Who Goes There? Access Control in Water/Wastewater Siemens AG All Rights Reserved. siemens.com/ruggedcom

Similar documents
Potential Mitigation Strategies for the Common Vulnerabilities of Control Systems Identified by the NERC Control Systems Security Working Group

ANATOMY OF AN ATTACK!

Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure

An Overview of ISA-99 & Cyber Security for the Water or Wastewater Specialist

K12 Cybersecurity Roadmap

Future Challenges and Changes in Industrial Cybersecurity. Sid Snitkin VP Cybersecurity Services ARC Advisory Group

Industrial Security - Protecting productivity. Industrial Security in Pharmaanlagen

Protecting productivity with Industrial Security Services

Presenter Jakob Drescher. Industry. Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks.

Compliance with NIST

Security+ SY0-501 Study Guide Table of Contents

AUTHORITY FOR ELECTRICITY REGULATION

NW NATURAL CYBER SECURITY 2016.JUNE.16

Firewalls (IDS and IPS) MIS 5214 Week 6

The Common Controls Framework BY ADOBE

Industrial Cyber Security. ICS SHIELD Top-down security for multi-vendor OT assets

Cyber Security Requirements for Electronic Safety and Security

Altius IT Policy Collection Compliance and Standards Matrix

QuickBooks Online Security White Paper July 2017

Cloud Computing. Faculty of Information Systems. Duc.NHM. nhmduc.wordpress.com

Functional. Safety and. Cyber Security. Pete Brown Safety & Security Officer PI-UK

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

Altius IT Policy Collection Compliance and Standards Matrix

Submitted on behalf of the DOE National SCADA Test Bed. Jeff Dagle, PE Pacific Northwest National Laboratory (509)

Information Technology Enhancing Productivity and Securing Against Cyber Attacks

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Cybersecurity and Communications Based Train Control

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

NIST Revision 2: Guide to Industrial Control Systems (ICS) Security

Sneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security

Process System Security. Process System Security

A (sample) computerized system for publishing the daily currency exchange rates

Securing the Smart Grid. Understanding the BIG Picture 11/1/2011. Proprietary Information of Corporate Risk Solutions, Inc. 1.

HikCentral V1.3 for Windows Hardening Guide

Data Security and Privacy Principles IBM Cloud Services

Secure Access & SWIFT Customer Security Controls Framework

How to Align with the NIST Cybersecurity Framework

A Measurement Companion to the CIS Critical Security Controls (Version 6) October

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Cyber Criminal Methods & Prevention Techniques. By

Expanding Cyber Security Management for Critical Infrastructure

WHITE PAPER. Vericlave The Kemuri Water Company Hack

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Protecting Buildings Operational Technology (OT) from Evolving Cyber Threats & Vulnerabilities

RIPE RIPE-17. Table of Contents. The Langner Group. Washington Hamburg Munich

Cybersecurity and Hospitals: A Board Perspective

T22 - Industrial Control System Security

Cyber Risk in the Marine Transportation System

Securing Plant Operation The Important Steps

Securing Industrial Control Systems

Software Development & Education Center Security+ Certification

HikCentral V.1.1.x for Windows Hardening Guide

Methods for Reducing Cybersecurity Vulnerabilities of Power Substations Using Multi-Vendor Smart Devices in a Smart Grid Environment

NCCoE TRUSTED CLOUD: A SECURE SOLUTION

ДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Checklist: Credit Union Information Security and Privacy Policies

NIST Cybersecurity Framework Protect / Maintenance and Protective Technology

IPM Secure Hardening Guidelines

Introduction to ICS Security

IE156: ICS410: ICS/SCADA Security Essentials

Altius IT Policy Collection

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

BeOn Security Cybersecurity for Critical Communications Systems

Security Issues and Best Practices for Water Facilities

Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments

Industry Best Practices for Securing Critical Infrastructure

White Paper. The North American Electric Reliability Corporation Standards for Critical Infrastructure Protection

the SWIFT Customer Security

EBOOK 4 TIPS FOR STRENGTHENING THE SECURITY OF YOUR VPN ACCESS

Network Security Policy

Cyber Defense Operations Center

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

How NOT To Get Hacked

Remote Desktop Security for the SMB

i-pcgrid WORKSHOP 2016 INTERACTIVE REMOTE ACCESS

Cyber Security Standards Developments

Information Security Controls Policy

TOP 10 VULNERABILITIES OF CONTROL SYSTEMS AND THEIR ASSOCIATED MITIGATIONS 2007

How CyberArk can help mitigate security vulnerabilities in Industrial Control Systems

Information Security Policy

Education Network Security

Cybersecurity Training

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

CS 356 Operating System Security. Fall 2013

Security analysis and assessment of threats in European signalling systems?

Google Cloud Platform: Customer Responsibility Matrix. April 2017

Centralized Control System Architecture

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC

Security Standards for Electric Market Participants

FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013. Visit us online at Flank.org to learn more.

IBM Secure Proxy. Advanced edge security for your multienterprise. Secure your network at the edge. Highlights

Welcome to the CyberSecure My Business Webinar Series We will begin promptly at 2pm EDT All speakers will be muted until that time

DEVELOP YOUR TAILORED CYBERSECURITY ROADMAP

Evolution Of Cyber Threats & Defense Approaches

Cyber security tips and self-assessment for business

Cyber Security for Process Control Systems ABB's view

Transcription:

WEAT Webinar Who Goes There? Access Control in Water/Wastewater Siemens AG 2018. siemens.com/ruggedcom

ACCESS CONTROL WEBINAR TABLE OF CONTENTS TOPIC Why Access Control? Risks If Not Used Factors of Authentication Role-Based Access Control NIST & AWWA Guidelines for Access Control Ways to Enforce Access Control Summary PAGE : 2

ACCESS CONTROL Why Access Control? Access Control is a key component to a layered defense strategy. It s tough to hack something if you cannot get in. Access control tries to ensure that no unauthorized parties can get into a system. PAGE : 3

ACCESS CONTROL The principle of least privilege (PoLP) is an information security term that refers to a user or program having the least authority possible to perform its job PAGE : 4

DEFENSE IN DEPTH PAGE : 5

SCADA VULNERABILITIES PAGE : 6

SECURITY PHASE CHANGE LEGACY MODERN Security Phase Change describes devices that transition from electrical to computer-controlled to eventually networked. Automobiles Voting machines Programmable Logic Controllers (PLCs) PAGE : 7

SOUTH HOUSTON WATER HACK o o o In 2011, the City of South Houston Water Department was hacked The hacker provided documents from the plant as proof Poor configuration of services, bad passwords, and no access controls for SCADA interfaces were blamed PAGE : 8

CYBER SECURITY STATISTICS Can you name three of the top five countries where hacks originate? China, USA (17%), Turkey, Brazil and Russia What famous billionaire said cyberattacks are the greatest threat to mankind even more of a threat than nuclear weapons? Warren Buffet Which country has the highest number of malware-infected computers in the world? China at 57%. Runner-up is Taiwan at 49% followed by Turkey at 42.5%. PAGE : 9

WHY PCS SECURITY IS DIFFICULT PAGE : 10

FACTORS OF AUTHENTICATION What is a factor? A factor is a type of authentication. When you claim to be someone, you need to provide further information to prove that you are who you say you are. PAGE : 11

FACTORS OF AUTHENTICATION Factor #4: Somewhere you are Internet Protocol (IP) address Media Access Control (MAC) address Geolocation services Factor #5: Something you do Windows 8 Picture Password SureSwipe login from Capital One PAGE : 12

ROLE-BASED ACCESS CONTROL Role-Based Access Control RBAC defines the users security roles, permissions, authorization, and role hierarchy to access critical systems in an industrial control system (ICS). PAGE : 13

NATIONAL INSTITUTE of STANDARDS and TECHNOLOGY (NIST) The National Institute of Standards and Technology (NIST) was founded in 1901 and now part of the U.S. Department of Commerce. NIST is one of the nation's oldest physical science laboratories. Congress established the agency to remove a major challenge to U.S. industrial competitiveness at the time a second-rate measurement infrastructure that lagged behind the capabilities of the United Kingdom, Germany, and other economic rivals. PAGE : 14

NATIONAL INSTITUTE of STANDARDS and TECHNOLOGY (NIST) The NIST Framework Core consists of five concurrent and continuous Functions Identify, Protect, Detect, Respond, Recover. Identify Assets Protect Access Control Data Security Information Protection Protective Technology Detect Configuration Management Firewall Management Authorized Access PAGE : 15

NIST GUIDELINES Identity Management, Authentication and Access Control Access to physical and logical assets and facilities limited to authorized users, processes and devices managed according to the assessed risk. PR.AC-1: Identities and credentials managed/verified for authorized devices, users and processes PR.AC-2: Physical access to assets managed and protected PR.AC-3: Remote access managed PR.AC-4: Access permissions managed using least privilege and separations of duty PR.AC-5: Network integrity is protected (segregation, segmentation) PR.AC-6: Identities proofed and bound to credentials PR.AC-7: Users, devices, and other assets authenticated (singlefactor/multi-factor) commensurate with the risk of the transaction (individual and organizational risks) PAGE : 16

WATER/WASTEWATER CYBERSECURITY GUIDELINES AWWA using NIST as guide Updated guideline issued in 2017 Security framework includes best practices from NIST, AWWA, WaterISAC and others Practice Categories: Governance and Risk Management Business Continuity/Disaster Recovery Server and Workstation Hardening Access Control Application Security Encryption Telecom, Network Security & Architecture Physical Security Service Level Agreements (SLAs) Operations Security (OPSEC) Education Personnel Security PAGE : 17

SECURE COMMUNICATIONS Unprotected wired and wireless communications can be intercepted or manipulated in transit. Preventative Controls: Secure Channel Cryptography Robust Channel Cryptography Available Channel Anti-Denial of Service Anomaly Detection Device Hardening Robust access controls Patch management PAGE : 18

SECURE REMOTE ACCESS Undertake a formal threat and risk assessment Eliminate all direct connections to critical assets Secure modem access Good Practices for Secure Remote Access Use Demilitarized Zones (DMZ) to segment business and control architecture Establish user-specific authentication servers PAGE : 19

SECURE REMOTE ACCESS Good Practices for Secure Remote Access Create a security assurance policy for all remote access Use only full tunneling cryptographic technology Use a password policy specific to remote access Use multifactor authentication where possible Use role-based authorization levels PAGE : 20

SECURE REMOTE ACCESS Virtual Private Networks (VPN) provide access control and authentication for remote access to business networks and process control systems PAGE : 21

SECURE REMOTE ACCESS Client Client Client Corporate or Control Center Secure Access Manager Network Upstream Reporting i.e. SIEM RSA SecurID Sample of Network Architecture to Remote Site Active Directory Controller Authentication Server Network Client Station Access Controller Gateway Remote Site IED IED IED IED Page All Rights 22 Reserved. PAGE : 22

CALL TO ACTION Understand what assets you have in your Process Control System (asset inventory) Determine who should have access to what assets (and who should not) Decide what type of access control and authentication meets your business needs and risk levels PAGE : 23

CONTACT PAGE Todd Wedge Business Development Manager RUGGEDCOM Solutions Siemens Industry Mobile: +1 (206) 427-8892 E-mail: todd.wedge@siemens.com Answers for industry. PAGE : 24

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback