What does a human need to survive? Typically, the first two items are food and water followed by a place live. Most of us take for granted that our water supply is always safe and drinkable. As such a vital resource, one would think that the critical infrastructure that purifies and monitors water must be completely secure at all times.
Unfortunately, that is not always the case. Take the classic hacker case of the Maroochy water plant in Queensland, Australia, for instance, where sewage was released into local waterways over a three-month period.
This event triggered government entities to become involved. The Australian Department of Communications, Information Technology and the Arts (DCITA) launched an effort to investigate the potential risks to SCADA systems and began holding a series of instructional workshops across the country regarding security mitigation and risk management. The workshop utilized known techniques such as defense-in-depth strategies.
In the United States, governments and utilities were paying attention to the fact that critical infrastructure should not be taken lightly. In 2013, President Obama issued Executive Order 13636 – Improving Critical Infrastructure Cybersecurity. One of the more interesting actionable items is:
Sec. 8. Voluntary Critical Infrastructure Cybersecurity Program. (a) The Secretary, in coordination with Sector-Specific Agencies, shall establish a voluntary program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and any other interested entities (the “Program”).
The question then becomes: how do we identify and implement some mechanism to protect critical infrastructure? By “we,” I mean the utility trying to build a security posture with no prior knowledge.
In the case of the power transmission and distribution world, there are hard requirements to meet known as the NERC CIP requirements. These are put in place to protect the United States’ electrical (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Tripwire Guest Authors. Read the original post at: https://www.tripwire.com/state-of-security/ics-security/taking-the-first-steps-down-the-security-posture-path-with-awwa/