Control System Security Guide

There is an interesting blog post by Bridget O'Grady over at SecurityNotes.asdwa.org about a new control system security program being introduced by the American Water Works Association (AWWA). Based at least in part on the recently published Cybersecurity Framework (CSF), this voluntary program for water treatment facilities looks like an interesting attempt at making the CSF usable.

There are two main components of this program, a Cybersecurity Guide and an on-line Cybersecurity Guidance Tool. Unfortunately for most readers of this blog, the tool is only accessible to members of the AWWA.

Cybersecurity Guide

There are three main parts to the publicly available guide:

• Recommended Cybersecurity Practices;

• Cybersecurity Guidance Tool; and

• Cross Reference to NIST Cybersecurity Framework

The recommend practices section gives a overview of the broad sweep of cybersecurity practices including definitions of some key terms. It addresses twelve important areas of cybersecurity:

• Governance and risk management;

• Business continuity and disaster recovery;

• Server and workstation hardening;

• Access control;

• Application security;

• Encryption;

• Telecommunications, network security and architecture;

• Physical security of PCS equipment;

• Service level agreements;

• Operations security;

• Education; and

• Personnel Security

Table 2-1 in the Guide provides a slightly more detailed listing of the various components of the above listed category. All of this is written in the broadest language and is hardware and software non-specific. While some of the wording used applies specifically to water treatment systems, there is nothing here that could not generally be applied to any industrial control system.

Cybersecurity Guidance Tool

While the tool itself is not available to the public, there is a good description of how the tool works and how to use it in the Guide. It employs a check-list type approach to allow a facility to describe its control system. For example, under system architecture there are three check boxes (and more than one box can be checked):

AR1: Dedicated network: All network and communications infrastructure is dedicated exclusively to SCADA. No connections to enterprise networks.

AR2: Shared WAN: Wide-area network communications infrastructure is shared (controls: physical (media) separation, VPN, VLAN, firewall).

AR3: Shared LAN: Local-area network communications (within facility) is shared (controls: VLAN, firewall).

Each of these selected boxes is described as a Use Case. Once the system architecture is described, the tool provides a list of Recommended Controls for each of the selected Use Cases. Readers who are familiar with the CSF will recognize the general format of these Recommended Controls as it references back to various established standards using both the standards listed in the CSF and some additional standards more directly applicable to control systems (DHS DID: DHS Recommended Practice: Improving Industrial Control Systems Cyber Security with Defense-In-Depth Strategies) or water treatment facilities (ANSI/AWWA G430-09: Security Practices for Operations and Management).

The Recommended Controls are provided in four different priority levels starting with the minimum accepted levels of security for SCADA/PCS (Priority 1 Controls) and ramping up to the most complex controls that are targeted at preventing the most sophisticated attacks (Priority 4 Controls). The description of the use of these various priority levels seems to be more targeted on an implementation.

Cross Reference to CSF

Appendix A provides a tabular cross reference of these suggested security controls back to the Appendix A table in the CSF. Unfortunately they used the August 28^th, 2013 draft version of the CSF for their table so it does not exactly match up with the table in the final version of the CSF. Given that this was published within a week of the final version of the CSF I can understand why this choice was made. It would have been nice, however, if the authors had been able to access a more up-to-date version of this table, but such is life.

Commentary

This actually looks like a very useable process and the AWWA is to be commended, not only on the thoroughness of the effort, but on the speed with which it was done. They obviously relied on a lot of the public work that was done by NIST during the development of the CSF.

There is one slightly negative thing that I do have to say about this effort. This program is a management program not a technical program. It is a valuable tool to provide management with a set of techniques to oversee the establishment and maintenance of a control system cybersecurity program. It is not, however, an actual guide on how to secure a specific control system.

Granted it would not be possible to write a single useable document to the security of the wide variety of control systems in use even in the relatively limited area of water treatment. But management must realize that they are still going to have to rely on the judgment and skills of their control system staffs and contractors to actually put the controls into place and make them work on a day-to-day basis. And if management is not willing to ensure that those employees and contractors have the necessary skills and tools to accomplish those tasks, no level of ‘compliance’ with a tool such as this will provide any kind of cybersecurity for their organization.