Cybersecurity: Water Utility Security Part 3

The threat to infrastructure from online attackers has become a matter of national security over the past few years. According to the Department of Homeland Security, “The Water and Wastewater Systems Sector is vulnerable to a variety of attacks, including contamination with deadly agents, physical attacks such as the release of toxic gaseous chemicals and cyberattacks. If these attacks were realized, the result could be large numbers of illnesses or casualties and/or a denial of service that would also impact public health and economic vitality.” The DHS points out that critical services and systems such as firefighting and healthcare, energy, food, agriculture, and transportation systems would all face challenges or break down altogether if water service was interrupted.

Process Control Systems Are Already Under Attack

The American Water Works Association offers additional insight into the scope of the problem: “Cybersecurity is an increasingly important issue for water systems for a few reasons. First, water systems have become more automated to improve operational efficiency, including the expanded use of supervisory control and data acquisition systems for treatment plant and distribution system operations. Second, hackers and state-sponsored organizations are increasingly targeting process control systems (PCSs) for malevolent attacks. Discussions with water systems and reported incidents reveal that many systems receive hundreds of attempted attacks and probes on a daily basis.”

It’s evident that, as one of the 16 critical infrastructure sectors in the U.S., water utilities need to do a better job of protecting their process control systems from cyber-threats. But how exactly can this be accomplished?

A Framework for Cybersecurity Has Been Created

The National Institute of Standards and Technology has collaborated with the AWWA to develop guidelines to help water and wastewater utilities better protect their critical systems. As of 2014, this cybersecurity framework covers 12 key areas:

  1. Governance and Risk Management
  2. Business Continuity and Disaster Recovery
  3. Server and Workstation Hardening
  4. Access Control
  5. Application Security
  6. Encryption
  7. Telecom, Network Security, and Architecture
  8. Physical Security of PCS Equipment
  9. Service Level Agreements
  10. Operations Security
  11. Education
  12. Personnel Security

In the ensuing months, we will explore each of these areas of cybersecurity for the water utility sector. Stay tuned next month for a look at Governance & Risk Management—the big picture stuff that needs to be understood at the outset of developing a comprehensive plan for reducing security risks.


Is Your Wellness Program Compliant?

Workplace wellness initiatives can offer significant benefits to both employers and employees. The prevalence of chronic, preventable illness in the U.S. workforce costs companies dearly in lost productivity and high healthcare costs. That’s one reason so many employers are taking on the challenge of improving worker health in ways that go beyond OSHA programs. Employees who are in good health enjoy a better quality of life and can be safer and more successful at work.

Workplace Wellness Is Big Business in California

Due to high demand for information on this topic, California’s Department of Industrial Relations has developed a guide to serve as starting point for developing a workplace wellness program. It covers many of the common options including stress management, smoking cessation, and fitness along with tips for getting workers involved. The guide also points out that integrating wellness with occupational safety and health is the best way to encourage worker buy-in. A wellness initiative that is an extension of a properly-designed health and safety program makes a lot of sense—especially for organizations that want to achieve measurable results.

However, there are pitfalls associated with developing any workplace wellness program. Setting up the wrong type of program could actually cause an employer to run afoul of federal and state compliance in a number of areas. Here are three ways a program might fail the compliance test:

ADA (Americans with Disabilities Act)

ADA regulations are in place to protect against discrimination on the grounds of disability. Historically, that’s why employers have been prohibited from asking probing questions about medical conditions that might reveal potential disabilities. Invasive health questionnaires and medical screenings that are part of a wellness program can pose a serious problem. If the program is strictly voluntary, that’s one thing. But the use of certain incentives may tip the balance into making a program involuntary in the eyes of the ADA. A health program that excludes people with disabilities by failing to make reasonable accommodations for access can be another area of non-compliance.

HIPAA (Health Insurance Portability and Accountability Act)

This set of health privacy regulations is very strict. Employers who begin collecting detailed medical information from employees as part of a wellness program can be at risk for fines and penalties if this data is inadvertently or deliberately disclosed. Only collecting as much information as necessary and having a qualified third party manage all health data may be the smartest option to reduce liability.

OSHA (Occupational Safety & Health Administration)

Having a fitness facility on-site can be a boon for employees. But ensuring that such amenities do not create additional hazards can be tricky. For example, hosting a boot camp on company property that results in injury is obviously a poor workplace safety outcome. Damaged or broken workout equipment can also pose a risk, while failure to properly clean shared facilities can lead to the spread of pathogens (such as fungus). Routine inspection of all equipment and a thorough evaluation of any activities offered on-site are important employer responsibilities.

Are you wondering how to integrate a compliant wellness program with your health and safety practices? Contact DKF Solutions for a consultation.