WCAT Fact Sheets
Identify. Does the WWS…
- 1. A Maintain an updated inventory of all OT and IT network assets?
- 1.B Have a named role/position/title that is responsible for planning, resourcing, and executing cybersecurity activities within the WWS?
- 1.C Have a named role/position/title that is responsible for planning, resourcing, and executing OT-Specific cybersecurity activities?
- 1.D Provide regular opportunities to strengthen communication and coordination between OT and IT personnel, including vendors?
- 1.E Patch or otherwise mitigate known vulnerabilities within the recommended timeframe?
- 1.G & 1.H Require that all OT vendors and service providers notify the WWS of any security incidents or vulnerabilities in a risk-informed timeframe?
- 1.I Include cybersecurity as an evaluation criterion for the procurement of OT and IT assets and services?
Protect. Does the WWS…
- 2.A Change default passwords?
- 2.B Require a minimum length for passwords?
- 2.C Require unique and separate credentials for users to access OT and IT networks?
- 2.D Immediately disable access to an account or network when access is no longer required due to retirement, change of role, termination, or other factors?
- 2.E Separate user and privileged (e.g., System Administrator) accounts?
- 2.F Segment OT and IT networks and deny connections to the OT network by default unless explicitly allowed (e.g., by IP address and port)?
- 2.G Detect and block repeated unsuccessful login attempts?
- 2.H Require multi-factor authentication (MFA) wherever possible, but at a minimum to remotely access WWS Operational Technology (OT)/Information Technology (IT) networks?
- 2.I Provide at least annual exercises for all WWS personnel that covers basic cybersecurity concepts?
- 2.J Offer OT-specific cybersecurity exercises on at least an annual basis to personnel who use OT as part of their regular duties?
- 2.K Use effective encryption to maintain the confidentiality of data in transit?
- 2.L Use encryption to maintain the confidentiality of stored sensitive data?
- 2.M Use email security controls to reduce common email-based threats, such as spoofing, phishing, and interception?
- 2.N Disable Microsoft Office macros, or similar embedded code, by default on all assets?
- 2.O Maintain current documentation detailing the set-up and settings (i.e., configuration) of critical OT and IT assets?
- 2.P Maintain updated documentation describing network topology (i.e., connections between all network components) across WWS OT and IT networks?
- 2.Q Require approval before new software is installed or deployed?
- 2.R Backup systems necessary for operations (e.g., network configurations, PLC logic, engineering drawings, personnel records) on a regular schedule, store backups separately from the source systems, and test backups on a regular basis?
- 2.S Have a written cybersecurity incident response (IR) plan for critical threat scenarios (e.g., disabled or manipulated process control systems, the loss or theft of operational or financial data, exposure of sensitive information), which is regularly practiced and updated?
- 2.T Collect security logs (e.g., system and network access, malware detection) to use in both incident detection and investigation?
- 2.U Protect security logs from unauthorized access and tampering?
- 2.V Prohibit the connection of unauthorized hardware (e.g., USB devices, removable media, laptops brought in by others) to OT and IT assets?
- 2.W Ensure that assets connected to the public Internet expose no unnecessary exploitable services (e.g., remote desktop protocol)?
- 2.X Eliminate connections between OT assets and the Internet?