SERVING FLORIDA’S WATER AND WASTEWATER INDUSTRY SINCE 1949
Test Yourself Answer Key From page 40
70 May 2021 • Florida Water Resources Journal
1. C) perform an asset inventory.
Per the WaterISAC 15 Cybersecurity Fundamentals, Section 1. Perform Asset Inventories, “Since you cannot protect and secure what you do not know you have, identifying assets is the foundation of a cybersecurity risk management strategy and essential for prioritizing cyber defense.”
2. C) principle of least privilege.
Per the WaterISAC 15 Cybersecurity Fundamentals, Section 4. Enforce User Access Controls, “By applying the principle of least privilege to a user account, only the absolute minimum permissions necessary to perform a required task are assigned. In other words, administrative or other privileged accounts are reserved for special use and are not to be logged in perpetually. Most malware operates with permissions of the logged-in user. By granting access and permissions based on roles and least privilege, malware has limited access to the resources it can compromise.”
3. A) Every person.
Per the WaterISAC 15 Cybersecurity Fundamentals, Section 12. Tackle Insider Threats, “An insider threat is a people problem, not a technology problem; without people, there would be no problem. The bottom line is that every person represents a potential insider threat; however, not all insider threats are malicious. Many insider threats occur due to simple negligence, lacking intent or motive. A tired or distracted employee can make an honest mistake, or an employee who is unaware of a particular risk may not perceive how their actions could perpetuate a threat.”
4. B) Industrial internet of things (IIoT)
Per the WaterISAC 15 Cybersecurity Fundamentals, Section 14. Address All Smart Devices (IoT, IIoT, mobile, etc.), “While all connected devices need to be addressed, what is known as the industrial internet of things is of great concern to utilities. While IIoT brings convenience and efficiency to water/wastewater management; it is the antithesis of air-gapped industrial deployments. Organizations simply cannot afford to deploy IIoT now and secure later, if at all. The cybersecurity risks and challenges brought about by IIoT cannot be ignored and must be addressed in the initial planning phases.”
5. C) Governance and risk management
Per the American Water Works Association (AWWA) “Water Sector Cybersecurity Risk Management Guidance,” under the section, Recommended Cybersecurity Practices and Improvement Projects, “Each practice category identified has numerous associated recommended controls and potential improvement projects. Some additional details on potential improvement projects are provided below:
   1. Governance and Risk Management
      a. Develop a formal, written cybersecurity policy that addresses the specific operational needs of PCS and enterprise systems.
      b. Establish an enterprise risk management strategy that associates cybersecurity investments with enterprise business plans.
      c. Perform a vulnerability assessment (e.g., cybersecurity evaluation tool [CSET] or physical assessment) on a regular basis.
      d. To aid in developing contingency plans, maintain current network asset inventory, baseline, “gold disk.”
      e. Develop and enforce hardware and software standards in order to limit number of system components.
      f. Develop standard specifications language that defines cybersecurity standards for inclusion in all procurement packages for PCS and enterprise systems.”
6. D) Perform a risk assessment.
Per the WaterISAC 15 Cybersecurity Fundamentals, Section 2. Assess Risks, “Risk assessments are instrumental in identifying security gaps and vulnerabilities. They are vital to prioritizing the application of controls and countermeasures to protect the organization. Once an asset inventory has been completed or updated, thorough and regular risk assessments must be conducted to identify and prioritize (or reprioritize) risk to key assets.”
7. A) disconnect compromised computers from the network.
Per the EPA “Incident Action Checklist – Cybersecurity” under Actions to Respond to a Cyber Incident-Utility, “If possible, disconnect compromised computers from the network to isolate breached components and prevent further damage, such as the spreading of malware. Do not turn off or reboot systems; this preserves evidence and allows for an assessment to be performed.”
8. C) IT/business network
Per the WaterISAC 15 Cybersecurity Fundamentals, Section 3. Minimize Control System Exposure, “As most compromises to ICS networks emanate from the IT/business network, it is vital to eliminate any unnecessary communication channels discovered between devices on the control system network and equipment on other networks. Any connections that remain need to be carefully evaluated, managed, and strengthened to reduce network vulnerabilities.”
9. B) firewall.
Per the WaterISAC 15 Cybersecurity Fundamentals, Section 3. Minimize Control System Exposure, “A firewall is a software program or hardware device that filters inbound and outbound traffic between different parts of a network, or between a network and the internet.”
10. B) offboarding.
Per the WaterISAC 15 Cybersecurity Fundamentals, Section 4. Enforce User Access Controls, “Offboarding - To protect company assets from unauthorized access, physical and cyber access should be disabled as soon as it is no longer required. Terminated and voluntarily separated employees, vendors, contractors, and consultants should have access revoked as soon as possible. Likewise, employees transferring into new roles will likely need to have unnecessary access removed. A rigorous offboarding procedure should be established with human resources and contract managers, as well as information technology (IT) and operational technology (OT) staff. The offboarding procedure should include an audit process to identify disabled and deleted accounts and to confirm appropriate access deprovisioning due to role transfers. The procedure should also incorporate a method to identify any shared accounts, like system administrator, development environment, application, and vendor accounts.”