Cybersecurity in the Water Sector

Presentation transcript:

Cybersecurity in the Water Sector
AWWA's mission: Providing solutions to effectively manage water, the world's most important resource. This seminar is designed to teach participants how to use the AWWA Cybersecurity Guidance Tool.

Safety and Comfort Please review where emergency exits are located. Please review locations of bathrooms and any other rules regarding the meeting space.

Introduction
Jeff Coulson, Practice Director
EMA Canada, Inc.
2381 Bristol Circle, Suite A200
Oakville, ON, Canada
Contact info: jcoulson@ema-inc.com, (905) 829-4440

Introduction
Bob Daly, Principal Consultant
EMA Services, Inc.
900 Northbrook Drive, Suite 320
Trevose, PA
Contact info: bdaly@ema-inc.com, (215) 942-7207

Description and Purpose
This seminar consists of five modules that focus on the use cases and controls in AWWA's Cybersecurity Guidance Tool (Tool). During this seminar you will see a demonstration of how to use the Tool to identify gaps that can be included in a cybersecurity improvement plan. The purpose of this seminar is to:
Learn how the Tool works and how to use the Tool
Learn the purpose and applications of control system use cases
Learn the importance of evaluating use cases against the control system
Demonstrate the Tool
Address how to move forward with the recommendations of the report produced by the Tool

Course Requirements and Learning Elements
Prerequisites: None
Seminar attendance and participation
Participation in hands-on learning checks and quizzes
Learning Elements:
Lesson Plan
Presentation
Hands-on activities (demonstration)
Discussion
Participant handout
Quizzes and tests

Agenda
Module 1 – Why is Cybersecurity Important?
Module 2 – Selecting Use Cases
Module 3 – Reviewing Recommended Controls
Module 4 – Executing Tool
Module 5 – Implementing Recommendations

Module 1 – Why is Cybersecurity Important?

Module 1 – Learning Objectives
After completing Module 1, you should be able to:
Recognize that threats are real
Identify vulnerabilities
List consequences
Know the benefits associated with the Cybersecurity Guidance Tool

Cybersecurity -> Risk Management
Risk Management considers:
Existence of Threat
Vulnerability
Consequences
Risk = Threat × Vulnerability × Consequences

The Threat – Ransomware spread across the globe (WannaCry)

The Threat – Advanced Persistent Threat (APT)

The Threat – Even Tools to Protect are Vulnerable

The Threat – New Threats Every Day

The Threat – Some Statistics
2017 Verizon Data Breach Digest analysis shows increasing threat actions.
Source: Data Breach Digest, Verizon, Page 14

The Threat – Some Statistics

The Threat – Some Statistics
A large percentage of breaches are by outsiders. Many are organized crime. The threat from espionage is increasing.
Source: 2017 Data Breach Investigations Report, 10th Edition, Verizon, Page 7
Source: 2017 Data Breach Investigations Report, 10th Edition, Verizon, Page 5

The Threat – Likely Worse Than Reported

The Threat – Staying Informed
AWWA
WaterISAC

Are We Vulnerable?
Group Exercise – 10 minutes
Please break into 4 groups
Please list possible vulnerabilities that can allow bad actors into our Industrial Control Systems
Consider External Threat and Insider Threat
List even if you consider it common knowledge

Are We Vulnerable?
Examples of vulnerabilities:
Disgruntled employee with access
Shared/easy passwords
Remote access by integrator/vendors
USB drives
Email
Internet connection
Laptop connections
Missing patches
Zero-day vulnerability

What are Potential Consequences?
Group Exercise – 5 minutes
Please break into 4 groups
Please list possible consequences of a cyber intrusion
Consider External Threat and Insider Threat
List even if you consider it common knowledge

Potential Consequences
Examples of consequences:
No. 1 – Public safety compromised
Loss of customer trust
Loss of productivity repairing the damage
Costs to re-create configurations if backups are bad
Equipment could be "bricked" by bad firmware downloads
Equipment damage by improper operation
Lawsuits
Loss of data… NOVs, fines?
False/incorrect data

Cybersecurity Business Drivers
Potential for operational and financial impact
Loss of public confidence caused by a cyber breach
Executive Orders encouraging voluntary action
Bonding agencies and insurance underwriters taking cybersecurity preparedness into consideration
States beginning to pass regulations for cybersecurity programs

The Cybersecurity Guidance Tool AWWA has created the Cybersecurity Guidance Tool to help create a prioritized list of ways to mitigate risk that is customized to your utility.

The AWWA Guidance Tool is Aligned with NIST Framework ….American Water Works Association has issued "Process Control System Security Guidance for the Water Sector" and a supporting "Use-Case Tool." This guidance identifies prioritized actions to reduce cybersecurity risk at a water or wastewater facility. The cybersecurity actions are aligned with the Cybersecurity Framework. This tool is serving as implementation guidance for the Cybersecurity Framework in the Water and Wastewater Systems sector. - USEPA, May 2014

Benefits of the Cybersecurity Guidance Tool
Water sector guidance that provides a consistent and repeatable recommended course of action to reduce vulnerabilities in process control systems.
Target audience is water utility general managers, chief information officers and utility directors with oversight and responsibility for process control systems.
Developed by an SME panel of utility representatives, vendors, consultants and Federal agencies.
Aligns with sector and national priorities; fulfills the need for sector-specific guidance as specified in EO 13636.
Consistent with the NIST Framework and compliant with the requirements of DHS.

Seminar Modules
Five Modules:
Why is Cybersecurity Important
Selecting the applicable Use Cases
Reviewing the recommended Controls generated by the Tool
Executing the Cybersecurity Tool
Developing a Cybersecurity Improvement Plan based on the recommended Controls

Module 1 Q & A Question 1 What are the three factors that are part of “The Risk Equation?”

Module 1 Q & A Question 2 What does the cybersecurity term “APT” mean?

Module 1 Q & A Question 3 Who is the target audience for the recommendations provided by the AWWA Cybersecurity Guidance Tool?

Module 1 Summary
The threats of a cyber incident are real
Our systems have vulnerabilities
Consequences of an incident can be high
Risk of a cybersecurity incident can be high
To help mitigate risk, the AWWA created the Cybersecurity Guidance Tool to provide a prioritized list of ways to mitigate risk.

Module 2 - Selecting Use Cases

Module 2 – Learning Objectives
After completing Module 2, you should be able to:
Describe the Use Case approach
Evaluate each use case against a control system
Select applicable use cases
Successfully complete a self-evaluation (quiz)

What is a Use Case?
A use case is an elemental pattern of behavior as described by the user of a system; the use cases are basic descriptions of important processes within the PCS from the user's perspective. They form a list of control system capabilities, functionality or practices that define the system configuration and characterize user and external interactions with the system.

Understanding the Cybersecurity Guidance Tool
The tool is a use-case-oriented, web-based application in which users review and select the use cases that most closely match their situation. The use cases included in the tool are categorized as follows:
Architecture (networks)
Network Management & Support Systems
Program Access
PLC Programming and Maintenance
User Access
Users review and select from the available use cases in each of these 5 categories those that apply to their situation.

How are Use Cases evaluated against the Existing Control System?
Users should possess the subject matter expertise and system knowledge needed to evaluate each use case and determine whether it represents their system. The user reads each use case to determine if it applies to their system. The use cases that most closely match the utility's PCS configuration and practices should be chosen. Use cases that do not match the current state of the PCS are not selected and receive no further consideration.

Selecting the Right Use Cases
After reading and evaluating each use case, the user selects the use cases that most closely match their control system(s) from each of the 5 categories. The selection is made by clicking the check boxes next to the applicable use cases. See the example below:

How are Controls Selected by the Cybersecurity Guidance Tool?

Use Case Quiz

Module 2 Q & A Question 1 What is a use case?

Module 2 Q & A Question 2 How are use cases evaluated against the PCS?

Module 2 Q & A Question 3 How is the use case tool used?

Module 2 Summary
The Cybersecurity Guidance Tool requires the identification of appropriate Use Cases.
A Use Case describes important processes or system configurations.
Selection of a proper Use Case often requires participation by a Subject Matter Expert.
The Cybersecurity Guidance Tool provides a set of recommendations, customized to your utility, based on your selected Use Cases.

Module 3 - Reviewing the Recommended Controls Image source: darpa.mil

Learning Objectives
After completing Module 3, you should be able to:
Understand the concept of a cybersecurity control
Understand the format and presentation of cyber controls provided by the Tool
Identify the sources of the standards that the controls are based on
Understand the rationale behind prioritization of controls by the Tool

What is a Control? Security controls are measures, developed from many industry standards, which reduce risk through a variety of strategies such as organization, procedures and technology. The tool automatically associates controls based on the selected use cases. The controls provided by the tool are a simplified restatement of existing standards.

Where do Controls come from?
Controls are based on standards* published by the following agencies:
ANSI (American National Standards Institute)
AWWA (American Water Works Association)
DHS (Department of Homeland Security)
IEC (International Electrotechnical Commission)
ISA (International Society of Automation)
ISO (International Organization for Standardization)
NIST (National Institute of Standards and Technology)
* Catalogs, standards, technical guidance, bulletins.

94 controls are organized in 13 categories:
Awareness and Training
Audit and Accountability
Configuration Management
Identification and Authentication
Incident Response
Media Protection
Physical and Environmental Protection
Program Management
Personnel Security
Risk Assessment
System and Services Acquisition
System and Communications Protection
System and Information Integrity

One use case can generate multiple controls, and multiple use case requirements can result in the same control.
(Diagram: Use Cases A through E feed into the Guidance Tool, which outputs Controls 1 through 5.)

Controls are Prioritized
Controls are assigned Priorities 1 – 4.
Each control recommendation is accompanied by at least one reference to the applicable standards. Usually more than one standard is associated with a control.

Priority 1 Priority 1 controls represent the minimum level of acceptable security for SCADA/PCS. If not already in place, these controls should be implemented immediately.

Priority 2 Priority 2 controls have the potential to provide a significant and immediate increase in the security of the organization.

Priority 3 Priority 3 controls provide additional security against cybersecurity attack of PCS Systems and lay the foundation for implementation of a managed security system. These controls should be implemented as soon as budget allows.

Priority 4 Priority 4 controls are more complex and provide protection for more sophisticated attacks (which are less common). Many Priority 4 controls are related to policies and procedures; others involve state of the art protection mechanisms.

Recommended Controls Priorities
The Tool provides a prioritized list of recommended controls as follows:
Priority 1 controls represent the minimum level of acceptable security for SCADA/PCS. If not already in place, these controls should be implemented immediately.
Priority 2 controls have the potential to provide a significant and immediate increase in the security of the organization.
Priority 3 controls provide additional security against cybersecurity attack of PCS systems and lay the foundation for implementation of a managed security system. These controls should be implemented as soon as budget allows.
Priority 4 controls are more complex and provide protection for more sophisticated attacks (which are less common). Many Priority 4 controls are related to policies and procedures; others involve state of the art protection mechanisms.
(Diagram: Priority 1 through Priority 4 control tiers, with Controls 1 through 5 placed in their tiers.)

Reviewing Controls Quiz

Module 3 Q & A Question 1 What does the acronym NIST represent?

Module 3 Q & A Question 2 Where do controls come from?

Module 3 Summary
Controls are a means that can reduce risk through organization, procedures, or technologies.
The controls provided by the tool are simplified restatements of existing standards.
The tool draws from standards produced by the National Institute of Standards and Technology (NIST), International Society of Automation (ISA), American Water Works Association (AWWA), and others.

Module 3 Summary (continued)
The Cybersecurity Guidance Tool presents recommended controls based on the selected use cases.
The Tool presents controls in order of priority.
The highest priority controls provide the minimum level of acceptable security.
The lowest priority controls provide complex protection against more sophisticated attacks.

Module 4 - Executing the Tool

Learning Objectives
After completing Module 4, you should be able to:
Access the Cybersecurity Guidance Tool from the AWWA website
Use the tool by selecting appropriate use cases
Generate a report
Save a report

Introduction to Executing the Tool
We will walk through a specific example. Your packet includes the following:
A block diagram of the example system
A document describing additional details about the example system
A print-out of the resulting PDF report
Please follow along with this specific example and avoid substituting your own example or use cases. We apologize in advance if we experience difficulties with network connectivity or website activity time-outs. Let's get started!

Executing the Tool
Browse https://www.AWWA.org or Google "AWWA cybersecurity tool"
Home - American Water Works Association
Cybersecurity Guidance & Tool: https://www.awwa.org/resources-tools/water-and-wastewater-utility-management/cybersecurity-guidance.aspx
Cybersecurity Tool: https://www.awwa.org/resources-tools/water-and-wastewater-utility-management/cybersecurity-guidance/cybersecurity-tool.aspx

Demonstration of Executing the Tool The instructor will now lead you through a live demonstration of the creation of the example Cybersecurity Report.

Congratulations! We have our report!

Module 4 Q & A Question 1 From what Website do we access the Cybersecurity Tool?

Module 4 Q & A Question 2 True or False: Priority 4 controls are not important?

Module 4 Summary
AWWA's website provides access to the Cybersecurity Tool.
When using the tool, you select those use cases that apply to your systems.
A report is first generated online. It can be downloaded and saved in PDF format.

Module 5 - Implementing Recommendations Image source: Nasa.gov

Learning Objectives After completing Module 5, you should be able to: Use the output of the Tool in the preparation of a cybersecurity improvement plan

What are the next steps in the process?
Carefully review the report generated by the Tool
Compare current state to recommended controls
Go control-by-control to check whether or not systems and/or procedures are in place
Be honest and realistic about current state
May require physical testing of the system
The discovery that occurs during this process will produce valuable, actionable results that should be addressed in an implementation plan.
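The use-case-to-control mapping described in Module 3 (several use cases can point at the same control, and the result is ordered by Priority 1 through 4) and the control-by-control gap check above, as an added example that is not the AWWA Tool's own code or data: the use cases, control names, identifiers and priorities below are constructed for illustration, while the category names come from the 13 categories listed on the page.

```python
# Hypothetical control catalogue: id -> (category, description, priority 1-4).
# Constructed for this example; the real Tool's 94 controls are not reproduced.
CONTROLS = {
    "C-01": ("Identification and Authentication", "Unique user accounts; no shared logins", 1),
    "C-02": ("Configuration Management", "Documented patch process for PCS hosts", 1),
    "C-03": ("System and Communications Protection", "Firewall between business and PCS networks", 1),
    "C-04": ("Media Protection", "Control and scan removable media (USB)", 2),
    "C-05": ("Identification and Authentication", "Multi-factor authentication for remote access", 2),
    "C-06": ("Audit and Accountability", "Central logging of PCS remote sessions", 3),
    "C-07": ("Incident Response", "Tested PCS incident response plan", 4),
}

# Hypothetical use cases: each maps to one or more controls, and several use
# cases can map to the same control (C-01 is shared by three of them).
USE_CASES = {
    "Architecture: PCS shares a flat network with business IT": ["C-03", "C-01"],
    "Program Access: integrator/vendor has remote access": ["C-05", "C-01", "C-06"],
    "PLC Programming: laptops and USB drives used for PLC updates": ["C-04", "C-02"],
    "User Access: operators share a single HMI login": ["C-01"],
}


def recommend(selected):
    """Union the controls of the selected use cases, deduplicate, and order
    them by priority (1 first), then by id for a stable report."""
    ids = {cid for uc in selected for cid in USE_CASES[uc]}
    return sorted(ids, key=lambda cid: (CONTROLS[cid][2], cid))


def gap_analysis(selected, in_place):
    """Module 5 step: recommended controls that are not yet in place.
    `in_place` is the utility's honest inventory of implemented control ids."""
    return [cid for cid in recommend(selected) if cid not in in_place]


def improvement_plan(gaps):
    """Group the gaps by priority so Priority 1 items are scheduled first."""
    plan = {}
    for cid in gaps:
        plan.setdefault(CONTROLS[cid][2], []).append(cid)
    return plan


if __name__ == "__main__":
    # Constructed scenario: two use cases apply, one control already exists.
    chosen = [
        "Program Access: integrator/vendor has remote access",
        "User Access: operators share a single HMI login",
    ]
    existing = {"C-01"}
    for prio, cids in sorted(improvement_plan(gap_analysis(chosen, existing)).items()):
        for cid in cids:
            cat, desc, _ = CONTROLS[cid]
            print(f"Priority {prio}  {cid}  [{cat}]  {desc}")
```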

Implementation Plan Discussion
To achieve the required improvements, an effective blend of technology and procedures should be implemented.
Develop a formal Cybersecurity Improvements Plan for recommended controls that are not currently in place
Assign roles and responsibilities for the implementation of the recommended controls
Establish a budget and implementation schedule for cybersecurity improvements
An implementation plan is a highly sensitive document. Please check with your legal counsel to confirm coverage by applicable Freedom of Information Act (FOIA) exemption laws.

Module 5 Q & A Question 1 True or False? The output of the Cybersecurity Guidance Tool shows you where your cybersecurity is weak.

Module 5 Q & A Question 2 What should be done with the report generated by the tool?

Module 5 Summary
The Cybersecurity Guidance Tool presents prioritized recommended controls based on your selected use cases.
Controls should be compared to existing systems or procedures to identify gaps.
A cybersecurity program should be built to address gaps associated with the highest priority controls first.
The cybersecurity program must be ongoing, since recommendations may change and your environment changes.

Seminar Summary
During this workshop, the following information was presented to help attendees prepare to use the Tool. The five modules included:
Why cybersecurity is important
Selecting the appropriate use cases for your environment
Reviewing the recommended controls generated by the Cybersecurity Guidance Tool
Executing the tool
Implementing recommendations by developing a Cybersecurity Improvements Plan

Seminar Summary (continued)
Now that you have attended this Workshop you should be able to:
Recognize the drivers behind cybersecurity
Understand the importance of evaluating use cases against your control system
Explain the priorities of controls generated by the Tool
Properly use the Cybersecurity Guidance Tool to generate a report for your system
Take the steps necessary to bring your system into alignment with industrial cybersecurity standards

Questions?
Final Exam
Course Evaluation
Thanks for Attending!