www.ca-nv-awwa.org 21
as site visitors, emphasis on cybersecurity was critical.
Designing an Industrial Control System with Respect to Cybersecurity
Several industry cybersecurity standards were used as guidance in the design and implementation of WRD’s controls system network. These included the International Society of Automation (ISA) 95 Industrial Company Automation Levels and ISA 99 Security Levels, Zones and Conduits. ISA 95 consists of several models, including the Purdue Model for Control Hierarchy. (See isa-95.com/isa-95-01-models-terminology/, isa-99.com and isa.org/technical-topics/cybersecurity/.)
All of ISA 95’s general operational levels are being reviewed and addressed in WRD’s industrial control system and business network infrastructure, an effort that has required iterative meetings with multiple stakeholders and WRD’s design and integration teams. To understand and incorporate the business requirements needed to support those projects, stakeholders from enterprise business systems projects (e.g., the CMMS Pilot Project) were also consulted. Once those business requirements are fully understood, a defense posture for each specific application will be defined and implemented with consideration for long-term maintenance.
Defense in Depth
Securing data from external and internal threats of either a malicious or accidental nature begins with a clear understanding of a utility’s business and operational processes. Utilizing the process of data classification, WRD reviewed the data it was generating and determined its value. The flow of data was then mapped through the network to document the inter-device communication required to support efficient operations at various facilities. In addition to data mapping, WRD assessed the types of information individual users had access to as part of their daily responsibilities. The goal of this analysis was to establish a security policy using best-practice techniques.

After developing a general data classification for its Industrial Control System (ICS) network data, WRD developed a multilayer cybersecurity defense strategy to protect the master SCADA system. A brief overview of some of these security techniques is discussed below.
NETWORK SEGMENTATION. A key component supporting WRD’s cybersecurity defense posture, network segmentation divides networks into zones based on their operational function or group in order to limit, totally restrict, or air-gap access between zones. As a defense against threats to programmable logic controllers (PLCs) and other industrial control devices from devices and users on the business network, the industrial control system will be segmented from the business network.
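The data-flow mapping and zone segmentation described above can be checked mechanically once both are written down. The following Python script is an added example (not WRD’s code or configuration): it models ISA 99-style zones (address ranges grouped by function) and conduits (the only permitted paths between zones), then audits a documented flow map against that policy so that, for instance, a business-network laptop reaching a PLC is flagged. All zone names, address ranges, ports and flows are constructed for illustration.

```python
"""Zone-and-conduit policy audit for an ICS network (added example, not WRD's code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Zones: name -> CIDR ranges. Constructed addressing, not WRD's real plan.
ZONES = {
    "business": [ip_network("10.10.0.0/16")],
    "dmz": [ip_network("10.20.0.0/24")],         # historian / jump hosts
    "scada": [ip_network("192.168.10.0/24")],    # master SCADA servers
    "control": [ip_network("192.168.20.0/24")],  # PLCs and other field devices
}

# Conduits: (source zone, destination zone) -> allowed TCP/UDP ports.
# Anything not listed is denied; note there is no business -> control conduit.
CONDUITS = {
    ("business", "dmz"): {443},          # read-only historian web view
    ("dmz", "scada"): {5432},            # historian pulls from the SCADA database (assumed)
    ("scada", "control"): {502, 44818},  # Modbus/TCP, EtherNet/IP
    ("scada", "dmz"): {514},             # syslog to a collector in the DMZ
}


def zone_of(addr: str) -> Optional[str]:
    """Return the zone containing `addr`, or None if it is not mapped to any zone."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in n for n in nets):
            return name
    return None


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    purpose: str = ""


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one documented flow."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s is None or d is None:
        return "deny", f"unmapped address in {flow.src} -> {flow.dst}; assign it to a zone first"
    if s == d:
        return "allow", f"intra-zone traffic within '{s}'"
    allowed = CONDUITS.get((s, d))
    if allowed is None:
        return "deny", f"no conduit from '{s}' to '{d}'"
    if flow.port not in allowed:
        return "deny", f"conduit {s}->{d} does not permit port {flow.port}"
    return "allow", f"conduit {s}->{d} permits port {flow.port}"


def audit(flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    """Evaluate every flow in a documented flow map."""
    return [(f, *evaluate(f)) for f in flows]


# Constructed flow map, standing in for the output of the data-mapping exercise.
FLOW_MAP = [
    Flow("192.168.10.5", "192.168.20.11", 502, "SCADA master polls PLC"),
    Flow("10.10.4.20", "192.168.20.11", 502, "engineer laptop to PLC"),
    Flow("10.10.4.20", "10.20.0.10", 443, "business user views historian"),
    Flow("10.20.0.10", "192.168.10.5", 3389, "RDP from DMZ host to SCADA server"),
    Flow("172.16.0.9", "192.168.20.11", 502, "host not in any zone"),
]

if __name__ == "__main__":
    for flow, verdict, reason in audit(FLOW_MAP):
        print(f"{verdict:5} {flow.src}->{flow.dst}:{flow.port}  {flow.purpose}  [{reason}]")
```

Running the script prints one verdict per documented flow; the two flows that reach the control zone from anywhere other than the SCADA zone are denied, as is the unmapped host, which forces every address to be assigned to a zone before it can communicate at all.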
LEAST PRIVILEGE. WRD will protect data by narrowing individual access and restricting users from having more access to data than is needed to accomplish daily job functions. This will be achieved by creating groups consisting of individual users with similar data needs and assigning focused access rights to each group.
MONITORING FOR POTENTIAL CYBER ATTACKS. Evolving and continuous monitoring is essential. An Intrusion Prevention System (IPS) will be employed to detect suspicious traffic and alert the network administrator to potential intrusion in real time, per the security policies and rules configured into it.

Port security will be designed into the cybersecurity defense posture as protection against a rogue device that could be plugged into the network and bypass the firewall. Strategies to prevent this include configuring a network switch to respond when it notices an unauthorized device. Any port on the switch that is known to be restricted to the exclusive use of one device (e.g., a server or PLC) could apply port security. When a device change occurs, the port responds either by shutting down and alerting the administrator or by simply sending an alert, depending on the circumstance.
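The two port-security responses just described (shut the port down and alert, or alert only) are easy to misjudge until you see what each does to the legitimate device sharing that port. The following Python simulation is an added example, not WRD’s switch configuration: a port restricted to one device learns the first MAC address it sees, and a frame from any other MAC is treated as a violation handled according to the configured mode. Port names and MAC addresses are constructed.

```python
"""Switch port-security simulation (added example, not WRD's configuration)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

SHUTDOWN = "shutdown"  # disable the port and alert the administrator
ALERT = "alert"        # keep serving the authorised device, alert only


@dataclass
class SecurePort:
    name: str
    mode: str = SHUTDOWN
    max_macs: int = 1                               # one device per port
    allowed: Set[str] = field(default_factory=set)  # statically assigned or sticky-learned MACs
    up: bool = True
    alerts: List[str] = field(default_factory=list)
    violations: int = 0

    def frame_from(self, mac: str) -> bool:
        """Process a frame with source MAC `mac`; return True if the frame is forwarded."""
        mac = mac.lower()
        if not self.up:
            return False  # port was shut down by an earlier violation
        if mac in self.allowed:
            return True
        if len(self.allowed) < self.max_macs:
            self.allowed.add(mac)  # sticky-learn the first device seen on the port
            return True
        # A different device on a single-device port: that is the violation.
        self.violations += 1
        msg = f"{self.name}: unauthorised MAC {mac}; allowed={sorted(self.allowed)}"
        if self.mode == SHUTDOWN:
            self.up = False
            self.alerts.append("SHUTDOWN " + msg)
            return False
        self.alerts.append("ALERT " + msg)
        return False  # rogue frames are still dropped in alert-only mode

    def admin_reenable(self) -> None:
        """Operator re-enables the port after investigating the alert."""
        self.up = True


def demo():
    """Drive one PLC-facing port in shutdown mode and one server port in alert mode."""
    plc_port = SecurePort("Gi1/0/7", mode=SHUTDOWN)
    server_port = SecurePort("Gi1/0/2", mode=ALERT)
    results: Dict[str, bool] = {
        "plc_first": plc_port.frame_from("00:1d:9c:aa:bb:01"),     # PLC is learned
        "plc_rogue": plc_port.frame_from("00:50:56:12:34:56"),     # rogue laptop
        "plc_after": plc_port.frame_from("00:1d:9c:aa:bb:01"),     # PLC now cut off too
        "srv_first": server_port.frame_from("00:0c:29:de:ad:01"),  # server is learned
        "srv_rogue": server_port.frame_from("00:50:56:12:34:56"),  # rogue laptop
        "srv_after": server_port.frame_from("00:0c:29:de:ad:01"),  # server still served
    }
    return plc_port, server_port, results


if __name__ == "__main__":
    plc, srv, res = demo()
    for key, forwarded in res.items():
        print(f"{key}: {'forwarded' if forwarded else 'dropped'}")
    for line in plc.alerts + srv.alerts:
        print(line)
```

The simulation makes the trade-off concrete: shutdown mode stops the rogue device but also takes the PLC offline until an operator re-enables the port, which is why alert-only mode may be the better fit for a port whose legitimate device must not lose connectivity.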
DOCUMENTING AND CONTROLLING NETWORK CONFIGURATIONS. Proper documentation of network device configurations is another key strategy. Keeping a record of changes to network devices as well as physical changes to the network itself is vital, especially when responding to a suspected intrusion.
WI-FI SECURITY. Like many organizations, WRD has experienced an increased use of Wi-Fi by employees, consultants, and visitors. Wi-Fi can be difficult to secure, due to challenges from weak encryption protocols (WEP) and weak access controls. To protect the Wi-Fi network at GRIP, security strategies such as the Institute of Electrical and Electronics Engineers’ (IEEE) 802.1X authentication protocol will be implemented. (Authentication is the process of ensuring that something is what it claims to be before it is allowed access.) 802.1X authentication involves using a Remote Authentication Dial-in User Service (RADIUS) server to authenticate Wi-Fi access points along with individual users. Once the identity of the access points has been validated, the user is allowed access to the protected side of the network. If the authentication process fails, access will be denied.
LONG-TERM MAINTENANCE POLICIES AND PROCEDURES. Keeping a network secure and resilient requires being proactive, which means continuous monitoring and making adjustments when necessary. The principles of Segmentation and Least Privilege will also be applied to sister agencies and outside vendor support staff. This involves establishing cybersecurity policies and procedures for all stakeholders, including internal staff, sister agency staff, and outside support staff.

Vendors often use remote access to provide technical assistance. Although WRD recognizes that providing remote access is necessary, it will limit vendor access to the SCADA network. No entity will be allowed unrestricted access to the WRD network from an untrusted (i.e., Internet) network, and remote access will be limited to specific devices the vendor supports. All remote access will traverse a series of security appliances, depending on how deep within the WRD network access is required. Unique credentials will authenticate specific vendor support staff, and general all-purpose user profiles will be avoided because of the inability to identify a specific individual using those credentials. In addition, remote access will be limited to a geographic location. Remote connections will be monitored and traffic inspected continuously by the Intrusion Prevention System.
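The vendor remote-access rules above, and the group-scoped access rights described under LEAST PRIVILEGE earlier, both come down to the same check: a named individual, a narrowly scoped set of devices, and nothing beyond that scope. The following Python policy check is an added example, not WRD’s policy engine: each vendor is a group whose staff may reach only the devices the vendor supports, only from a permitted region, only with an individual (never shared) credential, and only over a path that passes the inspecting security appliances. Vendor names, device names, accounts and countries are constructed for illustration.

```python
"""Vendor remote-access policy check (added example; not WRD's policy engine)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class VendorPolicy:
    """Least-privilege scope for one outside support group."""
    devices: Set[str]                                        # devices this vendor supports
    countries: Set[str]                                      # where support staff may connect from
    staff: Set[str]                                          # named individual accounts
    shared_accounts: Set[str] = field(default_factory=set)   # all-purpose profiles, never allowed


# Constructed policy table; the device and account names are illustrative only.
POLICIES: Dict[str, VendorPolicy] = {
    "pump-oem": VendorPolicy(
        devices={"PLC-PS1", "PLC-PS2"},
        countries={"US"},
        staff={"j.rivera", "m.chen"},
        shared_accounts={"pumpoem-support"},
    ),
    "scada-integrator": VendorPolicy(
        devices={"SCADA-MASTER-1"},
        countries={"US"},
        staff={"a.okafor"},
    ),
}


@dataclass
class AccessRequest:
    vendor: str
    user: str
    country: str          # country of the connecting endpoint, as seen by the access gateway
    target: str           # device the vendor wants to reach; "*" means "the whole network"
    via_appliances: bool  # True if the session path traverses the IPS / security appliances


def decide(req: AccessRequest) -> List[str]:
    """Return an empty list to allow the session, or the list of policy violations."""
    pol = POLICIES.get(req.vendor)
    if pol is None:
        return [f"unknown vendor '{req.vendor}'"]
    problems: List[str] = []
    if req.user in pol.shared_accounts or req.user not in pol.staff:
        problems.append(f"credential '{req.user}' is not a named individual for {req.vendor}")
    if req.target == "*" or req.target not in pol.devices:
        problems.append(f"target '{req.target}' is outside the devices {req.vendor} supports")
    if req.country not in pol.countries:
        problems.append(f"connection from {req.country} is outside the permitted region")
    if not req.via_appliances:
        problems.append("session does not traverse the inspecting security appliances")
    return problems


if __name__ == "__main__":
    # Constructed requests: one compliant, three that should be refused.
    for req in [
        AccessRequest("pump-oem", "j.rivera", "US", "PLC-PS1", True),
        AccessRequest("pump-oem", "pumpoem-support", "US", "PLC-PS1", True),
        AccessRequest("pump-oem", "m.chen", "BR", "*", False),
        AccessRequest("scada-integrator", "a.okafor", "US", "PLC-PS1", True),
    ]:
        verdict = decide(req)
        print(f"{req.vendor}/{req.user} -> {req.target}: "
              + ("ALLOW" if not verdict else "DENY: " + "; ".join(verdict)))
```

Returning every violation rather than stopping at the first one is deliberate: the list is what the administrator sees in the alert, and a request that fails on identity, scope and region at once looks very different in an investigation from one that merely came from an unexpected country.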
Conclusion
Given the growing volume and sophistication of cyber attacks, WRD recognizes that ongoing attention and adjustment will be required for its security systems to evolve, protect, and provide resilience for its critical infrastructure.