Published by Daniella Farmer. Modified over 9 years ago.
map.norsecorp.com If possible I like starting off with a view of a live attack screen. Very effective means of conveying the compelling need for cybersecurity. If I’m using my PC I can set this up easily.
NC AWWA-WEA Automation Committee Don Dickinson Phoenix Contact USA
Agenda
Growing need for cybersecurity
Protecting critical infrastructure
Key Standards & Guidance for Cybersecurity
AWWA G430-14 Security Practices for Operation & Management
NIST SP 800-82 Guide to Industrial Control System (ICS) Security
ISA 62443-2-1 Security for Industrial Automation & Control Systems (IACS)
Why a business case is needed
How to develop a business case
Security breaches are inevitable… Being a headline is not.® (Mandiant – A FireEye™ Company)
Tough questions after attack…
Could you have done more to prevent this attack?
Will I lose my job?
What is the impact on public safety?
What is the environmental impact?
How will this impact your requests for funding?
What are the expected costs of fines and litigation?
How will this impact the public’s confidence in your utility?
“The Cyber End Is Near” – Easy to sound like an alarmist…
JPMorgan Chase
Security Threats
Nation-State Attacks (by Russia, China, N Korea, many others including US)
Extortion (Sony)
Data Destruction (Sony, Saudi Aramco)
Bank Card & Personal Data Breaches (US Office of Personnel Mgmt (22M affected), Anthem Health (80M), Premera Blue Cross (11M), JP Morgan Chase (76M), Home Depot (56M), Target (40M), many others)
Third-Party Breaches (Target – HVAC connection, Home Depot – stolen vendor credentials)
Critical Infrastructure (Telvent, Saudi Aramco, Iranian Nuclear Facilities, others)
Attacks double on SCADA in 2014 (source: 2015 Dell Security Annual Threat Report)
“Everyone knows the threats are real and the consequences dire, so we can no longer blame lack of awareness for the attacks that succeed.” – Patrick Sweeney, Executive Director, Dell Security
Why isn’t security a bigger focus?
NBC Los Angeles: NewsChopper4 captures geyser blowing through Sunset Boulevard, flooding UCLA campus (July 29, 2014)
More pressing concerns…
Protecting Critical Infrastructure
Presidential Policy Directive – Critical Infrastructure Security and Resilience (PPD-21, February 12, 2013)
Cyber threat to critical infrastructure continues to grow
One of the most serious national security challenges for the US
Critical infrastructure must be secure and able to withstand and rapidly recover from all hazards
Key Security Standards & Guidance
ANSI / AWWA G430-14 Security Practices for Operation and Management
NIST Special Publication 800-82 rev 2: Guide to Industrial Control Systems (ICS) Security
ANSI / ISA-62443-2-1 Security for Industrial Automation and Control Systems: Establishing an IACS Security Program
ANSI / AWWA G430-14 Security Practices for Operation and Management
Purpose is to define the minimum requirements for a protective security program for a water or wastewater utility that will promote the protection of employee safety, public health, public safety, and public confidence.
ANSI / AWWA G430-14 Security Practices for Operation and Management
Requirements: Section 4.0
4.1 Explicit commitment to security
4.1.1 Explicit and visible commitment of senior leadership to security. The utility shall establish an explicit, visible, easily communicated, enterprise-wide commitment to security. This shall be represented by the development of a security plan, by policies, and by other documents that make security a part of daily operations visible to employees and customers.
NIST SP 800-82 Rev 2 Guide to Industrial Control Systems (ICS) Security
Purpose is to provide guidance for securing industrial control systems (ICS), including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other systems performing control functions.
NIST SP 800-82 Rev 2 Guide to Industrial Control Systems (ICS) Security
4.1 Business Case for Security
The first step in implementing an information security program for ICS is to develop a compelling business case for the unique needs of the organization. The business case provides the business impact and financial justification for creating an integrated information security program.
ISA-62443 Security for Industrial Automation and Control Systems (IACS)
ANSI/ISA–62443-2-1 (99.02.01) – 2009 Establishing an Industrial Automation and Control Systems Security Program
Describes the elements of a Cyber Security Management System (CSMS)
Elements relate to policy, procedures, practices and personnel
ISA 62443-2-1 Develop a business rationale
4.2.2 DESCRIPTION: A business rationale is based on the nature and magnitude of financial, health, safety, environmental, and other potential consequences should IACS cyber events occur.
RATIONALE: Establishing a business rationale is essential for an organization to maintain management buy-in to an appropriate level of investment for the IACS cybersecurity program.
ISA 62443-2-1 Develop a business rationale
4.2.2.1 REQUIREMENTS: Develop a business rationale
The organization should develop a high-level business rationale as a basis for its effort to manage IACS cyber security, which addresses the unique dependence of the organization on IACS.
ISA 62443-2-1 Develop a business rationale
Annex A (informative) Guidance for developing the elements of a CSMS
Description of element
Element-specific information
Supporting practices
Baseline practices
Additional practices
Resources used
ISA 62443-2-1 Develop a business rationale
A.2.2.3 Key components of business rationale
Prioritize business consequences – What events would have the greatest impact on the organization?
Prioritize threats – Which are the most credible?
Estimated annual business impact – What is the business impact, if possible, in financial terms?
Cost – What is the estimated cost of the human effort and technical countermeasures that the business rationale intends to justify?
Answers for tough questions…
Could you have done more to prevent this attack?
Just 2 years till retirement!
Because we have a comprehensive security plan we were able to detect the cyber activity early and implement countermeasures quickly to mitigate it. As a result, the impact on public safety, the environment and our operations was minimized.
Key points on cybersecurity
Security is a process not a task! Journey not a destination!
Security is not an absolute! It’s a matter of degree.
Neither practical nor feasible to fully mitigate all risks. Must allocate available resources as efficiently as possible.
The responsibility of protecting IACS from cyber events belongs to the people who operate and maintain these systems.
Goal: Risk management for critical infrastructure.
Easy questions for me?
Presenter
Don Dickinson, Senior Business Development Manager – Water Sector, Phoenix Contact USA
Contact information:
e-mail: ddickinson@phoenixcon.com
Phone: 800-888-7388, ext 3868
White Paper: Making a Business Case for Cybersecurity