Incorporating Cyber Security into Water Utility Master Planning

Thomas House – Rockwell Automation NJ AWWA Fal Meeting September 2018

PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 2 NotPetya brings down operations

PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 3 You don’t have to be the target to be a victim

PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 4 CHALLENGES FACING INDUSTRIAL INFRASTRUCTURE

IT/OT Convergence Skills Gap Vulnerability Inflexibility

PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 5 INDUSTRIAL CYBER RISK EQUATION

Vulnerabilities Threats Consequences

Countermeasures Basic Industrial Cyber Advanced Countermeasures Hygiene

PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 6 ICS-Focused Campaigns, Attacks, Frequency

2010 2011 2012 2013 2014 2015 2016 2017

STUXNET NIGHT SHAMOON RED HAVEX BLACKENERGY BLACKENERGY NOTPETYA Worm Targeting DRAGON OCTOBER Industrial Control Virus Targeting Cyber-Espionage Malware Injected into SCADA and Modifying System Remote Malware Injected into Ransomware Malware Advanced Persistent Energy Sector Malware Targeting Ukrainian Power Power Company PLCs Access Trojan & Based Threat Targeting Largest Gov’t & Research Company Network, Network, Attackers Cut On Stolen NSA Global Energy Wipe Attack Organizations Information Stealer Cut Power to the Power to the Affected Exploits that Impacted Affected Region. Region. ICS Systems OPERATION FLAME AURORA DUQU HEARTBLEED Virus use for Security Bug and APT Cyber Attack on Worm Targeting ICS Targeted Cyber Vulnerability 20+ High Tech, Information OP GHOUL INDUSTROYER Espionage in the Exploited Security & Defense Gathering Middle East Spear-phishing Companies and Stealing by Attackers Campaign Malware Targeting Targeting Middle Electric Utility – Used GAUSS in 2016 Ukraine Grid East Industrial Attack Information Stealer Organizations Malware

WANNACRY

General ransomware which impacted ICS ICS CERT INCIDENT COUNT Systems **Only Reported Incidents in U.S. 295 290 257 245 197 140

PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 7 ICS THREAT VECTORS

IT Network Direct Attack via IT Network

DMZ Insider Threat OT Network

Direct Attack on Plant Network

VPN Device

ICS Supply Chain USB Indirect Attack External Remote Maintenance On-Site Maintenance Adversaries (Compromised VPN) (Compromised Device)

PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 8 OT vs. IT Priority is Priority is availability confidentiality

Architectures are Architectures are proprietary ubiquitous

End-points are End-points are of heterogeneous, task homogenous, multi- specific with long purpose with short lifespans lifespans

Outcomes are physical Outcomes are digital

PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 9 PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 10 Attack Continuum

BEFORE DURING AFTER

cybersecurity framework PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 11 Architectures Overview

PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 12 Networking Standards

IT Core Switch Enterprise Zone: Levels 4-5 and Firewall

Industrial Zone: Levels 0-3

Level 3 – Site Operations OT Core Switch

Level 2 – Area Supervisory Control

Level 1 - Controller Control System Machine

Level 0 - Process Cell

PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 13 Build a Secure Network Infrastructure - IDMZ

Enterprise Zone: Levels 4-5

Industrial Demilitarized Zone (IDMZ)

IDMZ Firewalls Industrial Zone: Levels 0-3

Level 3 – Site Operations

Level 2 – Area Supervisory Control

Level 1 - Controller Control System Machine

Level 0 - Process Cell

PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 14 Rockwell Automation and Cisco Segmentation and Best Practices Converged Plant-Wide Ethernet (CPwE)

Enterprise Zone: Levels 4-5

Industrial Demilitarized Zone (IDMZ) Proxy Services

Industrial Zone: Levels 0-3

Industrial Firewall Control System Machine

Cell

PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 15 Asset Management

Proxy Services

FT Asset Centre and Claroty

Industrial Firewall

Control System Machine

Cell

PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 16 Patch Management

Microsoft Patch Release

RA Azure WSUS

Proxy Services

Plant WSUS FT Asset Centre and Claroty

Industrial Firewall

Control System Machine

Cell

PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 17 Authentication and Authorization

Microsoft Patch Release

RA Azure WSUS

Security Services Proxy Services

Plant WSUS FT Asset Centre and Claroty

Active Directory FactoryTalk Security

Secure Remote Access Industrial Firewall

Control System Machine

Cell

PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 18 Computer and Endpoint Protection

Microsoft Patch Release

RA Azure WSUS

Security Services Proxy Services

Plant WSUS FT Asset Centre and Claroty

Active Directory FactoryTalk Security Secure Remote Access Industrial Firewall

Control System Machine

Anti-Virus – Anti-Malware Cell Application Whitelisting

PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 19 Threat Detection Services

Microsoft Patch Release

Threat Detection Platform RA Azure WSUS

RA Remote Support Services

Security Services Proxy Services

Plant WSUS FT Asset Centre and Claroty

Active Directory FactoryTalk Security Secure Remote Access Industrial Firewall

Threat Detection Platform Control System Machine

Anti-Virus – Anti-Malware Cell Application Whitelisting

PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 20 A PROACTIVE APPROACH TO INDUSTRIAL NETWORK & CYBER SECURITY NIST Attack Continuum

BEFORE DURING AFTER

Identify & Protect Detect Respond & Recover

Asset Inventory Real-Time Threat Backup and Recovery Services Detection Services Solutions BUILD A SECURE, ROBUST, FUTURE-READY NETWORK FOR YOUR CONNECTED ENTERPRISE

Qualified Patch Remote Monitoring and Management Administration Services

Vulnerability and Incident Handling Risk Assessments ASSESS DESIGN IMPLEMENTand Response MONITOR

ICS Security Zone and Incident Response and Disaster Countermeasure Recovery Planning Services Deployment

PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 21 Questions?

www.rockwellautomation.com

PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved.