and recovery of service. This may include, but not be limited to, joining the state Water and Wastewater Agency Response Network (WARN), if applicable. 4.11.4 Contact list. The utility shall establish, maintain current, and distribute a list of contacts to include key employees and key contacts for critical customers and support organizations. This list shall include names, phone numbers, and other information necessary to establish contact with those persons or designated alternates during an emergency. 4.11.5 Response to contamination threat. The emergency plan shall have a procedure for responding to potential contamination events or threats, which includes reporting out, field verification, credibility assessments, site sampling, lab qualification, lab analysis, and public notification. 4.11.6 Protection of public health. The utility must be prepared to consider contamination evidence carefully and make public health decisions with incomplete data and analysis. Sec. 4.12 Internal and External Communications 4.12.1 Establish and maintain strategies for regular and ongoing communications with employees. The utility shall establish and maintain strategies for effective communications with employees about security issues. These strategies should be designed to maintain security awareness, to motivate staff to take security seriously, to allow staff to notify security personnel or others about security concerns or suspicious events or activities, to promote employee safety during an event, and to enable effective e 4.12.2 Establish and maintain strategies for regular and ongoing relationships and communications with response organizations. The utility shall establish and maintain strategies for effective relationships and communications with response organizations. The utility’s strategies should focus on ensuring clarity and reliability of information during an emergency.
The utility shall evaluate the need and means for providing backup systems that will maintain communications with agencies such as police, fire, an 4.12.3 Establish strategies for regular and ongoing communications with customers. The utility shall establish strategies for effective communications with customers prior to any emergency. Communications strategies should especially |
72 | consider the most effective way to reach customers with information, both in terms of delivery and source, and ways to get information from customers about unusual events or suspicious activities. The utility’s strategies should consider key messages, which person is equipped and trusted to deliver the messages, and the need for consistency, especially during an emergency. 4.12.4 Establish strategies for regular and ongoing communications with regulatory agencies. The utility shall establish strategies for effective communications with relevant regulatory agencies. Communications strategies should consider timely two-way communications in the event of an actual incident or threat. Sec. 4.13 Partnerships 4.13.1 Forge reliable and collaborative partnerships with communities served, with managers of critical interdependent infrastructure, and with response organizations. 4.13.1.1 Identify key partnerships. The utility shall identify key agencies that are essential to emergency response and recovery and establish and maintain collaborative partnerships with these agencies. Customer community agencies such as police and fire, managers of critical interdependent infrastructure such as power companies, first-responder agencies, and adjacent utilities are typically included as key agencies. 4.13.1.2 Establish collaborative partnerships. The utility shall establish collaborative partnerships with key agencies as appropriate to ensure cooperation and effective coordination during emergency response and recovery. SECTION 5: VERIFICATION Sec. 5.1 Documentation Required • The utility shall define critical security activities and create written procedures for them. • The utility shall have an up-to-date vulnerability or risk assessment. • The utility shall have an up-to-date emergency response and recovery plan that incorporates security objectives. • The utility shall have a training component for personnel.
• The utility shall maintain an adequate recordkeeping system so that compliance with this standard can be measured. 5.1.1 General. The documentation shall include: • Documented statements of a security policy and security objectives. |
73 | • Documented procedures required by this standard. • Records required by this standard. Note: Where the term documented procedure appears within this standard, this means that the procedure is established, documented, implemented, and maintained. 5.1.2 Required documentation. Documentation shall be sufficient to support the requirements in Section 4, including the documents listed by section in Table 1. Table 1 Supporting documentation required by this standard by section Reference Section 4 Documents Required 4.1.1 Written enterprise-wide security policy. 4.1.1.1 Documented procedure and schedule for review of security policy. Record of updates. 4.2.1 Documented procedures for identification requirements. Training documents. Job descriptions indicating security as a component of evaluation. Record of employee reports and suggestions. Security goals and progress reports. Documentation utilizing the Water Sector performance measurement system under the Water SSP of the NIPP, or equivalent. 4.2.2 Record of rewards or acknowledgements for employees. 4.3.1 Record identifying person(s) assigned primary responsibility for security. 4.3.2 Record identifying security as a part of each employee’s responsibility. 4.4.1 Documentation demonstrating a vulnerability or risk assessment has been completed. 4.4.2 Documented procedure and schedule for review and update of vulnerability or risk assessment. Documentation showing compliance with the schedule. 4.5.1 Documentation such as reports, agendas, minutes, or other documents demonstrating security as a topic of current discussion. Budget item/resource assignments for security and security training. Record of security exercises performed. Record of security inspections performed. Record identifying person(s) assigned primary responsibility for security. 4.5.2 Operations and capital plan or budget identifying security investments or priorities in relation to other utility priorities.
4.6.1 Documentation showing that critical assets and facilities are identified. NIPP—National Infrastructure Protection Plan, SSP—sector-specific plan |
74 | Table 1 Supporting documentation required by this standard by section (continued) Reference Section 4 Documents Required 4.6.2 Documented procedures or protocols for physically securing critical assets and facilities. 4.6.3 Procedures and documentation of annual inspections. 4.6.4 Documented procedure demonstrating intrusion detection methodologies. Documented procedures for responses to intrusion indication. 4.6.5 Documented procedure demonstrating control of access to authorized personnel only. 4.6.6 Documentation demonstrating screening methods for authorization of security privileges. 4.6.7 Documented procedures for review or revocation of security access rights for employees or others who have had a change of status. 4.6.8 Documentation of test results and evaluations of physical and procedural access controls. 4.7 Documented procedures and protocols for detecting contamination incidents. 4.8.1 Documentation demonstrating identification of security-sensitive information and systems. 4.8.2 Documented procedures for protecting and maintaining critical IT and SCADA systems. 4.8.3 Documented procedures for securing security-sensitive information. 4.8.4 Documented process for detecting unauthorized access, such as an intrusion detection system, and documented procedures for responding to unauthorized access. 4.8.5 Documented procedures and protocols for testing and maintaining IT, SCADA, and communications systems during emergency response and recovery. 4.9 Documentation of security objectives in design and construction standards, or of considerations for security hardening and risk reduction. 4.10 Documentation of information sources on threat levels. Documented procedures for escalated security responses for relevant elevated threat levels. 4.11.1 Emergency response and recovery plans demonstrating that security objectives have been incorporated.
Business continuity plans demonstrating security objectives have been incorporated. Documented procedure for compliance with NIMS and ICS protocols. 4.11.2 Documented procedure for testing emergency response and recovery plans and business continuity plans. 4.11.3 Documentation of timely reviews and appropriate updates. 4.11.4 Documented procedure and current contact list. 4.12 Procedures and documentation of ongoing communications. 4.13 Documentation demonstrating identification and establishment of appropriate partnerships. ICS—Incident Command System, NIMS—National Incident Management System, SCADA—supervisory control and data acquisition |
75 | 5.1.3 Control of documents. Documents required for this standard shall be controlled. Records are a special type of document and shall be controlled according to the requirements given in Sec. 5.1.4. A documented procedure shall be established to define the controls needed: • To approve documents for adequacy prior to issue. • To review and update as necessary and re-approve documents. • To ensure that changes and the current revision status of documents are identified. • To ensure that relevant versions of applicable documents are available at points of use. • To ensure that documents remain legible and readily identifiable. • To ensure that documents of external origin are identified, and their distribution controlled. • To prevent the unintended use of obsolete documents, and to apply suitable identification to them if they are retained for any purpose. 5.1.4 Control of records. Records shall be established and maintained to provide evidence of conformity to requirements and evidence of the effective operation of this standard. Records shall remain legible, readily identifiable, and retrievable. A documented procedure shall be established to define the controls needed for the identification, storage, protection, retrieval, retention time, and disposition of records. Sec. 5.2 Human Resources 5.2.1 General. Personnel performing work affecting system security shall be competent on the basis of appropriate education, training, skills, and experience. 5.2.2 Competence, awareness, and training. The utility shall: • Determine the necessary competence for personnel performing work affecting security. • Provide training or take other actions to satisfy these needs. • Evaluate the effectiveness of the actions taken. • Ensure that its personnel are aware of the relevance and importance of their activities. • Retain appropriate records of education, training, skills, and experience (see Sec. 5.1.3). |
76 | Sec. 5.3 Equipment 5.3.1 General. Utilities should field test security devices (i.e., motion detectors, intrusion sensors) quarterly, and field test passive measures (i.e., fences, gates, doors) every six months or as required by law or regulation. SECTION 6: DELIVERY This standard has no applicable information for this section. |
78 | APPENDIX A Resources This appendix is for information only and is not a part of ANSI/AWWA G430. SECTION A.1: US DEPARTMENT OF HOMELAND SECURITY: INDUSTRIAL CONTROL SYSTEMS CYBER EMERGENCY RESPONSE TEAM (ICS-CERT) The ICS-CERT works with the control systems community to ensure that the recommended practices available have been vetted by industry subject matter experts before being published in support of this program. Recommended practices are developed to help users reduce their exposure and susceptibility to cyber-attacks. The following website provides a current information resource to help industry understand and prepare for ongoing and emerging systems cybersecurity issues, vulnerabilities, and mitigation strate . http://ics-cert.us-cert.gov/Introduction-Recommended-Practices SECTION A.2: WATER SECURITY INITIATIVE (WSI) The Water Security initiative (WSi) is a US Environmental Protection Agency (USEPA) program that addresses the risk of contamination of drinking water distribution systems. USEPA established this research initiative in response to Homeland Security Presidential Directive 9, under which the agency is charged with developing “robust, comprehensive, and fully coordinated surveillance and monitoring systems, including international information, for…water quality that provides early detection and awareness of di |
79 | USEPA is implementing the WSi in three phases: • Phase I: Develop the conceptual design for a system that achieves timely detection of and response to contamination and other water quality incidents in drinking water distribution systems to mitigate public health and economic impacts. ○ USEPA completed this phase in 2006 with the design of a comprehensive water quality surveillance and response system. • Phase II: Demonstrate and evaluate water quality surveillance and response systems through pilots at drinking water utilities and municipalities. ○ USEPA completed this phase in 2013. Pilot systems were designed, deployed, and evaluated in Cincinnati, San Francisco, New York City, Philadelphia, and Dallas. • Phase III: Develop practical guidance and outreach to promote voluntary national adoption of effective and sustainable water quality surveillance and response systems. ○ At the time of publication, this phase is currently under way. USEPA expects to release the Water Quality Surveillance and Response System Deployment Tool in 2014. This tool will translate lessons learned from the demonstration pilots into a software application that will assist utilities with developing individualized water quality surveillance and response systems. For current information, the utility is directed to the USEPA’s Water Security initiative website at: http://water.epa.gov/infrastruture/watersecurity/lawsregs/initiative.cfmr. At the time of publication, the following products are also available on the WSi website: • Water Security Initiative: Interim Guidance on Planning for Surveillance and Response System Deployment, EPA817-R07-005, May 2007 • Water Security Initiative: Interim Guidance on Developing an Operational Strategy for Surveillance and Response Systems, EPA817-R-08-002, September 2008 |
80 | • Water Security Initiative: Interim Guidance on Developing Consequence Management Plans for Drinking Water Utilities, EPA-817-R-08-001, September 2008 • Water Security Initiative: Cincinnati Pilot Post-Implementation System Status, EPA-817-R-08-004, September 2008 • Water Security Initiative: Commissioning Security Systems for Drinking Water Utilities, EPA 817-R-12-002, February 2012 • Water Security Initiative: Guidance for Building Laboratory Capabilities to Respond to Drinking Water Contamination, EPA 817-R-13-001, March 2013 • Water Quality Event Detection System Challenge: Methodology and Findings, EPA 817-R-13-002, April 2013 • Water Security Initiative: Interim Guidance on Developing Risk Communication Plans for Drinking Water Utilities, EPA 817-F13-003, April 2013 SECTION A.3: HOMELAND SECURITY INFORMATION NETWORK (HSIN) The Homeland Security Information Network (HSIN) is a free trusted web-based portal for information sharing and collaboration among federal, state, local, tribal, territorial, private sector, and international partners engaged in the homeland security mission. HSIN is made up of a network of communities called communities of interest (COIs). COIs are organized by state organizations, federal organizations, or mission areas such as emergency management, law enforcement, critical sectors, and intelligence. Users can securely share within their communities or reach out to other communities as needed. For additional information, see http://www.dhs.gov/homeland-security-information-network. |
81 | SECTION A.4: GUIDELINES FOR THE PHYSICAL SECURITY OF WATER UTILITIES (ANSI/ASCE/EWRI 56-10) AND GUIDELINES FOR THE PHYSICAL SECURITY OF WASTEWATER/STORMWATER UTILITIES (ANSI/ASCE/EWRI 57-10) These guidelines were developed through the Voluntary Water Infrastructure Security Enhancement (WISE) Initiative, a joint effort of the American Water Works Association (AWWA) and the American Society of Civil Engineers (ASCE), with technical input from the Water Environment Federation (WEF), with a grant from the US Environmental Protection Agency (USEPA). The two guidelines apply to physical security for facilities used in (1) potable water systems and (2) wastewater treatment and collection systems and Both guidelines are included as a single publication. This publication is available for purchase in both printed and PDF editions from the ASCE bookstore and other outlets. |
82 | SECTION A.5: RESPONSE PROTOCOL TOOLBOX (RPTB): PLANNING FOR AND RESPONDING TO DRINKING WATER CONTAMINATION THREATS AND INCIDENTS The USEPA developed and wrote the RPTB, building on the experience and expertise of several drinking water utilities, particularly that of the Metropolitan Water District of Southern California. The RPTB is organized in modular format and is intended to assist utilities with emergency response preparedness. The RPTB can be downloaded from USEPA’s Water Security website at: http://water.epa.gov/infrastructure/watersecurity/emerplan/index.cfm. SECTION A.6: RPTB RESPONSE GUIDELINES This USEPA document is a companion to the RPTB and contains many forms, checklists and report formats to help a water system organize information for emergency response planning. The Response Guidelines are not intended to replace the RPTB, but rather represent the application of the same principles as the RPTB during an actual incident. These documents can also be downloaded from USEPA’s Water Security website at: http://water.epa.gov/infrastructure/watersecurity/upload/2004_11_24_rptb_response_guidelines.pdf |
83 | SECTION A.7: AMERICAN WATER WORKS ASSOCIATION (AWWA): PROCESS CONTROL SYSTEM SECURITY GUIDANCE FOR THE WATER SECTOR In February 2013, the American Water Works Association (AWWA) Water Utility Council initiated project WITAF 503 to address the absence of practical, step-by-step guidance for protecting Water Sector Process Control Systems (PCS) from cyber-attacks. A panel of industry subject matter experts has been consulted to identify the most pressing cybersecurity issues facing water utilities today. In response to these issues, a list of recommended cybersecurity practices has been developed. This list identifies practices considered to be the most critical for managing the cybersecurity risk to Process Control Systems in the Water Sector. A copy of this report can be downloaded from AWWA at the following: http://www.awwa.org/cybersecurity. A supporting interactive use-case tool is also available from this site. SECTION A.8: CYBER SECURITY EVALUATION TOOL (CSET) Critical infrastructures are dependent on information technology systems and computer networks for essential operations. Particular emphasis is placed on the reliability and resiliency of the systems that comprise and interconnect these infrastructures. The Department of Homeland Security (DHS) National Cyber Security Division (NCSD) collaborates with partners from across public, private, and international communities to advance this goal by developing and implementing coordinated security measures to prote The DHS Control Systems Security Program (CSSP) has released Version 5.1 of the Cyber Security Evaluation Tool (CSET). This newest version of the tool can be downloaded from the CSSP website, |
84 | at https://us-cert.cisa.gov/ics/Assessments. The CSET is a product that assists organizations in protecting their key national cyber assets. It was developed under the direction of the NCSD by cybersecurity experts and with assistance from the National Institute of Standards and Technology. This tool provides users with a systematic and repeatable approach for assessing the security posture of their cyber systems and networks. It includes both high-level and detailed questions related to all industrial control and IT systems. |
87 | 6666 West Quincy Avenue Denver, CO 80235-3098 T 800.926.7337 www.awwa.org Dedicated to the world’s most important resource, AWWA sets the standard for water knowledge, management, and informed public policy. AWWA members provide solutions to improve public health, protect the environment, strengthen the economy, and enhance our quality of life. To access AWWA Standards online, visit awwa.org/envoi ISBN 978-1-64717-031-8 |