Cybersecurity: Water Utility Security Part 9

In this final post on cybersecurity in the water utilities industry, we’ll look at remaining areas of interest that center around information and communication. It’s evident by this point that lack of knowledge is one of the greatest threats to infrastructure security. The more awareness an organization has, the simpler it is to take the necessary steps to create an environment that is resistant to cyber threats.

Education

Who needs to be educated about security practices, policies, and procedures? Internal employees are at the core of any training program. But clients and service providers shouldn’t be overlooked. Any third party that is involved with PCS systems or other vital technology should be aware of potential risks. SLAs should include relevant certifications. As a whole, the water utility should participate in water sector programs that are designed to identify and implement best practices.

Here are a few of the other actions that the AWWA recommends in terms of education:

  • Regular testing of security procedures to evaluate security awareness and incident response
  • Cross-training for IT and PCS staff so knowledge is shared and potential gaps in security can be more readily found
  • Training for all staff to identify common risks and threats such as social engineering
  • Communications training (network & radio) for PCS technicians to ensure proper, secure communication and crisis response capability

Personnel Security

From hiring through termination—and even after—employees and contractors can hold the keys to cybersecurity for an organization. Ensuring that each worker has only the access level required to accomplish their assigned duties is an important aspect of personnel security. Network and facility access should be set up for immediate, automatic revocation upon termination so that no unauthorized individuals are able to infiltrate the system after leaving the organization.

Vetting prospective workers prior to hiring may help spot red flags and at-risk candidates. A formal (standardized) background check process should be implemented for each level of responsibility within the agency. All new hires should also be required to sign appropriately worded confidentiality and cybersecurity policies. Such policies should be reviewed and signed again annually by all workers.

That’s it for our Water Utility Cybersecurity series. We hope you have found this overview helpful. For more information on keeping your facilities and workers safe, contact DKF Solutions for a consultation.

OSHA’s Six Foot Fall Protection Rule Just Got Teeth

Fall protection continues to be an area of controversy between California’s DOSH and federal OSHA regulators. When tougher protection rules were initially introduced decades ago, the goal was to reduce the risk of falls (still a common cause of death and severe injury in the construction sector). In 2010, Fed-OSHA got serious about enforcement, and many states began phasing in compliance over the next couple of years. But the changes were far from easy.

Safety Rules Didn’t Always Fit with “Business as Usual”

According to John Caulfield’s article for Builder Magazine: “The new (2010) rule now mandates that all employees working six feet or more above the ground must use ‘acceptable’ fall-protection equipment such as guardrails, safety nets, or personal fall-arrest systems that can include full-body harnesses and deceleration devices. Depending on the job, other forms of fall prevention might also be required, such as warning lines and safety monitor systems for steeper roofs.”

Unfortunately, many companies in the construction sector encountered substantial compliance challenges. The use of slide guards (a ubiquitous safety measure in the roofing industry) did not meet OSHA’s requirements for acceptable fall protection systems. Construction companies were faced with completing more paperwork to request exceptions to the ruling or with spending significant sums on fall protection equipment that might, in some cases, create additional tripping hazards on low-pitched roofs.

California Held Back on Switching to Federal Guidelines

As a leader in workplace safety, California initially stood apart from the controversy with its own well-tested fall-protection program. However, OSHA has now announced that it is taking a hard-line approach that no longer recognizes Cal/OSHA’s fall protection rules as ‘at least as effective as’ (ALEA) those at the federal level. Fed-OSHA’s Deputy Director for the Directorate of Construction, Dean McKenzie, is seeking a firm commitment from California to adopt the six-foot rule to replace the state’s own regulations.

At this time, California remains the sole holdout on this front among all the states. OSHA has indicated that pressure may be brought to bear to force a change. Proposed actions might include withholding funding and stepping in to enforce the six-foot trigger rule on California worksites.

Strong Opinions Can’t Hold Back Change

Opponents of Fed-OSHA’s stance report that the proposed changes could have negative impacts on the construction industry. Compliance could prove both costly and impractical—and OSHA has provided little guidance as to how the rules could be realistically applied on a typical construction site. Dissenters advocate forcing Fed-OSHA to take on full oversight for enforcing these regulations (a massive undertaking given the size of California’s residential and commercial construction sectors).

Yet California’s OSHA board has indicated that the state will indeed move toward compliance. They are hoping for a reasonable amount of time to phase in the regulations, understand the economic impact, and seek room for exceptions. This process may take a couple of years. As always, DKF Solutions will be monitoring the situation to understand when our clients need to make changes to maintain compliance.