Cybersecurity Update

Public Utilities BoardOctober 27, 2021

1

Yesterday

2

Today

3

Field Staff

Data Center

Electric

Water

Telecommuters

Cloud ServicesData

DataData

Business Partners

Data DataData

Threats

● Organized Crime Groups● Nation States● Black Hat ● Hactivists● Insiders Gone Rogue

4

● Malware● Ransomware● Data Theft● Denial of Service ● Phishing

Types of Attacks Bad Actors

Cyber Attacks

5

Data BreachesRansomware

Energy / Water Breaches

Colonial Pipeline – Ransomware, Fuel pipeline shutdown

Oldsmar Water – Increased sodium hydroxide to dangerous levels

Supply Chain Hack

Police Dept.

Protecting APU & Customer Data

● Risk Management● Defense In Depth - Layering● Least Privilege● Privacy● Zero Trust

6

Guiding Principles

NIST Cybersecurity Framework

7

800-53

National Institute of Standards & Technology

Billing / Customer

InfoMeter Data Work &

Asset Mgt

All other City Department

Systems

CustomersCloud

Services

Business Partners

City Network Environment

8

Remote City Employees

How We Protect APU & Data

● Physical Security◌ Badges, Doors, Locks,◌ Guards, Cameras

● Firewalls ● Email Filtering● Website Filtering

9

● User Access Controls● Network Permissions● End-point Security● Encryption● Operating System Patching● Vulnerability Scanning

Technical Controls

How We Protect APU & Data

● Policies & Procedures◌ Technology Use◌ Passwords ◌ Customer Data Access◌ Third-Party Agreements / NDAs◌ Change Management

● Cybersecurity Plan● Security Assessments

10

● Awareness and Training● Cyber Liability Insurance● Industry Information Sharing

Administrative Controls

Recent Improvements

● 24/7 Security Operations Center (SOC)● Security Information & Event Management (SIEM)● Next Generation Firewalls● Malicious Domain Blocking● Email Link Protection / External Alert● Remote Access Control● Laptop Hard Drive Encryption● Water Reclamation Facility SCADA Network● New Backup Solution with Immutable Storage

11

Current Initiatives

● System Upgrades (Middleware, Meter Data Management, …)● IVR Payment Processing (migrate to Cloud)● Cybersecurity Incident Response Plan Update● Water Network and Camera Upgrade● Social Engineering (Phishing) Assessment

12

The Future

● Continuous and Incremental Improvements● System Upgrades

◌ Customer Information / Web Portal◌ Work and Asset Management◌ Advanced Meter Infrastructure, …

● Zero Trust Architecture● Multi-Factor Authentication● City WiFi Improvements● Selective Cloud Services

13

Cloud Security Responsibility

14

XaaS <X> “as a Service”• IaaS = Infrastructure• PaaS = Platform• SaaS = Software

Data

Application/Database

Operating System

Servers, Virtualization

Compute, Network, Storage

Physical Facility

Middleware

Anah

eim

On Premises IaaS PaaS SaaS

Clou

d Pr

ovid

erAn

ahei

m

Clou

d Pr

ovid

erAn

ahei

m

Clou

d Pr

ovid

erA

Types of Cloud Services

Security is a Journey, not a Destination

Thank you

15