Copyright 2017 American Water Works Association


Cybersecurity in the Water Sector Instructor Guide

TABLE OF CONTENTS
INTRODUCTION
COURSE OVERVIEW
COURSE ORGANIZATION
COURSE COORDINATION
TARGET AUDIENCE
COURSE GOAL AND OUTCOMES
CLASS SIZE
HOST ORGANIZATION RESPONSIBILITIES
COURSE AGENDA
INSTRUCTOR: PRESENTATION REQUIREMENTS
LESSON PLANS
SLIDES

INTRODUCTION

The Cybersecurity in the Water Sector Course provides participants with training to use the AWWA Cybersecurity Guidance Tool. This tool helps create a list of prioritized cybersecurity controls, based on industry standards, that can be used to identify and prioritize gaps in cybersecurity that can be filled as part of the utility's cyber security program.

COURSE OVERVIEW

Module 1 stresses the importance of cybersecurity within utilities by reviewing the risk associated with a cyber security breach. Current cybersecurity threats are reviewed. Group activities help identify vulnerabilities and consequences of cybersecurity breaches. The Cybersecurity Guidance Tool is introduced to the participants.

Module 2 introduces the concept of Use Cases. Utilities who use the cybersecurity tool must select the proper use cases as an input to the tool so that the tool can provide a prioritized list of controls based on the specific control system environment at the utility. Selecting the proper use cases is reinforced through class instruction and a quiz.

Module 3 reviews the report and examples of recommended controls that are generated once the selection of Use Cases is complete.

Module 4 is an instructor guided live demonstration of the use of the tool. Students are provided with an example utility process control system architecture block diagram and associated details concerning the example system. The participants are stepped through the use of the tool from how to access the tool on the internet, to selecting the appropriate use cases that match the example process control system, to generating and saving a report.

Module 5 presents the participants with a recommended approach for using the report provided by the tool as a first step in building a Cybersecurity Improvements Plan.

COURSE ORGANIZATION

Module #   Lesson Title & Description
1          Why is Cybersecurity Important?
2          Selecting Use Cases
3          Reviewing Recommended Controls
4          Executing the Tool
5          Implementing Recommendations

COURSE COORDINATION

An AWWA Program Coordinator can work with trainers to coordinate the delivery of this course. Please contact AWWA as follows:

Stacy Naus
Education Development Specialist
American Water Works Association
Direct: , Fax:
snaus@awwa.org

Or

Chad Weikel
Grants, Education & Workforce Manager
American Water Works Association
Direct: , Cell:
cweikel@awwa.org

Trainers should be sure to coordinate the following for each class they instruct:
- Confirm times of instruction.
- Obtain directions to training facility.
- Discuss host agency requirements (see Section VI).
- Obtain lodging recommendations for the instructors.
- Check the course material. We recommend that you practice your delivery of the workshop at least 2-3 times prior to presenting it.
- Obtain Class Registration Information.
- Obtain Login for AWWA website so you can run the AWWA Cyber Security Tool.

TARGET AUDIENCE

The target audiences for this training are utility directors and managers who are responsible for cybersecurity in their utility and subject matter experts who will work with cybersecurity staff to use the tool and select appropriate use cases for their utility.

COURSE GOAL AND OUTCOMES

Course Goal

The overall purpose of this course is to promote cybersecurity within water and wastewater utilities by providing detailed training on the use of the Cybersecurity Guidance Tool.

Course Outcomes

After completing this course, participants will be able to:
- Recognize the drivers behind cybersecurity
- Understand the use of the Cybersecurity Guidance Tool including evaluating use cases against a utility's control system environment
- Explain the priorities of controls recommended by the tool
- Properly use the tool to generate a report for their utility
- Utilize the Recommendations Report provided by the Cybersecurity Guidance Tool to develop a plan for bringing their control system environment into alignment with industrial cybersecurity standards.

CLASS SIZE

It is recommended that class sizes not exceed 20 people. Participant Handouts should be placed at each participant's seat prior to the beginning of the class. A writing pad and pen also should be provided for each participant. If appropriate, the instructor should provide tent cards for participants' names, course evaluation forms, and course certificates.

HOST ORGANIZATION RESPONSIBILITIES

The requirements below should be carried out by the organization that requests the course session and are as follows:

Audiovisual Equipment Requirements

Visual aids for this course consist of PowerPoint slides and a live demonstration of the use of the Cybersecurity Tool over the internet. The following is necessary for delivery of this course:
- We recommend 2-3 LCD projectors, especially as you work through Module 4. However, if you are only able to obtain one projector, these lessons will still work. Projectors should be compatible with notebook computers and cables for proper connection (e.g., InFocus or similar make)
- Spare projector bulb
- Electronic remote device to advance slides in PowerPoint presentation, if available
- Projection screen (at least 6 x 6)

- Large screen LCD monitors (100 or larger) can be used in lieu of projectors and screens
- Pointer (preferably laser type)
- Twenty-foot or longer extension cord to power the laptop. Laptop will be provided by instructor.
- Whiteboard with dry erase pens and eraser, if available
- Five (5) flip charts with markers
- Large black markers for participant tent cards (if they are used, at least one for every two participants should be placed at their workspace)
- Guest WIFI or hardwired internet access (provide name of WIFI source and security password to allow for access to AWWA.org.)
- Printer, accessible by network or direct connection

All equipment should be placed in the room for the instructors to check at least one hour prior to the start of the course. The host organization should provide technical assistance during this time and contact information for technical assistance during the presentation of the course.

Room Requirements

- The room should be large enough to accommodate workspace and chairs for up to 20 participants and 2 instructors plus the aforementioned equipment (a large conference room or classroom).
- Instructors should be able to arrange the classroom as they deem most appropriate given the exact number of participants. (The ideal arrangement allows participants to interact with the instructors and each other; e.g., a U- or V-shape arrangement, clusters of work areas, etc. Avoid lecture hall type of arrangements.)
- All participants should be able to see the screen and instructors; however, participants and instructors should be able to move about the room without obstruction.
- A preparation table and presentation table should be provided for the instructors.
- The room should be in a quiet area and have a lighting system that permits convenient dimming of the lights, especially where the screen is located.
- The room should include evacuation instructions and instructions for the comfort of participants (such as location of bathrooms, smoking areas, cell phone calling areas, etc.)

Local Coordinator's Responsibilities

The host agency should identify a local coordinator who is responsible for preparing the site prior to the instructor's arrival. It is recommended that the instructors contact the local coordinator to ensure the following items have been addressed. The local coordinator should verify the following accommodations are in place for the training site:
- Selection of a training room is critical to the success of the course. Great care should be taken to select a room that will not be overcrowded, too hot or too cold, or subject to outside distractions.
- Reserve a training room for the duration of the course.
- Check to see if anyone else will be using the room for nighttime functions.
- Determine if materials and equipment can be left in the room. Training courses requiring special equipment or computers must have after-hours security.
- Visit the classroom to make certain it meets all of the instructor's requirements.

Other considerations for the training room include:
- Heat or air conditioning (find out if the instructor can control these)
- Adequate shape and size. No poles or obstructions
- Special arrangements for demonstrations, labs and experiments
- Seating arrangements
- Away from kitchen, construction area or other noise distractions
- Electrical outlets
- Lighting controls

Almost every training course uses visual aids that require a projection screen. It is important to have a room where lighting can be controlled to prevent glare on the screen while not placing the room in total darkness. Since a PowerPoint presentation will be used during instruction, make sure to consider the following room accommodations:
- Will shades completely darken all windows?
- Can the lights be selectively dimmed when showing the presentation?
- Will overhead lights shine directly on the screen?
- Can a bulb be removed above the screen or will the whiteboard be too dark?

COURSE AGENDA

Anticipated Duration   Lesson Title / Description
1 hour                 Module 1
30 minutes             Module 2
30 minutes             Module 3
10 minutes             Break
1 hour 30 minutes      Module 4
20 minutes             Module 5

(Breaks may vary from site to site according to local guidelines or class preference. The breaks listed here are not mandatory.)

INSTRUCTOR: PRESENTATION REQUIREMENTS

Twenty is the recommended number of participants per workshop.

Before the Training Event

Preparation List

Confirm the training dates, location, and number of participants.

1. Ensure you have the following materials:
   - Instructor Guide, one copy for each instructor
   - PowerPoint Presentation appropriate to the location of the course
   - Participant Handouts
   - Attendance Sign-in Sheets
   - A computer capable of presenting the PowerPoint presentation
   - LCD projectors compatible with the instructor's notebook computer (e.g., InFocus or similar make, if the host organization cannot provide one). We recommend 2-3 LCD projectors, especially as you work through Module 4. However, if you are only able to obtain one projector, these lessons will still work.
   - Cables necessary to connect projector to computer, if the host organization cannot provide the projector
   - Electronic remote device to advance slides in the PowerPoint Presentation, if available
   - Quizzes, Final Exam
   - Course Evaluation

2. Read and study the Instructor Guide, PowerPoint presentation, and Handouts. It is especially important to review the Use Case materials related to Module 4. We also recommend that you practice your delivery of the workshop at least 2-3 times before your workshop presentation.

3. Collaborate with local host/coordinator to determine who will provide the following:
   - Certification of completion for each participant.

4. Make sure you have a log-in for the AWWA website so you can run the AWWA Cybersecurity Guidance Tool. Test running the tool before the class. Bring a note with the login credentials with you in the event that you need to use a borrowed laptop.

5. Prepare a Parking Lot flip chart page. (Cover the Parking Lot with the flip chart pad's cover or a blank flip chart page, and leave it covered until you review it during the training event.) The Parking Lot will be used to respectfully capture thoughts/concerns/ideas of participants while allowing the training to proceed. The Parking Lot should also be used to capture unfamiliar terms for review later. The instructor should be aware that it is not the intention of this course to teach cyber security and that the Parking Lot may be needed to focus attention on the training and not specific aspects of cyber security.

6. You may tailor the training event to your needs, but the following provides an example of the ground rules. Write the following ground rules (or similar) on a flip chart page. Cover the page with the flip chart pad's cover or a blank flip chart page, and leave it covered until you review it during the training event. Then post it on the wall so it is visible during the entire event.

   GROUND RULES
   - Participate.
   - Be on time.
   - Stay on task.
   - Share responsibility for training.
   - Listen when others talk.
   - Respect the opinions and attitudes of others.
   - Turn off cell phones and pagers.
   - Use flip chart parking lot.

7. Ensure the room is set-up properly (i.e., tables and chairs are arranged to maximize interaction, projectors do not block participants' lines of sight, flip charts are convenient to you and visible to participants, etc.).

8. Test the equipment.

9. Arrange materials so they are convenient for you and the participants. Ensure each participant's place has:
   - One copy of the Participant Handouts.
   - One name tag and one name tent.
   - One pen and pad (unless participants have been instructed to bring their own).
   - One black marker for every two participants (so they can write their names on their name tags and name tents if provided).

10. Update the Introduction Slide(s) for actual course instructors.

During the Training Event

1. Arrive early. Give yourself plenty of time to get organized. Test the PowerPoint presentation and projection. Test internet access and ability to run the AWWA Cybersecurity Guidance Tool.

2. Circulate the Attendance Sign-in Sheet. Be sure all participants sign-in.

3. Start on time and stay on track. Always start on time, even if not all participants are in the room. Keep exercises within their time limits. End discussions when they cease to be productive. Lead participants away from digressions and tangents and back to the lesson.

4. Be available during breaks and after class for questions.

5. Mentor participants during the activities. Walk among groups in class and on-site as they work on their activities, and answer questions and offer guidance as appropriate. Ensure participants are on track as they work. Give constructive feedback during the presentations and discussions.

6. Ask participants to point out unfamiliar words that you can then capture on the Parking Lot flip chart to discuss later and to help build a glossary for future classes.

After the Training Event

- Have participants complete the Final Exam and Course Evaluations.
- Collect the evaluations.
- Collect the attendance sheet. Make sure that the attendance sheet is complete with all information necessary for any potential continuing education credits.

LESSON PLANS

This section, beginning on the next page, contains the Lesson Plan for all Modules.

SLIDE 1

Cybersecurity in the Water Sector

AWWA's mission: Providing solutions to effectively manage water, the world's most important resource.

This seminar is designed to teach participants how to use the AWWA Cybersecurity Guidance Tool.

Read course Title to make sure folks are attending the proper course. Read AWWA's Mission and purpose of the course. Ask participants to confirm they are attending the correct course.

SLIDE 2

Safety and Comfort
- Please review where emergency exits are located.
- Please review locations of bathrooms and any other rules regarding the meeting space.

Review emergency procedures related to the course location. Review location of bathrooms, smoking locations, cell phone call locations. Ask local coordinator for this information before the course begins to relay it to students here.

SLIDE 3

Introduce yourself/team

Update this slide before your presentation.

SLIDE 4

- Introduce other presenters
- Present Parking Lot
- Present Ground Rules

Update this slide before your presentation. Leave this slide blank if there is only one instructor teaching the workshop, and do not present this slide to participants during the introduction part of the workshop.

SLIDE 5

Description and Purpose

This seminar consists of five modules that focus on the use cases and controls in AWWA's Cybersecurity Guidance Tool (Tool). During this seminar you will see a demonstration of how to use the Tool to identify gaps that can be included in a cybersecurity improvement plan.

The purpose for this seminar is to:
- Learn how the Tool works and how to use the Tool
- Learn the purpose and applications of control system use cases
- Learn the importance of evaluating use cases against the control system
- Demonstrate the Tool
- Address how to move forward with the recommendations of the report produced by the Tool

Read description and purpose of today's course. Mention that the purpose of the course is NOT to make folks experts in cybersecurity. We will use the Parking Lot to capture questions about cybersecurity to allow training on the tool to proceed.

SLIDE 6

Course Requirements and Learning Elements

Course Requirements
- Prerequisites: None
- Seminar attendance and participation
- Participation in hands-on learning checks and quizzes

Learning Elements
- Lesson Plan
- Presentation
- Hands on activities (demonstration)
- Discussion
- Participant handout
- Quizzes and tests

Review the Course Requirements and Learning Elements. Highlight that we will be doing a live demonstration of the tool using example control system information provided as part of the Participant Handouts. Also mention that throughout the course the terms SCADA (Supervisory Control and Data Acquisition), PCS (Process Control System), and ICS (Industrial Control System) will be used interchangeably.

SLIDE 7

Agenda
- Module 1 - Why is Cybersecurity Important?
- Module 2 - Selecting Use Cases
- Module 3 - Reviewing Recommended Controls
- Module 4 - Executing Tool
- Module 5 - Implementing Recommendations

Read the agenda. Before class, identify an appropriate break time. Identify time for a 10 minute break. Seed the discussion with the time you identified before class.

SLIDE 8

Module 1 - Why is Cybersecurity Important?

Module 1 will review the importance of cybersecurity. This slide shows the display on a train terminal in Germany that was affected by a recent global cyber-attack. We will later discuss this specific ransomware attack called WannaCry. After introducing the module, quickly ask if anyone knows what this image shows.

SLIDE 9

Module 1 Learning Objectives

After completing Module 1, you should be able to:
- Recognize Threats Are Real
- Identify Vulnerabilities
- List Consequences
- Know benefits associated with the Cybersecurity Guidance Tool

Read the slide to present this Module's Learning Objectives.

SLIDE 10

Cybersecurity -> Risk Management

Risk Management Considers:
- Existence of Threat
- Vulnerability
- Consequences

Risk = Threat X Vulnerability X Consequences

Cybersecurity is an exercise in risk management. It must consider the threat, vulnerabilities, and consequences of a breach. Risk is proportional to threat, vulnerability, and consequences.

SLIDE 11

The Threat - Ransomware Spread across the globe - WannaCry

The threat is very real. As we learned in early May, global ransomware outbreaks can strike anyone at any time. During the recent WannaCry ransomware outbreak, critical services such as health care in Britain were significantly affected. WannaCry ransomware spread across the globe within a few hours on May 12th. Its spread stopped when a researcher registered a website that acted as a kill switch for the ransomware. The ransomware was able to spread quickly without the need for any user interaction via a vulnerability that Microsoft had patched only two months earlier.

SLIDE 12

The Threat - Advanced Persistent Threat (APT)

The Advanced Persistent Threat (APT) refers to professional hacking organizations that patiently and expertly target organizations to gain access into their systems. Many are considered to be sponsored by nation-states. It is believed that APT actors have normal, 9-5 jobs working to gain access into target organizations. They gain access for crime and espionage as well as for advantages in time of war. The article references hacking targeted at the energy sector in Baltic States.

SLIDE 13

The Threat - Even Tools to Protect are Vulnerable

Software today is complex and vulnerabilities can be found even in software meant to protect against malware. Microsoft recently provided a software patch to fix a vulnerability in their Malware protection engine. They discovered that system access could be gained if the Malware software scanned a carefully crafted file. The job of the malware protection engine is to continually scan files for threats, but in this case, the act of scanning a file opened a vulnerability.

SLIDE 14

The Threat - New Threats Every Day

Hackers find new ways to exploit vulnerabilities every day with all kinds of software. Hackers found a way to exploit an authorization mechanism used by Google Gmail that led to over one million junk messages sent by Gmail in one hour. Consider asking how many folks in the room have Gmail accounts, then discuss the hack.

SLIDE 15

The Threat - Some Statistics

2017 Verizon Data Breach Digest analysis shows increasing threat actions.
Source: Data Breach Digest, Verizon, Page

Every year, Verizon creates their Verizon Data Breach Digest. It contains statistics about data breach incidents that they helped investigate. This chart shows the increasing numbers of data breach incidents since Note the exponential growth shown. You can obtain a copy of the Digest from this link:

SLIDE 16

The Threat - Some Statistics

Data breach incidents can be very costly for companies. A recent study sponsored by IBM estimated that the average cost for an incident exposing credit card or social security information is $4 Million. You can obtain information about the report from this link:

Before displaying this slide, you might ask the audience if they can guess the average cost of a data breach involving credit card information or social security information.

SLIDE 17

The Threat - Some Statistics
- Large percentage of breaches are by outsiders.
- Many are organized crime.
- Threat from Espionage is increasing.

Source: 2017 Data Breach Investigations Report, 10th Edition, Verizon, Page 7
Source: 2017 Data Breach Investigations Report, 10th Edition, Verizon, Page 5

These charts are also taken from the Verizon Data Breach report. The right hand chart shows that a large percent of breaches are conducted by outsiders. The left hand chart shows that data breaches associated with espionage are on the increase. The report indicated that espionage is the category most frequently observed in manufacturing environments. You can obtain a copy of the Digest from this link:

SLIDE 18

The Threat - Likely Worse Than Reported

The threat may be much bigger than the preceding statistics may indicate because many cybersecurity incidents are not reported. You can view the original article at this link:

SLIDE 19

The Threat - Staying Informed
- AWWA
- WaterISAC

Since the threat is large and constantly evolving, we need to stay informed about new threats. Mention that sources of threat intelligence include AWWA and WaterISAC (Water Information Sharing and Analysis Center). Ask how many folks are registered to receive cybersecurity alert notices from AWWA.

SLIDE 20

Are We Vulnerable?

Group Exercise - 10 minutes
- Please break into 4 groups
- Please list possible vulnerabilities that can allow bad actors into our Industrial Control Systems
- Consider External Threat and Insider Threat
- List even if you consider it common knowledge

There are many potential vulnerabilities in our systems. Break participants into a small number of groups (no more than 4). Encourage breaking up groups from the same utility. Provide a sheet of flip-chart paper and markers to each group. Ask groups to list possible vulnerabilities that can allow bad actors into our Industrial Control Systems. Remind the groups to consider external and internal threats and to list the vulnerability even if you feel it is common knowledge. Lead class members to introduce themselves when reporting their results. Groups will stay together for the next exercise.

Challenge each group to list the most vulnerabilities within the 10 minute time period. Once 10 minutes is complete, ask the groups to post their vulnerabilities and count the total number each group identified.

SLIDE 21

Are We Vulnerable?

Examples of vulnerabilities:
- Disgruntled Employee with Access
- Shared/Easy Passwords
- Remote Access by Integrator/vendors
- USB drives
- Internet Connection
- Laptop connections
- Missing Patches
- Zero-day vulnerability

There are many possible vulnerabilities. Compare to see how many groups identified each of the vulnerabilities listed. Have groups remain together for next exercise.

Ask how many groups identified each of the vulnerabilities listed. Have group leaders place check marks on their lists if they hit one of the listed vulnerabilities. Ask groups to remain together for the next exercise.

SLIDE 22

What are Potential Consequences?

Group Exercise - 5 minutes
- Please break into 4 groups
- Please list possible consequences of a cyber intrusion
- Consider External Threat and Insider Threat
- List even if you consider it common knowledge

There are many potential consequences for cybersecurity incidents in our systems. Break the participants into a small number of groups (no more than 4). Provide a sheet of flip-chart paper and markers to each group. Ask each group to list possible consequences associated with a cybersecurity incident in our Industrial Control Systems. Remind the groups to consider external and internal threats and to list the vulnerability even if you feel it is common knowledge.

Create a challenge to see which group can list the most consequences within the 5 minute time period. Once 5 minutes is complete, ask the groups to post their consequences and count the total number each group identified.

SLIDE 23

Potential Consequences

Examples of consequences:
- No. 1: Public safety compromised
- Loss of customer trust
- Loss of productivity repairing the damage
- Costs to re-create configurations if backups are bad
- Equipment could be bricked by bad firmware downloads
- Equipment damage by improper operation
- Lawsuits
- Loss of data
- NOVs, fines?
- False/incorrect data

There are many possible consequences. Compare to see how many groups identified each of the consequences listed. Participants can return to their seats at the end of the exercise. Since water supply control systems control pressure and water quality, a cyber intrusion may affect the utility's ability to ensure pressure and quality that meet requirements.

Ask how many groups identified each of the consequences listed. Have group leaders place check marks on their lists if they hit one of the listed vulnerabilities. Stress the No. 1 potential consequence is possible compromise of public safety. Ask groups to return to their seats at the end of the exercise.

SLIDE 24

Cybersecurity Business Drivers
- Potential for Operational and Financial impact
- Loss of Public Confidence caused by cyber breach
- Executive Orders encouraging voluntary action
- Bonding Agencies and Insurance Underwriters taking into consideration Cybersecurity Preparedness
- States beginning to pass regulations for Cybersecurity programs

There are many business drivers of cybersecurity in utilities. They include the potential for operational and financial impact, loss of public confidence, executive orders calling for voluntary action, bonding and insurance agency requirements, and, in some states, regulation. The slide shows a copy of the executive orders (Feb 12, 2013, and the very recent May 11, 2017) to improve cyber security in critical infrastructure.

SLIDE 25

The Cybersecurity Guidance Tool

AWWA has created the Cybersecurity Guidance Tool to help create a prioritized list of ways to mitigate risk that is customized to your utility.

The AWWA has created the Cybersecurity Guidance Tool to help create a prioritized list of ways to mitigate risk that is customized to your utility. The slide shows a screen copy of the AWWA web page that provides access to the tool. The direct link to this site is:

SLIDE 26

The AWWA Guidance Tool is Aligned with NIST Framework

American Water Works Association has issued "Process Control System Security Guidance for the Water Sector" and a supporting "Use-Case Tool." This guidance identifies prioritized actions to reduce cybersecurity risk at a water or wastewater facility. The cybersecurity actions are aligned with the Cybersecurity Framework. This tool is serving as implementation guidance for the Cybersecurity Framework in the Water and Wastewater Systems sector.
- USEPA, May

The AWWA Cybersecurity Guidance Tool is aligned with the National Institute of Standards and Technology Cybersecurity Framework. This slide shows a copy of the EPA letter referencing the tool as providing implementation guidance for the Cybersecurity Framework in the Water and Wastewater Systems sector. Executive orders required government agencies to report on cybersecurity within the sectors they served. In this letter the EPA is indicating that the tool is aligned with the NIST standards and can serve to provide guidance to the water industry.

SLIDE 27
Benefits of the Cybersecurity Guidance Tool
o Water sector guidance that provides a consistent and repeatable recommended course of action to reduce vulnerabilities in process control systems.
o Target audience is water utility general managers, chief information officers and utility directors with oversight and responsibility for process control systems.
o Developed by SME panel of utility representatives, vendors, consultants, Federal agencies
o Aligns with sector and national priorities, fulfills need for sector-specific guidance as specified in EO
o Consistent with NIST Framework and compliant with the requirements of DHS

The Cybersecurity Guidance Tool provides many benefits including providing a consistent and repeatable recommended course of action to reduce vulnerabilities. The acronym SME stands for Subject Matter Experts. EO is the Executive Order referenced in the EPA letter previously presented. The acronym DHS stands for Department of Homeland Security.

SLIDE 28
Seminar Modules
Five Modules:
o Why is Cybersecurity Important
o Selecting the applicable Use Cases
o Reviewing the recommended Controls generated by the Tool
o Executing the Cybersecurity Tool
o Developing Cybersecurity Improvement Plan based on the recommended Controls

The 5 modules that comprise this seminar include this introductory module that stresses the importance of cybersecurity and introduces the Cybersecurity Guidance Tool. Other modules will discuss selecting use cases when using the tool, reviewing the recommended cybersecurity controls contained in the report created by the tool, demonstrating the tool, and discussing the development of a cybersecurity improvement plan based on the recommendations provided by the tool.

SLIDE 29
Module 1 Q & A
Question 1: What are the three factors that are part of The Risk Equation?

Review of three factors that are part of the Risk Equation. The equation is Risk = Threat X Vulnerability X Consequence. Ask the class the question.

SLIDE 30
Module 1 Q & A
Question 2: What does the cybersecurity term APT mean?

Review meaning of APT. It stands for Advanced Persistent Threat. It often refers to nation-state sponsored hackers. Ask the class the question.

SLIDE 31
Module 1 Q & A
Question 3: Who is the target audience for the recommendations provided by the AWWA Cybersecurity Guidance Tool?

The target audience for recommendations from the tool is general managers, Chief Information Officers, and directors with responsibility for control systems. Ask the class the question.

SLIDE 32
Module 1 Summary
o The threats of a cyber incident are real
o Our systems have vulnerabilities
o Consequences of an incident can be high
o Risk of a cybersecurity incident can be high
o To help mitigate risk, the AWWA created the Cybersecurity Guidance Tool to provide a prioritized list of ways to mitigate risk.

Summarize what was learned in Module 1.

SLIDE 33
Module 2 - Selecting Use Cases

Module 2 will discuss how the AWWA Cybersecurity Guidance Tool utilizes use cases to help generate customized recommendations for your utility. The slide shows a screen copy of the AWWA web page that provides access to the tool. The direct link to this site is:

SLIDE 34
Module 2 Learning Objectives
After completing Module 2, you should be able to:
o Describe the Use Case approach
o Evaluate each use case against a control system
o Select applicable use cases
o Successfully complete a self-evaluation (quiz)

Learning objectives to Module 2 include describing the use case approach, evaluating each use case against a control system, and selecting applicable use cases. Module 2 will discuss how the AWWA Cybersecurity Guidance Tool utilizes use cases to help generate customized recommendations for your utility.

SLIDE 35
What is a Use Case?
o A use case is an elemental pattern of behavior as described by the user of a system; the use cases are basic descriptions of important processes within PCS from the user's perspective.
o A list of control system capabilities, functionality or practices that define system configuration and characterize user and external interactions with the system.

This slide presents the concept of a Use Case. Please read the two definitions of a Use Case that are presented. PCS is an acronym that stands for Process Control System. Explain that we will review examples of Use Cases to help further explain the definitions.

SLIDE 36
Understanding the Cybersecurity Guidance Tool
The tool is a use case oriented, web based application in which users review and select use cases which most closely match their situation. The use cases included in the tool are categorized as follows:
o Architecture (networks)
o Network Management & Support Systems
o Program Access
o PLC Programming and Maintenance
o User Access
Users review and select from the available use cases in each of these 5 categories that apply to their situation.

The Cybersecurity Guidance Tool is a web based tool that relies heavily on the appropriate selection of Use Cases. Use Cases are organized into the following categories: architecture, network management and support systems, program access, PLC programming and maintenance, user access. Users select the use cases that match their control system environment. The slide shows the top section of the web-based tool and also shows a section a little further down to which you need to scroll to show the start of the use case selections.

SLIDE 37
How are Use Cases evaluated against the Existing Control System?
o Users should possess subject matter expertise and system knowledge to evaluate each use case and determine if it represents their system.
o The users read each use case to determine if it applies to their system.
o The use cases that most closely match the utility's PCS configuration and practices should be chosen.
o Those use cases that do not match the current state of the PCS will not be selected and do not receive further consideration.

This slide explains how utility staff interact with the tool to identify and select the appropriate use cases for their utility. It is likely subject matter experts will need to be consulted as each use case is reviewed. Users review each use case and select the use cases that most closely match the utility's Process Control System configuration and practices. Use Cases that do not match the current environment remain unselected. PCS is an acronym that stands for Process Control System.

SLIDE 38
Selecting Right Use Cases
After reading and evaluating each use case the user selects the use cases that most closely match their control system(s) from each of the 5 categories. The selection is made by clicking the check boxes next to the applicable use cases. See the example below:

Appropriate Use Cases are identified and then selected by clicking to check the box next to the applicable use cases. An example of the selection of one Use Case and the rejection of a second use case is presented. Consider using a laser pointer to point at the check mark next to Use Case AR1 to show the successful selection of a Use Case.

SLIDE 39
How are Controls Selected by the Cybersecurity Guidance Tool?

The Cyber Security Guidance Tool follows a repeatable process to recommend cybersecurity controls based on the use cases selected. Consider using a laser pointer.
o Point to the blue "User selects Use Cases" square. User first selects appropriate use cases.
o Point to the green "Use Case" box. When this process is completed, the list of Use Cases is identified.
o Point to the blue "Based on Use Case" square. Based on the Use Cases, the tool selects the appropriate cyber security controls.
o Point to the green "Cybersecurity Controls" box. The tool selects from a list of 94 detailed cyber security controls.
o Point to the blue "For each control" box. The tool provides a report with a prioritized list of controls, including references to the appropriate cybersecurity standards that can provide additional details about how to implement the control.

SLIDE 40
Use Case Quiz

Instructor will now collaborate with participants on completing a Use Case quiz.
Instructor to hand out the following materials to participants:
o Module 2 Instructor-led Quiz
o Use Case Details Document
o ACME Water Utility Network Diagram
o List of Use Cases from Cybersecurity Guidance Document (starting at page 11)
Instructor note: a screenshot of Module 2 Instructor-led Quiz & answers is on next page for your use only.
Explain that the quiz will be an interactive discussion/quiz led by the instructor. First distribute quiz materials to participants. Then tell them to read through the Additional Use Case Details Document, as it is used for the quiz & throughout Module 4. Tell participants that after they have read through the Additional Use Case Details Document, you will work together through the Module 2 Use Case Quiz. After discussing all items on the interactive discussion/quiz, review the answers with the class, using answers on the next page of this instructor's guide. Walk them through the process to select each correct answer.


SLIDE 41
Module 2 Q & A
Question 1: What is a use case?

Summarize that a use case is an elemental pattern of behavior and is a basic description of important processes within the process control system. A Use Case is also a list of control system capabilities, functionality or practices that define system configuration and describe user and external interactions with the system. See Slide 33. Ask the class the question and build the proper response.

SLIDE 42
Module 2 Q & A
Question 2: How are use cases evaluated against the PCS?

Use Cases are evaluated against the process control system using internal experts who review each use case for applicability to the utility process control system environment. See Slide 35. Ask the question. Work with participants to build the correct answer.

SLIDE 43
Module 2 Q & A
Question 3: How is the use case tool used?

Use Cases that apply to the utility Process Control System environment are selected by checking the box next to the use case in the web-based tool. The user does not check the box for Use Cases that do not apply. The user can then generate a list of recommended controls based on the Use Cases selected. See Slide 36 and 37. Ask the question. Work with participants to build the correct answer.

SLIDE 44
Module 2 Summary
o The Cybersecurity Guidance Tool requires the identification of appropriate Use Cases.
o A Use Case describes important processes or system configurations.
o Selection of a proper Use Case often requires participation by a Subject Matter Expert.
o The Cybersecurity Guidance Tool provides a set of recommendations, customized to your utility, based on your selected Use Cases.

This Slide summarizes learning within Module 2. Read the summary from the slide.

SLIDE 45
Module 3 - Reviewing the Recommended Controls
Image source: darpa.mil

In Module 2 we discussed the information input into the Cybersecurity Guidance Tool; in Module 3, we discuss the recommended cybersecurity controls that are the output of the tool. Stress that Module 2 was about input and Module 3 is now about output from the tool.

SLIDE 46
Learning Objectives
After completing Module 3, you should be able to:
o Understand the concept of a cybersecurity control
o Understand the format and presentation of cyber controls provided by the Tool
o Identify the sources of the standards that the controls are based on
o Understand the rationale behind prioritization of controls by the Tool

The Learning objectives for Module 3 are to understand the presentation of the cybersecurity controls provided by the tool, identify the sources of the standards that the controls are based upon, and understand the rationale behind the prioritization of the controls by the tool.

SLIDE 47
What is a Control?
o Security controls are measures, developed from many industry standards, which reduce risk through a variety of strategies such as organization, procedures and technology.
o The tool automatically associates controls based on the selected use cases.
o The controls provided by the tool are a simplified restatement of existing standards.

A control is a measure that has been developed from industry standards to reduce cybersecurity risk through a variety of strategies including organization, procedures, and technology. The Cybersecurity Guidance Tool will output a list of recommended controls based on the use cases that have been selected. The controls provided by the tool are simplified restatements of existing standards. Stress that controls are not just limited to technology but include recommendations for procedures and organizational requirements.

SLIDE 48
Where do Controls come from?
The source of Controls are based on standards* published by the following agencies:
o ANSI (American National Standards Institute)
o AWWA (American Water Works Association)
o DHS (Department of Homeland Security)
o IEC (International Electrotechnical Commission)
o ISA (International Society of Automation)
o ISO (International Organization for Standards)
o NIST (National Institute of Standards and Technology)
* Catalogs, standards, technical guidance, bulletins.

The controls recommended by the tool are drawn from standards created by internationally recognized organizations. Review the list of agency acronyms and the associated full name of the agency.

SLIDE 49
94 controls are organized in 13 categories
o Awareness and Training
o Audit and Accountability
o Configuration Management
o Identification and Authentication
o Incident Response
o Media Protection
o Physical and Environmental Protection
o Program Management
o Personal Security
o Risk Assessment
o System and Services Acquisition
o System and Communications Protection
o System and Information Integrity

The tool contains a set of 94 controls that are organized into 13 categories. Instructor can read example categories from the list on the slide. Note that the control categories include areas that folks might often not consider part of cyber security, such as Incident Response and System and Service Acquisition (Purchasing). System and Service Acquisition is receiving increased attention these days to help assure, as early as the purchasing process, that security is not compromised by outside services or non-secure equipment and software.

SLIDE 50
One Use case can generate multiple controls and multiple use case requirements can result in the same control
[Diagram: Use Cases A, B, C, D and E feed the Guidance Tool, which outputs Controls 1, 2, 3, 4 and 5]

The Cybersecurity Guidance Tool provides recommendations based on the use cases selected. One use case can result in the recommendation of multiple controls. Similarly, different use cases might have overlapping recommendations where the same control is recommended by multiple selected use cases. Using a laser pointer, indicate that Use Case A might recommend Control 1, 2 and 3. Then indicate that Use Case B might recommend Controls 3, 4, and 5. In this example, Control 3 was recommended by both Use Case A and Use Case B.

SLIDE 51
Controls are Prioritized
o Controls are assigned Priorities 1-4
o Each control recommendation is accompanied by at least one reference to the applicable standards. Usually more than one standard is associated with a control.

The Cybersecurity Guidance Tool provides a Prioritized list of controls. Priorities range from 1 to 4 with 1 being the highest priority. On the Guidance Tool report, each control is accompanied by at least one reference to a standard from the organizations previously mentioned. Often, more than one standard is referenced. Slide 46 lists the standards creating agencies.

SLIDE 52
Priority 1
Priority 1 controls represent the minimum level of acceptable security for SCADA/PCS. If not already in place, these controls should be implemented immediately.

The highest priority controls are listed as priority 1. These controls represent the minimum level of acceptable security for SCADA/PCS. It is recommended that, if these controls are not already in place, they be implemented immediately. When this slide is first presented, mention that we will now look at each priority in more detail. Point out that the slide shows an example of a portion of a Cybersecurity Guidance Tool report for priority 1 controls. Use the laser pointer to highlight the heading for Priority 1, the control reference (AT-3), the description of the control in simplified language, and the applicable standards (DHS CAT: 2.7.7). Note that the report includes links to the website for the applicable standards organization for each standard referenced.

SLIDE 53
Priority 2
Priority 2 controls have the potential to provide a significant and immediate increase in the security of the organization.

Priority 2 controls have the potential to provide a significant and immediate increase in the security of the organization. Point out that the slide shows an example of a portion of a Cybersecurity Guidance Tool report for priority 2 controls. Use the laser pointer to highlight the heading for Priority 2, the control reference (AT-1), the description of the control in simplified language, and the applicable standards (DHS CAT: 2.11 and ISA )

SLIDE 54
Priority 3
Priority 3 controls provide additional security against cybersecurity attack of PCS Systems and lay the foundation for implementation of a managed security system. These controls should be implemented as soon as budget allows.

Priority 3 controls provide additional security and lay the foundation for implementation of a managed security program. These controls should be implemented as soon as budget allows. Point out that the slide again shows an example of a portion of a Cybersecurity Guidance Tool report, this time for priority 3 controls. Use the laser pointer to highlight the heading for Priority 3 and the control reference (AU-8), read the description of the control in simplified language, and point out the applicable standard (ISO/IEC-27001).

SLIDE 55
Priority 4
Priority 4 controls are more complex and provide protection for more sophisticated attacks (which are less common). Many Priority 4 controls are related to policies and procedures; others involve state of the art protection mechanisms.

Priority 4 controls are more complex and provide protection for more sophisticated attacks (which are less common). Many priority 4 controls are related to policies and procedures while others involve state of the art protection mechanisms. Point out that the slide shows an example of a portion of a Cybersecurity Guidance Tool report for priority 4 controls. The layout is similar to what we have seen for the other controls.

SLIDE 56
Recommended Controls Priorities
The Tool provides a prioritized list of recommended controls as follows:
o Priority 1 controls represent the minimum level of acceptable security for SCADA/PCS. If not already in place, these controls should be implemented immediately.
o Priority 2 controls have the potential to provide a significant and immediate increase in the security of the organization.
o Priority 3 controls provide additional security against cybersecurity attack of PCS Systems and lay the foundation for implementation of a managed security system. These controls should be implemented as soon as budget allows.
o Priority 4 controls are more complex and provide protection for more sophisticated attacks (which are less common). Many Priority 4 controls are related to policies and procedures; others involve state of the art protection mechanisms.
[Diagram: Priority 1 Controls: Control 1; Priority 2 Controls: Control 2, Control 3; Priority 3 Controls: Control 4; Priority 4 Controls: Control 5]

In summary, the Cybersecurity Guidance Tool provides a report containing prioritized lists of recommended controls. By reading the slide, the instructor will summarize the essence of each of the 4 priority categories. When finished presenting the slide, point out that we do not say that lower priority controls are unimportant. All the controls are important. The tool prioritizes the controls to aid in implementation planning.

SLIDE 57
Reviewing Controls Quiz

We will now take a self-evaluation quiz. Instructor to hand out Module 3 Reviewing Controls Quiz. Guide participants to start the quiz. Instruct participants to indicate when they have finished. Review the quiz using answers on the next page of this instructor's guide.


SLIDE 58
Module 3 Q & A
Question 1: What does the acronym NIST represent?

NIST stands for the National Institute of Standards and Technology. Ask the class the question and build the appropriate response.

SLIDE 59
Module 3 Q & A
Question 2: Where do controls come from?

The controls recommended by the tool are drawn from standards created by internationally recognized organizations. Examples include NIST, ISA, AWWA (Slide 46). Ask the question and build the appropriate response. Ask the class if they can name some of the standards organizations.

SLIDE 60
Module 3 Summary
o Controls are a means that can reduce risk through organization, procedures, or technologies.
o The controls provided by the tool are simplified restatements of existing standards.
o The tool draws from standards produced by National Institute of Standards and Technology (NIST), International Society of Automation (ISA), American Water Works Association (AWWA), and others.

Module 3 focused on the output of the Cybersecurity Guidance Tool, namely the controls recommended by the tool. The tool provides simplified descriptions for each recommended control. The controls are drawn from standards produced by internationally recognized organizations such as NIST, ISA, and AWWA.

SLIDE 61
Module 3 Summary (continued)
o The Cybersecurity Guidance Tool presents recommended controls based on the selected use cases
o The Tool presents controls in order of priority
o Highest priority provide minimum level of acceptable security
o Lowest priority provide complex protection for more sophisticated attacks.

The Cybersecurity Guidance Tool recommends controls based on the Use Cases that are selected. The recommended controls are presented in order of priority ranging from Priority 1 controls that represent a minimum level of security to priority 4 controls that provide protection for more sophisticated attacks.

SLIDE 62
Module 4 - Executing the Tool

Now that we have discussed the inputs and outputs of the tool, in Module 4 we will step through a live demonstration of the tool.

SLIDE 63
Learning Objectives
After completing Module 4, you should be able to:
o Access the Cybersecurity Guidance Tool from the AWWA website
o Use the tool by selecting appropriate use cases.
o Generate a report
o Save a report

After completing Module 4, participants should be able to access the tool from the web, use the tool by selecting appropriate use cases, generate a report and save a report.

SLIDE 64
Introduction to Executing the Tool
o We will walk through a specific example
o Your packet includes the following:
  o A Block Diagram of the example system
  o A document describing additional details about the example system.
  o A print-out of the resulting PDF report.
o Please follow along with this specific example and avoid substituting your own example or use cases.
o We apologize in advance if we experience difficulties with network connectivity or website activity time-outs.
o Let's get started!

This slide sets the ground rules for the demonstration of the tool. The demonstration will use a specific example. Details are provided in the student handout package. The Block Diagram of the system we will use is the ACME Water Utility Network Diagram that was used during the Module 2 instructor-led quiz. The participants should also have the Module 4 Additional Use Case Details document, a print of the AWWACybersecurityguide.pdf, and a print of the report that will result from the Module 4 demonstration. Reinforce the request that students follow along with the instructor and avoid the temptation to build use cases for their own utility. Selection of use cases is critical for appropriate use of the tool. It is anticipated that participants will need to consult subject matter experts in their utility, who may not be present today, to properly select use cases. Also reinforce that this course is not intended to teach cybersecurity.

SLIDE 65
Executing the Tool
Browse Or Google AWWA cybersecurity tool Home - American Water Works Association Cybersecurity Guidance & Tool Cybersecurity Tool

This slide provides a launching pad for access to the tool. Links are provided in the event that the instructor is unable to navigate to the AWWA website to access the tool. A script for the live demonstration is included in Appendix A of this Instructor's Guide. Instructor must be able to log into the AWWA website to use the tool. Be sure to have login credentials ready. Test login before the class starts. Google "AWWA cybersecurity tool" and click on link to open the page. Once the AWWA cybersecurity tool page opens, follow the script in Appendix A. If you are having difficulty navigating to the AWWA Cybersecurity Guidance Tool, click on the green Cybersecurity Tool link and pick up the script at that point.

SLIDE 66
Demonstration of Executing the Tool
The instructor will now lead you through a live demonstration of the creation of the example Cybersecurity Report.

Demonstration of the tool will begin. You can minimize the PowerPoint presentation. The AWWA.org cybersecurity tool web page should be displayed on the browser and be capable of being projected. In addition, the second instructor should have the ACME Water Utility Network Diagram 1 and Module 4 - Additional Use Case Details Document able to be displayed on a second projector. Lastly, the instructor should have a printed copy of the Module 4 Demonstration Script so that it is available for reference as he/she steps through the demonstration. The Module 4 Demonstration Script is contained in Appendix A of the Instructor Guide. Move to the next slide once the demonstration is complete.

SLIDE 67
Congratulations! We have our report!

Congratulations on successfully working through the use cases to generate the Cybersecurity Report. The slide shows the first page of the report. ICS-CERT publishes an Assessment Report each year to show summarized results from cybersecurity assessments they have completed for the past year. The 2016 report showed that a large percentage of assessments they have completed are for water utilities and there is still a high occurrence of vulnerabilities, even for simply locking down access. This Guidance Tool Report will list controls that help mitigate these vulnerabilities. Share this information with the participants.

SLIDE 68
Module 4 Q & A
Question 1: From what Website do we access the Cybersecurity Tool?

We access the Cybersecurity Tool from AWWA.org. Ask the class the question and acknowledge the correct response.

SLIDE 69
Module 4 Q & A
Question 2: True or False: Priority 4 controls are not important?

Priority 4 controls are more complex and provide protection for more sophisticated attacks (which are less common). All recommended controls are important for a proper cybersecurity program (Slide 53). Ask the class the question and build the proper response.

SLIDE 70 Module 4 Summary

- AWWA's website provides access to the Cybersecurity Tool.
- When using the tool, you select those use cases that apply to your systems.
- A report is first generated online. It can be downloaded and saved in PDF format.

Access and use of the Cybersecurity Guidance Tool was demonstrated in Module 4. The tool is accessed from the American Water Works Association website, AWWA.org. When using the tool, you select the use cases that apply to your systems. When you generate the report, it is presented online, but can also be downloaded as a PDF file. Please mention that, since the tool can time out, it is recommended that participants note the use cases as they proceed through the tool, so they can quickly re-select the appropriate use cases in the event that their session times out. Also point out that the tool does not save the report online, so it is recommended that participants download the report in PDF format.

SLIDE 71 Module 5 - Implementing Recommendations

Image source: Nasa.gov

Now that you know how to use the tool and have the resulting Cybersecurity Report, Module 5 will discuss how the report can be used to build an implementation plan for cybersecurity improvements.

SLIDE 72 Learning Objectives

After completing Module 5, you should be able to:
- Use the output of the Tool in the preparation of a cybersecurity improvement plan

In Module 5 we will learn how to use the output of the tool to build a cybersecurity improvement plan.

SLIDE 73 What are the next steps in the process?

- Carefully review the report generated by the Tool
- Compare current state to recommended controls
- Go control-by-control to check whether or not systems and/or procedures are in place
- Be honest and realistic about current state
- May require physical testing of the system
- The discovery that occurs during this process will produce valuable, actionable results that should be addressed in an implementation plan

Once you have created the Cybersecurity Report for your organization, these are the recommended next steps towards creating an improvements plan. First, carefully review the output of the tool. For each control, review the current state of implementation in your organization. Be honest and realistic. If necessary, perform testing. Document your discovery so that gaps are identified and form the basis for an improvements implementation plan.

SLIDE 74 Implementation Plan Discussion

To achieve the required improvements an effective blend of technology and procedures should be implemented.
- Develop a formal Cybersecurity Improvements Plan for recommended controls that are not currently in place
- Assign roles and responsibilities for the implementation of the recommended controls
- Establish a budget and implementation schedule for cybersecurity improvements

An implementation plan is a highly sensitive document. Please check with your legal counsel to confirm coverage by applicable Freedom of Information Act (FOIA) exemption laws.

From the gaps identified by comparing the recommended controls against those currently in place, a cybersecurity improvement plan can be developed. The improvements plan will likely contain a mix of technology and procedures. As with any well-run project, assign roles and responsibilities for implementation of each control identified in the plan and establish a budget and schedule for the improvements. Note that the cybersecurity improvements plan is a highly sensitive document whose content should be protected. Please consult with legal counsel to ensure proper protection of this information.

SLIDE 75 Implementation Plan Summary

Steps in Order of Implementation, each with its Key Action Step and Core Question:
1. Key Action Step: Identify Use Cases that apply working with Subject Matter Experts (SMEs). Core Question: What do your systems look like today?
2. Key Action Step: Run the AWWA Cybersecurity Tool. Core Question: What, in total, needs to be in place?
3. Key Action Step: Compare recommended controls against those that are already in place. Core Question: What is missing?
4. Key Action Step: Develop a formal Cybersecurity Improvements Plan. Core Question: How will you address what is missing?
5. Key Action Step: Reference the Freedom of Information Act (FOIA). Core Question: Who has a right to see the plan?
6. Key Action Step: Establish a budget and schedule / assign roles and responsibilities. Core Question: What does it cost and when will it be done? / Who does each part?

In summary, development of an implementation plan will include these key steps for implementation. As these steps are implemented, the corresponding core questions should be answered.

The following slides (#76 - #81) are designed for an activity that provides progressive disclosure. After discussing the potential barriers and responses for each slide, click through to reveal examples of answers for the Potential Barrier column and the Response to Barrier column on each slide.

SLIDE 76 Exercise - Potential Barriers & Responses, Key Action Step Number 1

Key Action Step: 1. Identify Use Cases that apply working with Subject Matter Experts (SMEs)
Core Question: What do your systems look like today?
Potential Barrier: Water utility staff SMEs too few/too busy/lack expertise.
Response to Barrier: Establish a network / dialogue with water utility professionals who also attended the AWWA Cybersecurity in the Water Sector Workshop and / or AWWA online training to identify and define alternative staffing solutions.

Let's now work through an exercise to identify potential barriers for each step in the process of making improvements, and possible strategies to respond to the barriers. Key Action Step Number 1 is the identification of Use Cases that apply when working with Subject Matter Experts (SMEs). The question to ask for this step is "What do your systems look like today?"

Work interactively with the participants by brainstorming for potential barriers and noting them on a common flip-chart. Leave room to note a possible response to each barrier. You will be repeating this process for each of the Key Action Steps. Since we are near the end of the class, do not linger too long on any one key action step. After interactive discussion of this slide, click once to reveal a possible Potential Barrier. Then click once again to reveal a possible Response to Barrier.

SLIDE 77 Exercise - Potential Barriers & Responses, Key Action Step Number 2

Key Action Step: 2. Run the AWWA Cybersecurity Tool
Core Question: What, in total, needs to be in place?
Potential Barrier: Only one utility staff member is proficient / trained in using the AWWA Cybersecurity Tool making it difficult to communicate.
Response to Barrier: Train additional utility staff in AWWA Cybersecurity in the Water Sector Workshop and / or AWWA online training modules. Engage departments to enlist SMEs to help select use cases.

The next Key Action Step is to run the AWWA Cybersecurity Tool, where utilities determine what cybersecurity measures need to be in place.

Repeat the interactive process described for Key Action Step 1 above. After interactive discussion of this slide, click once to reveal a possible Potential Barrier. Then click once again to reveal a possible Response to Barrier.

SLIDE 78 Exercise - Potential Barriers & Responses, Key Action Step Number 3

Key Action Step: 3. Compare recommended controls against those that are already in place.
Core Question: What is missing?
Potential Barrier: Staff not familiar with cybersecurity controls that are in place. Gaps in current controls and recommended controls are unclear / not readily apparent.
Response to Barrier: Engage with established water utility network colleagues who attended AWWA Cybersecurity in the Water Sector Workshop / online training to discuss general gap analysis interpretation. Engage SMEs to identify controls that are in place so they can be compared to recommendations. Use results of external cybersecurity audit. Engage DHS for audit.

After identifying SME use cases and running the tool to determine what needs to be in place, you will need to compare recommended controls against those that are already in place to identify what is missing.

Repeat the interactive brainstorming process described for Key Action Step 1 above. After interactive discussion of this slide, click once to reveal a possible Potential Barrier. Then click once again to reveal a possible Response to Barrier.

SLIDE 79 Exercise - Potential Barriers & Responses, Key Action Step Number 4

Key Action Step: 4. Develop a formal Cybersecurity Improvements Plan
Core Question: How will you address what is missing?
Potential Barrier: Water utility staff expertise / overall staff support has been assessed as limited. Confirmed via AWWA networking.
Response to Barrier: Evaluate need for external assistance, such as a professional consultancy.

Development of the formal Cybersecurity Improvements Plan will begin here. The plan will describe how the missing items that were determined in the previous step will be addressed.

Repeat the interactive brainstorming process described for Key Action Step 1 above. After interactive discussion of this slide, click once to reveal a possible Potential Barrier. Then click once again to reveal a possible Response to Barrier.

SLIDE 80 Exercise - Potential Barriers & Responses, Key Action Step Number 5

Key Action Step: 5. Reference the Freedom of Information Act (FOIA)
Core Question: Who has a right to see the plan?
Potential Barrier: After referencing FOIA, it is unclear who, specifically, should see the plan and what liabilities are involved therein.
Response to Barrier: Evaluate need for professional (legal) consultancy.

At this point, the Freedom of Information Act needs to be referenced to determine who can see the plan that has been developed.

Repeat the interactive brainstorming process described for Key Action Step 1 above. After interactive discussion of this slide, click once to reveal a possible Potential Barrier. Then click once again to reveal a possible Response to Barrier.

SLIDE 81 Exercise - Potential Barriers & Responses, Key Action Step Number 6

Key Action Step: 6. Establish a budget and schedule / assign roles and responsibilities.
Core Question: What does it cost and when will it be done? / Who does each part?
Potential Barrier: Limited budget and staff availability. Need for external assistance confirmed.
Response to Barrier: Consult water utility leadership / governance board to obtain budget and to retain external assistance, if needed, to complete Steps 4 &

Once all of the steps have been completed, it is time to establish a budget and schedule and to assign roles and responsibilities. Then you will need to determine what it costs, what the timeline is, and who is responsible for each part.

Repeat the interactive brainstorming process described for Key Action Step 1 above. Thank the class for their hard work and mention that it is hoped that the discussions helped provide strategies for overcoming barriers they may face in making cybersecurity improvements. After interactive discussion of this slide, click once to reveal a possible Potential Barrier. Then click once again to reveal a possible Response to Barrier.

SLIDE 82 Module 5 Q & A

Question 1: True or False? The output of the Cybersecurity Guidance Tool shows you where your cybersecurity is weak.

The output of the Cybersecurity Guidance Tool shows recommended controls for your environment. Since the tool does not know what controls you may already have in place, it does not show weaknesses by itself. The recommendations of the tool must be compared against your existing controls to identify gaps that represent weaknesses.

Ask the class the question. The Answer is False. Build the proper answer from the class's responses as explained in the Key Message for this slide.

SLIDE 83 Module 5 Q & A

Question 2: What should be done with the report generated by the tool?

The report generated by the Cybersecurity Guidance Tool should be used as an input into the building of a Cybersecurity Improvements Plan.

SLIDE 84 Module 5 Summary

- The Cybersecurity Guidance Tool presents prioritized recommended controls based on your selected use cases.
- Controls should be compared to existing systems or procedures to identify gaps.
- A cybersecurity program should be built to address gaps associated with the highest priority controls first.
- The cybersecurity program must be ongoing since recommendations may change and your environment changes.

The report generated by the Cybersecurity Guidance Tool provides prioritized recommended controls for your organization. The recommended controls should be compared to those you currently have in place to identify gaps in your cybersecurity. A cybersecurity improvements plan should be built to address the gaps starting with gaps associated with the highest priority controls. Cybersecurity evaluation should be an ongoing effort since recommendations change and the cybersecurity environment changes.

Please stress the importance of having an ongoing cybersecurity program that is frequently evaluating risk.

SLIDE 85 Seminar Summary

During this workshop, the following information was presented to help attendees prepare to use the Tool. The five modules included:
- Why cybersecurity is important
- Selecting the appropriate use cases for your environment
- Reviewing the recommended controls generated by the Cybersecurity Guidance Tool
- Executing the tool
- Implementing recommendations by developing a Cybersecurity Improvements Plan

This slide is a summary of the 5 modules covered by the seminar. This slide simply restates the agenda.

SLIDE 86 Seminar Summary (continued)

Now that you have attended this Workshop you should be able to:
- Recognize the drivers behind cybersecurity
- Understand the importance of evaluating use cases against your control system
- Explain the priorities of controls generated by the Tool
- Properly use the Cybersecurity Guidance Tool to generate a report for your system
- Take the steps necessary to bring your system into alignment with industrial cybersecurity standards

This slide provides an overall summary of the seminar. Participants should understand that the risk associated with a cybersecurity event is real. They understand the importance of evaluating use cases. Students can explain the 4 categories of priorities assigned to each recommended control. They can access the tool and use it to generate a Cybersecurity Report. They can use the report to build an improvements plan that will bring their environment into alignment with industrial cybersecurity standards.

SLIDE 87

- Ask if there are any final questions and thank the students for their participation. If present, thank the coordinator and host organization.
- Hand out final exam.
- Hand out course evaluation sheets.
- Make yourself available to students who might prefer a one-on-one question after the seminar. Keep your computer available in case you need to review slides or access the tool on the internet.
- Collect attendance sheet, course evaluation, and final exam. Confirm that everyone included the appropriate information on the attendance sheet to receive credit for attendance.
- Grade the final exam.


More information

Defending Our Digital Density.

Defending Our Digital Density. New Jersey Cybersecurity & Communications Integration Cell Defending Our Digital Density. @NJCybersecurity www.cyber.nj.gov NJCCIC@cyber.nj.gov The New Jersey Cybersecurity & Communications Integration

More information

Cybersecurity in Government

Cybersecurity in Government Cybersecurity in Government Executive Development Course: Digital Government Ng Lup Houh, Principal Cybersecurity Specialist Cybersecurity Group 03 April 2018 Agenda Cyber Threats & Vulnerabilities Cyber

More information

2. IBEW Local Unions.

2. IBEW Local Unions. Guidelines Governing the Certification of Journeymen and Apprentices in the Installation of Photovoltaic Systems (Version 1.0) The following document contains the Guidelines as adopted by the National

More information

The NIST Cybersecurity Framework

The NIST Cybersecurity Framework The NIST Cybersecurity Framework U.S. German Standards Panel 2018 April 10, 2018 Adam.Sedgewick@nist.gov National Institute of Standards and Technology About NIST Agency of U.S. Department of Commerce

More information

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA? Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA? A brief overview of security requirements for Federal government agencies applicable to contracted IT services,

More information

National Initiative for Cyber Education (NICE) and the Cybersecurity Workforce Framework: Attract and Retain the Best in InfoSec.

National Initiative for Cyber Education (NICE) and the Cybersecurity Workforce Framework: Attract and Retain the Best in InfoSec. National Initiative for Cyber Education (NICE) and the Cybersecurity Workforce Framework: Attract and Retain the Best in InfoSec April 12, 2018 1 Introduction to NICE - The National Initiative for Cybersecurity

More information

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI EXECUTIVE SUMMARY The shortage of cybersecurity skills Organizations continue to face a shortage of IT skill

More information

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

10 Cybersecurity Questions for Bank CEOs and the Board of Directors 4 th Annual UBA Bank Executive Winter Conference February, 2015 10 Cybersecurity Questions for Bank CEOs and the Board of Directors Dr. Kevin Streff Founder, Secure Banking Solutions 1 Board of Directors

More information

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations May 14, 2018 1:30PM to 2:30PM CST In Plain English: Cybersecurity and IT Exam Expectations Options to Join Webinar and audio Click on the link: https://www.webcaster4.com/webcast/page/584/24606 Choose

More information

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston Cybersecurity Landscape Major Data Breaches (e.g., OPM, IRS) Data Breach Notification Laws Directors Derivative Suits Federal Legislation

More information

Solutions Technology, Inc. (STI) Corporate Capability Brief

Solutions Technology, Inc. (STI) Corporate Capability Brief Solutions Technology, Inc. (STI) Corporate Capability Brief STI CORPORATE OVERVIEW Located in the metropolitan area of Washington, District of Columbia (D.C.), Solutions Technology Inc. (STI), women owned

More information

THE CYBERSECURITY LITERACY CONFIDENCE GAP

THE CYBERSECURITY LITERACY CONFIDENCE GAP CONFIDENCE: SECURED WHITE PAPER THE CYBERSECURITY LITERACY CONFIDENCE GAP ADVANCED THREAT PROTECTION, SECURITY AND COMPLIANCE Despite the fact that most organizations are more aware of cybersecurity risks

More information

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013 Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013 PPD-21: CI Security and Resilience On February 12, 2013, President Obama signed Presidential Policy Directive

More information

Cyber Security. Building and assuring defence in depth

Cyber Security. Building and assuring defence in depth Cyber Security Building and assuring defence in depth The Cyber Challenge Understanding the challenge We live in an inter-connected world that brings a wealth of information to our finger tips at the speed

More information

Cyber Security and Cyber Fraud

Cyber Security and Cyber Fraud Cyber Security and Cyber Fraud Remarks by Andrew Ross Director, Payments and Cyber Security Canadian Bankers Association for Senate Standing Committee on Banking, Trade, and Commerce October 26, 2017 Ottawa

More information

Course overview. CompTIA Security+ Certification (Exam SY0-501) Study Guide (G635eng v107)

Course overview. CompTIA Security+ Certification (Exam SY0-501) Study Guide (G635eng v107) Overview This course is intended for those wishing to qualify with CompTIA Security+. CompTIA's Security+ Certification is a foundation-level certificate designed for IT administrators with 2 years' experience

More information

Cyber Security Congress 2017

Cyber Security Congress 2017 Cyber Security Congress 2017 A rich agenda covering both technical and management matters with targeted presentations and hands on workshops. Day 1 Conference Morning Session 8.30 9.00 Registration & Coffee

More information

Featured Articles II Security Research and Development Research and Development of Advanced Security Technology

Featured Articles II Security Research and Development Research and Development of Advanced Security Technology 364 Hitachi Review Vol. 65 (2016), No. 8 Featured Articles II Security Research and Development Research and Development of Advanced Security Technology Tadashi Kaji, Ph.D. OVERVIEW: The damage done by

More information

NCSF Foundation Certification

NCSF Foundation Certification NCSF Foundation Certification Overview This ACQUIROS accredited training program is targeted at IT and Cybersecurity professionals looking to become certified on how to operationalize the NIST Cybersecurity

More information

Cybersecurity Vulnerabilities and Process Frameworks for Oil and Gas

Cybersecurity Vulnerabilities and Process Frameworks for Oil and Gas Cybersecurity Vulnerabilities and Process Frameworks for Oil and Gas Presentation to WVONGA Jack L. Shaffer, Jr. Business Transformation Director vcio/ vciso 2017 Cybersecurity in the news Ransomware Wanacry,

More information

What It Takes to be a CISO in 2017

What It Takes to be a CISO in 2017 What It Takes to be a CISO in 2017 Doug Copley Deputy CISO Sr. Security & Privacy Strategist February 2017 IMAGINE You re the CISO In Bangladesh Of a bank On a Friday when you re closed You realize 6 huge

More information

FDA & Medical Device Cybersecurity

FDA & Medical Device Cybersecurity FDA & Medical Device Cybersecurity Closing Keynote, February 19, 2017 Suzanne B. Schwartz, M.D., MBA Associate Director for Science & Strategic Partnerships Center for Devices and Radiological Health US

More information

A Government Health Agency Trusts Tenable to Protect Patient Data and Manage Expanding Attack Surface

A Government Health Agency Trusts Tenable to Protect Patient Data and Manage Expanding Attack Surface A Government Health Agency Trusts Tenable to Protect Patient Data and Manage Expanding Attack Surface ORGANIZATION SNAPSHOT The level of visibility Tenable.io provides is phenomenal, something we just

More information

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person) Cyber Security Presenters: - Brian Everest, Chief Technology Officer, Starport Managed Services - Susan Pawelek, Accountant, Compliance and Registrant Regulation February 13, 2018 (webinar) February 15,

More information

Cyber Security Incident Report

Cyber Security Incident Report Cyber Security Incident Report Technical Rationale and Justification for Reliability Standard CIP-008-6 January 2019 NERC Report Title Report Date I Table of Contents Preface... iii Introduction... 1 New

More information

Today s cyber threat landscape is evolving at a rate that is extremely aggressive,

Today s cyber threat landscape is evolving at a rate that is extremely aggressive, Preparing for a Bad Day The importance of public-private partnerships in keeping our institutions safe and secure Thomas J. Harrington Today s cyber threat landscape is evolving at a rate that is extremely

More information

Cybersmart Buildings: Securing Your Investments in Connectivity and Automation

Cybersmart Buildings: Securing Your Investments in Connectivity and Automation Cybersmart Buildings: Securing Your Investments in Connectivity and Automation Jason Rosselot, CISSP, Director Product Cyber Security, Johnson Controls AIA Quality Assurance The Building Commissioning

More information

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update) ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update) June 2017 INSERT YEAR HERE Contact Information: Jeremy Dalpiaz AVP, Cyber and Data Security Policy Jeremy.Dalpiaz@icba.org ICBA Summary

More information

Bradford J. Willke. 19 September 2007

Bradford J. Willke. 19 September 2007 A Critical Information Infrastructure Protection Approach to Multinational Cyber Security Events Bradford J. Willke 19 September 2007 Overview A framework for national Critical Information Infrastructure

More information

ISM 324: Information Systems Security Spring 2014

ISM 324: Information Systems Security Spring 2014 ISM 324: Information Systems Security Spring 2014 Instructor: Co-Instructor: Office: E-Mail: Phone: Office Hours: Jeffrey Wall Hamid Nemati 392 Bryan Building jdwall2@uncg.edu (email is the preferred method

More information

Security Management Models And Practices Feb 5, 2008

Security Management Models And Practices Feb 5, 2008 TEL2813/IS2820 Security Management Security Management Models And Practices Feb 5, 2008 Objectives Overview basic standards and best practices Overview of ISO 17799 Overview of NIST SP documents related

More information

Cybersecurity Training

Cybersecurity Training Standards Certification Education & Training Publishing Conferences & Exhibits Cybersecurity Training Safeguarding industrial automation and control systems www.isa.org/cybetrn Expert-led training with

More information

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002 ISO 27002 COMPLIANCE GUIDE How Rapid7 Can Help You Achieve Compliance with ISO 27002 A CONTENTS Introduction 2 Detailed Controls Mapping 3 About Rapid7 8 rapid7.com ISO 27002 Compliance Guide 1 INTRODUCTION

More information

Incident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles

Incident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles Incident Response Lessons From the Front Lines Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles 1 Conflict of Interest Nolan Garrett Has no real or apparent conflicts of

More information

Rethinking Information Security Risk Management CRM002

Rethinking Information Security Risk Management CRM002 Rethinking Information Security Risk Management CRM002 Speakers: Tanya Scott, Senior Manager, Information Risk Management, Lending Club Learning Objectives At the end of this session, you will: Design

More information

The GenCyber Program. By Chris Ralph

The GenCyber Program. By Chris Ralph The GenCyber Program By Chris Ralph The Mission of GenCyber Provide a cybersecurity camp experience for students and teachers at the K-12 level. The primary goal of the program is to increase interest

More information

Securing Network Devices with the IEC Standard What You Should Know. Vance Chen Product Manager

Securing Network Devices with the IEC Standard What You Should Know. Vance Chen Product Manager with the IEC 62443-4-2 Standard What You Should Know Vance Chen Product Manager Industry Background As the Industrial IoT (IIoT) continues to expand, more and more devices are being connected to networks.

More information

Heavy Vehicle Cyber Security Bulletin

Heavy Vehicle Cyber Security Bulletin Heavy Vehicle Cyber Security Update National Motor Freight Traffic Association, Inc. 1001 North Fairfax Street, Suite 600 Alexandria, VA 22314 (703) 838-1810 Heavy Vehicle Cyber Security Bulletin Bulletin

More information

ENISA EU Threat Landscape

ENISA EU Threat Landscape ENISA EU Threat Landscape 24 th February 2015 Dr Steve Purser ENISA Head of Department European Union Agency for Network and Information Security www.enisa.europa.eu Agenda ENISA Areas of Activity Key

More information

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS The Saskatchewan Power Corporation (SaskPower) is the principal supplier of power in Saskatchewan with its mission to deliver power

More information

Cyber Security Stress Test SUMMARY REPORT

Cyber Security Stress Test SUMMARY REPORT Cyber Security Stress Test SUMMARY REPORT predict prevent respond detect FINAL SCORE PREDICT: PREVENT: Final score: RESPOND: DETECT: BRILLIANT! You got a 100/100. That's as good as it gets. So take a second

More information

CCISO Blueprint v1. EC-Council

CCISO Blueprint v1. EC-Council CCISO Blueprint v1 EC-Council Categories Topics Covered Weightage 1. Governance (Policy, Legal, & Compliance) & Risk Management 1.1 Define, implement, manage and maintain an information security governance

More information

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1 Addressing the Evolving Cybersecurity Tom Tollerton, CISSP, CISA, PCI QSA Manager Cybersecurity Advisory Services DHG presenter Tom Tollerton, Manager DHG IT Advisory 704.367.7061 tom.tollerton@dhgllp.com

More information

Cybersecurity and the Board of Directors

Cybersecurity and the Board of Directors Cybersecurity and the Board of Directors Key Findings from BITS/FSR Meetings OVERVIEW Board directors are increasingly required to engage in cybersecurity risk management yet some may need better education

More information

"Charting the Course... ITIL 2011 Managing Across the Lifecycle ( MALC ) Course Summary

Charting the Course... ITIL 2011 Managing Across the Lifecycle ( MALC ) Course Summary Course Summary Description ITIL is a set of best practices guidance that has become a worldwide-adopted framework for IT Service Management by many Public & Private Organizations. Since early 1990, ITIL

More information

Mike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS

Mike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS Mike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS Can You Answer These Questions? 1 What s my company s exposure to the latest industrial cyber threat? Are my plants

More information

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved. How to implement NIST Cybersecurity Framework using ISO 27001 WHITE PAPER Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

More information

How Advanced Persistent Threats Successfully Breach Large Organizations AND, What To Do About It

How Advanced Persistent Threats Successfully Breach Large Organizations AND, What To Do About It How Advanced Persistent Threats Successfully Breach Large Organizations AND, What To Do About It Robert West Chief Information Security Officer Department of Homeland Security Top 10 misconceptions about

More information

The J100 RAMCAP Method

The J100 RAMCAP Method The J100 RAMCAP Method 2012 ORWARN Conference Kevin M. Morley, PhD Security & Preparedness Program Manager AWWA--Washington, DC Water is Key to Daily Life Potable drinking water Sanitation Public Health

More information

Security in a Converging IT/OT World

Security in a Converging IT/OT World Security in a Converging IT/OT World Introduction Around the winter solstice, darkness comes early to the citizens of Ukraine. On December 23, 2015, it came a little earlier than normal. In mid-afternoon,

More information

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017 COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE Presented by Paul R. Hales, J.D. May 8, 2017 1 HIPAA Rules Combat Cyber Crime HIPAA Rules A Blueprint to Combat Cyber Crime 2 HIPAA Rules Combat Cyber Crime

More information