
CYBER SECURITY FOR WATER AND WASTEWATER UTILITIES


1 CYBER SECURITY FOR WATER AND WASTEWATER UTILITIES
PRESENTED BY: DAVID A. CHANDA, PE

2 Cyber Security – A Hot Topic
NotPetya Cyberattack
2018 Thales Data Threat Report
"Tempting Cedar" Spyware
Notes: 2017 bullets: the recent Equifax data leak, Russian and Chinese cyber security attacks, and data breaches at various retailers and credit card companies.

3 Implementation Origins
Early 2000s – Risk Assessment Methodology for Water (RAM-W)
- Developed by Sandia National Laboratories; used to meet the US EPA vulnerability-assessment requirement
- Threat and vulnerability assessments
- Consequences
- Risk assessment and emergency response plan
2010 – AWWA Standard J100 (uses RAMCAP™)
- Risk and resilience analysis and management
- Identify vulnerabilities: threats, natural hazards
- Methods to evaluate options for addressing weaknesses
- Focus on significant threats
Notes: Shortly after the events of 9/11, the EPA, working with AWWA and Sandia National Labs, undertook a program to improve security at water utilities across the US. AWWA developed the first voluntary consensus standard encompassing an all-hazards risk and resilience management process for use specifically by water and wastewater utilities. RAMCAP provides guidance for calculating the probability of a specific natural hazard occurring at a given utility (e.g., earthquake, tornado, hurricane).

4 New Jersey Requirements for Utilities
2016 BPU Utility Cyber Security Program (Docket No. AO )
Water Quality Accountability Act (NJSA 58:31-1 et seq.)

5 Water Quality Accountability Act (NJSA 58:31-1 et seq)
Applies to water purveyors with more than 500 service connections and "internet-connected control system(s)"
Effective date: October 19, 2017
By February 16, 2018: develop a Cyber Security Program (based on the BPU requirements)
- Cyber risk management responsibilities and accountabilities
- Establish plans, policies, etc. to minimize cyber risk
- Conduct risk assessments, implement controls to mitigate risks, maintain situational awareness, create and exercise incident response and recovery plans
Notes: The New Jersey Office of Homeland Security is currently implementing a checklist to determine what is considered an internet-connected control system; it is not fully live yet. The NJCCIC program is not currently available for submitting cyber security plans.

6 2018 WQAA Cyber Security Implementation
Provide a copy of the program to the NJ Cybersecurity and Communications Integration Cell (NJCCIC), due February 16, 2018
Join NJCCIC within 60 days of developing the cybersecurity program
Cyber Security Program Requirements:
- Cyber Risk Management
- Situational Awareness
- Incident Reporting
- Response and Recovery
- Security Awareness & Training

7 Areas of Concern
Customer Information
Staff Information
E-mail System
Operating Data
Operating Control
Cloud-Based Computing vs. On-site Hardware
Pathways for Cyberattack

8 Approaches for Handling Security
Equipment – Hardware & Software
Physical Security
Organization
Staff Training
Handling of Unsolicited Files
Passwords
Turning Off Equipment
Limiting Physical Access
Notes:
Physical Security: lock rooms/areas that house servers and phone equipment; limit access to authorized personnel.
Staff Training: provide regular training for staff on laws/regulations, utility company requirements, and how to handle spam and other unwanted e-mail.
Passwords: complexity, frequency of changing, best practices.
Access: provide each employee with appropriate credentials to access systems and limit their access to subsystems. Compartmentalize your cyber information (customer vs. staff vs. operations). Limit on-line access to parts of your system.
Passwords: require very strong passwords (at least 10 characters, with upper- and lower-case letters, numbers and symbols); change them regularly; maintain the security of passwords. Caveat: NIST SP 800-63B (2017) recommends screening new passwords against lists of known-compromised passwords and not forcing periodic changes unless compromise is suspected, so a utility that keeps scheduled rotation for regulatory reasons should add the screening as well.
Training: provide regular training for staff about laws/regulations and about new equipment/procedures.
System Maintenance: vet and install programming updates and patches ASAP.

9 Typical Network Infrastructure
Domain vs Workgroup challenges

10 Typical Network Infrastructure – Cont.

11 Typical Network Infrastructure – Cont.

12 Typical Organization
Utility Manager/Director
- Financial Officer: manages cyber security for financial systems
- IT Manager: coordinates cyber security
- Superintendent: manages operations of the SCADA system
- IT Specialist/Consultant: coordinates operations of the cyber security system
- Billing
- Administrative Assistant

13 Monthly Requirements
The IT specialist shall:
- Monitor internal and external sources of threat and vulnerability
- Deliver critical alerts and notifications as they occur
- Maintain executive reports from the firewall, including: threat identification, threat protection, intrusion detection, response taken, recovery steps
Notes: The IT Specialist shall monitor internal and external sources of threat and vulnerability and maintain executive reports generated from the existing firewall. The IT Specialist should be able to send critical alerts/notifications as they occur. To keep staff up to date, the monthly executive report must describe the items listed above.
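The monthly firewall executive report above can be produced from the firewall's own export rather than assembled by hand. The following is an added example, not code from the presentation or from any firewall vendor: it assumes the firewall writes one key=value record per line with the fields shown, parses a constructed month of such lines, and builds the threat identification, threat protection and intrusion detection sections the slide lists. Repeated hits from a single source (the "critical alert" case) and any traffic aimed at control-system ports are called out separately, because a single Modbus probe against an operating-control network matters more than a hundred blocked web scans.

```python
"""Monthly firewall executive summary: added example, not from the presentation.

Assumptions: the firewall exports one key=value record per line with the
fields shown below; the log lines are constructed for this example.
"""
import re
from collections import Counter, defaultdict

# Constructed sample records (format and values are assumed, not real logs).
SAMPLE_LOG = """\
2018-02-03T01:12:09 action=drop src=203.0.113.7 dst=192.0.2.10 dport=22 sig=ssh-bruteforce
2018-02-03T01:12:11 action=drop src=203.0.113.7 dst=192.0.2.10 dport=22 sig=ssh-bruteforce
2018-02-03T01:12:14 action=drop src=203.0.113.7 dst=192.0.2.10 dport=22 sig=ssh-bruteforce
2018-02-03T01:12:20 action=drop src=203.0.113.7 dst=192.0.2.10 dport=22 sig=ssh-bruteforce
2018-02-03T01:12:25 action=drop src=203.0.113.7 dst=192.0.2.10 dport=22 sig=ssh-bruteforce
2018-02-04T09:40:02 action=allow src=198.51.100.4 dst=192.0.2.25 dport=443 sig=-
2018-02-05T13:05:44 action=alert src=198.51.100.77 dst=192.0.2.30 dport=502 sig=modbus-scan
2018-02-05T13:06:01 action=drop src=198.51.100.77 dst=192.0.2.30 dport=502 sig=modbus-scan
2018-02-06T17:22:10 action=drop src=203.0.113.9 dst=192.0.2.10 dport=3389 sig=rdp-bruteforce
"""

# Ports used by common industrial protocols (Modbus/TCP, DNP3, EtherNet/IP);
# any hit on these goes into the report regardless of count.
CONTROL_PORTS = {502, 20000, 44818}

RECORD = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

def parse_line(line):
    """Parse 'timestamp key=value key=value ...' into a dict, or None if malformed."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for field in m.group("kv").split():
        key, sep, value = field.partition("=")
        if not sep:
            return None
        rec[key] = value
    return rec

def summarize(log_text, burst_threshold=5):
    """Aggregate a month of records into the sections the executive report needs."""
    by_signature = Counter()
    by_action = Counter()
    per_source = defaultdict(Counter)   # src -> Counter of signatures it tripped
    control_hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "action" not in rec:
            continue
        by_action[rec["action"]] += 1
        sig = rec.get("sig", "-")
        if sig != "-":
            by_signature[sig] += 1
            per_source[rec["src"]][sig] += 1
        if int(rec.get("dport", 0)) in CONTROL_PORTS:
            control_hits.append((rec["ts"], rec["src"], rec["action"]))
    # The same source tripping the same signature repeatedly is the "critical alert" case.
    alerts = sorted((src, sig, n) for src, sigs in per_source.items()
                    for sig, n in sigs.items() if n >= burst_threshold)
    return {"by_signature": dict(by_signature), "by_action": dict(by_action),
            "alerts": alerts, "control_hits": control_hits}

def executive_report(summary):
    """Render the summary as the plain-text sections listed on the slide."""
    out = ["Threat identification:"]
    for sig, n in sorted(summary["by_signature"].items(), key=lambda kv: -kv[1]):
        out.append(f"  {sig}: {n} events")
    out.append("Threat protection (firewall actions):")
    for action, n in sorted(summary["by_action"].items()):
        out.append(f"  {action}: {n}")
    out.append("Intrusion detection (repeated activity from one source):")
    for src, sig, n in summary["alerts"]:
        out.append(f"  {src} triggered {sig} {n} times - notify the IT specialist")
    out.append("Traffic aimed at control-system ports:")
    for ts, src, action in summary["control_hits"]:
        out.append(f"  {ts} {src} ({action})")
    return "\n".join(out)

if __name__ == "__main__":
    print(executive_report(summarize(SAMPLE_LOG)))
```

Run it against a real export by replacing SAMPLE_LOG with the file contents; the "response taken" and "recovery steps" sections of the slide are the IT specialist's narrative and are not derivable from the log, so they stay manual.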

14 Quarterly Requirements - Training
The IT specialist shall train:
- Staff with access to potential pathways of threats
- New personnel
The IT specialist shall train on:
- Password management. All passwords throughout the workgroup peer-to-peer connections should meet the following requirements:
  - Contain both upper- and lower-case letters (case sensitivity)
  - Contain one or more numerical digits
  - Special characters (#, $, etc.) can be included but are not required
  - Recommended minimum of eight characters (slide 8 calls for 10; the stricter figure should govern)
  - All passwords changed every 90 days
Notes: Training of staff that have access to devices vulnerable to cyber threats, in the form of in-house sessions, notification alerts, or as the IT Specialist deems fit. Training of new personnel pertaining to the company's critical inventory requirements. Staff should be trained in the best practices for creating and changing passwords.
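The password rules on this slide and on slide 8 are easy to encode, and encoding them shows their weakness: "Password1" satisfies every composition rule above. The following is an added example, not from the presentation, that implements the slide's rules as written (length minimum parameterized because the two slides disagree, 90-day age check included) and adds the screen NIST SP 800-63B recommends, a check against known-compromised passwords. The deny list here is a constructed stand-in for a real breached-password list, stored as SHA-1 hex only because that is the form such lists are commonly distributed in; the dates are ISO strings.

```python
"""Password checks from the training slide, plus a compromised-password screen.

Added example, not from the presentation. The deny list is constructed;
a real deployment would load a breached-password list instead.
"""
import hashlib
import re
from datetime import date, timedelta

def meets_composition_rule(password, min_length=8):
    """Slide rule: upper and lower case, at least one digit, symbols optional,
    length at or above the minimum (8 on this slide, 10 on slide 8)."""
    return (len(password) >= min_length
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[0-9]", password) is not None)

# Constructed deny list: passwords that satisfy the composition rule yet are
# trivially guessable. Kept as uppercase hex SHA-1 so the clear text never
# has to sit in the policy file (SHA-1 chosen to match common list formats).
DENY_LIST = {hashlib.sha1(p.encode()).hexdigest().upper()
             for p in ("Password1", "Welcome2018", "Summer2017", "Water123")}

def is_known_bad(password):
    """True if the password appears on the compromised/common list."""
    return hashlib.sha1(password.encode()).hexdigest().upper() in DENY_LIST

def is_expired(last_changed, today, max_age_days=90):
    """Slide rule: all passwords changed every 90 days. Dates are 'YYYY-MM-DD'."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age > timedelta(days=max_age_days)

def evaluate(password, last_changed, today, min_length=8):
    """Return the list of policy problems; an empty list means acceptable."""
    problems = []
    if not meets_composition_rule(password, min_length):
        problems.append("fails length/character-class rule")
    if is_known_bad(password):
        problems.append("on the known-compromised list")
    if is_expired(last_changed, today):
        problems.append("older than 90 days")
    return problems

if __name__ == "__main__":
    # Passes the composition rule but is guessable: composition alone is not enough.
    print("Password1:", evaluate("Password1", "2017-10-01", "2018-02-16"))
    print("Chlorine-Feed-7-Sunrise:",
          evaluate("Chlorine-Feed-7-Sunrise", "2018-01-10", "2018-02-16"))
```

The point of the deny-list check is that it catches exactly the passwords the composition rule was supposed to prevent; a long passphrase that meets the rule and is not on any breach list is the case that should pass cleanly.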

15 Quarterly Requirements – Training Cont.
- Downloading unlicensed software
- Accessing files remotely should be through a secure remote access service (VPN)
- Safe internet usage: recognize cyberattacks and vulnerabilities, and avoid suspicious e-mails
- Recognizing a legitimate warning message or alert
Notes: Employees should be trained to immediately report an incident so it can be investigated and any threat reduced or removed. Downloading unlicensed software should be prevented unless instructed by the IT Specialist. The IT Specialist shall make available an anti-virus or anti-malware application to the staff.

16 Long Term Requirements
Annual Requirements
- Perform an annual inventory analysis of critical systems and document any changes from the system architecture as operated in the prior calendar year.
- Review the risk assessment methodology as applied in the prior calendar year.
24-Month Requirements
- Create a cyber risk assessment plan and conduct an exercise to test the plan every 24 months at a minimum.
- Establish a Cyber Security Incident Response Plan that follows through the life-cycle of an incident.
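The annual inventory analysis is most useful when it is a diff rather than a fresh list: what was added, what was retired, and which existing systems changed in a way that affects risk. The following is an added example, not from the presentation; the two inventories, their field names and the systems in them are constructed. It compares last year's and this year's critical-system inventories and singles out systems that became internet-reachable, since that is the change that both raises the attack surface and, under the WQAA applicability test on slide 5, can bring a control system into scope.

```python
"""Year-over-year comparison of the critical-system inventory.

Added example, not from the presentation. The inventories and their fields
are constructed; a real one would come from the utility's asset list.
"""
import json

PRIOR_YEAR = json.loads("""[
  {"id": "PLC-01", "name": "Well 3 pump PLC", "ip": "10.10.1.11",
   "firmware": "4.2", "internet_reachable": false, "remote_access": "none"},
  {"id": "HMI-01", "name": "Treatment plant HMI", "ip": "10.10.1.20",
   "firmware": "2017.1", "internet_reachable": false, "remote_access": "vpn"},
  {"id": "BILL-01", "name": "Billing server", "ip": "10.20.0.5",
   "firmware": "n/a", "internet_reachable": true, "remote_access": "vpn"}
]""")

CURRENT_YEAR = json.loads("""[
  {"id": "PLC-01", "name": "Well 3 pump PLC", "ip": "10.10.1.11",
   "firmware": "4.2", "internet_reachable": false, "remote_access": "none"},
  {"id": "HMI-01", "name": "Treatment plant HMI", "ip": "10.10.1.20",
   "firmware": "2018.1", "internet_reachable": true, "remote_access": "vendor remote tool"},
  {"id": "PLC-02", "name": "Booster station PLC", "ip": "10.10.2.11",
   "firmware": "5.0", "internet_reachable": true, "remote_access": "cellular modem"}
]""")

# Fields whose change should be documented in the annual review.
TRACKED_FIELDS = ("ip", "firmware", "internet_reachable", "remote_access")

def compare_inventories(prior, current):
    """Return added/removed/changed systems and those newly reachable from the internet."""
    prev = {s["id"]: s for s in prior}
    curr = {s["id"]: s for s in current}
    added = sorted(curr.keys() - prev.keys())
    removed = sorted(prev.keys() - curr.keys())
    changed = {}
    for sid in sorted(prev.keys() & curr.keys()):
        diffs = {f: (prev[sid].get(f), curr[sid].get(f))
                 for f in TRACKED_FIELDS if prev[sid].get(f) != curr[sid].get(f)}
        if diffs:
            changed[sid] = diffs
    # Newly exposed: reachable now, and either new or not reachable last year.
    newly_exposed = sorted(sid for sid, s in curr.items()
                           if s.get("internet_reachable")
                           and not prev.get(sid, {}).get("internet_reachable"))
    return {"added": added, "removed": removed, "changed": changed,
            "newly_exposed": newly_exposed}

def change_report(result):
    """Plain-text summary for the annual review file."""
    out = [f"Added: {', '.join(result['added']) or 'none'}",
           f"Removed: {', '.join(result['removed']) or 'none'}",
           "Changed:"]
    for sid, diffs in result["changed"].items():
        for field, (old, new) in diffs.items():
            out.append(f"  {sid}.{field}: {old!r} -> {new!r}")
    out.append("Newly internet-reachable (re-run the risk assessment for these):")
    out.extend(f"  {sid}" for sid in result["newly_exposed"])
    return "\n".join(out)

if __name__ == "__main__":
    print(change_report(compare_inventories(PRIOR_YEAR, CURRENT_YEAR)))
```

Here the HMI gaining a vendor remote-access tool and the new booster-station PLC on a cellular modem are the two findings that should drive the next risk assessment; the firmware update on the HMI is documented but is not a finding on its own.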

17 Other Resources for Security Ideas
CSET (Cyber Security Evaluation Tool) – US Department of Homeland Security
Cyber Resilience Review (CRR) – cyber self-assessment
WaterISAC – Water Security Network
- Organization of water sector professionals
- Focuses on vulnerability and security of all types
New Jersey Office of Homeland Security and Preparedness
- Currently developing a checklist to determine "internet-connected control system" applicability
Notes: WaterISAC provides tools for water/wastewater utility managers to identify and manage risks, helps managers target limited resources where they are most needed, and communicates threat warnings and incident reports to water systems.

18 Conclusions
Cyber Security is an increasing threat to utilities
Legislation and regulations currently require higher levels of protection for utilities
The need for better protection will be extended to smaller systems, and possibly wastewater systems, over the coming years
Effective Cyber Security risk management has several elements:
- Organization
- Situational Awareness
- Incident Reporting
- Response and Recovery
- Security Awareness & Training
Start planning and developing your program ASAP
There is no down-side to proactively preparing and implementing these plans

19 QUESTIONS? Presenter: David A. Chanda, PE

