Water Environment Association of Texas
Overview of Cyber Security Issues in Water/Wastewater Organizations
WEAT Safety and Security Committee Chair and Webinar Host Rick Hidalgo, P.E. - Signature Automation, LLC
Security Controls and Practices for Water/Wastewater Chris Murphy, CISSP – Delta Risk, LLC
Future Safety & Security Committee Webinars
Date Topic
Jan 14, 2015 Security Monitoring
Mar 13, 2015 Incident Response
May 13, 2015 Assessing the Effectiveness of a Cybersecurity Program
July 8, 2015 Special Topic (attendee input desired)
The committee welcomes comments and/or suggestions for future webinars. These can be routed to Rick Hidalgo at [email protected].
Agenda
• Introduction
• Risk Management
• Security Controls
• Resources
• Survey Results
• Questions
Introduction - What are security controls?
“The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.” SOURCE: FIPS PUB 199
Controls are implemented to reduce risk to an acceptable level.
May involve:
• Aspects of policy
• Oversight
• Supervision
• Manual processes
• Actions by individuals
• Automated mechanisms implemented by information systems/devices
Introduction - Security Controls and Risk
First we need to understand risk and risk management
Risk determines your security controls
Risk* - The level of impact on an organization’s operations (including mission, functions, image, or reputation), assets or individuals resulting from the operation of an information system, given the potential impact of a threat and the likelihood of that threat occurring.
Risk Management** - The process of managing risks to organizational operations and includes:
Three Phases of Risk Management
I. The conduct of a risk assessment
II. The implementation of a risk mitigation strategy
III. Employment of techniques and procedures for the continuous monitoring of the security state of the information system
*NIST SP 800-3 **FIPS 200, Adapted
Security Controls
i.e. SCADA Operations
Risk Assessment
A study of vulnerabilities, threats, likelihood, loss or impact, and theoretical effectiveness of security measures
Critical Assets & Processes
Threats Vulnerabilities Impacts
Risks
Mitigation
Contrast with Risk Management
Security Controls
Types of Risk
Inherent: Linked to a particular activity itself
• Complex regulations
• Poor management
• Physical limitations
• Limited budget
Control: Comes from a failure of the controls to properly mitigate risk
• Failure of firewall to block malicious traffic
• Users sharing passwords
Residual: Combination of the inherent and the control risk. What remains after the controls have been applied to mitigate risk
• Eliminating risk is not possible IF you have chosen to expose yourself to it.
• Residual risk must be accepted by management.
Risk Management Framework
Security Life Cycle
• CATEGORIZE Information System (Starting Point): Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business.
• SELECT Security Controls: Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
• IMPLEMENT Security Controls: Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings.
• ASSESS Security Controls: Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system).
• AUTHORIZE Information System: Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
• MONITOR Security State: Continuously track changes to the information system that may affect security controls and reassess control effectiveness.
Identify
• Asset management
• Business environment
• Governance
• Risk Assessment
• Risk Management Strategy
Protect
• Access control
• Awareness and Training
• Data security
• Information protection processes and procedures
• Maintenance
• Protective technology
Detect
• Anomalies and events
• Security continuous monitoring
• Detection processes
Respond
• Response planning
• Communications
• Analysis
• Mitigation
• Improvements
Recover
• Recovery planning
• Improvements
• Communications
Security Controls
NIST Cybersecurity Framework Example
Control Recommendations
• To minimize/eliminate identified risks, consider the following factors when recommending controls/alternative solutions.
– Effectiveness of options
– Legal/regulatory
– Organizational policy
– Impact to operations
– Safety/reliability
– Cost
Ref: NIST SP 800-30, Risk Management Guide for Information Technology Systems
How do YOU prioritize?
Security Controls Sources
• NIST Framework for Improving Critical Infrastructure Cybersecurity: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
• NIST SP 800-53 Rev. 4: Security and Privacy Controls for Federal Information Systems and Organizations, April 2013 (including updates as of January 15, 2014): http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
• NIST SP 800-82 Rev. 2: Guide to Industrial Control Systems (ICS) Security: http://csrc.nist.gov/publications/drafts/800-82r2/sp800_82_r2_draft.pdf
• Control Objectives for Information and Related Technology (COBIT): http://www.isaca.org/COBIT/Pages/default.aspx
• Council on CyberSecurity (CCS) Top 20 Critical Security Controls (CSC): http://www.counciloncybersecurity.org
• ANSI/ISA-62443-2-1 (99.02.01)-2009, Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program: http://www.isa.org/Template.cfm?Section=Standards8&Template=/Ecommerce/ProductDisplay.cfm&ProductID=10243
• ANSI/ISA-62443-3-3 (99.03.03)-2013, Security for Industrial Automation and Control Systems: System Security Requirements and Security Levels: http://www.isa.org/Template.cfm?Section=Standards2&template=/Ecommerce/ProductDisplay.cfm&ProductID=13420
• ISO/IEC 27001, Information technology -- Security techniques -- Information security management systems -- Requirements: http://www.iso.org/iso/home/store/catalogue_ics/catalogue_detail_ics.htm?csnumber=54534
5 Security Control Recommendations
Vulnerability Exposure
1. Identify all SCADA network connections
• Identify and assess the risk and necessity of each connection to the SCADA network.
• Understand all connections to the SCADA network, and how well these connections are protected.
• Ensure process to approve access exists
> Asset Management (ID.AM) > ID.AM-3: Organizational communication and data flows are mapped
> Access Control (PR.AC) > PR.AC-1: Identities and credentials are managed for authorized devices and users
NIST Security Controls Guidance: SP800-53 and SP800-52:
• SECURITY ASSESSMENT AND AUTHORIZATION (CA) > CA-3 SYSTEM INTERCONNECTIONS
• IDENTIFICATION AND AUTHENTICATION (IA) > IA-3 - DEVICE IDENTIFICATION AND AUTHENTICATION
2. Redundancy or backups exist for critical systems
• Establish a disaster recovery plan that allows for rapid recovery from any emergency (including a cyber attack).
• System backups to allow rapid reconstruction of the network.
• Exercise disaster recovery and test backups.
• Update plans based on lessons learned from exercises.
> Recovery Planning (RC.RP) > ID.AM-3: Organizational communication and data flows are mapped
> Response Planning (RS.RP) > RC.RP-1: Recovery plan is executed during or after an event
NIST Security Controls Guidance: SP800-53 and SP800-52:
• INCIDENT RESPONSE (IR) > IR-4 - INCIDENT HANDLING
• CONTINGENCY PLANNING (CP) > CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
3. Staff cybersecurity training
• Personnel and partners are provided cybersecurity awareness education
• Personnel are trained and informed on responsibilities consistent with related policies, procedures, and agreements.
> Awareness and Training (PR.AT): All
NIST Security Controls Guidance: SP800-53 and SP800-52:
• AWARENESS AND TRAINING (AT) – Family of Controls
4. Network intrusion monitoring
• Implement intrusion detection systems (IDS) to monitor events on a network, such as traffic patterns, or on a system, such as log entries or file accesses, so that they can identify unauthorized access
> Anomalies and Events (DE.AE) > All Controls and Security Continuous Monitoring (DE.CM) > All Controls
> Response Planning (RS.RP) > RC.RP-1: Recovery plan is executed during or after an event and Analysis (RS.AN) > All Controls
NIST Security Controls Guidance: SP800-53 and SP800-52:
• INCIDENT RESPONSE (IR) > IR-4 - INCIDENT HANDLING
• CONTINGENCY PLANNING (CP) > CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
5. SCADA Account Management
• User identification and authentication may be role-based, group-based, or device-based
• For certain ICS, the capability for immediate operator interaction is critical (not a time to get locked-out)
• Minimum permission should still be applied to group roles/functions
• Some form of logging and auditing should be present for ICS access
> Access Control (PR.AC) > PR.AC-1: Identities and credentials are managed for authorized devices and users
NIST Security Controls Guidance: SP800-53 and SP800-52:
• IDENTIFICATION AND AUTHENTICATION – IA
Survey Results
• Placeholder for responses to survey:
Survey URL: http://survey.delta-risk.net/index.php?sid=38154&lang=en
Implementing Controls on ICS vs. IT
Source: Idaho National Laboratory, Control Systems Cyber Security: Defense in Depth Strategies (May, 2006)
Questions?
Vulnerability Exposure