cybersecurity in the water sector · 2018-07-11 · cybersecurity guidance is available, but more...
TRANSCRIPT
Cybersecurity in the Water Sector
AWWA’s mission: Providing solutions to effectively manage water, the world’s most important resource.
This seminar is designed to teach participants how to use the AWWA Cybersecurity Guidance Tool.
Safety and Comfort
• Emergency exits
• Bathrooms
• Smoking areas
Don Dickinson, Senior Business Development Manager, Phoenix Contact USA
• BS Electrical Engineering
• 34 years of experience
• Member of the AWWA Project Advisory Committee for development of Process Control System Security Guidance for the Water Sector and Online Tool
• Member of the AWWA Cybersecurity Subcommittee
• Member of the International Society of Automation (ISA) and the Water Environmental Federation (WEF) Intelligent Water Technology Committee
• Advanced cyber security training through ISA and other industry organizations
919-633-0147 (c)
Terrell Brown, IT Section Supervisor, Water Resources Department, Greensboro, NC
• BS, Computer Science
• 13 years of experience in IT network security and administration
• 5 years of experience in SCADA network security and administration
• Advanced cyber security training through ICS-CERT
336-333-6506 (o)
Pavol Segedy, PE, HDR
• MS Automation and Controls Systems
• 15+ years of experience as an Automation and Controls Engineer, Designer and Programmer
• ISA active committee member: ISA112 (SCADA), ISA 101 (Human Machine Interface), ISA/IEC 62443 (Cybersecurity), ISA-18.2 (Alarm Management)
• Active member of IEEE, WEF, AWWA; NC AWWA Automation Committee and Risk Management Committee
• 2018-2019 Director for the ISA Water and Wastewater Industry Division; Past-Chair for the 2016-2017 ISA Water/Wastewater and Automatic Controls
[email protected]
919.232.6649 (d)
Perry Gayle, PhD, PE, Risk and Resilience Leader, AECOM
• PhD Civil Engineering
• 43 years of experience
• Conducted over 50 Water Sector risk and resilience projects
• Provided cybersecurity support to DHS, Nashville, Louisville, and DC Water
• Member of AWWA Emergency Preparedness and Security Committee
• Cybersecurity training from ICS-CERT
919.461.1295 (d)
Cybersecurity Guidance Is Available, But More Can Be Done To Promote Its Use*
* GAO-12-92 report on Critical Infrastructure Protection, December 2011
A wide variety of cybersecurity guidance is available for entities in the critical infrastructure sectors including the water sector.
Given the plethora of guidance available, individual entities in the sectors may be challenged in identifying the guidance that is most applicable and effective in improving their security posture.
Description and Purpose
• This seminar consists of five modules that focus on the use cases and controls in AWWA’s Cybersecurity Guidance Tool (Tool). During this seminar you will see a demonstration of how to use the Tool to identify gaps that can be included in a cybersecurity improvement plan.
• The purpose of this seminar is to:
• Learn how the Tool works and how to use the Tool
• Learn the purpose and applications of control system use cases
• Learn the importance of evaluating use cases against the control system
• Demonstrate the Tool
• Address how to move forward with the recommendations of the report produced by the Tool
Course Requirements and Learning Elements
• Course Requirements
– Prerequisites: None
– Seminar attendance and participation
– Participation in hands-on learning checks and quizzes
• Learning Elements
– Lesson Plan
– Presentation
– Hands-on activities (demonstration)
– Discussion
– Participant handout
– Quizzes and tests
Agenda - Morning
• Welcome and Announcements
• Overview of Cyber Threats, Vulnerabilities, and Consequences from the Perspective of the Water Sector
• Developing a Business Case for Cybersecurity
• Break
• Examples of Cybersecurity Mitigation Strategies
• Introduction to the AWWA Cybersecurity Guidance & Tool
• Selecting Use Cases
• Lunch
Agenda - Afternoon
• Lunch
• Reviewing Recommended Controls
• Executing the Tool
• Break
• Implementing Recommendations
• Aligning Implementation Measures with Industry Standards
• Final Exam
• Wrap Up
Overview of Cyber Threats and Vulnerabilities from the Perspective of the Water Sector
Learning Objectives
• Define what we are trying to protect
• Recognize cyber threats are real
• Define water sector vulnerabilities
Useful Acronyms
APT – Advanced Persistent Threat
ICS – Industrial Control System
IT – Information Technology
OT – Operational Technology
PCS – Process Control System
PLC – Programmable Logic Controller
PSIMS – Physical Security Information Management System
SCADA – Supervisory Control and Data Acquisition
What Are We Trying to Protect?
• IT systems – ? – ? – ? – ?
• OT systems – ? – ? – ? – ?
What Are We Trying to Protect: IT and OT Priorities
IT priority is CIA
– Confidentiality
– Integrity
– Availability
Why is this the case?
OT priority is AIC
– Availability
– Integrity
– Confidentiality
Threat Actors
Hacktivism
Crime
Insider
Espionage
Terrorism
Warfare
Notable Cyber Incidents
• December 23, 2015
• Power outage in Ukraine was caused by BlackEnergy malware
• The infection was implanted with a spear phishing email with a malicious Microsoft Office (MS Word) attachment
• Example of an Advanced Persistent Threat (APT) attack
Notable Cyber Incidents
• December 18, 2013
• Target stores incident
• Loss of 40 million payment card records
• Malware entered through 3rd party HVAC vendor
• CEO resigns
• Millions of customers have to replace credit and debit cards
Notable Cyber Incidents
• May 2017
• Worldwide cyberattack by WannaCry ransomware
• Affected more than 200,000 computers across 150 countries
• Healthcare, manufacturing, FedEx, others
The Threat – New Threats Every Day
Notable Cyber Incidents
• March 2016
• Iran infiltrated the computerized controls of a small dam 25 miles north of New York City
• Hackers broke into the command and control system of the dam in 2016 through a cellular modem
• Could not release water because the sluice gate controls had been disabled
Notable Cyber Incidents
• May 2014
• Disgruntled employee shuts down AMR/AMI in five cities by hacking Tower Gateway Base Stations, leading to loss of revenue data and dispatching of personnel to collect meter readings manually
• Insider threats
– Employees have legitimate access and vast opportunity
– Extensive statistics on compromising or stealing business confidential information
– Over a third (36%) of companies surveyed claimed to have experienced insider incidents within the last year (InfoSecurity, Imperva)
Spear Phishing
• E-mail fraud attempt that targets a specific organization or person
• Messages appear to come from trusted sources
• May contain malicious attachments or web links
• Seeking unauthorized access to confidential data
• Conducted by sophisticated groups for financial gain, trade secrets, or military information
• Postings on Facebook, Twitter, and LinkedIn can make you more vulnerable
Advanced Persistent Threat (APT)
• Not a virus, worm, or glory-based attack
• The goal is not to crash your computer
• The goal is to steal information
• Specific targeting, not indiscriminate
• Very adaptive and agile
• May come in multiple packets and assemble on the target network
• Undetectable by anti-virus software
• Perpetrators are sophisticated, determined, coordinated, patient
• Maintain a low profile to remain undetectable
Timeline of a Typical APT Incident
The Threat is Likely Worse Than Reported
IT versus OT Vulnerabilities

Topic | IT | OT
Availability | Reboots allowed for applying patches | Maintenance windows are few and far between
Consequences of downtime / outages | Data and production can typically be recovered | Data often not reconstructable; process restarts are highly disruptive
Endpoint protection | Common and easy to deploy | PCS components do not support endpoint protection
Technology support lifetime | 3 to 4 year lifecycle | 20+ year lifecycle
Physical security of assets | Offices and data centers are relatively easy to secure | Remote location of some assets makes physical security more challenging
System security development | Security features designed into all modern hardware and software | Most PCS components designed without security features
Internet access | Systems designed for internet access | Older systems were never intended to be internet attached
IT / OT Collaboration Vulnerabilities
Third Party Access Vulnerabilities
• Examples of 3rd party access
– SCADA vendors
– HR software
– Payroll software
– Customer service software
– Asset management software
– GIS consultants
• 85% of companies share access to data with business partners
• 28% have security standards for sharing access to data with business partners (AT&T)
Flat Network Vulnerabilities
• Networks should be segmented to limit lateral movement
• Separate segments with firewalls
• Traffic can be controlled by whitelisting IP addresses and applications
• Data flow can be controlled by unidirectional data diodes
Exercise No. 1
• A visitor from off the street comes to the receptionist desk looking for a job and wants to give the receptionist a resume
• The visitor does not have a hard copy resume, but wants the receptionist to print a copy from his flash drive
What should the receptionist do?
Exercise No. 2
• SCADA System is isolated from the internet
• SCADA operator creates a wireless hotspot using a smart phone to access music website
• Plays music through the SCADA terminal
What is the risk?
Exercise No. 3
• Large city water utility has a dedicated surveillance camera network
• The city Office of Emergency Management has a city-wide surveillance camera network
• The utility wishes to integrate their cameras with the city system to achieve improved efficiencies and technical support
What are the risks?
Who is Responsible for Cyber Security
• ?
• ?
• ?
• ?
• ?
• ?
• ?
• ?
Summary of Typical Cyber Risks
• Phishing, spear phishing, whaling
• Other social engineering (flash drives, elicitation)
• Privileged access by external parties
• Unauthorized use of employee/customer credentials
• Privileged abuse by employees
• System vulnerabilities
• Exploitation of known software vulnerabilities
Summary and Conclusions
• The threats of a cyber incident are real
• Our systems have vulnerabilities
• Everyone can contribute to cyber security
Questions?
Developing a Business Case for Cybersecurity
Key Points on Security
• Security is a process, not a task! A journey, not a destination!
• Security is not an absolute! It’s a matter of degree.
• Everyone has a role to play, not just IT, and those roles and related responsibilities must be clearly defined and monitored.
• Neither practical nor feasible to fully mitigate all risks. Must allocate available resources as efficiently as possible.
• Goal: Risk management for critical infrastructure.
Critical Infrastructure Protection
…essential to the nation’s security, public health and safety, economic vitality, and way of life.
Cybersecurity Business Drivers in the Water Sector
• Potential for Operational and Financial impact
• Loss of Public Confidence caused by cyber breach
• Executive Orders encouraging voluntary action
• Bonding Agencies and Insurance Underwriters taking into consideration Cybersecurity Preparedness
• States beginning to pass regulations for Cybersecurity programs
Cybersecurity Guidance Is Available, But More Can Be Done To Promote Its Use*
* GAO-12-92 report on Critical Infrastructure Protection, December 2011
A wide variety of cybersecurity guidance is available for entities in the seven critical infrastructure sectors including the water sector.
Given the plethora of guidance available, individual entities in the sectors may be challenged in identifying the guidance that is most applicable and effective in improving their security posture.
AWWA G430-14 Security Practices for Operation and Management
Purpose is to define the minimum requirements for a protective security program for a water or wastewater utility that will promote the protection of employee safety, public health, public safety, and public confidence.
ANSI / AWWA G430-14 Security Practices for Operation and Management
• Explicit Commitment to Security: Explicit and visible commitment of senior leadership to security. Periodic review & update of security plan.
• Security plan: Comprehensive plan developed by utility that includes security goals, objectives, strategies, policies & procedures. Coordinate with Emergency Preparedness plan & Business Continuity plan.
The first step in implementing a security program is to develop a compelling business case for the unique needs of the organization.
ISA-62443 (ISA-99) Security for Industrial Automation and Control Systems
• Purpose is to define procedures for implementing electronically secure manufacturing and control systems, and security practices and assessing electronic security performance.
ISA-62443 Security for Industrial Automation and Control Systems (IACS)
ANSI/ISA–62443-2-1 (99.02.01) – 2009
Establishing an Industrial Automation and Control Systems Security Program
• Describes the elements of a Cyber Security Management System (CSMS)
• Elements relate to policy, procedures, practices and personnel
ISA 62443-2-1 Develop a business rationale
4.2.2
• DESCRIPTION: A business rationale is based on the nature and magnitude of financial, health, safety, environmental, and other potential consequences should IACS cyber events occur.
• RATIONALE: Establishing a business rationale is essential for an organization to maintain management buy-in to an appropriate level of investment for the IACS cybersecurity program.
ISA 62443-2-1 Develop a business rationale
4.2.2.1
REQUIREMENTS: Develop a business rationale
• The organization should develop a high-level business rationale as a basis for its effort to manage IACS cyber security, which addresses the unique dependence of the organization on IACS.
ISA 62443-2-1 Develop a business rationale
Annex A (informative)
Guidance for developing the elements of a CSMS
• Description of element
• Element-specific information
• Supporting practices
– Baseline practices
– Additional practices
• Resources used
ISA 62443-2-1 Develop a business rationale
A.2.2.3 Key components of business rationale
• Prioritize business consequences – What events would have the greatest impact on the organization?
• Prioritize threats – Which are the most credible?
• Estimated annual business impact – What is the business impact, if possible, in financial terms?
• Cost – What is the estimated cost of the human effort and technical countermeasures that the business rationale intends to justify?
Questions?
Break 9:55 – 10:15