CYBER SECURITY FOR WATER AND WASTEWATER UTILITIES PRESENTED BY: DAVID A. CHANDA, PE

Similar documents
SENATE, No STATE OF NEW JERSEY. 217th LEGISLATURE INTRODUCED DECEMBER 12, 2016

Cyber Security & Homeland Security:

300 Riverview Plaza Odysseus Marcopolus, Chief Operating Officer Trenton, NJ POLICY NO: SUPERSEDES: N/A VERSION: 1.0

NW NATURAL CYBER SECURITY 2016.JUNE.16

An Update on Security and Emergency Preparedness Standards for Utilities

All-Hazards Approach to Water Sector Security & Preparedness ANSI-HSSP Arlington, VA November 9, 2011

How AlienVault ICS SIEM Supports Compliance with CFATS

The Office of Infrastructure Protection

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Mission: Continuity BUILDING RESILIENCE AGAINST UNPLANNED SERVICE INTERRUPTIONS

Chapter 1. Chapter 2. Chapter 3

The Water Sector Approach to Cybersecurity

Directive on security of network and information systems (NIS): State of Play

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

Why you should adopt the NIST Cybersecurity Framework

The J100 RAMCAP Method

CYBER SECURITY POLICY REVISION: 12

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

The Office of Infrastructure Protection

Bradford J. Willke. 19 September 2007

DISTRICT OF COLUMBIA WATER AND SEWER AUTHORITY ATTACHMENT A A-1: BACKGROUND AND CONTRACTOR QUALIFICATIONS A-2: SCOPE OF WORK

Plenary Session: Branch Cybersecurity Controls Thursday, February 22 1:15 p.m. 2:15 p.m.

Business Continuity: How to Keep City Departments in Business after a Disaster

ALBEMARLE COUNTY SERVICE AUTHORITY

Understanding Holistic Effects of Cyber Events on Critical Infrastructure

Cyber Security Technologies

EC-Council Certified Incident Handler v2. Prepare to Handle and Respond to Security Incidents EC-COUNCIL CERTIFIED INCIDENT HANDLER 1

DHS Election Task Force Updates. Geoff Hale, Elections Task Force

Defending Our Digital Density.

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Cyber Security in Europe

The GenCyber Program. By Chris Ralph

University of Pittsburgh Security Assessment Questionnaire (v1.7)

INSPECTOR GENERAL U.S. DEPARTMENT OF THE INTERIOR

Cybersecurity Overview

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

Cyber security tips and self-assessment for business

Welcome to the CyberSecure My Business Webinar Series We will begin promptly at 2pm EDT All speakers will be muted until that time

CALIFORNIA CYBERSECURITY TASK FORCE

Cyber Security What Do I Need to Do Now?

Bonnie A. Goins Adjunct Industry Professor Illinois Institute of Technology

Technical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016

Sage Data Security Services Directory

First aid toolkit for the management of data breaches. Mary Deligianni Senior Associate 15 February 2018

Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure

ASSEMBLY, No STATE OF NEW JERSEY. 217th LEGISLATURE INTRODUCED FEBRUARY 4, 2016

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

The NIST Cybersecurity Framework

Resolution: Advancing the National Preparedness for Cyber Security

The SPARKS Project Motivation, Objectives and Results

Disaster Recovery and Business Continuity Planning (Mile2)

2017 SPRING INTERNSHIP PROGRAM OPPORTUNITY

Emerging Issues: Cybersecurity. Directors College 2015

Features of an Active and Effective Protective Program for Water and Wastewater Utilities. Be Prepared Be Secure Be Resilient

NYDFS Cybersecurity Regulations

PIPELINE SECURITY An Overview of TSA Programs

Resiliency and the Need for Re-Thinking our Water Infrastructure. Andrew Bielanski U.S. Environmental Protection Agency June 25, 2015

Securing Industrial Control Systems

2017 Annual Meeting of Members and Board of Directors Meeting

U.S. Department of Homeland Security Office of Cybersecurity & Communications

Continuous protection to reduce risk and maintain production availability

Government Resolution No of February 15, Resolution: Advancing National Regulation and Governmental Leadership in Cyber Security

Methods for Reducing Cybersecurity Vulnerabilities of Power Substations Using Multi-Vendor Smart Devices in a Smart Grid Environment

Updates to the NIST Cybersecurity Framework

Loss of Control Center Functionality: EOP-008-1, CIP-008-3, CIP September 30, 2014

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Integration of Business Continuity, Emergency Preparedness, and Emergency Response

Defensible Security DefSec 101

Incident Response Services

Grid Security & NERC. Council of State Governments. Janet Sena, Senior Vice President, Policy and External Affairs September 22, 2016

Welcome to Tomorrow... Today

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

ACM Retreat - Today s Topics:

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Security Standards for Electric Market Participants

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

The Office of Infrastructure Protection

2018 IT Priorities: Cybersecurity, Cloud Outsourcing & Risk Management. Follow Along

Google Cloud & the General Data Protection Regulation (GDPR)

IBM Security Intelligence on Cloud

Cybersecurity Auditing in an Unsecure World

Digital Wind Cyber Security from GE Renewable Energy

Education Network Security

Cyber Security Program

Implementing the Administration's Critical Infrastructure and Cybersecurity Policy

Keys to a more secure data environment

Active and Effective Water Security Programs. Be Informed Be Alert Be Ready

Critical Infrastructure Sectors and DHS ICS CERT Overview

Cybersecurity Checklist Business Action Items

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES

Protecting productivity with Industrial Security Services

Security. Protect your business from security threats with Pearl Technology. The Connection That Matters Most

American Association of Port Authorities. Navigating the Cyber Domain. Homeland Security UNCLASSIFIED

June 5, 2018 Independence, Ohio

security FRAUD PREVENTION Business Checklist Safeguard your money, your credit and your good name.

TSA/FTA Security and Emergency Management Action Items for Transit Agencies

WELCOME ISO/IEC 27001:2017 Information Briefing

EU General Data Protection Regulation (GDPR) Achieving compliance

Transcription:

CYBER SECURITY FOR WATER AND WASTEWATER UTILITIES PRESENTED BY: DAVID A. CHANDA, PE

Cyber Security A Hot Topic NotPetya Cyberattack 2018 Thales Data Threat Report Tempting Cedar Spyware

Implementation Origins Early 2000 s Risk Assessment Methodology for Water (RAM-W) Required by US EPA, based on cybersecurity work by Sandia Labs Threat and vulnerability assessments Consequences Risk assessment and emergency response plan 2010 AWWA Standard J100 Uses RAMCAP TM Risk and resilience analysis and management Identify vulnerabilities threats, natural hazards Methods to evaluate options for addressing weaknesses Focus on significant threats

New Jersey Requirements for Utilities 2016 BPU Utility Cyber Security Program (Docket No. AO160300196) Water Quality Accountability Act (NJSA 58:31-1 et seq)

Water Quality Accountability Act (NJSA 58:31-1 et seq) Water purveyors with > 500 service connections and internet connected controls system(s) Effective date: October 19, 2017 By February 16, 2018 develop a Cyber Security Program (Based on BPU requirements)

2018 WQAA Cyber Security Implementation Provide a copy of program to NJ Cybersecurity and Communications Integration Cell (NJCCIC) Due February 16, 2018 Join NJCCIC within 60 Days of developing the cybersecurity program Cyber Security Program Requirements Cyber Risk Management Situational Awareness Incident Reporting Response and Recovery Security Awareness & Training

Areas of Concern Customer Information Staff Information E-mail System Operating Data Operating Control Cloud-Based Computing vs. On-site Hardware

Approaches for Handling Security Equipment Hardware & Software Physical Security Organization Staff Training Handling of Unsolicited Files Passwords Turning-off Equipment Limiting Physical Access

Typical Network Infrastructure

Typical Network Infrastructure Cont.

Typical Network Infrastructure Cont.

Typical Organization Utility Manager/Director Financial Officer IT Manager Superintendent Coordinates Cyber Security Manages Cyber Security for Financial Systems Manages Operations of SCADA System IT Specialist/Consultant Coordinates Operations of Cyber Security Administrative Assistant System Billing

Monthly Requirements The IT specialist shall Monitor internal and external sources of threat and vulnerability Deliver critical alerts and notifications as they occur Maintain Executive Reports from Firewall including: Threat Identification Threat Protection Intrusion Detection Response Taken Recovery Steps

Quarterly Requirements - Training The IT specialist shall train Staff with access for potential pathways of threats New personnel The IT specialist shall train on Password management Contain both upper- and lower-case letters (case sensitivity). Contain one or more numerical digits. Special characters, e.g. @, #, $ etc. can be included but are not required. All passwords changed every 90 days Recommended minimum of eight characters.

Quarterly Requirements Training Cont. Downloading unlicensed software. Accessing files remotely should be through a secure remote access service (VPN). Safe internet usage, recognize any cyberattacks and vulnerabilities, and avoid any suspicious emails. Trained to recognize a legitimate warning message or alert. Employees should be trained to immediately report the incident so it can be investigated, and any threat reduced or removed.

Long Term Requirements Annual Requirements Perform an annual inventory analysis of critical systems and document any changes from the system architecture as operated in the prior calendar year. Review risk assessment methodology as encountered in the prior calendar year. 24 Month Requirements Create a cyber risk assessment plan and conduct an exercise to the test the Plan every 24 months at a minimum. Establish a Cyber Security Incident Response Plan that follows through the life-cycle of an incident.

Other Resources for Security Ideas CSET US Department of Homeland Security Cyber Resilience Review (CRR) Cyber Self Assessment WaterISAC Water Security Network Organization of water sector professionals Focuses on vulnerability and security of all types New Jersey Office of Homeland Security and Preparedness Currently Developing a checklist to determine internetconnected control system applicability.

Conclusions Cyber Security is an increasing threat to utilities Legislation and regulations currently require higher levels of protection for utilities Need for better protection will be extended to smaller systems, and possibly wastewater systems, over the coming years Effective Cyber Security risk management has several elements Organization Situational Awareness Incident Reporting Response and Recovery Security Awareness & Training Start planning and developing your program ASAP

QUESTIONS? Presenter: David A. Chanda, PE

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback