Resilient and Secure Solutions for the Water/Wastewater Industry



Similar documents
Keeping the Lights On

CONCEPTS IN CYBER SECURITY

How To Protect Water Utilities From Cyber Attack

Three Simple Steps to SCADA Systems Security

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper

Industrial Security Solutions

Roadmaps to Securing Industrial Control Systems

Which cybersecurity standard is most relevant for a water utility?

Rethinking Cyber Security for Industrial Control Systems (ICS)

Best Practices in ICS Security for System Operators. A Wurldtech White Paper

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

Water Critical Infrastructure and Key Resources Sector-Specific Plan as input to the National Infrastructure Protection Plan Executive Summary

PROTECTING CRITICAL CONTROL AND SCADA SYSTEMS WITH A CYBER SECURITY MANAGEMENT SYSTEM

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

Waterfall for NERC-CIP Compliance

SCADA Security Training

A MULTIFACETED CYBERSECURITY APPROACH TO SAFEGUARD YOUR OPERATIONS

Establishing A Secure & Resilient Water Sector. Overview. Legislative Drivers

Supplemental Tool: NPPD Resources to Support Vulnerability Assessments

The Advantages of an Integrated Factory Acceptance Test in an ICS Environment

Cybersecurity in a Mobile IP World

Cyber Security Compliance (NERC CIP V5)

GE Measurement & Control. Top 10 Cyber Vulnerabilities for Control Systems

Cyber Security and Privacy - Program 183

Preventing Cyber Security Attacks Against the Water Industry

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards

Water Sector Approach to Cybersecurity Risk Management

GE Measurement & Control. Cyber Security for Industrial Controls

NERC Cyber Security. Compliance Consulting. Services. HCL Governance, Risk & Compliance Practice

Control System Integrity (CSI) Tools and Processes to Automate CIP Compliance for Control Systems

Water Security Issues: The Federal Perspective. J. Alan Roberson, P.E. Director of Security and Regulatory Affairs AWWA Washington, DC

April 8, Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899

SCADA and Security Are they Mutually Exclusive? Terry M. Draper, PE, PMP

CIP Supply Chain Risk Management (RM ) Statement of Jacob S. Olcott Vice President, BitSight Technologies January 28, 2016

EEI Business Continuity. Threat Scenario Project (TSP) April 4, EEI Threat Scenario Project

Verve Security Center

Security for. Industrial. Automation. Considering the PROFINET Security Guideline

Cyber Security Presentation. Ontario Energy Board Smart Grid Advisory Committee. Doug Westlund CEO, N-Dimension Solutions Inc.

High Level Cyber Security Assessment 2/1/2012. Assessor: J. Doe

ABB Automation Days, Madrid, May 25 th and 26 th, Patrik Boo What do you need to know about cyber security?

Utility-Scale Applications of Microgrids: Moving Beyond Pilots Cyber Security

Department of Homeland Security Control Systems Security Program

Document ID. Cyber security for substation automation products and systems

White Paper. April Security Considerations for Utilities Utilities Tap Into the Power of SecureWorks

Building Insecurity Lisa Kaiser

ICS-CERT Year in Review. Industrial Control Systems Cyber Emergency Response Team. National Cybersecurity and Communications Integration Center

Cyber Security for NERC CIP Version 5 Compliance

An International Perspective on Security and Compliance

ICS CYBER SECURITY RKNEAL, INC. Protecting Industrial Control Systems: An Integrated Approach. Critical Infrastructure Protection

INTEGRATING SUBSTATION IT AND OT DEVICE ACCESS AND MANAGEMENT

CERIAS Tech Report Mapping Water Sector Cyber-Security Vulnerabilities by James H. Graham, Jeffrey L. Hieb and J. Chris Foreman Center for

Security Regulations and Standards for SCADA and Industrial Controls

Effective Use of Assessments for Cyber Security Risk Mitigation

Panel Session: Lessons Learned in Smart Grid Cybersecurity

Industrial Security for Process Automation

University of Central Florida Class Specification Administrative and Professional. Information Security Officer

future data and infrastructure

A Regulatory Approach to Cyber Security

Cyber Security Design Methodology for Nuclear Power Control & Protection Systems. By Majed Al Breiki Senior Instrumentation & Control Manager (ENEC)

Cybersecurity for Critical Control Systems in the Power Industry

White Paper. 7 Steps to ICS and SCADA Security. Tofino Security exida Consulting LLC. Contents. Authors. Version 1.0 Published February 16, 2012

Cybersecurity Guidance for Industrial Automation in Oil and Gas Applications

Decrease your HMI/SCADA risk

U.S. Department of Homeland Security s National Cybersecurity and Communications Integration Center

8/27/2015. Brad Schuette IT Manager City of Punta Gorda (941) Don t Wait Another Day

Cyber Security Controls Assessment : A Critical Discipline of Systems Engineering

NERC CIP Compliance with Security Professional Services

Cyber security: Practical Utility Programs that Work

GE Intelligent Platforms. Meeting NERC Change Control Requirements for HMI/SCADA and Control Systems

THE WHITE HOUSE. Office of the Press Secretary. For Immediate Release February 12, February 12, 2013

AURORA Vulnerability Background

The State of Industrial Control Systems Security and National Critical Infrastructure Protection

DeltaV System Cyber-Security

U.S. Department of Homeland Security Protective Security Advisor (PSA) North Carolina District

A Concise Model to Evaluate Security of SCADA Systems based on Security Standards

Risk Management, Equipment Protection, Monitoring and Incidence Response, Policy/Planning, and Access/Audit

SCADA Cyber Security

Why you should adopt the NIST Cybersecurity Framework

U.S. Cyber Security Readiness

Computer System Security Updates

During the Clinton administration, the

SCADA. The Heart of an Energy Management System. Presented by: Doug Van Slyke SCADA Specialist

CYBER SECURITY GUIDANCE

Cyber Security. Smart Grid

Transcription:

Insert Photo Here Resilient and Secure Solutions for the Water/Wastewater Industry Ron Allen DA/Central and Steve Liebrecht Rockwell Automation Detroit W/WW Team Leader

Your slides here Copyright 2011 Rockwell Automation, Inc. All rights reserved. 2

Initial Federal Regulations Congressional authorization under the Public Health Security and Bioterrorism Preparedness and Response Act of 2002 (the Bioterrorism Act) post 9/11/2001 conduct a vulnerability assessment certify its completion submit a copy of the assessment to EPA according to a specified schedule prepare or revise an emergency response plan certify plan to EPA within six months of completing a vulnerability assessment Source: U.S. EPA Copyright 2011 Rockwell Automation, Inc. All rights reserved.

Copyright 2011 Rockwell Automation, Inc. All rights reserved. 4 Current Security Regulations 2002 Bioterrorism Act Department of Homeland Security (DHS) Presidential Directive HPD-7 on Critical Infrastructure 2007 DHS Regulation on Chemical Facility Anti-Terrorism Standard (CFATS), including the Chemical System Assessment Tools (CSAT) Cyber Security Act of 2009 (proposed)

Copyright 2011 Rockwell Automation, Inc. All rights reserved. 5 What is NERC CIP? Federal Energy Regulatory Commission (FERC) to enforce operating standards in the bulk power sector. In 2006, FERC certified the existing North American Electric Reliability Corporation (NERC) to oversee power-system accreditation and operation in the United States. The standards that specifically pertain to the identification and protection of cyber-critical assets are commonly called NERC CIP standards. NERC CIP standards are migrating to many other critical infrastructures. Homeland Security Presidential Directive 7 (HSPD-7), along with the National Infrastructure Protection Plan (NIPP), identified and categorized U.S. critical infrastructure into the following 18 CIKR sectors: Agriculture and Food Banking and Finance Dams Energy Government Facilities Information Technology Nuclear Reactors, Materials, and Waste Telecommunications Transportation Water and Water Treatment

Roadmap to Secure Control Systems in the Water Sector, March 2008 Key AWWA document, per Kevin Morley, National AWWA Security Program Mgr Developed by Water Sector Coordinating Council Cyber Security Working Group AWWA/HSA Trends: Cyber threats to ICS are changing and growing. Computer attackers are seeking new targets and criminal extortion is increasing. ICS security is no longer simply about blocking hackers or updating anti-virus software. A new underground digital economy now provides a multi-billion dollar incentive for potential adversaries to exploit ICS vulnerability. While much security work has focused on physical security fences, guards, intrusion detection, etc. efforts pertaining to the resiliency of industrial control systems (ICS) have become more urgent. Advances in securing ICS must go far beyond the pressing security concerns of today by taking a comprehensive approach. Roadmap Call to Action: The most comprehensive security improvements are realized with the development and adoption of next-generation ICS architectures, which are inherently secure and offer enhanced functionality and performance. These systems can provide defense-in-depth with built-in, end-to-end security, integrating the IT and Process Control system. Copyright 2011 Rockwell Automation, Inc. All rights reserved. 6

Department of Homeland Security: Cyber Security Strategy Copyright 2011 Rockwell Automation, Inc. All rights reserved. 7 Evaluate existing system Follow AWWA Roadmap Use Dept Homeland Security CSET (Cyber Security Evaluation Tool) version 3.0 Self evaluation tool http://www.us-cert.gov/control_systems/satool.html Identify plant vulnerabilities Single largest vulnerability is from within Establish strategies to address vulnerabilities Look for ways to improve its robustness, resiliency How does it respond to a power outage/equipment failure Is your control system backed-up? New systems Mandate new CIP projects that include cyber security strategy - Defense in Design Establish partnership with a control system vendor Consider a holistic/plant wide approach to protecting the plant Single largest vulnerabilities may be from within

Governmental Guidelines - NIST National Institute of Standards and Technology Guide to Industrial Control Systems (ICS) Security Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations, such as Programmable Logic Controllers (PLC) Copyright 2011 Rockwell Automation, Inc. All rights reserved. 8

Holland BPW & DHS CSSP Partnership Doug Nibbelink, IT Security Specialist Holland Board of Public Works DHS Control System Security Program They're from the government, and they really helped us. Control Systems Security Program + =?

Challenges IT vs Operations VLAN NTFS IDS WSUS HMI RTU PLC Modbus Operations Dept IT Dept Separation of Operations/Control Systems/SCADA vs. IT Different worlds/foreign languages and Gaps in shared knowledge How do you protect and secure what you don t understand? Probably not very well

Holland BPW Security Evolution Technology Director attended 1 day training on Control Systems Security put on by DHS CSSP-Instructor mentioned availability of DHS CSSP onsite assessment AWWA sent letter about availability of CSET software (Cyber Security Evaluation Tool) In 2010 HBPW staff began discussions with DHS CSSP about an onsite assessment In January 2012, 3 staff from DHS CSSP came to Holland to facilitate cyber security TTX.

W/WW Cyber Security References Customer Success Story: Colorado Springs Utilities Goal: More resilient control system Process control system disaster recovery Multiple water, wastewater and power plants W/WW Security White Paper Why Security matters Security is not just an IT issue any more Evolution of risk Governing bodies requirements What is NERC-CIP Compliance Strategies Control solutions enhance system and device-level security by having products that support validated, defense-in-depth measures and design practices to enhance system and device-level security. Rockwell Security Tools Hardware/software/services Copyright 2011 Rockwell Automation, Inc. All rights reserved. 12

Cyber Security-Take Aways Key Questions How would your operations change if we did not have SCADA working? How sure are you that our SCADA systems are secure? When was the last time you performed cyber security vulnerability assessments? What would be the impact to your organizations if we were aware of vulnerabilities and did nothing?

Cyber Security-Take Aways- Suggestions Evaluate existing system Follow AWWA Roadmap Use Dept Homeland Security CSET (Cyber Security Evaluation Tool) version 3.0 Self evaluation tool http://www.us-cert.gov/control_systems/satool.html Identify plant vulnerabilities Look for ways to improve its robustness, resiliency New systems Work with Consultants to mandate new CIP projects that include a cyber security strategy - Defense in Design Establish partnership with a control system vendor

Rockwell Automation Security Key Points Practice 5 simple, actionable steps to enhance industrial security: 1. Control who has access 2. Employ firewalls and intrusion detection/prevention 3. Patch and update your control system hardware/software 4. Manage your passwords 5. Turn the PLC processor key(s) to Run mode Mandate new CIP projects include cyber security strategy - Defense in Design Consider a holistic/plant wide approach to protecting the plant Establish partnership with a control system vendor Rockwell Automation control products are developed following the latest governmental security guidelines using our design-for-security philosophy and include features to facilitate physical and logical access control We also provide free resources to help: www.rockwellautomation.com/security We offer Network & Security Services to help you comply with securityoriented regulations and standards www.rockwellautomation.com/services/security/ Enhance industrial security to improve robustness, reduce risk, and vulnerability

Resilient and Secure Solutions for the Water/Wastewater Industry Ron Allen DA/Central Steve Liebrecht W/WW Industry Team Leader Detroit Rockwell Automation sjliebrecht@ra.rockwell.com Cell 419-340-6873

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information