Cyber Competency and Readiness at WRRFs
TRANSCRIPT
9/7/2017
Thursday September 7, 2017 1:00pm-3:00pm EST
Sponsored by: WEF AUTOMATION & IT COMMITTEE
How to Participate Today
• Audio Modes
• Listen using Mic & Speakers
• Or, select “Use Telephone” and dial the conference (please remember long distance phone charges apply).
• Submit your questions using the Questions pane.
• A recording will be available for replay shortly after this webcast.
Today’s Moderator
David Chamberlain P.Eng, BDS
Eramosa Engineering Inc.
Guelph, Ontario
• Automation & IT Committee Chair 2017-2018
• Automation & IT Committee Vice-Chair 2015-2016
Today’s Presenters representing a common concern on the topic of Cyber Competency and Readiness
Presenter
Don Dickinson
Senior Business Development Manager –Water Sector
Phoenix Contact USA
Cybersecurity – Going Beyond Protection to Boost Resiliency
NIST Cybersecurity Framework
ISA 62443 Operational Technology Security
Presentation Outline
Managing Cyber Threats
Protecting Critical Infrastructure
NIST Cybersecurity Framework (CSF)
CSF Core Functions
ISA 62443
Sustainable Infrastructure
Security breaches are inevitable… Being a headline is not
® Mandiant – A FireEye™ Company
Tough questions after attack…
Could you have done more to prevent this attack?
Will I lose my job?
What is the impact on public safety?
What is the environmental impact?
How will this impact your requests for funding?
What are the expected costs of fines and litigation?
How will this impact the public’s confidence in your utility?
…anyone in the world, can take down some of the web’s most visible companies…
WannaCry ransomware attack affects more than 200,000 computers in 150 countries.
2017 Annual Threat Report
• Key Findings From 2016: Cyber Criminal Advances
2016 Dell Security – Annual Threat Report
Breaches in 2015 succeeded not because the victims lacked security altogether, but because thieves found and exploited a small hole in their security program.
Why security will become even more challenging…
Source: www.opinno.com
DHS: 5 Cybersecurity Questions for CEOs
1) How Is Our Executive Leadership Informed About the Current Level and Business Impact of Cyber Risks to Our Company?
2) What Is the Current Level and Business Impact of Cyber Risks to Our Company? What Is Our Plan to Address Identified Risks?
3) How Does Our Cybersecurity Program Apply Industry Standards and Best Practices?
4) How Many and What Types of Cyber Incidents Do We Detect In a Normal Week? What is the Threshold for Notifying Our Executive Leadership?
5) How Comprehensive Is Our Cyber Incident Response Plan? How Often Is It Tested?
www.us-cert.gov
Last Published Date: December 30, 2016
16 sectors vital to US security, economic security & national health and safety
Resilience or Resiliency
[ri-zil-yuhns, -zil-ee-uhns] noun
1. the power or ability to return to the original form, position, etc., after being bent, compressed, or stretched; elasticity.
2. ability to recover readily from illness, depression, adversity, or the like; buoyancy.
resiliency. (n.d.). Dictionary.com Unabridged. Dictionary.com website http://www.dictionary.com/browse/resiliency
NIST Cybersecurity Framework
• Voluntary, risk-based approach for managing cybersecurity risks for critical infrastructure
• References industry standards and best practices to help organizations manage cybersecurity risks
• Addresses broad security needs of all critical sectors but is not a one-size-fits-all approach. Sector-specific guidance needed to address unique needs of each sector
• More info: www.nist.gov/cyberframework
NIST FRAMEWORK
Tiers Core Profiles
Implementation Tiers
• Framework Implementation Tiers (“Tiers”) provide context on how an organization views cybersecurity risk and the processes in place to manage that risk.
• Progression to higher Tiers is encouraged when such a change would reduce cybersecurity risk and be cost effective.
• Tier 1: Partial
• Tier 2: Risk Informed
• Tier 3: Repeatable
• Tier 4: Adaptive
Profiles
• Alignment of Core functions with the business requirements, risk tolerance, and resources of the organization
• Useful in establishing a roadmap to move from “current” profile to “target” profile
• Does not prescribe Profile templates
Framework Core
CORE: IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER
CSF Informative References
Linking function to Informative References
FUNCTION
• IDENTIFY (ID)
CATEGORY
• ASSET MANAGEMENT (ID.AM)
SUBCATEGORY
• Physical devices and systems inventoried (ID.AM-1)
INFORMATIVE REFERENCES
• ISA 62443-2-1 2009: 4.2.3.4
NIST CSF Informative References
• NIST SP 800-53 Rev4: Security and Privacy Controls for Federal Information Systems and Organizations
• COBIT: Control Objectives for Information and Related Technology
• ISO/IEC 27001: Information technology – Security techniques – Information security management system – Requirements
• CCS CSC: Council on Cybersecurity Top 20 Critical Security Controls
• ISA 62443: Security for Industrial Automation and Control Systems (multipart standard)
ISA-62443 Security for Industrial Automation and Control Systems (IACS)
[Figure: status of the ISA-62443 series documents. Legend: Planned, Published, In Process, Published (under revision)]
ANSI/ISA–62443-2-1 (99.02.01) – 2009
Establishing an Industrial Automation and Control Systems Security Program
Describes the elements of a Cyber Security Management System (CSMS)
Elements relate to policy, procedures, practices and personnel
Cyber Security Management System
• Risk analysis
– Business Rationale
– Risk identification, classification and assessment
• Addressing risk with the CSMS
– Security policy, organization and awareness
> CSMS scope
> Organize for security
> Staff training and security awareness
> Business continuity plan
> Security policies and procedures
– Selected security countermeasures
> Personnel security
> Physical and environmental security
> Network segmentation
> Access control: Account administration
> Access control: Authentication
> Access control: Authorization
– Implementation
> Risk management and implementation
> System development and maintenance
> Information and document management
> Incident planning and response
• Monitoring and improving the CSMS
– Conformance
– Review, improve and maintain the CSMS
Sustainable or Sustainability
[suh-stey-nuh-buhl] adjective
1. capable of being supported or upheld, as by having its weight borne from below.
2. pertaining to a system that maintains its own viability by using techniques that allow for continual reuse
3. able to be maintained or kept going, as an action or process
sustainable. (n.d.). Dictionary.com Unabridged. Dictionary.com website http://www.dictionary.com/browse/sustainable
Sustainable Infrastructure
Key points on cybersecurity
• Security is a process not a task! It is a journey not a destination!
• Security is not an absolute! It’s a matter of degree.
• Neither practical nor feasible to fully mitigate all risks. Must allocate available resources as efficiently as possible.
• Goal: Risk management for critical infrastructure.
Summary
• Managing cyber risks is now the norm.
• Protecting critical infrastructure, including water and wastewater systems, is essential to our country’s economic and national security.
• The NIST Cybersecurity Framework provides guidance and informative references for a utility-wide security plan.
• The ISA 62443 multipart standard provides guidance for a comprehensive OT cybersecurity plan.
Answers for the tough questions…
Could you have done more to prevent this attack?
Just 2 years till retirement!
Because we have a comprehensive security plan, we were able to detect the cyber activity early and implement countermeasures quickly to mitigate the event. As a result, the impact on public safety, the environment and our operations was minimized.
Easy questions for me?
Presenter
Don Dickinson
Senior Business Development Manager – Water Sector
Phoenix Contact USA
e-mail: [email protected]
Request white paper: “Cyber White Paper” in Subject Line
Cybersecurity: Going Beyond Protection to Boost Resiliency
VSAT Web - EPA’s New Vulnerability Self-Assessment Tool for the Water Sector
Water Environment Federation webinar
September 7, 2017
What is VSAT?
• VSAT is used for all-hazards risk assessments of water and wastewater utilities of all sizes
• Identifies the risks of priority threats to critical utility assets
• Performs a cost-benefit analysis of additional countermeasures to reduce risk
• Helps utilities target resources to reduce risk and enhance resilience for maximum benefit!
How Does VSAT Work?
R = C ● V ● T
Risk (R) is the product of:
• Consequences (C): public health and economic
• Vulnerability (V): likelihood of consequences if threat occurs
• Threat (T): likelihood of threat
• Asset/Threat pair based
• Countermeasures can reduce C, V, and/or T
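The R = C ● V ● T calculation over asset/threat pairs, with countermeasure packages compared by net benefit, can be sketched as follows. This is an added example, not VSAT code: every asset, threat, dollar figure and likelihood is a constructed sample, and "net benefit = annual risk reduction minus annual package cost" is an assumed definition.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Pair:
    """One asset/threat pair. All figures below are constructed samples."""
    asset: str
    threat: str
    c: float  # Consequences: dollars lost if the threat succeeds
    v: float  # Vulnerability: likelihood of consequences if threat occurs
    t: float  # Threat: likelihood of the threat per year

    @property
    def risk(self):
        return self.c * self.v * self.t  # R = C * V * T

@dataclass(frozen=True)
class Countermeasure:
    """Scales C, V and/or T of one pair (factor 1.0 leaves a term unchanged)."""
    annual_cost: float
    asset: str
    threat: str
    c_factor: float = 1.0
    v_factor: float = 1.0
    t_factor: float = 1.0

def residual(pair, package):
    """Return the pair with every matching countermeasure applied."""
    for cm in package:
        if (cm.asset, cm.threat) == (pair.asset, pair.threat):
            pair = replace(pair, c=pair.c * cm.c_factor,
                           v=pair.v * cm.v_factor, t=pair.t * cm.t_factor)
    return pair

def rank(pairs):
    return sorted(pairs, key=lambda p: p.risk, reverse=True)  # highest risk first

def net_benefit(pairs, package):
    """Assumed definition: annual risk reduction minus annual package cost."""
    reduction = sum(p.risk - residual(p, package).risk for p in pairs)
    return reduction - sum(cm.annual_cost for cm in package)

PAIRS = [Pair("Chlorine storage", "insider sabotage", 5_000_000, 0.2, 0.05),
         Pair("SCADA server", "ransomware", 2_000_000, 0.5, 0.2),
         Pair("Lift station PLC", "remote access misuse", 400_000, 0.5, 0.5)]
SEGMENT = Countermeasure(30_000, "SCADA server", "ransomware", v_factor=0.4)  # lowers V
BACKUPS = Countermeasure(20_000, "SCADA server", "ransomware", c_factor=0.5)  # lowers C

if __name__ == "__main__":
    print([(p.asset, round(p.risk)) for p in rank(PAIRS)])
    print([round(net_benefit(PAIRS, k)) for k in ([SEGMENT], [BACKUPS], [SEGMENT, BACKUPS])])
```

Because the three terms multiply, the combined package yields less than the sum of the two individual risk reductions, which is why packages are evaluated as a whole.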
Helpful Tools Inside VSAT Web
• WHEAT (Water Health and Economic Analysis Tool)
– Calculates health and economic consequences for: (1) Loss of operating asset; (2) Hazardous gas release; (3) Finished water contamination
• VULNERABILITY LIKELIHOOD CALCULATOR
– Based on qualitative estimate (“low” to “very high”) for 3 capability factors:
> Man-made threats: detect, delay, and respond
> Natural hazards: preparation/resilience; active response; and recovery
• Natural hazards: geographic frequency and map links
VSAT Web Outputs
• Reports that show:
○ The risk that threats present to utility assets
○ Net benefits of customized countermeasure packages
[Chart: Net Benefits of countermeasure packages CP 1, CP 2, CP 3 and CP 4; axis from $0 to $1,500,000]
• VSAT complies with the J100 Standard and is designated under the DHS SAFETY Act
How to Get VSAT Web
• Older desktop version of VSAT is still available at:
https://www.epa.gov/waterriskassessment/conduct-drinking-water-or-wastewater-utility-risk-assessment
Now Available from EPA
• Access VSAT Web at: https://vsat.epa.gov
• Free with unrestricted access
• No user data is stored by or available to EPA
• Works on mobile devices (Android and iOS) and PCs
Questions about VSAT?
Dan Schmelling
U.S. Environmental Protection Agency
Water Security Division
202-557-0683
Cybersecurity Risk Management in the Water Sector
• Kevin M. Morley, PhD
• Manager, Federal Relations for the American Water Works Association (AWWA)
Overview
• Reality of the Threat Environment
• Water Sector Cyber Risk Management
• Key Resources
Connectivity = Exposure
Source: ICS-CERT
• Process Control Systems
SCADA
AMR/AMI
Telecommunications
HVAC
• Enterprise Systems
Employee Payroll
Service Contracts
Customer Billing
LIMS etc
Cyber Threats are Very Real
• Director of National Intelligence confirms multiple directed attacks against control systems for exploitation
• Ransomware attack on Lansing Board of Water and Light (2016)
• BlackEnergy & Havex malware (2014-15)
• Former employee remotely modified Sacramento River control (2007)
• Malware attack on Harrisburg Water System (2006)
• Disgruntled job applicant causes massive Sewage Spill in Maroochy Shire (2000)
Water Sector & Cybersecurity
• Y2K
• BT Act 2002
• 2008 Critical Milestone: Develop a recommended practices ICS security template for widespread use in the water sector
• 2013 #1 Priority: Advance the development of sector-specific cybersecurity resources
Standards & Guidance
• ANSI/AWWA G430-14: Security Practices for Operation & Management
– Information protection and continuity is a requirement
• ANSI/AWWA J100-10: RAMCAP® Standard for Risk & Resilience Management of Water & Wastewater Systems
– Cyber is required threat domain
• ANSI/AWWA G440-11: Emergency Preparedness Practices
– Consideration of key business & operating system recovery
• Business Continuity Plans for Water Utilities (WRF, AWWA, EPA)
– Cyber recovery plan is required action item
• Process Control System Security Guidance for the Water Sector (AWWA)
– Supports voluntary adoption of NIST Cybersecurity Framework
Water Sector Approach
Process Control System Security Guidance for the Water Sector (WITAF #503)
• Develop water sector guidance that provides a consistent and repeatable recommended course of action to reduce vulnerabilities in process control systems.
• Aligns with sector and national priorities, fulfills need for sector-specific guidance as specified in EO 13636.
• Released February 2014, updated 2016, www.awwa.org/cybersecurity
Utility Driven
• Organized based on HOW the utility uses or operates their process control system
• It does NOT evaluate current security profile
• Generates prioritized list of controls that empowers utility to consider appropriate actions to reduce potential vulnerabilities
12 Core Practice Categories
• Governance & Risk Management
• Business Continuity
• Server and Workstation Hardening
• Access Control
• Application Security
• Encryption
• Telecom, Network Security, & Architecture
• Physical Security of PCS Equipment
• Service Level Agreements
• Operations Security
• Education
• Personnel Security
Use-Case Tool
• 94 Cybersecurity Controls mapped to NIST CSF
• Use Cases describe PCS and cyber exposure
• Tool determines which controls apply to selected Use Cases and at which priority (1 – 4)
– Priority 1 – do immediately
– Priority 4 – important, but not urgent
• Tool does not assess existing security level
How is it Used?
1. As a stand-alone tool to identify an appropriate cybersecurity baseline.
2. As part of a larger cybersecurity assessment to validate findings and recommendations.
3. As basis for a cybersecurity improvements program.
One Step at a Time
• AWWA Guidance & Use-Case Tool: Aligns w/NIST Cyber Framework
• Cyber Security Evaluation Tool (CSET®): Assessment of policy & procedures relative to NIST 800-52 & NIST 800-53
• Design Architectural Review (DAR): Evaluates network access/egress, design, configuration, applications and rules.
• Network Architecture Verification and Validation (NAVV): Baseline network architecture, communication protocols, discover rogue connections, & identify configuration errors.
Supported by ICS-CERT
US Voluntary Approach
…. American Water Works Association has issued "Process Control System Security Guidance for the Water Sector" and a supporting "Use-Case Tool." …. This tool is serving as implementation guidance for the Cybersecurity Framework in the Water and Wastewater Systems sector.
- USEPA, May 2014
Educational Outreach
• Pilot deployments began in Q2-17
– Pacific Northwest
– Rocky Mountain
– Texas
– Virginia
• Rollout via AWWA Sections starting Q4-17
?? Questions ??
Kevin M. Morley, Ph.D.
Manager, Federal Relations
AWWA – Government Affairs
202-628-8303 or [email protected]
www.awwa.org/CYBERSECURITY