Trends in Cybersecurity in the Water Industry
A Strategic Approach to Mitigate Control System Risk
Standards Certification Education & Training Publishing Conferences & Exhibits
Steve Liebrecht, W/WW Industry Team - Detroit

Presenter
- Steve Liebrecht
- 35 years with Rockwell Automation
- Currently Detroit Water Industry Team lead
- University of Toledo, BSEE
- Involved in W/WW for 30 years
- AWWA member since 2009
- Working with Michigan municipalities, consultants, pump OEMs and systems integrators
- Co-chairman, AWWA MI Water Security Committee
- Leading Water Cyber Security initiative for Rockwell

Presentation Goals
- Why should I be concerned with cyber security?
- Understand current cyber security landscape
- Technology advances in connectivity
- Internet of things
- Typical attack methods
- Process Control System Cyber Security
- How do they get in?
- Threat Vectors - Top offenders
- Industry Specific Tools, Guidelines
- DHS CSET Tool
- AWWA guidance tool web site

What do all these companies have in common?
The Internet - The world is increasingly connected
Internet: Military, Educational, Business, Industrial, Personal
Internet Uses:
- Email
- Information
- Business
- Social Networking
- Shopping
- Entertainment - Gaming, Watching Videos/Movies, Music
- Services - Online Banking, Job Seeking, Airline Tickets, Hotels

Technology Explosion
- 10 Fold Increase in internet use
- 1 Billion Facebook users worldwide
- Most downloaded apps in 2012 were Angry Birds and Facebook
- Internet use by non-person entities
  - Gas Stations and Vending Machines
  - Cars
  - Smart Grid
  - Industrial Control systems
- Increases in capability in Cyber threats
- Increases in malware for mobile devices
- Going forward vulnerabilities will be mobile technology
- Energy and utilities see 60% increase in cyber attacks in the last 6 months

ABC News - Cyber Security In the News
Latest News
- Dark energy
- Ransomware
Sites showing current global cyber attacks:
- https://www.fireeye.com/cyber-map/threat-map.html
- http://map.norsecorp.com/#/
- http://hp.ipviking.com/

Threat Vectors
Phishing Types - Generic or Spear
Social Networking
Control System vulnerabilities
Expansion of Connectivity = Expanded Threats
Security Threat Vectors
- Application of Patches
- Natural or Manmade Disasters
- Worms & Viruses
- Theft
- Sabotage
- Denial of Service
- Unauthorized Access
- Unauthorized Employee Actions
- Unauthorized Remote Access
- Unintended Employee Actions
Security risks increase potential for disruption to system uptime, safe operation, and a loss of intellectual property.

Unique Water Sector Challenges
- Aging Distribution Network
- Disparate Industrial Control & Information Systems

AWWA-Opflow August 2015
How Do They Get In? The ATTACK VECTOR
- Through USB Flash / Static Drives
- Software Coding Weaknesses / Flaws
- Social Engineering (now more than ever!)
- Click the Link Campaigns
- Design / Technical Interface Weaknesses / Flaws
- Lack of effective network segregation & defense in depth

Top Offenders: The Pervasive THREATS
- Passwords (weak, visible, default)
- Access Control (user login RTUs, PLCs)
- Internet Access (unrestricted - from the shop floor)
- Mixed Domains (lack of network segregation)
- Encryption (weak or absent)
- Asset Management (where is it? what's that?)
- We don't need no stinkin' patches (!)

Windows XP- End of Support April 2014
Examples: Fragmented Security Fail
- Continued use of products beyond vendor's support life-cycle
  - No decommission, replacement or mitigation plan (i.e. Window
- Ungoverned participation by third-party contractors, vendors & de
  - Open uncontrolled access; intended & unintended risks
- Unknown security gaps within systems & products
  - No assessments, blind to health or knowledge of defenses
- Inadequate monitoring & detection of breach attempts & success
  - Inability to respond or report to management
- Invalidated or unknown vendors
  - Significant decrease of security effectiveness

How Can Cyber Events Affect Water Systems?
- Unauthorized changes to programmed instructions
- Block data or send false information to operators
- Change alarm thresholds or disable them
- Prevent access to account information
- Interfere with treatment equipment & potentially impact all downstream

A Vendor's Perspective
- Control System lifecycles are long (20+ years)
- Products will have vulnerabilities
- Security is a team sport
  - Vendors & Customers
  - IT & Engineering
  - Pick your teams (point: don't go it alone)
REMEMBER:
- Human beings are imperfect
- Control System safety & security are closely linked
- Control System security is about managing variables
- Managing the security variables enhances uptime

Know Your Partners
- Functional & effective risk management
- Vetted relationships - SIs, Consultants, OEMs
- Secure networks & architectures
- Regulatory compliance - local, state & federal
- Baseline priorities identified
- Tested communication & response plans

Building the Program
1. Assessment of business needs & specific operational requirements of Industrial Control System
2. Identify critical assets & data
3. Support asynchronous technology & business change
4. Recognize that no single product or technology is the answer

Defense-in-Depth Framework
The basic tenets of this strategic framework are:
- Know the risks
- Quantify & qualify
- Use key resources to mitigate
- Define each resource's core competency & identify overlaps
- Abide by existing or emerging security standards
- Create & customize specific unique controls as needed

Resources and tools to help
Industry Specific - Roadmaps & Guidelines
Department of Homeland Security: CSET - Cyber Security Strategy
- Evaluate existing system
- Follow AWWA Roadmap
- Use Dept Homeland Security CSET (Cyber Security Evaluation Tool) version 6.1
- Self evaluation tool: http://www.us-cert.gov/control_systems/satool.html
- Identify plant vulnerabilities
- Single largest vulnerability is from within
- Establish strategies to address vulnerabilities
- Look for ways to improve its robustness, resiliency
- How does it respond to a power outage/equipment failure?
- Is your control system backed-up?
- Single largest vulnerabilities may be from within

AWWA Cybersecurity Guidance Tool
- Developed by AWWA, found on: www.awwa.org/cybersecurity
- 82 Cybersecurity Controls
- Use Cases describe PCS and cyber exposure
- Tool determines which controls apply to selected Use Cases and at which Priority (1-4)
- Priority 1: Do Immediately; Priority 4: Important but not Urgent
- Tool does not assess current situation

White Paper - Utility Cyber Security Planning
Automation Security Key Points
Practice 5 simple, actionable steps to enhance industrial security:
1. Control who has access
2. Employ firewalls and intrusion detection/prevention
3. Patch and update your control system hardware/software
4. Manage your passwords
5. Turn the PLC processor key(s) to Run mode
- Mandate new CIP projects include cyber security strategy - Defense in Design
- Consider a holistic/plant wide approach to protecting the plant
- Establish partnership with a control system vendor
- Our control products are developed following the latest governmental security guidelines using our design-for-security philosophy and include features to facilitate physical and logical access control
- We also provide free resources to help: www.rockwellautomation.com/security
- Enhance industrial security to improve robustness, reduce risk, and vulnerability

Steve Liebrecht W/WW Industry Team Leader Detroit Rockwell Automation sjliebrecht@ra.rockwell.com Cell 419-340-6873