Ventura County Grand Jury
• 2021-2022
• Agency Response
Response to:
Cybersecurity of Water Providers in Ventura County
County of Ventura*
⚠️ Aviso de traducción: Este contenido ha sido traducido automáticamente. El texto original en inglés es la versión oficial. La traducción puede contener errores.
⚠️ Este contenido ha sido traducido automáticamente. El texto original en inglés es la versión oficial. La traducción puede contener errores.
Findings and Recommendations 9 findings
F01
I (we) agree with the Findings numbered:
Related Recommendations (1)
R01
The Grand Jury recommends that the investigated public water providers regularly assess their cybersecurity, addressing both IT and SCADA, consistent, with EPA and CISA recommended best practices. (F-01, F-02, F-03, F-05) Ventura Water already regularly assesses its cybersecurity, addressing both IT and SCADA. Ventura Water is also in the process of doing a full assessment of IT systems, OT systems, and related equipment. It is anticipated that this full assessment will be complete The City of Ventura's Information Technology Department will be conducting a City-wide assessment starting in 2023 that will build upon the findings of the Ventura Water specific assessment. With the completion of these assessments a strategic plan can be developed to address any shortcomings as they relate to EPA and CISA recommended guidelines. For a timeframe for implementation, Ventura Water cannot provide a timeline of implementing these recommendations until the assessments is complete, but it is anticipated that implementation will commence within the fiscal year of 2023-2024. Ventura Water will work diligently to implement those recommendations in a timely manner.
F02
to F-09 I (we) disagree wholly or partially with the Findings numbered: . (Attach a statement specifying any portions of the Findings that are disputed; include an explanation of the reasons.) RECOMMENDATIONS Recommendations numbered . have been implemented. (Attach a summary describing the implemented actions.) Recommendations numbered R-01 to R-06 have not yet been . implemented but will be implemented in the future. (Attach a summary indicating the timeframe for implementation.) Recommendations numbered require further analysis. (Attach an explanation to include: scope and parameters of the analysis or study and timeframe for the matter to be prepared for discussion with the agency or department head. The timeframe shall not exceed six months from the date of publication of the report.) Recommendations numbered will not be implemented because they are not warranted or are not reasonable. (Attach an explanation.) 08/24/2022 Date: Signed: 6111 4, 1022 13 30 POT Title: General Manger - Ventura Water Number of pages attached: 83 FINDINGS:
Related Recommendations (1)
R02
The Grand Jury recommends that the investigated public water providers regularly share and exchange information regarding cybersecurity threats, attacks, protections, and remedies, and provide training, using such forums as the AWAVC. (F-01, F-02, F-03, F-04, F-06, F-07) Ventura Water reached out to the AWAVC to address using the AWA as a forum to address cybersecurity with its regional water agency members. AWAVC was willing to assist and placed this topic as an item for discussion on its July 27, 2022, safety committee workshop. A presentation was provided by a member agency and the topic was discussed. There is a level of uncertainty between agencies if information should be shared and how beneficial it would be to focus a cybersecurity group if there are such strong concerns about sharing information. Ventura Water will continue to look to forums such as the AWAVC and the EPA to provide training and updated materials. Without regulated standards that structure how cybersecurity threats should be shared at the agency level, Ventura Water will be hesitant to participate in sharing information at this time. For a timeframe for implementation, regarding training, Ventura Water already provides training to its employees regarding cybersecurity threats, attacks, protections, and remedies. Ventura Water will provide additional regular training based on the results of the assessment. Ventura Water does not have anything further to add regarding timing for implementation of this recommendation.
F03
The Grand Jury finds inconsistent levels of cybersecurity of SCADA systems among the investigated water providers. Ventura Water cannot agree or disagree with this finding that there are inconsistencies with the cybersecurity of SCADA among other agencies as this is not information agencies share nor does Ventura Water provide information to other agencies on its level of cybersecurity with SCADA.
Related Recommendations (1)
R03
The Grand Jury recommends that the investigated public water providers use free federal and state expert assistance to enhance cybersecurity. (F-01, F-02, F-3, F-05, F-06, F-07, F-08) After the completion of the above-mentioned assessment Ventura Water will make an effort to utilize any state or federal resources to assist in developing a strategic plan to meet recommended guidelines for critical infrastructure in regard to cybersecurity and disaster recovery. For a timeframe for implementation, again, Ventura Water anticipates that a water specific I assessment will be completed and will pursue relevant federal and state expert assistance to enhance cybersecurity thereafter.
F04
The Grand Jury finds that the level of training on cybersecurity is inconsistent among the investigated water providers. Ventura Water cannot agree or disagree with this finding as it is not aware of what level of training is provided or needed at other agencies.
Related Recommendations (1)
R04
The Grand Jury recommends that the investigated public water providers regularly conduct cybersecurity awareness training. (F-01, F-02, F-03, F-04) Ventura Water already conducts cybersecurity awareness training with employees. Ventura Water is also in the process of developing an extensive employee onboarding process that will require onboard training to employees prior to use and working on programs and equipment that hold cybersecurity risks. Ventura Water adheres to the policies and procedures of the City of Ventura's IT Department and receives routine training and technical assistance with cybersecurity issues. For a timeframe for implementation, this measure is already being implemented and will continue to be implemented.
F05
The Grand Jury finds that the level and frequency of cybersecurity assessments are inconsistent among the investigated water providers Ventura Water cannot agree or disagree with this finding as it is unaware of what level and frequencies cybersecurity assessments are being conducted at other agencies.
Related Recommendations (1)
R05
The Grand Jury recommends that the investigated public water providers address recovery from cybersecurity incidents in their business recovery plans. (F-01, F-02, F-03, F-09) Ventura Water is in the process of doing a full assessment of IT systems, OT systems, and related equipment. With the completion of this assessment cybersecurity incident recovery will be \in {}^{\mathcal{K}} integrated into our business recovery plans. For a timeframe for implementation, Ventura Water anticipates that this assessment will be completed by 2022.
F06
The Grand Jury finds that knowledge of cyber incident reporting requirements is inadequate among the investigated water providers. Ventura Water cannot agree or disagree with this finding as it is not the regulating authority that cyber incidents are reported to and does not correspond with other agencies regarding cyber incident reports. Ventura Water has sufficient knowledge of cybersecurity requirements, but as discussed below we will continue to seek additional information and resources to supplement our knowledge.
Related Recommendations (1)
R06
The Grand Jury recommends that each investigated public water provider establish a CISA- compliant internal protocol for reporting cyber incidents. (F-01, F-02, F-03, F-06) Ventura Water appreciates the recommendation and we have familiarized ourselves with CISA Incident Reporting System. Any incidents will be reported to the CISA Incident Reporting System and if necessary to the CISA Malware Analysis Submission Form. This procedure will be integrated into our business recovery plans. For a timeframe for implementation, this recommendation is being implemented immediately, and will also be integrated into our strategic business and recovery plans by fiscal year 2023-2024. .
F07
The Grand Jury finds that there is insufficient information exchange among the interviewed water providers regarding cybersecurity threats, attacks, protections, and remedies. Ventura Water partially agrees with this finding that there are insufficient information exchanges among water providers regarding cybersecurity threats, attacks, protection, and remedies. Due to the sensitive nature of cybersecurity and legal constraints it is often unclear what information can and should be shared with other agencies. Concerns for what should be made public and that could pose an exposure to security risk prohibit the sharing of information. There is no established communication protocol between agencies that would allow for private secure conversations to discuss freely.
No recommendations for this finding
F08
The Grand Jury finds that there is insufficient awareness among public water providers of available government expert cybersecurity services and support for water provider systems. Ventura Water cannot agree or disagree with this finding that there is insufficient awareness among public water providers of available water expert cybersecurity services and support for water provider systems as it does not know what information other agencies have received or what resources they have in obtaining information to achieve awareness. Ventura Water has sufficient awareness of available government expert cybersecurity services and support and will continue to seek additional information and resources to supplement our awareness.
No recommendations for this finding
F09
The Grand Jury finds that not all the investigated water providers' business recovery plans addressed recovery from cyber incident. Ventura Water cannot agree or disagree with the finding that not all investigated water providers' business recovery plans addressed recovery from cyber incident as is does not have access to other agencies business recovery plans. Ventura Water in the process of doing a full assessment of IT systems, OT systems, and related equipment. With the completion of this assessment cybersecurity incident recovery will be integrated into our business recovery plans. RECOMMENDATIONS
No recommendations for this finding
* This report's PDF did not contain easily extractable text and required Optical Character Recognition (OCR) for analysis. There may be minor errors in the extracted findings and recommendations due to OCR limitations with scanned documents.