Cybersecurity in the Water Sector · 2018-07-11 · Cybersecurity Guidance Is Available, But More...



Page 1: Cybersecurity in the Water Sector · 2018-07-11 · Cybersecurity Guidance Is Available, But More Can Be Done To Promote Its Use* * GAO-12-92 report on Critical Infrastructure Protection,

Cybersecurity in the Water Sector

AWWA’s mission: Providing solutions to effectively manage water, the world’s most important resource.

This seminar is designed to teach participants how to use the AWWA Cybersecurity Guidance Tool.

Safety and Comfort

• Emergency exits

• Bathrooms

• Smoking areas

Don Dickinson

Senior Business Development Manager, Phoenix Contact USA

• BS Electrical Engineering

• 34 years of experience

• Member of the AWWA Project Advisory Committee for development of Process Control System Security Guidance for the Water Sector and Online Tool

• Member of the AWWA Cybersecurity Subcommittee.

• Member of the International Society of Automation (ISA) and the Water Environmental Federation (WEF) Intelligent Water Technology Committee.

• Advanced cyber security training through ISA and other industry organizations


919-633-0147 (c)


Terrell Brown

IT Section – Supervisor, Water Resources Department, Greensboro, NC

• BS, Computer Science

• 13 years experience in IT network security and administration

• 5 years experience in SCADA network security and administration

• Advanced cyber security training through ICS-CERT


336-333-6506 (o)

Pavol Segedy, PE

HDR

• MS Automation and Controls Systems

• 15+ years of experience as an Automation and Controls Engineer, Designer and Programmer

• ISA - active committee member: ISA112 (SCADA), ISA 101 (Human Machine Interface), ISA/IEC 62443 (Cybersecurity), ISA-18.2 (Alarm Management)

• Active member of IEEE, WEF, AWWA; NC AWWA Automation Committee and Risk Management Committee

• 2018-2019 Director for the ISA Water and Wastewater Industry Division; Past-Chair for the 2016-2017 ISA Water/Wastewater and Automatic Controls

919.232.6649 (d)

Perry Gayle, PhD, PE

Risk and Resilience Leader, AECOM

• PhD Civil Engineering

• 43 yrs of experience

• Conducted over 50 Water Sector risk and resilience projects

• Provided cybersecurity support to DHS, Nashville, Louisville, and DC Water

• Member of AWWA Emergency Preparedness and Security Committee

• Cybersecurity training from ICS-CERT


919.461.1295 (d)


Cybersecurity Guidance Is Available, But More Can Be Done To Promote Its Use*

* GAO-12-92 report on Critical Infrastructure Protection, December 2011

A wide variety of cybersecurity guidance is available for entities in the critical infrastructure sectors including the water sector.

Given the plethora of guidance available, individual entities in the sectors may be challenged in identifying the guidance that is most applicable and effective in improving their security posture.

Description and Purpose

• This seminar consists of five modules that focus on the use cases and controls in AWWA’s Cybersecurity Guidance Tool (Tool). During this seminar you will see a demonstration of how to use the Tool to identify gaps that can be included in a cybersecurity improvement plan.

• The purpose for this seminar is to:

• Learn how the Tool works and how to use the Tool

• Learn the purpose and applications of control system use cases

• Learn the importance of evaluating use cases against the control system

• Demonstrate the Tool

• Address how to move forward with the recommendations of the report produced by the Tool


Course Requirements and Learning Elements

• Course Requirements
  • Prerequisites: None
  • Seminar attendance and participation
  • Participation in hands-on learning checks and quizzes

• Learning Elements
  • Lesson Plan
  • Presentation
  • Hands-on activities (demonstration)
  • Discussion
  • Participant handout
  • Quizzes and tests

Agenda - Morning

Welcome and Announcements
• Overview of Cyber Threats, Vulnerabilities, and Consequences from the Perspective of the Water Sector
• Developing a Business Case for Cybersecurity

Break
• Examples of Cybersecurity Mitigation Strategies
• Introduction to the AWWA Cybersecurity Guidance & Tool
• Selecting Use Cases

Lunch

Agenda - Afternoon

Lunch
• Reviewing Recommended Controls
• Executing the Tool

Break
• Implementing Recommendations
• Aligning Implementation Measures with Industry Standards
• Final Exam
• Wrap Up


Overview of Cyber Threat and Vulnerabilities from the Perspective of the Water Sector

Learning Objectives

• Define what we are trying to protect

• Recognize cyber threats are real

• Define water sector vulnerabilities

Useful Acronyms

APT: Advanced Persistent Threat
ICS: Industrial Control System
IT: Information Technology
OT: Operational Technology
PCS: Process Control System
PLC: Programmable Logic Controller
PSIMS: Physical Security Information Management System
SCADA: Supervisory Control and Data Acquisition


What are We Trying to Protect

• IT systems
  – ?
  – ?
  – ?
  – ?

• OT systems
  – ?
  – ?
  – ?
  – ?

What are We Trying to Protect: IT and OT Priorities

IT priority is CIA
– Confidentiality
– Integrity
– Availability

OT priority is AIC
– Availability
– Integrity
– Confidentiality

Why is this the case?

Threat Actors

Hacktivism

Crime

Insider

Espionage

Terrorism

Warfare


Notable Cyber Incidents

• December 23, 2015

• Power outage in Ukraine was caused by BlackEnergy malware

• The infection was implanted with a spear phishing email with a malicious Microsoft Office (MS Word) attachment

• Example of an Advanced Persistent Threat (APT) attack


Notable Cyber Incidents

• December 18, 2013
• Target stores incident
• Loss of 40 million payment card records
• Malware entered through 3rd party HVAC vendor
• CEO resigns
• Millions of customers have to replace credit and debit cards


Notable Cyber Incidents

• May 2017
• Worldwide cyberattack by WannaCry ransomware
• Affected more than 200,000 computers across 150 countries
• Healthcare, manufacturing, FedEx, others


The Threat – New Threats Every Day


Notable Cyber Incidents

• March 2016

• Iran infiltrated the computerized controls of a small dam 25 miles north of New York City

• Hackers broke into the command and control system of the dam in 2016 through a cellular modem

• Could not release water because the sluice gate controls had been disabled


Notable Cyber Incidents

• May 2014
• Disgruntled employee shuts down AMR/AMI in five cities by hacking Tower Gateway Base Stations, leading to loss of revenue data and dispatching of personnel to collect meter readings manually
• Insider threats
  – Employees have legitimate access and vast opportunity
  – Extensive statistics on compromising or stealing business confidential information
  – Over a third (36%) of companies surveyed claimed to have experienced insider incidents within the last year (InfoSecurity, Imperva)


Spear Phishing

• E-mail fraud attempt that targets a specific organization or person

• Messages appear to come from trusted sources

• May contain malicious attachments or web links

• Seeking unauthorized access to confidential data

• Conducted by sophisticated groups for financial gain, trade secrets, or military information

• Postings on Facebook, Twitter, and LinkedIn can make you more vulnerable


Advanced Persistent Threat (APT)

• Not a virus, worm, or glory-based attack
• The goal is not to crash your computer
• The goal is to steal information
• Specific targeting, not indiscriminate
• Very adaptive and agile
• May come in multiple packets and assemble on the target network
• Undetectable by anti-virus software
• Perpetrators are sophisticated, determined, coordinated, patient
• Maintain a low profile to remain undetectable


Timeline of a Typical APT Incident


The Threat is Likely Worse Than Reported

IT versus OT Vulnerabilities

| Topic | IT | OT |
|---|---|---|
| Availability | Reboots allowed for applying patches | Maintenance windows are few and far between |
| Consequences of Downtime / Outages | Data and production can typically be recovered | Data often not reconstructable, process restarts are highly disruptive |
| Endpoint Protection | Common and easy to deploy | PCS components do not support endpoint protection |
| Technology Support Lifetime | 3 to 4 year lifecycle | 20+ year lifecycle |
| Physical Security of Assets | Offices and data centers are relatively easy to secure | Remote location of some assets make physical security more challenging |
| System Security Development | Security features designed into all modern hardware and software | Most PCS components designed without security features |
| Internet Access | Systems designed for internet access | Older systems were never intended to be internet attached |


IT / OT Collaboration Vulnerabilities


Third Party Access Vulnerabilities

• Examples of 3rd party access
  – SCADA vendors
  – HR software
  – Payroll software
  – Customer service software
  – Asset management software
  – GIS consultants

• 85% of companies share access to data with business partners

• 28% have security standards for sharing access to data with business partners (AT&T)


Flat Network Vulnerabilities

• Networks should be segmented to limit lateral migration

• Separate segments with firewalls

• Traffic can be controlled by whitelisting IP addresses and applications

• Data flow can be controlled by uni-directional diodes


Exercise No. 1

• A visitor off the street comes to the receptionist's desk looking for a job and wants to give the receptionist a resume

• The visitor does not have a hard-copy resume, but wants the receptionist to print a copy from his flash drive

What should the receptionist do?


Exercise No. 2

• SCADA System is isolated from the internet

• SCADA operator creates a wireless hotspot using a smartphone to access a music website

• Plays music through the SCADA terminal

What is the risk?


Exercise No. 3

• Large city water utility has a dedicated surveillance camera network

• The city Office of Emergency Management has a city-wide surveillance camera network

• The utility wishes to integrate their cameras with the city system to achieve improved efficiencies and technical support

What are the risks?


Who is Responsible for Cyber Security

• ?

• ?

• ?

• ?

• ?

• ?

• ?

• ?


Summary of Typical Cyber Risks

• Phishing, spear phishing, whaling
• Other social engineering (flash drives, elicitation)
• Privileged access by external parties
• Unauthorized use of employee/customer credentials
• Privileged abuse by employees
• System vulnerabilities
• Exploitation of known software vulnerabilities


Summary and Conclusions

• The threats of a cyber incident are real

• Our systems have vulnerabilities

• Everyone can contribute to cyber security


Questions?


Developing a Business Case for Cybersecurity

Key Points on Security

• Security is a process not a task! A journey not a destination!

• Security is not an absolute! It’s a matter of degree.

• Everyone has a role to play, not just IT, and those roles and related responsibilities must be clearly defined and monitored.

• Neither practical nor feasible to fully mitigate all risks. Must allocate available resources as efficiently as possible.

• Goal: Risk management for critical infrastructure.

Critical Infrastructure Protection

…essential to the nation’s security, public health and safety, economic vitality, and way of life.


Cybersecurity Business Drivers in the Water Sector

• Potential for Operational and Financial impact

• Loss of Public Confidence caused by cyber breach

• Executive Orders encouraging voluntary action

• Bonding Agencies and Insurance Underwriters taking into consideration Cybersecurity Preparedness

• States beginning to pass regulations for Cybersecurity programs

Cybersecurity Guidance Is Available, But More Can Be Done To Promote Its Use*

* GAO-12-92 report on Critical Infrastructure Protection, December 2011

A wide variety of cybersecurity guidance is available for entities in the seven critical infrastructure sectors including the water sector.

Given the plethora of guidance available, individual entities in the sectors may be challenged in identifying the guidance that is most applicable and effective in improving their security posture.

AWWA G430-14: Security Practices for Operation and Management

Purpose is to define the minimum requirements for a protective security program for a water or wastewater utility that will promote the protection of employee safety, public health, public safety, and public confidence.


ANSI / AWWA G430-14: Security Practices for Operation and Management

• Explicit Commitment to Security: Explicit and visible commitment of senior leadership to security. Periodic review & update of security plan.

• Security plan: Comprehensive plan developed by utility that includes security goals, objectives, strategies, policies & procedures. Coordinate with Emergency Preparedness plan & Business Continuity plan.


The first step in implementing a security program is to develop a compelling business case for the unique needs of the organization.

ISA-62443 (ISA-99) Security for Industrial Automation and Control Systems

• Purpose is to define procedures for implementing electronically secure manufacturing and control systems, and security practices and assessing electronic security performance.


ISA-62443 Security for Industrial Automation and Control Systems (IACS)

ANSI/ISA–62443-2-1 (99.02.01) – 2009

Establishing an Industrial Automation and Control Systems Security Program

• Describes the elements of a Cyber Security Management System (CSMS)

• Elements relate to policy, procedures, practices and personnel

ISA 62443-2-1: Develop a business rationale

4.2.2

• DESCRIPTION: A business rationale is based on the nature and magnitude of financial, health, safety, environmental, and other potential consequences should IACS cyber events occur.

• RATIONALE: Establishing a business rationale is essential for an organization to maintain management buy-in to an appropriate level of investment for the IACS cybersecurity program.

ISA 62443-2-1: Develop a business rationale

4.2.2.1

REQUIREMENTS: Develop a business rationale

• The organization should develop a high-level business rationale as a basis for its effort to manage IACS cyber security, which addresses the unique dependence of the organization on IACS.

ISA 62443-2-1: Develop a business rationale

Annex A (informative)

Guidance for developing the elements of a CSMS

• Description of element

• Element-specific information

• Supporting practices
  – Baseline practices
  – Additional practices

• Resources used

ISA 62443-2-1: Develop a business rationale

A.2.2.3 Key components of business rationale

• Prioritize business consequences – What events would have the greatest impact on the organization?
• Prioritize threats – Which are the most credible?
• Estimated annual business impact – What is the business impact, if possible, in financial terms?
• Cost – What is the estimated cost of the human effort and technical countermeasures that the business rationale intends to justify?


Questions?


Break: 9:55 – 10:15