
9/7/2017

1

Cyber Competency and Readiness at WRRFs

Thursday September 7, 2017, 1:00pm-3:00pm EST

Sponsored by: WEF AUTOMATION & IT COMMITTEE


How to Participate Today

• Audio Modes

• Listen using Mic & Speakers

• Or, select “Use Telephone” and dial the conference (please remember long distance phone charges apply).

• Submit your questions using the Questions pane.

• A recording will be available for replay shortly after this webcast.

Today’s Moderator: David Chamberlain P.Eng, BDS, Eramosa Engineering Inc., Guelph, Ontario

• Automation & IT Committee Chair 2017-2018

• Automation & IT Committee Vice-Chair 2015-2016


Today’s Presenters representing a common concern on the topic of Cyber Competency and Readiness

Presenter

Don Dickinson

Senior Business Development Manager –Water Sector

Phoenix Contact USA


Cybersecurity – Going Beyond Protection to Boost Resiliency

NIST Cybersecurity Framework / ISA 62443 Operational Technology Security

Presentation Outline

Managing Cyber Threats

Protecting Critical Infrastructure

NIST Cybersecurity Framework (CSF)

CSF Core Functions

ISA 62443

Sustainable Infrastructure


Security breaches are inevitable… Being a headline is not.® – Mandiant, A FireEye™ Company

Tough questions after attack…

Could you have done more to prevent this attack?

Will I lose my job?

What is the impact on public safety?

What is the environmental impact?

How will this impact your requests for funding?

What are the expected costs of fines and litigation?

How will this impact the public’s confidence in your utility?


By VINDU GOEL and NICOLE PERLROTH DEC. 14, 2016


…anyone in the world, can take down some of the web’s most visible companies…


WannaCry ransomware attack affects more than 200,000 computers in 150 countries.


2017 Annual Threat Report

• Key Findings From 2016: Cyber Criminal Advances


2016 Dell Security – Annual Threat Report

Breaches in 2015 succeeded not because the victims lacked security altogether, but because thieves found and exploited a small hole in their security program.

Why security will become even more challenging…


Source: www.opinno.com

DHS: 5 Cybersecurity Questions for CEOs

1) How Is Our Executive Leadership Informed About the Current Level and Business Impact of Cyber Risks to Our Company?

2) What Is the Current Level and Business Impact of Cyber Risks to Our Company? What Is Our Plan to Address Identified Risks?

3) How Does Our Cybersecurity Program Apply Industry Standards and Best Practices?

4) How Many and What Types of Cyber Incidents Do We Detect In a Normal Week? What is the Threshold for Notifying Our Executive Leadership?

5) How Comprehensive Is Our Cyber Incident Response Plan? How Often Is It Tested?

www.us-cert.gov


Last Published Date: December 30, 2016

16 sectors vital to US security, economic security & national health and safety


Resilience or Resiliency

[ri-zil-yuh ns, -zil-ee-uh ns] noun

1. the power or ability to return to the original form, position, etc., after being bent, compressed, or stretched; elasticity.

2. ability to recover readily from illness, depression, adversity, or the like; buoyancy.

resiliency. (n.d.). Dictionary.com Unabridged. Dictionary.com website http://www.dictionary.com/browse/resiliency

NIST Cybersecurity Framework

• Voluntary, risk-based approach for managing cybersecurity risks for critical infrastructure

• References industry standards and best practices to help organizations manage cybersecurity risks

• Addresses broad security needs of all critical sectors but is not a one-size-fits-all approach. Sector-specific guidance needed to address unique needs of each sector

• More info: www.nist.gov/cyberframework


NIST FRAMEWORK: Tiers, Core, Profiles

Implementation Tiers

• Framework Implementation Tiers (“Tiers”) provide context on how an organization views cybersecurity risk and the processes in place to manage that risk.

• Progression to higher Tiers is encouraged when such a change would reduce cybersecurity risk and be cost effective.

• Tier 1: Partial

• Tier 2: Risk Informed

• Tier 3: Repeatable

• Tier 4: Adaptive


Profiles

• Alignment of Core functions with the business requirements, risk tolerance, and resources of the organization

• Useful in establishing a roadmap to move from “current” profile to “target” profile

• Does not prescribe Profile templates

Framework Core: IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER

FUNCTION: IDENTIFY (ID)

CATEGORY: ASSET MANAGEMENT (ID.AM)

SUBCATEGORY: Physical devices and systems inventoried (ID.AM-1)

INFORMATIVE REFERENCES: ISA 62443-2-1 2009: 4.2.3.4

Linking function to Informative References

CSF Informative References


NIST CSF Informative References

• NIST SP 800-53 Rev4: Security and Privacy Controls for Federal Information Systems and Organizations

• COBIT: Control Objectives for Information and Related Technology

• ISO/IEC 27001: Information technology – Security techniques – Information security management system – Requirements

• CCS CSC: Council on Cybersecurity Top 20 Critical Security Controls

• ISA 62443: Security for Industrial Automation and Control Systems (multipart standard)

ISA-62443 Security for Industrial Automation and Control Systems (IACS): series status chart (Planned / In Process / Published / Published under revision)

ANSI/ISA–62443-2-1 (99.02.01) – 2009

Establishing an Industrial Automation and Control Systems Security Program

Describes the elements of a Cyber Security Management System (CSMS)

Elements relate to policy, procedures, practices and personnel

Cyber Security Management System

• Risk analysis

– Business rationale

– Risk identification, classification and assessment

• Addressing risk with the CSMS

– Security policy, organization and awareness: CSMS scope; Organize for security; Staff training and security awareness; Business continuity plan; Security policies and procedures

– Selected security countermeasures: Personnel security; Physical and environmental security; Network segmentation; Access control: Account administration; Access control: Authentication; Access control: Authorization

– Implementation: Risk management and implementation; System development and maintenance; Information and document management; Incident planning and response

• Monitoring and improving the CSMS

– Conformance

– Review, improve and maintain the CSMS

Sustainable or Sustainability

[suh-stey-nuh-buh l] adjective

1. capable of being supported or upheld, as by having its weight borne from below.

2. pertaining to a system that maintains its own viability by using techniques that allow for continual reuse.

3. able to be maintained or kept going, as an action or process.

sustainable. (n.d.). Dictionary.com Unabridged. Dictionary.com website http://www.dictionary.com/browse/sustainable


Sustainable Infrastructure

Key points on cybersecurity

• Security is a process not a task! It is a journey not a destination!

• Security is not an absolute! It’s a matter of degree.

• Neither practical nor feasible to fully mitigate all risks. Must allocate available resources as efficiently as possible.

• Goal: Risk management for critical infrastructure.


Summary

• Managing cyber risks is now the norm.

• Protecting critical infrastructure, including water and wastewater systems is essential to our country’s economic and national security.

• The NIST Cybersecurity Framework provides guidance and informative references for a utility-wide security plan.

• The ISA 62443 multipart standard provides guidance for a comprehensive OT cybersecurity plan.

Answers for the tough questions…

Could you have done more to prevent this attack?

Just 2 years till retirement!

Because we have a comprehensive security plan we were able to detect the cyber activity early and implement countermeasures quickly to mitigate the event. As a result the impact on public safety, the environment and our operations was minimized.


Easy questions for me?

Presenter

Don Dickinson

Senior Business Development Manager – Water Sector

Phoenix Contact USA

e-mail: [email protected]

Request white paper: “Cyber White Paper” in Subject Line

Cybersecurity: Going Beyond Protection to Boost Resiliency


VSAT Web - EPA’s New Vulnerability Self-Assessment Tool for the Water Sector

Water Environment Federation webinar, September 7, 2017

Preparedness Resources for Water Utilities

What is VSAT?

• VSAT is used for all-hazards risk assessments of water and wastewater utilities of all sizes

• Identifies the risks of priority threats to critical utility assets

• Performs a cost-benefit analysis of additional countermeasures to reduce risk

• Helps utilities target resources to reduce risk and enhance resilience for maximum benefit!


How Does VSAT Work?

R = C ● V ● T

Risk (R) is the product of:

Consequences (C): public health and economic

Vulnerability (V): likelihood of consequences if threat occurs

Threat (T): likelihood of threat

• Asset/Threat pair based

• Countermeasures can reduce C, V, and/or T


Helpful Tools Inside VSAT Web

• WHEAT (Water Health and Economic Analysis Tool)

– Calculates health and economic consequences for: (1) Loss of operating asset; (2) Hazardous gas release; (3) Finished water contamination

• VULNERABILITY LIKELIHOOD CALCULATOR

– Based on qualitative estimate (“low” to “very high”) for 3 capability factors:

> Man-made threats: detect, delay, and respond

> Natural hazards: preparation/resilience; active response; and recovery

• Natural hazards: geographic frequency and map links


VSAT Web Outputs

• Reports that show:

○ The risk that threats present to utility assets

○ Net benefits of customized countermeasure packages

(Bar chart: Net Benefits, $0 to $1,500,000, for countermeasure packages CP 1 through CP 4)

• VSAT complies with the J100 Standard and is designated under the DHS SAFETY Act
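The R = C ● V ● T calculation and the net-benefit comparison of countermeasure packages described above, worked through as an added Python example. This is not EPA's VSAT Web code and does not reproduce its internal calculations; the three asset/threat pairs, the factor values, the countermeasures, their costs and their reduction factors are all constructed for illustration. It goes slightly beyond the slides in letting each countermeasure target specific asset/threat pairs and reduce any of C, V or T.

```python
"""VSAT-style risk model: R = C * V * T per asset/threat pair, plus the net
benefit of countermeasure packages (risk reduction minus package cost).
Added example with constructed sample data; not EPA/VSAT code."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

Pair = Tuple[str, str]  # (asset, threat)


@dataclass(frozen=True)
class AssetThreat:
    asset: str
    threat: str
    consequence: float        # C: dollar-valued consequence if the threat succeeds
    vulnerability: float      # V: likelihood (0-1) of that consequence given the threat
    threat_likelihood: float  # T: annual likelihood (0-1) that the threat occurs

    def __post_init__(self) -> None:
        for p in (self.vulnerability, self.threat_likelihood):
            if not 0.0 <= p <= 1.0:
                raise ValueError(f"likelihood out of range: {p}")

    def risk(self) -> float:
        """R = C * V * T: expected annual loss for this asset/threat pair."""
        return self.consequence * self.vulnerability * self.threat_likelihood


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: float
    # multiplicative factors on C, V and T (1.0 = no effect, 0.5 = halved)
    c_factor: float = 1.0
    v_factor: float = 1.0
    t_factor: float = 1.0
    # asset/threat pairs the measure affects; empty means every pair
    applies_to: FrozenSet[Pair] = frozenset()

    def __post_init__(self) -> None:
        for f in (self.c_factor, self.v_factor, self.t_factor):
            if not 0.0 <= f <= 1.0:
                raise ValueError(f"reduction factor out of range: {f}")


def apply_package(pair: AssetThreat, package: Iterable[Countermeasure]) -> AssetThreat:
    """Return the pair with C, V and T reduced by every applicable measure."""
    c, v, t = pair.consequence, pair.vulnerability, pair.threat_likelihood
    for m in package:
        if m.applies_to and (pair.asset, pair.threat) not in m.applies_to:
            continue
        c, v, t = c * m.c_factor, v * m.v_factor, t * m.t_factor
    return AssetThreat(pair.asset, pair.threat, c, v, t)


def total_risk(pairs: Iterable[AssetThreat], package: Iterable[Countermeasure] = ()) -> float:
    """Sum of R over all pairs, after applying the package (if any)."""
    return sum(apply_package(p, package).risk() for p in pairs)


def net_benefit(pairs: List[AssetThreat], package: List[Countermeasure]) -> float:
    """Risk reduction minus package cost; negative means it costs more than it saves."""
    reduction = total_risk(pairs) - total_risk(pairs, package)
    return reduction - sum(m.cost for m in package)


def rank_packages(pairs: List[AssetThreat], packages: Dict[str, List[Countermeasure]]):
    """Packages as (name, net benefit) tuples, best first."""
    scored = [(name, net_benefit(pairs, pkg)) for name, pkg in packages.items()]
    return sorted(scored, key=lambda s: s[1], reverse=True)


# --- constructed sample data (illustrative values, not utility data) ---
SCADA_CYBER: Pair = ("SCADA master", "remote cyber intrusion")
CHLORINE_GAS: Pair = ("Chlorine storage", "gas release via intrusion")
PUMP_FLOOD: Pair = ("Pump station", "flood")

PAIRS = [
    AssetThreat(*SCADA_CYBER, consequence=2_000_000, vulnerability=0.5, threat_likelihood=0.2),
    AssetThreat(*CHLORINE_GAS, consequence=5_000_000, vulnerability=0.2, threat_likelihood=0.05),
    AssetThreat(*PUMP_FLOOD, consequence=800_000, vulnerability=0.6, threat_likelihood=0.1),
]

SEGMENTATION = Countermeasure("PCS/enterprise network segmentation", 60_000,
                              v_factor=0.4, applies_to=frozenset({SCADA_CYBER}))
MFA = Countermeasure("MFA on remote access", 15_000,
                     v_factor=0.5, applies_to=frozenset({SCADA_CYBER}))
MANUAL_OPS = Countermeasure("Manual-operation procedures and drills", 10_000,
                            c_factor=0.6, applies_to=frozenset({SCADA_CYBER, PUMP_FLOOD}))
FLOOD_BARRIER = Countermeasure("Flood barrier at pump station", 100_000,
                               v_factor=0.25, applies_to=frozenset({PUMP_FLOOD}))

PACKAGES = {
    "CP 1": [SEGMENTATION],
    "CP 2": [SEGMENTATION, MFA],
    "CP 3": [SEGMENTATION, MFA, MANUAL_OPS],
    "CP 4": [FLOOD_BARRIER],
}

if __name__ == "__main__":
    print(f"baseline annual risk: ${total_risk(PAIRS):,.0f}")
    for name, nb in rank_packages(PAIRS, PACKAGES):
        print(f"{name}: net benefit ${nb:,.0f}")
```

Running the module prints the baseline annual risk ($298,000 on the constructed numbers) and the packages ranked by net benefit. CP 4 comes out negative: the flood barrier removes less risk than it costs on these inputs, which is exactly the kind of result the cost-benefit step is meant to surface before resources are committed.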


How to Get VSAT Web

• Older desktop version of VSAT is still available at:

https://www.epa.gov/waterriskassessment/conduct-drinking-water-or-wastewater-utility-risk-assessment

Now Available from EPA

• Access VSAT Web at: https://vsat.epa.gov

• Free with unrestricted access

• No user data is stored by or available to EPA

• Works on mobile devices (Android and iOS) and PCs


Questions about VSAT?

Dan Schmelling

U.S. Environmental Protection Agency

Water Security Division

[email protected]

202-557-0683

Cybersecurity Risk Management in the Water Sector

• Kevin M. Morley, PhD

• Manager, Federal Relations for the American Water Works Association (AWWA)


Overview

• Reality of the Threat Environment

• Water Sector Cyber Risk Management

• Key Resources

Connectivity = Exposure

Source: ICS-CERT

• Process Control Systems: SCADA, AMR/AMI, Telecommunications, HVAC

• Enterprise Systems: Employee Payroll, Service Contracts, Customer Billing, LIMS etc.

Cyber Threats are Very Real

• Director of National Intelligence confirms multiple directed attacks against control systems for exploitation

• Ransomware attack on Lansing Board of Water and Light (2016)

• BlackEnergy & Havex malware (2014-15)

• Former employee remotely modified Sacramento River control (2007)

• Malware attack on Harrisburg Water System (2006)

• Disgruntled job applicant causes massive Sewage Spill in Maroochy Shire (2000)

Water Sector & Cybersecurity

• Y2K

• BT Act (2002)

• 2008 Critical Milestone: Develop a recommended practices ICS security template for widespread use in the water sector

• 2013 #1 Priority: Advance the development of sector-specific cybersecurity resources

Standards & Guidance

• ANSI/AWWA G430-14: Security Practices for Operation & Management – Information protection and continuity is a requirement

• ANSI/AWWA J100-10: RAMCAP® Standard for Risk & Resilience Management of Water & Wastewater Systems – Cyber is required threat domain

• ANSI/AWWA G440-11: Emergency Preparedness Practices – Consideration of key business & operating system recovery

• Business Continuity Plans for Water Utilities (WRF, AWWA, EPA) – Cyber recovery plan is required action item

• Process Control System Security Guidance for the Water Sector (AWWA) – Supports voluntary adoption of NIST Cybersecurity Framework

Water Sector Approach

Process Control System Security Guidance for the Water Sector (WITAF #503)

• Develop water sector guidance that provides a consistent and repeatable recommended course of action to reduce vulnerabilities in process control systems.

• Aligns with sector and national priorities, fulfills need for sector-specific guidance as specified in EO 13636.

• Released February 2014, updated 2016, www.awwa.org/cybersecurity


Utility Driven

• Organized based on HOW the utility uses or operates their process control system

• It does NOT evaluate current security profile

• Generates prioritized list of controls that empowers utility to consider appropriate actions to reduce potential vulnerabilities

12 Core Practice Categories

• Governance & Risk Management

• Business Continuity

• Server and Workstation Hardening

• Access Control

• Application Security

• Encryption

• Telecom, Network Security, & Architecture

• Physical Security of PCS Equipment

• Service Level Agreements

• Operations Security

• Education

• Personnel Security

Use-Case Tool

• 94 Cybersecurity Controls mapped to NIST CSF

• Use Cases describe PCS and cyber exposure

• Tool determines which controls apply to selected Use Cases and at which priority (1–4): Priority 1 – do immediately; Priority 4 – important, but not urgent

• Tool does not assess existing security level


Select Use Case


How is it Used?

1. As a stand-alone tool to identify an appropriate cybersecurity baseline.

2. As part of a larger cybersecurity assessment to validate findings and recommendations.

3. As basis for a cybersecurity improvements program.

One Step at a Time

• AWWA Guidance & Use-Case Tool: Aligns w/NIST Cyber Framework

• Cyber Security Evaluation Tool (CSET®): Assessment of policy & procedures relative to NIST 800-52 & NIST 800-53

• Design Architectural Review (DAR): Evaluates network access/egress, design, configuration, applications and rules.

• Network Architecture Verification and Validation (NAVV): Baseline network architecture, communication protocols, discover rogue connections, & identify configuration errors.

Supported by ICS-CERT

US Voluntary Approach… “American Water Works Association has issued "Process Control System Security Guidance for the Water Sector" and a supporting "Use-Case Tool." … This tool is serving as implementation guidance for the Cybersecurity Framework in the Water and Wastewater Systems sector.”

– USEPA, May 2014


Educational Outreach

• Pilot deployments began in Q2-17: Pacific Northwest, Rocky Mountain, Texas, Virginia

• Rollout via AWWA Sections starting Q4-17

?? Questions ??

Kevin M. Morley, Ph.D., Manager, Federal Relations

AWWA – Government Affairs, 202-628-8303 or [email protected]

www.awwa.org/CYBERSECURITY


Questions?
