The Water Act Regulation: Cybersecurity Assessment ...
Transcript of The Water Act Regulation: Cybersecurity Assessment ...
Presentation titlePresenter
Organization
The Water Act Regulation: Cybersecurity Assessment Completed, Now What?
David Brearley, GICSP, PMP
OT Cybersecurity Director
Agenda
01 Cybersecurity Risk Tolerance
02 Understanding Threat Vectors
03 Selecting Mitigations
04 Q&A
You have to be right 100% of the time, the cyber criminals only have to be right once!
Cybersecurity = Risk Management
Mitigation of cybersecurity risk in systems and organizations is the practice of risk management
Risk management assumes you cannot eliminate risk, but you can mitigate it
Mitigating your risk requires that you know your risk
Knowing your risk requires risk assessment
Risk management is a continuous lifecycle
Security Risk = Impact x (Threats x Vulnerabilities)
Potential Consequences of Breach
Information Technology
Financial
Loss of client data
Loss of HIPAA data
Encrypted data (ransom)
Loss of engineering data
Consumer confidence
Legal
Loss of procurement and billing functions
CIA Triad (figure): Availability
Operational Technology
Financial – equipment damage, remediation, revenue loss, mitigations, emergency response…
Legal
Reputation
Permit violations
Life safety – loss of ability to produce or distribute water, treat wastewater, produce power, etc.
Life safety – personnel
Control System Risk Tolerance Considerations
How critical is the control system to operations?
Reliance on automation, consider:
Can treatment occur without any automation?
Remote Sites
Loss of trust in VFD, Switchgear, and other programmable devices
Critical Assets and Packaged Systems
In the event of a breach…
Recovery time objective
Recovery point objective
Sustainability of manual operations – staffing, logistics, communications
Risk Tolerance / Financial Capabilities
Risk = Threats x Vulnerabilities x Consequence
Does the size of your utility change…
Threat likelihood? Consequence?
Capital Funding (assessment and mitigation)
O&M Funding for threat/network monitoring, patching and maintenance, training and incident response
Staff (remote operations, contract IT/OT)
Source: AWWA Water Sector Cybersecurity Risk Management Guidance
Risk management is not one-size-fits-all. Mitigations need to achieve owner-defined risk tolerance, level of investment, maintainability, and operability.
Who is the adversary?
General Classifications
Insider Threat / Outsider Threat
Motivated vs. Non-Motivated
Skilled vs. Unskilled
Outside Groups
Nation States
Ransomware as a Service (RaaS)
Hacking Groups
Activists, disgruntled individuals
Many other possibilities….
Cybersecurity & Infrastructure Security Agency (CISA): Current Nation-State Threats
Successful Attacks
Timeline (years marked on the slide: 2000, 2009, 2010, 2012, 2013, 2014, 2016, 2017, 2018, 2021), events in the order shown:
Maroochy Shire, AU: sewage spill
Texas road sign ("Zombies")
STUXNET
IL municipal water ("From Russia w/ Love")
Bowman Ave Dam, NY
Smart meter attacks (5 cities)
Ukraine power grid
Kemuri Water Co (KWC): chemical dosing changes
Saudi Arabia (TRISIS)
Saipem O&G (Shamoon)
Triconex safety system attacks (multiple, TRISIS)
Jan. Ryuk ransomware attack ($30M / 24-72hr ICS outage)
Feb. EKANS (ICS malware)
Jan. Sunburst attack (SolarWinds / FireEye / 18,000 installations)
Feb. Oldsmar WTP chemical system setpoint changes
Mar. Ellington, Kansas
May Colonial Pipeline
In 2019, OT targeting increased 2000% over one year with more attacks on ICS and OT infrastructure than any of the prior three years. Most observed attacks involved a combination of known vulnerabilities within SCADA and ICS hardware as well as password-spraying. -- IBM X-Force, 2020
Common Vulnerabilities
26% of attacks attributed to insiders
Back doors exist in almost all control systems
Improper input validation
Security configuration and maintenance
Credentials management
Improper authentication
Permission, privileges and access controls
The weakest link is you!
Vulnerability / Detailed Risk Assessment Methodology
Systematic approach
Comprehensive Network Inventory
Network Data Captures (PCAP)
Configuration Capture/Scans
Develop Purdue Model Network Diagram with Data Flows
Identify Vulnerabilities
National Vulnerability Database (NVD)
ICS-CERT Advisories
OEM Vendor Alerts
Source: ISA 62443-2-1 (Figure B.4)
Prioritization
Balanced Return on Investment
Mitigation cost vs. Consequence
Security vs. Convenience vs. Operability
Likelihood vs. Costs (Mitigation & Consequence)
Prioritization
Vulnerability Exposure
Insider vs. Outsider
Consequence / System Criticality
Low Hanging Fruit: Backups, Training, Response Plans
Mitigation Costs
Mitigation vs. Cost: balanced investment for risk tolerance and maintainability; investments in technologies, staff and time
• Network Monitoring: Significant investment in monitoring solution and staff time to monitor
• Network Segmentation: Additional networking equipment and more advanced skillset to maintain
• Backup Testing and Disaster Recovery Plans: Lower investment in solution and staffing. Reactive response rather than lowering the likelihood or breadth of impact.
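As an added illustration that is not part of the presentation, the deck's Risk = Threats x Vulnerabilities x Consequence formula and the prioritization criteria above (mitigation cost vs. consequence, owner-defined risk tolerance, limited capital) carried through in code; the three assets, four mitigations, their 1..5 scores and dollar costs are constructed assumptions, not figures from the talk.

```python
# Added example, not from the presentation: score assets with the deck's
# Risk = Threats x Vulnerabilities x Consequence and choose mitigations against an
# owner-defined tolerance and budget. All names, scores and costs are constructed.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Asset:
    name: str
    threat: int         # 1..5: likelihood a capable adversary targets it
    vulnerability: int  # 1..5: how exposed or weak it is today
    consequence: int    # 1..5: life safety, permit and revenue impact

@dataclass(frozen=True)
class Mitigation:
    name: str
    cost: int           # constructed capital plus first-year O&M
    applies_to: tuple   # asset names it covers
    reduces: str        # "vulnerability" (lowers likelihood) or "consequence" (limits impact)
    points: int         # score points removed, never below 1

ASSETS = [Asset("Chemical dosing PLC", 4, 4, 5), Asset("Remote lift station RTU", 3, 5, 3),
          Asset("SCADA historian", 3, 3, 2)]
MITIGATIONS = [
    Mitigation("IT/OT network segmentation (DMZ)", 120_000, ("Chemical dosing PLC", "SCADA historian"), "vulnerability", 2),
    Mitigation("Network monitoring", 90_000, ("Chemical dosing PLC", "Remote lift station RTU", "SCADA historian"), "vulnerability", 1),
    Mitigation("Tested backups and DR plan", 15_000, ("Chemical dosing PLC", "SCADA historian"), "consequence", 1),
    Mitigation("Remote site port and cable locks", 8_000, ("Remote lift station RTU",), "vulnerability", 2),
]

def total_risk(assets) -> int:
    return sum(a.threat * a.vulnerability * a.consequence for a in assets)

def apply(assets, m: Mitigation):
    """Assets after m: lower the chosen score on every asset the mitigation covers."""
    return [replace(a, **{m.reduces: max(1, getattr(a, m.reduces) - m.points)})
            if a.name in m.applies_to else a for a in assets]

def select_mitigations(assets, mitigations, tolerance: int, budget: int):
    """Greedy plan: buy the affordable option that removes the most risk per dollar
    until total risk is within tolerance. Returns (chosen names, residual risk, spent)."""
    chosen, left, spent = [], list(mitigations), 0
    while total_risk(assets) > tolerance:
        gain = lambda m: total_risk(assets) - total_risk(apply(assets, m))
        options = [m for m in left if m.cost <= budget - spent and gain(m) > 0]
        if not options:
            break  # budget exhausted or nothing effective left: report the gap
        best = max(options, key=lambda m: gain(m) / m.cost)
        assets, spent = apply(assets, best), spent + best.cost
        chosen.append(best.name)
        left.remove(best)
    return chosen, total_risk(assets), spent
```

With these constructed numbers the cheap remote-site and backup items are bought first, segmentation third, and monitoring only if the budget stretches that far; when it does not, the residual risk returned is the gap to put in front of management.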
PEOPLE, Processes & Technologies
Establish risk management leadership team
Establish or adopt a risk management framework
Commitment to follow best practices and industry standards
Training staff on role-specific cybersecurity
Establish roles and responsibilities
Incident response, tabletop simulations, and "manual operation" days
Management support is critical to success
(Figure: People, Processes, Technology)
People, PROCESSES & Technologies
Develop cybersecurity policies
Set expectations of staff
IT and OT systems
Include special risk systems: SIS, communications, etc.
Procedures for system interaction
Vendor and procurement requirements
Incident response plans and disaster recovery plans for cyber attacks
Risk assessments at frequency defined by policy
Policies & Procedures
(Figure: Regulations, Standards, Guidelines; Law, Conduct, Constraint, Plan, Solution)
Get organized and establish a vision for staff
People, Processes & TECHNOLOGIES
Implement Network Defense in Depth
Secure existing infrastructure (use standards)
Leverage technology to:
Protect against human error
Enforce policies through auditing
Aid in procedures
Limit accessibility
Detect anomalies
Recover from attacks
Provide staff the tools for success
Connected devices (and data flows) must have a business purpose
Least functionality & least privilege
Defense-in-depth layers (figure): Perimeter Security, Network Security, Endpoint Security, App Security, Data Security, around the Critical Assets
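Added example, not code from the presentation or from HDR: one way to turn the earlier methodology slide's PCAP captures and Purdue-model data-flow diagram into the check this slide asks for, that every connection into the control network has a documented business purpose and that IT/OT crossings pass through the Level 3.5 DMZ. The inventory, allowlist, addresses and ports are constructed assumptions.

```python
# Added example, not from the presentation: check captured data flows against a
# Purdue-model inventory so each OT connection has a documented business purpose
# and every IT/OT crossing goes through the Level 3.5 DMZ. All data is constructed.
from dataclasses import dataclass
from typing import Dict, List
DMZ = 3.5  # Purdue Level 3.5: the only sanctioned IT/OT crossing point

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int

# Constructed inventory: address -> (device, Purdue level)
INVENTORY = {
    "10.1.1.10": ("Chemical dosing PLC", 1),
    "10.1.2.20": ("SCADA server", 2),
    "10.1.3.30": ("Historian", 3),
    "10.1.35.5": ("DMZ jump host", DMZ),
    "10.2.0.50": ("Engineering laptop on the corporate LAN", 4),
}

# Constructed allowlist from the data-flow diagram: (src, dst, port) -> purpose
APPROVED = {
    ("10.1.2.20", "10.1.1.10", 502): "SCADA polls the dosing PLC (Modbus/TCP)",
    ("10.1.35.5", "10.1.3.30", 3389): "vendor support reaches historian via DMZ jump host",
}

FLOWS = [  # constructed flow summary, as exported from a PCAP
    Flow("10.1.2.20", "10.1.1.10", 502),
    Flow("10.1.35.5", "10.1.3.30", 3389),
    Flow("10.2.0.50", "10.1.1.10", 44818),  # corporate laptop straight to the PLC
    Flow("203.0.113.9", "10.1.2.20", 22),   # source address nobody inventoried
]

def review_flow(flow: Flow, inventory=INVENTORY, approved=APPROVED) -> List[str]:
    """Reasons this flow needs follow-up; an empty list means documented and in policy."""
    reasons = []
    levels = [inventory[a][1] if a in inventory else None for a in (flow.src, flow.dst)]
    if None in levels:
        reasons.append("endpoint not in asset inventory")
    elif DMZ not in levels and (min(levels) < 4) != (max(levels) < 4):
        reasons.append("crosses IT/OT boundary without passing through the DMZ")
    if (flow.src, flow.dst, flow.dst_port) not in approved:
        reasons.append("no documented business purpose")
    return reasons

def review_flows(flows, inventory=INVENTORY, approved=APPROVED) -> Dict[Flow, List[str]]:
    return {f: r for f in flows if (r := review_flow(f, inventory, approved))}
```

Each flagged flow is either removed, routed through the DMZ, or added to the diagram with its purpose, which keeps the inventory and the allowlist as the record the next assessment starts from.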
Defense in Depth: Remote Site Example
Physical Protections and Deterrents
Critical Infrastructure Signage
Fence Line / Physical Barriers
Cameras / Lighting
Door Locks
Electronic Facility Security (Monitor/Respond)
Cabinet Entry Alarms (to SCADA)
Chain Locks on Valves
Cyber
Port Locks
Cable Locks
Authentication
Encryption
Data Flow Controls
Cybersecurity doesn't exist without physical security
CISA: Five Key Countermeasures for ICS
1. Identify, minimize and secure all network connections to ICS (OT).
2. Harden the ICS and supporting systems by disabling unnecessary services, ports, and protocols; enable available security features; and implement robust configuration management practices.
3. Continually monitor and assess the security of the ICS, networks, and interconnections.
4. Implement a risk-based defense-in-depth approach to securing ICS systems and networks.
5. Manage the human—clearly identify requirements for ICS; establish expectations for performance; hold individuals accountable for their performance; establish policies; and provide ICS security training for all operators and administrators.
Source: NIST
Backups: Schedule, test, and secure
Closing Thoughts
Humans are the Weakest Link
Governance is critical for success
Knowledge is Critical to Defense
Identify, Protect, Detect, Respond, Recover
Advance Cybersecurity Maturity to Achieve Acceptable Level of Risk
Asset Management: Schedule Maintenance, Upgrades and Patching (avoid obsolescence)
Risk Management is a Continuous Lifecycle
Connected devices must have a business purpose
"You have to be right 100% of the time, the cyber criminals only have to be right once!"
Thank You!
David Brearley, GICSP, PMP
HDR | OT Cybersecurity Director
704.338.6853