Trends in Cybersecurity in the Water Industry: A Strategic Approach to Mitigate Control System Risk


Steve Liebrecht, W/WW Industry Team - Detroit

Presenter: Steve Liebrecht
- 35 years with Rockwell Automation
- Currently Detroit Water Industry Team lead
- University of Toledo, BSEE
- Involved in W/WW for 30 years
- AWWA member since 2009
- Working with Michigan municipalities, consultants, pump OEMs and systems integrators
- Co-chairman, AWWA MI Water Security Committee
- Leading Water Cyber Security initiative for Rockwell

Presentation Goals
- Why should I be concerned with cyber security?
- Understand current cyber security landscape
- Technology advances in connectivity
- Internet of Things
- Typical attack methods
- Process Control System Cyber Security
- How do they get in?
- Threat Vectors - Top offenders
- Industry Specific Tools
- Guidelines
- DHS CSET Tool
- AWWA guidance tool web site

What do all these companies have in common?

The Internet - The world is increasingly connected
Internet: Military, Educational, Business, Industrial, Personal
Internet Uses:
- Email
- Information
- Business
- Social Networking
- Shopping
- Entertainment: Gaming, Watching Videos/Movies, Music
- Services: Online Banking, Job Seeking, Airline Tickets, Hotels

Technology Explosion
- 10-fold increase in internet use
- 1 billion Facebook users worldwide
- Most downloaded apps in 2012 were Angry Birds and Facebook
- Internet use by non-person entities: Gas Stations and Vending Machines, Cars, Smart Grid, Industrial Control Systems
- Increases in capability of cyber threats
- Increases in malware for mobile devices
- Going forward, vulnerabilities will be in mobile technology
- Energy and utilities see 60% increase in cyber attacks in the last 6 months

ABC News - Cyber Security In the News
Latest News:
- Dark energy
- Ransomware
Sites showing current global cyber attacks:
- https://www.fireeye.com/cyber-map/threat-map.html
- http://map.norsecorp.com/#/
- http://hp.ipviking.com/

Threat Vectors

Phishing Types- Generic or Spear

Social Networking

Control System vulnerabilities

Expansion of Connectivity = Expanded Threats

Security Threat Vectors
- Application of Patches
- Natural or Manmade Disasters
- Worms & Viruses
- Theft
- Sabotage
- Denial of Service
- Unauthorized Access
- Unauthorized Employee Actions
- Unauthorized Remote Access
- Unintended Employee Actions
Security risks increase potential for disruption to system uptime, safe operation, and a loss of intellectual property.

Unique Water Sector Challenges Aging Distribution Network -- Disparate Industrial Control & Information Systems

AWWA-Opflow August 2015

How Do They Get In? The ATTACK VECTOR
- Through USB Flash / Static Drives
- Software Coding Weaknesses / Flaws
- Social Engineering (now more than ever!)
- "Click the Link" Campaigns
- Design / Technical Interface Weaknesses / Flaws
- Lack of effective network segregation & defense in depth

Top Offenders: The Pervasive THREATS
- Passwords (weak, visible, default)
- Access Control (user login RTUs, PLCs)
- Internet Access (unrestricted, from the shop floor)
- Mixed Domains (lack of network segregation)
- Encryption (weak or absent)
- Asset Management (where is it? what's that?)
- "We don't need no stinkin' patches" (!)

Windows XP- End of Support April 2014

Examples: Fragmented Security Fail
- Continued use of products beyond vendor's support life-cycle
- No decommission, replacement or mitigation plan (i.e. Window
- Ungoverned participation by third-party contractors, vendors & de
- Open uncontrolled access; intended & unintended risks
- Unknown security gaps within systems & products
- No assessments, blind to health or knowledge of defenses
- Inadequate monitoring & detection of breach attempts & success
- Inability to respond or report to management
- Invalidated or unknown vendors
- Significant decrease of security effectiveness

How Can Cyber Events Affect Water Systems?
- Unauthorized changes to programmed instructions
- Block data or send false information to operators
- Change alarm thresholds or disable them
- Prevent access to account information
- Interfere with treatment equipment & potentially impact all downstream

A Vendor's Perspective
- Control System lifecycles are long (20+ years)
- Products will have vulnerabilities
- Security is a team sport
- Vendors & Customers
- IT & Engineering
- Pick your teams (point: don't go it alone)
REMEMBER:
- Human beings are imperfect
- Control System safety & security are closely linked
- Control System security is about managing variables
- Managing the security variables enhances uptime

Know Your Partners
- Functional & effective risk management
- Vetted relationships: SIs, Consultants, OEMs
- Secure networks & architectures
- Regulatory compliance: local, state & federal
- Baseline priorities identified
- Tested communication & response plans

Building the Program
1. Assessment of business needs & specific operational requirements of Industrial Control System
2. Identify critical assets & data
3. Support asynchronous technology & business change
4. Recognize that no single product or technology is the answer

Defense-in-Depth Framework
The basic tenets of this strategic framework are:
- Know the risks
- Quantify & qualify
- Use key resources to mitigate
- Define each resource's core competency & identify overlaps
- Abide by existing or emerging security standards
- Create & customize specific unique controls as needed

Resources and tools to help

Industry Specific- Roadmaps & Guidelines

Department of Homeland Security: CSET - Cyber Security Strategy
- Evaluate existing system
- Follow AWWA Roadmap
- Use Dept. of Homeland Security CSET (Cyber Security Evaluation Tool) version 6.1
- Self-evaluation tool: http://www.us-cert.gov/control_systems/satool.html
- Identify plant vulnerabilities
- Single largest vulnerability is from within
- Establish strategies to address vulnerabilities
- Look for ways to improve its robustness, resiliency
- How does it respond to a power outage/equipment failure?
- Is your control system backed up?
- Single largest vulnerabilities may be from within

AWWA Cybersecurity Guidance Tool
- Developed by AWWA, found on: www.awwa.org/cybersecurity
- 82 Cybersecurity Controls
- Use Cases describe PCS and cyber exposure
- Tool determines which controls apply to selected Use Cases and at which Priority (1-4)
- Priority 1: Do Immediately; Priority 4: Important but not Urgent
- Tool does not assess current situation

White Paper- Utility Cyber Security Planning

Automation Security Key Points
Practice 5 simple, actionable steps to enhance industrial security:
1. Control who has access
2. Employ firewalls and intrusion detection/prevention
3. Patch and update your control system hardware/software
4. Manage your passwords
5. Turn the PLC processor key(s) to Run mode
- Mandate new CIP projects include cyber security strategy - Defense in Design
- Consider a holistic/plant-wide approach to protecting the plant
- Establish partnership with a control system vendor
- Our control products are developed following the latest governmental security guidelines using our design-for-security philosophy and include features to facilitate physical and logical access control
- We also provide free resources to help: www.rockwellautomation.com/security
Enhance industrial security to improve robustness, reduce risk, and vulnerability

Steve Liebrecht W/WW Industry Team Leader Detroit Rockwell Automation sjliebrecht@ra.rockwell.com Cell 419-340-6873