
Presentation titlePresenter

Organization

The Water Act Regulation: Cybersecurity Assessment Completed, Now What?

David Brearley, GICSP, PMP

OT Cybersecurity Director

[email protected]


Agenda

01 Cybersecurity Risk Tolerance

02 Understanding Threat Vectors

03 Selecting Mitigations

04 Q&A


Cybersecurity Risk Tolerance


You have to be right 100% of the time,

the cyber criminals only have to be

right once!


Cybersecurity = Risk Management

Mitigation of cybersecurity risk in systems and organizations is the practice of risk management.

Risk management assumes you cannot eliminate risk, but you can mitigate risk

Mitigating your risk requires that you know your risk

Knowing your risk requires risk assessment

Risk Management is a continuous lifecycle

Security Risk = Impact x (Threats x Vulnerabilities)



Potential Consequences of Breach

Information Technology

Financial

Loss of Client Data

Loss of HIPAA Data

Encrypted Data (Ransom)

Loss of Engineering Data

Consumer Confidence

Legal

Loss of procurement and billing functions

CIA Triad (diagram): Availability

Operational Technology

Financial – Equipment damage, remediation, revenue loss, mitigations, emergency response….

Legal

Reputation

Permit Violations

Life Safety – Loss of ability to produce or distribute water, treat wastewater, produce power, etc

Life Safety - Personnel


Control System Risk Tolerance Considerations

How critical is the control system to operations?

Reliance on automation, consider:

Can treatment occur without any automation?

Remote Sites

Loss of trust in VFD, Switchgear, and other programmable devices

Critical Assets and Packaged Systems

In the event of a breach…

Recovery time objective

Recovery point objective

Sustainability of manual operations – staffing, logistics, communications


Risk Tolerance / Financial Capabilities

Risk = Threats x Vulnerabilities x Consequence

Does the size of your utility change…

Threat likelihood? Consequence?

Capital Funding (assessment and mitigation)

O&M Funding for threat/network monitoring, patching and maintenance, training and incident response

Staff (remote operations, contract IT/OT)

Source: AWWA Water Sector Cybersecurity Risk Management Guidance

Risk management is not one-size-fits-all. Mitigations need to achieve owner-defined risk tolerance, level of investment, maintainability, and operability.


Understanding Threat Vectors


Who is the adversary?

General Classifications

Insider Threat / Outsider Threat

Motivated vs. Non-Motivated

Skilled vs. Unskilled

Outside Groups

Nation States

Ransomware as a Service (RaaS)

Hacking Groups

Activists, disgruntled individuals

Many other possibilities….

Cybersecurity & Infrastructure Security Agency (CISA) Current Nation States Threats


Successful Attacks

Timeline (years on the slide axis): 2000, 2009, 2010, 2012, 2013, 2014, 2016, 2017, 2018, 2021

Maroochy Shire, Au: Sewage Spill

Texas road sign "Zombies"

STUXNET

IL Municipal Water (From Russia w/Love)

Bowman Ave Dam, NY

Smart Meter Attacks (5 Cities)

Ukraine power grid

Kemuri Water Co (KWC): Chemical Dosing Changes

Saudi Arabia (TRISIS)

Saipem O&G (Shamoon)

Triconex Safety System Attacks (multiple - TRISIS)

Jan. Ryuk Ransomware Attack ($30M / 24-72hr ICS Outage)

Feb. EKANS (ICS-Malware)

Jan. Sunburst Attack (Solarwinds / FireEye / 18,000 installations)

Feb. Oldsmar WTP Chemical System Setpoint Changes

Mar. Ellington Kansas

May Colonial Pipeline

"In 2019, OT targeting increased 2000% over one year with more attacks on ICS and OT infrastructure than any of the prior three years. Most observed attacks involved a combination of known vulnerabilities within SCADA and ICS hardware as well as password-spraying." -- IBM X-Force, 2020


Common Vulnerabilities

26% of attacks attributed to insiders

Back doors exist in almost all control systems

Improper input validation

Security configuration and maintenance

Credentials management

Improper authentication

Permission, privileges and access controls

The weakest link is you!


Selecting Mitigations


Vulnerability / Detailed Risk Assessment Methodology

Systematic approach

Comprehensive Network Inventory

Network Data Captures (PCAP)

Configuration Capture/Scans

Develop Purdue Model Network Diagram with Data Flows

Identify Vulnerabilities

National Vulnerability Database (NVD)

ICS-CERT Advisories

OEM Vendor Alerts

Source: ISA 62443-2-1 (Figure B.4)
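The "Identify Vulnerabilities" step above is where the network inventory meets the NVD, ICS-CERT and OEM advisories. The script below is an added example, not code from the presentation: it takes an asset inventory (name, vendor, product, firmware version, Purdue level) and a list of advisories with the first fixed release, flags every asset running below the fix, and orders the hits by severity and then by how close the device sits to the process. The inventory rows, vendor and product names and the advisory ids are all constructed placeholders.

```python
"""Match a control-system asset inventory against vendor advisories.

Added example for the assessment methodology above; it is not code from
the presentation. The inventory rows and the advisories are constructed
sample data with placeholder advisory ids; in practice the rows come from
the utility's own inventory and the advisories from the NVD, CISA ICS
advisories and OEM alerts.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    vendor: str
    product: str
    version: str
    purdue_level: int  # 0/1 = process and basic control, 2 = supervisory, 3 = site operations


@dataclass(frozen=True)
class Advisory:
    ref: str        # placeholder id, not a real advisory number
    vendor: str
    product: str
    fixed_in: str   # first release that contains the fix
    severity: str   # critical / high / medium / low


def parse_version(text: str) -> tuple:
    """Turn '2.10.3' into (2, 10, 3) so '2.10' sorts after '2.9' (numeric, not lexical)."""
    return tuple(int(part) for part in text.split("."))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """Affected when vendor and product match and the asset runs below the fixed release."""
    return (asset.vendor.lower() == adv.vendor.lower()
            and asset.product.lower() == adv.product.lower()
            and parse_version(asset.version) < parse_version(adv.fixed_in))


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def find_exposures(assets, advisories):
    """Return (asset name, advisory ref, severity) tuples, most urgent first.

    Ordering: higher severity first, then lower Purdue level first, because a
    flaw on a PLC at level 1 touches the process directly.
    """
    hits = [(a.name, adv.ref, adv.severity, a.purdue_level)
            for a in assets for adv in advisories if is_affected(a, adv)]
    hits.sort(key=lambda h: (SEVERITY_RANK[h[2]], h[3]))
    return [(name, ref, sev) for name, ref, sev, _ in hits]


# Constructed sample inventory (hypothetical vendor and product names).
INVENTORY = [
    Asset("PLC-01", "ExampleVendor", "PLC-X", "2.4.1", 1),
    Asset("PLC-02", "ExampleVendor", "PLC-X", "3.0.0", 1),
    Asset("HMI-01", "ExampleVendor", "HMI-Suite", "5.2.0", 2),
    Asset("HIST-01", "OtherVendor", "Historian", "10.1.0", 3),
]

# Constructed sample advisories; the refs are placeholders.
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-1", "ExampleVendor", "HMI-Suite", "5.3.0", "high"),
    Advisory("ADV-PLACEHOLDER-2", "ExampleVendor", "PLC-X", "3.0.0", "critical"),
    Advisory("ADV-PLACEHOLDER-3", "OtherVendor", "Historian", "10.0.0", "medium"),
]

if __name__ == "__main__":
    for name, ref, sev in find_exposures(INVENTORY, ADVISORIES):
        print(f"{sev:8} {name:8} {ref}")
```

The numeric version comparison matters more than it looks: string comparison would call firmware 2.10 older than 2.9, and an asset that has actually been patched would stay on the list.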


Prioritization

Balanced Return on Investment

Mitigation cost vs. Consequence

Security vs. Convenience vs. Operability

Likelihood vs. Costs (Mitigation & Consequence)

Prioritization

Vulnerability Exposure

Insider vs. Outsider

Consequence / System Criticality

Low Hanging Fruit: Backups, Training, Response Plans
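The prioritization slide weighs risk reduction against mitigation cost and the owner's risk tolerance. The following is an added worked example, not code from the presentation: it scores each scenario with the deck's Risk = Threats x Vulnerabilities x Consequence, costs each candidate mitigation over a planning horizon (capital plus the O&M that is easy to forget), ranks the mitigations by risk points removed per $1k, and then reports which scenarios are still above tolerance after the chosen set is applied. The 1-5 scoring scale, the scenarios, the cost figures and the way stacked mitigations combine are all assumptions of this example.

```python
"""Rank candidate mitigations by risk reduction per dollar.

Added example for the prioritization slide above, not code from the
presentation. It uses the deck's formula Risk = Threats x Vulnerabilities x
Consequence with each factor scored 1-5; the scenarios, mitigations, scores
and costs are constructed sample values, and the 1-5 scale and the way
stacked mitigations combine are assumptions of this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    threat: int         # likelihood an adversary attempts it, 1-5
    vulnerability: int  # how exposed the system is to it, 1-5
    consequence: int    # impact if it succeeds, 1-5


@dataclass(frozen=True)
class Mitigation:
    name: str
    scenario: str       # scenario it addresses
    vulnerability: int  # vulnerability score after the mitigation
    consequence: int    # consequence score after the mitigation
    capital: float      # one-time cost
    annual_om: float    # recurring monitoring / maintenance / training cost


def risk(threat: int, vulnerability: int, consequence: int) -> int:
    return threat * vulnerability * consequence


def scenario_risk(s: Scenario) -> int:
    return risk(s.threat, s.vulnerability, s.consequence)


def lifecycle_cost(m: Mitigation, years: int) -> float:
    """Capital plus O&M over the planning horizon; O&M is what often gets forgotten."""
    return m.capital + m.annual_om * years


def rank_by_roi(scenarios, mitigations, years=5):
    """Return (name, risk reduction, cost, reduction per $1k) sorted best value first."""
    by_name = {s.name: s for s in scenarios}
    rows = []
    for m in mitigations:
        s = by_name[m.scenario]
        reduction = scenario_risk(s) - risk(s.threat, m.vulnerability, m.consequence)
        cost = lifecycle_cost(m, years)
        rows.append((m.name, reduction, cost, reduction / (cost / 1000)))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


def residual_risk(scenarios, mitigations, chosen):
    """Residual risk per scenario once the chosen mitigations are in place.

    Assumption: stacked mitigations combine by taking the lowest vulnerability
    and lowest consequence score among them (no extra credit for overlap).
    """
    out = {}
    for s in scenarios:
        applied = [m for m in mitigations if m.name in chosen and m.scenario == s.name]
        v = min([s.vulnerability] + [m.vulnerability for m in applied])
        c = min([s.consequence] + [m.consequence for m in applied])
        out[s.name] = risk(s.threat, v, c)
    return out


def over_tolerance(residual: dict, tolerance: int):
    """Scenarios still above the owner-defined risk tolerance."""
    return sorted(name for name, r in residual.items() if r > tolerance)


# Constructed sample data.
SCENARIOS = [
    Scenario("ransomware via remote access", 4, 4, 5),
    Scenario("malware spreads from IT to OT", 4, 5, 4),
    Scenario("insider changes setpoints", 2, 4, 4),
]
MITIGATIONS = [
    Mitigation("MFA on remote access", "ransomware via remote access", 2, 5, 15_000, 3_000),
    Mitigation("tested backups + DR plan", "ransomware via remote access", 4, 3, 10_000, 5_000),
    Mitigation("IT/OT segmentation firewall", "malware spreads from IT to OT", 2, 4, 60_000, 10_000),
    Mitigation("OT network monitoring", "malware spreads from IT to OT", 4, 2, 80_000, 40_000),
    Mitigation("role-based access + training", "insider changes setpoints", 2, 4, 2_000, 3_000),
]

if __name__ == "__main__":
    for name, red, cost, per_k in rank_by_roi(SCENARIOS, MITIGATIONS):
        print(f"{per_k:5.2f} risk points per $1k  {name:30} -{red:3d} risk  ${cost:,.0f}")
    chosen = {"MFA on remote access", "tested backups + DR plan", "role-based access + training"}
    print("still above tolerance:", over_tolerance(residual_risk(SCENARIOS, MITIGATIONS, chosen), 30))
```

With these sample numbers the "low hanging fruit" (access control, training, tested backups) rank near the top on value per dollar, while monitoring ranks last because its recurring staff cost dominates over five years; yet the IT/OT segmentation firewall is still the only item that brings the highest residual scenario under tolerance, which is the balance the slide is asking you to strike.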


Mitigation Costs

Mitigation vs. Cost

• Network Monitoring: Significant investment in monitoring solution and staff time to monitor

• Network Segmentation: Additional networking equipment and more advanced skillset to maintain

• Backup Testing and Disaster Recovery Plans: Lower investment in solution and staffing. Reactive response rather than lowering the likelihood or breadth of impact.

Balanced investment for risk tolerance and maintainability

Investments in technologies, staff and time


PEOPLE, Processes & Technologies

Establish risk management leadership team

Establish or adopt a risk management framework

Commitment to follow best practices and industry standards

Training staff on role-specific cybersecurity

Establish roles and responsibilities

Incident response, tabletop simulations, and “manual operation” days

Management support is critical to success

(Diagram: Technology, Processes, People)


People, PROCESSES & Technologies

Develop cybersecurity policies

Set expectations of staff

IT and OT systems

Include special risk systems - SIS, communications, etc.

Procedures for system interaction

Vendor and Procurement requirements

Incident response plans and disaster recovery plans for cyber attacks

Risk assessments at frequency defined by policy

Policies & Procedures

(Diagram: Regulations, Standards, Guidelines, Law, Conduct, Constraint, Plan, Solution)

Get organized and establish a vision for staff


People, Processes & TECHNOLOGIES

Implement Network Defense in Depth

Secure existing infrastructure (use standards)

Leverage technology to:

Protect against human error

Enforce policies through auditing

Aid in procedures

Limit accessibility

Detect anomalies

Recover from attacks

Provide staff the tools for success

Connected devices (and data flows) must have a business purpose

Least functionality & least privilege

Defense-in-depth layers (diagram): Data Security, App Security, Endpoint Security, Network Security, Perimeter Security, surrounding the Critical Assets
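Two points in the deck meet here: the assessment methodology (network inventory, PCAP captures, a Purdue model diagram with data flows) and the rule that every connected device and data flow must have a business purpose. The script below is an added example, not code from the presentation, of turning those into a repeatable check: it reads a conversation summary of the kind a PCAP flow tool exports, looks each endpoint up in the inventory with its Purdue level, and flags devices that are not in the inventory, flows that cross the IT/OT boundary without passing through the DMZ, flows that skip Purdue levels, and flows with no documented business purpose. The addresses, device names, approved-flow list and the conversation summary are constructed sample data; the "adjacent levels only" rule and the 3.5 DMZ level are this example's simplification of the Purdue model.

```python
"""Audit observed network conversations against the Purdue model and an
approved data-flow list.

Added example for the assessment methodology (network inventory, PCAP
captures, Purdue diagram with data flows) and for the rule that every
connected device and data flow must have a business purpose. It is not code
from the presentation. Addresses, device names, the approved-flow list and
the conversation summary are constructed sample data; the summary stands in
for what a PCAP flow tool would export.
"""

# Constructed inventory: address -> (device name, Purdue level). 3.5 is the DMZ.
INVENTORY = {
    "10.10.1.10": ("PLC-01", 1),
    "10.10.2.20": ("HMI-01", 2),
    "10.10.3.30": ("HIST-01", 3),
    "10.10.35.5": ("DMZ-HIST-REPLICA", 3.5),
    "10.20.4.40": ("ENG-LAPTOP-04", 4),
}

# Constructed approved flows: (src, dst, dst port) -> documented business purpose.
APPROVED = {
    ("10.10.2.20", "10.10.1.10", 502): "HMI polls PLC (Modbus/TCP)",
    ("10.10.3.30", "10.10.2.20", 4840): "Historian collects from HMI OPC UA server",
    ("10.10.35.5", "10.10.3.30", 4840): "DMZ replica pulls from site historian",
    ("10.20.4.40", "10.10.35.5", 443): "Enterprise reporting reads DMZ replica",
}

# Constructed conversation summary: src dst dst_port proto packets
FLOW_SUMMARY = """\
10.10.2.20 10.10.1.10 502 tcp 1200
10.10.3.30 10.10.2.20 4840 tcp 300
10.10.35.5 10.10.3.30 4840 tcp 90
10.20.4.40 10.10.35.5 443 tcp 40
10.20.4.40 10.10.1.10 502 tcp 3
10.10.2.20 10.10.1.10 80 tcp 12
192.168.50.7 10.10.2.20 3389 tcp 8
"""


def parse_flows(text: str):
    """Parse the whitespace-separated summary into flow dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, proto, packets = line.split()
        flows.append({"src": src, "dst": dst, "port": int(port),
                      "proto": proto, "packets": int(packets)})
    return flows


def audit_flow(flow, inventory=INVENTORY, approved=APPROVED):
    """Return a list of issue strings for one conversation (empty list = clean)."""
    issues = []
    src = inventory.get(flow["src"])
    dst = inventory.get(flow["dst"])
    if src is None:
        issues.append(f"unknown source device {flow['src']}")
    if dst is None:
        issues.append(f"unknown destination device {flow['dst']}")
    if src and dst:
        a, b = src[1], dst[1]
        # Enterprise (level 4+) may reach OT (level 3 and below) only via the DMZ (3.5).
        if (a >= 4 and b <= 3) or (b >= 4 and a <= 3):
            issues.append(f"crosses IT/OT boundary without DMZ ({src[0]} L{a} -> {dst[0]} L{b})")
        # Otherwise adjacent levels only; a jump of two or more levels is a design smell.
        elif abs(a - b) > 1:
            issues.append(f"skips Purdue levels ({src[0]} L{a} -> {dst[0]} L{b})")
    if (flow["src"], flow["dst"], flow["port"]) not in approved:
        issues.append(f"no approved business purpose for {flow['src']} -> {flow['dst']}:{flow['port']}")
    return issues


def audit(text: str, inventory=INVENTORY, approved=APPROVED):
    """Return (flow, issue) pairs for every conversation that fails a rule."""
    findings = []
    for flow in parse_flows(text):
        for issue in audit_flow(flow, inventory, approved):
            findings.append((flow, issue))
    return findings


if __name__ == "__main__":
    for flow, issue in audit(FLOW_SUMMARY):
        print(f"{flow['src']:>13} -> {flow['dst']:<12}:{flow['port']:<5} {issue}")
```

On the sample data the four approved conversations come back clean, the engineering laptop talking Modbus straight to the PLC is flagged twice (boundary crossing and no business purpose), the HMI-to-PLC conversation on port 80 is flagged only because nobody has documented a purpose for it, and the address that is not in the inventory is flagged as an unknown device. Each finding maps to a question for the owner rather than an answer: document the purpose, remove the flow, or fix the inventory.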


Defense in Depth: Remote Site Example

Physical Protections and Deterrents

Critical Infrastructure Signage

Fence Line / Physical Barriers

Cameras / Lighting

Door Locks

Electronic Facility Security (Monitor/Respond)

Cabinet Entry Alarms (to SCADA)

Chain Locks on Valves

Cyber

Port Locks

Cable Locks

Authentication

Encryption

Data Flow Controls

Cybersecurity doesn’t exist without physical security


CISA: Five Key Countermeasures for ICS

1. Identify, minimize and secure all network connections to ICS (OT)

2. Harden the ICS and supporting systems by disabling unnecessary services, ports, and protocols; enable available security features; and implement robust configuration management practices.

3. Continually monitor and assess the security of the ICS, networks, and interconnections.

4. Implement a risk-based defense-in-depth approach to securing ICS systems and networks.

5. Manage the human—clearly identify requirements for ICS; establish expectations for performance; hold individuals accountable for their performance; establish policies; and provide ICS security training for all operators and administrators.

Source: NIST

Backups: Schedule, test, and secure


Closing Thoughts

Humans are the Weakest Link

Governance is critical for success

Knowledge is Critical to Defense

Identify, Protect, Detect, Respond, Recover

Advance Cybersecurity Maturity to Achieve Acceptable Level of Risk

Asset Management - Schedule Maintenance, Upgrades and Patching (avoid obsolescence)

Risk Management is a Continuous Lifecycle

Connected devices must have a business purpose

“You have to be right 100% of the time, the cyber criminals only have to be right once!”


Thank You!

David Brearley, GICSP, PMP

HDR | OT Cybersecurity Director

[email protected]

704.338.6853
