Water Environment Association of Texas

Overview of Cyber Security Issues in

Water/Wastewater Organizations

WEAT Safety and Security Committee Chair and Webinar Host Rick Hidalgo, P.E. - Signature Automation, LLC

Security Controls and Practices for Water/Wastewater Chris Murphy, CISSP – Delta Risk, LLC

Water Environment Association of Texas

Future Safety & Security Committee Webinars

Date Topic

Jan 14, 2015 Security Monitoring

Mar 13, 2015 Incident Response

May 13, 2015 Assessing the Effectiveness of a Cybersecurity Program

July 8, 2015 Special Topic (attendee input desired)

The committee welcomes comments and/or suggestions for future webinars. These can be routed to Rick Hidalgo at hjhidalgo@sig-auto.com.

Water Environment Association of Texas

Agenda

• Introduction

• Risk Management

• Security Controls

• Resources

• Survey Results

• Questions

in partnership with

Water Environment Association of Texas

Introduction - What are security controls?

“The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.” SOURCE: FIPS PUB 199

Controls are implemented to reduce risk to an acceptable level

May involve:

• Aspects of policy • Oversight • Supervision • Manual processes • Actions by individuals • Automated mechanisms implemented by information systems/devices

Water Environment Association of Texas

Introduction - Security Controls and Risk

First we need to understand risk and risk management

Risk determines your security controls

Water Environment Association of Texas

Risk* - The level of impact on an organization’s operations (including mission, functions, image, or reputation), assets or individuals resulting from the operation of an information system, given the potential impact of a threat and the likelihood of that threat occurring.*

*NIST SP 800-3 **FIPS 200, Adapted

Three Phases of Risk Management I. The conduct of a risk

assessment II. The implementation of a risk

mitigation strategy III. Employment of techniques and

procedures for the continuous monitoring of the security state of the information system

Risk Management** - The process of managing risks to organizational operations and includes:

Security Controls

i.e. SCADA Operations

Water Environment Association of Texas

Risk Assessment

A study of vulnerabilities, threats, likelihood, loss or impact, and theoretical effectiveness of security measures

Critical Assets & Processes

Threats Vulnerabilities Impacts

Risks

Mitigation

Contrast with Risk Management

Security Controls

Water Environment Association of Texas

Types of Risk

Risk Type of Risk

Inherent Linked to a particular activity itself • Complex regulations • Poor management • Physical limitations • Limited budget

Control Comes from a failure of the controls to properly mitigate risk • Failure of firewall to block malicious traffic • Users sharing passwords

Residual Combination of the inherent and the control risk

What remains after the controls have been applied to mitigate risk • Eliminating risk is not possible IF you have chosen to expose

yourself to it. • Residual risk must be accepted by management.

Water Environment Association of Texas

Risk Management Framework

Security Life Cycle

Determine security control effectiveness (i.e., controls

implemented correctly, operating as intended, meeting security

requirements for information system).

ASSESS Security Controls

Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business.

CATEGORIZE Information

System

Starting Point

Continuously track changes to the information system that may affect

security controls and reassess control effectiveness.

MONITOR Security State

AUTHORIZE Information

System

Determine risk to organizational operations and assets, individuals,

other organizations, and the Nation; if acceptable, authorize operation.

Implement security controls within enterprise architecture using sound

systems engineering practices; apply security configuration settings.

IMPLEMENT Security Controls

SELECT Security

Controls

Select baseline security controls; apply tailoring guidance and

supplement controls as needed based on risk assessment.

Identify

• Asset management

• Business environment

• Governance

• Risk Assessment

• Risk Management Strategy

Protect

• Access control

• Awareness and Training

• Data security

• Information protection processes and procedures

• Maintenance

• Protective technology

Detect

• Anomalies and events

• Security continuous monitoring

• Detection processes

Respond

• Response planning

• Communications

• Analysis

• Mitigation

• Improvements

Recover

• Recovery planning

• Improvements

• Communications

Security Controls

NIST Cybersecurity Framework Example

Water Environment Association of Texas

Control Recommendations

• To minimize/eliminate identified risks, consider the following factors when recommending controls/alternative solutions.

– Effectiveness of options

– Legal/regulatory

– Organizational policy

– Impact to operations

– Safety/reliability

– Cost

Ref: NIST SP 800-30, Risk Management Guide for Information Technology Systems

How do YOU

prioritize?

Water Environment Association of Texas

Security Controls Sources • NIST Framework for Improving Critical Infrastructure Cybersecurity

http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf • NIST SP 800-53 Rev. 4: Security and Privacy Controls for Federal Information Systems and

Organizations, April 2013 (including updates as of January 15, 2014). http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

• NIST SP 800-82 Rev. 2: Guide to Industrial Control Systems (ICS) Security http://csrc.nist.gov/publications/drafts/800-82r2/sp800_82_r2_draft.pdf

• Control Objectives for Information and Related Technology (COBIT): http://www.isaca.org/COBIT/Pages/default.aspx

• Council on CyberSecurity (CCS) Top 20 Critical Security Controls (CSC): http://www.counciloncybersecurity.org

• ANSI/ISA-62443-2-1 (99.02.01)-2009, Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program: http://www.isa.org/Template.cfm?Section=Standards8&Template=/Ecommerce/ProductDisplay.cfm&ProductID=10243

• ANSI/ISA-62443-3-3 (99.03.03)-2013, Security for Industrial Automation and Control Systems: System Security Requirements and Security Levels: http://www.isa.org/Template.cfm?Section=Standards2&template=/Ecommerce/ProductDisplay.cfm&ProductID=13420

• ISO/IEC 27001, Information technology -- Security techniques -- Information security management systems -- Requirements: http://www.iso.org/iso/home/store/catalogue_ics/catalogue_detail_ics.htm?csnumber=54534

Water Environment Association of Texas

5 Security Control Recommendations

Vulnerability Exposure

Water Environment Association of Texas

1. Identify all SCADA network connections

• Identify and assess the risk and necessity of each connection to the SCADA network.

• Understand all connections to the SCADA network, and how well these connection are protected.

• Ensure process to approve access exists > Asset Management (ISD.AM) > ID.AM-3:

Organizational communication and data flows are mapped

> Access Control (PR.AC) > PR.AC-1: Identities and credentials are managed for authorized devices and users

NIST Security Controls Guidance: SP800-53 and SP800-52 : • SECURITY ASSESSMENT AND AUTHORIZATION (CA) > CA-3 SYSTEM

INTERCONNECTIONS • IDENTIFICATION and AUTHENTICATION (IA) > IA-3 - DEVICE IDENTIFICATION AND

AUTHENTICATION

Water Environment Association of Texas

2. Redundancy or backups exist for critical systems

• Establish a disaster recovery plan that allows for rapid recovery from any emergency (including a cyber attack).

• System backups to allow rapid reconstruction of the network.

• Exercise disaster recovery and test backups. • Update plans based on lessons learned from exercises.

Recovery Planning (RC.RP) > ID.AM-3: Organizational communication and data flows are mapped

> Response Planning (RS.RP) > RC.RP-1: Recovery plan is executed during or after an event

NIST Security Controls Guidance: SP800-53 and SP800-52 : • INCIDENT RESPONSE (IR) > IR-4 - INCIDENT HANDLINGIDENTIFICATION • CONTINGENCY PLANNING (CP) > CP-10 INFORMATION SYSTEM RECOVERY AND

RECONSTITUTION

Water Environment Association of Texas

3. Staff cybersecurity training

• Personnel and partners are provided cybersecurity awareness education

• Personnel are trained and informed on responsibilities consistent with related policies, procedures, and agreements.

> Awareness and Training (PR.AT): All

NIST Security Controls Guidance: SP800-53 and SP800-52 : • AWARENESS AND TRAINING (AT) – Family of Controls

Water Environment Association of Texas

4. Network intrusion monitoring • Implement Intrusion detection systems (IDS)

monitor events on a network, such as traffic patterns, or a system, such as log entries or file accesses, so that they can identify unauthorized access

> Anomalies and Events (DE.AE) > All Controls and Security Continuous Monitoring (DE.CM) > All Controls

> Response Planning (RS.RP) > RC.RP-1: Recovery plan is executed during or after an event and Analysis (RS.AN) > All Controls

NIST Security Controls Guidance: SP800-53 and SP800-52 : • INCIDENT RESPONSE (IR) > IR-4 - INCIDENT HANDLINGIDENTIFICATION • CONTINGENCY PLANNING (CP) > CP-10 INFORMATION SYSTEM RECOVERY AND

RECONSTITUTION

Water Environment Association of Texas

5. SCADA Account Management

• User identification and authentication may be role-based, group-based, or device-based

• For certain ICS, the capability for immediate operator interaction is critical (not a time to get locked-out)

• Minimum permission should still be applied to group roles/functions

• Some form of logging and auditing should be present for ICS access

> Access Control (PR.AC) > PR.AC-1: Identities and

credentials are managed for authorized devices and users

NIST Security Controls Guidance: SP800-53 and SP800-52 : • IDENTIFICATION AND AUTHENTICATION – IA

Water Environment Association of Texas

Survey Results

• Placeholder for responses to survey:

Survey URL: http://survey.delta-risk.net/index.php?sid=38154&lang=en

Implementing Controls on ICS vs. IT

Source: Idaho National Laboratory, Control Systems Cyber Security: Defense in Depth Strategies (May, 2006)

Questions?

Vulnerability Exposure