Upload
dodien
View
218
Download
5
Embed Size (px)
Citation preview
SECURITY ISSUES AND BEST PRACTICES FOR WATER/WASTEWATER FACILITIES 2013 AWWA IMS ANNUAL CONFERENCE SUN VALLEY, ID
Jeff Hayes Product Manager Beijer Electronics
Security Issues and Best Practices for Water/Wastewater Facilities 2013 ASWWA IMS
BACKGROUND 15 years in product management for computer
networking and security companies CISSP since March 2002 President of ISSA – Utah Chapter Currently Business Development Manager
Water/Wastewater for Beijer Electronics Beijer is a 31 year old industrial automation firm
from Sweden with Americas HQ in Salt Lake City Manufacturer of HMIs, touch-panel PCs,
programming software and networking equipment for industrial applications including extreme environmental conditions
Security Issues and Best Practices for Water/Wastewater Facilities 2013 ASWWA IMS
OUTLINE Premises Targets Closed Loop Corrective Action for Plants
Security Policies Risk Analysis Countermeasures Monitor & Manager
Security Issues and Best Practices for Water/Wastewater Facilities 2013 ASWWA IMS
JEFF HAYES 15 years in product management for computer
networking and security companies CISSP since March 2002 President of ISSA – Utah Chapter Product Manager - Beijer Electronics
Beijer is a 31 year old industrial automation firm from Sweden with Americas HQ in Salt Lake City
Manufacturer of HMIs, touch-panel PCs, programming software and networking equipment for industrial applications including extreme environmental conditions.
Security Issues and Best Practices for Water/Wastewater Facilities 2013 ASWWA IMS
PREMISES Security for infrastructure facilities is minimized,
un-funded, and not part of “best practices” thinking.
Security is not a core competency of most engineering, system integration, construction companies, nor of the operators and IT personal.
Serious security incidents have not created ample awareness or panic to create action/funding.
Cross-contamination risks of the corporate network domain vs. the process control domain.
Safety and availability are jobs #1 and #2.
Security Issues and Best Practices for Water/Wastewater Facilities 2013 ASWWA IMS
TARGET Is a water/wastewater facility a target? Who would target one? How difficult would it be
to conduct surveillance…to infiltrate a facility? Are we more secure today than a year ago?
Yes, but the “bad guys are better equipped” and the attack surface is expanding
Security is more of a people issue than a technology issue
2013 AWWA IMS Security Issues and Best Practices for Water/Wastewater Facilities
CLOSED LOOP CORRECTIVE ACTION FOR PLANT SECURITY
Security Policies
Risk Analysis
Counter-measures
Monitor & Measure
Closed Loop Corrective Action for
Plant Security
Security Issues and Best Practices for Water/Wastewater Facilities 2013 ASWWA IMS
SECURITY POLICIES
Security Policies
Security Issues and Best Practices for Water/Wastewater Facilities 2013 ASWWA IMS
SECURITY POLICIES Policies are the basis for security design, architecture,
implementation, and practices Consider some computer, Internet, physical security and
emergency management policies Computer, email , anti-virus Internet Passwords Social media and blogging Privacy Pandemic Clean desk Cell phones Concealed weapons Industrial accidents Bomb threats
Security Policies
Security Issues and Best Practices for Water/Wastewater Facilities 2013 ASWWA IMS
SECURITY POLICIES Most water/wastewater facilities have weak
policies Documented? Understood? Enforced?
If they do exist, do they… describe who owns, controls, may access what
information and in what manner? delineate sharing vs. least privilege? define separation of duties? include a vulnerability / risk / gap / cost-benefit
analysis?
Security Policies
Security Issues and Best Practices for Water/Wastewater Facilities 2013 ASWWA IMS
RISK ANALYSIS Risk management components
Evaluation and Assessment – identify assets and evaluate their properties, characteristics and loss impact
Risk Assessment – discover threats and vulnerabilities that pose risk to assets
Risk Mitigation – transferring, eliminating or accepting Internal risks
People (employees, contactors, visitors, ex-associates) Processes and procedures Computer systems
External risks Geography, weather events, neighbors Terror, war, criminal, social & economical
Risk Analysis
Security Issues and Best Practices for Water/Wastewater Facilities 2013 ASWWA IMS
RISK ANALYSIS Data Breach
Frequency and costs continue to rise Detection Response Notification Ex-post
Root Causes Malicious/Criminal Negligence System Glitch
Risk Analysis
Security Issues and Best Practices for Water/Wastewater Facilities 2013 ASWWA IMS
RISK ANALYSIS Network Vulnerabilities
Cloud Computing Remote access
Protocol Vulnerabilities Ethernet & TCP/IP (no longer security by obscurity)
Bottom-line… “Every security program is a risk program … the only
value proposition security policies, processes and technologies have is their effect on an organization's loss exposure — the frequency and magnitude of loss.”
Jack Jones, Co-Founder of CXOWARE
Risk Analysis
Security Issues and Best Practices for Water/Wastewater Facilities 2013 ASWWA IMS
SECURITY ARCHITECTURE Properly aligned people, processes, & tools
working to protect organizational assets, goals & strategic direction
Potential components Account & identity management Access and border control Vulnerabilities & base configurations Privacy & integrity Security monitoring Incident response Disaster recovery User training
Classification – trusted, untrusted and DMZ
Counter- measures
Security Issues and Best Practices for Water/Wastewater Facilities 2013 ASWWA IMS
VULNERABILITY ASSESSMENTS Identifying, quantifying, and prioritizing the
vulnerabilities in a “system” Scanning
Audit running processes, open ports, system OS details, user accounts, executable & DLL files
Security, configuration and compliance audit Patch management
Zero-day exploits and responses Mobile device management Monitoring and correlating logs and events Analysis and communication
Counter- measures
Security Issues and Best Practices for Water/Wastewater Facilities 2013 ASWWA IMS
VULNERABILITIES WITH CONTROLS PLCs vs PCs Operating systems Remote access Standards-based vs. proprietary protocols HMIs embedded with soft PLCs Will you just accept what engineers specify?
Counter- measures
Security Issues and Best Practices for Water/Wastewater Facilities 2013 ASWWA IMS
VULNERABILITIES WITH CONTROLS HMIS VS SCADA
SCADA Large-scale / multiple buildings / multiple facilities Typically hub and spoke design running on PCs
HMI PCs or touch-panel computers with software applications Process- and device-specific SCADA-like or SCADA-light implementations
Both Monitor and control industrial processes Leverage RTUs, sensor conversion, PLCs, PC data
collectors and controllers, communication infrastructure Provide for remote access/control, FTP, email, SMS for
control, log & alarm distribution, etc. Require security attention and care
Counter- measures
Security Issues and Best Practices for Water/Wastewater Facilities 2013 ASWWA IMS
PENETRATION TESTING A live test of the effectiveness of security defenses
through mimicking the actions of real-life attackers Determining the feasibility of a particular set of attack
vectors Identifying vulnerabilities that may be difficult or
impossible to detect with automated tools Assessing the impact of successful attacks Assess existing defenses, notification and responses Helps quantify what further investments are required
Should include Internal External Social engineering “Ethical hacking”
Counter- measures
Security Issues and Best Practices for Water/Wastewater Facilities 2013 ASWWA IMS
AUTHENTICATION SERVICES
Counter- measures
Security Issues and Best Practices for Water/Wastewater Facilities 2013 ASWWA IMS
AUTHENTICATION SERVICES Identity and access management (IAM)
Identification, authentication and authorization Single- vs. multi-factor authentication Identity consolidation and single sign-on
Passwords Characters, length, change frequency, re-use Initial, lost, re-assigned and forced change One-time passwords
Switches and routers VLANs, Access Control Lists
Wireless Remote access
Counter- measures
Security Issues and Best Practices for Water/Wastewater Facilities 2013 ASWWA IMS
FIREWALLS A system or combination of systems that enforces
a boundary between networks – typically a private and a public network; e.g., Internet Trusted, un-trusted and semi-trusted (DMZ)
Implementations IP and TCP/UDP port-level rules Stateful / deep-packet inspection
Deployments Network-based – appliances, server/software,
routers, switches, access points Host- & server-based
Counter- measures
Security Issues and Best Practices for Water/Wastewater Facilities 2013 ASWWA IMS
ENCRYPTION & VPN Encryption
Process of taking an unencrypted message (plaintext), applying a mathematical function to it (encryption algorithm with a key) and producing an encrypted message (ciphertext)
Data at rest ensuring integrity and privacy Data in motion
Secure Virtual Private Network - private communication over a public network
IPSec, HTTPS, SSL, SecureShell, etc. protocols Remote access – client-to-machine and machine-to-
machine
Counter- measures
Security Issues and Best Practices for Water/Wastewater Facilities 2013 ASWWA IMS
MOBILE DEVICES & APPLICATIONS Bring your own device (BYOD)
Smartphones & tablets Remote access and management Mobile security controls
Authentication & authorization VPN Lost Malware Personal vs. business functions
Counter- measures
Security Issues and Best Practices for Water/Wastewater Facilities 2013 ASWWA IMS
INTRUSION DETECTION Act of detecting actions that attempt to
compromise the confidentiality, integrity or availability of a resource A “burglar” alarm for computer networks
Types Network-based (NIDS) Host-based (HIDS) Physical IDS Intrusion Prevention
Honey Pot Systems Decoy servers or systems setup to gather information
regarding an attacker or intruder into your system
Counter- measures
Security Issues and Best Practices for Water/Wastewater Facilities 2013 ASWWA IMS
WEB APPLICATION & CONTENT CONTROL Secure Web applications (PHP, C++, Java, .NET)
Authentication & authorization Data validation & handling User and session management Points, time and state issues Error handling Encryption
Content Filtering Limitations and enforcement points Legal issues Productivity issues Bandwidth/network issues
Counter- measures
Security Issues and Best Practices for Water/Wastewater Facilities 2013 ASWWA IMS
OPERATING SYSTEM HARDENING To configure a computer or other network device
to resist attacks Secure or insecure by default? OS dependent Typical steps
Perform initial system install Remove unnecessary software Disable or remove unnecessary usernames,
passwords and accounts Disable or remove unnecessary services Apply patches Run Nessus or similar scan
Counter- measures
Security Issues and Best Practices for Water/Wastewater Facilities 2013 ASWWA IMS
PHYSICAL SECURITY Part of a holistic security posture
Based on layered defense design Physical security includes
Asset protection Video surveillance and monitoring Employee protection and workplace violence
prevention Fraud prevention Loss prevention Investigations & forensics
Counter- measures
Security Issues and Best Practices for Water/Wastewater Facilities 2013 ASWWA IMS
USER AWARENESS & TRAINING Knowing and understanding an individual’s role
in organizational and informational security and acting accordingly
Constantly reinforce messaging to change behavior
Some success elements Management support Partnering with other departments Creativity & multiple modes Use metrics Scope and timing Role-playing or exercises
Counter- measures
Security Issues and Best Practices for Water/Wastewater Facilities 2013 ASWWA IMS
MONITOR & MEASURE Physical security monitoring Information vulnerability monitoring & action
plans Security devices and software End systems and servers Network equipment
Business Continuity Planning / Disaster Recovery Planning Threat & risk analysis Business impact analysis
Monitor & Measure
Security Issues and Best Practices for Water/Wastewater Facilities 2013 ASWWA IMS
MONITOR & MEASURE Security Incident Response
The complete response set of an organization to a disaster or other abnormal event
Security information and event management Incident & data breach responses
Secure critical evidence to support investigation/litigation Defend against internal and external exposure Determine the source, scope, and sensitivity of a data loss Identify your legal and regulatory obligations Retain customers and opportunities Apply processes for future prevention
Monitor & Measure
Security Issues and Best Practices for Water/Wastewater Facilities 2013 ASWWA IMS
CONCLUSIONS Infrastructure facilities are targets Cybersecurity is essential Create a reasonable security posture
Policies Risk Analysis Countermeasures Monitor & Manage
Security Policies
Risk Analysis
Counter-measures
Monitor & Measure
Closed Loop Corrective Action for
Plant Security
QUESTIONS? Jeff Hayes [email protected] 801-924-5424