Water Sector Approach to Cybersecurity Risk Management



Similar documents
How To Protect Water Utilities From Cyber Attack

Establishing A Secure & Resilient Water Sector. Overview. Legislative Drivers

PROTECTING CRITICAL CONTROL AND SCADA SYSTEMS WITH A CYBER SECURITY MANAGEMENT SYSTEM

Which cybersecurity standard is most relevant for a water utility?

DHS Cyber Security & Resilience Resources: Cyber Preparedness, Risk Mitigation, & Incident Response

The President issued an Executive Order Improving Critical Infrastructure Cybersecurity, on February 2013.

ICS-CERT Year in Review. Industrial Control Systems Cyber Emergency Response Team. National Cybersecurity and Communications Integration Center

EEI Business Continuity. Threat Scenario Project (TSP) April 4, EEI Threat Scenario Project

CONCEPTS IN CYBER SECURITY

No. 33 February 19, The President

CForum: A Community Driven Solution to Cybersecurity Challenges

Integrating Cybersecurity with Emergency Operations Plans (EOPs) for Institutions of Higher Education (IHEs)

Cybersecurity Audit Why are we still Vulnerable? November 30, 2015

OCIE CYBERSECURITY INITIATIVE

NIST Cybersecurity Framework Sean Sweeney, Information Security Officer 5/20/2015

Resilient and Secure Solutions for the Water/Wastewater Industry

Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

Water Critical Infrastructure and Key Resources Sector-Specific Plan as input to the National Infrastructure Protection Plan Executive Summary

Cybersecurity: What CFO s Need to Know

THE WHITE HOUSE. Office of the Press Secretary. For Immediate Release February 12, February 12, 2013

SCADA and Security Are they Mutually Exclusive? Terry M. Draper, PE, PMP

Attachment A. Identification of Risks/Cybersecurity Governance

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper

Executive Order 13636: The Healthcare Sector and the Cybersecurity Framework. September 23, 2014

Enterprise Security Tactical Plan

NERC CIP VERSION 5 COMPLIANCE

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

Department of Homeland Security Federal Government Offerings, Products, and Services

Integrating Cybersecurity with Emergency Operations Plans (EOPs) for K-12 Education

Threat and Hazard Identification and Risk Assessment

How To Write A Cybersecurity Framework

Logical Operations CyberSec First Responder: Threat Detection and Response (CFR) Exam CFR-110

Program Overview and 2015 Outlook

Cybersecurity and internal audit. August 15, 2014

Defending against modern threats Kruger National Park ICCWS 2015

Billing Code: 3510-EA

Defending Against Data Beaches: Internal Controls for Cybersecurity

Why you should adopt the NIST Cybersecurity Framework

Liability Management Evolving Cyber and Physical Security Standards and the SAFETY Act

Seven Strategies to Defend ICSs

Cybersecurity. Are you prepared?

CYBER SECURITY GUIDANCE

National Initiative for Cyber Security Education

NIST Cybersecurity Initiatives. ARC World Industry Forum 2014

Using the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6

State Agency Cyber Security Survey v October State Agency Cybersecurity Survey v 3.4

Middle Class Economics: Cybersecurity Updated August 7, 2015

MEDICAL DEVICE Cybersecurity.

Building Blocks of a Cyber Resilience Program. Monika Josi monika.josi@safis.ch

Facilitated Self-Evaluation v1.0

INFRAGARD.ORG. Portland FBI. Unclassified 1

NIST Cybersecurity Framework Manufacturing Implementation

Microsoft s cybersecurity commitment

Cybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015

FFIEC Cybersecurity Assessment Tool

Suzanne B. Schwartz, MD, MBA Director Emergency Preparedness/Operations & Medical Countermeasures (EMCM Program) CDRH/FDA

Cisco Security Optimization Service

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

Industrial Control Systems Security Guide

Lessons Learned from a Basic Vulnerability Assessment and Emergency Response Plan Update Project in Greensboro

NASA OFFICE OF INSPECTOR GENERAL

ICBA Summary of FFIEC Cybersecurity Assessment Tool

Ed McMurray, CISA, CISSP, CTGA CoNetrix

CIPAC Water Sector Cybersecurity Strategy Workgroup: FINAL REPORT & RECOMMENDATIONS

Cyber Threat Intelligence and Incident Coordination Center (C 3 ) Protecting the Healthcare Industry from Cyber Attacks

Why you should adopt the NIST Cybersecurity Framework

Subject: Critical Infrastructure Identification, Prioritization, and Protection

U.S. Cyber Security Readiness

ADDENDUM TO STATE OF MARYLAND PURCHASES ISSUED UNDER STATE CONTRACT NO. 060B

December 17, 2003 Homeland Security Presidential Directive/Hspd-7

FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB Cyber Risk Management Guidance. Purpose

Industrial Cyber Security Risk Manager. Proactively Monitor, Measure and Manage Cyber Security Risk

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Cybersecurity Issues for Community Banks

Report on CAP Cybersecurity November 5, 2015

Supplemental Tool: NPPD Resources to Support Vulnerability Assessments

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

Cyber Security Metrics Dashboards & Analytics

Communication Security Measures for SCADA Systems

US-CERT Year in Review. United States Computer Emergency Readiness Team

Cybersecurity Framework: Current Status and Next Steps

for Critical Infrastructure Protection Supervisory Control and Data Acquisition SCADA SECURITY ADVICE FOR CEOs

FINRA Publishes its 2015 Report on Cybersecurity Practices

THE HUMAN FACTOR AT THE CORE OF FEDERAL CYBERSECURITY

Transcription:

Water Sector Approach to Cybersecurity Risk Management Wasser Berlin International March 24, 2015 Copyright 2015 American Water Works Association

Cyber Threats are Real Director of National Intelligence confirms control systems are being targeted for exploitation Remotely modified Sacramento River control (2007) < former employee? > Malware Infection at Harrisburg Water System (2006) < overseas hacker > Catastrophic Failure at Taum Sauk Water Storage Dam (2005) < instrumentation / accident > Sewage Spill at Maroochy Shire (2000) <disgruntled job applicant >

Problem

Finding Answer There is no lack of cybersecurity guidance..[but] given the plethora of guidance available, individual entities within the sectors may be challenged in identifying the guidance that is most applicable and effective in improving their security posture. Recommendation Develop a better understanding of the available guidance and best practices would help both federal and private-sector decision-makers coordinate protection of critical cyber-reliant assets. Source: Cybersecurity Guidance Is Available, but More Can Be Done to Promote Its Use, GAO-12-92 (http://www.gao.gov/assets/590/587529.pdf)

Water Sector & Cyber Risk Y2K BT Act 2002 Critical Milestone Develop a recommended practices ICS security template for widespread use in the water sector #1 Priority Advance the development of sector-specific cybersecurity resources

Standards & Guidance ANSI/AWWA G430-14: Security Practices for Operation & Management Information protection and continuity is a requirement ANSI/AWWA J100-10: RAMCAP Standard for Risk & Resilience Management of Water & Wastewater Systems Cyber is required threat domain ANSI/AWWA G440-11: Emergency Preparedness Practices Consideration of key business & operating system recovery Business Continuity Plans for Water Utilities Cyber recovery plan is required action item Process Control System Security Guidance for the Water Sector Supports voluntary adoption of NIST Cybersecurity Framework

ANSI/AWWA G430-14 Security Practices for Operations and Management Requirements: a) Explicit Commitment to Security b) Security Culture c) Defined Security Roles and Employee Expectations d) Up-To-Date Assessment of Risk (Vulnerability) e) Resources Dedicated to Security and Security Implementation Priorities f) Access Control and Intrusion Detection g) Contamination, Detection, Monitoring and Surveillance h) Information Protection and Continuity i) Design and Construction j) Threat Level-Based Protocols k) Emergency Response and Recovery Plans and Business Continuity Plan l) Internal and External Communications m) Partnerships n) Verification

Call to Action Executive Order 13636: Improving Critical Infrastructure Cybersecurity (Feb 2013) NIST Cybersecurity Framework (Feb 2014) 1. Framework Core 2. Framework Profile 3. Framework Implementation Tiers Voluntary guidance to assist critical infrastructure and business s improve cybersecurity.

Water Sector Approach to NIST CSF Organized based on HOW a utility uses or operates their process control system It does NOT evaluate current security profile Prioritizes controls based on usecase & enable utility to assess actions to mitigate vulnerabilities

www.awwa.org/cybersecurity FREE, just create user account to access tool Links to related resources

One Step at a Time AWWA Guidance & Use-Case Tool Aligns w/nist Cyber Framework Cyber Security Evaluation Tool (CSET ) Assessment of policy & procedures relative to NIST 800-52 & NIST 800-53 Design Architectural Review (DAR) Evaluates network access/egress, design, configuration, applications and rules. Supported by ICS-CERT Network Architecture Verification and Validation (NAVV) Baseline network architecture, communication protocols, discover rogue connections, & identify configuration errors.

Summary.American Water Works Association has issued "Process Control System Security Guidance for the Water Sector" and a supporting "Use-Case Tool." This guidance identifies prioritized actions to reduce cybersecurity risk at a water or wastewater facility. The cybersecurity actions are aligned with the Cybersecurity Framework. This tool is serving as implementation guidance for the Cybersecurity Framework in the Water and Wastewater Systems sector. - USEPA, May 2014

Key Reminder 42 USC 300i 1 - Tampering with public water systems d) Tamper. means (1) to introduce a contaminant into a public water system with the intention of harming persons; or (2) to otherwise interfere with the operation of a public water system with the intention of harming persons. REPORT ALL INCIDENTS Local Law Enforcement, FBI ICS-CERT

?? Questions?? Kevin M. Morley, Ph.D. Security & Preparedness Program Manager AWWA Government Affairs 202-628-8303 or kmorley@awwa.org www.awwa.org/cybersecurity

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information