The Water Sector Approach to Cybersecurity

Similar documents
All-Hazards Approach to Water Sector Security & Preparedness ANSI-HSSP Arlington, VA November 9, 2011

The J100 RAMCAP Method

An Update on Security and Emergency Preparedness Standards for Utilities

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

Why you should adopt the NIST Cybersecurity Framework

The NIST Cybersecurity Framework

Framework for Improving Critical Infrastructure Cybersecurity

Business Continuity: How to Keep City Departments in Business after a Disaster

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

2016 Webinar Sponsors

Panelists. Moderator: Dr. John H. Saunders, MITRE Corporation

Cyber Security & Homeland Security:

End-to-End Trust, Segmentation and Segregation in the IIoT

Cyber Security What Do I Need to Do Now?

Bradford J. Willke. 19 September 2007

The Road Ahead for Healthcare Sector: What to Expect in Cybersecurity Session CS6, February 19, 2017 Donna F. Dodson, Chief Cybersecurity Advisor,

CYBER SECURITY FOR WATER AND WASTEWATER UTILITIES PRESENTED BY: DAVID A. CHANDA, PE

Updates to the NIST Cybersecurity Framework

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

Trends in Cybersecurity in the Water Industry A Strategic Approach to Mitigate Control System Risk

Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure

Critical Infrastructure Sectors and DHS ICS CERT Overview

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

NW NATURAL CYBER SECURITY 2016.JUNE.16

NCSF Foundation Certification

CYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS

Chapter 1. Chapter 2. Chapter 3

Cybersecurity Assessment Tool

Executive Order & Presidential Policy Directive 21. Ed Goff, Duke Energy Melanie Seader, EEI

Business Continuity Planning

Summary of Cyber Security Issues in the Electric Power Sector

Emerging Issues: Cybersecurity. Directors College 2015

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

The Office of Infrastructure Protection

DISTRICT OF COLUMBIA WATER AND SEWER AUTHORITY ATTACHMENT A A-1: BACKGROUND AND CONTRACTOR QUALIFICATIONS A-2: SCOPE OF WORK

Developing a Model for Cyber Security Maturity Assessment

METHODOLOGY AND CRITERIA FOR THE CYBERSECURITY REPORTS

FDA & Medical Device Cybersecurity

Homeland Security Perspectives: Oregon Fire District Directors Association October 25, 2018

National Policy and Guiding Principles

Centralized Control System Architecture

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

Using the NIST Cybersecurity Framework to Guide your Security Program August 31, 2017

STRATEGY ATIONAL. National Strategy. for Critical Infrastructure. Government

Cybersecurity Overview

Active and Effective Water Security Programs. Be Informed Be Alert Be Ready

MassMutual Business Continuity Disclosure Statement

NIST Cybersecurity Testbed for Transportation Systems. CheeYee Tang Electronics Engineer National Institute of Standards and Technology

Bonnie A. Goins Adjunct Industry Professor Illinois Institute of Technology

Cyber Resilience. Think18. Felicity March IBM Corporation

Security Metrics. February 25, Annabelle Lee Senior Technical Executive

The Evolving Threat to Corporate Cyber & Data Security

Outreach and Partnerships for Promoting and Facilitating Private Sector Emergency Preparedness

ISA99 - Industrial Automation and Controls Systems Security

Achieving Cyber-Readiness through Information Sharing Analysis Organizations (ISAOs)

Securing Industrial Control Systems

CyberUSA Government Cyber Opportunities for your Region: The Federal Agenda - Federal, Grants & Resources Available to Support Community Cyber

DHS Cybersecurity Services and Resources

Appendix 12 Risk Assessment Plan

A Controls Factory Approach To Operationalizing a Cyber Security Program Based on the NIST Cybersecurity Framework

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Symantec Business Continuity Solutions for Operational Risk Management

The Office of Infrastructure Protection

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Information sharing in the EU policy on NIS & CIIP. Andrea Servida European Commission DG INFSO-A3

Framework for Improving Critical Infrastructure Cybersecurity

Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13

Implementing the Administration's Critical Infrastructure and Cybersecurity Policy

COMMENTARY. Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards

Appendix 12 Risk Assessment Plan

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Network Architectural Design for Cybersecurity in a Virtual World

COMPASS FOR THE COMPLIANCE WORLD. Asia Pacific ICS Security Summit 3 December 2013

ISRAEL NATIONAL CYBER SECURITY STRATEGY IN BRIEF

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

Cybersecurity for the Electric Grid

Robert Hayes Senior Director Microsoft Global Cyber Security & Data Protection Group

Understanding Holistic Effects of Cyber Events on Critical Infrastructure

Defense Security Service. Strategic Plan Addendum, April Our Agency, Our Mission, Our Responsibility

Overview of the Cybersecurity Framework

GUIDELINES ON MARITIME CYBER RISK MANAGEMENT

CYBER RESILIENCE & INCIDENT RESPONSE

Cyber Hygiene: A Baseline Set of Practices

Control Systems Cyber Security Awareness

DHS Cybersecurity: Services for State and Local Officials. February 2017

Use Case: Data Diode Cybersecurity Implementation Protects Water Utility OT Network

Presented by Joe Burns Kentucky Rural Water Association July 19, 2005

ISAO SO Product Outline

Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise

Cybersecurity. Can Standards Bring Clarity from the Confusion? Speaker: David Doggett

Apr. 10, Vulnerability disclosure and handling processes strengthen security programs

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

INFORMATION ASSURANCE DIRECTORATE

Maritime Bulk Liquids Transfer Cybersecurity Framework Profile

RBI GUIDELINES ON CYBER SECURITY AND RAKSHA APPROACH

Enterprise Risk Management (ERM) and Cybersecurity. Na9onal Science Founda9on March 14, 2018

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

Regional Workshop on Frameworks for Cybersecurity and CIIP Feb 2008 Doha, Qatar

Copyright 2017 American Water Works Association

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

Transcription:

The Water Sector Approach to Cybersecurity Standards Certification Education & Training Publishing Conferences & Exhibits Kevin M. Morley, PhD American Water Works Association 2016 ISA Water / Wastewater and Automatic Controls Symposium August 2-4, 2016 Orlando, Florida, USA

Complex and Evolving Systems Process Control Systems AMR/AMI SCADA Communications Enterprise Systems Employee/Payroll Customer/Billing LIMS etc Source: ICS-CERT

Water Sector & Cybersecurity Y2K BT Act 2002 2008 Critical Milestone Develop a recommended practices ICS security template for widespread use in the water sector 2013 #1 Priority Advance the development of sector-specific cybersecurity resources

AWWA Standards & Guidance ANSI/AWWA G430-14: Security Practices for Operation & Management Information protection and continuity is a requirement ANSI/AWWA J100-10: Risk & Resilience Management of Water & Wastewater Systems Cyber is required threat domain ANSI/AWWA G440-11: Emergency Preparedness Practices Consideration of key business & operating system recovery Business Continuity Plans for Water Utilities Cyber recovery plan is required action item Process Control System Security Guidance for the Water Sector Supports voluntary adoption of NIST Cybersecurity Framework

ANSI/AWWA G430-14: Security Practices for Operations and Management Requirements: a) Explicit Commitment to Security b) Security Culture c) Defined Security Roles and Employee Expectations d) Up-To-Date Assessment of Risk (Vulnerability) e) Resources Dedicated to Security and Security Implementation Priorities f) Access Control and Intrusion Detection g) Contamination, Detection, Monitoring and Surveillance h) Information Protection and Continuity i) Design and Construction j) Threat Level-Based Protocols k) Emergency Response and Recovery Plans and Business Continuity Plan l) Internal and External Communications m) Partnerships n) Verification

National Call to Action Executive Order 13636: Improving Critical Infrastructure Cybersecurity (Feb 2013) NIST Cybersecurity Framework (Feb 2014) 1. Framework Core 2. Framework Profile 3. Framework Implementation Tiers Voluntary guidance to assist critical infrastructure and business s improve cybersecurity. 6

Excellent Foundation but Abstract to Many

Water Sector Approach Process Control System Security Guidance for the Water Sector (WITAF #503) Develop water sector guidance that provides a consistent and repeatable recommended course of action to reduce vulnerabilities in process control systems. Target audience for this resource are water utility general managers, chief information officers and utility directors with oversight and responsibility for process control systems. Aligns with sector and national priorities, fulfills need for sector-specific guidance as specified in EO 13636. Released February 2014, www.awwa.org/cybersecurity

Utility Driven Organized based on HOW the utility uses or operates their process control system It does NOT evaluate current security profile, but provides means for self-evaluation Generates prioritized list of controls that empowers utility to consider appropriate actions to manage cyber risks

Use-Case Tool 82 Cybersecurity Controls Use Cases describe PCS and cyber exposure Tool determines which controls apply to selected Use Cases and at which priority (1 4) Priority 1 do immediately; Priority 4 important, but not urgent If you do xx, then here are the appropriate controls for managing cyber risk

How is it Used? 1. As a stand-alone tool to identify an appropriate cybersecurity baseline. 2. As part of a larger cybersecurity assessment to validate findings and recommendations. 3. As basis for a cybersecurity improvements program.

One Step at a Time AWWA Guidance & Use-Case Tool Aligns w/nist Cyber Framework Cyber Security Evaluation Tool (CSET ) Assessment of policy & procedures relative to NIST 800-52 & NIST 800-53 Design Architectural Review (DAR) Evaluates network access/egress, design, configuration, applications and rules. Supported by ICS-CERT Network Architecture Verification and Validation (NAVV) Baseline network architecture, communication protocols, discover rogue connections, & identify configuration errors.

Principle Water Sector Needs 1. Education/Capacity Development Building awareness of not just the threat, but contextualize the potential consequences 2. Support/Incentivize Voluntary Action Insurance underwriters & bonding firms 3. Mitigation is what matters to owner/operator What is least disruptive mitigation action?

Summary.American Water Works Association has issued "Process Control System Security Guidance for the Water Sector" and a supporting "Use-Case Tool.". This tool is serving as implementation guidance for the Cybersecurity Framework in the Water and Wastewater Systems sector. - USEPA, May 2014

Questions Kevin M. Morley, PhD Manager - Security & Preparedness AWWA Government Affairs 202-628-8303 or kmorley@awwa.org www.awwa.org/cybersecurity

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback