Vision for Cyber Security in the Water Sector AMWA S 2008 ANNUAL MEETING October 19-22, 2008 New Orleans, Louisiana Seth Johnson and Dave Edwards

Transcription

1 Vision for Cyber Security in the Water Sector AMWA S 2008 ANNUAL MEETING October 19-22, 2008 New Orleans, Louisiana Seth Johnson and Dave Edwards WSSC-CSWG and PCSF Water and Wastewater Representatives, respectively

2

3

4

5

6

7

8

9

10 Cyber events can affect water system operations in a variety of ways, some with potentially significant adverse effects in public health. Cyber events could do the following: Interfere with the operation of water treatment equipment, which can cause chemical over- or under-dosing Make unauthorized changes to programmed instruction in local processors to take control of water distribution or wastewater collection systems, resulting in disabled service, reduced pressure flows of water into fire hydrants, or overflow of untreated sewage into public waterways Modify the control systems software, producing unpredictable results

11 Block data or send false information to operators to prevent them from being aware of conditions or to initiate inappropriate actions Change alarm thresholds or disable them Prevent access to account information Although many facilities have manual backup procedures in place, failures of multiple systems may overtax staff resources -- even if failure is manageable in itself Be used as a ransom-ware

12

13 USGS

14 AGENDA Future Trends Vision for Securing Control Systems Goals and Milestones Key Challenges Next Steps

15 3/06 SCADA/IT Security Forum, Los Angeles, CA 6/06 Process Control Systems Forum La Jolla, CA 10/06 SCADA/IT Security Forum, Sacramento, CA 3/07 Process Control Systems Forum, Atlanta, GA 3/07 SCADA/IT Security Summit, Burbank, CA 6/07 SCADA/IT Security Forum, Denver, CO 9/07 Vision Workshop, San Jose, CA 10/07 WSCC Mtg., Washington D.C. 12/07 Roadmap Workshop, Washington, DC 1/08 SCADA and Process Control Summit, New Orleans, LA 2/08 WSCC Meeting, Washington D.C. 3/08 WSCC Releases Roadmap

16 Paul Bennett, NYC Dept Env. Protection Amy Beth, Denver Water Cliff Bowen, CA Dept Health Services Jake Brodsky, WSSC Erica Brown, AMWA Kim Bui, San Antonio Water System Vic Burchfield, Columbus Water Works Richard Castillon, Orange Co. SD Rick DaPrato, Massachusetts WRA Kim Dyches, UT Dept. Env. Protection Patrick Ellis, Broward County WWS Dave Edwards, Metropolitan WD of So. CA Rod Graupmann, Pima Co. WWM Christina Grooby, Santa Clara Valley WD Darren Hollifield, JEA Seth Johnson, WSSC-CSWG Bruce Larson, American Water Carlon Latson, Denver Water Tony McConnell, WSSC Kevin Morley, WSCC-CSWG Jerry Obrist, Lincoln Water Elissa Ouyang, CA Water Service Co. Kevin Quiggle, Detroit W and S Dept. Alan Roberson, AWWA Candace Sands, EMA, Inc. Cheryl Santor, Metropolitan WD of So. CA Birute Sonta, MWRD of Greater Chicago Keith Smith, MWRD of Greater Chicago Greg Spraul, EPA WSD Walt Wadlow, Santa Clara Valley WD Stan Williams, Santa Clara Valley WD Ray Yep, Santa Clara Valley WD Facilitators: Katie Jereza and Jack Eisenhauer, Energetics Incorporated

17

18

19

20 Develop and Deploy Industrial Control Systems (ICS) Security Programs Assess Risk Develop and Implement Risk Mitigation Measures Partnership and Outreach 80% of water system executives recognize Industrial Control Systems (ICS) security is mission critical IT staff and ICS engineers and operators coordinate cyber security efforts Integrate ICS security as a key goal in every project plan Develop a recommended practices ICS security template for widespread use in the water sector Integrate & elevate ICS security requirements with vendor contracts Isolate ICS from public switched networks Integrate Roadmap with Water Sector Specific Plan Develop ICS risk assessment & reporting guidelines published & available throughout the water sector Identify common metrics for benchmarking ICS risk (threat-vulnerabilitiesconsequence) in the water sector Develop ICS risk assessment tools, such as end-to-end, threatvulnerabilitiesconsequence analysis capability for the water sector Establish working group for developing/ maintaining best practices for ICS network architecture(s) for the water sector Develop cyber response protocol template ICS vendors start to implement or increase their cyber security features by 50% Identify and implement existing security features built into the devices Replace default security passcodes Develop effective federal & state incentives to accelerate investment to secure ICS technologies & practices Increase ICS security awareness between water sector, crosssector, vendor & commercial partners Develop essential body of ICS security knowledge for information sharing

21 Develop and Deploy ICS Security Programs Assess Risk Develop and Implement Risk Mitigation Measures Partnership and Outreach Click to edit Master text styles Conduct sectorwide training on recommended practices ICS security template Integrate ICS security awareness, education, & outreach programs into water sector operations Second Reduce level Conduct sectorwide training on risk assessment tools installation time of ICS patching Third level 50% Frameware by Fourth level by 99.9% Applications System design accommodates Fifth level restarts Develop operator ICS security training program Adopt recommended practices for ICS security in the water sector Develop public communication channels to increase confidence in efforts to prevent or minimize impacts form a cyber event

22 Develop and Deploy ICS Security Programs Assess Risk Develop and Implement Risk Mitigation Measures Partnership and Outreach Click to edit Master text styles Sustain roadmap activities in accordance with the Water Sector Specific Plan Second Develop level & Water sector actively measures ICS security performance & benchmarks with implement selfdefending ICS & infrastructure Third level Require ICS other sectors security in Fourth operator level certification Real-time security state monitoring for intrusions are commercially Fifth level available Establish life cycle investment & framework for cyber security Government maintains ICS threat support Identify, understand, & disseminate timely ICS risk information within the sector & among its partners

23

24 Periodic vulnerability assessments Limited/protected connections to other systems Network monitoring/protection Hardened configuration for control system components Strong authentication methods Regular antivirus updates and patch management Testing and backup practices for control system Strong physical security for control system components Background checks on individuals touching control system Most knowledgeable resources working collaboratively

25

26

27 Seth Johnson Water Sector Coordinating Council Cyber Security Working Group Representative (408) Dave Edwards Process Control Systems Forum Water and Wastewater representative Metropolitan Water District of So. Calif. (213)

28 Working Working separately... together We ll move ahead We move around