Cybersecurity Update
Public Utilities Board
October 27, 2021
Yesterday
Today
[Diagram labels: Field Staff, Data Center, Electric, Water, Telecommuters, Cloud Services, Business Partners, Data]
Threats
Types of Attacks
● Malware
● Ransomware
● Data Theft
● Denial of Service
● Phishing
Bad Actors
● Organized Crime Groups
● Nation States
● Black Hat
● Hacktivists
● Insiders Gone Rogue
Cyber Attacks
Data Breaches
Ransomware
Energy / Water Breaches
Colonial Pipeline – Ransomware, Fuel pipeline shutdown
Oldsmar Water – Increased sodium hydroxide to dangerous levels
Supply Chain Hack
Police Dept.
Protecting APU & Customer Data
Guiding Principles
● Risk Management
● Defense In Depth - Layering
● Least Privilege
● Privacy
● Zero Trust
NIST Cybersecurity Framework
800-53
National Institute of Standards & Technology
City Network Environment
[Diagram labels: Billing / Customer Info, Meter Data, Work & Asset Mgt, All other City Department Systems, Customers, Cloud Services, Business Partners, Remote City Employees]
How We Protect APU & Data
Technical Controls
● Physical Security
  ◌ Badges, Doors, Locks,
  ◌ Guards, Cameras
● Firewalls
● Email Filtering
● Website Filtering
● User Access Controls
● Network Permissions
● End-point Security
● Encryption
● Operating System Patching
● Vulnerability Scanning
How We Protect APU & Data
Administrative Controls
● Policies & Procedures
  ◌ Technology Use
  ◌ Passwords
  ◌ Customer Data Access
  ◌ Third-Party Agreements / NDAs
  ◌ Change Management
● Cybersecurity Plan
● Security Assessments
● Awareness and Training
● Cyber Liability Insurance
● Industry Information Sharing
Recent Improvements
● 24/7 Security Operations Center (SOC)
● Security Information & Event Management (SIEM)
● Next Generation Firewalls
● Malicious Domain Blocking
● Email Link Protection / External Alert
● Remote Access Control
● Laptop Hard Drive Encryption
● Water Reclamation Facility SCADA Network
● New Backup Solution with Immutable Storage
Current Initiatives
● System Upgrades (Middleware, Meter Data Management, …)
● IVR Payment Processing (migrate to Cloud)
● Cybersecurity Incident Response Plan Update
● Water Network and Camera Upgrade
● Social Engineering (Phishing) Assessment
The Future
● Continuous and Incremental Improvements
● System Upgrades
  ◌ Customer Information / Web Portal
  ◌ Work and Asset Management
  ◌ Advanced Meter Infrastructure, …
● Zero Trust Architecture
● Multi-Factor Authentication
● City WiFi Improvements
● Selective Cloud Services
Cloud Security Responsibility
XaaS: <X> “as a Service”
• IaaS = Infrastructure
• PaaS = Platform
• SaaS = Software
Types of Cloud Services
[Diagram: responsibility for each layer (Data; Application/Database; Operating System; Servers, Virtualization; Compute, Network, Storage; Physical Facility; Middleware) shown for On Premises, IaaS, PaaS and SaaS, divided between Anaheim and Cloud Provider]
Security is a Journey, not a Destination
Thank you