Cyber Security What Do I Need to Do Now?

Transcription

1 Cyber Security What Do I Need to Do Now? PA AWWA 2016 Annual Conference Thursday, May 12, :45 3:15 PM Presented by Dick McDonnell Authored by Jeff M. Miller, PE, ENV SP

2 WARNING! Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

3 10 Steps to Cyber Security 1. AWARENESS 2. GATHER SUPPORT 3. EDUCATE 4. AUGMENT RESOURCES 5. INVESTIGATE 6. ASSESS 7. DEVELOP 8. CLOSE GAPS 9. ACCEPT 10.DILLEGENCE Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

4 10 Steps to Cyber Security DHS Steps for Water Sector 1. AWARENESS 2. GATHER SUPPORT 3. EDUCATE 4. AUGMENT RESOURCES 5. INVESTIGATE 6. ASSESS 7. DEVELOP 8. CLOSE GAPS 9. ACCEPT 10.DILLEGENCE Excerpt from DHS & EPA Water Sector-Specific Plan, An Annex to the National Infrastructure Protection Plan, 2010 Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

5 STEP 1: AWARENESS Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

6 Step 1: Awareness The World We Live In Cyber Security is a growing Global Threat to Businesses and Industries. With estimated Global losses of over $1Trillion USD Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

7 Step 1: Awareness Concept of Risk Threats Vulnerabilities Risk Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

8 Step 1: Awareness Typical Vulnerabilities & Threats Vulnerabilities Hardware Access Wireless Cross-Network Connections External Network Connections Hardware Access False Sense of Security with Partial Solutions Threats Malware / Spyware / Viruses Unauthorized Access Hackers, Vandals, Internal Unintended Cyber Events Operator Errors Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

9 Step 1: Awareness Miscellaneous Vulnerabilities & Threats Maintenance & Support Version Control Updates and Upgrades Critical Parts Availability Eg. RAID Hard Drives Knowledge Eg. Automation Logic Staff Transitions Environmental Below Grade Locations Temperature Differentials Condensation Cutting Oil Power Supply HVAC Location, Location, Location Conduit Entry Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

10 Step 1: Awareness Risk Management Excerpt from NIST Framework for Improving Critical Infrastructure Cybersecurity, 2014 Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

11 Step 1: Awareness Risk Management Process and People Safety Environmental Protection Business Continuity Information Confidentiality Reliability & Resiliency Financial Risk Avoidance Excerpt from NIST Framework for Improving Critical Infrastructure Cybersecurity, 2014 Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

12 Step 1: Awareness Do I Need to Do Anything? Water Sector Vision Statement: A secure and resilient drinking water and wastewater infrastructure that provides clean and safe water as an integral part of daily life, ensuring the economic vitality of and public confidence in the Nation s drinking water and wastewater service through a layered defense of effective preparedness and security practices in the sector. EPA s Water Security Mission Statement: To provide national leadership in developing and promoting programs that enhance the sector s ability to prevent, detect, respond to and recover from all hazards. Excerpt from DHS & EPA Water Sector-Specific Plan, An Annex to the National Infrastructure Protection Plan, 2010 Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

13 Step 1: Awareness Do I Need to Do Anything? Executive Order Improving Critical Infrastructure Cybersecurity, signed by President Obama on Feb. 12, 2013 Sector-Specific Agencies, shall establish a voluntary program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

14 STEP 2: GATHER SUPPORT Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

15 Step 2: Gather Support Where Do I Start? 1. Gather Preliminary Information 2. Make Case to Internal Stakeholders and Management 3. Find Internal Resources and Skill Sets 4. Appoint a Cybersecurity Champion! Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

16 STEP 3: EDUCATE Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

17 Step 3: Educate Framework, Tools, and Guidance NIST Framework AWWA CyberSecurity Guidance & Tool DHS ISC-CERT CSET Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

18 Step 3: Educate NIST Framework NIST Website framework/ Framework Excel Spreadsheet References and Tools Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

19 Step 3: Educate NIST Framework Core Functions Categories Subcategories Informative Reference Tier 1 - Partial 2 - Risk Informed 3 - Repeatable 4 - Adaptive Profile Establish Roadmap Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

20 Step 3: Educate NIST Framework Core Identify Protect Detect Respond Recover Excerpt from NIST Framework for Improving Critical Infrastructure Cybersecurity, 2014 Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

21 Step 3: Educate NIST Framework Standard Mapping Excerpt from NIST Framework for Improving Critical Infrastructure Cybersecurity, 2014 Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

22 Step 3: Educate AWWA CyberSecurity Guidance & Tool Water Sector Specific Website ources-tools/water-andwastewater-utilitymanagement/cybersecuri ty-guidance.aspx Guidance Document Access CyberSecuirty Tool Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

23 Step 3: Educate AWWA CyberSecurity Tool Use Cases Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

24 Step 3: Educate AWWA CyberSecurity Tool Report Organized by Priorities Priority 1 ~ minimum acceptable level Priority 2 ~ potential for significant improvement Priority 3 ~ additional security as budget allows Priority 4 ~ state of the art protection mechanisms Controls CyberSecurity measures for each priority Applicable Standards Given for each control Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

25 Step 3: Educate DHS ICS-CERT Industrial Control Systems Cyber Emergency Response Team Website Cyber Security Evaluation Tool Recommended Practices Standards & References Training and much more Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

26 Step 3: Educate DHS ICS-CERT CSET Tool Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

27 Step 3: Educate DHS ICS-CERT CSET Tool Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

28 Step 3: Educate Cyber Security Best Practices Standards organizations like those in the image below help companies develop effective cyber security strategies. While these organizations have different approaches, they all have a common element to establish a best practice approach to cyber security. Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

29 Step 3: Educate Standards and Reference Worth Mentioning Product Security Compliance IEC62443 Certification coming in 2014? Specialist Certifications available today- Certifies a product or system against test criteria/standard ISASecure System Achilles Communication Robustness ISASecure EDSA Achilles Certified Practices IEC62443 / ISA99 Standards System Security Requirements Technical Security Requirements Product Development Process System Deployment Process (SI) System Security Assurance Achilles Communication Robustness Embedded Device Security Assurance Process Domain Security Requirements System Functional Security Product Communications Robustness Product Functional Security Development Lifecycle Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

30 Step 3: Educate Integrated Product Security Example Achilles Level 2 Access Control M580 epac Platform Secure Communications Enable/Disable Services Event Logging Secure Operating Modes Encrypted and Digitally Signed Firmware Digitally Signed Unity Pro Executables Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

31 STEP 4: AUGMENT RESOURCES Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

32 Step 4: Augment Resources What Do I Need Before I Begin? Fill Knowledge and Resource Gaps Find Your CyberSecurity Guru Specialty firms with experience Understanding of both OT & IT worlds (industrial and business systems) Coordinate with Design and Integration Teams Hire Specialized Staff Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

33 Step 4: Augment Resources What Can Others Provide? Network and System Engineering Vulnerability Assessments Network and System Audits Network and System Hardening Infrastructure Evaluations Wireless/Wired Network Discovery Security Program Review and Development Incident and Emergency Response Services Information Security Training Backup and Disaster Recovery Training Endpoint Protection Holistic Security Program Implementation Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

34 STEP 5: INVESTIGATE Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

35 Step 5: Investigate What Needs to Be Looked At? Up-front in-house work can lower costs Develop priorities and scope based on critical nature of assets Inventory Hardware, Software, Firmware Systems and Architecture Use, Support, and Accessibility Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

36 STEP 6: ASSESS Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

37 Step 6: Access What Method Should be Used? Understand Scope Self Assessment Start with AWWA Tool Refine with CSET Tool Choose standards Outside Assessments CSET architecture can be used as an ongoing system model Advanced 3 rd Party Tools Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

38 STEP 7: DEVELOP Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

39 Step 7: Develop Do I Need a CyberSecurity Program? Formal Program Policies & Procedures Implement by Priority Enforce 3 rd Party Compliance Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

40 Step 7: Develop What Do I Improve? Identify Asset Management Business Environment Governance Risk Assessment Risk Management Strategy Protect Access Control Awareness and Training Data Security Information Protection Processes and Procedures Maintenance Protective Technology Detect Anomalies and Events Security Continuous Monitoring Detection Processes Respond Response Planning Communications Analysis Mitigation Improvements Recover Recovery Planning Improvements Communications Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

41 Step 7: Develop AWWA CyberSecurity Report Sample Priority 1 Controls: AU-2: Framework of information security policies, procedures, and controls including management's initial and periodic approval established to provide governance, exercise periodic review, dissemination, and coordination of information security activities. AU-3: Governance framework to disseminate/decentralize decision making while maintaining executive authority and strategic control and ensure that managers follow the security policies and enforce the execution of security procedures within their area of responsibility. CM-7: Monitoring of resources and capabilities with notifications and alarms established to alert management when resources/capabilities fall below a threshold. IA-1: Access control policies and procedures established including unique user ID for every user, appropriate passwords, privilege accounts, authentication, and management oversight. IA-10: Policies and procedures for least privilege established to ensure that users only gain access to the authorized services. IR-2: A security program established to respond to security incidents monitor, discover, and handle security alerts and technical vulnerabilities, collect and analyze security data, limit the organization's risk profile and ensure that management is aware of changing/emerging risks Security perimeters, card controlled gates, manned booths, and procedures for entry control. PE-2: Secure areas protected by entry controls and procedures to ensure that only authorized personnel have access. PE-8: Physical/logical protection against power failure of equipment (UPS).. Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

42 STEP 8: CLOSE GAPS Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

43 Step 8: Close Gaps Typical Cyber Security Controls Cyber Security Controls Asset Identification Access Controls Change Tracking & Management Logging Patching Backup and Restoration Anti Malware Platform Hardening Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

44 Step 8: Close Gaps Defense-in-Depth Architectures Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

45 Step 8: Close Gaps Defense-in-Depth Architectures Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

46 Step 8: Close Gaps Defense-in-Depth Architectures 6 key steps : 2 1. Security Plan Network Separation 4 3. Perimeter Protection 5 4. Network Segmentation 5. Device Hardening 6. Monitoring & Update Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

47 STEP 9: ACCEPT Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

48 Step 9: Accept Who Will Keep Us Secure? Putting the Program into Practice Everyone is Responsible Develop a Culture of Security Provide Training Drill and Practice Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

49 STEP 10: DILLEGENCE Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

50 Step 10: Diligence Where Does it End? Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

51 Step 10: Diligence Where Does it End? Excerpt from DHS & EPA Water Sector-Specific Plan, An Annex to the National Infrastructure Protection Plan, 2010 Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

52 Questions? Dick McDonnell Business Development Manager Water Wastewater Competency Center 2002 Sproul Road, Suite 302 Broomall, PA Mobile: Jeff M. Miller, PE, ENV SP Solutions Architect Water Wastewater Competency Center 8001 Knightdale Blvd. Knightdale, NC Office: Mobile: Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

53 About the Presenter Jeff M. Miller, PE, ENV SP Jeff M. Miller is a Water Solutions Architect for Schneider Electric s Water Wastewater Competency Center. Jeff has a B.S. in Electrical Engineering with over 25 years of experience and has the unique perspective of having also worked for engineering consultants, systems integrators, and utilities. He has delivered on projects ranging in size from small lift stations to 370 MGD treatment plants. Jeff is the co-founder and past chair of the NC AWWA-WEA Automation Committee and is also an active member of several national and regional Automation and Plant O&M related committees. Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

54 About the Presenter Dick McDonnell Dick McDonnell is a Business Development Manager for Schneider Electric s Water Wastewater Competency Center. Dick has more than 30 years experience helping engineers, OEMs and end users specify controls, automation and SCADA solutions. Mr. McDonnell also provides help identifying and implementing new system architectures for automation, security, power distribution and data acquisition with a strong emphasis on achieving operational and energy efficiencies. Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

55 Schneider Electric Cyber Security Related Links Schneider Electric Cyber Security Solutions Schneider Electric Cyber Security Services Schneider Electric Cyber Security Blog Schneider Electric Cyber Security Support Schneider Electric Security Management Blog Schneider Electric Industrial Ethernet Solutions Schneider Electric Industrial Communications Schneider Electric Wireless Communications Schneider Electric IT Racks and Accessories Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,

56 Presentation Abstract Cyber security concerns have been growing within the water industry causing the need for utilities to understand the available guidance, tools, standards, and requirements expected of them. The President directed the EPA to guide our nation s water infrastructure with regards to cyber security. Soon after the EPA had NIST develop a cyber security framework to give us a common language in which to assess our industry. The AWWA followed up with a free online tool to walk utilities through an assessment and the standards they should follow. Even with this guidance there are a broad set of security standards to choose from and there is often confusion on exactly what is covered by each specific standard. This presentation will go over the available guidance from NIST and AWWA; some of the tools provided by AWWA and DHS; and key industrial security standards such as ISA99, ISASecure, IEC62443, NERC-CIP, IEC62351, Achilles, etc. The overall objective will be to help utilities understand some of the steps necessary to evaluate and secure their cyber assets in accordance with the latest industry directives. Schneider Electric Jeff M. Miller Cyber Security CA-NV AWWA AFC 4pm Wednesday October 28 th,