America's Water Infrastructure Act: Cybersecurity - PowerPoint Presentation
Tom Bahun II & Tom Bahun III Maine Rural Water Association America’s Water Infrastructure Act (AWIA) : Cybersecurity
AWIA: Cybersecurity • Detail Provisions of AWIA • Define Cybersecurity • List Cyber Threats to Water & Wastewater Utilities and Cyber Attack Indicators • Explain the Benefits of a Cybersecurity Program • Discuss Available Cybersecurity Tools • Review Challenges for Utilities in Starting a Cybersecurity Program 3
The Questions of AWIA 1. Who: Community Water Systems > 3300 2. What: Risk Resiliency Assessments (RRA) and Emergency Response Plans (ERP) 3. When: Earliest 03/2020 - Refer to next slide 4. Where: Your system and the location of all assets 5. Why: Prepare for and ensure proper identification of and response to risk, as well as avoiding fees NOTE: $25,000.00/day Fee for Non-compliance 5
Certification Due Dates
CWS Size (Pop.)    RRA               ERP
>100,000           March 31, 2020    Sept. 30, 2020
>50,000            Dec. 31, 2020     June 30, 2021
>3300              June 30, 2021     Dec. 30, 2021
Note: ERP due 6 months after certification of RRA or indicated date above, whichever comes earlier 6
AWIA is… and is not… • AWIA is legislation that requires CWS reporting and compliance • AWIA concerns all-hazards: Natural, Manmade, and Cyber • AWIA is not a guide to compliance* • AWIA does not require RRA or ERP be sent to governing authority* * EPA assumes this role 7
All-Hazards Approach 1. Natural Risks – floods, tornadoes, fires, and more 2. Manmade Risks – vandalism, terrorism, active shooters, and more 3. Cyber Risks* – Cyber attacks, terrorism, customer data breaches, and more 8
Cyber Risks and the AWIA • The AWIA legislation added and expanded cybersecurity requirements relative to the Bio-terrorism Act of 2002 • Focuses on: Identify, Assess, Plan, and Respond • Vulnerability Assessments → RRA • Emergency Response Plans (cont.) 9
Identify Risks ✓Create or edit a current list of assets ✓Determine mission critical assets, goals, and customers ❑Pair each critical asset with threats ❑Pair mission critical customers and goals with threats that impede service 10
Assess Risks RISK = Cost Impact * Vulnerability * Threat Likelihood ▪ Cost Impact: Total cost to you, customers, and community (in dollars) ▪ Vulnerability: Probability of threat success ▪ Threat Likelihood*: Very unlikely – Very likely * Threat Likelihood will not be 0, otherwise it is not a threat. 11
Plan and Respond to Risks • Based on the findings in the assessment, the next step is to categorize risks by their assessed level: address threats with higher risks first • The development of ERPs follows the RRA and categorizations 12
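A worked version of the Identify, Assess, and Plan steps above, added here as an example and not part of the original presentation. The numeric likelihood scale, the dollar thresholds for each category, and the sample asset/threat pairs are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed numeric scale: the slide names only the endpoints
# "Very unlikely" and "Very likely". No entry is 0, per the slide's footnote.
LIKELIHOOD = {"very unlikely": 0.05, "unlikely": 0.25, "possible": 0.50,
              "likely": 0.75, "very likely": 0.95}

@dataclass(frozen=True)
class AssetThreat:
    asset: str
    threat: str
    cost_impact: float    # total cost to utility, customers, community ($)
    vulnerability: float  # probability the threat succeeds, 0..1
    likelihood: str       # key into LIKELIHOOD

    def risk(self) -> float:
        """RISK = Cost Impact * Vulnerability * Threat Likelihood."""
        if self.cost_impact < 0:
            raise ValueError(f"{self.asset}: cost impact must be >= 0")
        if not 0.0 <= self.vulnerability <= 1.0:
            raise ValueError(f"{self.asset}: vulnerability must be in 0..1")
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"{self.asset}: unknown likelihood {self.likelihood!r}")
        return self.cost_impact * self.vulnerability * LIKELIHOOD[self.likelihood]

def prioritize(pairs, high=50_000, medium=10_000):
    """Rank pairs by risk, highest first, and tag each with a category.
    The dollar thresholds are assumptions a utility would set itself."""
    ranked = sorted(pairs, key=lambda p: p.risk(), reverse=True)
    def category(r):
        return "high" if r >= high else "medium" if r >= medium else "low"
    return [(p.asset, p.threat, round(p.risk(), 2), category(p.risk()))
            for p in ranked]

# Constructed sample register; the figures are illustrative only.
PAIRS = [
    AssetThreat("Pump station", "flood", 900_000, 0.10, "unlikely"),
    AssetThreat("Utility website", "defacement", 15_000, 0.50, "likely"),
    AssetThreat("SCADA workstation", "ransomware", 400_000, 0.30, "likely"),
    AssetThreat("Billing database", "customer data breach", 250_000, 0.20, "possible"),
]

if __name__ == "__main__":
    for asset, threat, risk, cat in prioritize(PAIRS):
        print(f"{cat:<6} ${risk:>10,.2f}  {asset}: {threat}")
```

With these sample figures the flood, despite having the largest cost impact, ranks below the ransomware and data-breach pairs because its vulnerability and likelihood are lower.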
Resources and Tools We understand this is a lot to take in and prepare for… • Tools, training, and resources from EPA, MRWA, and more (AWWA, etc.) • VSAT (EPA) • Cyber tool, training, consultations and more (MRWA) 13
America's Water Infrastructure Act (AWIA) of 2018 • CWS serving more than 3,300 people must develop or update risk assessments and emergency response plans (ERPs) • Sec. 2013, (b)(1): ERP must include: “strategies and resources to improve the resilience of the system, including the physical security and cybersecurity of the system” • https://www.congress.gov/bill/115th-congress/senate-bill/3021/text 14
Amendments to the Emergency Planning and Community Right-to-Know Act (EPCRA) • AWIA section 2018 amended the Emergency Release Notification (EPCRA section 304) and Hazardous Chemical Inventory Reporting (EPCRA section 312) sections of EPCRA. • Those amendments are…. 15
Amendments to the Emergency Planning and Community Right-to-Know Act (EPCRA) • SERC must promptly notify state drinking water primacy - Maine Drinking Water Program (DWP) of any reported release • The DWP must promptly provide notice/reports to applicable CWSs 16
Amendments to the Emergency Planning and Community Right-to-Know Act (EPCRA) • SERC and LEPCs must provide affected CWS with chemical inventory data for facilities within their source water protection areas 17
Amendments to the Emergency Planning and Community Right-to-Know Act (EPCRA) • CWS required (to the extent possible) to coordinate with LEPCs • DWP should consider opportunities to fully participate with their SERC 18
What is Cybersecurity? • The practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks. AKA information technology security or electronic information security. 19
What is Cybersecurity? • Cybersecurity applies in a variety of contexts, from process control systems to business critical systems and can be divided into the following categories: – Network security – Application security – Information security – Operational security – Disaster recovery and business continuity – End-user education 20
Cybersecurity Involves: 1. Access Management 2. Environment Management 3. Data Security Management 21
Cybersecurity Involves: 1. Access Management Identifying, tracking, controlling and managing authorized users’ access to a system, application or any IT instance. The greatest risk comes from someone that is already inside your operation. 22
Cybersecurity Involves: 2. Environment Management Involves managing all the networks, the connectivity of the networks with other networks, and monitoring activity within the networks. Smart network design, network traffic and flow monitoring, and managing network access and routing. 23
Cybersecurity Involves: 3. Data Security Management Is a way to maintain the integrity of data and to make sure that the data is not accessible by unauthorized parties or susceptible to corruption. Data security is put in place to ensure privacy in addition to protecting this data. 24
Cyber Threats to Water & Wastewater Utilities • Upset treatment and conveyance processes (e.g. SCADA) • Deface the utility’s website or compromise the email system • Steal customers’ personal data or credit card information • Install malicious programs like ransomware 25
Cyber attacks on water and wastewater systems are growing increasingly common nationwide. 26
Cyber Attacks on Maine PWS 2016 - 2018 Not if but when… 27
12/05/2019 28
What Happens When You Dare Expert Hackers To Hack You? • https://www.youtube.com/watch?v=bjYhmX_OUQQ 29
Potential Cyber Attack Indicators • Slow or unusual computer function, • Unusually heavy network traffic, • Many bounced emails, • Deactivation of antivirus software, • The creation of new user accounts, • Log files that have been cleaned out, • Unsuccessful attempts to log in from unfamiliar systems • Files/programs execute on their own, and • Others….. 30
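Four of the indicators above (new user accounts, cleaned-out logs, deactivated antivirus, failed logins from unfamiliar systems) can be checked mechanically in Windows event logs. The following is an added example, not part of the original presentation: the CSV export layout, the list of known workstations, the failure threshold, and the sample lines are all constructed assumptions.

```python
import csv
import io
from collections import Counter

# Windows event IDs for three of the slide's indicators.
INDICATORS = {
    "4720": "new user account created",                 # Security log
    "1102": "audit log cleared",                        # Security log
    "5001": "antivirus real-time protection disabled",  # Defender Operational log
}
FAILED_LOGON = "4625"                          # Security log: failed logon
KNOWN_SOURCES = {"10.10.1.20", "10.10.1.21"}   # assumed utility workstations
FAILED_THRESHOLD = 3                           # assumed alerting threshold

# Constructed sample export: time,host,event_id,source_ip,account
SAMPLE = """\
2024-01-15T01:58:40,HMI-01,4624,10.10.1.20,operator
2024-01-15T02:11:03,HMI-01,4625,203.0.113.7,operator
2024-01-15T02:11:09,HMI-01,4625,203.0.113.7,operator
2024-01-15T02:11:15,HMI-01,4625,203.0.113.7,admin
2024-01-15T02:12:00,HMI-01,4625,10.10.1.21,operator
2024-01-15T02:14:31,HMI-01,4720,-,svc_backup
2024-01-15T02:15:02,HMI-01,5001,-,-
2024-01-15T02:20:47,HMI-01,1102,-,svc_backup
"""

def find_indicators(log_text, known_sources=KNOWN_SOURCES,
                    threshold=FAILED_THRESHOLD):
    """Return (time, host, description) for each indicator seen."""
    findings = []
    failed = Counter()  # (host, source_ip) -> failed logons so far
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        time, host, event_id, source_ip, _account = row
        if event_id in INDICATORS:
            findings.append((time, host, INDICATORS[event_id]))
        elif event_id == FAILED_LOGON and source_ip not in known_sources:
            failed[(host, source_ip)] += 1
            # Report once, when the threshold is first reached.
            if failed[(host, source_ip)] == threshold:
                findings.append((time, host,
                    f"{threshold} failed logons from unfamiliar system {source_ip}"))
    return findings

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE):
        print(*finding, sep="  ")
```

The single failed logon from 10.10.1.21 is not reported because that address is in the known list; only repeated failures from the unfamiliar address are.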
Benefits of a Cybersecurity Program • Ensure the integrity of process control systems • Protect sensitive utility and customer information • Reduce legal liabilities if customer or employee personal information is stolen • Maintain customer confidence 31
Cybersecurity Tools for Water/Wastewater Utilities • Self-Assessment “Checklist” • Guidance • Glossary of Terms 32
Cybersecurity Tools to Understand, Evaluate, and Mitigate Risks for Maine PWSs • Cybersecurity Self-Assessment • Improvement Planning Worksheet • 12 Basic Cybersecurity Measures • Cyber Incident Action Planning • Glossary of Terms • References & Resources • Acknowledgements 33
Maine PWS Cybersecurity Self-Assessment 1. Maintain an Accurate Inventory of Control System Devices and Eliminate Any Exposure of this Equipment to External Networks. Identify physical hardware and software assets within the organization to establish the basis of a cyber-asset management program. 34
Maine PWS Cybersecurity Self-Assessment 2. Defining Cybersecurity Policies & Regulatory Requirements Define cybersecurity policies within the organization as well as identifying legal and regulatory requirements regarding the cybersecurity capabilities of the organization. 35
Maine PWS Cybersecurity Self-Assessment 3. Evaluating Threats & Vulnerabilities Evaluate asset vulnerabilities, threats to internal and external organizational resources, and risk response activities as a basis for the organization's risk assessment. 36
Maine PWS Cybersecurity Self-Assessment 4. Establishing a Risk Management Strategy Establish a risk management strategy for the organization including establishing risk tolerances. 37
Maine PWS Cybersecurity Self-Assessment 5. Protections for Identity Management and Access Control Utilize protections for identity management and access control within the organization, including physical and remote access. 38
Maine PWS Cybersecurity Self-Assessment 6. Empowering Staff Through Awareness and Training Empower staff within the organization through awareness and training including role based and privileged user training. 39
Maine PWS Cybersecurity Self-Assessment 7. Establishing Data Security Protection Establish Data Security protection consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information 40
Maine PWS Cybersecurity Self-Assessment 8. Implementing Information Protection Processes and Procedures Implement information protection processes and procedures to maintain and manage the protections of information systems and assets. 41
Maine PWS Cybersecurity Self-Assessment 9. Protecting Resources Through Maintenance Protect organizational resources through maintenance, including remote maintenance 42
Maine PWS Cybersecurity Self-Assessment 10. Detect Malware Detect and prevent unauthorized software from executing by deploying antivirus technology and application whitelisting 43
Maine PWS Cybersecurity Self-Assessment 11. Ensuring Anomalies and Events Are Detected Ensure anomalies and events are detected, and their potential impact is understood 44
Maine PWS Cybersecurity Self-Assessment 12. Ensuring the Organization Implements Recovery Planning Ensure the organization implements recovery planning processes and procedures to restore systems and/or assets affected by cybersecurity incidents 45
Maine PWS Cybersecurity Self-Assessment 46
1. Perform Asset Inventories 2. Assess Risks 3. Minimize Control System Exposure 4. Enforce User Access Controls 5. Safeguard from Unauthorized Physical Access 6. Install Independent Cyber-Physical Safety Systems 7. Embrace Vulnerability Management 8. Create a Cybersecurity Culture 9. Develop and Enforce Cybersecurity Policies and Procedures 10. Implement Threat Detection and Monitoring 11. Plan for Incidents, Emergencies, and Disasters 12. Tackle Insider Threats 13. Secure the Supply Chain 14. Address All Smart Devices (IoT, IIoT, Mobile, etc.) 15. Participate in Information Sharing and Collaboration Communities 48
Cyber Incident Action Planning 1. Detect and respond to a cyber incident/attack, 2. Promptly and effectively assess the situation and scope, 3. Notify key PWS personnel, local law enforcement, primacy agencies and others, 49
Cyber Incident Action Planning 4. Activate and coordinate response activities, including establishing an incident command center, 5. Develop a communication plan and designate a Public Information Officer, and 6. Implement critical systems recovery once the cyber incident has been eradicated/isolated. 50
Challenges for Utilities in Starting a Cybersecurity Program • Many utilities, particularly small systems, lack IT resources • Utility personnel may believe that cyber-attacks do not present a risk to their systems or feel that they lack the technical capability to improve cybersecurity 51
Challenges for Utilities in Starting a Cybersecurity Program • Rest assured, basic cybersecurity best practices can be carried out without specialized training • User-friendly resources are available to help. You just have to know how to start and where to look! 52
Challenges for Utilities in Starting a Cybersecurity Program What you can do now: • Use strong passwords • Control access • Put up a firewall • Update programs and systems regularly • Raise awareness • Begin to establish cybersecurity policies • Consult with IT experts 53
Policy Template “Inventory Audit Policy” Purpose: • Know what devices you have • Track changes in your IT assets • Plan upgrades and migrations • Proactively manage contracts and licenses • Identify rogue devices on network • Ensure adequate physical protection of devices 54
Policy Template “Awareness and Training Policy” Purpose: • To ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems. 55
Policy Template “Acceptable Use Policy” Purpose: • To establish acceptable and unacceptable use of electronic devices and network resources in conjunction with established culture of ethical and lawful behavior, openness, trust, and integrity. 56
Policy Template “Clean Desk Policy” Purpose: • To establish the minimum requirements for maintaining a “clean desk” where sensitive information such as employee and customer information, intellectual property, and sensitive configuration information is secure and out of sight except when in use. 57
Policy Template “Password Policy” Purpose: • To establish a standard for creation of strong passwords and the protection of those passwords. https://www.youtube.com/watch?v=opRMrEfAIiI 58
Policy Template “Remote Access Policy” Purpose: • To define the rules and regulations for connecting to network from any outside network. These rules are designed to minimize the risk of: – unauthorized access to company resources, – exposure of sensitive company data, – damage to company equipment, and – damage resulting from the misuse of company equipment. 59
Plan Template “Disaster Recovery Plan” Purpose: • To ensure the timely recovery of critical IT systems in an orderly fashion, while simultaneously ensuring the safety of employees and minimizing the confusion of a disaster situation. • The objectives of the plan are to document contact information, decisions, and procedures for responding to a disaster that involves IT systems, data, and services. 60
Where To Find Tools and Templates mainerwa.org/Csresources Google: “EPA AWIA” Google: “WaterISAC AWIA” 61
Tom Bahun II & Tom Bahun III Maine Rural Water Association America’s Water Infrastructure Act: Cybersecurity