08.b EDB Cybersecurity-AI Policy FY 25-26
EXECUTIVE SUMMARY
AGENDA ITEM:
Consideration and Adoption of the Cybersecurity and Artificial Intelligence (AI) Use Policy
Date: May 29, 2026
BACKGROUND:
CCUA operates critical public infrastructure where a digital breach can pose a direct threat to public
health, operational safety, utility uptime, and customer data. Modern water infrastructure relies heavily on
interconnected digital systems; while this maximizes efficiency, it also increases our exposure to
sophisticated ransomware and data leaks. CCUA has made considerable investments in modernizing most
of its electronic systems. With this modernization, staff requests that the Board approve a Cybersecurity
and AI Use Policy.
To mitigate these risks, this proposed policy provides a formalized governance framework that transitions
the utility to a strict, audited resilience model. The policy draws a definitive line of defense around our
corporate enterprise networks (Information Technology, IT) and our physical operational systems
(Operational Technology, OT / Supervisory Control and Data Acquisition, SCADA) while establishing
safety guardrails for employee use of AI in strict alignment with state and federal laws. Crucially, legal
counsel from CCUA's insurance provider notes that formalizing this framework significantly enhances
our cyber insurability, will expand our vendor options in the commercial insurance market, and
positions the organization for measurable premium savings.
Key Policy Mandates & Safeguards
• Network Segmentation: Keeps the corporate IT network and the critical OT/SCADA network
segmented so that a security breach on a corporate laptop cannot spread to our
operational systems.
• Strict AI Governance: Prohibits any AI tool from autonomously adjusting operational
parameters; final operational decisions must always be executed by a human professional.
Employees are prohibited from entering sensitive data or information into public or
unapproved AI tools.
• Access Control & Mandatory MFA: Multi-Factor Authentication is mandatory for all system
users. Shared credentials are strictly prohibited, and user access permissions will be audited semi-
annually.
• Ransomware-Resilient Backups: Requires two independent backup sets: on-site backups for
rapid operational recovery, and off-site backups (secure cloud storage or a secondary physical
site) that are logically isolated from the production network so they survive a facility-wide
cyber incident.
• Regulatory Compliance: Brings CCUA into alignment with the Florida State Cybersecurity
Act and the local government cybersecurity requirements of s. 282.3185, F.S., the Florida
Information Protection Act (FIPA, s. 501.171, F.S.), and the federal America's Water
Infrastructure Act of 2018 (AWIA).
//PV(Author)
//JDJ,AE(Review)
//PV(Final)
Accountability & Continuous Auditing
• Mandatory Reporting: Requires confirmed digital breaches to be reported to the Florida
Digital Service and CISA within 48 hours, in line with state and federal reporting requirements.
• Staff Training: Requires all employees to undergo annual cybersecurity and AI awareness
training, backed by unannounced phishing simulations.
• Independent Oversight: Mandates a comprehensive cyber risk assessment annually, alongside
an independent third-party professional security audit every two years to validate our defensive
posture.
RECOMMENDATION:
Staff respectfully requests that the Board of Supervisors approve and adopt the Cybersecurity and Artificial
Intelligence Use Policy to formalize a standards-aligned cybersecurity governance structure and reinforce
CCUA's ongoing commitment to operational reliability, regulatory compliance, and risk mitigation.
ATTACHMENTS:
Cybersecurity and Artificial Intelligence Use Policy
Clay County Utility Authority
Cybersecurity and
Artificial Intelligence
Use Policy
Table of Contents
Section 1 Purpose
Section 2 Scope
Section 3 Goals and Objectives
Section 4 Regulations and Guiding Standards
Section 5 Definitions
Section 6 Roles and Responsibilities
Section 7 Acceptable Use
Section 8 Access Control
Section 9 Network and System Security
Section 10 Data Protection and Backup
Section 11 Incident Response, Recovery and Reporting
Section 12 Physical Security
Section 13 Training and Awareness
Section 14 Risk Assessment and Compliance
Section 15 Third Party and Vendor Security
Section 16 Policy Review
Cybersecurity and Artificial Intelligence Use Policy
Effective Date: June 2, 2026
Revision Date:
Section 1. Purpose
1.1. The Authority establishes this Cybersecurity and Artificial Intelligence (AI) Use Policy to
safeguard the confidentiality, integrity, and availability of the Authority's enterprise
information systems, operational technology, and critical infrastructure. The policy
supports compliance with applicable regulations, ensures the continued safe and
reliable delivery of drinking water and wastewater services, and protects
customer and employee information.
Section 2. Scope
2.1. Scope of Applicability: This policy applies to all individuals and entities that interact
with the utility's digital or physical infrastructure, specifically:
2.1.1. Internal Personnel: All full-time and part-time employees across all
departments.
2.1.2. External Contractors: Any independent contractors or consultants hired to
perform specialized tasks or project-based work.
2.1.3. Third-Party Vendors: All service providers and equipment manufacturers,
particularly those granted remote access for maintenance or software updates.
2.1.4. System Users: Any individual who has been granted credentials or access to the
utility's internal network, hardware assets, or data repositories.
2.2. Asset Coverage
2.2.1. The policy is designed to protect two distinct but interconnected environments:
2.2.2. Operational Technology (OT): The Supervisory Control and Data Acquisition
(SCADA) network, including pumps, sensors, and Programmable Logic
Controllers (PLCs) responsible for water distribution.
2.2.3. Information Technology (IT): The corporate office network used for billing,
customer records, GIS data, and internal communications.
Section 3. Goals and Objectives
3.1. The primary objective of this policy is to ensure the continuous delivery of safe
drinking water and the protection of the Authority's assets.
3.1.1. Operational Safety: The Authority shall operate safely and reliably while
protecting customers, employees, and organizational data.
3.1.2. Public Health Protection: The Authority shall prevent unauthorized physical or
digital tampering with water treatment processes or chemical dosing.
3.1.3. Technology Leverage: The Authority shall leverage technology to operate
efficiently while mitigating and minimizing evolving cybersecurity threats.
3.1.4. Infrastructure Resilience: The Authority shall maintain the capability to restore
water service quickly during a digital compromise, including the ability to
transition to manual operations if necessary.
3.1.5. Resilience Framework: The Authority shall develop, implement, and maintain
a Cybersecurity Incident Response Plan (CIRP), a Business Continuity Plan
(BCP), and Incident Reporting Standard Operating Procedures (IR SOPs).
3.1.6. Data Sovereignty & AI Sanitization: The Authority shall maintain complete
control over sensitive data. Any use of AI or external tools requires the
removal of proprietary identifiers (IP addresses, names, locations) before input.
3.1.7. Regulatory Alignment and Compliance: The Authority adopts a defensible
security posture aligned with the NIST Cybersecurity Framework. The
Authority shall align its practices with the Florida "State Cybersecurity Act" as
amended from time to time.
3.1.8. Business Continuity: The Authority shall maximize continuity while
minimizing or eliminating IT and OT system downtime.
3.1.9. Risk Reporting: The Authority shall regularly report on cybersecurity risks,
threats, and issues to internal leadership and relevant external stakeholders.
3.1.10. Policy Evolution: The Authority shall review this policy annually to ensure it
remains current with the changing threat landscape.
Section 4. Regulations and Guiding Standards
4.1 Florida Statutory Requirements
4.1.1 Florida Information Protection Act (FIPA), s. 501.171, F.S.: This statute
dictates the Authority's mandatory data security standards and required
notification procedures in the event of a breach involving personal information.
4.1.2 Florida Public Records Law (Chapter 119, F.S.): The Authority shall manage
public records requests while ensuring that security-sensitive information—
such as network diagrams, vulnerability assessments, and passwords—is
strictly exempt from disclosure as provided by law.
4.1.3 Florida State Cybersecurity Act: The Authority aligns its operational practices
with this Act to ensure consistency with state-level cybersecurity resilience
goals.
4.2 National& Industry Mandates
4.2.1 America's Water Infrastructure Act of 2018 (AWIA): The Authority shall maintain
compliance with federal requirements for Risk and Resilience Assessments
(RRAs) and Emergency Response Plans (ERPs).
4.2.2 NIST Cybersecurity Framework (CSF): The Authority shall align its
cybersecurity program with the NIST CSF to provide a structured approach to
identifying, protecting, detecting, responding to, and recovering from digital
threats.
4.2.3 NSDI Geospatial Data Guidelines: These guidelines are utilized to manage and
protect the Authority's GIS and critical infrastructure mapping data from
unauthorized access.
Section 5. Definitions
5.1. Technical Infrastructure
5.1.1. OT: The hardware and software used to control and monitor devices within the
Authority's pump stations, Water Treatment Plants (WTPs), and Water
Reclamation Facilities (WRFs).
5.1.2. SCADA: The network of computer systems (including HMIs and PLCs)
providing visibility and control over industrial processes.
5.1.3. Remote Access: Accessing the Authority's computers or networks from a
location outside of physical facilities by employees, vendors, or contractors.
5.2. AI & Data Governance
5.2.1. AI: Analytical and predictive models using large data sets to mimic human
intelligence and decision-making.
5.2.2. Generative AI: A subset of AI used to generate unique text, graphics, imagery,
or audio.
5.2.3. Intellectual Property (IP): Intangible creations protected by law, including trade
secrets, network maps, and proprietary utility configurations.
5.2.4. Sensitive Personal Information (SPI): Employee and/or customer information
to be protected.
5.3. Resilience & Recovery
5.3.1. Recovery Point Objective (RPO): The maximum acceptable age of files to be
recovered from backups to resume operations after a disruption.
5.3.2. Recovery Time Objective (RTO): The maximum duration a system can be
inoperable before significant operational damage occurs.
5.3.3. Business Continuity Plan(BCP): The strategy used to keep water delivery and
business functions running during a system outage.
5.4. Cloud & Authority Structure
5.4.1. Cloud Services (SaaS/PaaS/IaaS): IT resources delivered over the internet,
including "Tenant" environments like Microsoft 365.
5.4.2. Senior Leadership Team (SLT): The Executive Management Group responsible
for the Authority's strategic decisions.
Section 6. Roles and Responsibilities
6.1. Senior Leadership Team (SLT)
6.1.1. The SLT oversees policy governance, ensuring resources are available for
cyber-resilience and approving the safe adoption of AI technologies.
6.2. IT and SCADA Management
6.2.1. The IT and SCADA Managers are responsible for the technical execution of
this policy, including:
6.2.1.1. System Integrity: Maintaining security controls across IT(business)
and OT (field operations) networks.
6.2.1.2. AI Oversight: Maintaining a registry of approved AI tools and
ensuring they meet privacy standards.
6.2.1.3. Risk Reporting: Maintaining a documented Risk Register and
coordinating with the Risk/Safety Manager semi-annually to ensure
adequate insurance coverage.
6.3. All Employees
6.3.1. Every employee is responsible for the secure use of the Authority's assets:
6.3.1.1. Reporting: Immediately notifying IT of suspicious activity,
potential breaches, or AI-generated "deepfake" scams.
6.3.1.2. AI Safety: Not entering sensitive utility data (such as, but
not limited to, infrastructure maps, SPI, chemical formulas,
employee data, and customer data) into unapproved or public AI
tools.
6.3.1.3. Compliance: Adhering to all password, access, and data-handling
protocols.
6.4. Third-Party Partners
6.4.1. Vendors, contractors, and consultants must comply with the Authority's
security standards and disclose any AI use involved in managing Authority
infrastructure.
Section 7. Acceptable Use (IT, OT, and AI)
7.1. Business Purpose: Authority systems are for business use only. Per the Florida Sunshine
Law (s. 286.011, F.S.), all work must be conducted on Authority devices and stored
on Authority network drives or Authority-approved cloud applications and platforms.
7.2. Personal Devices: Connecting personal devices to Authority IT or OT networks is
strictly prohibited.
7.3. AI: Employees are encouraged to use approved AI tools (e.g., Microsoft Copilot).
7.3.1. Data Security: Sensitive information, including but not limited to employee and
customer data, chemical formulas, infrastructure and operational data, and
IT or SCADA architecture, must not be entered into public AI tools.
7.3.2. Verification: AI output is a development aid; final decisions remain the
responsibility of the human employee or licensed professional.
7.3.2.1. AI shall never be used to autonomously adjust any operational
settings without direct human verification and manual execution.
7.3.2.2. The Authority expects employees with professional licensing from
the State of Florida to use their education, experience, and expertise
in the development of their work products and services. The Authority
expects information from AI tools to be used as input for information,
consideration, and development, not as the basis of final decision
making.
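The sanitization rule in 3.1.6 and the data restrictions in 7.3.1 are easier to enforce consistently with a small pre-send filter than by asking each employee to spot every identifier by eye. The helper below is an added, illustrative example (not an Authority tool or part of the policy): it replaces IPv4 addresses, e-mail addresses, internal hostnames and named facilities with stable placeholders before a prompt leaves the network, refuses to pass text that still contains a match, and maps placeholders back into the AI reply afterwards. The domain `ccua.example`, the site names, and the sample text are constructed assumptions.

```python
"""Redact proprietary identifiers before text is sent to an external AI tool.

Added example for policy sections 3.1.6 and 7.3.1; not part of the Authority's
own tooling. All patterns, names, hosts and addresses are constructed assumptions.
"""
import re

# IPv4 addresses (each octet 0-255). IPv6 and PLC tag names would need their own patterns.
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])\.){3}"
    r"(?:25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])\b"
)
# E-mail addresses (employee / customer contact data).
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


class Redactor:
    """Replaces identifiers with stable placeholders so the AI reply can be restored locally."""

    def __init__(self, internal_domains=(), known_terms=()):
        self.patterns = [("IP", IPV4_RE), ("EMAIL", EMAIL_RE)]
        if internal_domains:
            doms = "|".join(re.escape(d) for d in internal_domains)
            # Any host under an internal domain, e.g. hmi-01.<domain>.
            self.patterns.append(
                ("HOST", re.compile(rf"\b[\w-]+(?:\.[\w-]+)*\.(?:{doms})\b", re.I))
            )
        if known_terms:
            # Longest terms first so "Example WTP" wins over a shorter "Example".
            terms = "|".join(re.escape(t) for t in sorted(known_terms, key=len, reverse=True))
            self.patterns.append(("SITE", re.compile(rf"\b(?:{terms})\b", re.I)))
        self.mapping = {}   # placeholder -> original value; stays on-premises
        self._seen = {}     # (label, original value) -> placeholder

    def _placeholder(self, label, value):
        key = (label, value)
        if key not in self._seen:
            n = sum(1 for k in self._seen if k[0] == label) + 1
            self._seen[key] = f"[{label}-{n}]"
            self.mapping[self._seen[key]] = value
        return self._seen[key]

    def redact(self, text):
        """Substitute every match; the same value always gets the same placeholder."""
        for label, pattern in self.patterns:
            text = pattern.sub(lambda m, lbl=label: self._placeholder(lbl, m.group(0)), text)
        return text

    def restore(self, text):
        """Put original values back into text returned by the AI tool."""
        for placeholder, value in self.mapping.items():
            text = text.replace(placeholder, value)
        return text

    def find_sensitive(self, text):
        """Return {label: count} of identifiers still present; empty means safe to send."""
        hits = {}
        for label, pattern in self.patterns:
            n = len(pattern.findall(text))
            if n:
                hits[label] = n
        return hits


# Constructed sample; names, hosts and addresses are fictitious.
SAMPLE = ("PLC at 10.20.30.41 (hmi-01.ccua.example) for Example WTP lost comms; "
          "contact j.doe@ccua.example. Backup HMI 10.20.30.42 also at Example WTP.")


def demo():
    """Redact the sample, gate on residual matches, and restore it."""
    r = Redactor(internal_domains=["ccua.example"],
                 known_terms=["Example WTP", "Lift Station 12"])
    redacted = r.redact(SAMPLE)
    if r.find_sensitive(redacted):
        raise ValueError("identifiers remain; do not send")
    return redacted, r.restore(redacted)


if __name__ == "__main__":
    out, back = demo()
    print(out)
    print("round-trip ok:", back == SAMPLE)
```

Regular expressions are a floor, not a guarantee: chemical dosing setpoints, PLC tag names, and free-text descriptions of a site can still identify a facility, so the human check required by 7.3.2 remains in force. The placeholder mapping never leaves the Authority's network; only the redacted text does.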
Section 8. Access Control
8.1. Permissions: Access is granted based on job necessity. IT and SCADA Managers shall
review user permissions semi-annually.
8.2. Authentication: Multi-Factor Authentication (MFA) is mandatory for all IT and OT
systems. Sharing credentials is prohibited and subject to disciplinary action.
8.3. Termination of Access:
8.3.1. Involuntary: Access disabled immediately.
8.3.2. Voluntary: Access disabled within 24 hours.
8.3.3. Facilities shall revoke physical badge access, and IT shall collect all devices
upon departure.
Section 9. Network and System Security
9.1. Maintenance: The IT Department shall manage firewalls and security patches to
protect endpoints (phones, tablets, computers).
9.2. System Segmentation: IT (Enterprise) and OT (SCADA) networks must remain
segmented to prevent a cyber incident from spreading between systems.
9.3. The Authority's IT Department shall actively maintain the security posture of
enterprise system firewalls, routers, controllers, endpoints, computers, phones, tablets,
and other electronic devices by promptly applying and testing security patches.
9.4. The Authority's SCADA (OT) Department shall actively maintain the security posture
of operations system firewalls, routers, controllers, endpoints, computers, phones,
tablets, and other electronic devices by promptly applying and testing security patches.
9.5. The Authority's IT Department shall actively maintain Intrusion Detection Systems
(IDS) and Intrusion Prevention Systems (IPS) on the enterprise systems.
9.6. The Authority's SCADA (OT) Department shall actively maintain Intrusion Detection
Systems (IDS) and Intrusion Prevention Systems (IPS) on the operations systems.
9.7. The IT systems and the OT systems shall be separated and segmented to maximize
security.
Section 10. Data Protection and Backup
10.1. Safeguards: Systems should utilize encryption, anti-malware, and regular security
updates to protect data from corruption, unauthorized access, or ransomware.
10.2. Redundancy: To ensure business continuity, IT and SCADA shall maintain two
distinct types of backups:
10.2.1. Local Backups: A copy of critical data kept on-site for immediate restoration of
utility operations and water treatment processes.
10.2.2. Offsite Backups: A secure copy of critical data stored in a geographically
separate location (e.g., secure cloud storage or a secondary physical site) to
protect against facility-wide disasters.
10.3. Continuity & Testing: Backups shall be logically isolated from the primary network
to prevent cross-contamination by malware. The IT and SCADA Managers shall verify
the integrity of these backups periodically to ensure they are functional for recovery.
Section 11. Incident Response, Recovery, and Reporting
11.1. Response Plan: The IT and SCADA Managers shall maintain a Cybersecurity Incident
Response, Recovery, and Reporting (CIRRR) Plan. This document shall be the
authoritative guide for responding to system threats.
11.2. Annual Review: The CIRRR Plan must be reviewed, updated with current emergency
contact information, and submitted to the SLT by October 1st each year.
11.3. Mandatory Reporting: In the event of a confirmed breach, the IT/SCADA Managers
shall follow state and federal reporting requirements (e.g., Florida Digital Service and
CISA) within 48 hours, as required by s. 282.3185, F.S.
11.4. Recovery Goals: The Authority will establish Recovery Time Objectives (RTO) for
critical water operations and business systems within the CIRRR Plan to guide
restoration efforts.
Section 12. Physical Security
12.1. Device Care: Employees are responsible for the physical security of assigned devices
and must follow the Facility Security policy in the Employee Handbook.
12.2. Critical Infrastructure Access: All server rooms, SCADA command centers, and
field panels (PLCs/HMIs) must remain locked and secured.
12.3. Access Reviews: The IT, SCADA, and Facilities Managers shall review physical
access permissions semi-annually to ensure only authorized personnel have entry to
sensitive technical areas.
Section 13. Training and Awareness
13.1. Annual Training: All employees must complete cybersecurity and AI awareness
training annually. Records will be maintained by Human Resources.
13.1.1. Phishing Simulations: The Authority shall conduct unannounced phishing
simulations. Employees who demonstrate repeated vulnerability may be
required to undergo additional remedial training to ensure organizational
resilience.
13.2. Specialized Training: IT and SCADA staff shall complete advanced technical training
annually, aligned with CISA guidelines.
13.3. Threat Intelligence: The IT and SCADA Managers shall monitor alerts from industry
sources (e.g., CISA, EPA, WaterISAC, and Florida State agencies) to stay ahead of
emerging infrastructure threats.
Section 14. Risk Assessment and Compliance
14.1. Compliance Assessments: The IT and SCADA Managers shall conduct a
cybersecurity risk assessment at least annually. This review shall satisfy the
requirements of America's Water Infrastructure Act of 2018 (AWIA) and
s. 282.3185, F.S.
14.2. Collaboration: This assessment may be conducted in coordination with the
Authority's general risk and safety reviews to ensure a unified approach to physical
and digital threats.
14.3. Independent Audit: Every year, an external professional shall evaluate the
Authority's security posture and provide recommendations to the SLT.
Section 15. Third-Party and Vendor Security
15.1. Contract Standards: All vendors and contractors with system access must comply
with the Authority's cybersecurity and data protection standards.
15.2. Periodic Review: The IT Manager and Risk Manager shall review these contract terms
annually to ensure they align with insurance requirements and current law.
Section 16. Policy Review
16.1. Annual Update: This policy shall be reviewed annually by the IT, SCADA, and Risk
Managers. Any material changes must be approved by the SLT and the Board of
Supervisors.
PROCEDURES & RESPONSIBILITIES
CHANGE LOG
Date of Change    Description of Change