Florida Water Resources Journal - May 2021

Page 40

Test Yourself
What Do You Know About Cybersecurity for Water and Wastewater?

Donna Kaluzniak

1. Per the Water Information Sharing and Analysis Center (WaterISAC) 15 Cybersecurity Fundamentals for Water and Wastewater Utilities – Best Practices to Reduce Exploitable Weaknesses and Attacks (15 Cybersecurity Fundamentals), since you cannot protect what you do not know you have, the foundation of a cybersecurity risk management strategy is to

a. analyze past incidents.
b. begin enforcing user controls.
c. perform an asset inventory.
d. tackle insider threats.

2. Per the WaterISAC 15 Cybersecurity Fundamentals, granting an employee access to controls with only the absolute minimum permissions necessary to perform a required task is described as

a. multifactor authentication.
b. password hygiene.
c. principle of least privilege.
d. role-based access control.

3. Per the WaterISAC 15 Cybersecurity Fundamentals, what constitutes a potential insider threat with regards to cybersecurity?

a. Every person.
b. Disgruntled or malicious people only.
c. Information technology (IT) experts only.
d. The supervisory control and data acquisition (SCADA) technology in use at the facility.

4. Per the WaterISAC 15 Cybersecurity Fundamentals, while it’s vital that all smart/connected devices are included in the organizational risk management strategy, what is of greatest concern for water utilities?

a. Employees using personal devices for work.
b. Industrial internet of things (IIoT)
c. Power security
d. Supply chain issues

5. Per the American Water Works Association (AWWA) “Water Sector Cybersecurity Risk Management Guidance,” developing a formal, written cybersecurity policy that addresses the specific operational needs of a process control system (PCS) and enterprise systems falls under what category of recommended cybersecurity practices?

a. Business continuity and disaster recovery
b. Data security
c. Governance and risk management
d. Operations security

6. Per the WaterISAC 15 Cybersecurity Fundamentals, what must be done in order to identify and prioritize security gaps and vulnerabilities?

a. Encrypt communications.
b. Implement threat detection and monitoring.
c. Perform an asset inventory.
d. Perform a risk assessment.

7. Per the U.S. Environmental Protection Agency (EPA) “Incident Action Checklist – Cybersecurity,” one of the first things a utility should do in response to a cyber incident, if possible, is to

a. disconnect compromised computers from the network.
b. reboot any affected computers immediately.
c. respond to any instructions received on the compromised computers.
d. turn off the affected computers and unplug them.

8. Per the WaterISAC 15 Cybersecurity Fundamentals, it’s important to minimize control system exposure. The most commonly identified weakness for an industrial control system (ICS) is a lack of appropriate boundary protection controls. From what exposure do most ICS compromises emanate?

a. Bluetooth
b. Flash drives
c. IT/business network
d. SCADA upgrades

9. Per the WaterISAC 15 Cybersecurity Fundamentals, technologies to isolate network segments from one another are also used to protect an ICS. A technology that uses a software program or hardware device to filter inbound and outbound traffic between different parts of a network, or between a network and the internet, is a

a. demilitarized zone (DMZ).
b. firewall.
c. unidirectional gateway.
d. virtual local area network (VLAN).

10. Per the WaterISAC 15 Cybersecurity Fundamentals, to protect company assets from unauthorized access, physical and cyber access should be disabled as soon as it’s no longer required. Terminated and voluntarily separated employees, vendors, contractors, and consultants should have access revoked as soon as possible. Likewise, employees transferring into new roles will likely need to have unnecessary access removed. This process is called

a. multifactor authentication.
b. offboarding.
c. principle of least privilege.
d. role-based access control.

Answers on page 70

References used for this quiz:
• Water Information Sharing and Analysis Center (WaterISAC) 15 Cybersecurity Fundamentals for Water and Wastewater Utilities – Best Practices to Reduce Exploitable Weaknesses and Attacks: https://www.waterisac.org/fundamentals
• American Water Works Association (AWWA) “Water Sector Cybersecurity Risk Management Guidance”: https://www.awwa.org/Portals/0/AWWA/ETS/Resources/AWWACybersecurityGuidance2019.pdf?ver=2019-09-09-111949-960
• U.S. Environmental Protection Agency (EPA) “Incident Action Checklist – Cybersecurity”: https://www.epa.gov/sites/production/files/2017-11/documents/171013incidentactionchecklist-cybersecurity_form_508c.pdf

Send Us Your Questions

Readers are welcome to submit questions or exercises on water or wastewater treatment plant operations for publication in Test Yourself. Send your question (with the answer) or your exercise (with the solution) by email to: donna@h2owriting.com

