Cyber Florida Announces Update to Program to Enhance Cybersecurity for Critical-Infrastructure Organizations
The critical-infrastructure protection program assessment aligns with the recently released
National Institute of Standards and Technology cybersecurity framework 2.0
Cyber Florida, in partnership with Idaho National Laboratory (INL), has updated its critical
infrastructure protection program to align with the recently released National Institute of
Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0, widely used to reduce
cybersecurity risk across public and private sectors and subsectors. Cyber Florida’s
multi-assessment platform leverages the Department of Homeland Security (DHS) cybersecurity
evaluation tool containing both the CSF 2.0 standard question set and ransomware readiness
assessment (RRA) modules. The tools and resources available through the program are
state-funded and provided at no charge for Florida’s private and public critical infrastructure
organizations.
The CSF 2.0 is designed for all audiences, businesses, critical infrastructure sectors, and
organizations, regardless of their degree of cybersecurity sophistication. The NIST has added
governance to the CSF’s core guidance to help organizations assess and achieve their
cybersecurity goals.
“Since October 2022, more than 655 Florida organizations, companies, businesses, and
government agencies have participated in the program,” said Bryan Langley, lead program
manager at Cyber Florida. “We continue to support, develop, and adopt greater cybersecurity
measures and services to support Florida’s public and private sector owners and operators.”
The Florida Legislature has funded the risk assessment effort to support the state’s public and
private sector entities with numerous, no-cost benefits for participating organizations,
companies, and businesses. The assessment covers the CSF 2.0 desired outcomes and provides
several reports detailing an organization’s strengths and weaknesses to determine and leverage
cyber risk reduction resources from Florida agencies, universities, and colleges. Measuring
success comes from both the improvements made by the participants based on their individual
reports and using the customized statewide dashboard (visualization tool) developed by INL to
analyze sector/subsector risk across the state.
The program is intended to assist small- and medium-sized enterprises and resource-constrained
county and municipal government entities in implementing basic cybersecurity protocols and
policies to achieve a fundamental cybersecurity posture. This comprehensive initiative is
designed to fortify the cybersecurity resilience of public and private critical infrastructure across
the state.
In an era of increasing cyber threats and incidents, safeguarding critical infrastructure is
paramount. The program aims to empower organizations by providing high-quality cybersecurity
resources, training, and support to defend against evolving cyber risks and recover from
incidents. The resources available on the platform include the following:
– A 20-question RRA based on the most reported cybersecurity gaps from the initial statewide
risk assessment period between October 2022 and June 2023.
– A cybersecurity incident response plan template to help organizations think through and plan
how to recover from a cyber incident.
– A 154-question assessment that covers key cybersecurity desired outcomes and practices
outlined in CSF 2.0 and the RRA.
To learn more about the program and how an organization can participate, please visit the
program’s official webpage at www.cyberflorida.org/cip or contact the program lead, Bryan
Langley, at bjlangley@cyberflorida.org.
The Florida Center for Cybersecurity at the University of South Florida, commonly referred to as
Cyber Florida at USF, was established by the Florida Legislature in 2014. Its mission is to
position Florida as a national leader in cybersecurity through comprehensive education,
cutting-edge research, and extensive outreach. Cyber Florida leads various initiatives aimed at inspiring
and educating both current and future cybersecurity professionals, advancing industry research,
and enhancing cybersecurity awareness and safety of individuals and organizations.
EPA Issues Warning to Utilities About Cyber Attacks
The U.S. Environmental Protection Agency (EPA) is urging municipalities across
the United States to take additional security precautions in the wake of recent
cybersecurity attacks.
The attacks were seemingly committed by hackers from foreign nations and
targeted small communities in Texas and Pennsylvania. This, in combination with
an EPA inspection of drinking water systems across the U.S., revealed
cybersecurity weaknesses and prompted their warning to utilities, including some
in Michigan.
Some of the actions EPA recommends drinking water systems take to strengthen
their security include:
– Reducing exposure to public-facing internet
– Conducting regular cybersecurity assessments
– Changing default passwords immediately
– Conducting an inventory of operational technology/information technology
(OT/IT) assets
– Developing and exercising cybersecurity incident response and recovery
plans
– Backing up OT/IT systems
– Reducing exposure to vulnerabilities
– Conducting cybersecurity awareness training
Along with steps laid out by EPA, there are many other critical questions that
community leaders need to ask themselves when it comes to evaluating how
vulnerable their water systems might be to a cyber attack.
Some security system failures identified by EPA in its inspections of utilities
included default passwords that had not been updated for some time, in addition
to single logins that could be easily compromised.
While attacks in some states were resolved quickly (despite one in Texas causing a
water system to overflow), a worst-case scenario could mean total contamination
of a water system, and EPA believes this is not the last time the U.S. will face this
kind of threat.
The EPA said it’s offering technical assistance, training, and educational resources
to any communities that might need them as they navigate potential security
system updates.
Along with discovering cybersecurity weaknesses, EPA inspections also revealed
that more than 70 percent of water systems studied do not meet the clean water
standards outlined in the Safe Drinking Water Act.
For that reason, it’s increasing planned inspections.