Awwa Research Foundation (Advancing the Science of Water)
Sandia National Laboratories

Risk Assessment Methodology for Water Utilities, Second Edition

Awwa Research Foundation, 6666 West Quincy Avenue, Denver, Colorado 80235
PROPRIETARY and CONFIDENTIAL. REPORT NUMBER: 1074.

The mission of the Awwa Research Foundation is to advance the science of water to improve the quality of life. Funded primarily through annual subscription payments from over 1,000 utilities, consulting firms, and manufacturers in North America and abroad, AwwaRF sponsors research on all aspects of drinking water, including supply and resources, treatment, monitoring and analysis, distribution, management, and health effects.

From its headquarters in Denver, Colorado, the AwwaRF staff directs and supports the efforts of over 500 volunteers, who are the heart of the research program. These volunteers, serving on various boards and committees, use their expertise to select and monitor research studies to benefit the entire drinking water community. Research findings are disseminated through a number of technology transfer activities, including research reports, conferences, videotape summaries, and periodicals.

SENSITIVE SECURITY INFORMATION: CONFIDENTIAL AND PROPRIETARY

RISK ASSESSMENT METHODOLOGY FOR WATER UTILITIES (RAM-W℠)
Second Edition

Prepared by
Security Systems and Technology Center
Sandia National Laboratories
Albuquerque, NM 87185-0789

Jointly sponsored by
Awwa Research Foundation
6666 West Quincy Avenue
Denver, CO 80235-3098
and
U.S. Environmental Protection Agency
Ariel Rios Building
1200 Pennsylvania Avenue, N.W.
Washington, DC 20460

This document contains information that is not appropriate for public dissemination. Do not copy or further distribute this information. This information may be subject to International Trade in Arms Regulations (ITAR), 22 CFR 120-130. Export of ITAR information may require a license from the U.S. Department of State.

Published by the Awwa Research Foundation

DISCLAIMER

This study was jointly funded by the Awwa Research Foundation (AwwaRF) and the U.S. Environmental Protection Agency under Cooperative Agreement No. X-82956501. AwwaRF and USEPA assume no responsibility for the content of the research study reported in this publication or for the opinions or statements of fact expressed in the report. The mention of trade names for commercial products does not represent or imply the approval or endorsement of AwwaRF or USEPA. This report is presented solely for informational purposes.

Proprietary. Copyrighted. NOT APPROVED FOR PUBLIC RELEASE - This document contains information exempt from mandatory disclosure under the FOIA. Exemption 2 applies.

WARNING - This document contains data whose disclosure is restricted by 5 U.S.C. § 552(b)(2) (2000), the Freedom of Information Act, and the U.S. Attorney General FOIA Memorandum of October 12, 2001. Dissemination of this document is controlled. Violation of governing laws is subject to severe criminal penalties.

DISTRIBUTION - Department of Energy approval required prior to public release. This document may not be transmitted over the open Internet unless it is encrypted.

DESTRUCTION - Destroy by any method that will prevent disclosure of contents or reconstruction of the document.

Disclaimer of Liability

This report was prepared as an account of work sponsored by an agency of the United States Government.
Neither the United States Government, nor any agency thereof, nor any of their employees, nor any of their contractors, subcontractors, or their employees, make any warranty, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represent that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government, any agency thereof, or any of their contractors or subcontractors. The views and opinions expressed herein do not necessarily state or reflect those of the United States Government, any agency thereof, or any of their contractors.

Prepared by Sandia National Laboratories. Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy under Contract DE-AC04-94AL85000.

©2001, 2002 by AwwaRF. All rights reserved. First edition 2001. Second edition 2002. Printed in the U.S.A.

CONTENTS

LIST OF TABLES ..... ix
LIST OF FIGURES ..... xi
FOREWORD ..... xiii
ACKNOWLEDGMENTS ..... xv
EXECUTIVE SUMMARY ..... xvii

1 INTRODUCTION AND BACKGROUND ..... 1
1.1 Introduction ..... 1
1.2 Background ..... 1
1.3 Design Philosophy: Design and Evaluation of Physical Protection Systems ..... 4
1.4 Risk Assessment Methodology ..... 5
1.4.1 Risk Equation ..... 7
1.5 Tools ..... 8

2 DECISIONS AND RISK ..... 11

3 PLANNING FOR SECURITY RISK ASSESSMENTS ..... 13
3.1 Management Roles and Responsibilities ..... 13
3.2 Project Management ..... 15
3.2.1 Assessment Team Selection ..... 16
3.2.2 Document Facility Operations ..... 17
3.3 Define and Prioritize Mission Objectives ..... 18
3.4 Screening (Facility Prioritization) ..... 19
3.4.1 Example Water Utility ..... 21
3.4.2 Screening (Facility Prioritization) for Example Water Utility ..... 23
3.5 Defining Risk Reduction Goals ..... 26

4 UNDERSTANDING THE THREAT ..... 29
4.1 Threat Assessment ..... 29
4.2 Design Basis Threat ..... 30
4.3 Categories of Adversaries ..... 32
4.3.1 Categories of Outsiders ..... 32
4.3.2 Categories of Insiders ..... 33
4.3.3 Contamination Threat ..... 33
4.4 Information Gathering ..... 35
4.5 Threat Attributes ..... 36
4.5.1 Outsider Threat Attributes ..... 36
4.5.2 Insider Threat Attributes ..... 38
4.6 Cyber Threat ..... 40
4.6.1 Outsider Adversary Levels ..... 41
4.6.2 Insider Levels ..... 42
4.6.3 Cyber Threat Attributes ..... 43
4.6.4 Emerging System Weaknesses ..... 44
4.7 Threat Analysis Summary ..... 45
4.8 Likelihood of Attack (PA) ..... 46

5 SITE CHARACTERIZATION ..... 47
5.1 Preparation for Site Characterization ..... 47
5.2 Risk Assessment Scope ..... 47
5.2.1 Interdependencies ..... 48
5.3 Documents Required for Site Characterization ..... 48
5.3.1 Site Survey ..... 50
5.3.2 Existing Chemicals ..... 51
5.4 The Generic Undesired Event Fault Tree ..... 52
5.4.1 Introduction to the Fault Tree ..... 52
5.4.2 Process for Customizing the Fault Tree ..... 55
5.4.3 Identifying Critical Assets ..... 59
5.5 Questionnaires ..... 60
5.6 Consequence Assessment ..... 61
5.6.1 Define Measures of Consequence ..... 62
5.6.2 Develop Site Specific Consequence Matrix ..... 63
5.6.3 Determine Critical Assets Consequence Levels ..... 65
5.7 Existing Protection Systems ..... 66
5.7.1 Collect Information on the Existing Security System ..... 67
5.7.2 Review the Performance of the Existing Security System ..... 70
5.7.3 Review the Performance of the Existing Operational System ..... 70
5.8 SCADA Assessment Methodology ..... 71
5.8.1 Documentation Review ..... 73
5.8.2 SCADA System Characterization ..... 74
5.8.3 Relative Ranking Process ..... 74
5.8.4 Pairwise Ranking of Assets in Relation to Consequences ..... 80
5.8.5 Generate Relative Risk Rankings ..... 82
5.9 Onsite Chemical Characterization ..... 84
5.9.1 Contamination of Water with Onsite Chemicals ..... 84
5.9.2 Specific Chemicals (liquids/solids) ..... 88
5.9.3 Specific Chemicals (gases) ..... 90
5.9.4 Potential Reactions ..... 91
5.9.5 Incorrect Tank Fill ..... 91
5.9.6 Conclusions for Treatment Plant Chemicals ..... 91

6 PHYSICAL PROTECTION SYSTEM DESCRIPTION ..... 93
6.1 Design and Evaluation Process Outline ..... 94
6.1.1 Detection ..... 95
6.1.2 Delay ..... 97
6.1.3 Response ..... 98
6.2 Mitigation ..... 99
6.3 Deterrents ..... 100
6.4 Relationship of PPS Functions ..... 101
6.4.1 Interrelationship of PPS Functions - Example Water Utility ..... 102
6.5 Characteristics of an Effective PPS ..... 102

7 SYSTEM EFFECTIVENESS ..... 105
7.1 Concept of System Effectiveness ..... 105
7.1.1 Operating System Effectiveness for the Example Water Utility ..... 106
7.2 System Effectiveness Analysis Process ..... 108
7.2.1 Adversary Strategy ..... 109
7.2.2 Adversary Sequence Diagram (Path Analysis) ..... 110
7.2.3 Derive Most Vulnerable Adversary Attack Scenarios ..... 113
7.3 Estimated System Effectiveness ..... 118
7.4 Protection System Vulnerabilities ..... 122
7.5 Mitigation ..... 123

8 RISK ANALYSIS ..... 125
8.1 Risk Equation ..... 125
8.2 Estimate Risk Values ..... 126

9 RISK REDUCTION AND RECOMMENDATIONS ..... 129
9.1 Mission Objectives ..... 129
9.2 Security Policy and Procedures (General Guidelines) ..... 130
9.3 System Upgrades to Prevent Undesired Events ..... 132
9.4 System Upgrades to Reduce Consequences ..... 135
9.5 SCADA Recommendations ..... 136
9.5.1 Policy/Procedure/Configuration Management ..... 136
9.5.2 SCADA System ..... 137
9.5.3 SCADA Network ..... 137
9.5.4 SCADA Platform ..... 137
9.6 System-Wide Risk Reduction ..... 138
9.7 System Upgrades to Deter Adversary ..... 138
9.8 Calculate Risk for Upgrade Package ..... 139
9.8.1 Example of Using Adversary Attack Scenarios and Timelines ..... 139

10 FINAL RAM-W℠ REPORT ..... 141
10.1 Contents by Chapter ..... 141
10.2 Protection of Information ..... 144
10.3 Organization of Final Report ..... 144

APPENDIX A: EXAMPLE WATER UTILITY ..... 147
APPENDIX B: PROJECT PLANNING AND TEAM SELECTION ..... 161
APPENDIX C: PROCESS FOR PAIRWISE COMPARISON ..... 167
APPENDIX D: THREAT ASSESSMENT ..... 175
APPENDIX E: FAULT TREE ANALYSIS ..... 187
APPENDIX F: DATA COLLECTION QUESTIONNAIRES ..... 217
APPENDIX G: CONSEQUENCE ASSESSMENT FOR THE EXAMPLE WATER UTILITY ..... 267
APPENDIX H: SCADA SECURITY POLICY FRAMEWORK ..... 269

REFERENCES ..... 273
ACRONYMS AND DEFINITIONS ..... 275

TABLES

Table 3.1. Values for Ranking Criteria in Pairwise Comparison ..... 23
Table 3.2. Mission Objective Comparison for the Example Water Utility System ..... 24
Table 3.3. Facility Comparison - Example Water Utility (Criterion "Capacity") ..... 25
Table 3.4. Facility Comparison for the Example Water Utility (All Criteria) ..... 26
Table 4.1. Completed Water System Outsider Threat Analysis Worksheet for the Example Water Utility ..... 37
Table 4.2. Example of a Completed Water System Insider Threat Analysis Worksheet - Part 1 for the Example Water Utility ..... 39
Table 4.3. Example of a Completed Water System Insider Threat Analysis Worksheet - Part 2 for the Example Water Utility ..... 40
Table 4.4. Outsider Adversaries and Attributes ..... 43
Table 4.5. Insider Adversaries and Attributes ..... 44
Table 5.1. Example Generic Consequence Matrix ..... 64
Table 5.2. Site-Specific Consequence Matrix for the Example Water Utility ..... 65
Table 5.3. Consequence Values for Undesired Events for the Example Water Utility ..... 66
Table 5.4. Example Physical Protection System Features Worksheet ..... 69
Table 5.5. Examples of Water SCADA System Assets ..... 75
Table 5.6. Description of Relative Ranking Matrices ..... 77
Table 5.7. Numerical Ranking Values ..... 77
Table 5.8. Example of Benefit to Threat (Adversary) Matrix ..... 79
Table 5.9. Example of Degree of Vulnerability Matrix ..... 79
Table 5.10. Example Calculation of Relative Likelihood of Occurrence ..... 80
Table 5.11. Consequence Weighting Matrix ..... 81
Table 5.12. Example of Interrupt or Impair Water Flow in the System ..... 82
Table 5.13. Example of Combined Consequences Matrix ..... 82
Table 5.14. Example of Relative Risk Calculation ..... 83
Table 5.15. Example of Relative Ranking for Physical Assets ..... 84
Table 5.16. Toxicology ..... 85
Table 5.17. Chemicals Stored Onsite at Treatment Plant 2 ..... 88
Table 5.18. Maximum Feed Rates for Chemicals into Water ..... 88
Table 7.1. Protection System (PPS and Operational) Features for Treatment Plant 2 ..... 119
Table 7.2. Example Results for Estimating System Effectiveness for Treatment Plant 2 ..... 122
Table 7.3. More Example Results for Estimating System Effectiveness for Treatment Plant 2 ..... 122
Table 7.4. Example System Vulnerabilities at Treatment Plant 2 ..... 123
Table 8.1. Outcome of Risk Analysis - Example Water Utility ..... 127
Table 9.1. Examples of Features that Might Increase Physical Protection System Effectiveness at Treatment Plant 2 (Example Water Utility) ..... 134

FIGURES

Figure 1.1. RAM-W℠ "Waterfall Flow Diagram" ..... 6
Figure 2.1. Decisions and Risk: How Much Is Enough? ..... 12
Figure 3.1. Example Water Utility ..... 22
Figure 4.1. Screening Process for Developing the DBT ..... 31
Figure 4.2. Outsider Adversary Levels ..... 41
Figure 4.3. Insider Adversary Levels ..... 42
Figure 5.1. Water System Block Diagram for Treatment Plant 1 (Example Water Utility) ..... 49
Figure 5.2. Upper Levels of Generic Undesired Event Fault Tree ..... 53
Figure 5.3. Development of Loss of Water Sources ..... 54
Figure 5.4. Upper Levels of Site Specific Fault Tree for the Example Water Utility ..... 56
Figure 5.5. Loss of Water Sources for the Example Water Utility ..... 57
Figure 5.6. Customized Generic Undesired Event Subtree for Example Water Utility ..... 58
Figure 5.7. Grafted Loss of Critical Pump Systems for Example Water Utility ..... 59
Figure 5.8. SCADA Assessment Methodology ..... 72
Figure 5.9. SCADA System Asset Relative Ranking Process ..... 76
Figure 5.10. Dose vs. Toxic Chemical: % of Subjects Exhibiting Response vs. Dosage ..... 86
Figure 6.1. Functions of a Physical Protection System ..... 94
Figure 6.2. Design and Evaluation Process Outline (DEPO) ..... 95
Figure 6.3. Detection Functions in a PPS ..... 96
Figure 6.4. Delay Function ..... 97
Figure 6.5. Response Function ..... 98
Figure 6.6. Interrelationship of PPS Functions ..... 101
Figure 7.1. System Effectiveness, PE ..... 106
Figure 7.2. Operating System Effectiveness for the Example Water Utility ..... 107
Figure 7.3. Operating System Effectiveness for the Example Water Utility ..... 108
Figure 7.4. Adversary Path Development for Treatment Plant 2 ..... 110
Figure 7.5. Adversary Sequence Diagram (ASD) for Treatment Plant 2 ..... 111
Figure 7.6. ASD for Treatment Plant 2 with Path Elements ..... 112
Figure 7.7. Adversary Attack Scenario Timeline (PPS Example) ..... 115
Figure 7.8. Combined Timeline First Case for Treatment Plant 2 ..... 116
Figure 7.9. Combined Timeline Second Case for Treatment Plant 2 ..... 117
Figure 7.10. Combined Timeline Third Case for Treatment Plant 2 ..... 118
Figure 7.11. Combined Timeline Third Case for Treatment Plant 2 with Detection Reliability Added ..... 120
Figure 10.1. Organization of Final Report ..... 145

FOREWORD

The Awwa Research Foundation is a nonprofit corporation dedicated to the implementation of a research effort to help water utilities respond to regulatory requirements and traditional high-priority concerns of the industry. The research agenda is developed through consultation with subscribers and drinking water professionals. Under the umbrella of a Strategic Research Plan, the Research Advisory Council prioritizes the suggested projects based upon current and future needs, applicability, and past work; the Council's recommendations are then forwarded to the Board of Trustees for final selection.
The foundation also sponsors research projects through unsolicited proposals; the Collaborative Research, Research Applications, and Tailored Collaboration programs; and various joint research efforts with organizations such as the U.S. Environmental Protection Agency, the U.S. Bureau of Reclamation, and the Association of California Water Agencies. This publication is a result of one of these sponsored studies; it is hoped that its findings will be applied in communities throughout the world.

The following report serves not only as a means of communicating the results of the water industry's centralized research program, but also as a tool to enlist the further support of nonmember water utilities and individuals. Projects are managed closely from their inception to the final report by the foundation's staff and a large cadre of volunteers who willingly contribute their time and expertise. The foundation serves a planning and management function and awards contracts to such other institutions as water utilities, universities, and engineering firms. The funding for this research effort comes primarily from the Subscription Program, through which water utilities subscribe to the research program and make an annual payment proportionate to the volume of water they deliver. Consultants and manufacturers subscribe based on their annual billings. The program is designed to offer a cost-effective and fair method for funding research in the public interest.

A broad spectrum of water supply issues is addressed by the foundation's research agenda: resources, treatment and operations, distribution and storage, water quality and analysis, toxicology, economics, and management. The ultimate purpose of the coordinated effort is to assist water suppliers to provide the highest possible quality of water economically and reliably. The true benefits are realized when the results are implemented at the utility level. The foundation's trustees are pleased to offer this publication as a contribution toward that end.

The security of water utilities has become a more prominent concern in recent years. In 1998, President Clinton signed Presidential Decision Directive (PDD) 63, Protecting America's Critical Infrastructures. PDD 63 identifies eight critical infrastructures across the country, including the water supply sector. PDD 63 envisioned a public-private partnership between the owners and operators of these critical infrastructures and the federal government to help improve security. This report for the water supply community is one product of that partnership; it represents a joint effort between the water supply community, the U.S. Environmental Protection Agency, and the U.S. Department of Energy. This report identifies a methodology that a medium or large water utility can use to review its facilities and make informed decisions to reduce the risks from malevolent attack. This methodology will help water utilities first identify which facilities and operations are most critical to accomplishing their missions and then consider how best these critical operations might be protected. The methodology presented in this report will help drinking water utilities decide where security measures can be most effectively applied and thus put to better use the limited time and money available for security issues.

Edmund G. Archuleta, P.E., Chair, Board of Trustees, Awwa Research Foundation
James F. Manwaring, P.E., Executive Director, Awwa Research Foundation
ACKNOWLEDGMENTS

Several drinking water utilities have contributed significant amounts of their time and resources to create both Version 1 and Version 2 of RAM-WSM. AwwaRF, Sandia National Laboratories, and the U.S. Environmental Protection Agency would like to thank the management and staff of the following water utilities:

City of Alamogordo
Milwaukee Water Works
Seattle Public Utilities
Tucson Water
Massachusetts Water Resources Authority
Washington Aqueduct
District of Columbia Water and Sewer Authority

Additionally, the authors would like to acknowledge the many hours of review and input from the Project Advisory Committee assembled by AwwaRF, whose careful review and thoughtful comments improved the quality of the final product:

• Russel Balbirona, Bureau of Reclamation
• Kevin Brown, DEQ Division of Drinking Water
• Steve Dennis, Alameda County Water District
• Kevin Gertig, Fort Collins Water Utilities
• Robin J. Hamblet, CISSP, City of Portland
• Steve Jackson, Bureau of Reclamation
• Jack Jacobs, EMA, Inc.
• Bruce Johnson, City of Tucson Water Department
• Thomas Kahler, Newport News Waterworks
• Jerry Obrist, Lincoln Water System
• John W. Porco, PE, Michael Baker, Jr., Inc.
• Raymond Riordan, East Bay Municipal Utility District
• Alan Roberson, AWWA
• Marty Swickard, USEPA Region 8
• Frank Blaha, PE, Awwa Research Foundation
• Jeff Oxenford, Awwa Research Foundation

EXECUTIVE SUMMARY

In partnership with the Awwa Research Foundation (AwwaRF) and Sandia National Laboratories (Sandia), the EPA has undertaken a program to improve security at water utilities across the United States.
At the national level, the EPA has the responsibility to create a public-private partnership for improving the security of the water infrastructure. To meet the security needs of the AwwaRF, water utilities, and the EPA, Sandia developed the Risk Assessment Methodology for Water Utilities (RAM-WSM). Version 1 of RAM-WSM was issued in November of 2001. This report contains Version 2, developed and validated over the course of six detailed case studies. Version 2 also contains a cyber assessment methodology, which was not sufficiently developed for inclusion in Version 1. Included as a separate document, to go hand-in-hand with Version 2, is a worked example to demonstrate application of the methodology. Training has been, and continues to be, available on the methodology from consultants trained and licensed by Sandia. Contact information for the trainers can be found at .

Version 2 is much more than a methodology. It represents the wisdom and experience gained through multiple water utility assessments intertwined with years of security experience. Examples of how to apply the methodology are included in the body of the text as well as in the separate example water utility. Although this version of RAM-WSM completely updates and better explains the methodology, it is still strongly recommended that assessment teams receive training before undertaking an assessment. The training has been specifically designed for this methodology and will provide additional information, examples, and hands-on experience.
1 INTRODUCTION AND BACKGROUND

1.1 INTRODUCTION

This document presents, explains, and demonstrates the Risk Assessment Methodology for Water Utilities (RAM-WSM), designed to assist water and security professionals in assessing the risks from malevolent threats. Through a systematic, thorough evaluation of the water utility operations, a prioritized plan for consequence mitigation, security upgrades, modifications to operational procedures, and/or policy changes can be developed to mitigate identified risks. This consequence-driven risk-management program is a performance-based approach designed to facilitate a comparative analysis that relies on relative risk rankings and uses a simple-to-understand risk equation. Physical security and cyber security assessment methodologies are both included.

Users of RAM-WSM should strive to apply it in a performance-based manner, which ultimately requires some form of performance testing to verify that protection and/or mitigation objectives are met. The quality of the assessment results is directly related to the training, expertise, and commitment of the team(s) performing the assessment, and the commitment and support of senior management. Following the methodology will aid in describing critical facilities and assets to protect, identifying system vulnerabilities, and determining the level of protection to which the security system should be designed. The goal of RAM-WSM is to provide a plan for balanced risk reduction measures by appropriately applying valuable water utility resources.

1.2 BACKGROUND

During the Clinton administration the National Security Council issued directives that designated several U.S. infrastructures as critical, including the water infrastructure.
The Environmental Protection Agency (EPA) was assigned the responsibility to develop plans for improving water infrastructure security, in cooperation with water industry associations, such as the Association of Metropolitan Water Agencies (AMWA) and the American Water Works Association (AWWA), as well as metropolitan water agencies. During this same period, the American Water Works Association Research Foundation (AwwaRF) noted an increased concern about security among its membership of water utilities. In response, AwwaRF embarked on a program to develop a methodology and the associated tools for completing security risk assessments of water utilities. Version 1 of RAM-WSM was issued in November of 2001, and a training program on how to apply the methodology followed in December of the same year.

On June 12, 2002, President Bush signed the Public Health Security and Bioterrorism Preparedness and Response Act of 2002 into law (P.L. 107-188). This Bioterrorism Act requires community water systems serving populations of greater than 3,300 persons to conduct vulnerability assessments. Over 8,000 communities are required to assess and report on their vulnerabilities determined through a security risk assessment. The EPA requires the following elements in the risk assessment:

"A satisfactory vulnerability assessment (VA) is comprised of the following eight major elements and processes. A VA is a systematic analysis used to determine the malevolent risks posed to the operations of water supply, treatment, and distribution systems. A satisfactory VA is a thorough and systematic evaluation of the ... water utility system, characterized by the following elements:

1. Determination of water system objectives by:
• Identifying the important missions/functions of the system to be assessed,
• Identifying the undesirable consequences that could affect the missions/functions,
• Determining the assets that need to be protected to minimize the impacts of the undesirable events/consequences,
• Determining the malevolent acts that could reasonably cause these events/consequences.

2. Prioritization of adverse events/consequences affecting the water system and the surrounding community including:
• Loss of critical function and/or major service disruption,
• Intentional attack on public safety via water utility assets, contamination of the water supply, and chemical releases or chemical theft.

3. Definition of how the malevolent acts might be conducted, such as:
• Physical damage,
• Chemical, biological, and radiological contamination,
• Cyber attacks on the Supervisory Control and Data Acquisition (SCADA) or other process control systems,
• Interdependency disruptions (e.g., electrical, transportation, etc.).

4. Assessment of the likelihood (qualitative probability) of such malevolent acts from defined threat sources (e.g., terrorist, insider, determined vandal, casual vandal, etc.).

5. Systematic site characterization of the water system to include the collection of performance data on:
• Important facilities, processes, and assets,
• Physical protection system features of deterrence, detection, delay, and response,
• Cyber protection system features,
• Security policies and procedures and compliance with same.

6. The approach to the VA is "performance-based," meaning that it evaluates the risk to the water system based on the effectiveness of the security system against the specific malevolent acts determined in the initial step.

7. The VA determines the most critical assets (targets) in a water system, details their interrelationships with other assets in the system, identifies the consequences of malevolent acts that could be directed against them, and evaluates the effectiveness of both existing and proposed protection systems.

8. The VA identifies a system's vulnerabilities and provides a prioritized plan for security upgrades, modifications of operational procedures, and/or policy changes to mitigate identified risks to critical assets. The VA also provides a basis for comparing the cost of protection against the risks posed."

Version 2 of RAM-WSM incorporates significant improvements learned through multiple assessments of some of the largest metropolitan water utilities in the United States as well as input received from scores of water utility personnel during RAM-WSM training sessions. Appendices including worked examples have been added to assist the practitioner. The Generic Undesired Event Fault Tree has been completely reworked to make it easier to follow and apply. More explanation has been added to all chapters, and additional sections included where necessary.

The efforts of EPA, AWWA, AwwaRF, and AMWA have been coordinated through this project with the goal of developing a generic security risk assessment methodology to assist water utilities in understanding and mitigating their security risks. Several water utilities have graciously opened their doors and offered countless hours of their staff's time to develop and refine this version of RAM-WSM.

1.3 DESIGN PHILOSOPHY: DESIGN AND EVALUATION OF PHYSICAL PROTECTION SYSTEMS

For more than 25 years, Sandia National Laboratories (Sandia) has employed performance-based methods for designing and evaluating physical protection systems (PPS).
This approach has been applied for many years to high-consequence government facilities, and more recently to several critical infrastructures (e.g., federal dams, power utilities, etc.). This document describes the adaptation of this process to the requirements of the water infrastructure. An overview of the Sandia process provides the underlying assumptions used in the adaptation:

A PPS integrates people, procedures, and equipment for the protection of assets or facilities against theft, sabotage, or other malevolent human attacks. The design of an effective PPS requires a methodical approach in which the designer weighs the objectives of the PPS against available resources and then evaluates the proposed design to determine how well it meets the objectives. Without this kind of careful assessment, the PPS might waste valuable resources on unnecessary protection or, worse yet, fail to provide adequate protection at critical points of the facility. For example, it would probably be unwise to protect a facility's employee cafeteria with the same level of protection as the central computing area. Similarly, maximum security at a facility's main entrance would be wasted if entry were also possible through an unprotected loading dock. Each facility is unique, even if performing generally the same activities, so this systematic approach allows flexibility in the application of security tools to address local conditions.

The foundation of this approach is the design of an integrated performance-based system. Performance measures (i.e., validated numeric characteristics) for various system components, such as sensors, video, or response time, allow the use of models to predict system performance against the identified threat.
This effectiveness measure can then be used to provide the business rationale for investing in the system or upgrade, based on a measurable increase in system performance and an associated decrease in risk to the facility. Looking at system improvement compared to costs can then support a cost-benefit analysis. By following this process, the system designer will include elements of business, technology, and the criminal justice system into the most effective design within the constraints and budget of the facility. (Garcia, 2001)

This PPS design philosophy has been applied to the development of RAM-WSM, the security risk assessment methodology for water utilities described in this document. The philosophy has been extended to also consider contributions of non-physical security elements in determining protection system effectiveness. These non-physical security elements, referred to as operational elements, are elements that are intrinsic to the water utility operation. This will be discussed more in later chapters.

The cyber security assessment portion of RAM-WSM is based on a relative ranking assessment approach to water utility SCADA systems. A guided top-down approach provides the basic structure and integrates elements from a variety of IT assessment and evaluation approaches. The process provides an effective means to evaluate the overall system security of water utility SCADA systems and to guide the development and integration of sustainable security improvements. A final, prioritized list of SCADA system assets, ranked by relative security deficiency, indicates an order for applying resources to improve SCADA security.

1.4 RISK ASSESSMENT METHODOLOGY

Chapter 1 of this document provides background information and introduces the methodology. Figure 1.1 is a "waterfall flow diagram" showing the generic risk assessment methodology. This document follows the waterfall flow diagram starting with Chapter 3, explaining each of the major steps along the path.
Chapter 2 discusses management decisions and acceptable risks. After discussing project planning and team selection, Chapter 3 introduces the concept of pairwise comparison and provides an example application. Pairwise comparison is a screening tool used to prioritize the water utility's mission objectives and helps identify and prioritize critical facilities for risk evaluation. Chapter 4 discusses threat assessment and provides tools to uncover and understand threats posed by insiders, outsiders, and outsiders working in collusion with insiders. The Cyber Threat is also introduced in Chapter 4. The concept of a Design Basis Threat (DBT) (i.e., the threat level the water utility owner decides the water utility must be protected against with high confidence) is also discussed in this chapter. Chapter 5 presents the site characterization phase and discusses several customized tools. The Undesired Event Generic Fault Tree is a tool introduced in this chapter that should be carefully controlled because it organizes sensitive material that is collected by the water utility as the security risk assessment is applied. The generic fault tree will be customized for the site to identify the most vulnerable parts of the water utility operation being evaluated. Critical assets are identified from the site-specific fault tree and are assigned consequence levels based on the water utility's site-specific consequence table. How to define consequence measures and develop a site-specific consequence table is presented in Chapter 5.

[Figure 1.1 is a diagram; only its box labels survive extraction: Planning: Purpose, Objective; Prioritize Facilities. Threat Assessment: Design Basis Threat; Likelihood of Attack (PA). Facility Characterization: Prioritized Critical Assets (C); Protection and Operating Systems (PE). System Effectiveness. Risk Analysis: R = PA × (1 - PE) × C. Risks Acceptable? No: Proposed Upgrades, then re-analyze. Yes: End.]

Figure 1.1. RAM-WSM "Waterfall Flow Diagram"

How to collect information about the existing protection system is presented in Chapter 5. This chapter includes a description of the SCADA assessment methodology (the RAM-WSM is an integration of both physical security and SCADA security) and a description of how to evaluate the risk of contamination from onsite chemicals. Chapter 6 describes physical protection systems in general and introduces the concepts of detection, delay, and response. Chapter 7 describes the System Effectiveness analysis process. The concepts of adversary strategy, adversary sequence diagrams, and scenarios and timelines (path analysis) are introduced. The path analysis tool is applied to understand how an adversary might attack the water utility and how effective the existing protection system (i.e., physical protection and operational design systems) is against that attack. In Chapter 7, after estimating the current system effectiveness, system vulnerabilities are identified. Chapter 8 uses the information collected and developed in all the previous chapters to perform a risk analysis that allows decision-makers to consider whether the identified risks are acceptable. Finally, if the risks are deemed unacceptable, Chapter 9 discusses steps that might be taken to reduce the risk and describes generic recommendations including "good business practices." Chapter 10 describes the organization and content of the final report. The appendices contain detailed information on examples, processes, worksheets, tools, etc., supporting the applicable chapter.

1.4.1 Risk Equation

Reducing risk can be accomplished either by increasing the effectiveness of the security system and/or operational system or by decreasing the consequences of an adversarial attack.
A relative estimate of risk is calculated for each identified critical asset using the following risk equation:

R = PA × (1 - PE) × C

where:
R = risk associated with the adversary attack
PA = likelihood of the attack
PE = probability the security system and/or the operational system (robustness) is effective against the attack
(1 - PE) = probability that the adversary attack is successful (also, the probability that the security system is not effective against the attack)
C = consequence of the loss from the attack.

It is important to recognize that in the RAM-WSM application of this risk equation to water utilities, the variables are not true probabilities, but qualitative values expressed in terms of low, medium, and high. This is due to the lack of performance-based probability data currently available. As water utilities implement improvements to lower the risks from malevolent attack, testing data may become available to better quantify the variables. Initially in the analysis the assessment team will determine these qualitative values, and later define and substitute numerical values between 0 and 1 for the variables. This conversion to a numerical scale, however, is done only for aggregation purposes and ultimately does not have any more absolute quantitative meaning than the three levels of high, medium, or low (there is no more granularity than the three levels of high, medium, or low). Note that the risk values that result from RAM-WSM are relative rather than absolute, because the parameters used to calculate risk (PA, PE, and C) are estimated and are based on engineering judgment and expert opinion. The comparison of risk on an asset-by-asset basis allows the water utility to clearly and systematically define and defend those facilities or assets that present the greatest relative risk(s) to the overall mission.
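The following is an added worked example, not code from the RAM-WSM report or from Sandia, of how the risk equation above is used for relative ranking: qualitative L/M/H ratings for PA, PE and C are mapped to numbers in [0, 1], R = PA × (1 - PE) × C is computed per asset, assets are ordered by R, and the two risk-reduction levers named in Section 1.4.1 (raising PE or lowering C) are compared against a baseline. The L/M/H-to-number mapping and the three sample assets are constructed assumptions; the report leaves the numeric values to the assessment team.

```python
"""Relative risk ranking with the RAM-WSM risk equation R = PA * (1 - PE) * C.

Added worked example (not from the RAM-WSM report). The L/M/H-to-number
mapping below is an assumption: the report says the assessment team defines
numeric values between 0 and 1 for aggregation, but does not fix them.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed mapping of the three qualitative levels to numbers in [0, 1].
# Constructed placeholder values, not values taken from the report.
LEVEL_VALUE: Dict[str, float] = {"L": 0.1, "M": 0.5, "H": 0.9}


@dataclass(frozen=True)
class AssetRating:
    """Qualitative ratings for one critical asset (each 'L', 'M' or 'H')."""
    name: str
    pa: str   # likelihood of attack
    pe: str   # protection and/or operational system effectiveness
    c: str    # consequence of the loss


def to_value(level: str) -> float:
    """Convert a qualitative level to its numeric value; reject anything else."""
    try:
        return LEVEL_VALUE[level.upper()]
    except KeyError:
        raise ValueError(f"rating must be one of L/M/H, got {level!r}") from None


def relative_risk(rating: AssetRating) -> float:
    """R = PA * (1 - PE) * C, using the assumed numeric mapping."""
    pa = to_value(rating.pa)
    pe = to_value(rating.pe)
    c = to_value(rating.c)
    return pa * (1.0 - pe) * c


def rank_assets(ratings: List[AssetRating]) -> List[Tuple[str, float]]:
    """Order assets by relative risk, highest first.

    The numbers only support ordering and aggregation; as the report
    stresses, they carry no absolute meaning beyond the three levels.
    """
    scored = [(r.name, relative_risk(r)) for r in ratings]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def risk_reduction(baseline: AssetRating, proposed: AssetRating) -> float:
    """Fraction of baseline risk removed by a proposed change.

    Section 1.4.1 names two levers: raise PE (protection or operational
    upgrade) or lower C (consequence mitigation). PA is fixed by the
    threat assessment, so a change to it is rejected here.
    """
    if proposed.pa != baseline.pa:
        raise ValueError("PA is set by the threat assessment; change PE or C")
    before = relative_risk(baseline)
    after = relative_risk(proposed)
    if before == 0.0:
        return 0.0
    return (before - after) / before


# Constructed sample: three hypothetical assets of a fictional utility.
SAMPLE_ASSETS = [
    AssetRating("chemical storage (chlorine)", pa="M", pe="L", c="H"),
    AssetRating("SCADA master terminal", pa="M", pe="M", c="M"),
    AssetRating("finished-water reservoir", pa="L", pe="M", c="H"),
]

if __name__ == "__main__":
    for name, r in rank_assets(SAMPLE_ASSETS):
        print(f"{r:.3f}  {name}")
    base = SAMPLE_ASSETS[0]
    upgraded = AssetRating(base.name, pa=base.pa, pe="H", c=base.c)
    print(f"raising PE from L to H on {base.name}: "
          f"{risk_reduction(base, upgraded):.0%} of relative risk removed")
```

With the assumed mapping the chlorine storage asset ranks first (R = 0.405) and raising its PE from L to H removes roughly 89% of its relative risk, which is the kind of asset-by-asset comparison the paragraph above describes.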
The ultimate goal should be to develop a balanced approach to understanding and managing risk.

1.5 TOOLS

This methodology makes extensive use of pairwise comparisons (screening tool), fault trees, consequence analysis, questionnaires, path analysis, and risk analysis. All tools and the associated examples have been specifically tailored for water utilities. However, the presentations in this report are generic and must be adapted to each specific water utility. All of the tools employed are discussed in either the body of the document or in the appendices. Many of the sections contain generic modules that may not apply to a specific water utility and thus can be eliminated at the outset. It is important to remember that this assessment provides a snapshot in time; the process must be revisited as threats change, facilities are upgraded, or operations are modified.

It is highly recommended that the assessment team and senior management be trained in the risk assessment methodology, and that a security professional, trained and experienced in performance-based security system design and risk assessment, guide the team through the initial application of the process. As the assessment team is trained and becomes proficient at applying the process, they will be able to complete updates and analyze proposed system changes in the conceptual stage without significant guidance.
2 DECISIONS AND RISK

RAM-WSM is a very systematic, thorough security risk assessment methodology designed to assist water utilities in making a determination about the risks from malevolent threats to the operations of a water utility. Along the way, many decisions will have to be made that will directly impact the final results. Decisions on the Design Basis Threat, the measures of consequence, and the priority mission objectives are difficult at best, but they are necessary to complete the assessment. There will always be adversaries beyond the capabilities of any water utility to defeat, so it is important to make improvements that bring the greatest returns.

Essentially, RAM-WSM begins with a clear statement of the performance requirements desired by the water utility for the security program. The rest of the process then determines the ability of the system to meet those performance requirements. Through a systematic analysis, the DBT is defined, the undesired events are determined, and the critical assets are identified whose compromise can bring about those undesired events. The existing security system effectiveness is evaluated. Worst-case paths for the adversary to cause undesired events are postulated and analyzed. The vulnerabilities identified are then used as input to create balanced protection against malevolent attacks. Once the information is collected, the risk analysis is performed to determine whether the performance requirements have been met. If the performance requirements have not been met, the choice has to be made to select more realistic requirements, mitigate consequences, or increase the effectiveness of the security system. It is important to remember that realistic system effectiveness can only be determined if the water utility has decided what level of threat it desires to defeat.
The overarching decision that must be made by the water utility management is how much risk is acceptable and how much risk reduction is enough (Figure 2.1). The decision process to reduce risk starts with the water utility's mission objectives. Using the pairwise ranking of mission objectives, the water utility can address the operations showing the greatest risks that affect the most important mission objectives. For example, if public safety is the most important mission objective, then lowering the potential consequences from catastrophic release of chemicals may be the area of greatest risk and the first candidate to investigate. Using a priority ranking system allows the water utility to invest in risk reduction in a systematic manner in line with the mission objectives and provides clear documentation of the decision-making process.

Water utilities will always face a multitude of risks. Security is one more business risk that must be considered and addressed. The lack of historical data on high-consequence, low-probability events makes the analysis challenging and requires that hard decisions be made. How much is enough? That question will have to be answered by each individual water utility.

[Figure 2.1 is a diagram; only partial labels survive extraction: What's important? (Mission); Decisions: What to protect against? (PA); Operational; R; trade-off.]

Figure 2.1. Decisions and Risk: How Much Is Enough?

3 PLANNING FOR SECURITY RISK ASSESSMENTS

[Waterfall Flow Diagram - Process Locator (diagram; box labels only): Purpose, Objective; Prioritize Facilities; Design Basis Threat; Likelihood of Attack (PA); Prioritized Critical Assets (C); Protection and Operating Systems (PE).]

3.1 MANAGEMENT ROLES AND RESPONSIBILITIES

Due to the interactive and iterative nature of the RAM-WSM, certain responsibilities will be placed on the water utility management team. The methodology involves both an initial assessment phase and a long-term iteration phase. The initial assessment characterizes the current state of security risk for the water utility, and the long-term phase accommodates the dynamic nature of the threat as well as physical/operational changes to the water utility. The initial assessment is guided and analyzed by either an internal assessment team or an agency/contractor, but in the long term, the water utility's management must ensure that the process is effectively utilized, implemented, and maintained.

If the management of a water utility is to be effective in the pursuit of a secure operating environment, it must be willing to commit to and lead the necessary changes. As a part of this commitment, someone in the organization (i.e., senior management) must have the overall responsibility, authority, accountability, and ownership of security for the entire water utility. The individual(s) assigned the responsibility should be willing and able to take on the long-term iterative responsibility of the RAM-WSM.

Management's input will be required to successfully complete the initial assessment phase of the RAM-WSM. A team of water utility employees must be identified and assigned to participate in the process from start to finish. This assessment team should consist of at least one management-level representative, one or two highly experienced and knowledgeable senior staff members, a SCADA expert, and several operator-level employees.
If existing water utility personnel do not have experience with risk management and security assessment, the assessment team should consider hiring or acquiring this expertise for the initial assessment phase. The entire assessment team should be provided with the opportunity to receive the RAM-WSM training. It would be helpful for management to receive a high-level training session on the methodology as well.

The assessment team must complete several steps crucial to the process in the early stages of the assessment, including prioritization of mission objectives, mission-weighted prioritization of facilities, determination and characterization of the DBT, and the formulation of the consequence matrix. Water utility personnel also need to research and provide extensive system documentation and to facilitate coordination with other related local agencies (law enforcement, city government, etc.). It is highly recommended that the security assessment team secure the buy-in of the entire water utility management team on prioritization of the mission objectives, the mission-weighted prioritization of facilities, the consequence matrix, and the DBT before proceeding. This information is critical to the process and will drive the outcome of all the remaining steps.

In the final stages of the assessment, the water utility management will be presented with a comprehensive draft report that characterizes the risk spectrum. The draft report includes many tables, details, and recommendations that rank the relative risks currently faced by the water utility. This report should be reviewed by the appropriate management and staff and then critiqued for accuracy. This feedback is then incorporated into the final report.

The management team should oversee the development and implementation of an action plan based on the risks described in the final report.
The implementation plan should also include a provision for the long-term iterative application of the RAM-WSM process. Management must make several major decisions about the approach and risk mitigation philosophy prior to the development of the final implementation plan. These decisions center on a trade-off analysis between various constraints including:

• The implementation schedule and priorities,
• Operational constraints,
• Aesthetic constraints,
• The risk exposure comfort level,
• The resources available to achieve the desired results, and
• Costs of any upgrades to the system.

A critical part of the methodology will require the assessment team to look for ways that an adversary could exploit the assets of the water utility to cause a Weapons of Mass Destruction (WMD)-type event. Examples of these WMD-type events include flooding or hazardous release of water treatment chemicals. The ability of the adversary to cause high numbers of deaths and injuries to the public and how this might be accomplished should be fully understood by the water utility. Management of the water utility should be made fully aware of the consequences of these types of events and consider actions to reduce the risks associated with them before considering other risk reduction measures. Because the consequences are so high, WMD-type events should be considered at threat levels even beyond the DBT (i.e., the threat level management decides the system should protect against). While it may not be possible to protect against or mitigate such an event, the water utility management must still recognize the risk. Such situations may generate concerns beyond the sole responsibility of the water utility.
For example, if reliable intelligence were obtained on a potential adversary planning to cause a WMD-type event at a water utility, extreme emergency measures such as posting of the National Guard may be necessary until the threat level changes or until the water utility can effect a change in operations to eliminate or minimize the event.

3.2 PROJECT MANAGEMENT

A security risk analysis undertaken for a water utility is a limited-time project. Using project planning concepts to plan the analysis will provide a great deal of assistance to the project leader and the assessment team by ensuring that essential work is conducted and management's requirements and expectations are met. Planning is an important part of a successful analysis, but the amount of time and resources the assessment team spends will depend on the size and complexity of the analysis and the complexity of the water utility itself. Sufficient time spent up front determining management's expectations is a requirement for a successful analysis. Appendix B describes some basic project management concepts for planning and conducting a security risk assessment. Appendix B also provides estimated times for completion of each step of the process.

3.2.1 Assessment Team Selection

As noted in Section 3.1, several individuals with differing skills and knowledge of the water utility form the optimal assessment team to successfully complete the security risk assessment (see Appendix B for greater detail). Because it is important to understand how requirements are actually implemented, versus how some might perceive the requirements to be implemented, the assessment team must cut across all levels within the organization.
Understanding the nuances and numbers of employees on site during different shifts, on weekends and holidays, as well as how the water utility controls the access of visitors, contractors, and vendors, are all very important. The team may want to consider including personnel from interdependencies (e.g., wholesalers, power utilities, etc.).

It is suggested that the assessment team oversee the entire process through the completion of the recommended upgrades. Individuals selected for the assessment team will identify and understand vulnerabilities within the system; therefore, management must be comfortable with the assessment team members possessing this sensitive information.

The assessment team must ensure that information gathered from employees and contractors during interviews is protected and that no retribution occurs against anyone participating in the process. In order to gather credible data and information, employees and contractors should feel comfortable in describing actual vulnerabilities that exist. It is crucial that information on actual operations be gathered because security is dependent on policies and procedures as well as technology. Through experience with multiple water utility assessments, it has been found that employees often have knowledge of critical vulnerabilities that may not be obvious to others.

The assessment team will gather sensitive information throughout the process. A document control plan should be developed and approved for how to control all documentation gathered and generated. The following issues should be addressed:

• Distribution of plans, operational data, and other descriptive material.
• Distribution of all documents created in association with the assessment.
• Marking of all documentation including numbering, stamping, and assigning responsibility.
• Review of State Freedom of Information Act (Sunshine Laws) to avoid having to publicly disclose sensitive information.
• Approval by appropriate legal authorities of the document control plan.
• Level of access to the information granted to contractors and the types of information they may access.
• Control of all information including transmission, copying, locking up (controlling), and ultimately disposing.
• Control of all SCADA documentation including network diagrams, configuration procedures, access control lists, etc.

The final report will explicitly detail major vulnerabilities and the associated consequences if compromised and should be carefully controlled. Another item for the assessment team to discuss is whether or not to make sensitive information available to third parties that may work closely with the water utility. This would include contract guard services, maintenance contractors, vendors, etc. Levels of information protection and access should be determined for all third-party services.

The RAM-W process requires certain steps to be completed in order. Assumptions and decisions made at every major step of the process need to be communicated, agreed to, and documented. This documentation is required input in later stages of the assessment. When the final results are determined, a complete, logical document trail leading to the final results and recommendations should exist.

3.2.2 Document Facility Operations

Understanding and documenting the operations of the water utility is one of the first activities the assessment team will undertake.
The following is a partial list of facility operations that should be described and documented; this list will change depending on the assets of the water utility:

• Population served including a list of critical and noncritical customers,
• Inventory of hazardous chemicals,
• Process diagrams of the entire operation,
• High and low demand water delivery rates for all major systems and subsystems,
• Description of all water sources, treatment facilities, pumping stations, storage facilities, and the distribution system,
• SCADA system description,
• Security system diagrams,
• Interdependencies (e.g., electrical, SCADA, wholesalers, etc.),
• Other as necessary.

The goal is to create an inventory of the major facilities and assets of the water utility. This information will be used in Section 3.4 to prioritize the facilities for security risk assessment.

3.3 DEFINE AND PRIORITIZE MISSION OBJECTIVES

Before proceeding with the next step of the process, it is important for the assessment team to identify the water utility's mission objectives. The mission objectives will be used in several parts of the assessment and later in risk analysis and risk reduction. First, the mission objectives will be prioritized to understand the most critical function(s) of the water utility. This will help focus on which assets to assess and will be an important consideration when the risk reduction goals are being developed. The initial risk reduction efforts should begin with those necessary to support the most important mission objective. This will help the water utility receive the greatest return for its security investment.
The mission objectives might include all or some subset of:

• Supply potable water
• Distribute water
• Ensure public safety
• Treat water for consumption
• Provide adequate water supply for fire protection

Next, the prioritized mission objectives will be used as weighting factors to determine the critical facilities and/or assets within the water utility. Budgetary constraints will prevent the water utility from lowering risk everywhere in the operation at once, so prioritizing the facilities helps determine where to begin. Section 3.4 describes the pairwise comparison process and provides a completed example.

3.4 SCREENING (FACILITY PRIORITIZATION)

An important step in RAM-W is the screening/prioritization process. A pairwise comparison tool allows water utilities to prioritize the myriad facilities that may be spread over a large geographical area. The assessment team starts by reviewing a process diagram of the entire water utility. The goal is to determine the critical facilities (assets) from a high-level perspective. Facilities to include would be major treatment plants, major pump stations (both before and after treatment), major storage facilities, critical wells, critical pipelines, and critical reservoirs. The goal is not to create a 1 through nth priority ranking, but rather to understand which facilities are essential to water system operation. It is an attempt to determine the absolute minimum number of facilities that must remain operational to ensure the water utility's mission objectives are achieved.

For large, complex water utilities, the assessment team may want to consider using "tiers" of assets during the facility prioritization. Placing all the assets into one pairwise comparison matrix can become difficult due to the large number of assets. Lower-importance assets will generally be rated low and may be overlooked.
A pairwise comparison for each "tier" of water utility assets could be done to identify which facilities within each tier group are most critical to the mission. For example, a large water treatment facility that supplies a large percent of the treated water for the entire water utility will generally rank much higher than a small finished water storage tank out in the distribution system. Using tiers of assets allows for easier accounting and also facilitates grouping of like assets. Separating facilities through a tiered approach will keep the smaller facilities from being completely overshadowed during the pairwise comparison and thus allow the assessment team to clearly identify which facilities in each tier are most critical. Continuing the example from the previous paragraph, grouping all the storage tanks in the distribution system is a natural pairing and allows comparison of like assets. The assessment team can then easily determine which storage tanks are more critical than others. All this analysis can be accomplished via one matrix, but accounting for all the pairwise comparisons can be tedious and may not add much value.

The facility prioritization step is important for another reason. This step allows the water utility to assess the operations from a "systems" perspective. The remaining sections of the methodology will look at successively lower levels of detail, but this step helps the assessment team understand the big picture. Important questions should be asked at this point such as:

1. What is the minimum flow required in an emergency situation?
2. If more than one source exists, what is the minimum number that must remain operational to meet the water utility mission objectives?
3. Are there redundant paths to treat or deliver water, and if so, how many are absolutely necessary?
4. Are some paths through the operation more exposed than others?
5. Are some paths more important than others?
6. Are there critical customers?
7. What is the minimum flow required for critical customers?
8. Are there single points of failure?

The assessment team should understand the big picture before proceeding to lower levels of detail. Through the pairwise comparison, the assessment team might decide not to include some less-than-critical facilities/assets for further analysis. For example, a systems analysis might point to the fact that the water utility primarily relies on surface water, but has a few wells for peak demands during the summer months. The wells have very limited capability and investing security dollars to protect them would result in very little risk reduction. The assessment team might only review the wells to ensure that reasonable steps have been taken to protect those assets and also to ensure that they were screened for WMD-type events. At that point, the assessment team might decide not to consider the wells any further in the analysis. This is the type of information that can be gleaned from the facility prioritization.

The prioritization will help the assessment team focus on those parts of the operation that must be functional for the water utility to meet the mission objectives. The facility prioritization information will be used to help prioritize risk reduction measures and will be used as a starting point in the fault tree analysis. The fault trees, described in Section 5.4, are developed to describe the entire system, at least at a high level. The fault trees will help identify any potential WMD-type events and critical assets at the water utility that did not come out of the facility prioritization. If any potential WMD-type events are found, they should be included in the analysis. Also, the fault tree can be developed in more detail wherever necessary, allowing for more in-depth analysis than the facility prioritization.
To prioritize the major facilities, a simplified pairwise comparison is used. Two or more facilities are compared using stated criteria (based on the mission objectives) in a structured way, resulting in a relative ranking of the facilities. The facilities are ranked in the context of each criterion using a comparison scale described in detail in Appendix C. In the following section, an example water utility is introduced, which will be used throughout this document, and a pairwise comparison completed.

3.4.1 Example Water Utility

The following example water utility will be used throughout this document to illustrate key concepts and points. A detailed description of the water utility is given in Appendix A. The water utility serves a population of 250,000 people. This is a surface and ground water utility. There are three water treatment facilities (Figure 3.1), two with integral pump stations and storage. One treatment facility is fed by wells. There are two major pump stations in addition to the two integral pump stations at the treatment plants.

[Figure 3.1. Example Water Utility. Schematic of the example system (Well #1, intake, Treatment Plants #1, #2 and #3 with integral storage and pump stations, Pump Stations #1 and #2, and the distribution system), annotated with each facility's capacity, storage, percentage of geographical area reached, share of customers served, critical-customer service, and treatment capability. Total daily demand = 100 mgd; the remaining per-facility annotations are not legible in the scan.]

3.4.2 Screening (Facility Prioritization) for Example Water Utility

For the example water utility four main mission objectives were identified (see Appendix C for more details):

1. Provide sufficient fire-fighting flows (capacity)
2. Serve (critical customers)
3. Greatest geographical service possible (geographical extent)
4. Provide potable water (water quality)

These mission objectives are placed into a pairwise matrix and compared against one another. The pairwise criteria for comparison are shown in Table 3.1.

Table 3.1. Values for Ranking Criteria in Pairwise Comparison

Importance of Item One Relative to Item Two | Importance of Item Two Relative to Item One
much greater than (5) | much lower than (1)
greater than (4) | lower than (2)
the same as (3) | the same as (3)
lower than (2) | greater than (4)
much lower than (1) | much greater than (5)

The outcome of the analysis for the example water utility is shown in Table 3.2. Further details of the pairwise process and the final outcomes are contained in Appendix C.

Table 3.2. Mission Objective Comparison for the Example Water Utility System

[Table 3.2 is not legible in the scan.]

As can be noted in Table 3.2, the most important mission objective for the example water utility is to provide sufficient fire protection (capacity), followed by the ability to reach the greatest geographical extent.
Service to critical customers is ranked third. Finally, water quality ranks lowest. The rankings in Table 3.2 are then used to complete a pairwise comparison of the major components (i.e., facilities) of the water system.

For the example water utility, the assessment team decided to include the following major facilities in the pairwise comparison:

• Treatment Plant 1
• Treatment Plant 2
• Treatment Plant 3
• Pump Station 1
• Pump Station 2

To begin the process of prioritizing the facilities, the facilities are compared for each of the criteria (mission objectives). A separate matrix is used for each criterion (see Appendix C for the complete pairwise comparison). For the example water utility, the criterion of "capacity" was used to compare the facilities (Table 3.3).

[Table 3.3 is not legible in the scan.]
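The mission-weighted pairwise comparison of Sections 3.3 and 3.4.2 in runnable form, added here as an illustration; it is not code from the RAM-W report or its Appendix C. It assumes the reciprocal rule of Table 3.1 (the mirrored comparison is 6 minus the score), takes each objective's weight as the row sum of the objective matrix and each facility's weighted score as its row sum under that objective times the weight, and uses constructed scores rather than the Appendix C values; `build_matrix`, `validate_matrix` and `prioritize_facilities` are names chosen for this example.

```python
"""Mission-weighted pairwise comparison for facility screening (RAM-W Section 3.4).

Added illustration; not code from the RAM-W report or its Appendix C.
Assumptions: Table 3.1 scale 5/4/3/2/1 with the mirrored comparison equal to
6 - score; an objective's weight is the row sum of its pairwise matrix; a
facility's score under an objective is its row sum in that objective's matrix
times the weight, and "Sum" is the total over objectives (Appendix C's exact
weighting is not reproduced).  All scores below are constructed for illustration.
"""
from itertools import combinations

SCALE = (1, 2, 3, 4, 5)  # Table 3.1 values

OBJECTIVES = ["Capacity", "Critical Customers", "Geographical Extent", "Water Quality"]
FACILITIES = ["Treatment Plant #1", "Treatment Plant #2", "Treatment Plant #3",
              "Pump Station #1", "Pump Station #2"]

# Upper-triangle scores in combinations(items, 2) order.  For OBJECTIVES that is
# (Capacity vs Critical Customers), (Capacity vs Geo Extent), (Capacity vs WQ),
# (Critical Customers vs Geo Extent), (Critical Customers vs WQ), (Geo Extent vs WQ).
OBJECTIVE_SCORES = [4, 4, 5, 2, 4, 4]
# Facility pairs: (TP1,TP2) (TP1,TP3) (TP1,PS1) (TP1,PS2) (TP2,TP3)
#                 (TP2,PS1) (TP2,PS2) (TP3,PS1) (TP3,PS2) (PS1,PS2)
FACILITY_SCORES = {
    "Capacity":            [2, 5, 4, 2, 5, 4, 3, 2, 1, 2],
    "Critical Customers":  [2, 3, 2, 3, 5, 3, 4, 1, 2, 4],
    "Geographical Extent": [2, 2, 2, 2, 3, 4, 3, 3, 3, 2],
    "Water Quality":       [3, 4, 5, 5, 4, 5, 5, 4, 4, 3],
}


def build_matrix(items, upper_scores):
    """Expand upper-triangle scores into a full {(a, b): score} matrix, filling
    the mirrored entry with 6 - score as Table 3.1 requires."""
    pairs = list(combinations(items, 2))
    if len(upper_scores) != len(pairs):
        raise ValueError(f"expected {len(pairs)} scores, got {len(upper_scores)}")
    matrix = {}
    for (a, b), score in zip(pairs, upper_scores):
        matrix[(a, b)] = score
        matrix[(b, a)] = 6 - score
    return matrix


def validate_matrix(matrix, items):
    """Return Table 3.1 violations: missing comparisons, off-scale values, or
    mirrored entries that do not add up to 6.  An empty list means the matrix is OK."""
    problems = []
    for a, b in combinations(items, 2):
        if (a, b) not in matrix or (b, a) not in matrix:
            problems.append(f"missing comparison: {a} vs {b}")
            continue
        s_ab, s_ba = matrix[(a, b)], matrix[(b, a)]
        if s_ab not in SCALE or s_ba not in SCALE:
            problems.append(f"off-scale value for {a} vs {b}: {s_ab}/{s_ba}")
        elif s_ab + s_ba != 6:
            problems.append(f"inconsistent pair {a} vs {b}: {s_ab} and {s_ba}")
    return problems


def row_sums(matrix, items):
    """Each item's total score against every other item (the table's row sum)."""
    return {a: sum(matrix[(a, b)] for b in items if b != a) for a in items}


def rank(scores):
    """Rank 1 = highest score; ties fall back to name order so output is stable."""
    ordered = sorted(scores, key=lambda k: (-scores[k], k))
    return {k: i + 1 for i, k in enumerate(ordered)}


def prioritize_facilities(objectives, objective_scores, facilities, facility_scores):
    """Section 3.4.2 procedure: weight the objectives, score every facility under
    each objective, and rank facilities by weighted Sum.  Returns
    (objective_weights, table); table[facility] holds the weighted score per
    objective plus "Sum" and "Rank".  Raises ValueError on a Table 3.1 violation."""
    obj_matrix = build_matrix(objectives, objective_scores)
    problems = validate_matrix(obj_matrix, objectives)
    weights = row_sums(obj_matrix, objectives)
    table = {f: {} for f in facilities}
    for obj in objectives:
        matrix = build_matrix(facilities, facility_scores[obj])
        problems += [f"[{obj}] {p}" for p in validate_matrix(matrix, facilities)]
        for f, s in row_sums(matrix, facilities).items():
            table[f][obj] = weights[obj] * s
    if problems:
        raise ValueError("; ".join(problems))
    for f in facilities:
        table[f]["Sum"] = sum(table[f][obj] for obj in objectives)
    for f, r in rank({f: table[f]["Sum"] for f in facilities}).items():
        table[f]["Rank"] = r
    return weights, table


def print_table(weights, table, objectives=OBJECTIVES):
    """Print the summary in the layout of the report's facility comparison table."""
    print("Objective weights:", weights)
    print(f"{'Facility':20}" + "".join(f"{o[:10]:>12}" for o in objectives) + f"{'Sum':>7}{'Rank':>6}")
    for f, row in sorted(table.items(), key=lambda kv: kv[1]["Rank"]):
        print(f"{f:20}" + "".join(f"{row[o]:>12}" for o in objectives) + f"{row['Sum']:>7}{row['Rank']:>6}")


if __name__ == "__main__":
    w, t = prioritize_facilities(OBJECTIVES, OBJECTIVE_SCORES, FACILITIES, FACILITY_SCORES)
    print_table(w, t)
```

With the constructed scores the objective weights come out as capacity 13, geographical extent 10, critical customers 8 and water quality 5, the same order the text gives for Table 3.2, and a matrix whose mirrored entries do not add to 6 is rejected before any ranking is produced.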
[Facility comparison summary for the example water utility; the table number and column headings are illegible in the scan, and the four score columns are assumed to follow the order in which the mission objectives are listed above.]

Facility | Capacity | Critical Customers | Geographical Extent | Water Quality | Sum | Rank
Treatment Plant #1 | 143 | 99 | 80 | 108 | 430 | 3
Treatment Plant #2 | 221 | 144 | 80 | 108 | 553 | 1
Treatment Plant #3 | 52 | 27 | 160 | 84 | 323 | 5
Pump Station #1 | 156 | 117 | 80 | 30 | 383 | 4
Pump Station #2 | 208 | 153 | 80 | 30 | 471 | 2

Once the prioritized list of facilities is completed, the assessment team should determine how far down the list to go with the initial security risk assessment based on available resources and management input. As assessments and upgrades are completed at the most important facilities, the assessment process will continue down the prioritized list. A trade-off analysis should be completed as the assessment team moves down the list to determine whether to continue making upgrades at a particular facility or to consider the next facility on the list. Each new project should be the highest priority determined by the security risk assessment. Some minimum level of security will most likely be undertaken at all facilities, so following a prioritized process does not mean that lower consequence facilities are simply ignored.

3.5 DEFINING RISK REDUCTION GOALS

RAM-W provides a systematic structure to estimate relative levels of risk due to malevolent threats. This information will be used for decision-making in implementing system upgrades to reduce risks deemed unacceptable to the water utility. Early on, the assessment team should discuss and document the goals for the upgraded security system. The protection goal(s) may be to:

1. Deter the adversary.
2. Prevent the adversary from causing undesired event(s) (i.e., disrupting the mission objectives).
3. Detect the adversary and mitigate the consequences of the attack.
4. Protect employees.
5. Collect information for later prosecution.
6. Increase redundancy in the operations.
7. Eliminate single points of failure in the system.

Note that only Goals 2, 3, 4, 6, and 7 actually reduce the risk value by either increasing protection system effectiveness or reducing consequences in the risk equation. Goal 5 may reduce risk in the future by reducing the incidence, but this likelihood is difficult to predict and measure. Deterrents may work, but the ability to lower the risk is unknown and hard to quantify without the event actually happening. Each increased level of protection has an associated cost; therefore, protection goals may be resource-constrained. It is important to be specific and refer to the defined goals throughout the security risk assessment process, particularly when discussing upgrades. The assessment team must constantly review the protection goals of the assessment. To reduce the risk, it is strongly recommended to improve the system effectiveness and/or design consequence mitigation measures that will stop an adversary from achieving his/her objective (i.e., prevent the undesired event) with a high likelihood of success. Each water utility will need to decide where to set the bar for preventing undesired events.

4 UNDERSTANDING THE THREAT

[Waterfall Flow Diagram - Process Locator: Planning, Purpose, Objective; Prioritize Facilities; Design Basis Threat; Likelihood of Attack (PA); Prioritized Critical Assets (C); Protection and Operating Systems (PE); Proposed Upgrades.]

4.1 THREAT ASSESSMENT

A threat assessment helps identify and describe the types of adversaries (malevolent persons or groups) that may try to prevent a water utility from performing one or more of its mission objectives. This chapter provides guidance that can be used to develop a definition of threat, known as the Design Basis Threat or DBT, for a water utility. The choice of DBT is an important part of the assessment as it drives the determination of critical assets during the risk analysis. The DBT, which is comprised of the numbers of adversaries, their capabilities, and their tools, should be carefully researched and discussed before undertaking the assessment. Choosing an unrealistically high DBT will result in high risks throughout the system and will not show any discrimination in the importance of various assets. Conversely, choosing an unrealistically low DBT will simply show little or no risk to the water utility. During the risk analysis, the existing security and/or operation systems are evaluated to determine their effectiveness at defeating the DBT. Collecting threat information, organizing it, evaluating it, and using it to determine which threat a particular water utility may encounter forms the basis of the threat assessment. This threat information will also be used to develop adversary strategies and scenarios.

4.2 DESIGN BASIS THREAT

To begin, the assessment team will want to consider all potential threat levels (e.g., mischievous vandals up to sophisticated terrorists), even those considered "outside the box."
The assessment team must acknowledge that extremely high threat levels exist and there is little the water utility can do to defeat these threats. However, it is strongly recommended that the water utility complete the assessment with a terrorist-level threat to understand system vulnerabilities due to high-level threats. Only considering lower-level threats may result in exclusion of high-consequence targets that could have devastating impacts to the water utility if compromised. After gathering information on all potential threats, the assessment team begins to develop the conceptual threat (Figure 4.1). This is the threat level that the water utility would ideally like its system to defeat if there were no constraints. The next step in the threat assessment involves reviewing operational (safety, legal, etc.) constraints during the site characterization phase, and their impact on the ability of the water utility to lower risk. The conceptual threat is then modified based on these constraints. This will likely be an iterative process, as the assessment team will be working with incomplete information until the risk analysis is finished. Some of the constraints will not be fully understood until critical assets are identified and attempts are made to lower risk. When the analysis is complete (see Figure 4.1), the water utility may discover that they only have resources to design against a very low threat level. Ultimately, the DBT is a management decision and may or may not reflect threat information collected. This in no way diminishes the importance of gathering threat information, but recognizes that real constraints may prevent the water utility from achieving the level of security desired.

The DBT is the maximum credible threat to which a water utility will design its security and operational systems.
Once established, the DBT should be protected as sensitive information, approved by management, reviewed periodically, and updated as necessary. Figure 4.1 demonstrates the iterative nature of the DBT development that occurs throughout the assessment.

[Figure 4.1. Screening Process for Developing the DBT. Flow: Extremely High Threat; Screening; Facility Characterization (review of operational, legal, etc. constraints); Modified Threat; Risk Analysis; Modified Threat; DBT.]

4.3 CATEGORIES OF ADVERSARIES

Before time is spent collecting information, it is important to decide what kind of data is needed to complete a definition of threat for a water utility. Generic descriptions of potential insider and outsider adversaries are listed below. In the next few sections, additional information is provided about the types of adversaries that the water utility may want to consider as the DBT is developed.

4.3.1 Categories of Outsiders

Listed below are broad categories of outsider adversaries:

• Vandals
• Protesters
  o Demonstrators
  o Activists
  o Extremists
• Terrorists
• Criminals
• Computer hackers

Vandals generally intend to damage or steal property, but are not motivated to risk their lives or gather intelligence data about the water utility operations. The protester group has different kinds of people with different motivations, most of whom are no threat to the water utility. The largest percentage of protesters is the demonstrators; these are well-meaning people who are generally led into the protest by leaders with specific agendas. The activists will generally use force and do some active thing to cause physical damage. The innermost group may be a hard-core group of extremists whose intention is to stop critical operations to which they object. They tend to be well trained and well supported, and may be armed with weapons and explosives. Terrorists are often well funded and well trained, and they may be willing to die for their cause. They may spend a significant amount of time studying the operations of a potential target before executing an attack. Criminals tend to work in small groups (usually one). The cyber hacker and other levels of cyber threats will be addressed in Section 4.6. When developing the threat, collusion must also be considered: the outside adversary working with an insider (who can assume either a passive or active role).

4.3.2 Categories of Insiders

Listed below are broad categories of insider adversaries:

• Betrayal (criminal)
• Revenge
• Abnormal behavior (psychotics)
• Terrorist insider
• Coercion

The criminal betrays the trust shown by the water utility by hiring him/her and allowing unescorted access. Revenge is a situation in which an employee or contractor causes damage because he/she is angry about something. Psychotics are people who simply do not know right from wrong. The terrorist insider intentionally gets hired by the water utility in order to build trust and get access to inside operations. Coercion occurs when an employee or contractor is forced into causing damage (e.g., family members are held hostage, blackmail, etc.).

4.3.3 Contamination Threat

The contamination threat is a difficult issue to assess due to the large number of scenarios that could be postulated. The EPA, in its guidance document available to water utilities (not publicly available) through the Water Information Sharing and Analysis Center (ISAC), describes this threat in some detail (see for information on the ISAC).
Additionally, the EPA, in cooperation with the Centers for Disease Control, Sandia, industry associations, and others, created a State of the Knowledge document (controlled) to understand the range of contaminants and their possible uses. Literally thousands of chemicals, biological agents, and radiological agents are available to the adversary. Many of them would not be a threat to the water supply for a variety of reasons. However, depending on the capabilities of the DBT, the potential exists to contaminate even the largest water utility system. Each water utility will have to decide how far to pursue the contaminant analysis. Unfortunately, for many of the agents that could be used, testing data are not available to characterize the threat. In their guidance document, the EPA recommends using existing measurement techniques (Total Organic Carbon, Chlorine Residual, etc.) to monitor the quality of the water throughout the system. This will help detect some of the potential contaminants, but information is available that suggests they will miss several that are of concern. Real-time monitoring equipment that will provide timely warning does not exist and will not likely exist for many years. Without timely detection, the water utility will probably be unaware of an intentional contamination event.

During the security risk assessment, the assessment team should evaluate the potential for intentional contamination throughout the system. If the water source is very large, it is unlikely that chemicals could be used as a contaminant due to the large amounts required. However, some of the biological agents might still be of concern. Effective filtering, disinfection, and advanced treatment techniques such as ultraviolet light and ozonation will greatly lower the risk from biological agents.
Different types of treatment processes provide varying levels of protection against certain classes of contaminants. See the guidance document referenced above for further detail. The assessment team may decide that upstream from the treatment facilities would be a low risk, depending on the size of the water demand and the types of treatment employed. Post treatment is obviously a more vulnerable location. Most water utilities of any size have thousands of access points into the distribution system that an adversary could potentially exploit. This is a high-risk part of the operation and will likely stay at that level for the foreseeable future. Water utilities should take appropriate action to secure the parts of the distribution system that provide easy access for an adversary, especially storage reservoirs, as they provide an atmospheric pressure water surface.

Modeling and simulation efforts under way to understand contaminant fate and transport in the distribution system indicate the risk of human effects due to a contamination event could be lowered with early warning systems, but will never reach levels the public will accept. The number of instruments required and the ability to immediately react are both barriers to effectively dealing with contamination. See the Congressional Testimony from Jeffrey J. Danneels, Sandia National Laboratories, for additional thoughts on how to lower the risk from intentional contamination. The November 14, 2001, testimony is available at .

4.4 INFORMATION GATHERING

To determine the levels of threat that might exist, information can be sought for regional, national, and international threats. The extent of the effort is dependent on the mission and location of the water utility.
Ideally, an assessment team member with a law-enforcement background will have the primary responsibility for gathering and organizing information about individuals or groups that might pose a threat to the water utility. Threat information is acquired by interviewing employees, managers, and law enforcement agencies, and by performing literature searches. Trends or indications that the level of threat may increase in the future (e.g., increasing dissatisfaction with the union/management relationship) should be noted. Sources to be searched include:

• Incident reports, unusual occurrence reports, criminal reports, intelligence reports, and other historical data associated with water utilities or similar operations.
• Employee data on union disputes, employee conflicts/violence, expressed threats, etc.
• Internet, industry associations, professional journals, or other sources of data.
• Government directives and legislation.

Groups to be contacted include:

• Local law enforcement
• State/regional law enforcement
• Local/state offices of emergency management
• Local/state offices of counter-terrorism
• Federal law enforcement (Federal Bureau of Investigation)
• Local InfraGard
• EPA Water Security Task Force (developed and made available guidance on various types of threat)
• Industry associations such as AwwaRF (compiled information on past security incidents at water utilities)
• Water Information Sharing and Analysis Center, operated by AMWA (to start operations at the end of 2002), database on threats and security incidents
• Department of Homeland Security

4.5 THREAT ATTRIBUTES

Tables 4.1 through 4.3 in this chapter describe what information to collect about outsider and insider threat attributes and provide an integrated example for the example water utility.
As the various parts of the water utility are being reviewed, the ability of the adversary to damage and/or destroy assets is dependent on the attributes captured during the threat assessment.

4.5.1 Outsider Threat Attributes

When considering the outsider the following list of attributes will help to define the threat:

• Incidents (historical)
• Targeting
• Motivation
• Expected number
• Tactics (force, stealth, or deceit)
• Equipment
• Weapons
• Explosives
• Transportation
• Intelligence gathering means
• Technical skills and knowledge
• Financial resources and sources
• Potential for collusion with insider

Historically speaking, the hardest attribute to agree upon is the "expected number." As the assessment team deliberates, they will have to define each threat category based on these attributes. Table 4.1 is a water system threat analysis worksheet completed for the example water utility (Appendix A) and is based on a terrorist-type threat. The worksheet lists the type of information required to describe the outsider threat. This information will later be used to develop adversary strategies and scenarios and evaluate system effectiveness for these scenarios. In Appendix D several outsider examples are included for consideration. In addition, definitions for the low, medium, high, and very high outsider threats are presented. These examples are the starting point for a threat assessment and will require further development by the assessment team.

Table 4.1. Completed Water System Outsider Threat Analysis Worksheet for the Example Water Utility

Utility: Example Water Utility | Date: May 15, 2002 | Recorded by: I. Drinkwater
Adversary: Terrorist | Is this a continuation sheet: [ ] Yes [X] No

Description | Information
1. Incidents (historical) | International, none in the US
2. Has the adversary targeted the water utility or a similar (nearby) facility? | No (but FBI information exists for a potential occurrence)
3. Motivation (ideological, economic, or personal) | Ideological
4. Expected number of adversaries | 3
5. Tactics | Destruction of assets to disrupt water
6. Equipment | Power tools, hand tools, bolt cutter
7. Weapons | Handguns, small automatics
8. Explosives | Explosives (5 lb or less)
9. Transportation | Car/truck, 4 x 4, ATVs
10. Intelligence gathering means | Websites, publications, public literature, might have taken tour of facility
11. Technical skills and knowledge | Limited knowledge of security system and water processing facility, some cyber capabilities
12. Financial resources | Well funded
13. Potential for collusion with insider | Potential exists (no background checks conducted on employees)

The assessment team will complete this worksheet for each potential category of outsider adversary (see Appendix D for a blank form of the worksheet). This is the kind of information that the assessment team will collect, organize, and analyze so that it can make an informed decision about the outsider threat.

4.5.2 Insider Threat Attributes

When considering the insider the following list of attributes will help to define the threat:

• Identify insider positions (i.e., positions,
not people)
• Potential for active or passive role
• Access to critical assets (including the SCADA system)
• Access to security system

Identifying the potential insider threats of concern is accomplished by systematically evaluating the access to critical assets of each position (e.g., the guards, the maintenance people, the plant manager, the mechanical operator, SCADA administrator, etc.) within the water utility. These positions may be grouped together, as many of the employees have the same level of access authority. This process requires the assessment team to list the types of positions (not individual people) that have access to critical facilities and assets. Each of the positions that have unique access authority will have to be evaluated based on all the attributes. A passive insider will only give information (e.g., operational, security, utility maps, etc.), whereas an active insider will actively participate somehow in the attack (they could be violent or nonviolent). For example, an active insider will open a valve, door, or gate, cut a wire, place explosives, plant weapons, etc. Table 4.2 lists the types of insider positions at the facility and summarizes part of the information needed to address the capabilities of the insider threat. Table 4.3 lists the type of information required to describe the insider. Both these tables are completed for the example water utility (Appendix A). The worksheet in Table 4.3 is specifically completed for the Control Room Operator as a potential insider threat.

Table 4.2. Example of a Completed Water System Insider Threat Analysis Worksheet, Part 1, for the Example Water Utility

Utility: Example Water Utility | Date: May 15, 2002 | Recorded by: I. Drinkwater
Adversary: Insider | Is this a continuation sheet: [ ] Yes [X] No

List insider positions of concern:

• Plant Manager
• Control Room Operators
• Maintenance Technician
• SCADA Administrator
• Etc.

To complete the section below, indicate the potential for frequency for each insider position with the following qualitative indicators: Never, Occasionally, Often.

Insider Position | Access to Critical Facilities | Access to Security System | Access to SCADA System
Plant Manager | Oft | Occ | Occ
Control Room Operator | Oft | Oft | Oft
Maintenance Technician | Oft | Occ | Nev
SCADA Administrator | Occ | Oft | Oft

Based on the information for the example water utility, the next form collects more detailed information and in this case is filled out for a Control Room Operator (refer to Appendix A).

Table 4.3. Example of a Completed Water System Insider Threat Analysis Worksheet, Part 2, for the Example Water Utility

WATER SYSTEM INSIDER THREAT ANALYSIS WORKSHEET, PART 2

Utility: Example Water Utility | Date: May 15, 2002 | Recorded by: I. Drinkwater
Adversary: Control Room Operator | Is this a continuation sheet: [ ] Yes [X] No

Description | Information
1. Incidents (historical) | Information not available
2. Expected number of adversaries | One
3. Tactics | Contaminate water system with onsite chemicals
4. Equipment | Access to water utility-owned power tools and hand tools
5. Technical skills and knowledge | Knowledgeable about water processing, emergency response, security system, SCADA system, security procedures

The assessment team needs to determine whether it is required to consider an insider as a potential threat. If it does consider an insider, it will complete this worksheet for any potential category of insider adversary (see Appendix D for a blank form of the worksheet). This is the kind of information that the assessment team will collect, organize, and analyze so that it can make an informed decision about the insider threat. In Appendix D, several insider examples are included for consideration. Definitions for the low-, medium-, and high-level insider threats are also presented. These are only starting points in the development of the insider portion of the DBT and must be further developed.

4.6 CYBER THREAT

The threats to the SCADA system considered fall into four major categories: (1) human intentional, (2) human unintentional, (3) natural, and (4) environmental. The level of sophistication of the threat directly impacts the resources required in any mitigation efforts, so a clear and accurate description of the threat under consideration in the risk assessment process is critical to the overall security improvements. This particular assessment focuses primarily on category 1, with some consideration for 2. Categories 3 and 4 receive only secondary consideration in the process.

Within the human intentional or malicious category there are two basic types of adversaries to be considered: "outsiders" and "insiders." It is generally the goal of an outsider adversary to either become an insider, or to acquire the access and other attributes of an insider. Thus, one of the differentiating attributes of the various outsider adversaries will be the ability to acquire a high level of insider access.
The next several sections provide details on characterizing the insider and outsider cyber threats.

4.6.1 Outsider Adversary Levels

The difference in sophistication between cyber adversaries is not necessarily with respect to the tools employed, but more in their ability to use and customize these tools. Figure 4.2 depicts the increasing sophistication level of cyber adversaries. Similar tools are available for each adversary type. A clearer distinction is the adversary's ability to discover the actual security architecture that has been implemented, as well as the level of access needed to perform their mission. In the water SCADA assessment, the focus is at the hacker level due to the immaturity of security prevalent in the current information technology (i.e., cyber systems at water utilities). For the short term, most water utilities will need to focus on the hacker level threat but should recognize that the long-term goal is to protect against the cyber terrorist.

Figure 4.2. Outsider Adversary Levels

4.6.2 Insider Levels

The insider threat includes many people with various degrees of knowledge and various degrees of access within a water utility (Figure 4.3). The person who can do the most damage to a water utility with the least amount of effort is an insider who already has access to the computer system. Insiders have erased complete files of companies, inserted "bugs" into software that are very difficult to find, and may do their damage and remain as an employee. Again, the sophistication level is key in distinguishing between different insider adversaries. Due to the immaturity of security in the cyber systems, the SCADA assessment typically focuses on the operator with knowledge and privileges (i.e., an operator who uses the software but may not know how the software works).

Figure 4.3.
Insider Adversary Levels

The threat of cyber attack is becoming a very important subject and a vulnerability that water utilities need to address. As water utilities become more dependent on SCADA systems to control their operations, they are becoming more vulnerable to someone hacking into the system and damaging assets. A denial of service attack on the SCADA operation affects more than the automated control of the water process. It affects the entire water utility. The cyber threat is dependent on the water utility's cyber features and is the domain of some very specific people within the organization.

4.6.3 Cyber Threat Attributes

It is recommended that the water utilities initially use the hacker as the DBT and secure to that level before attempting to secure to the higher level of a cyber terrorist. The outsider and insider adversaries, with associated attributes, are listed in Tables 4.4 and 4.5, respectively. Appendix D contains definitions for the low-, medium-, and high-level hacker threats, which are starting points in the development of the outsider hacker portion of the DBT.

Table 4.4. Outsider Adversaries and Attributes

Adversary | Level of Sophistication | Resources | Mission | Risk Tolerance | Motivation
Naive Novice | Low | Low: no skills | Tactical: fun | High: no concept of penalties or risk | Exploration, recreation
Experienced Novice | Low | Low: few skills only | Tactical: fun | High: little concept of penalties or risk | Exploration, recreation
Hacker/Cracker | Moderate | Low: skills only | Tactical: knowledge, visible effects | Moderate: knowledge of penalties, accepts risk of being caught after deed | Exploration, recreation, searching for knowledge and experience
Hacker Coalition/Hacktivists | High | Moderate: aggregated skills only | Tactical: statement, visible effects, social or political change | Moderate: knowledge of penalties, accepts risk of being caught after deed | Common goal, political or social motives
Organized Crime | High | High: approximately $10M | Strategic: gain control, financial gains | Low: does not want to be caught during any phase | Financial
Cyber Terrorist | High | High: approximately $10M | Strategic: goal oriented, other targets of opportunity | Low: does not want to be caught in intel gathering or implantation | Political or social motives
Foreign Intelligence Service | High | High: national level | Strategic: goal oriented | Low: does not want to get caught during any phase, especially by name | Political motives

Table 4.5. Insider Adversaries and Attributes

Adversary | Level of Sophistication | Resources | Mission | Risk Tolerance | Motivation
Physical Access Only | Low | Low, Moderate | Disruption | Low-Moderate | Anger, collaboration, operative
Some Knowledge, No Authorized Access | Low | Low | Disruption | Low-Moderate | Anger, collaboration, operative
Basic User, No Special Privileges | Low | Low | Disruption, financial gain | Low | Anger, collaboration, operative
Power User, No Special Privileges | Moderate | Low | Disruption, financial gain | Low | Anger, collaboration, operative
Operator Knowledge, Some Privileges | Moderate-High | Low | Disruption, financial gain | Low | Anger, collaboration, operative
Domain Knowledge, Some Privileges | High | Moderate | Disruption, financial gain | Low | Anger, collaboration, operative
Full Design Knowledge, Full Privileges | High | Moderate | Disruption, financial gain | Low | Anger, collaboration, operative

4.6.4 Emerging System Weaknesses

It is important to understand the trends in modern SCADA systems to understand the nature of the cyber threat.
Some of the key trends include:

• SCADA systems are transitioning from proprietary hardware and software platforms towards commercial off-the-shelf products (i.e., Windows, Unix, Cisco network devices, etc.).
• The configurations and operations closely resemble other IT systems.
• For business purposes, SCADA systems are being connected to other IT networks such as the corporate Local Area Network (LAN) and the Internet.
• Many water utilities have "piggy-backed" their security systems on the SCADA system, resulting in the loss of both systems during a successful attack.

As a result of these trends, SCADA systems inherit the same vulnerabilities as other IT systems today, but the consequences may be greater. In addition, there may be unique vulnerabilities inherent to the SCADA applications because they were not designed with security as a primary requirement. For example, a denial-of-service (DoS) attack against a SCADA system that supports transport of physical alarms puts the entire water utility at risk.

4.7 THREAT ANALYSIS SUMMARY

The outsider and insider worksheets for all potential threats need to be completed and analyzed so that the entire threat spectrum can be examined. The examination of the threat spectrum leads to the definition of a DBT. For the example water utility, the DBT is summarized in Table 4.6.

Table 4.6. Water System Threat Analysis Summary for Example Water Utility

Adversary | Number | Equipment/Vehicles | Knowledge | Weapons | Tactics
Outsider | 3 | Hand tools, power tools, pick up, 4 x 4, car | Limited knowledge of security system and water processing facility; limited cyber capability | Handguns, automatics, explosives (5 lb or less) | Damage water system, disrupt water flow
Insider | 1 | Onsite tools, SCADA access, company vehicles | Knowledgeable about water processing, emergency response, security system, SCADA system, security procedures | N/A | Contaminate with on-site chemicals
Outside Hacker | 1 | Computer and hacker software tools | Access to Internet, knowledge of SCADA system, hacker tools | N/A | Damage assets through SCADA system

The proposed DBT should be drafted, reviewed, and agreed to by management before proceeding with the detailed assessment. The final definition of threat for the water utility is required information for the security design and system effectiveness analysis.

4.8 LIKELIHOOD OF ATTACK (PA)

In the risk equation the term PA refers to the likelihood of attack by the adversary. PA is an extremely difficult term to estimate due to the lack of sufficient intelligence data available. Its estimation involves a little bit of predicting the future. The risk equation calculation can be entirely thrown off without sufficient data to be able to come up with a good estimate of PA. In the RAM-WSM application of this risk equation to water utilities, it is therefore recommended to set the term PA to 1.0. The calculation of risk (setting PA to 1.0) ranks the assets only by consequence, C, and by system effectiveness, PE. Both of these terms can be estimated far better than the ability to estimate PA. Not using PA as a discriminator among assets makes sense for risk assessments that are localized to a single water utility.
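The ranking step described above, as an added example that is not code from the RAM-W report: it assumes the product form R = PA × (1 − PE) × C for the risk equation (this section names the three terms but does not write the formula out), and the asset names, consequence values, and effectiveness values are constructed. The second ranking shows the point the text makes about PA: guessed per-asset attack likelihoods can reorder the list, whereas PA = 1.0 leaves the order determined only by C and PE.

```python
"""Asset ranking with the RAM-W risk terms and PA fixed at 1.0.

Added example, not from the RAM-W report. Assumes the product form
R = PA * (1 - PE) * C; all asset data below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Asset:
    name: str
    consequence: float           # C, normalized to 0..1 (1 = worst credible outcome)
    system_effectiveness: float  # PE, probability the protection system defeats the DBT


def risk(asset: Asset, p_a: float = 1.0) -> float:
    """R = PA * (1 - PE) * C.

    With PA = 1.0 the value is a relative ranking score, not a statement
    that an attack is certain (see the note on PA in Section 4.8).
    """
    for value in (p_a, asset.consequence, asset.system_effectiveness):
        if not 0.0 <= value <= 1.0:
            raise ValueError("PA, PE and C must lie in [0, 1]")
    return p_a * (1.0 - asset.system_effectiveness) * asset.consequence


def rank_assets(assets: Iterable[Asset],
                p_a_by_asset: Optional[Dict[str, float]] = None) -> List[str]:
    """Asset names ordered from highest to lowest risk.

    p_a_by_asset: optional per-asset PA estimates. When omitted every
    asset gets PA = 1.0, the RAM-W recommendation for a single utility,
    so the order depends only on (1 - PE) * C.
    """
    p_a_by_asset = p_a_by_asset or {}
    scored = [(risk(a, p_a_by_asset.get(a.name, 1.0)), a.name) for a in assets]
    scored.sort(key=lambda item: (-item[0], item[1]))  # highest risk first
    return [name for _, name in scored]


# Constructed sample assets; not the report's example water utility.
SAMPLE_ASSETS = [
    Asset("high-lift pumps", consequence=0.9, system_effectiveness=0.5),
    Asset("SCADA master", consequence=0.8, system_effectiveness=0.2),
    Asset("chlorine storage", consequence=0.7, system_effectiveness=0.7),
    Asset("storage reservoir", consequence=0.6, system_effectiveness=0.1),
]

# Constructed "guessed" PA values, standing in for estimates made
# without adequate intelligence data.
GUESSED_PA = {
    "high-lift pumps": 0.5,
    "SCADA master": 0.2,
    "chlorine storage": 0.9,
    "storage reservoir": 0.9,
}

if __name__ == "__main__":
    print("PA = 1.0 (C and PE only):", rank_assets(SAMPLE_ASSETS))
    print("PA guessed per asset:    ", rank_assets(SAMPLE_ASSETS, GUESSED_PA))
```

With PA held at 1.0 the SCADA master (low PE) and the storage reservoir (lowest PE) move to the top even though the high-lift pumps carry the largest consequence; the guessed-PA run reverses much of that order, which is the instability the section warns about.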
Note the subtle distinction between setting PA to 1.0 in order to calculate probability and setting PA to 1.0 because it is believed that the probability the water utility will be attacked by an adversary is 1.0. Calculating probability in this manner does not imply a belief that the water utility will definitely be attacked by an adversary.

5 SITE CHARACTERIZATION

[Process Locator waterfall flow diagram: Planning; Design Basis Threat; Likelihood of Attack (PA); Prioritized Critical Assets (C); Protection and Operating Systems (PE); Purpose, Objective; Prioritize Facilities]

5.1 PREPARATION FOR SITE CHARACTERIZATION

It is absolutely essential that a site be fully understood in terms of constraints, performance parameters, operations, and the circumstances in which it exists. Information and data about all the various aspects must be obtained and reviewed. When collecting information a variety of sources should be used, including drawings, policies and procedures, tours, briefings, reference material, and personal interviews. A system process diagram will greatly assist the assessment team in the early phases of the assessment. The assessment team should be especially concerned with single points of failure (SPOFs) that are easily accessed and damaged and/or destroyed. It is also important to understand how the parts of the process interrelate and how an undesired event can be overcome operationally. It is generally much more cost effective if an operational or a design change can be made to reduce a consequence rather than installing expensive security features.

5.2 RISK ASSESSMENT SCOPE

The assessment team must define the scope of the analysis for the water utility.
The assessment team should review the system process diagrams, interview the facility operators and others that understand in detail how the system operates, review emergency operations plans, and consider the interdependencies with other critical infrastructures to help define the boundaries of the assessment (i.e., the assessment team needs to define what will and will not be included in the analysis). For example, electrical power, communication lines, natural gas, and piping systems enter and leave each of the facilities in multiple locations, and a decision has to be made as to how far each of these systems will be assessed. It is important for the assessment team to focus on assets that are under the control of the water utility.

5.2.1 Interdependencies

The assessment team will need to understand the interdependencies and how easy or difficult they are to disrupt. Examples of interdependencies are:

• Electrical power
• SCADA
• Natural gas
• Communications
• Diesel fuel
• Transportation of chemicals

The assessment team will want to evaluate the ability of an adversary to cause disruptions using an interdependent infrastructure. Electrical substations may be in very vulnerable locations, but unless the water utility owns the substation, it may be that very little can be done to improve the security. Developing relationships with critical suppliers (e.g., wholesalers, electrical power companies, etc.) and having a written plan in place to recover quickly in the event that critical components of the system are disabled or destroyed can reduce the consequences of a malevolent attack.

5.3 DOCUMENTS REQUIRED FOR SITE CHARACTERIZATION

After the critical facilities are prioritized and the assessment team understands the proposed DBT, the next phase is to begin a more detailed analysis of the operations to be studied.
The following information should be gathered and reviewed:

• Unusual occurrence reports.
• Facility drawings and site plans.
• Utility maps (electrical, gas, water, and wastewater).
• Emergency operations plans.
• Emergency response plans.
• Chemical impact analyses (chemical releases into air or water).
• Back-up system diagrams.
• SCADA system design and operation documents.
• Operational reports.
• Communication system design and operation documents.
• Employee security policies and procedures.
• Visitor policies and procedures.
• Contractor policies and procedures.
• Security alarm logs.
• Existing security system design and operational data.

Before going to the field, simple block diagrams should be developed that outline the buildings, building openings, critical assets (if known), site perimeters, etc. In Figure 5.1, a block diagram has been created to represent one of the treatment paths for the water withdrawn from Bigg Lake for the example water utility (Treatment Plant 1). Single points of failure (SPOFs) exist all along the path. These SPOFs will need to be evaluated to see if significant risks from the DBT exist.

[Figure 5.1 block diagram: Bigg Lake, Intake Cribs, Intake House, Low-lift Centrifugal Pumps, Purification Plant, Pumping Station (3 High-lift Centrifugal Pumps), SCADA System, To Distribution System]

Figure 5.1. Water System Block Diagram for Treatment Plant 1 (Example Water Utility)

5.3.1 Site Survey

After all the background documentation and block diagrams have been reviewed and a site-specific fault tree (Section 5.4) constructed, a site survey is conducted to verify the information. As the survey progresses, the assessment team will uncover vulnerabilities and sensitive information. It is critical that this information be briefed to management before discussion in meetings or feedback sessions.
Avoid discussion on security system enhancement recommendations until the risk analysis is complete. One-on-one interviews with employees and contractors at all levels are very helpful; however, direct managers should not be present, to ensure candor, and all conversations must be treated as confidential. Visits during the off-shifts and non-operational hours are necessary to review the operations, security system functionality, lighting levels, and other pertinent details.

Photographs are imperative during the site survey. The assessment team should take many photos for easy reference and reminders when analyzing the data at a later date. Log and label the photos as they are taken. Both panoramic shots of the entire facility (outdoor) as well as detailed photos of existing security and operational features are required. A color-coding scheme keyed to a particular facility or set of facilities for the questionnaires (Appendix F) and sketches is recommended.

5.3.1.1 Distribution System

One of the more difficult decisions for the assessment team involves the determination of how far to carry the assessment into the distribution system. Large mains and distribution areas with few supply paths available should be included. All storage reservoirs should be included as well. Large, complex systems with several storage reservoirs may need to tier their assets (Section 3.4) in order to keep the analyses to a manageable size. The assessment team should look for and review any exposed mains (e.g., over ravines, rivers, etc.). Having alternate supply paths available for all easily damaged/destroyed exposed mains should be a goal of the risk reduction efforts. If this is not possible, then contingency plans are warranted. The assessment team should base its decision on how far to carry the analysis in large part on the consequences of loss. Water mains break often, so most water utilities have experience isolating and repairing water lines.
Look for areas that could be compromised that would result in consequences beyond normal. Think like the adversary. Where would someone attack the system and cause high consequences? What parts/equipment have long lead times to replace? If the water utility has been modeled in some type of software (EPANET), then conducting "what if" analyses can assist the assessment team.

5.3.2 Existing Chemicals

The assessment team should collect information on all onsite chemicals and then analyze the ability of the adversary to use the chemicals to damage and/or destroy critical assets as well as to contaminate the water. Data to be gathered include:

• Location, concentration, and quantities of all chemicals.
• Containment strategies (barriers, dams, scrubbers) and capacity for unintentional release.
• Maximum amount of chemicals stored on site.
• Delivery frequency, amounts, methods of delivery (containers, slurry, bulk, etc.).
• MSDS sheets for all chemicals to be included in analysis.
• Access controls in place for chemical treatment areas.
• System capacity for injecting chemicals:
  o Number of pumps available.
  o Pump flow rates.
  o Sizes and pressure ratings on piping.
  o Water flow rates at point of injection.
  o Ease of bypassing metering system.
  o Potential for breach of container for complete release of material.
• Existing sensors.
• Process control features on delivered chemicals to the plant.
• Residence time of the treated water from the effluent of the treatment process to the first customer.

Treatment chemicals in high enough doses can constitute a threat to the water utility staff as well as consumers. Additionally, many of the chemicals stored at a water utility could be used as accelerants (LOX) or fuels (diesel, gasoline), and could be mixed with air to form explosive mixtures (propane), or in some other manner by an adversary.
The assessment team should understand why and how the chemicals are stored, controls on their use, and whether or not safer alternatives are available. The effects of catastrophic breach of multiple containers should be considered, not only within the bounds of the treatment plant, but also on the surrounding community. A worksheet for collecting information on existing chemicals is included in Appendix F.

5.4 THE GENERIC UNDESIRED EVENT FAULT TREE

As mentioned earlier, the facility prioritization will help the assessment team focus on those parts of the operation that must be functional for the water utility to meet the mission objectives and will be used as a starting point in the fault tree analysis described in this section. The fault trees are developed to describe the entire system, at least at a high level. The main purpose of doing this is to look for any potential WMD-type events at the water utility that did not come out of the facility prioritization. If any potential WMD-type events are found, they should be included in the analysis. Also, the fault tree can be developed in more detail wherever necessary, allowing for more in-depth analysis than the facility prioritization.

The Generic Undesired Event Fault Tree (fault tree), provided in Appendix E, is applied to the specific facility/asset that is being assessed. Appendix E provides a full-sized fault tree, a fault tree broken into individual pieces, and a brief introduction to fault tree symbols. It is suggested that the assessment team open the full-sized fault tree as this section is reviewed.

5.4.1 Introduction to the Fault Tree

The entire fault tree is constructed from the adversary's point of view. It describes how the mission objectives of a water system can be defeated. The most generalized events are found in the upper layers of the tree.
As the causes of these events are developed deeper in the tree, adversary strategies and the targets of attacks are revealed. The events are numbered in outline format beginning at the second layer and proceeding downward. The upper levels of the Generic Undesired Event Fault Tree are described in this section.

5.4.1.1 Upper Levels of the Generic Undesired Event Fault Tree

The upper levels of the Generic Undesired Event Fault Tree are shown in Figure 5.2.

Figure 5.2. Upper levels of Generic Undesired Event Fault Tree (figure not reproduced; it shows the treetop "Defeat the Mission of the Water System by Deliberately, Malevolently Causing an Undesired Event" labeled Overall Undesired Event, a second layer labeled Defeat a Mission Objective, a third layer including 2.1 Contaminate Water Before Distribution, 2.2 Contaminate Pretreatment or Treatment Process, and 2.3 Contaminate Distribution, and a fourth layer labeled Possible Strategies of Adversary)

5.4.1.2 Treetop - Defeat Overall Mission

The overall goal of the adversary is stated in the topmost event (treetop): the adversary seeks to defeat the mission of the water system by deliberately, malevolently causing an undesired event. The treetop is the first layer of the tree. Every event on the tree is undesired from the viewpoint of the water utility (but desirable from the point of view of the adversary).

5.4.1.3 Layer 2 - Defeat Mission Objectives

The second layer of the tree consists of events that cause the defeat of mission objectives of the water system. They are numbered 1 through 4. A mission objective of the water utility is to continuously maintain a flow of water to the customers. Event 1 is Interrupt or impair water flow in the system. A second mission objective is to assure that the water supplied to customers is not harmfully contaminated. Event 2 is Contaminate water. A third mission objective is to prevent mass injuries to employees or the public.
Event 3 is Weapon of mass destruction-type event to injure employees or the public. An adversary might seek to accomplish Event 3 alone, or in combination with Event 1 or 2. A fourth mission objective is to maintain public confidence in the water system. Event 4 is Compromise public confidence. This event is usually of secondary importance, so it is shown as dashed, and it is not extensively developed.

5.4.1.4 Layer 3 - Attack a Major Stage of the Water Utility

The third layer of the tree partitions Events 1 and 2 into attacks on a major stage of the water utility. The development of Event 1 follows the progress of water through the facility from source (1.1), through pretreatment and treatment (1.2), to distribution to the customer (1.3). The undesired events address attacks made at these stages to interrupt or impair water flow. The development of Event 2 addresses a contamination act before distribution (2.1), where pretreatment or treatment occurs (2.2), or in the distribution system (2.3).

5.4.1.5 Layer 4 - Adversary Strategies

The fourth layer of the tree shows diverse adversary strategies to cause each third layer event. To see the complete fourth layer, refer to the full-sized fault tree. Figure 5.3 shows how Event 1.1 is developed in layer 4. Events that develop 1.1 are 1.1.1, 1.1.4, 1.1.5, etc. At this level of development and deeper, assets are identified that are critical to the functioning of the water utility. For example, Event 1.1.4 addresses critical pump systems, Event 1.1.5 addresses critical valve systems, Event 1.1.6 addresses the process control system, 1.1.7 addresses critical pipelines or conduits, etc.

Figure 5.3. Development of Loss of Water Sources (figure not reproduced; it shows Event 1.1, Loss of Water Sources, with the note "Subtrees .1, .4, .5, .6, .7, .8, and .9 develop these events")

5.4.2 Process for Customizing the Fault Tree

This section covers customizing the generic tree to apply to the example water utility described in Appendix A. The water utility description focuses on one of three water supply channels. Each channel has a treatment plant, but only Treatment Plant 2 is described. The customized fault tree is confined to the water supply channel that involves Treatment Plant 2. The concentration on Treatment Plant 2 might result from pairwise comparison of the importance of the facilities of the water utility, and finding that Treatment Plant 2 is significantly more important than the others.

Not all water utilities have all the mission objectives and features shown on the generic fault tree. To apply the fault tree to a specific facility, delete (prune) irrelevant objectives and modify descriptions to match the facility. Similarly, for those features not shown on the tree, graft them at the correct location and develop them far enough to understand what an adversary might do to compromise that specific feature.

5.4.2.1 Pruning

Prune the fault tree by removing events that do not apply to the specific water utility being analyzed and remove any lower level development. Prune further, working level by level downward through the tree. Review the development of undesired events that have been kept in the tree, and remove events that cannot occur at the facility/asset being evaluated. These pruning steps are illustrated for the example water utility described in Appendix A. The upper levels of the pruned tree are shown in Figure 5.4. The mission requires that water flow be maintained for fire protection and other public safety uses. Thus, Event 1 cannot be pruned.
Treatment Plant 2 is designed to eliminate naturally occurring contamination, and a study indicates that Bigg Lake is too large to contaminate. Thus, Event 2.1 can be pruned, but Events 2.2 and 2.3 must be kept on the tree. Because of the potential for very high consequences, it is recommended that Event 3, Weapon of mass destruction-type event to injure employees or the public, never be pruned and be kept as part of the tree (at least at the treetop) to serve as a reminder to always look for those WMD-type events in the analysis. The threat assessment for the facility shows no history of attacks that inflicted massive damage (large fires, floods, explosions, toxic releases, etc.), but gaseous chlorine is employed at the treatment plants. On this basis, Event 3 cannot be pruned. The mission statement does not refer to issues of maintaining public confidence, so Event 4 is pruned.

Figure 5.4. Upper levels of Site Specific Fault Tree for the Example Water Utility (figure not reproduced; it shows the treetop "Defeat the Mission of the Water System by Deliberately, Malevolently Causing an Undesired Event" labeled Overall Undesired Event, the layer labeled Defeat a Mission Objective, and the layer labeled Possible Strategies of Adversary)

To continue the example, only the development of Event 1.1, Loss of Water Sources, is discussed. The other events still contained on the site-specific fault tree should be treated similarly. Figure 5.5 shows that an adversary has seven diverse ways, identified as 1.1.1, 1.1.4, etc., to cause the loss of water sources by attacking various targets (critical assets). The example water utility description shows, explicitly or implicitly, that all seven targets are present. Thus, no pruning of the fault tree is needed to customize it for the example water utility. Critical pumps, critical pipelines or conduits, key personnel, and process control (both manual and SCADA) are explicitly cited.
Implicitly, process control acts through valves and requires communication lines to carry control information. Also implicit is the necessity of intake structures to bring water into the system. All of the events that develop 1.1, Loss of Water Sources, are retained in the tree.

Figure 5.5. Loss of Water Sources for the Example Water Utility (figure not reproduced; it shows Event 1.1, Loss of Water Sources, developed by seven events, among them Loss of Critical Pump Systems, Misuse/Damage Process Control, 1.1.8 Loss of Critical Communications, and 1.1.9 Loss of Key Personnel)

For the example water utility, the completely customized development of Event 1.1.1 looks like Figure 5.6, assuming that:
1. No wholesaler's water is purchased,
2. The SCADA system plays no role from Bigg Lake to the plant, and
3. No ground water is delivered to Treatment Plant 2.

Figure 5.6. Customized Generic Undesired Event Subtree for Example Water Utility (figure not reproduced; it shows Event 1.1.1, Interrupt or Reduce Ability to Tap Source(s) of Untreated Water, with the note "Repeat for each essential surface water source", developed through 1.1.1.2.3 Damage/Destroy Intake and 1.1.1.2.1 Damage/Contaminate Watershed)

5.4.2.2 Grafting

Customizing the fault tree involves not only pruning but also grafting. Grafting may be necessary for two reasons. First, an undesired event that is not on the generic fault tree may occur at the site being analyzed. The event might be the defeat of a site-specific mission objective. However, the event may belong deeper in a development. The missing event should be grafted or added on and developed in a similar manner to the other fault tree events. Second, an undesired event that is on the tree may apply to several versions of the same critical asset. Graft the development of the critical asset for each different type of the asset to ensure that the differing security implications of all cases are examined.
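The pruning and grafting steps just described, worked as a small Python model. This is an added example, not the report's code and not the Appendix E tree: the tree is a constructed subset of the generic tree using the event numbers and titles given in Section 5.4 (the titles of 1.2 and 1.1.6 are paraphrased), and the three grafted pump subtrees with their "-n" numbering are assumptions.

```python
"""Pruning and grafting a generic undesired-event fault tree (Section 5.4.2).

Added example, not the report's code and not the Appendix E tree: the tree
here is a small constructed subset whose event numbers and titles follow the
text of Section 5.4; the titles of 1.2 and 1.1.6 are paraphrased.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterator


@dataclass
class Event:
    """One undesired event, treated as an OR gate over its children."""
    number: str                       # outline number; "" for the treetop
    title: str
    children: list[Event] = field(default_factory=list)

    def find(self, number: str) -> Event | None:
        if self.number == number:
            return self
        for child in self.children:
            hit = child.find(number)
            if hit is not None:
                return hit
        return None

    def prune(self, number: str) -> bool:
        """Remove event `number` together with all of its lower-level development."""
        for i, child in enumerate(self.children):
            if child.number == number:
                del self.children[i]
                return True
            if child.prune(number):
                return True
        return False

    def graft(self, parent_number: str, new_event: Event) -> None:
        """Attach a site-specific event (and its subtree) under an existing event."""
        parent = self.find(parent_number)
        if parent is None:
            raise KeyError(f"no event {parent_number!r} to graft onto")
        parent.children.append(new_event)

    def leaves(self) -> Iterator[Event]:
        """Undeveloped events: the targets (critical assets) the tree exposes."""
        if not self.children:
            yield self
        for child in self.children:
            yield from child.leaves()


def generic_tree() -> Event:
    """Constructed subset of the generic tree's upper layers and Event 1.1."""
    return Event("", "Defeat the mission of the water system", [
        Event("1", "Interrupt or impair water flow in the system", [
            Event("1.1", "Loss of water sources", [
                Event("1.1.1", "Interrupt or reduce ability to tap source(s) of untreated water"),
                Event("1.1.4", "Loss of critical pump systems"),
                Event("1.1.5", "Loss of critical valve systems"),
                Event("1.1.6", "Misuse/damage process control"),
                Event("1.1.7", "Loss of critical pipelines or conduits"),
                Event("1.1.8", "Loss of critical communications"),
                Event("1.1.9", "Loss of key personnel"),
            ]),
            Event("1.2", "Interrupt or impair pretreatment or treatment"),
            Event("1.3", "Interrupt or impair ability to distribute water", [
                Event("1.3.4", "Loss of critical pump systems"),
            ]),
        ]),
        Event("2", "Contaminate water", [
            Event("2.1", "Contaminate water before distribution"),
            Event("2.2", "Contaminate pretreatment or treatment process"),
            Event("2.3", "Contaminate distribution"),
        ]),
        Event("3", "WMD-type event to injure employees or the public"),
        Event("4", "Compromise public confidence"),
    ])


def customize_for_example_utility(tree: Event) -> Event:
    """Apply the pruning and grafting decisions the text makes for Treatment Plant 2."""
    # Pruning: Bigg Lake is too large to contaminate (2.1) and the mission
    # statement says nothing about public confidence (4). Event 3 is never pruned.
    tree.prune("2.1")
    tree.prune("4")
    # Grafting: the three pump systems at Treatment Plant 2 are assumed to be
    # non-identical, so the single generic instance 1.3.4 is replaced by one
    # subtree per pump system. The "-n" suffix numbering is an assumption.
    tree.prune("1.3.4")
    for n in (1, 2, 3):
        tree.graft("1.3", Event(f"1.3.4-{n}", f"Loss of critical pump system {n}"))
    return tree


def critical_asset_numbers(tree: Event) -> list[str]:
    """Outline numbers of the undeveloped events left after customization."""
    return [e.number for e in tree.leaves()]


if __name__ == "__main__":
    for e in customize_for_example_utility(generic_tree()).leaves():
        print(e.number, e.title)
```

The leaves that remain after customization are the critical assets that feed the consequence assessment of Section 5.6.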
For example, the example water utility description says that three electrical motors and pump assemblies are co-located at Treatment Plant 2. They move treated water to Pump Stations #1 and #2. On the generic tree, Event 1.3, Interrupt or Impair Ability to Distribute Water, includes one instance of Event 1.3.4, Loss of Critical Pump Systems. If the three pump systems are not identical, each different pump system should be represented on the tree by its own subtree .4, Loss of Critical Pump Systems.

• An aquifer
• Containment structure
• Water intake
• Well casing
• Electrical substation
• Backup power system
• Power distribution bus or switches

A series of questionnaires (Appendix F) have been developed to assist the assessment team during the site characterization activities. These questionnaires help the assessment team understand the features of the water utility and also begin to collect existing performance data about the security and operational systems. The first set of questionnaires, F.1, included in Appendix F cover the security policies and procedures, security training, emergency response readiness, and other important aspects of the overall security program at the water utility. It is recommended these questionnaires first be completed through an interview with management and then verified through interviews with staff members that are responsible for implementation. For example, if a policy exists that all employees are to call and verify their identities before entering an alarmed area, the question then becomes whether or not this policy is followed. This can be verified through interviews with operators, maintenance staff, and others requiring access to the site.
If the policy is not followed, then a performance test is not required and the system effectiveness for that portion of the operation would be rated low. If the policy appears to be followed, then a performance test could be devised to determine the system effectiveness against the DBT. The questionnaires are not exhaustive, nor are they the end point of the analysis. They are simply included to facilitate the assessment team in their understanding of system performance and should be used as the beginning of discussion for thought experiments or actual performance tests to ensure the system meets the security objectives.

The second set of questionnaires, F.2, has been developed to assist the assessment team during the fault tree analysis. These questionnaires are designed to complement the fault tree and provide additional detail on how an adversary might defeat the asset being analyzed. As noted in the previous section, these questionnaires are not intended to be exhaustive or the end point of the analysis, but to help the assessment team really understand the water utility operation in detail. By going through the existing questions and creating additional ones as necessary, a detailed understanding can be gained about potential vulnerabilities. It is not possible to design a questionnaire for every situation that an assessment team might encounter, so it is more important to learn the art of asking probing questions rather than to focus on mechanically answering the questions included. Every water utility has some number of unique vulnerabilities and it is the assessment team's responsibility to uncover as many of them as possible.

The third set of questionnaires, F.3, provides a mechanism to collect data on current security system operations.
This data will be used to determine if any or all the elements of the security system can help defeat the DBT. If the risk analysis determines that the system has a high probability of defeating the DBT, then performance tests can be developed to validate or invalidate the analysis. The security questionnaires are completed for each of the facilities/assets included in the assessment. The assessment team may find that existing PPS features are very similar or identical at many locations and may be able to shorten the information gathering process by copying partially completed forms and filling in only the site specific items. For example, if all sites have an eight-foot-high fence of the same construction, this item can be completed once for all facilities/assets.

The fourth set of questionnaires, F.4, helps determine the importance of the SCADA system to the operations of the water utility. The fifth set of questionnaires, F.5, characterizes the SCADA if it is to be analyzed. And the final questionnaire, F.6, is a guide for gathering information about onsite chemicals. The questionnaire lists three chemicals (a solid, a liquid, and a gas) that are filled out as an example.

5.6 CONSEQUENCE ASSESSMENT

It is not possible or practical to protect all the assets owned by a water utility. The criteria for selecting assets to protect will depend on the desire to avoid undesirable consequences and the capabilities of the adversary.
The consequence assessment process uses the consequence of the loss to help determine which assets are at greatest risk relative to all the assets owned by the water utility.

5.6.1 Define Measures of Consequence

This section presents the concept of consequence measure and defines a consequence matrix by which the water utility's facilities and assets will be evaluated. A consequence assessment determines a consequence value (i.e., high, medium, or low) for all undesired events identified during the assessment. If values for some of the undesired events are not readily available, expert opinion of the assessment team or other subject matter experts can be used. Each undesired event can have several types of consequences and all must be captured. The final consequences used in the risk analyses are the highest of the estimated consequences for each undesired event. Once the consequence matrix has been established, an appropriate consequence value is assigned to each undesired event or asset loss. The measures of consequence could possibly include the following:
• Economic loss to water utility (equipment, facilities, loss of revenue, etc.)
• Economic loss to society
• Cost to repair/replace
• Deaths
• Illnesses
• Duration of loss
• Number of customers affected (critical and non-critical)
• Loss of fire protection

The assessment team must define its own site-specific measures of consequence and document the rationale for the measures and values selected.
5.6.1.1 Documentation to Review

To help define measures of consequence and completely understand the consequences related to defeating one or more of the mission objectives of the water utility, the following information should be considered:
• Facility drawings and site plans with supporting documentation
• Utility maps (electrical, gas, water, and wastewater)
• Maintenance and service records
• Chemical impact statements
• Water utility budgetary authority (financial records)
• Water quality standards reports and documentation
• Historical public confidence indicators

5.6.2 Develop Site Specific Consequence Matrix

To help assessment teams understand how to construct a matrix, an example generic consequence matrix (Table 5.1) has been included as a starting point. The matrix is useful in helping to identify possible measures that could be applied. When constructing the matrix, it is important not to set the measures too low, which could lead to all assets being ranked high priority (value of "C" would not be a discriminatory factor). Defining realistic and pragmatic values for high, medium, and low will be a challenge for the assessment team and therefore will need to be developed methodically. The assessment team will likely need input from the financial officer and upper management to construct and gain approval of the consequence matrix. As noted in Chapter 4, some undesirable events have consequences far exceeding the high category and may be candidates for being labeled as WMD-type events. The consequences of the WMD-type events are likely catastrophic to the operation of the water utility and to public safety.

Table 5.1. Example Generic Consequence Matrix (cells lost in the scan are marked "illegible")

Undesired Event | Measure of Consequence | Very High | High | Medium | Low
Loss of water sources | Economic loss | N/A | >$5M | $500K-$5M | <$500K
Loss of water sources | Duration of loss | N/A | >4 weeks | 1-4 weeks | <1 week
Loss of water sources | Number of users impacted | N/A | >100K | 5K-100K | <5K
Loss of water sources | Loss of fire protection | N/A | >4 hr | 0-4 hr | (illegible)
Pretreatment or Treatment Process (event title partly illegible) | Economic loss | N/A | >$5M | $500K-$5M | <$500K
Pretreatment or Treatment Process (event title partly illegible) | Duration of loss | N/A | >5 days | 1-5 days | <1 day
Pretreatment or Treatment Process (event title partly illegible) | Number of users impacted | N/A | >100K | 5K-100K | <5K
Interrupt or Impair Ability to Distribute Water | Economic loss | N/A | >$5M | $500K-$5M | <$500K
Interrupt or Impair Ability to Distribute Water | Number of users impacted | N/A | >100K | 5K-100K | <5K
Interrupt or Impair Ability to Distribute Water | Loss of fire protection | N/A | >4 hr | 0-4 hr | (illegible)
(event title illegible) | Deaths | (illegible) | 5 | 0-5 | (illegible)
(event title illegible) | Illnesses | N/A | >5K | 500-5K | <500
WMD-type Event | Economic loss | TBD | N/A | N/A | N/A
WMD-type Event | Number of users impacted | TBD | N/A | N/A | N/A
WMD-type Event | Loss of fire protection | TBD | N/A | N/A | N/A
WMD-type Event | Deaths | TBD | N/A | N/A | N/A
WMD-type Event | Illnesses | TBD | N/A | N/A | N/A

The assessment team will construct a site-specific consequence matrix based on the measures of consequence identified and the information and data collected from the documentation review as well as the responses to the questionnaires. As an example, a site-specific consequence matrix for the example water utility was developed based on the information provided in the description (Appendix A) and is shown in Table 5.2. The consequence matrix includes five columns. The first column lists the measures of consequence (economic loss, duration of loss, number of users impacted) and the remaining columns indicate the threshold levels at which the consequence is to be evaluated for a corresponding measure.

Table 5.2. Site-Specific Consequence Matrix for the Example Water Utility

Measure of Consequence | Very High | High | Medium | Low
Economic Loss | TBD | >$2M | $2M-$500K | <$500K
Duration of Loss | TBD | >24 hr | 24-8 hr | <8 hr
Number of Users Impacted | TBD | >2,000 | 200-2,000 | <200

It is suggested that the assessment team perform a pairwise comparison on its consequence matrix for validation.
Each measure would be placed into a pairwise matrix and compared against one another for each consequence value (high, medium, low) to determine if all the measures included under each specific column are indeed at a similar level. The measures included in the consequence matrix will drive the assets that are labeled critical when the risk analysis is complete. It may be beneficial to use multiple consequence matrices for different parts of the water utility operation. The measures of consequence should be reevaluated periodically. The matrix should also be revisited when significant changes are either planned or completed for the water utility. Once the consequence matrix has been established, an appropriate consequence value will be assigned to each asset in subsequent risk analyses.

5.6.3 Determine Critical Assets Consequence Levels

After the assessment team develops and agrees to the site-specific consequence matrix, they then review the critical assets identified from the fault tree and rank the consequence of the undesirable events as low, medium, high, or very high (WMD-type events). To help determine the consequence value for each critical asset, a table is used that lists the undesired events and the critical assets on the left and the measures of consequence across the top. A Consequence Value Table (Table 5.3) for Treatment Plant 2 of the example water utility was developed based on Table 5.2 and information provided in the example water utility description (Appendix A). A detailed description of how the high, medium, and low consequence values were derived for the example water utility is given in Appendix G. For each critical asset and measure of consequence a value of high (H), medium (M), or low (L) is assigned. When all the values are filled in then an overall consequence value can be determined.
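How the Table 5.2 thresholds turn into per-measure H/M/L values for each undesired event, and then into an overall consequence value, as an added Python example (not the report's code). The thresholds are those of Table 5.2; the per-event estimates and the rule that combines per-measure values are constructed here, since the report leaves that rule to the assessment team and only advises against averaging.

```python
"""Assigning consequence values from a site-specific consequence matrix (Section 5.6).

Added example, not the report's code. The thresholds are those of Table 5.2
for the example water utility; the per-event estimates and the rule that
combines per-measure values into an overall value are constructed here (the
report leaves that rule to the assessment team and only advises against averaging).
"""
from dataclasses import dataclass

# Table 5.2: (High if strictly above, Medium if at or above); below that is Low.
# "Very High" is TBD in the table and reserved for WMD-type events, so it is
# carried as a flag rather than as a threshold.
MATRIX = {
    "economic_loss_usd": (2_000_000, 500_000),   # >$2M / $2M-$500K / <$500K
    "duration_hours":    (24, 8),                # >24 hr / 24-8 hr / <8 hr
    "users_impacted":    (2_000, 200),           # >2,000 / 200-2,000 / <200
}
RANK = {"H": 3, "M": 2, "L": 1}


@dataclass(frozen=True)
class Estimate:
    """Consequence estimate for one undesired event (constructed values)."""
    undesired_event: str
    economic_loss_usd: float
    duration_hours: float
    users_impacted: int
    wmd_type: bool = False   # Event 3 class: rated Very High regardless of measures


def rate(measure: str, value: float) -> str:
    """Map one measured value to H, M or L using the matrix thresholds."""
    high, medium = MATRIX[measure]
    if value > high:
        return "H"
    if value >= medium:
        return "M"
    return "L"


def per_measure_values(est: Estimate) -> dict[str, str]:
    """One H/M/L letter per measure of consequence, as in a row of Table 5.3."""
    return {m: rate(m, getattr(est, m)) for m in MATRIX}


def overall_value(est: Estimate) -> str:
    """Constructed combination rule: WMD-type events are "VH"; if every measure
    agrees that letter is used; otherwise the highest letter is qualified by
    the next-highest present (e.g. "H-M"). Values are never averaged."""
    if est.wmd_type:
        return "VH"
    present = sorted(set(per_measure_values(est).values()), key=RANK.get, reverse=True)
    return present[0] if len(present) == 1 else f"{present[0]}-{present[1]}"


def consequence_table(estimates: list[Estimate]) -> list[tuple[str, dict[str, str], str]]:
    """Rows of (undesired event, per-measure values, overall value)."""
    return [(e.undesired_event, per_measure_values(e), overall_value(e)) for e in estimates]


# Constructed estimates for Treatment Plant 2 (illustrative, not Appendix G figures).
EXAMPLE_ESTIMATES = [
    Estimate("Damage or destroy pipelines/conduits", 3_500_000, 72, 6_000),
    Estimate("Damage or destroy disinfection capability", 900_000, 12, 1_000),
    Estimate("Loss of pumps", 400_000, 48, 5_000),
    Estimate("Loss of key personnel", 50_000, 4, 0),
    Estimate("WMD-type event (Event 3)", 0, 0, 0, wmd_type=True),
]

if __name__ == "__main__":
    for name, values, overall in consequence_table(EXAMPLE_ESTIMATES):
        print(f"{name:44s} {' '.join(values.values())}  overall={overall}")
```

The boundary cases matter: a $500K loss or an 8 hr outage lands in Medium, not Low, because Table 5.2 writes the Medium band as inclusive.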
Clearly if all "H" values are assigned across a row, then the overall consequence value would be High. If there was one "H" and the rest "M" across a row, it might be evaluated as a "H-M" asset. The assessment team will have to develop rules for determining the overall consequence value (note: averaging values is not a recommended approach).

Table 5.3. Consequence Values for Undesired Events for the Example Water Utility (the four measure-of-consequence column headings are illegible in the scan)

Undesired Event | Measures of Consequence
Damage or destroy pipelines/conduits | L | H | H | H
Damage or destroy disinfection capability | M | M | M | M
Loss of pumps | L | H | H | H
Loss of key personnel | L | L | L | L

Some undesired events have a higher consequence than others, so the loss of the critical assets associated with them will have a higher "C" value, making them higher priority critical assets.

5.7 EXISTING PROTECTION SYSTEMS

The RAM-WSM term, protection system, refers not only to the physical protection system, but has been extended to also include non-physical security elements that contribute to protection system effectiveness. These non-physical security elements, referred to as operational elements, are elements that are intrinsic to the water utility operation. Typically, these elements were put in place to serve other purposes but contribute to security by preventing an adversary from achieving their goal. To evaluate system effectiveness, it is important to understand how the Physical Protection System (PPS) and the Operational System (OS) work together. First, detection must occur. Detection can come from either the PPS or the OS.
Once detection occurs, if either the PPS's or the OS's delay and response prevent the adversary from achieving his/her objective, then the protection system is effective. This is a very high-level description of how the PPS and the OS work together. Timelines are used in Chapter 7 to explain system effectiveness in much more detail.

5.7.1 Collect Information on the Existing Security System

As part of the site characterization, the assessment team will collect information about the existing PPS. As noted in Section 5.5, the assessment team should review policies and procedures on all elements of security including:
• Security policies and procedures,
• Visitor policies and procedures,
• Contractor policies and procedures,
• Existing security system design and operational data.

After reviewing available documentation, the assessment team will collect information about potential adversary paths. The assessment team should follow a systematic process to capture information on all existing PPS elements. One suggested method is to start at the boundaries (e.g., fences, gates, openings, etc.) and work in to the critical asset(s), recording pertinent information (e.g., building perimeters, doors, sensors, interior barriers, etc.) along the way. The following are examples of data to collect:
• Detection capabilities with respect to the DBT.
• Alarm assessment capabilities.
• Estimated delay times for the DBT considering tools, technologies, and skills.
• Expected response times from onsite resources, local police or sheriff, and any other emergency responders.

This information will be used to characterize the existing security system and establish a baseline of performance. Data may be available, but if not, tests will need to be performed to derive it. The assessment team needs to integrate all data collected so that one is not looking at "silos" of information.
5.7.1.1 Physical Protection System Features Worksheet

Table 5.4 is a completed worksheet for Treatment Plant 2 that lists the standard features of the PPS. The assessment team will want to customize this worksheet for their site by adding or deleting appropriate features. Examine and verify that each feature exists. Do not assume that they exist and are functional because they show up on a drawing or were mentioned by personnel during an interview. It is not unusual to find presumably locked doors open, sensors installed improperly (pointing the wrong way), response forces assumed to show up in a certain time when they do not know where to go once they arrive at the facility, etc. This worksheet can be a helpful guide in verifying features from an adversary standpoint. A blank copy of the worksheet is contained in Appendix F.

Table 5.4. Example Physical Protection System Features Worksheet

Facility: Example Water Utility
Functional Area: Treatment Plant 2
Date: May 15, 2002
Recorded by: I. Drinkwater

1. Boundary: Yes
  1a. Fence (height and construction): Chain link, 8'-0"
  1b. Vehicle barriers: None
2. Entrances (site): Yes
  2a. Personnel/vehicle: Both
  2b. Entrance construction: Chain link (both)
  2c. Entrance locks: Padlock
  2d. Entrance barriers: None
3. Distance between boundary and building: 60'
4. Building construction: Brick and stone
5. Entrance (doors, windows, vents, skylights): Hollow metal construction doors, regular glass
  5a. Entrance locks: Commercial
  5b. Entrance barriers: None
6. Distance between entrance and critical asset: Avg. 20'
7. Critical asset enclosure construction: None
8. Critical asset enclosure entrance construction: None
  8a. Enclosure locks: N/A
  8b. Enclosure barriers: N/A
9. Sensors (fence, intrusion, door/gate position, penetration, motion): Personnel doors only
10. Detection by personnel: Low
11. ID checks: No
12. Contraband detection (persons, packages, vehicles): No
13. Assessment by camera or personnel: No

5.7.2 Review the Performance of the Existing Security System

Once the assessment team has collected and organized the information for the existing security system, the next step is to evaluate the performance of each PPS feature. This information is categorized as estimates of the following:
• Detection probabilities (detection of the DBT intrusion)
• Assessment probabilities (after detection, communicate and verify the alarm)
• Delay (time required of the DBT at the barriers)
• Response time and capability (response by a force soon enough and capable enough to stop the adversary from completing their objective)

This all needs to be in the context of the adversary attack scenario timeline and will be described in more detail in Chapter 7. Performance of the security system also needs to be reviewed during shift changes, weekends, holidays, under inclement weather, and during operational and non-operational hours. There can be distinctly different performance metrics in comparison to the daytime operational hours.

5.7.3 Review the Performance of the Existing Operational System

The operational system often plays an important role in reducing risk from malevolent attack. The assessment team must thoroughly understand the existing operations and how undesired events may be overcome. Some operational components may be too difficult for the adversary to defeat when considering the DBT capabilities. Examples would be deep rock tunnels and impoundment structures that would require large amounts of explosives and large
storage reservoirs that would be difficult to contaminate. The consequences may be high if the events were to occur, but the capability to accomplish the feat may be beyond the DBT. Having redundancy available is another way the operational system can overcome undesired events. Credit can be taken for redundancy if both are not easily damaged and/or destroyed. For example, if one large main were exposed on a bridge and easily damaged, having two large mains exposed will not lower risk. However, if the second main is buried and not easily accessible, then the DBT may have a difficult time disrupting both (or not even be aware that redundancy exists). Many water utilities are dependent on the electrical grid to pump water through their treatment facilities and to deliver potable water to their customers. Electrical gear is easy to damage, can be easily accessed, and may take years to replace. The adversary would not even need to access the water utility site to accomplish a major disruption. Having mobile gear available to provide back-up power could significantly lower the risk, especially if the mobile equipment is stored in a secure location. All these examples are included to demonstrate the type of information the assessment team will need to collect. Where SPOFs and interdependencies are noted, the assessment team will need to evaluate the operational options available to the water utility to determine the degree of vulnerability.

5.8 SCADA ASSESSMENT METHODOLOGY

Note: The methodology discussed in this section focuses on the SCADA system(s) of the water utility, but all IT systems critical to the water utility should be assessed.

The SCADA security assessment portion of RAM-W is based on a relative ranking assessment approach to water utility SCADA systems.
A guided top-down approach provides the basic structure and integrates elements from a variety of IT assessment and evaluation approaches. The process provides an effective means to evaluate the overall system security of water utility SCADA systems and to guide the development and integration of sustainable security improvements. The SCADA Security Policy Framework™ and the CobiT® (Control Objectives for Information and related Technologies) framework provide guidance during the assessment and mitigation formulation stages. A final, prioritized list of SCADA system assets, ranked by relative security deficiency, indicates an order for applying resources to improve SCADA security.

Shown in Figure 5.8 is an overview of the methodology used to assess the SCADA system. This methodology can be used whether or not the SCADA system has been identified as a critical asset to the mission of the water utility and provides a systematic assessment approach to evaluate the logical and physical security aspects of the SCADA system. In this approach, modern SCADA systems are viewed as IT based systems due to their constituent components and operational requirements. A life-cycle approach to mitigation strategies is required because effective security in IT based systems is an ongoing process, not a one-time technology fix. To help meet this objective, CobiT® is an integral part of the SCADA system assessment approach and the resulting mitigation strategies. This process resides primarily in the IT Security category of assessment processes utilized at Sandia National Laboratories, but also draws from the Red Team and System Risk approaches in several important areas. In addition, the mitigation strategies integrate with the general IT Management approach via the inclusion of CobiT®.
The ultimate goal of this effort is to provide the water utilities with an assessment approach that supports sustainable security for their SCADA systems.

Figure 5.8. SCADA Assessment Methodology (diagram; legible elements: Generic Secure SCADA Model, CobiT® Framework, Generic SCADA Security Policy, Sandia IT Assessment Experience, SCADA Security Policy, Roadmap to SCADA Security)

For Figure 5.8:
1. These elements guide the data gathering and review process in the next step.
2. Information gathering and formulation stage specific to water utility SCADA needs, which leads to the next step.
3. SCADA system characterized from a security perspective.
4. Threats and consequences ranked against results from previous step to provide a relative ranking of SCADA assets by security vulnerability.
5. Input for the final step.
6. Input for the final step.
7. Roadmap or path to SCADA security.

5.8.1 Documentation Review

Documentation requested in the planning stage of the methodology aids the assessors in understanding the SCADA system. Standard policy and plans documentation required for the assessment include:
• SCADA Security Policy,
• SCADA Security Plan,
• Configuration control/management procedural documentation, and
• SCADA security training documentation.

The SCADA security policy is specific to the SCADA system as opposed to the overall IT system. The SCADA security policy is reviewed to determine to what degree the water utility is securing its SCADA system.
In addition to policy and plan documentation review, standard hardware documentation is also required for the assessment and includes the following:
• Network diagram (Visio-style document) and/or the control center LAN diagram,
• Logical topology drawing of the SCADA network,
• Interface points defined as where the SCADA and business networks are connected,
• List of network equipment (i.e., routers, Ethernet switches, CSUs/DSUs, etc.) used in the SCADA network,
• List of SCADA computer platforms (i.e., servers, workstations, etc.), and
• Locate Access Control Lists (ACLs) on the network diagram (match them up with devices).

Network diagrams can be used to see an overall picture of the network and can identify vulnerabilities quickly. The gathered information should be controlled according to the Document Control Plan.

5.8.2 SCADA System Characterization

Detailed questionnaires (see Appendix F) help both the training of personnel in the process as well as completing the various pairwise decision matrices. The questionnaires are not restrictive in scope, but do ensure a minimum threshold of knowledge about the security of a particular SCADA system before completing the relative ranking process. CobiT®, the generic depiction of a secure water SCADA system, and previous assessment experience all influence the type and level of questions developed for the assessment process.

5.8.3 Relative Ranking Process

The first step in the relative ranking process requires identification of the system assets, which are delineated into two general classes, technology and operations/procedures. Each class of assets is ranked independently; hence, the final ranking consists of two lists. The generic depiction of a secure water SCADA system (Sandia is developing this model) helps in the asset determination process. Table 5.5 depicts examples of typical assets.
Table 5.5. Examples of Water SCADA System Assets

Physical/Hardware Assets:
Cables (fiber optic, copper)
Ethernet Switches
ATM Switches, Frame Relay, etc.
Routers
SCADA Servers
Remote Network Connections
Connections to other Organizations
Internet Connections
Intrusion Detection Systems (IDS)
Data Protection Methods (encryption) #
Data Separation (PVCs, VPNs, VLANs)
Firewalls #
Access Control Lists (ACLs) #
RTUs, PLCs, IEDs
Physical Protections of SCADA equipment *
SCADA Network Architecture
SCADA Terminals
Wireless links (microwave, satellite, etc.)
FEPs, IOCs
Mux/Demux
Modems
SCADA Software

Operational/Procedural Assets:
Security Policy *
Configuration Management *
Security Training *
Security Plan *
SCADA Network Management
Backup Configurations *
Remote SCADA operations
Skilled Personnel *
SCADA Account Restrictions *
Control Data *
Support Data *

Note: "*" indicates a critical security asset. "#" indicates a critical security asset if the SCADA network is not completely isolated.

Two classes of assets create two relative ranking lists, which support a more intuitive final result than simply including all assets in one list, and help in training new users of the approach. For example, understanding the relationship between security training and programmable logic controllers (PLCs) requires a level of abstraction, while the relationship between security training and security policy appears more direct. Upon determination of the SCADA system assets, the relative ranking process proceeds as depicted in Figure 5.9. SCADA system assets provide the continuity within the ranking process and are viewed within the context of the SCADA system rather than as individual entities. For example, the vulnerability of a SCADA server depends on its function and location within the SCADA architecture, as opposed to viewing the server as a stand-alone device.
Figure 5.9. SCADA System Asset Relative Ranking Process (diagram; legible elements: Degree of Vulnerability Matrix, Relative Ranking Matrix (High, Med, and Low))

In the relative ranking process, pairwise decision matrices capture different viewpoints on the various assets of the system, with all matrices utilizing identical assets (with the exception of the consequences of concern weighting matrix). Descriptions of the matrices in Figure 5.9 reside in Table 5.6.

Table 5.6. Description of Relative Ranking Matrices

1. Benefit to Threat
• Assets pairwise compared on their ability to support adversary objectives
• Considers sophistication level of the adversary

2. Degree of Vulnerability
• Completed for individual sites by RAM-W trained personnel and SCADA system administrators
• Assets evaluated against secure SCADA baseline
• Assets pairwise compared on their relative degree of security vulnerability

3. Consequences of Concern - individual
• A single, undesired consequence represented by a single matrix, e.g., loss of ability to provide potable water
• Assets are pairwise compared on ability to bring about the consequence

4. Consequences of Concern - weighting
• Pairwise ranking of individual undesired consequences
• Establishes relative importance between undesired consequences
• Typically considers 4-7 undesired consequences

5. Likelihood of Occurrence
• Combination of Benefit to Threat and Degree of Vulnerability matrices
• Output provides relative ranking on the potential compromise of assets

6. Consequences combined
• Weighted average of individual Consequences of Concern matrices
• Output provides relative ranking of assets by consequences

7. Relative Ranking
• Indicates which assets warrant the greatest security improvement

Initial pairwise ranking of the assets occurs with respect to two categories: degree of vulnerability and benefit to threat. The pairwise ranking between assets utilizes the numerical values shown in Table 5.7.

Table 5.7. Numerical Ranking Values

Row Asset versus Column Asset | Numerical Value
greater than | 5
equal (or non-distinguishable) | 3
less than (or non-existent) | 1

The benefit to threat category is developed by an understanding of water utility SCADA systems, combined with an understanding of which elements of the SCADA system are most beneficial to a threat or adversary's objectives. The following questions are considered when filling out the benefit to threat matrix:
1. What are the malicious activities that can compromise the SCADA system?
2. Which assets are used to support these malicious activities?

Then the pairwise decisions are made as to which assets are generally most beneficial to the threat. Note: this can be done for each individual attack scenario and then averaged for the final result, or estimated by the expert without the formal decomposition of each individual attack scenario.

The degree of vulnerability matrix is developed from data gathered about a particular SCADA system, with analysis of the data guided by the general notion of a secure SCADA approach (Sandia National Laboratories is in the process of creating a generic secure SCADA Model), relative CobiT® control objectives, and general information security best practices. Results from the detailed questionnaires guide pairwise decisions in regards to differentiating vulnerability levels between assets. The sophistication level of the threat should be considered in the decision process, but detailed knowledge of specific attacks is not necessary.
Detailed attack information is captured in the benefit to threat matrix.

Examples of these two rankings follow below (Tables 5.8 and 5.9). To interpret the table, select an asset from the left most column, follow the row until it intersects the column of the asset for comparison, and determine the relation between the two assets. For example (see shaded area), in Table 5.8:
1. Select the "Physical Cabling" row;
2. Follow the row across until intersecting the "Internet Connections" column;
3. Read the value of 1;
4. Interpret the relationship as "Internet Connections are more beneficial to a threat (adversary) than Physical Cabling."

The SCADA assets in these matrices represent a subset of the physical assets depicted in the example water utility described in Appendix A. Results from the onsite SCADA interview (Section A.7) and the SCADA network diagrams provide the information used in completing the pairwise decisions. For example, operating system (OS) security patches are not maintained on the SCADA platforms, and the modems are enabled on those servers. The RTUs are only reachable by a console port or through the SCADA network and do not utilize a standard OS such as Windows NT, Unix, etc. This information dictates the decision that the SCADA servers are more vulnerable than the RTUs. (See Table 5.9, row 1, column 3.) Note: the matrices used in this explanation do not include all the physical assets of the example water utility system. In addition, a parallel analysis would be necessary for the operational assets.

Table 5.8. Example of Benefit to Threat (Adversary) Matrix
[matrix values not legible in the scan]

Values that survive from the matrices on this page (column headings not legible in the scan):
SCADA Server(s) 0.23 0.21 0.05
RTUs 0.12 0.12 0.01
Firewalls 0.1 0.12 0.01
Physical Cabling 0.14 0.21 0.03
Physical Protections 0.12 0.12 0.01
Internet Connections 0.26 0.21 0.05

5.8.4 Pairwise Ranking of Assets in Relation to Consequences

The Consequences category of the analysis is initially decomposed for the ranking process into specific consequences of concern. As in the previous rankings, pairwise decisions are made on the assets of the SCADA system with regard to a particular element or criteria of the decomposition. The decomposition follows directly from the initial Consequence Assessment from Section 5.6. A typical decomposition is as follows.

Consequences:
1. Interrupt or impair water flow in the system
2. Contaminate water
3. WMD-type event

After an initial ranking, the individual results are recombined subject to the relative weights of the consequences. An example of pairwise weighting values is shown in Table 5.11, with all consequences receiving equal weighting. The example water utility considers the three typical consequences listed above and utilizes equal weighting between these three consequences.

Table 5.11. Consequence Weighting Matrix

Criteria: Interrupt or impair water flow in the system; Contaminate water; Weapons of mass destruction-type (WMD) event
Each criterion is compared with each of the other two and receives a value of 3 (equal); each row totals 6 and normalizes to a weight of 0.33.

Assets are ranked in terms of their ability to affect each of these consequences of concern. The pairwise decisions are made on the significance of the role a particular asset plays in bringing about the consequence.
For example, in order for the SCADA system to cause the "Interrupt or impair water flow in the system" consequence, the SCADA server must be compromised. Table 5.12 follows from the example water utility in Appendix A and depicts the pairwise decisions for the "Interrupt or impair water flow in the system" consequence.

Table 5.12. Example of Interrupt or Impair Water Flow in the System
[matrix values not legible in the scan]

To reach the final relative ranking, the consequences of concern are recombined to form the Consequences relative ranking. Table 5.13 below illustrates the combination of the four consequences used in this example. The values are normalized for the calculation process.

Table 5.13. Example of Combined Consequences Matrix
[matrix values not legible in the scan]

5.8.5 Generate Relative Risk Rankings

The individual consequences are combined into one matrix called Consequences by a weighted average calculation indicated in the previous step. The output of that calculation represents the aggregate rankings of assets within each consequence criteria. (See Consequences Weighted Total column in Table 5.13 above.) The final step requires multiplication of the Relative Likelihood of Occurrence and the Consequences results. Table 5.14 below shows the results from the example used in this document. Again, the values are normalized for the calculation.

Table 5.14. Example of Relative Risk Calculation

Assets | Relative Likelihood of Occurrence | Consequences | Relative Risk | Normalized Relative Risk
SCADA Server(s) | 0.263 | 0.049 | 0.013 | 0.405
RTUs | 0.226 | 0.015 | 0.003 | 0.105
Firewalls | 0.093 | 0.015 | 0.001 | 0.043
Physical Cabling | 0.137 | 0.030 | 0.004 | 0.131
Physical Protections | 0.130 | 0.015 | 0.002 | 0.060
Internet Connections | 0.152 | 0.054 | 0.008 | 0.256
Total | | | 0.032 | 1.00

An example of relative risks for critical physical assets is shown in Table 5.15. The final ranking of assets occurs by listing the assets in descending order according to their computed relative risk value. A final ranking based on the computed risk values identifies where resources should be applied to improve the security of the system with assets in the High category warranting the most attention. In Table 5.15 below, the SCADA servers belong to the High category, followed by the Internet Connections in the Medium category. The remaining assets fall into the Low category. This final relative ranking list indicates where the example water utility should focus SCADA security improvement efforts.

Table 5.15. Example of Relative Ranking for Physical Assets

Final Relative Ranking | Relative Security Vulnerability
SCADA Server(s) | High
Internet Connections | Medium
Physical Cabling | Low
RTUs | Low
Physical Protections | Low
Firewalls | Low

This process requires identification of SCADA system assets, and the ranking of those assets over a variety of criteria, and within the context of the system. Accurate and meaningful questions to assist or guide the ranking of the assets are a key aspect necessary to make this process effective in a self-assessment effort, particularly in the areas not involving security experts. A final, prioritized list of SCADA system assets indicates an order for applying resources to improve SCADA security.
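The ranking arithmetic of Sections 5.8.3 through 5.8.5 (Table 5.7 values, the equal consequence weighting of Table 5.11, and the likelihood times consequences product of Table 5.14), as an added worked example in Python; this is not code from the report or from Sandia, and the High/Medium/Low thresholds it applies are an assumption, since the report states none. The sample input is the likelihood and consequence columns of Table 5.14, so the output can be compared with Tables 5.14 and 5.15.

```python
"""Relative ranking of SCADA assets after RAM-W Section 5.8 (Tables 5.7, 5.11
and 5.14). Added worked example, not code from the report or from Sandia; the
High/Medium/Low thresholds in categorize() are an assumption (the report
states none)."""
from typing import Callable, Dict, List, Tuple

GREATER, EQUAL, LESS = 5, 3, 1      # Table 5.7: row asset versus column asset
Judge = Callable[[str, str], int]   # judge(row_asset, column_asset) -> 5, 3 or 1


def check_reciprocal(assets: List[str], judge: Judge) -> List[str]:
    """Return pairs whose two judgements contradict each other (row judged
    greater than column, but column not judged less than row). Matrices filled
    in by several people often contain such pairs; flag them before ranking."""
    mirror = {GREATER: LESS, EQUAL: EQUAL, LESS: GREATER}
    return [f"{a} vs {b}" for i, a in enumerate(assets) for b in assets[i + 1:]
            if judge(b, a) != mirror[judge(a, b)]]


def normalize(scores: Dict[str, float]) -> Dict[str, float]:
    """Scale a column so that it sums to 1, as the report does before combining."""
    total = sum(scores.values())
    return {asset: value / total for asset, value in scores.items()}


def pairwise_rank(assets: List[str], judge: Judge) -> Dict[str, float]:
    """One matrix of Figure 5.9: each asset's row total (self-comparison
    excluded) as a share of the grand total."""
    raw = {a: float(sum(judge(a, b) for b in assets if b != a)) for a in assets}
    return normalize(raw)


def likelihood_of_occurrence(benefit: Dict[str, float],
                             vulnerability: Dict[str, float]) -> Dict[str, float]:
    """Matrix 5: Benefit to Threat combined with Degree of Vulnerability."""
    return normalize({a: benefit[a] * vulnerability[a] for a in benefit})


def combined_consequences(per_consequence: Dict[str, Dict[str, float]],
                          weights: Dict[str, float]) -> Dict[str, float]:
    """Matrix 6: weighted average of the individual Consequences of Concern
    matrices, using the weights from the consequence weighting matrix."""
    assets = next(iter(per_consequence.values())).keys()
    return {a: sum(weights[c] * matrix[a] for c, matrix in per_consequence.items())
            for a in assets}


def relative_risk(likelihood: Dict[str, float],
                  consequences: Dict[str, float]) -> Dict[str, float]:
    """Matrix 7 (Table 5.14): normalized product of likelihood and consequences."""
    return normalize({a: likelihood[a] * consequences[a] for a in likelihood})


def categorize(risk: Dict[str, float]) -> Dict[str, str]:
    """Assumed rule, not the report's: more than twice an equal share of the
    total risk is High, more than an equal share is Medium, otherwise Low."""
    share = 1.0 / len(risk)
    return {a: "High" if r > 2 * share else "Medium" if r > share else "Low"
            for a, r in risk.items()}


def equal_weights(consequence_names: List[str]) -> Dict[str, float]:
    """Table 5.11: every consequence judged EQUAL to every other one."""
    return pairwise_rank(consequence_names, lambda row, col: EQUAL)


# Constructed input: the likelihood and consequence columns of the report's
# Table 5.14, so the output can be checked against Tables 5.14 and 5.15.
ASSETS = ["SCADA Server(s)", "RTUs", "Firewalls", "Physical Cabling",
          "Physical Protections", "Internet Connections"]
LIKELIHOOD = dict(zip(ASSETS, [0.263, 0.226, 0.093, 0.137, 0.130, 0.152]))
CONSEQUENCES = dict(zip(ASSETS, [0.049, 0.015, 0.015, 0.030, 0.015, 0.054]))


def example_ranking() -> List[Tuple[str, float, str]]:
    """Final ranking list: assets in descending order of normalized risk."""
    risk = relative_risk(LIKELIHOOD, CONSEQUENCES)
    category = categorize(risk)
    return [(a, round(r, 3), category[a])
            for a, r in sorted(risk.items(), key=lambda kv: kv[1], reverse=True)]


if __name__ == "__main__":
    for asset, value, label in example_ranking():
        print(f"{asset:22s} {value:.3f}  {label}")
```

Running the block reproduces the order of Table 5.15; the normalized values differ from Table 5.14 only in the third decimal place because the report's inputs are themselves rounded.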
As in the initial assessment activities, the depiction of a generic secure water SCADA system helps identify possible mitigation approaches and ensures that the proposed mitigation approaches function within the system as a whole. The inclusion of CobiT® supports the integration of any mitigation strategies with the overall business objectives of the particular water utility.

5.9 ONSITE CHEMICAL CHARACTERIZATION

5.9.1 Contamination of Water with Onsite Chemicals

An example analysis of the onsite chemicals is included here to determine the potential consequences of malevolent events using already available chemicals. Various scenarios are presented and discussed on how an adversary might impact the water utility through:
• Affecting chemical feed rates
• Intentional misuse of the chemicals
• Combining chemicals

Treatment chemicals, in high enough doses, can constitute a threat for employees and the neighboring community. This analysis is an attempt to categorize and identify the level of risk from onsite chemicals. This is not an analysis involving the introduction of an outside agent into the water system; it only addresses using the chemicals available on site. This section will not discuss access and will assume that either an insider or an outsider with sufficient knowledge can access the raw/finished water and contaminate the stream. An average flow through the various parts of the system will be needed to perform the calculations. For Treatment Plant 2, the rates are 90 mgd. The chemicals used are contained in storage tanks, or individual containers, which are then fed via metering systems (or injected directly) into the water flow. Dispersing the entire contents of all storage tanks into the system rapidly (beyond the speeds of the metering pumps) would require plumbing of bypass lines into the water flow.
In most cases, this would not be practical due to the distance of the storage tanks from the water injection system, the requirement to do a hot tap on a line full of pressurized hazardous chemicals, the need to provide long pieces of large O.D. pipe, and the time required to complete this task when there are simpler ways to disrupt the system.

The following analysis will assume that an adversary could dispense onsite chemicals at the maximum possible flow rate into the water system for an entire day, undetected. The focus of this investigation is with short-term threats, not with long-term 10-20 year threats (cancer). Table 5.16 defines several terms used in the analysis.

Table 5.16. Toxicology
LD50: Lowest dose to cause 50% mortality in test subjects.
LDLo: Lowest known dose to cause mortality (human).
TDLo: Lowest known dose to cause exhibited symptoms (human).
(pulm): Inhalation dosing.
(i.p.): Intraperitoneal injection dosing.
(i.m.): Intramuscular injection dosing.
(i.v.): Intravenous injection dosing.
(oral): Oral dosing.

LD50 is the concentration of a chemical dose (expressed on a weight basis of contaminant to body mass, mg/kg of body weight) that killed 50% of the test subjects. All LD50 values are oral unless otherwise noted. Some, but not all, are actual human values. In cases where multiple species exhibited different susceptibilities to the chemical, the lowest LD50 is reported to be conservative. LDLo is the lowest known lethal dose for humans and TDLo is the lowest dose of a substance introduced by any route other than inhalation over any given period of time and reported to produce any toxic effect in humans. Looking at the graph in Figure 5.10 and the straight line drawn onto the graph, it is obvious that the LD50 does not offer a linear method to determine the point at which there will be zero fatalities. Nor can an adversary be assured of killing all individuals by simply doubling the dose.
Minor amounts of most substances, no matter how toxic, can be tolerated without fatality.

Figure 5.10. Dose vs. Toxic Chemical. % of Subjects Exhibiting Response vs. Dosage (graph; vertical axis 0%, 50%, 100% of subjects exhibiting response, horizontal axis Dosage of Chemical; curves labeled Linear Dose and Increasing Dose)

Some assumptions need to be made to create an anticipated dosage that an adversary would like to achieve to harm the users of the system. An average "person" will be 100 kg and an average child will be 10 kg to make the numbers easier to calculate. Typical adults would actually be closer to 70 kg (as defined by the EPA), but the accuracy of the dosage will not be precise enough to matter significantly, particularly when the stated amounts are LD50 and the intention is to deny the potential for more than a few deaths. The amounts of material in the water will be expressed as parts per million (ppm), which is 1 mg of contaminant per kg of solution. If the level of contamination is 10 ppm, then 1 liter (approximately 1 kg) consumed would represent 10 mg of material ingested. Toxicity is mg ingested per kg of body weight. A 100-kg man would suffer adverse health effects at 10 mg/100 kg or 0.1 mg/kg. A child, however, would be 10 mg/10 kg or 1 mg/kg. If the calculated lethal dose is 0.5 mg/kg, the adult would be below the lethal dose, but the child would be above the lethal dose (i.e., lethal to the child but not the adult).

Table 5.17 lists chemicals stored on site for Treatment Plant 2, assuming that the maximum storage limits have been reached. The chemical is listed as well as the stated weight percent (wt %) as delivered to the water utility.
The active amount is defined as the amount of chemical of interest in the solutions and is obtained by multiplying the wt% with the amounts of chemical being stored or using the density if the reported amounts are not in mass units. The daily max feed is based on pumping rates for that chemical (see Table 5.18). Pumping limited is an indication whether the pumps can empty the complete inventory over a 24 hr period. This is determined by pumping rates as well as delivery methods for the chemical. If the installed pumps can deplete the inventory, then the entire active chemical inventory is considered in the dosage calculation. The day-long levels are then determined from the amount of active chemical that can be released over 24 hours assuming a constant water flow and chemical injection rate for the facility.

Table 5.17. Chemicals Stored Onsite at Treatment Plant 2

Chemical | Maximum Storage | Solution (wt %) | Density | Active amount (kg) | Daily max feed (kg/day) | Pumping Limited | Day-long levels (ppm)
Ammonia (water solution) | 16,000 gal | 20 wt% | 0.9 kg/l | 10,944 kg | 2736 | Yes | 8
Chlorine | 20,000 lb | 100 | NA | 9091 kg | 4090 | Yes | 12
Potassium permanganate | 5 bins (9,900 lb) | 100 | NA | 7500 kg | 3300 | Yes | 9.6

Note: these numbers are for distribution from the bulk and do not represent the active amounts of chemicals.

Table 5.18. Maximum Feed Rates for Chemicals into Water

Chemical | Number of pumps/feeders | Total max feed all pumps | Limitations
Chlorine | 2 | 10,000 lb/day | Vacuum limited to 9,000 lb/day
Ammonia | 2 | 4000 gal/day | May not be able to run both pumps at full max
Potassium Permanganate | 1 | 3300 lb/day | Container would need to be changed to empty more than one bin

5.9.2 Specific Chemicals (liquids/solids)

All the toxic limits and values listed below (and in the following sections) were obtained from The Merck Index, 12th edition, or Section 11 (toxicological information) from the Material Safety Data Sheet for the chemical.

Typically, ammonium hydroxide solution is used to react with chlorine to form chloramines, a residual disinfectant to protect the water in the distribution system. It is injected directly into the water at the very end of the process treatment stream.

16,000 gal ammonia solution × (3.8 l/gal)(0.9 kg/l)(0.2 wt ratio) = 10,944 kg of NH3 available

The pumps can only dispense 4,000 gallons in a 24 hr period so only 1/4 of the above active amount needs to be considered (2,736 kg NH3). This amount is distributed in 90 mgd of water.

(2.736 × 10^3 kg NH3)(10^6 mg/kg) / [(9 × 10^7 gallons)(3.8 l/gallon)] = 8 mg/l = 8 ppm

Therefore, a total level of 8 ppm would be present if the pumps are operated at the maximum injection rate for an entire day. The LDLo for ammonia (as ammonium hydroxide solution) is 43 mg/kg. The TDLo is 0.09 mg/kg. Assuming a 1-liter dosage, a 10-kg child would ingest only 0.8 mg/kg, which is about ten times above the lower limits of toxic response (most likely exhibited as nausea) and well below the lowest known lethal limit. It is unknown whether 8 ppm in water would be detectable by smell. Human detection limits are around 53 ppm in air (for ammonia gas, NH3). Since the dosage is more than 50 times less than the LDLo, it is not considered a significant threat for ingestion that would produce fatalities.

Potassium permanganate is used as an algaecide in the fall/summer to decompose some of the humic load from organic material in the incoming water (strong oxidizer) at the intake for Treatment Plant #2.
It also is employed to address taste/smell concerns and to oxidize Fe +2 to Fe+3 so that it is easier to remove with standard flocculation aids. A screw auger system is used to dispense the material and is limited to one container at a time. Using the Treatment Plant 2 water flow rates, a 9.6 ppm level can be achieved during a 24-hour period and possibly higher if the dispenser can be emptied faster. The IDLo for KMn04 is 1.4 mglkg , 100 ppm for the LDI,o. A child drinking 1 liter of water would be dosed at 0.96 mglkg. This is below the threshold level and substantially below the lowest known lethal level. This chemical has to be reduced as a perceived vulnerability because it is being used in the direct treatment of incoming water rather than as a post treatment step. Therefore, the general treatment steps may mitigate this as a threat. A more likely potential threat is the use of this as the oxidizer in either a fire attack or as a component of an explosive mixture if mixed with an appropriate fuel. Initial dispersion of MnOz SENSITIVE SECURITY INFORMATION: CONFIDENTIAL AND PROPRIETARY 89 into the water creates a deep purple color; at higher concentration levels, the water turns black. This should also deter customers from drinking the water. 5.9.3 Specific Chemicals (gases) Method of introduction makes dispersion of gaseous materials, outside the normal injection system, very difficult to achieve. The assumption will be that it can be performed efficiently at maximum feed with the system injectors. The analysis will then estimate the consequences. Chlorine gas is the primary disinfectant and maintains residual disinfection within the water distribution system. It is injected via a vacuum supply system controlled by water flow. The chlorine gas in this system is delivered as a gas over a liquid in 2000 lb of (primarily liquid) elemental chlorine. These tanks are pressurized to about 80 psi at room temperature and are not cooled. 
Each tank contains two valves, one for dispensing liquid and another for dispensing gas. There is also a fusible lead plug designed to melt/blow out if the pressure/temperature of the tank becomes too high for the container to handle. This limits the amount of shrapnel produced during a pressure event but does not prevent the gas from escaping. Calculations (and information from the manufacturer of the container) have indicated that Joule-Thomson cooling would work to seal small leaks in the tanks in the event of an accident. The company that manufactures the containers provides repair kits so that small leaks in the tanks can be sealed by trained personnel using appropriate safety equipment.

If the gas injector system is used at the maximum feed rate, the concentration throughout the day can be maintained at 8 ppm (ignoring the incoming/system biological and organic oxidation load). The solubility limit for Cl2 in water at 25°C is 4.39 g/l or 4,390 ppm; the limit for the secondary product (HOCl) is 1.58 g/l or 1,580 ppm. Therefore, solubility is not limiting for this scenario. Chlorine is detectable at 0.08 ppmv in air and causes mucous membrane irritation at 0.2 ppm. The OSHA inhalation limit is 1 ppmv (pulm), and 25-50 ppmv (pulm) is considered a dangerous level. Chlorine appears to be much less toxic when ingested than when inhaled; the oral rat TDLo is 42 g/kg continuous over 2 weeks. Since most people can detect around 0.5 ppm of chlorine in water (by smell), it is not likely that this feed rate would be maintained for more than a few hours. Once water has a "bleach" smell to it, it is also less likely to be ingested. Over-chlorination of the water is not a likely threat in terms of injuring the customers.
5.9.4 Potential Reactions

Since many of the chemicals are hazardous in sufficient concentration on site, they will not be discussed individually. However, there may be some potential for reacting two or more components to form an unrecognized toxic hazard or a strong exothermic event. Since many of the chemicals are contained and delivered in water slurries, the exothermic potential for the reaction is not as likely. Most mixing scenarios would require a contained common area that would need to be plumbed from each tank. This is not a significant threat unless one tank could be directly fed into another tank, but then the concern is more about a tank rupture and subsequent chemical release event than a chemical contamination of the water event.

5.9.5 Incorrect Tank Fill

This threat is related to the situation where an outsider is looking to destroy one of the onsite tanks through deliberate introduction of a chemical agent that would have a catastrophic interaction with the tank contents. This would be disruptive, but not likely to interrupt the ability of the plant to treat water. Another possible threat is the introduction of a (pressurized) reducing agent or fuel to the chlorine manifold system. This could cause a rupture that would endanger plant personnel and cause a chlorine release, and it may be powerful enough to deny access to the plant and inhibit purification of the water. Destruction of a single tank by itself would not likely stop the plant from operating unless it also damaged some of the non-redundant systems or an entire manifold of tanks.

5.9.6 Conclusions for Treatment Plant Chemicals

Unless temporary piping/pumping arrangements were installed by an adversary, the onsite chemicals at Treatment Plant 2 would not pose an immediate contamination health risk to consumers. Rupture of multiple chlorine gas cylinders that would overwhelm the chlorine storage area scrubber system is a concern for the surrounding community.
Any catastrophic rupture of chemical storage tanks without sufficient safeguards (containment berms or dams) is a potential method for quick introduction of a "slug" of contaminants (to the air or the water). Whereas this is undesirable for many reasons, it is not likely to occur unnoticed. Quick detection, through either employees witnessing the event or spikes in detection equipment, should give the water utility sufficient time to warn its customers.

6 PHYSICAL PROTECTION SYSTEM DESCRIPTION

[Waterfall Flow Diagram - Process Locator: Planning (Purpose, Objective); Prioritize Facilities; Design Basis Threat; Likelihood of Attack (PA); Prioritized Critical Assets (C); Protection and Operating Systems (PE)]

In the next chapter (Chapter 7, System Effectiveness), the assessment team will need to estimate how effectively the physical security elements will perform with respect to the DBT. To assist in the analysis, this chapter provides information on how an effective Physical Protection System (PPS) is designed, installed, and operated. An effective PPS will:

• Provide protection in depth,
• Provide balanced protection, and
• Minimize the consequence of component failure.

Expert opinion is a good starting point for evaluating security systems, but only performance testing can ensure that the system will work as designed. The PPS objective should be to prevent the accomplishment of a malevolent action. However, because of the significant delays inherent in some water utility operations, the objective may be to detect malevolent action with a high degree of probability and then follow an emergency response plan.
Preventing malevolent actions can be accomplished by either deterrence or a combination of detection, delay, and response. For a system to be effective, there must be notification and assessment of an attack (detection), the adversary's progress must be slowed (delay), and the response force time must be short enough to interrupt or stop the adversary (response). The primary functions of a PPS (detection, delay, and response) and some of their components are shown in Figure 6.1. The key to a successful PPS is the integration of people, procedures, and equipment into a system that protects assets from malevolent adversaries.

[Figure 6.1 (functions and components): Detection; Delay (barriers); Response (interruption, communication to response force, deployment of response force, stop/prevent)]

Figure 6.1. Functions of a Physical Protection System

6.1 DESIGN AND EVALUATION PROCESS OUTLINE

A graphical representation of the Design and Evaluation Process Outline (DEPO) for a PPS is shown in Figure 6.2. The process starts by determining the PPS objectives. The next step is to design a PPS to meet those objectives. Finally, an evaluation is undertaken to determine how well the system performs. The remainder of this chapter will focus on the primary PPS functions of detection, delay, and response. The system functions will be considered in detail, since a thorough understanding of these functions and the measure of effectiveness of each is required to evaluate the system.
[Figure 6.2. Design and Evaluation Process Outline: Determine PPS Objectives (Facility Characterization, Threat Definition, Target Identification) -> Design/Characterize PPS -> Detection (Exterior Sensors, Interior Sensors, Alarm Assessment, Alarm Communication & Display, Entry Control), Delay (Access Delay), Response (Response Force, Communications)]

Figure 6.5. Response Function

The first effectiveness measure for the response function is the probability of accurate communication to the response force. If the alarm is considered just another nuisance alarm, then the communication will not take place. The person monitoring and assessing the alarms must be trained to react quickly and treat every alarm as valid. The procedure for communicating the alarm has to be written down and practiced. The security guard should have ready access to the response force on an open communication system. Dialing numbers or running down a list of parties to contact will cost valuable time in the event of an actual emergency, especially considering the stress of the situation.

The PPS must give accurate information to the security guard monitoring the system and allow deployment of the response force to the correct location. The time to deploy is likely the variable requiring the greatest amount of time in the response function. Water utilities must develop good working relationships with local law enforcement to reduce this time as much as possible. Conducting exercises with local law enforcement to make sure it understands the location of critical assets and how to quickly protect them is crucial.

The effectiveness of the response force will be linked to the effectiveness of the assessment subsystem during the detection function. The response force will require resources and procedures dependent on the type and number of adversaries that attack.
If the response force does not have accurate information or authority, its ability to defeat the adversary will likely be low at best.

6.2 MITIGATION

System effectiveness against the DBT is comprised of a physical security component (guards, fences, sensors, locks, and security policy and procedures) and an operational design component (engineered robustness, spare parts and equipment, operational alternatives, and engineering and operational policy and procedures). These two components are considered together in the analyses to estimate the overall system effectiveness term, PE. In the case where the undesired event cannot be prevented by the security system (i.e., system effectiveness is judged to be low), risk can be reduced by mitigation features that reduce consequences (C). Mitigation features could include:

• Redundancy - have other ways of accomplishing a task if a critical asset is destroyed.
• Backup systems - have alternate systems to bring on line if an asset is destroyed.
• Spares - be able to repair a destroyed asset rapidly.
• Emergency Response Plans - have a pre-thought-out and pre-planned set of actions to put into place immediately if an attack occurs.
• Administrative or Operational Changes - there may be administrative or operational procedures/policies that can help to reduce the importance of critical assets.
• Personnel and training - if personnel are trained in the emergency response plans and trained in recovering from an attack, then the consequence may be lower than originally assumed.
• Computer security policy - have emergency response plans in place for the SCADA operators to follow if the SCADA system becomes unavailable.

How well the security system prevents the adversary from achieving his/her goal is reflected in the term PE.
In cases where the security system cannot prevent the adversary from achieving the goal, but mitigation can occur after the fact, risk reduction should be reflected in the consequence term, C.

6.3 DETERRENTS

The role of deterrence in security has proven to be difficult to measure. The most effective deterrence is provided by an effective PPS.

Theft, sabotage, and other malevolent acts at a facility may be prevented in two ways - by deterring the adversary or by defeating the adversary. Deterrence occurs by implementing measures that are perceived by potential adversaries as too difficult to defeat; it makes the facility an unattractive target, so the adversary abandons or never attempts an attack. Examples of deterrents are the presence of security guards in the parking lots, adequate lighting at night, posting of signs, and the use of barriers, such as bars on windows. These are features that are often implemented with no additional layers of protection in the event of an attack. Deterrence can be very helpful in discouraging attacks by adversaries; however, it is less useful against an adversary who chooses to attack anyway. It would be a mistake to assume that because an adversary has not challenged a system, the effectiveness of the system has been proven. The deterrence function of a PPS is difficult to measure, and reliance on successful deterrence can be risky; thus it is considered a secondary function. (Garcia, 2001)

As more research is done on the measurable and long-term value of deterrents, this data may be incorporated into protection system design. To date, however, there is no statistically valid information to support the effectiveness of deterrents. There are, however, studies that indicate that deterrence is not as effective after implementation as is hoped (Garcia, 2001).
6.4 RELATIONSHIP OF PPS FUNCTIONS

Figure 6.6 shows the relationships between adversary task time and the time required for the PPS to do its job. The total time required for the adversary to accomplish his/her goal has been labeled Adversary Task Time; it is dependent upon the delay provided by the PPS. The adversary may begin the task at some time before the first alarm occurs (T0). The adversary task time is shown before T0 because delay is not effective before detection. After the alarm, the information must be reported and assessed to determine if the alarm is valid. The time at which the alarm is assessed to be valid is TA, and at this time, the location of the alarm must be communicated to the members of the response force. Further time is then required for the response force to respond in adequate numbers and with adequate equipment to interrupt the adversarial actions. The time at which the response force interrupts the adversary is TI, and the adversary task completion time is TC. For the PPS to accomplish its objective, TI must occur before TC. From this diagram, it is obvious that a PPS performs better if detection is as far from the critical asset as possible and delay elements are near the critical asset.

[Figure 6.6 timeline: Begin Action ... T0 (First Alarm) ... TA ... TI ... TC (Task Complete); Time]

Figure 6.6. Interrelationship of PPS Functions

6.4.1 Interrelationship of PPS Functions - Example Water Utility

For the example water utility, a scenario likely to achieve the adversary's goal of reducing the ability to treat the water supply might be as follows: during non-operational hours (nighttime), after staging their equipment/weapons outside the property fence and observing no personnel in the area, the adversary cuts through the perimeter fence, runs across the property area to the building, and breaks into Treatment Plant 2 through a locked, sensored door (using hand tools).
Once inside the building, the adversary locates the pumps, preps the area, and plants 5 lb of high explosives on all the exposed pumps. The adversary sets the detonators, exits the building and property, and retreats to a safe haven before the explosives detonate. For this example, T0 occurs at the first alarm (when the adversary entered through the sensored door). Assume that there are cameras in the building for assessment purposes. TA occurs when the door alarm was activated and a SCADA operator was able to assess the alarm and determine that unauthorized personnel with weapons had accessed the building. At this point, the SCADA operator would communicate the alarm and assessment to local law enforcement. Assume that the local law enforcement was trained (and tested) to respond to this type of malevolent act and could respond to the scene with adequate numbers and adequate equipment/weapons. If the response force could arrive on the scene and interrupt the adversary's activities before the explosives detonate, this would be TI. TC would occur before TI if the response force could not arrive in time and the pumps had been destroyed.

6.5 CHARACTERISTICS OF AN EFFECTIVE PPS

Not only must all the hardware elements of the system be installed and operated properly, but they also must be maintained and tested. The procedures of the PPS must be compatible with the water utility's procedures and integrated into the PPS design. Effective training of personnel in policies, procedures, and operation of equipment is also important to system effectiveness. Security, safety, and operational objectives must be accomplished at all times.
A well-engineered PPS will exhibit the following characteristics:

• Protection-in-depth (i.e., an adversary should be required to avoid or defeat a number of protective devices in sequence)
• Minimum consequence of component failure (contingency plans need to be in place so the overall system continues to operate without interruption)
• Balanced protection (i.e., the minimum time required to penetrate each barrier is equal, and the minimum probability of detecting penetration of each barrier is equal)

Detection, delay, and response are all required functions of an effective PPS. These functions must be performed in this order and within a length of time that is less than the time required for the adversary to complete their task. In addition, a design process based on performance criteria, rather than feature criteria, will select elements and procedures according to the contribution they make to the overall system performance. In feature-based systems, the effectiveness measure is often the absence or presence of security features. In general, performance-based design criteria are better than feature-based criteria when measuring overall system effectiveness. Finally, performance testing is the only way to ensure that the system will work as designed.

7 SYSTEM EFFECTIVENESS

[Waterfall Flow Diagram - Process Location: Planning (Purpose, Objective); Prioritize Facilities; Design Basis Threat; Likelihood of Attack (PA); Prioritized Critical Assets (C); Protection and Operating Systems (PE); Risks Acceptable? No -> Proposed Upgrades; Yes -> End]

Analyzing how well the protection system (PPS and operating system) can defeat specific threats is part of the system effectiveness analysis. If the protection system effectiveness is judged to be low, specific vulnerabilities can be identified. The elements of system effectiveness analysis include:

• Describing the protection system.
• Determining the attack scenario most likely to achieve adversary goal(s).
• Estimating system effectiveness against the adversary for these attack scenarios.
• Identifying any protection system vulnerabilities.

7.1 CONCEPT OF SYSTEM EFFECTIVENESS

In RAM-WSM the term PE has been extended beyond the PPS to also consider contributions of non-physical security elements in determining system effectiveness (Figure 7.1). These non-physical security elements, referred to as operational elements, are elements that are intrinsic to the water utility itself or its operation. Even though they are not security elements, they are able to provide some level of detection, delay, or response towards preventing the adversary from achieving its goal.

[Figure 7.1: Overall System Effectiveness = PPS + Operational System]

Figure 7.1. System Effectiveness, PE

How well the protection system prevents the adversary from achieving its goal is reflected in the term PE. There are cases where the protection system cannot prevent the adversary from achieving its goal (i.e., ill effects are felt beyond the system), but mitigation can occur after the fact. The effects of such mitigation should be reflected in the consequence term, C, of the risk equation. Adjustments to consequence will be discussed in Chapter 8. The assessment team must be careful not to take credit for proposed upgrades to the protection system in both PE and C. The upgrades can be either for prevention or for mitigation, but not both.
7.1.1 Operating System Effectiveness for the Example Water Utility

In the example water utility, there are three pumps in operation at Treatment Plant 2, and a minimum of two is needed to meet the plant's daily demand. For the example, assume that an adversary destroys two of the pumps. To avoid being detected by the security alarms on the door, the adversary breaks through the window to get inside the building. The adversary destroys two pumps, and the interruption of water flow from Treatment Plant 2 is picked up by the SCADA system. This detection by the SCADA system and assessment of the situation takes 1 hour (Figure 7.2). Since there are no backups stored on site, it will take 24 hours to replace one of the pumps (the third one was not destroyed). The 24 hours can be thought of as the System Response time. Pump Station 1 has 30 mg (million gallons) of storage with a pumping capacity of 40 mgd (million gallons per day), and Pump Station 2 has 50 mg of storage with a pumping capacity of 80 mgd.

The System Delay time can therefore be thought of as the minimum of (50 mg / 80 mgd x 24 hr/day, 30 mg / 40 mgd x 24 hr/day) = minimum of (15 hr, 18 hr), which is 15 hr. Even in the best case of a detection and assessment time of zero, one can see that the System Response time will have exceeded the System Delay time. The protection system could not prevent the adversary from achieving his/her goal of disrupting service from Treatment Plant 2 (i.e., the effects of the adversary action could not be isolated within Treatment Plant 2 and will be felt outside the system).

[Figure 7.2 timeline (hours): 0 - Adversary Destroys 2 Pumps at Treatment Plant 2; 0 to 1 - SCADA Detection and Assessment; System Delay = 15 hrs (From Storage at Pump Station 2); System Response = 24 hrs (Repair Time for Pump); 25 - Adversary Goal Not Prevented]

Figure 7.2.
Operating System Effectiveness for the Example Water Utility

If, however, a backup pump were stored on site, cutting the replacement time in half (12 hr), there would be no disruption of service from Treatment Plant 2 (Figure 7.3). The pump could be replaced before the rest of the system was affected. The adversary is not considered to have achieved its goal, since the protection system was able to isolate the effects of the action within Treatment Plant 2 and they were not felt outside the system. Because of this, consideration of these protection elements should be included as part of System Effectiveness, PE, in the risk equation.

[Figure 7.3 timeline (hours): 0 - Adversary Destroys 2 Pumps at Treatment Plant 2; 0 to 1 - SCADA Detection and Assessment; System Response = 12 hrs (Repair Time for Pump if Spare Stored On-Site), complete at 13; System Delay = 15 hrs (From Storage at Pump Station 2); Adversary Goal Prevented]

Figure 7.3. Operating System Effectiveness for the Example Water Utility

Note that the timeline could be extended beyond prevention into mitigation. In the first example presented, where the adversary was not prevented from achieving the goal of disrupting service from Treatment Plant 2, if mitigation measures were then employed, such as delivering water via trucks to affected areas, credit for the mitigation measure would be considered in the consequence term, C, of the risk equation.

7.2 SYSTEM EFFECTIVENESS ANALYSIS PROCESS

The following are the steps involved in determining PE:

• Identify the most potentially successful Adversary Strategy.
• Create an Adversary Sequence Diagram (ASD) on which all possible paths into the critical asset(s) are identified. Using the ASD, postulate the most vulnerable path.
• With the adversary strategy and path known, an adversary attack scenario timeline can be determined. This is a worst-case scenario from the water utility's perspective.
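The Section 7.1.1 comparison, worked as an added example that is not the report's own code: it derives the System Delay from the pump-station storage and capacity figures given above and checks both repair times against it. The station, detection and repair values are the report's; the function names and the derived "tolerable response" figure are this example's.

```python
"""Operating-system effectiveness timeline for the Treatment Plant 2 case.

Added example (not from the report). Station figures, the 1-hour SCADA
detection/assessment time and the 24-hour / 12-hour repair times are the
report's; everything else here is this example's own construction.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PumpStation:
    name: str
    storage_mg: float     # stored water, million gallons (mg)
    capacity_mgd: float   # pumping capacity, million gallons per day (mgd)

    def hours_of_supply(self) -> float:
        """Hours the station can keep pumping from storage if inflow stops."""
        return self.storage_mg / self.capacity_mgd * 24.0


def system_delay_hours(stations) -> float:
    """System Delay: the first downstream station to run dry bounds it."""
    return min(s.hours_of_supply() for s in stations)


def max_tolerable_response_hr(stations, detect_assess_hr) -> float:
    """Longest System Response (repair time) that still prevents the goal.

    Useful as a design target when sizing on-site spares or repair contracts.
    """
    return system_delay_hours(stations) - detect_assess_hr


def evaluate_operating_system(detect_assess_hr, response_hr, delay_hr):
    """Build the timeline and decide whether the adversary goal was prevented.

    The goal is prevented when the asset is restored (detection + assessment
    + System Response) no later than the System Delay runs out.
    """
    restored_at = detect_assess_hr + response_hr
    return {
        "detect_assess_complete_hr": detect_assess_hr,
        "restored_hr": restored_at,
        "system_delay_hr": delay_hr,
        "goal_prevented": restored_at <= delay_hr,
        # Hours of lost supply before restoration. Non-zero means the shortfall
        # must be covered by mitigation (e.g. trucked water), which the report
        # credits in the consequence term C, not in P_E.
        "unserved_hours": max(0.0, restored_at - delay_hr),
    }


# The report's example utility.
STATIONS = (
    PumpStation("Pump Station 1", storage_mg=30, capacity_mgd=40),
    PumpStation("Pump Station 2", storage_mg=50, capacity_mgd=80),
)
SCADA_DETECT_ASSESS_HR = 1.0
REPAIR_NO_SPARE_HR = 24.0
REPAIR_WITH_SPARE_HR = 12.0


def baseline():
    """Figure 7.2: no spare on site."""
    return evaluate_operating_system(
        SCADA_DETECT_ASSESS_HR, REPAIR_NO_SPARE_HR, system_delay_hours(STATIONS))


def with_spare():
    """Figure 7.3: spare pump stored on site."""
    return evaluate_operating_system(
        SCADA_DETECT_ASSESS_HR, REPAIR_WITH_SPARE_HR, system_delay_hours(STATIONS))


if __name__ == "__main__":
    print("System Delay (hr):", system_delay_hours(STATIONS))
    print("Max tolerable repair (hr):",
          max_tolerable_response_hr(STATIONS, SCADA_DETECT_ASSESS_HR))
    print("No spare:  ", baseline())
    print("With spare:", with_spare())
```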
In the context of the adversary attack scenario timeline, the assessment team then estimates the system effectiveness (for detection, delay, and response) and determines the effectiveness of each function (high, medium, or low) against the DBT attacking along the worst-case path. Factors such as how reliable and timely the detection, delay, and response are with respect to the DBT capabilities should be considered (this should be done in the context of the Adversary Attack Scenario Timeline, which is described later). Ideally, performance testing, which adds credibility to these evaluations, is also part of this determination.

7.2.1 Adversary Strategy

Adversary strategies are identified for use in considering paths that the adversary could follow to access critical assets. Considering PPS weaknesses and facility states (e.g., shut down, middle of the night, holidays) and then considering the worst consequences that the adversary might cause by having access to the critical asset(s), the assessment team derives the most potentially successful strategy. The strategy is a simple statement of what the DBT is going to do to the asset(s) and roughly how it will be done (intention). It should not be path-specific, since the next step is to determine the worst path. A strategy statement for the example water utility would be as follows: The DBT (3 outsiders) will plant 5 lb of high explosives on two pumps and destroy them.

For example, assume that the undesired event is to interrupt or reduce the ability to treat the water supply.
Using the generic fault tree, some of the options for adversary strategy are:

• Adversely affect pretreatment
• Cause loss of pipelines/conduits
• Adversely affect treatment
• Cause loss of key personnel
• Cause loss of SCADA system
• Cause loss of pumps
• Cause loss of valves

Assume that the expert opinion of the assessment team is that the easiest way for the adversary to defeat treatment of the water supply is to cause the loss of pumps. Further analysis of this undesired event will be based on this identified adversary strategy of choice (i.e., defeating the treatment of the water supply by causing the loss of the pumps). If it is too difficult to decide which adversary strategy is the most potentially successful, then more strategies should be addressed for the undesired event. As many strategies as needed should be developed to provide confidence in the judgment. The item or area that is the target of the strategy becomes the critical asset to be protected to prevent the undesired event. The next element to be considered is the best way for the adversary to get to the critical asset; specifically, the analysis identifies the physical path to the area or critical asset to be protected.

7.2.2 Adversary Sequence Diagram (Path Analysis)

The physical paths that adversaries can follow to accomplish their objective, and the PPS and operational design features along the paths, are important in determining the adversary attack scenario most likely to succeed. All possible adversary paths should be considered. For the example used earlier, the pumps would be the critical assets, and the task would be to consider all adversary paths to the pumps (Figure 7.4).

[Figure 7.4 site plan: Offsite; Property Area; Treatment Plant 2; Pumps; Paths 1, 2, and 3. Legend: Window, Loading Dock, Guard House, Door, Pedestrian Gate, Vehicle Gate]

Figure 7.4. Adversary Path Development for Treatment Plant 2

There are many paths that an adversary could take to get to the asset. In this simple example for Treatment Plant 2, three paths are shown, but there are numerous possible paths:

• They could use many ways to get into the property area
  o Through, over, or under the gate
  o Through, over, or under the fence
• They could then use many ways to get into the building to sabotage the pumps
  o Through the door (pedestrian or loading dock)
  o Through the window
  o Through the wall (assuming that the walls and the roof are of the same construction)

There are many possible combinations of ways to get to the asset and damage it. An Adversary Sequence Diagram (ASD) is needed to visualize all the possible paths. The ASD will aid in postulating worst-case paths. Note that ASDs are used to determine physical paths (and not cyber paths, for example).

The first step in drawing an ASD is to identify the concentric areas (adjacent physical areas) through which the adversaries will have to pass as they go from off site to the critical asset (Figure 7.5). In between these areas are layers that bound each area and through which the adversary has to pass. In these layers are physical protection elements (detection elements or delay elements). An ASD includes protection layers indicating every way that the adversary may pass from one area to the next, and these must include all of the possible areas. An ASD for Treatment Plant 2 is shown in Figure 7.6.

[Figure 7.5: Offsite -> adjacent areas -> Pumps (Critical Asset)]

Figure 7.5. Adversary Sequence Diagram (ASD) for Treatment Plant 2

[Figure 7.6: Offsite -> (Veh Gate, Ped Gate, Fence, Air) -> Property Area -> (Window, Roof, Surface, Ped Door, Door Lock) -> Treatment Plant 2 -> (Task) -> Pumps (Critical Asset)]

Figure 7.6. ASD for Treatment Plant 2 with Path Elements

For Treatment Plant 2, there are four path elements allowing one to get from Offsite to the Property Area, and five path elements to get into the Building from the Property Area. The final single step occurs when the adversary is in the presence of the critical asset and takes the necessary time to complete the task. There may be detection and delay elements associated with the final task. From this diagram the assessment team decides on the worst-case path. In this case, it could be that the adversary will come over the fence (no detection) and through the window (no detection) into the room and destroy the pumps. That may be the fastest path with the least probability of detection for the DBT (a sophisticated, well-trained adversary will identify the most advantageous path).

This is a very simple diagram because the facility is relatively simple. An ASD is a way to represent all possible paths in one picture, and it helps the assessment team in postulating worst-case path(s). Also, for further insight, a computer code, EASI (Estimate of Adversary Sequence Interruption), can be used in evaluating PPS performance along a single path if sufficient data can be provided. EASI is a simple calculation tool that quantitatively illustrates the effect of changing physical protection parameters (delay, response, and communication values) along a specific path and is described in the reference Garcia, 2001.

It is easier to carry a single worst-case path through the analysis. However, if it is not clear which worst-case path to choose, then it would be prudent to examine more than one path in the analysis and estimate the effectiveness for each one.
This extra effort could yield important insights that might otherwise be overlooked.

7.2.3 Derive Most Vulnerable Adversary Attack Scenarios

Adversary attack scenarios are developed from the strategies together with specific paths, defeat methods, and tactics. Tools that are used to estimate PPS effectiveness are based on specific adversary scenarios. An assumption of the analysis process is that protection system effectiveness is measured by its performance against what is considered the adversary scenario most likely to succeed for each undesired event. This optimal adversary scenario is identified using expert opinion based on the assessment team members' knowledge of the water utility, its operations, and the existing protection system features. Several factors must be considered in judging which adversary scenario might be the most successful:

• Protection system weaknesses noted on data collection worksheets and site survey.
  o Least-protected paths (detection, delay, response).
  o Easiest system features to defeat.
  o Worst consequences.
• Facility operating states that the adversary could use to an advantage.
  o Emergency conditions.
  o No personnel on site.
  o Inclement weather.

Further development of the path (including methods and tactics that the adversary could use to defeat protection system features) leads to the development of the specific scenario that the adversary could follow that would be most likely to cause the undesired event. The best path to carry out the strategy (from the adversary perspective) would be the one that:

• Is physically the easiest for the adversary to complete.
• Avoids any security features, such as sensors or barriers.
• Could be predicted to achieve the adversary's goal.

This judgment is based on the assessment team's expert opinion formed by reviewing the information collected and analyzed.
The scenario description includes the development of the most likely strategy and path to achieve adversary goals. The scenario includes specific system features, specific defeat methods, and tactics. The protection provided by the system against these particular scenarios will be used to estimate system effectiveness for the undesired event.

For the example water utility, a description of the scenario most likely to achieve the adversary's goal of reducing the ability to treat the water supply might be as follows:

During nighttime hours after observing no personnel in the area, the adversary cuts through the perimeter fence (15 sec), runs across the protected areas to the building (10 sec) and enters the pump building through a window (5 sec). Once inside they locate the pumps (10 sec), plant 5 lbs of high explosives on the exposed pumps to destroy two pumps (25 sec) and thus disrupt the flow of water to the treatment facility. The adversaries exit the building before the explosives detonate. The time required for this scenario is 65 seconds.

7.2.3.1 Adversary Attack Scenario Timeline Analysis

A timeline can be used to further describe and analyze an adversary attack scenario. This timeline (Figure 7.7) shows only PPS elements, but as shown earlier it could also include operating system elements as well. The capabilities of the adversary must be considered in the development of the attack scenario timeline.

Figure 7.7 illustrates the concept of timely detection in the PPS context. The critical detection point (CDP) is where the minimum time along the remaining portion of the adversary path (TR) just exceeds the response force time (RFT). Timely detection is when the adversary is reliably detected at the CDP or earlier. In that case, the adversary is interrupted (prevented from continuing along his task). A protection system that achieves timely detection is effective.
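As an added example (not code from the report or from Sandia), the following Python script applies the ASD and timeline ideas of the two preceding sections: it enumerates every path through the two layers of the Treatment Plant 2 ASD (four elements into the Property Area, five into the building), ranks the paths the way the assessment team does (least likely to be detected, then fastest), and then locates the CDP on the chosen path for a given response time and checks whether detection is timely. The 15/10/5/10/25-second delays for the fence, the crossing, the window, locating the pumps and the sabotage task come from the scenario above; every other delay value, every detection probability and the response times are constructed assumptions.

```python
"""Added example (not from the RAM-W report): enumerate adversary paths
through a simplified ASD for Treatment Plant 2, rank them as the assessment
team does (least detection, then least delay), then place the critical
detection point (CDP) on the chosen path and test whether detection is
timely against a response time.

All delay times and detection probabilities below are constructed for
illustration except the 15/10/5/10/25 s scenario values from the report.
"""
from itertools import product

# Each ASD layer lists its path elements as
#   name: (delay_seconds, probability_of_detection_while_defeating_it)
ASD_LAYERS = [
    # Offsite -> Property Area (four path elements, as in Figure 7.6)
    {
        "vehicle gate": (60, 0.90),
        "pedestrian gate": (45, 0.80),
        "fence (cut through)": (15, 0.00),   # 15 s: report's scenario value
        "air": (120, 0.50),
    },
    # Property Area -> Building (five path elements)
    {
        "window": (5, 0.00),                 # 5 s: report's scenario value
        "roof": (90, 0.10),
        "surface (wall)": (180, 0.10),
        "pedestrian door": (30, 0.60),
        "door lock (pry)": (40, 0.60),
    },
]
# Steps that every path shares: crossing the area between the layers, then
# locating the pumps and the sabotage task (10 s, 10 s, 25 s in the report).
CROSS_AREA = ("cross area", (10, 0.20))
TASK_STEPS = [("locate pumps", (10, 0.30)), ("sabotage pumps", (25, 0.30))]


def enumerate_paths():
    """Return every path as a list of (element, (delay, p_detect)) tuples."""
    paths = []
    for outer, inner in product(*[layer.items() for layer in ASD_LAYERS]):
        paths.append([outer, CROSS_AREA, inner] + TASK_STEPS)
    return paths


def path_delay(path):
    """Total delay along the path, in seconds."""
    return sum(delay for _, (delay, _) in path)


def path_detection(path):
    """Probability that at least one element on the path detects the adversary."""
    p_miss = 1.0
    for _, (_, p_d) in path:
        p_miss *= 1.0 - p_d
    return 1.0 - p_miss


def worst_case_path(paths):
    """The adversary's most advantageous path: lowest detection, then fastest."""
    return min(paths, key=lambda p: (round(path_detection(p), 6), path_delay(p)))


def critical_detection_point(path, response_time):
    """Index of the CDP: the last element whose time remaining (TR, the delay of
    that element plus everything after it) still exceeds the response time.
    None means the whole path is shorter than the response time."""
    remaining = path_delay(path)
    cdp = None
    for idx, (_, (delay, _)) in enumerate(path):
        if remaining > response_time:
            cdp = idx
        remaining -= delay
    return cdp


def first_detection_opportunity(path):
    """Index of the first element with a non-zero chance of detection."""
    for idx, (_, (_, p_d)) in enumerate(path):
        if p_d > 0.0:
            return idx
    return None


def detection_is_timely(path, response_time):
    """Timely detection: the first detection opportunity is at or before the CDP."""
    cdp = critical_detection_point(path, response_time)
    first = first_detection_opportunity(path)
    return cdp is not None and first is not None and first <= cdp


if __name__ == "__main__":
    path = worst_case_path(enumerate_paths())
    print("worst-case path:", [name for name, _ in path], path_delay(path), "s")
    for rft in (30, 50):   # constructed response force times
        cdp = critical_detection_point(path, rft)
        where = path[cdp][0] if cdp is not None else None
        print(f"RFT={rft}s: CDP at {where!r}, timely={detection_is_timely(path, rft)}")
```

With a 30-second response the CDP falls at "locate pumps" and the first detection opportunity (the crossing) is ahead of it, so detection is timely; with a 50-second response the CDP moves back to the fence and the same first detection opportunity comes too late, which is the situation the combined timelines below describe. Reading the CDP index this way also shows where an upgrade pays off: detection added at or before the CDP, delay added after it.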
The performance of a protection system's detection, delay, and response should be judged in this context. Determining where the CDP lies is very important in the timeline analysis. Its location provides insights for determining effective upgrades to the protection system, since system effectiveness is increased by improving detection along the timeline before the CDP and by adding delay along the timeline after the CDP. The CDP can be mentally assigned based on where the analyst predicts the time remaining just exceeds the response time. Another way to help achieve timely detection is by reducing response time.

Figure 7.7. Adversary Attack Scenario Timeline (PPS Example) [figure; recovered: delay elements Cut Hole in Fence and Enter, Cross Area, Pry Off Lock and Enter Through Door, Locate Pumps, Sabotage Pumps (Place Explosives on Pumps with 10 min. Detonation Delay); Start of Adversary Path; Completion of Adversary Path; Critical Detection Point (CDP); Time Remaining (TR); Response Force Time (RFT); PPS Minimum Delay Along Path; Timely Detection]

In Figure 7.8, the PPS system response is not timely, but the operational detection and response is sufficient, so it would seem that no improvements are needed in the PPS or operational system.

Figure 7.8. Combined Timeline, First Case for Treatment Plant 2 [figure; recovered: delay elements Pry Off Lock and Enter Through Door, Cross Area, Locate Pumps, Sabotage Pumps; Time Until Consequence; First Security Detection Opportunity; Operational Detection and Assessment by SCADA; Security Critical Detection Point (CDP); Operational Critical Detection Point; Response Force Time (RFT); Start of Adversary Path; Completion of Adversary Path; "The PPS is Not Timely, but the Operational Detection and Response is Sufficient"]

In Figure 7.9 neither the PPS nor operational detection and response is sufficient, since the first detection opportunities for both occur after the CDPs.

Figure 7.9. Combined Timeline, Second Case for Treatment Plant 2 [figure; recovered: delay elements Cross Area, Pry Off Lock and Enter Through Door, Locate Pumps, Sabotage Pumps; Time Until Consequence; First Security Detection Opportunity; Operational Detection and Assessment by SCADA; Security Critical Detection Point (CDP); Operational Critical Detection Point; Operational System Response Time; Start of Adversary Path; Completion of Adversary Path; "Neither the PPS nor the Operational Detection and Response is Sufficient"]

In Figure 7.10, the PPS is not timely, but the detection at the first security detection opportunity is timely in terms of the operational system response. A possible example of such a situation is that the adversary is detected by the PPS system, the water utility knows the adversary is going to destroy the pumps before the security response force (local law enforcement) can arrive, and so the water utility decides to start working on an operational response right away.

Figure 7.10. [figure; caption not recovered; labels recovered: delay elements Cross Area, Pry Off Lock and Enter Through Door, Locate Pumps, Sabotage Pumps; Time Until Storage Reservoir Empty; Security Detection]

9 RISK REDUCTION AND RECOMMENDATIONS

[Waterfall Flow Diagram, Process Location; labels recovered: Planning (Purpose, Objective, Prioritize Facilities); Design Basis Threat (Likelihood of Attack, PA); Prioritized Critical Assets (C)]

Risk can be reduced by increasing the system effectiveness, PE, or by decreasing consequences, C, or by doing both.
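To show the two levers named here (PE and C) acting on the risk equation, the following Python example, added here and not taken from the report, scores a constructed set of critical assets with the multiplicative relative-risk form R = PA × (1 − PE) × C, ranks those above an acceptance threshold by risk and then by mission objective, applies an upgrade package (a PE upgrade on one asset, a consequence mitigation on another) and reports the reduction, which is the baseline-versus-upgrade comparison of Section 9.8. The asset list, the 0.25 threshold and all numeric values are assumptions; the report works with high/medium/low levels and sets PA conservatively when threat data is lacking.

```python
"""Added example (not from the RAM-W report): relative risk for a set of
critical assets before and after an upgrade package, using the multiplicative
relative-risk form R = PA x (1 - PE) x C. The asset list, the acceptance
threshold and every numeric value are constructed for illustration; the
report itself reports high/medium/low levels rather than numbers.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AssetRisk:
    asset: str
    mission_rank: int     # 1 = highest-ranked mission objective the asset supports
    p_attack: float       # PA; set conservatively to 1.0 when threat data is lacking
    effectiveness: float  # PE in [0, 1], the lever raised by protection upgrades
    consequence: float    # C in [0, 1], the lever lowered by mitigation features

    def risk(self):
        """Relative risk: not a probability, only comparable across assets."""
        return self.p_attack * (1.0 - self.effectiveness) * self.consequence


ACCEPTABLE_RISK = 0.25   # constructed acceptance threshold


def prioritize(assets, threshold=ACCEPTABLE_RISK):
    """Assets above the threshold, highest risk first; ties go to the asset
    supporting the higher-ranked mission objective."""
    return sorted((a for a in assets if a.risk() > threshold),
                  key=lambda a: (-a.risk(), a.mission_rank))


def apply_upgrades(assets, upgrades):
    """upgrades maps asset name -> field changes (raise PE and/or lower C)."""
    return [replace(a, **upgrades.get(a.asset, {})) for a in assets]


def risk_reduction(baseline, upgraded):
    """Per asset: (baseline risk, upgraded risk, fraction of risk removed)."""
    after_by_name = {a.asset: a for a in upgraded}
    out = {}
    for a in baseline:
        before, after = a.risk(), after_by_name[a.asset].risk()
        out[a.asset] = (before, after, 0.0 if before == 0 else 1.0 - after / before)
    return out


# Constructed baseline for the example utility (values are not from the report).
BASELINE = [
    AssetRisk("pumps (outsider)", 1, 1.0, 0.20, 0.90),
    AssetRisk("onsite chemicals (insider)", 4, 1.0, 0.40, 0.80),
    AssetRisk("SCADA master", 1, 1.0, 0.50, 0.60),
]
# Constructed upgrade package: PE lever on the pumps, C lever on the chemicals.
UPGRADES = {
    "pumps (outsider)": {"effectiveness": 0.70},
    "onsite chemicals (insider)": {"consequence": 0.30},
}


if __name__ == "__main__":
    upgraded = apply_upgrades(BASELINE, UPGRADES)
    for name, (before, after, frac) in risk_reduction(BASELINE, upgraded).items():
        print(f"{name:28s} baseline={before:.2f} upgraded={after:.2f} removed={frac:.0%}")
    print("still above threshold:", [a.asset for a in prioritize(upgraded)])
```

On these numbers the pumps stay above the threshold after the upgrade (0.27 against 0.25), the case in which Section 9.8 says the upgrade process has to be repeated, while the SCADA master, untouched by the package, now heads the list.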
Upgrades that reduce risk should be considered for each critical asset with an unacceptably high risk level. The assessment team should review any potential WMD-type events first and apply resources to lower the risk of those events before considering other high-consequence events. The assessment team should then review the high-risk critical assets and prioritize them by mission objectives. In other words, if the highest ranked mission objective is to provide sufficient pressure for fighting fires, high-risk critical assets that support this mission objective should be addressed first. The basic elements of risk reduction include:

• Improvements in the security policies and procedures.
• Consideration of upgrades to prevent the undesired event (protection system upgrades).
• Consideration of upgrades to reduce the consequences of the undesired event (mitigation features).
• Consideration of upgrades to deter the adversary.

9.1 MISSION OBJECTIVES

The risk calculations performed for the baseline security system will determine if the protection objectives have been achieved. If not, then the assessment team will start making upgrade suggestions to lower risk. Upgrades will differ depending on the protection objectives and the design and operation of the water utility. The categories of protection objectives include:

• Preventing the undesired event.
• Reducing the consequences of the undesired event occurring.
• Deterring the adversary.

As noted in the previous section, it is important for the assessment team to focus resources on the highest priority critical assets. The assessment team might consider re-sorting the risk analysis outcome to sort the high and medium risk critical assets by mission objective. Some critical assets will support several or all of the mission objectives.
Building on the Treatment Plant 2 example, since Capacity ranked #1 and Water Quality ranked #4 (see Appendix C), any critical asset identified that supports only the water treatment operation would be ranked much lower than those that support Capacity. What becomes obvious is the fact that flowing water through Treatment Plant 2 is more important than the treatment function (in an emergency). If Treatment Plant 2 is vulnerable and an easy adversary target, the assessment team might consider installing a bypass around the plant to continue supporting the Number 1 mission objective to mitigate risk.

9.2 SECURITY POLICY AND PROCEDURES (GENERAL GUIDELINES)

The entire risk-reduction program for any water utility hinges on performance. Performance of the system is heavily dependent on policies, procedures, and training. Critical areas for the assessment team to examine during the assessment include how well security, operational, and emergency response plans are documented, how well employees are trained on the plans, and how exercises are conducted to reinforce the training. The presence or absence of well documented, consistently applied, and trained policies and procedures can be an indication of the corporate culture, a culture that will likely need to change to implement higher levels of security.

Here is a partial list of security policies and procedures that may need to be in place to improve security. Again, each water utility is different, and the list will change depending on the specific requirements.

• Training
  o Develop a training program to provide security training for employees, onsite contractors and vendors, including refresher courses and testing (assure understanding).
  o Develop cross-training between operators and guards where applicable.
  o Train security guards and periodically test performance.
  o Develop training on operational responses.
• Access Control
  o Develop and enforce badge policies.
  o Compartmentalize facilities; provide access on an "as-needed" basis.
  o Create and enforce a key control policy.
  o Control the access of all visitors, contractors, and vendors.
  o Create and enforce a vehicle control policy.
• Performance Testing
  o Conduct "Table-Top" exercises regularly (such as those conducted during Y2K and following 9/11) and evaluate performance on malevolent events and emergency response.
  o Maintain a supply of critical replacement parts; conduct tests to evaluate timeliness of replacement.
• Teaming with other Agencies
  o Develop/Educate/Exercise Memoranda of Understanding (MOUs) with other governmental agencies.
  o Team with interdependent local utility providers.
  o Create MOUs with the electrical and gas utility companies.
      • Improve contacts with power utility personnel.
      • Inquire about the contingency plans the electrical utility has if it were to lose a feeder or transformer, and how long it may take to restore the system.
      • Identify priority power and gas requirements in the event of electrical and gas restrictions.
  o Establish MOUs with and between other municipal departments and law enforcement agencies, both local and statewide.
  o Develop a regional spare parts inventory with other agencies.
• Procedures and Plans
  o Develop acceptance procedures and verify (assay) chemical deliveries.
  o Perform background checks on key employees and key contractor employees.
  o Create and enforce employee separation policies.
  o Create an unusual occurrence log; train employees to document unusual occurrences.
  o Review and trend the data from the unusual occurrence log at specific intervals.
  o Develop and document contingency plans for an electrical outage in the event of:
      • Losing one facility/system,
      • Losing two facilities/systems,
      • Outage of the entire regional power system lasting more than 48 hours.
  o Policies and procedures should be reviewed annually, updated, and/or eliminated if necessary.
• Security Alarms
  o Develop, train personnel on, and test procedures for how to respond to all security alarms.
  o Log all security alarms.
  o Follow up on all security alarms; evaluate the response to alarms.
  o Write a disposition of all security alarms.

9.3 SYSTEM UPGRADES TO PREVENT UNDESIRED EVENTS

The assessment team may decide to install PPS upgrades as part of the risk reduction plan. For some critical assets, especially those in vulnerable urban areas, PPS upgrades may be the most cost-effective solution. The final PPS upgrade package will likely consist of detection, delay, and response features that are intended to prevent the undesired event from occurring. Guidance for selecting upgrade features includes:

• Protection for common vulnerabilities and common system features.
• Protection-in-depth.
• Balanced protection.

Vulnerabilities that are common to several or all undesired events should be addressed first. In general, the first detection point must be as early as possible and as far away from the critical asset as practical, whereas placing the delay features closer to the critical asset could provide the most benefit if all adversary paths are affected.

Protection-in-depth means that an adversary should be required to avoid or defeat a number of protective devices in sequence to accomplish his/her objective. Layers of features cause adversity for the adversary, including increased uncertainty about the system, more extensive preparations prior to the attack, and additional steps where failure could occur.
Balanced protection ensures that an adversary will encounter effective elements of the PPS no matter how the critical asset is approached. For a completely balanced layer of system features, the delay times and detection performance would be equal. Complete balance is probably not possible or desirable. Some features may have inherent protection. Walls, for example, may be resistant to penetration, not because of physical protection requirements, but because of structural or safety requirements. Door, hatch, and grille delays may be less than wall delays and still be adequate. There is no advantage to over-designing single elements, for example, installing a costly vault door on a flimsy wall.

Table 9.1 provides examples of features that might increase PPS effectiveness for Treatment Plant 2. An analysis that includes performance testing would be required to determine if the upgrades would increase system effectiveness.

Table 9.1. Examples of Features that Might Increase Physical Protection System Effectiveness at Treatment Plant 2 (Example Water Utility)

DBT: Outsider: 3
Critical Asset: Pumps
Capabilities: tools, weapons, explosives, knowledgeable about water and security system

  PPS Function: Detection
    • Add sensors on fences, doors, and windows
    • Add CCTV and lighting; establish policies
    • Add tamper indication and line supervision on all lines carrying PPS signals
    • Enhance portal access control with badge and PIN
  PPS Function: Delay
    • Lock doors 24/7
    • Harden doors, including hardened locks
    • Add mesh or bars to windows (inside)
    • Add pump/motor protection cage to 2 pumps and controls
  PPS Function: Response
    • Develop closer coordination with local law enforcement and performance test response time
    • Provide security-related training for employees and contractors
    • Add alternative communications (i.e., cellular phones) for employees
    • Develop an alarm response policy

DBT: Insider: 1
Critical Asset: Onsite Chemicals
Capabilities: onsite tools, weapon, extensive knowledge about water and security system, SCADA system, and authorized access

  PPS Function: Detection
    • Separately keyed doors with strict key control and limited authorization for employees to enter areas
    • Criminal and financial background checks on employees
    • Add scheduled and random patrols
  PPS Function: Delay
    • Additional barriers (doors, walls, fences, and surfaces) near the chemicals
    • Better and stronger locks
    • Two-person control over chemical access
  PPS Function: Response
    • Better training of response force
    • Fewer nuisance alarms
    • Security personnel located at site 24/7

9.4 SYSTEM UPGRADES TO REDUCE CONSEQUENCES

Mitigation is defined as reducing the severity or harshness of an undesired event.
Generally, mitigation is a more cost-effective approach for reducing risk than purchasing and implementing physical protection technologies, especially when considering life-cycle costs. Mitigation or consequence reduction features should be considered and evaluated for each undesired event. Mitigation features might include redundancy, contingency plans, early warning systems, or stockpiling of critical equipment in a secure location. Listed are some general practical steps for reducing consequences (this list is not all inclusive):

• Develop and implement policies, procedures, and plans for responding to the loss of critical assets identified during the assessment, and test them on a periodic basis.
• Have spare equipment and parts ready and available in a secure location (performance test the ability to replace spares based on established time requirements). Develop a regional spare parts inventory, if applicable.
• Have backup systems for critical assets where practical.
• Ensure that redundancy exists and operates sufficiently for high-consequence undesirable events.
• Develop tie-ins to neighboring water utilities.

Listed are example mitigation features for the pumps located within Treatment Plant 2:

• Install natural gas pumps to mitigate interdependency risk with electrical power.
• Purchase a spare pump and store it at another location.
• Increase water storage within the system to allow for longer outages.
• Performance test the ability to replace pumps.
• Increase the capacity of other treatment facilities.
• Provide ties between the treatment facilities.
• Work with the local electrical power utility to allow their portable electrical generation equipment to quickly connect to the water utility power system.

9.5 SCADA RECOMMENDATIONS

Increasing the security level of the complete SCADA system will require much more than simple "technology fixes."
The adoption of an Information Technology (IT) framework such as CobiT¹ will allow the water utility to effectively design and maintain a robust, secure SCADA system. The development and maintenance of a security policy is the first recommendation to be addressed. Sandia developed a SCADA Security Policy Framework, located in Appendix H, in two forms: one is the framework with the areas that need to be addressed in a security policy, and the other shows the mapping of those areas to CobiT. Basic security policies would include access and password controls, network perimeter definition, and data sensitivity definition requirements. Addressing the security policy issue in a timely manner is critical for the secure implementation and management of SCADA systems.

The following lists of recommendations are mitigations for commonly seen vulnerabilities. It is important to note that these recommendations, particularly the security policy development, should take place before technology solutions are incorporated into the system, to avoid redoing technology solutions that conflict with the decided security policy. The recommendations have been grouped into four categories:

1. Policy/Procedure/Configuration Management,
2. System,
3. Network, and
4. Platform.

9.5.1 Policy/Procedure/Configuration Management

• Develop a SCADA-specific security policy.
• SCADA security training and administration programs, based on formal security policies and procedures, must be developed and implemented. Security awareness must improve. Recognition that security is an ongoing process is essential to maintaining a secure SCADA system on a continual basis.

¹ IT Governance Institute, CobiT: Governance, Control, and Audit for Information and Related Technology, Information Systems Audit and Control Foundation, Rolling Hills, IL, 2000.
• Formal configuration management requirements and responsibilities should be developed and implemented.

9.5.2 SCADA System

• Identify a security perimeter for the SCADA system.
• Protect SCADA assets, including networking equipment, with a minimum of two layers of physical protection.
• Evaluate the potential consequences of data manipulation or snooping and assign sensitivity levels to data. Develop policies for protecting the different data sensitivity levels. Train staff in these policies.
• Encrypt SCADA data traversing untrusted networks.
• Provide strong separation between administrative and SCADA data.

9.5.3 SCADA Network

• Identify which communication links are critical and review options for providing true link redundancy. Implement redundancy when possible. If it is not practical to provide true redundancy, contingency plans should take this limitation into account.
• Provide a separate communication system for all critical physical security alarms. If this is not possible, ensure that the security procedures in both areas (i.e., physical and cyber) recognize that a compromise in the SCADA system requires a response in physical security as well.
• Password generation and time limit policies should be developed and implemented.
• Create individual accounts for all personnel that log into the SCADA network remotely, including system administrators. Utilize a stronger authentication process (i.e., dial-back, smart cards, etc.). Audit activities on the remote connection via logging, and review the audit logs on a regular basis.
• Implement security monitoring of SCADA workstations.

9.5.4 SCADA Platform

• Assign formal ownership of SCADA hardware and software.
• Develop policy and procedures for installing operating system patches.
• Use virus-checking software on the SCADA network, and maintain regular updates.
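The remote-access items in 9.5.3 (individual accounts for everyone who logs in remotely, administrators included; logging of the remote connection; regular review of the audit logs) can be made concrete with a small log review. The Python script below is an added example, not code from the report or from Sandia: the log line format, the account roster, the approved source addresses, the failure threshold and the sample log lines are all constructed for it.

```python
"""Added example (not from the RAM-W report): a periodic review of remote-login
audit records for a SCADA network, checking the 9.5.3 recommendations that
every remote user has an individual account and that remote connections are
logged and reviewed. Log format, roster, approved sources, thresholds and
the sample lines are all constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed record format: one login attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) remote-login "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)

ROSTER = {"jsmith", "adoe", "mlee-admin"}           # individual accounts issued (constructed)
SHARED_NAMES = {"operator", "scada", "admin", "guest"}  # generic names the policy forbids remotely
APPROVED_SOURCES = {"10.20.30.5", "10.20.30.6"}      # e.g. the dial-back pool (constructed)
FAILURE_LIMIT, FAILURE_WINDOW = 3, timedelta(minutes=10)

# Constructed sample log, including one line that does not match the format.
SAMPLE_LOG = """\
2003-04-12 02:14:07 remote-login user=jsmith src=10.20.30.5 result=success
2003-04-12 02:20:41 remote-login user=operator src=10.20.30.6 result=success
2003-04-12 03:01:12 remote-login user=adoe src=192.0.2.77 result=success
2003-04-12 03:05:00 remote-login user=mlee-admin src=10.20.30.5 result=failure
2003-04-12 03:06:10 remote-login user=mlee-admin src=10.20.30.5 result=failure
2003-04-12 03:07:30 remote-login user=mlee-admin src=10.20.30.5 result=failure
2003-04-12 03:08:02 remote-login user=mlee-admin src=10.20.30.5 result=success
2003-04-12 04:30:00 remote-login user=bogus src=10.20.30.5 result=success
this line is not a login record
"""


def parse(log_text):
    """Return (records, unparseable_lines); bad lines are kept, not silently dropped."""
    records, bad = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            bad.append(line)
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records, bad


def review(records):
    """Return (category, user, detail) findings for the reviewer to disposition."""
    findings = []
    recent_failures = defaultdict(list)   # user -> timestamps inside the window
    for r in records:
        if r["user"] in SHARED_NAMES:
            findings.append(("shared-account", r["user"], f"remote use at {r['ts']}"))
        elif r["user"] not in ROSTER:
            findings.append(("unknown-account", r["user"], f"not on roster, src {r['src']}"))
        if r["result"] == "success" and r["src"] not in APPROVED_SOURCES:
            findings.append(("unapproved-source", r["user"], r["src"]))
        if r["result"] == "failure":
            window = recent_failures[r["user"]]
            window.append(r["ts"])
            while window and r["ts"] - window[0] > FAILURE_WINDOW:
                window.pop(0)
            if len(window) == FAILURE_LIMIT:
                findings.append(("failure-burst", r["user"],
                                 f"{FAILURE_LIMIT} failures within {FAILURE_WINDOW}"))
    return findings


def review_log(log_text):
    """Parse and review a log; unparseable lines become findings of their own."""
    records, bad = parse(log_text)
    findings = review(records)
    findings.extend(("unparseable-line", "", line) for line in bad)
    return findings


if __name__ == "__main__":
    for category, user, detail in review_log(SAMPLE_LOG):
        print(f"{category:18s} {user:12s} {detail}")
```

On the constructed sample it flags the shared operator account, a successful login from an address outside the approved pool, a burst of three failures on the administrator account, an account that is not on the roster, and a line it could not parse; the last is reported rather than dropped so that a reviewer notices gaps in the log.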
9.6 SYSTEM-WIDE RISK REDUCTION

The assessment team should create a list of system effectiveness and consequence mitigation features to lower risk for every critical asset that has unacceptably high levels of risk. Think creatively. There is no one right way to reduce risk, and every water utility has unique operational features and constraints. When the list of upgrades is complete, the assessment team should then take a "systems-level" view of the entire water utility operation to determine what might be done system-wide to lower risk. Are there multiple sources of water? If there are, can redundancy be increased? Are there multiple pump stations? If there are, can redundancy be increased? Is there one pump station that can be hardened more easily than the others, and how much of the system demand can it meet? Are there multiple distribution paths, and how might redundancy be increased? How well protected are the distribution paths? Before blindly going down the list of high-risk assets and embarking on improvements, the assessment team should spend time working "what if" scenarios to determine the best system-level improvements. The assessment team might end up recommending to "do nothing" with a few high-risk assets because improvements elsewhere in the system will lower the risk when completed.

9.7 SYSTEM UPGRADES TO DETER ADVERSARY

Deterrence is an attempt to increase the perception level of the security system (i.e., it discourages an adversary from attempting an attack by making a successful attack appear very difficult or impossible). The deterrence function of a PPS is difficult to measure, and reliance on successful deterrence can be risky; therefore, it is considered a secondary function. Deterrence may be accomplished by adding visible security features (e.g., increased lighting, warning signage, fences,
cameras, or security officers) or by adding surveillance equipment or features that provide identification for prosecution evidence. It would be a mistake to assume that because an adversary has not challenged a system, the effectiveness of the system has deterred such challenges. Further, note that not all threats are going to be deterred, and some level of prevention or mitigation is still required. Listed are examples of features that might increase the perception of the protection system (this is not an all-inclusive list):

• Add visible features
  o Warning signage
  o Locked doors
  o Cameras for surveillance
  o Patrols
  o Barriers for critical assets (insider)
• Add identification means
  o Surveillance and recording devices for prosecution data
  o Witness program

9.8 CALCULATE RISK FOR UPGRADE PACKAGE

Most of the upgrades that have been discussed in this chapter are general recommendations along the lines of Best Practices. Ultimately, however, they may or may not reduce risk. The only way of knowing if they reduce risk, and if so, by how much, is to examine the upgrades in the context of the adversary attack scenario. As mentioned in Chapter 7, the location of the CDP provides guidance on how best to improve protection system effectiveness. If the proposed upgrades contribute to moving the protection system towards timely detection, then the protection system effectiveness will increase. It is very important to performance test the recommended upgrades in order to verify and measure the improvement to the protection system. The assessment team must reanalyze the ASDs, scenarios, and other materials created for the risk analysis to ensure that the upgrades will effectively lower risk.
Similarly, the consequence values associated with each undesired event should be reviewed to determine the effects of the proposed consequence reduction features. Finally, the risk values for the baseline system can be compared to those of the upgraded system to determine the amount of risk reduction. If risk values are still unacceptable, the upgrade process may have to be repeated. If risk values are now in the acceptable range, consideration may be given to the other impacts imposed on the facility or system as a result of the upgrades. Some of the factors include cost, operations, or public opinion.

9.8.1 Example of Using Adversary Attack Scenarios and Timelines

A further illustration is the upgrading of one of the highest relative risk cases from Table 8.1, Outsider attack to the pumps. Since risk reduction via increasing system effectiveness is less straightforward than with consequence reduction, the focus is on increasing system effectiveness in this example. Continuing from calculating system effectiveness in Section 7.3, an adversary attack scenario timeline was described in Figure 7.11, and levels of effectiveness for detection, delay, and response were described in Tables 7.1 and 7.2. From Table 7.2, it appears that improving detection might be a way to increase overall system effectiveness. Table 7.1 and Figure 7.11 provide insight on how to do that.

As determined from Figure 7.11, even though PPS detection was timely (at least medium), its reliability is judged to be low, so its overall level of effectiveness is listed as low. So if the reliability of the PPS detection were increased to a medium or a high, detection would go up to a medium or a high, increasing overall system effectiveness from low. There is another possible way to increase system effectiveness from Figure 7.11.
OS detection by the SCADA was judged to be of medium reliability but was not timely, so OS detection was listed as low. If OS response could be reduced enough that the SCADA detection became timely, OS detection would go up and increase overall system effectiveness. To implement any of these upgrades, as mentioned before, the next step would be to performance test the upgrades to verify and measure increased system effectiveness.

10 FINAL RAM-W REPORT

In this chapter, suggestions are presented on how to organize the final report. The final report represents the efforts of the entire assessment team and becomes the basis for future risk reduction efforts. Providing a well thought out, systematically organized final report accomplishes several goals, including:

• Documents the entire process, including definitions and decisions
• Makes it easy for others to follow the methodology
• Contains an Executive Summary for management review
• Creates a defensible end product
• Streamlines the ability to update the assessment when conditions change
• Provides a professional product.

The final report format presented here is based on numerous RAM-W assessment feedback reports prepared by Sandia National Laboratories. The final report is organized to correspond to the RAM-W assessment process and describes how the information necessary for the risk equation was gathered and/or analyzed.

10.1 CONTENTS BY CHAPTER

Executive Summary, probably the most important part of the document and the most widely read. It should contain a very short overview of the entire process and summarize major findings, outcomes, and recommendations.

Chapter 1, Introduction, contains introductory and background information on the RAM-W assessment process. This chapter explains why the risk assessment was undertaken and should capture high-level planning elements.
It also describes the scope of the assessment, customer requirements, and the organization of the final report.

Chapter 2, Planning, details the assessment planning process. The assessment team participants are noted along with the team's purpose and objectives. The mission objectives of the water utility are identified, and the facilities screened for inclusion in the vulnerability assessment are listed. By means of pairwise comparisons, the mission objectives are ranked against one another and the results presented in a table. A pairwise comparison is completed for the facilities included in the assessment for each of the mission objectives. A table is constructed that contains a summary of all the pairwise comparisons, weighted by the mission objectives, and lists the relative importance of each facility. The risk reduction goals are documented.

Chapter 3, Threat Assessment, discusses how threats were determined, defines the DBT, and discusses the likelihood of occurrence, PA, used in the risk equation. Based on multiple interviews and other available information, the threat assessment identifies and describes the types of adversaries, or malevolent persons or groups, that might try to prevent the water utility from performing one or more of its mission objectives. The DBT presented in the final report represents the adversary model against which the water utility's system effectiveness can be evaluated. The DBT used results from examination of general DBT spectrum definitions, consultation with various information sources, and the consolidation of that information. The DBT is a management decision and must be clearly established for the water utility.
Discussion is included on the likelihood of occurrence, PA, which is either arbitrarily set at a conservative value because of the lack of industry-wide threat information, or used in some consistent manner to discriminate threats.

Chapter 4, Site Characterization and Consequence Assessment, provides an overview of the water utility system, the site-specific fault tree, and assessment activities. In the site characterization overview, the assets in the water system are described along with their function, interconnections, and potential vulnerabilities. The potential vulnerabilities posed to public health by onsite chemicals are analyzed. The SCADA system and its vulnerabilities are described. Operational and security policies and procedures (including record keeping and training processes) are described and evaluated in terms of their completeness and the extent to which they are implemented. Existing security measures are captured and an evaluation of their effectiveness included.

By customizing the generic fault tree, the water utility indicates which of the undesired events are achievable at their site. From the customized fault tree, critical assets are identified and a consequence value is assigned to each asset from the site-specific consequence matrix. The level of consequence that loss of a particular asset would represent to the water utility is determined by engineering judgment and/or expert opinion. Different levels of severity (high, medium, low), or consequence, are determined for each of the undesired events (critical assets).

Chapter 5, System Effectiveness (PE), provides an analysis of the existing physical security and operating systems' effectiveness against the DBT. Worst-case adversary strategies
or tactics are identified that could accomplish one or more of the undesired events for high-consequence critical assets. An adversary sequence diagram (ASD) is developed to identify the worst-case scenario of events that describes in detail how the adversary could accomplish their objective. The final report describes the process of expert judgment by which system effectiveness is tested against adversary scenarios on an asset-by-asset basis. The integrated functions of detection, delay, and response are evaluated for each physical security component and operational component to arrive at an overall estimate of effectiveness (high, medium, low). The System Effectiveness table lists the overall estimates of effectiveness (PE) for each asset against the DBT.

Chapter 6, Risk Analysis, presents the risk analysis, which uses the potential for adversary attack (PA), system effectiveness (PE), and consequence values (C) from earlier chapters to calculate the current relative risk value for each undesired event for specific adversary types at each critical asset. Note that only system effectiveness, PE, and consequence, C, can be mitigated to reduce risk. A table lists the relative risk, based on the risk equation, for each of the assets identified. It should be emphasized that the results are relative values and not probabilities.

Chapter 7, General Recommendations, offers insights into risk reduction and general recommendations for upgrades and best practices for operations, including SCADA, security, and consequence mitigation. Suggestions are made to reduce risk at specific sites. The importance of security permeating all operations is emphasized. The need to establish upgrade goals and to balance risk reduction against budgetary constraints is discussed. A table shows the potential effect on all levels of risk if specific upgrades were undertaken in accordance with the established risk-reduction goals.
Also included in this section are recommendations for any WMD-type scenarios that may have been identified during the assessment, even if the analysis shows them to be of low relative risk. This is done simply as a prudent measure.

Appendices. Supporting background information is included in the appendices. The types of information that might be included in the appendices are:

• Worksheets,
• Chemical/biological threat discussions,
• The entire generic fault tree,
• Site-specific fault tree elements,
• Questionnaire responses and notes, etc.

10.2 PROTECTION OF INFORMATION

Each page of the final report is marked in the appropriate manner to reflect the sensitivity of the data, and it should be secured on the computer and/or in a locked filing cabinet when it is not under the immediate control of the individual using the document (working documents should also be marked and controlled in a similar manner). The access, reproduction, and disposal limitations should be described on the back of the report's title page. Obviously, a report of this nature would be most helpful to potential adversaries, as would any materials produced to support the analysis and mitigation activities called for in the final report. It is the responsibility of the water utility to define the process necessary to prevent this information from being improperly disseminated.

10.3 ORGANIZATION OF FINAL REPORT

The organization of the final report is shown in Figure 10.1. It shows the primary subject areas in each chapter of the report as well as specific topic details within each chapter. The report flowchart also shows that after completion of the risk analysis, the water utility management team is faced with a decision step: Is the calculated risk acceptable? If the calculated risk is acceptable, then the application of RAM-WSM is complete.
If the calculated risk is not acceptable, then the application of RAM-WSM must be iterated. Note that the process is repeated until upgrades have reduced the risk and the reduction goals are met.

[Figure 10.1 (flowchart not reproduced; recoverable labels: Report Organization; Planning, Chapter 2; Team Selection; Mitigated Risk; Operations Upgrades)]
Figure 10.1. Organization of Final Report

APPENDIX A. EXAMPLE WATER UTILITY

A.1 OVERVIEW

This appendix contains the description of a fictitious municipal water system (referred to as the "example water utility"). The major process elements of the methodology are presented in the body of the report to help illustrate concepts. The reader should be aware that much detail is omitted, and the example is intended only for its instructive value. Any similarity to an existing water utility is purely coincidental.

A.2 EXAMPLE WATER UTILITY BACKGROUND INFORMATION

The example water utility to be used throughout this document to help illustrate concepts is described below (Figure A.1). The water utility serves a population of 250,000 people. The water utility is comprised of:

• Surface (Bigg Lake) and groundwater sources
• Three water treatment facilities
  o Two with integral pump stations and storage
  o Treatment Plant 2 has three water intake pumps
• One of the treatment facilities is supplied by wells
• Two major pump stations separate from the treatment facilities

A.2.1 Water Utility Description

Table A.1 provides some basic information (e.g., capacity, geographic extent, customer base, etc.)
about each major facility within the example water utility.

Table A.1 Example Water Utility Information

Total system daily demand (minimum): 100 mgd

Intake Station 1: 50 mgd capacity; reaches 60% of geographical area; serves no critical customers; no treatment capabilities
Treatment Plant 1 and Integral Pump Station: 45 mgd capacity; reaches 60% of geographical area; serves no critical customers; serves 15% of customers (on average); full treatment capabilities; storage - 14 mg
Treatment Plant 2 and integral intake: 90 mgd capacity; reaches 80% of geographical area; serves no critical customers; serves 75% of customers (on average); full treatment capabilities
Treatment Plant 3: 25 mgd capacity; reaches 20% of geographical area; serves critical customers; serves 10% of customers (on average); partial treatment capabilities
Pump Station 1: 40 mgd capacity; reaches 70% of geographical area; serves critical customers; serves 40% of customers (on average); no treatment capabilities; storage - 30 mg
Pump Station 2: 80 mgd capacity; reaches 80% of geographical area; serves no critical customers; serves 35% of customers (on average); storage - 50 mg
Well 1: 7 mgd capacity
Well 2: 14 mgd capacity
Storage Tank: 8 mg

[Figure A.1 (system schematic not reproduced; recoverable labels: Treatment Plant #1 Integral Pump Station, Treatment Plant #2, Treatment Plant #3, Distribution System)]
Figure A.1. Example Water Utility

A.3 WATER UTILITY MISSION STATEMENT

At the initial assessment team meeting, the assembled group from the water utility overwhelmingly agreed upon the mission of the water system, as set forth in the water utility's official Mission Statement.
During the discussion, the following mission objectives were drafted from the mission statement and were then prioritized as follows:

• Maintain adequate pressure for fire protection and other public safety uses.
• Maintain adequate volumetric water supply.
• Maintain reasonable costs for public water supplies.
• Serve critical customers.
• Maintain water quality, with emphasis on producing potable water.

The pairwise criteria were developed from the water utility mission objectives and are listed below. Some of the mission objectives were combined and one was eliminated. It was decided that in an emergency, the water utility would not worry about the cost of the water.

Capacity - facility's ability to meet customers' demand (e.g., emergency demand).
Geographic Extent - delivering water to the maximum number of customers.
Critical Customers - delivering (24/7) to city hospitals, power plants, and critical manufacturers.
Quality - meet and exceed EPA requirements for potable water.

This information (mission objectives, criteria, facilities) is used to develop the pairwise comparison. Refer to Section 3.4.2 and Appendix C for full details.

A.3.1 Water Utility Threat Information

The water utility gathered the following extensive information to help them in defining their threat assessment. Not all of this information was found to be relevant in developing and determining the DBT. However, it is a typical list of information that assessment teams gather when they first start identifying the threat.

• The water utility unusual incidents report for the last 12 months includes eight pieces of water utility equipment found missing and 16 reports of vandalism/property damage.
• Water utility treatment plant operators have full access to all plant controls, SCADA, and chemicals.
• The water utility web site (H2O) has been attacked by hackers since 9/11.
  Prior to 9/11, all water utility information (water system, operational information, facility description, facility functions, drawings, and security capabilities) was available on the web site. This disclosure was for good public relations and for contractors bidding on water utility work.
• Thirteen incidents of expressed threats or violence involving several water utility employees/contractors over union disputes were noted over the past five years.
• No background checks (criminal or financial) are conducted on employees or contractors.
• Local law enforcement and the FBI have published through the regional InfraGard that 5-10 lb of construction-type explosives were stolen in the last six months. In addition, law enforcement reports that an organized and armed militant group was recruiting and operating in the region.
• Below is a message received from FBI headquarters regarding today's notice of a terrorist threat against U.S. water systems. The FBI called XYZ Water Association's office this morning indicating that the threat came "from a knowledge source capable of carrying out such a threat."

FBI Message: Today, the XYZ Water Agency disseminated an urgent communication indicating that a terrorist group was threatening water operations in 68 medium-to-large U.S. cities. The communication advised that since the threat was coming from a "credible, well known source with an organization structure capable of carrying out such a threat," the FBI had asked water utilities to step up surveillance and take precautions. The FBI did become aware of a threat that mentioned water systems in a number of U.S. cities (and contacted XYZ regarding the threat); the FBI has assessed the threat (1-3 participants) as being of Medium to High credibility. The FBI in New York is continuing to investigate this matter in order to obtain further information regarding the nature of the threat.

This information was used to develop the DBT. Refer to Section 4.5 for full details.
A.4 TREATMENT PLANT 2: ASSETS REQUIRED FOR THE ABILITY TO TREAT WATER SUPPLY

The water utility focused on Treatment Plant 2 as its most important facility and determined which assets were needed for the ability to treat the water supply. The top of the Fault Tree customized to represent Treatment Plant 2 is shown in Figure A.2. The mission objectives shown to be under threat from the adversary are "Maintaining Water Flow" and "Avoiding Contamination". Water in the system flows through many components serially. The adversary can interrupt or impair water flow to customers by destroying, damaging, or misusing any one of the components. For Treatment Plant 2, five assets are identified from the fault tree segment shown in Figure A.2:

• Pipelines/Conduits
• Treatment Process
• Critical Pump Systems
• Key Personnel
• Control System

These assets and their criticality to the operation of the Treatment Plant 2 system are discussed below.

Damage/Destroy Pipelines or Conduits: Single source water pipeline exposed above ground. A single pipe transmits water from Bigg Lake to the plant; there is no redundancy. This pipe is a single point of failure in the water system. This asset was determined to be a critical asset from the fault tree analysis.

Treatment Process: Other contaminants could be introduced into the system (vs. EPA standard contaminants normally identified in the system).

[Figure A.2 (fault tree not reproduced; recoverable labels: Top of Fault Tree for Example Facility (Treatment Plant 2): "Defeat the Mission of the Water System by Deliberately, Malevolently Causing an Undesired Event"; 1. Interrupt or Impair Water Flow in the System; 2. Disable Pretreatment or Treatment Process; 3. Use Weapon of Mass Destruction Type Event to Injure Employees and Public; Insider Targets; Outsider Targets)]
Figure A.2. Top of the Fault Tree for Treatment Plant 2

Misuse/Damage Control System: The control system is exposed and standalone. The control system equipment is unprotected and allows direct access to the water flowing through the process. There are seven inputs and/or access points through the plant to the treated water.

Loss of Pumps: Three electrical motor and pump assemblies are located in the plant. The pumps are required to move the water through the plant and on to the city pumping stations (Pump Stations 1 and 2). The pump assemblies have exposed workings and are vulnerable to malevolent acts. There are no spare pumps on site.

Loss of Key Personnel: At each of the treatment plants, there is only one treatment plant operator on duty at any time. They have other duties (some processes on the first floor are manual and require their physical presence) and therefore they are not always in the control room. There are 15 certified treatment plant operators on the roll for the entire water utility. Treatment plant operators belong to the union.

This information was used to customize the site-specific fault tree and to identify critical assets. Refer to Section 5.4 for full details.

A.5 CONSEQUENCE ASSESSMENT

After much detailed discussion, the assessment team brainstormed the following list of potential consequence measures:

• Loss of life
• Illnesses
• Impact on water utility ratepayers
• Impact on regional economic base
• Duration of widespread loss of fire protection
• Duration of widespread loss of water potability
• Economic loss
• Number of users impacted
• Cost to repair
• Number of critical customers impacted

Since the water utility focused on the topmost undesired event (interrupt or reduce ability to treat water supply), the following data were collected:

The water utility reviewed its financial records and estimated that it could withstand an economic loss of less than $500,000. Anything greater than $2,000,000 would be a great hardship. Reviewing their routine maintenance logs, the water utility determined that it could shut down the treatment plant for 8 hours and not impact their overall mission. They estimated that a shutdown over 24 hours would cause them severe problems. After reviewing their routine maintenance logs and public confidence records, they estimated that impacting fewer than 200 customers was an acceptable level. They estimated that impacting over 2500 customers would result in a severe consequence.

This information was used to develop the site-specific consequence matrix and to determine the consequence level for each critical asset. Refer to Section 5.6 for full details (consequence measures and matrix for the example water utility).

A.6 FACILITY CHARACTERIZATION AND PHYSICAL PROTECTION SYSTEM FOR TREATMENT PLANT 2

The facility is located on five acres owned and operated by the water utility. The facility is located 5 miles east of Bigg Lake and 10 miles from the suburbs. The facility was built in the 1930s as the single treatment facility. Other facilities were added to the processing as the town grew. The Plant 2 complex (1400 ft x 2500 ft) is enclosed by an 8-foot unsensored chain-link fence. The building (100 ft x 100 ft) is two stories tall and constructed of brick and stone. The building has many windows, allowing it to blend in with the local architecture. The plant control room is located on the second floor.
The control room is operated 24/7, but the operator has other duties. Therefore, the console is not staffed continuously. All plant chemicals and treatment process areas are located on the first floor. The facility uses one-ton chlorine cylinders for disinfection. They have 4 to 5 on line and 4 to 5 spares at any one time. Three 300-hp motors and pumps are in the first floor high bay area (see Figure A.3). All first floor doors into the building are alarmed during non-operational hours. A loading dock is located on the north side for chemical deliveries. All doors and windows are of typical commercial construction.

All vehicles (private and government), employees, contractors, and deliveries enter through the single vehicle gate. A pedestrian gate is co-located. One contract employee (an unarmed guard) controls access only during operational hours. Access is by recognition of employees or via a daily access list for deliveries and contractors. All security, water, and chemical alarms actuate locally in the plant control room and at the SCADA control center located downtown at the water utility's headquarters. Local law enforcement does not have access to any of the locked facilities, but they are the only armed response.

The water is transported by a 48-inch-diameter steel pipe from Bigg Lake to Treatment Plant 2. This main delivery pipe was constructed in the 1930s. Performance testing on equivalent pipes determined that the pipe could withstand 110 psi. The pipe enters the facility above ground through the perimeter fence into a holding pond. The pipe is supported by reinforced concrete stands, leaving the pipe exposed. The water is then pumped through the treatment process. A minimum of two pumps is required to meet the plant daily demand/capacity.
The required chemicals are added to the water through intakes located on the first floor of the treatment facility and regulated by SCADA through onsite operators.

This information was used to evaluate the existing physical protection and operating systems, and to identify vulnerabilities. Refer to Section 5.7.2 for full details.

[Figure A.3 (site schematic not reproduced; legend: Loading Dock, Guard House, Door, Pedestrian Gate, Vehicle Gate)]
Figure A.3. Schematic of Treatment Plant 2

A.7 ONSITE SCADA INTERVIEW

The assessment team interviewed the SCADA personnel (system administrators and operators) following a detailed structured interviewing tool to characterize the SCADA system. Responses from the onsite interview were as follows:

• The SCADA server equipment is within a locked room in a controlled access building
• Manual operation is an option if the SCADA system fails
• The SCADA system includes leased lines from the local phone company
• The city department of public works ATM network is used for SCADA operations
  o Data separation and protection strategies have not been considered or implemented
• SCADA and IOC software are not designed with any inherent security
• Data transmissions are not encrypted or authenticated
• Operating system security patches are not maintained
• Subcontracted janitors and security guards have access to control room instrumentation
  o Contracting agency must provide names and social security numbers of workers
  o A water utility employee is in the main control room (downtown) at all times
• The original SCADA system configuration management documents from the vendor are available
• Remote access connectivity to the SCADA network is used for troubleshooting
  o Remote access is not a critical capability; it is a convenience
• Passwords are used for access control of remote access
  o Passwords are shared
  o Passwords are periodically changed (no set period of time between password changes)
  o Management can provide remote access privileges to non-water utility personnel
• Modems are located on servers that can reach all parts of the network through login
• The SCADA network is connected to the business network
• System administrators are aware of critical system components, but this information is not formally documented
• The SCADA system has no security policy or plan
• Unnecessary services (such as Trivial File Transfer Protocol (TFTP), File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP)) have not been disabled on the SCADA platforms
• Security alarms for SCADA equipment use the same communication lines as the SCADA control network
• Information sensitivity levels have not been identified
• RTUs are only reachable through the SCADA network or a local console port
  o No direct dial-up accessibility
• RTUs do not use a standard OS such as Windows, Unix, Linux, etc.
• Remote SCADA equipment is contained within locked buildings
  o A number of employees have keys to these buildings
  o Laptops can be connected to the remote equipment if necessary

The two diagrams below provide additional descriptions of the SCADA system. Diagrams are extremely valuable in the SCADA analysis process. Figure A.4 depicts an overlay of the SCADA system on the water utility's other operations, and Figure A.5 illustrates the SCADA network at Treatment Plant #3.

[Figure C.1 (system diagram not reproduced; recoverable labels: Intake, Treatment Plant 1 Integral Pump Station 45 mgd, Well 2 14 mgd, SCADA, Headquarters, Business ATM, No treatment capability, Storage 50 mg)]
Figure C.1. Example Water Utility System

To begin the process of prioritizing the facilities, the facilities are compared for each of the criteria. A separate sheet is used for each criterion. In Table C.3, the criterion Capacity is used to compare the facilities. As drawn above, Intake Station 1, Treatment Plant 1, and the Integral Pump Station located at Treatment Plant 1 can only be operated in series; therefore, these facilities should be considered as one item. If any one of these facilities were utilized by other facilities, then they would be considered separately. If, for example, water from Intake Station 1 could be routed to Treatment Plant 2, then Intake Station 1 has value beyond just the series combination with Treatment Plant 1.

The same procedure used to prioritize the criteria is used to prioritize the facilities. In the example, when Treatment Plant 1 is compared to Treatment Plant 2 in terms of Capacity, it is determined that the importance of Treatment Plant 1 (capacity = 50 mgd) is much lower than the importance of Treatment Plant 2 (capacity = 90 mgd). A "1" is inserted into the matrix.
Likewise, Treatment Plant 1 is determined to be much greater than Treatment Plant 3 (capacity = 10 mgd) in importance for this criterion, and a 5 is inserted in the matrix. Continue in this manner to complete all squares above the diagonal. The mirror images below the diagonal can then be completed and the rows summed. The Weighted Number for a facility is arrived at by multiplying the sum for that facility by the sum for that criterion. In this example, Treatment Plant 1 has a sum of 11, which is multiplied by 13, the sum for the criterion Capacity (from Table C.3), yielding a Weighted Number of 143. The remaining sums for the facilities are also multiplied by 13, the sum used to rank the criterion Capacity, and placed in the last column ("Weighted Number") to complete the matrix (Table C.3).

Table C.3. Facility Comparison - Example Water Utility (Criterion "Capacity", Sum = 13)
[Matrix cells garbled in extraction; recoverable values: row sum for Treatment Plant 1 = 11, Treatment Plant 2 = 17, Treatment Plant 3 = 4; Weighted Number = row sum x 13]

This pairwise comparison is applied to each criterion developed and defined by the assessment team, and a facility comparison matrix similar to Table C.3 is completed for each criterion (i.e., continue the same process for "geographical extent," "critical customers," and "water quality"). Once all the comparisons are completed and the Weighted Numbers determined, a final facility matrix is completed to compare and rank the facilities (Table C.4) based on all the criteria. The weight of the criterion Capacity plays a major role in the analysis; thus the assessment team should agree on the importance of this criterion. If this is indeed correct, the highest prioritized facilities would be considered first for a comprehensive security risk assessment.

Table C.4. Facility Comparison and Ranking - Example Water Utility (All Criteria)
(criterion columns follow the order in which the criteria are listed above)

Facility              Capacity   Geographic Extent   Critical Customers   Water Quality   Sum   Rank
Treatment Plant #1       143            99                   80                108         430    3
Treatment Plant #2       221           144                   80                108         553    1
Treatment Plant #3        52            27                  160                 84         323    5
Pump Station #1          156           117                   80                 30         383    4
Pump Station #2          208           153                   80                 30         471    2

APPENDIX D: THREAT ASSESSMENT

Appendix D contains:

• Definitions for the low, medium, high, and very high-level outsider threat
  o Examples of outsider threats
• Definitions for the low, medium, and high insider threat
  o Examples of insider threats
• Definitions for the low, medium, and high cyber hacker threat
  o Examples of insider and outsider hacker threats
• Definition for collusion
• Blank Threat Analysis Worksheets for
  o Outsider Threat
  o Insider Threat - Part 1
  o Insider Threat - Part 2
  o Summary Description

D.1 OUTSIDER THREAT DEFINITIONS

Low-Level Threat. One or two outsiders, vandals with no authorized access or inside information, using portable hand tools with the intent to inflict physical damage to the water utility facility or theft of water utility property or equipment. These outsiders do not intend to cause physical harm to water utility employees or to end-users.

Medium-Level Threat. A group of one to three outsiders equipped with sophisticated tools and weapons. All equipment is person portable and easily obtainable. The outsiders have limited knowledge of the security system and of the water operations. The outsiders' goal is to inhibit delivery of water by causing damage to critical assets of the water utility facility.

High-Level Threat.
An organized, highly motivated group of up to five outsiders, equipped with sophisticated tools, explosives, weapons, and possibly chemical or biological agents. All equipment is person portable and easily obtainable. The outsiders have extensive knowledge of the security system and of the water operations. They also have sophisticated cyber capabilities with moderate resources, including a combination of physical and cyber attacks on the water system assets to inhibit the delivery of water. The outsiders can work as a single unit or in teams to achieve their goals. The outsiders' goal is to inhibit delivery of water by causing damage to water utility critical assets or to introduce chemical/biological agents into the water supply to harm end users.

Very High-Level Threat. This group of adversaries possesses all the attributes that the outsider high-level threat has, plus larger than backpack quantities of explosives (truck bombs) and chemical, biological, and radiological materials with the intent to use them to cause massive deaths and inhibit the distribution of water.

D.1.2 Outsider Threat Examples

Example 1. A single outsider, with no authorized access or inside information, using hand tools and small power tools, who intends to inflict sufficient physical damage to the assets of the water utility to impede delivery of water for X hours for Y users. The outsider does not intend to cause physical harm to water utility employees or to end-users.

Example 2. A single former employee, with no authorized access, but having knowledge of the system, using hand tools and small power tools. The former employee's goal is to damage assets of the water utility to impede delivery of water for X hours and Y users and/or to introduce substances (chemicals available at the water utility only) into the water supply to harm (make ill, kill) end-users.

Example 3.
A group of one to three terrorists with sophisticated tools, explosives, and weapons. The terrorists' goal is to damage assets of the water utility to impede deli very of water for X hours and Yusers andlor to introduce substances (chemicals available at the water utility only) into the water supply to hann (make ill, kill) end-users. Dol INSIDER THREAT DEFINITIONS Low-Level Threat. One insider (employee or authorized contractor) with access to onsite hand and power tools whose intent is to inflict physical damage to the water utility or theft of water utility property or equipment. Medium-Level Threat. A single, motivated employee or contractor working unaccompanied with authorized access, possessing extensive knowledge of the water operations, the emergency response, the security systems, and the cyber (including SCADA) systems. The insider has access to hand and power tools and authorization to access the chemicals available at SENSITIVE SECURITY INFORMATION: CONFIDENTIAL AND PROPRIETARY \ .. ) ') r} 176 the water utility. The insider has knowledge of the security procedures and uses this knowledge to achieve their goals. The insider's goal is to inhibit delivery of water by damaging or manipulating assets of the water utility or to introduce substances (onsite chemicals) into the water supply to harm end users. This insider has power-user types of skills. The cyrer adversary has console or network access to all of the control equipment in one facility, and may, through knowledge of the Supervisory Control and Data Acquisition (SCADA) system, be capable of manipulating the entire system. High·Lepel Threat. A single motivated or disgruntled employee or authorized contractor working unaccompanied with authorized access, possessing extensive knowledge of the water system, the security system, and detailed knowledge of the SCADA hardware and software. 
This insider has access to the same equipment as the medium-level threat but possesses greater knowledge and access to SCADA hardware and software. The insider-high adversary also may use handguns to intimidate or harm water utility personnel. D.2.1 Insider Threat Examples Example 1. A former disgruntled employee or contractor with limited access to some facilities (water utility has no key control procedure/process), has some limited knowledge of the water system and security system, and would use available hand and power tools. The former employee/contractor's goal is to damage or steal property. Example 2. A single employee with authorized access, possessing knowledge of the water system, using hand and power tools readily available (will not bring their own tools), with access to the chemicals available at the water utility. The employee has knowledge of the security system. The employee's goal is to damage assets of the water utility facility to impede delivery of water for X hours and Y users and/or to introduce substances into the water supply to harm (make ill, kill) end-users. D.3 HACKER THREAT DEFINITIONS Low·Lepel Threat. An individual with no insider knowledge of the water utility. Access is via Internet only. Minor cyber vandalism to non-critical business areas. Medium·Lepel Threat. An individual with limited knowledge of Information Technology (IT) structure for the water utility. This individual may have direct access via SENSITIVE SECURITY INFORMATION: CONFIDENTIAL AND PROPRIETARY 177 modem or PC connected to IT structure and may have and use sophisticated hacker tools to compromise the systems. Actions may include: denial of service, and disruption of some business functions. High-Level Threat. An individual or small group. They may possess full knowledge of IT infrastructure and the SCADA system, have access to the administrator function, and may coordinate a cyber attack with a physical attack. 
May use sophisticated network sniffing gear andlor other hacker tools. Actions may include a coordinated cyber attack, with the destruction of data and systems. Business continuity is threatened. ) . , D.3.1 Hacker Threat Examples , y Outsider Threat Example. A single hacker, with no authorized access or inside information, attempting to remotely break into the SCADA system, who intends to take control of various assets andlor deny access to the control system. The outsider does not intend to cause physical harm to water utility employees or to end-users. Insider Threat Example. A single employee with authorized access, possessing knowledge of the SCADA system. The employee's goal is to damage the assets of the water utility through manipulation of the SCADA system to impede delivery of water for X hours and Y users andlor to introduce substances into the water, or reduce the water quality through altered treatment processes, to harm (make ill, kill) end-users. ) D.4 COLLUSION Collusion is defined as an insider working together with Medium-, High-,or Very HighJ , , Level Threat Outsiders. A passive insider would brief the outsiders giving full details of the ,.1 , '" water operations, providing maps and diagrams, and describing the emergency and the security '(J systems. An active insider (can be violent or non-violent) would prepare the site systems for the , ''l, v'; outsiders and acti vel y engage to some degree with the attack. This threat would have attributes from a combination of the insider and outsider threats. Collusion was not evaluated for the example water utility. (J SENSITIVE SECURITY INFORMATION: CONFIDENTIAL AND PROPRIETARY -, '---1 178 ,/I D.S WATER SYSTEM THREAT ANALYSIS WORKSHEETS ) D.S.1 Worksheet for the Outsider Threat Analysis ) Table D.l is a water system threat analysis worksheet (a completed worksheet for the ) example water utility is shown in Section 4.5.1). 
The worksheet lists the type of information required to describe the outsider threat. Table D.4 provides a format to summarize the type and capabilities of the potential threat spectrum for the water utility. This information will later be used to develop adversary strategies and scenarios and evaluate system effectiveness for these scenarios. The assessment team will complete this worksheet for each potential category of outsider adversary. All of the information that the assessment team will collect, organize, and analyze will help them make an informed decision about the outsider threat. The following guidance will help in completing the form:

Line 1: Description of historical incidents associated with the threat type.
Line 2: Review of potential threats to similar facilities.
Line 3: Motivations that might prompt potential adversaries to undertake criminal actions can be grouped into three broad categories. Ideological motivations are those linked to a political or philosophical system. Economic motivations involve a desire for financial gain. Personal motivations pertain to the special situations of specific individuals.
Line 4: Estimate the number of adversaries.
Line 5: Adversaries will be expected to use any tactics that increase their chances of achieving their objective. These tactics include force, stealth, and deceit. A force tactic is one in which the adversary overpowers the system or personnel with no attempt to hide their intention. Stealth refers to the adversary trying to enter a facility covertly; the goal is to remain undiscovered for as long as possible. Deceit implies the use of real or forged credentials to gain access to information or assets. Adversaries could use a combination of tactics (e.g., a criminal might use stealth and deceit).
Line 6: Available tools include weapons, hand and power tools, and cutting torches, as well as any equipment located at the site of the attack. This might include such things as chemicals, forklifts, or company vehicles.
Line 7: Will the adversary be armed and if so, with what type of weapons?
Line 8: Will the adversary have explosives and if so, what kind?
Line 9: Describe their means of transportation (truck, helicopter, etc.).
Line 10: Where and how can the adversary get diagrams and information about the water utility's operations and security system (public information, tours, insider knowledge, websites, etc.)?
Line 11: How sophisticated is the adversary?
Line 12: How well supported is the adversary?
Line 13: Will the adversary have insider assistance?

Table D.1. Water System Outsider Threat Analysis Worksheet

Utility:            Date:            Adversary:
1. Incidents (historical)
2. Has the adversary targeted the water utility or a similar (nearby) facility?
3. Motivation (ideological, economic, or personal)
4. Expected number of adversaries
5. Tactics
6. Equipment
7. Weapons
8. Explosives
9. Transportation
10. Intelligence gathering means
11. Technical skills and knowledge
12. Financial resources
13. Potential for collusion with insider
Recorded by:            Is this a continuation sheet? Y N (circle)

Table D.2 is the Insider Threat Analysis Worksheet. The different types of insiders at a water utility should be listed and the information in the table completed. Types of insiders might include the security designer, SCADA operator, maintenance person, engineer, clerical workers, plant manager, security guard, and so on. The assessment team evaluates (based on interviews) how often each type of insider has access to critical facilities (assets), the security system, and the SCADA system. Qualitative indicators "never," "occasionally," and "often" are used to indicate the frequency of access for each type of insider. Table D.3 (Part 2 Worksheet) lists the type of information required to describe the insider and is similar to the outsider threat worksheet. Both these tables are completed for the example water utility (Section 4.5.2).

Table D.2. Water System Insider Threat Analysis Worksheet - Part 1

Utility:            Date:            Recorded by:
Adversary:          Is this a continuation sheet: [ ] Yes [ ] No
List insider positions of concern: (seven blank entries)
To complete the section below, indicate the potential access for each insider position with the following qualitative indicators: Never, Occasionally, Often. (The column headings of the access matrix are not legible in the extracted table; per the text above they cover access to critical facilities, the security system, and the SCADA system.)

The following form collects more detailed information and in this case is filled out for the insider threat. The assessment team needs to determine whether they are required to consider an insider as a potential threat. If they do consider an insider, they will complete this worksheet for any potential category of insider adversary. This is the kind of information that the assessment team will collect, organize, and analyze so they can make an informed decision about the insider threat.

Table D.3. Water System Insider Threat Analysis Worksheet - Part 2

Utility:            Date:            Recorded by:
Adversary:          Is this a continuation sheet: [ ] Yes [ ] No
1. Incidents (historical)
2. Expected number of adversaries
3. Tactics
4. Equipment
5. Technical skills and knowledge

The outsider and insider worksheets for all potential threats need to be completed and analyzed so that the entire threat spectrum can be examined. The examination of the threat spectrum leads to the definition of a DBT. This part of the process is accomplished by consultation between the water utility management, the assessment team, and outside sources such as consultants and local law enforcement agencies, which may have intelligence that relates to the threat. Consideration is given to several factors such as the nature of likely attacks provoked by the local environment, reasonable measures that might be taken to thwart an adversary, physical characteristics of the water utility, etc. The threat spectrum is summarized in Table D.4 and the DBT is selected from this worksheet.

Table D.4. Water System Threat Analysis Summary for Example Water Utility

Threat Analysis Summary Worksheet
Columns: Adversary | Number | Equipment | Knowledge | Weapons | Tactics | Vehicles (last heading only partly legible)
Rows (blank in the source):
  Outsider (Low)
  Outsider (Medium)
  Outsider (High)
  Outsider (Very High)
  Insider (Low)
  Insider (Medium)
  Insider (High)
  Cyber Threat (Low)
  Cyber Threat (Medium)
  Cyber Threat (High)

An examination of the threat spectrum defined in Table D.4 leads to the definition of a DBT. The proposed DBT should be drafted and reviewed and agreed to by management before proceeding on with the detailed assessment. The final definition of threat for the water utility is required information for the remainder of the risk analysis.
APPENDIX E: FAULT TREE ANALYSIS

The fault tree is a tool used in security risk assessments that logically describes the operations and shows the interconnections between subsystems. Fault trees are constructed from the adversary's point of view. They are, therefore, essentially logic diagrams that, if carefully created and maintained, indicate what an adversary might do to defeat one or more of the mission objectives of the water utility. Sandia developed a Generic Undesired Event fault tree for water utilities that attempts to capture the essential water utility mission(s) and includes a host of likely undesired events. The symbols are important elements of the fault tree that make up the tree elements. Each of these symbols has a specific meaning. The general symbols used in fault tree analyses are shown below. Version 2 of the methodology also includes a large-sheet copy of the generic fault tree.

E.1 FAULT TREE SYMBOLS

E.1.1 UNDESIRED EVENTS

Every boxed item on the tree is an event. The Generic Fault Tree is composed of undesired events. They defeat or impair the ability of the water infrastructure to meet its design objectives. Undesired events describe the misuse, damage, or destruction of critical assets. The tree shows how a malevolent human adversary can defeat the mission objectives by accomplishing one or more undesired events.

E.1.2 "OR GATE" SYMBOL

The top of the "Or Gate" is an arch; the bottom is a chevron. The Undesired Event above the Or Gate occurs if any of the Undesired Events below the Or Gate occur.

E.1.3 "AND GATE" SYMBOL

The top of the "And Gate" is an arch; the bottom is a straight line. The Undesired Event above the And Gate occurs if all of the Undesired Events below the And Gate occur.

E.1.4 "TRANSFER TO" SYMBOL

The symbol is a triangle beneath an event box. When it is inconvenient to develop the tree directly under Undesired Event A, the development is "transferred to" a more convenient location on the page. The Transfer triangle beneath Undesired Event A contains a number by which the development is identified.

E.1.5 "TRANSFER FROM" SYMBOL

The symbol is a triangle to the left of the event box to which the transfer is made. The triangle contains the same number that appeared in the related "transfer to" triangle.

E.1.6 "UNDEVELOPED EVENTS" SYMBOL

The symbol is a diamond beneath the undeveloped event box. Undeveloped events may be relevant to the mission but are not within the scope of the assessment.

Table E.1 is a key to fault tree symbols.

Table E.1 Fault Tree Symbols

Symbol                                              Description
Undesired Event (box)                               Every event in a fault tree is undesired. The highest event on the tree is the Treetop. The lowest event on any path is a Basic Event. Events between the Treetop and the Basic Events are Intermediate Events.
Or Gate (arch top, chevron bottom)                  The Undesired Event above the Or Gate occurs if any of the Undesired Events below the Or Gate occur.
And Gate (arch top, straight-line bottom)           The Undesired Event above the And Gate occurs if all of the Undesired Events below the And Gate occur.
"Transfer to" Symbol (triangle beneath a box)       When it is inconvenient to develop the tree directly under Undesired Event A, the development is "transferred to" a more convenient location on the page. The Transfer triangle beneath Undesired Event A contains a number by which the development is identified.
"Transfer from" Symbol (triangle left of a box)     Marks the event box to which the transfer is made; the triangle contains the same number that appeared in the related "transfer to" triangle.
Undeveloped Event (diamond beneath a box)           Undeveloped events may be relevant to the mission but are not within the scope of the assessment.

Water System Fault Tree Top Levels (Generic)

(Reconstructed as an outline from the extracted diagram; only the event labels survived, not the drawn gate symbols.)

Treetop (overall undesired event): Defeat the Mission of the Water System by Deliberately, Malevolently Causing an Undesired Event. The mission being defeated is the ability to supply water for fire protection or potable uses while preserving public safety.
  1. Interrupt or Impair Water Flow in the System
     1.1 Loss of Water Sources
     1.2 Disable Pretreatment or Treatment Process
     1.3 Interrupt or Impair Ability to Distribute Water
     (These events are developed on succeeding pages.)
  2. Cause Injury to Users by Contamination of Water Supply
     2.1 Contaminate Water Before Distribution
     2.2 Disable Pretreatment/Treatment Process
     2.3 Contaminate Water in Distribution System
     (Subtrees 2.1, 2.2, and 2.3 develop these events.)
  3. Use Weapon of Mass Destruction-Type Event to Injure Employees and the Public (drawn dashed: possible strategies of the adversary)
  4. Compromise Public Confidence (drawn dashed: possible strategies of the adversary)
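The gate and transfer conventions above are easiest to check by executing them. The following Python program is an added example, not code from the report or from Sandia's RAM-W tools: it models boxed events, OR and AND gates, "transfer to/from" triangles resolved through a numbered subtree registry, and undeveloped (out-of-scope) events, then propagates adversary-achieved basic events up to the treetop and enumerates minimal cut sets (the smallest combinations of basic events that defeat the treetop). The tree inside `build_example_tree` is a constructed cut-down version of the generic tree; the event ids, the choice of OR versus AND at each node, and the redundancy assumptions (both valve drivers, both communication paths must be lost) are assumptions for illustration, not the methodology's own tree.

```python
"""Fault tree evaluation following the RAM-W symbol conventions (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass
class Event:
    """One boxed undesired event; gate is None for a basic (leaf) event."""
    id: str
    label: str
    gate: Optional[str] = None                 # "OR", "AND", or None
    children: List["Event"] = field(default_factory=list)
    transfer: Optional[str] = None             # number of the subtree developed elsewhere
    undeveloped: bool = False                  # diamond symbol: outside assessment scope


Registry = Dict[str, Event]                    # "transfer to"/"transfer from" lookup by number


def resolve(event: Event, registry: Registry) -> Event:
    """Follow a transfer triangle to the numbered subtree it names."""
    return registry[event.transfer] if event.transfer else event


def occurs(event: Event, achieved: Set[str], registry: Registry) -> bool:
    """True if `event` occurs given the ids of the basic events the adversary achieved."""
    event = resolve(event, registry)
    if event.gate is None:
        return event.id in achieved
    outcomes = [occurs(child, achieved, registry) for child in event.children]
    return any(outcomes) if event.gate == "OR" else all(outcomes)


def _minimize(sets: Set[FrozenSet[str]]) -> Set[FrozenSet[str]]:
    """Keep only cut sets that contain no other cut set (the minimal ones)."""
    return {s for s in sets if not any(other < s for other in sets)}


def minimal_cut_sets(event: Event, registry: Registry) -> Set[FrozenSet[str]]:
    """Minimal cut sets of `event`: smallest combinations of basic events that make it occur.

    An OR gate's cut sets are the union of its children's; an AND gate's are the
    unions across its children (every child must occur).  Undeveloped events
    contribute nothing, mirroring their out-of-scope status.
    """
    event = resolve(event, registry)
    if event.undeveloped:
        return set()
    if event.gate is None:
        return {frozenset([event.id])}
    child_sets = [minimal_cut_sets(child, registry) for child in event.children]
    if event.gate == "OR":
        combined: Set[FrozenSet[str]] = set().union(*child_sets)
    else:
        combined = {frozenset()}
        for cut_sets in child_sets:
            combined = {a | b for a in combined for b in cut_sets}
    return _minimize(combined)


def single_points_of_failure(event: Event, registry: Registry) -> Set[str]:
    """Basic events that defeat `event` on their own: the first protection priorities."""
    return {next(iter(cs)) for cs in minimal_cut_sets(event, registry) if len(cs) == 1}


def _basic(event_id: str, label: str) -> Event:
    return Event(event_id, label)


def build_example_tree() -> Tuple[Event, Registry]:
    """Constructed cut-down version of the generic tree (gate types and redundancy assumed)."""
    registry: Registry = {
        "1.n.5": Event("1.n.5", "Loss of critical valve systems", "OR", [
            _basic("1.n.5.a", "Disable/destroy valve"),
            # Assumption: the valve driver is lost only when both drivers are lost.
            Event("1.n.5.b", "Disable/destroy valve driver(s)", "AND", [
                _basic("1.n.5.b1", "Disable/destroy primary valve driver (electrical)"),
                _basic("1.n.5.b2", "Disable/destroy backup valve driver (non-electrical)"),
            ]),
        ]),
        # Assumption: hardwire and RF paths are redundant, so both must fail.
        "1.n.8": Event("1.n.8", "Loss of critical communications", "AND", [
            _basic("1.n.8.a", "Cut hardwire telephone line"),
            _basic("1.n.8.b", "Disable/destroy RF receiver/transmitter"),
        ]),
        "1.1": Event("1.1", "Loss of water sources", "OR", [
            Event("1.1.5", "Loss of critical valve systems", transfer="1.n.5"),
            Event("1.1.8", "Loss of critical communications", transfer="1.n.8"),
        ]),
    }
    treetop = Event("TOP", "Defeat the mission of the water system", "OR", [
        Event("1", "Interrupt or impair water flow in the system", "OR", [
            Event("1.1", "Loss of water sources", transfer="1.1"),
            Event("1.2", "Disable pretreatment or treatment process", undeveloped=True),
        ]),
        Event("2", "Cause injury to users by contamination of water supply", undeveloped=True),
    ])
    return treetop, registry


if __name__ == "__main__":
    top, reg = build_example_tree()
    for cut in sorted(minimal_cut_sets(top, reg), key=sorted):
        print("cut set:", sorted(cut))
    print("single points of failure:", sorted(single_points_of_failure(top, reg)))
```

Run as a script, it lists three minimal cut sets for the constructed tree and flags "1.n.5.a" as the only single point of failure; in an assessment that list is the input to the next step, deciding which basic events the protection system must detect and delay. Undeveloped events drop out of the cut sets by design, which is the same scoping decision the diamond symbol records on paper; an AND gate with an undeveloped child therefore yields no cut sets until that branch is developed.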
(The following subtree diagrams are reconstructed as outlines from their extracted event labels; the drawn gate symbols did not survive extraction, and labels marked illegible could not be recovered.)

1.1 Loss of Water Sources (Identify Source(s))
  1.1.1 Interrupt or Reduce Ability to Tap Source(s) of Untreated Water
  1.1.4 Loss of Critical Pump Systems
  1.1.5 Loss of Critical Valve Systems
  1.1.6 Misuse/Damage Process Control System
  1.1.7 Damage/Destroy Critical Pipelines/Conduits
  1.1.8 Loss of Critical Communications
  1.1.9 Loss of Key Personnel
  Subtrees .1, .4, .5, .6, .7, .8, and .9 develop these events.

1.2 Disable Pretreatment or Treatment Process (Identify Site of Pretreatment or Treatment)
  1.2.4 Loss of Critical Pump Systems
  1.2.5 Loss of Critical Valve Systems
  1.2.6 Misuse/Damage Process Control System
  1.2.7 Damage/Destroy Critical Pipelines/Conduits
  1.2.8 Loss of Critical Communications
  1.2.9 Loss of Key Personnel
  1.2.11 Misuse of Pretreatment/Treatment Chemicals
  Subtrees .4, .5, .6, .7, .8, .9, and .11 develop these events.

1.3 Interrupt or Impair Ability to Distribute Water (Identify Location of Event)
  1.3.2 Cause Loss of Pressure in Distribution
  1.3.3 Interrupt or Reduce Ability to Store Water
  1.3.4 Loss of Critical Pump Systems
  1.3.5 Loss of Critical Valve Systems
  1.3.6 Misuse/Damage Process Control System
  1.3.7 Damage/Destroy Critical Pipelines/Conduits
  1.3.8 Loss of Critical Communications
  1.3.9 Loss of Key Personnel
  Subtrees .2, .3, .4, .5, .6, .7, .8, and .9 develop these events.

Generic Subtrees: Interrupt or Impair Water Flow in the System

1.1.1 Interrupt or Reduce Ability to Tap Source(s) of Untreated Water (Identify Source(s))
  1.1.1.1 Loss of Wholesale Raw Water
  1.1.1.2 Loss of Surface Water Source(s): Lakes, Streams, Reservoirs (repeat for each essential surface water source)
    1.1.1.2.1 Damage/Contaminate Watershed
    1.1.1.2.2 Brea... (label truncated in the source)
  1.1.1.3 Loss of Wells to Draw from Groundwater Source(s)
  (The remainder of this page is illegible in the source.)

1.n.5 Loss of Critical Valve Systems (Identify Valve(s))
  Disable/Destroy Valve
  Disable/Destroy Valve Driver(s)
    Disable/Destroy Primary Valve Driver(s) (Electrical): Disable/Destroy; Cut Primary Driver
    Disable/Destroy Backup Valve Driver(s) (Non-electrical)
  Misuse Valve
    Manual Manipulation
    Misuse/Damage Process Control System
  Contamination of Hydraulic Fluid; Loss of Hydraulic Fluid (parent node not legible)

1.n.6 Misuse/Damage Process Control System (Identify Control System)
  Misuse/Damage Manual Control System
  Misuse/Damage SCADA System
    Sabotage Transducers
    Sabotage SCADA Communication from Transducers
    Sabotage SCADA Control Processor (e.g., alter control software, control parameters, chemical dosages)
    Sabotage Other SCADA Elements (modems, etc.)
    Sabotage SCADA Communication to Actuators
    Sabotage the Process Control Actuators
  SCADA - Supervisory Control and Data Acquisition

Generic Control Process (figure): a control process application takes input from sensors/transducers, makes an output decision subject to parameters and constraints, and drives actuators; its output also goes to other SCADA control elements. Legend: Sensor/Transducer, Condition, Valve, Actuator, Action, Communication, Controlled Process. Note on the figure: a plant may use multiple cascading process loops (the rest of the note is illegible).

1.n.7 Damage/Destroy Critical Pipelines/Conduits (Identify Pipeline/Conduit)
  Damage/Destroy Underground Pipe/Conduit
    Excavate Pipe/Conduit; Damage/Destroy via Access Hatch or Port; Damage/Destroy via Vent
    Open/Penetrate Hatch/Port; Open/Penetrate Vent; Rupture Pipe/Conduit with Explosives
  Damage/Destroy Exposed Pipe/Conduit
    Exposed Pipe/Conduit in Tunnels; on Bridges; over Open Channels; to Critical Customers; above Ground
    Rupture Pipe/Conduit with Tools or Explosives
  Loss of Critical Valves
  Loss of Shafts

1.n.8 Loss of Critical Communications (Identify Communications System)
  Loss of Direct-Connection Hardwire Telephone System: Disable/Destroy Handset/Modem; Cut Line
  Loss of RF Radio Over-the-Air Microwave System: Disable/Destroy Antenna; Disable/Destroy Receiver/Transmitter
  Loss of Fiber Optic System: Cut Line; Disable/Destroy Receiver/Transmitter

1.n.9 Loss of Key Personnel (Identify Position & Location)
  Loss Due to a Strike; Loss Due to Illness; Loss Due to Kidnapping; Loss Due to Death
  These events, malevolently caused, do not by themselves defeat mission objectives; they would impair the ability to cope with a crisis or recover from it in the most timely manner. Minimizing the number of key personnel, for example by cross training, is desirable.

n.n.10 Cut Power (Identify Power System)
  Cut Power Lines from Utility
  Loss of Substation (affects whole plant)
    Damage/Disable/Open High Voltage Switches/Bus (SCADA, short circuit)
    Loss of Transformer (destroy, rupture tank, short circuit)
  Loss of Power Source: Damage/Disable/Open Low Voltage Switches/Bus
  Loss of Backup Power
    Damage/Disable/Open Low Voltage Switches/Bus
    Damage/Disable/Open UPS
    Damage/Disable/Open Non-electrical Driven (label illegible)
    Damage/Disable Mobile Substation (SCADA, short circuit)

n.n.11 Misuse of Pretreatment/Treatment Chemical(s) (Identify Chemical, Quantity and Location)
  Gain Access to Target Chemical; Cause On-Site Toxic Release; Chlorine; Ammonia; Other
  (The remaining labels, which refer to chemical feed pumps and manual/SCADA control, are only partly legible.)

n.n.12 Loss of Shaft(s) (Identify Shaft; applies to deep rock tunnels)
  Destroy Physical Structure; Destroy Piping/Valves; Misuse/Damage Process Control System

Generic Subtrees: Contaminate Water in the System

2.1 Contaminate Water Before Distribution (Site of Contamination)
  Disable Pretreatment/Treatment Processes
  Introduce Contamination
    Obtain Contaminant: Biological Pathogens/Toxins; Chemicals: Organic/Inorganic; Radionuclides
    Bring to Point of Injection (defeat security measures, especially detection)
    Inject Contaminant
  Consider hazardous material spills, accidental or deliberate, and beyond the capability of water treatment to remove.

2.2 Disable Pretreatment/Treatment Processes (Identify Site of Treatment/Pretreatment)
  Choose Process to Disable; Gain Access to Target(s) Including Backups; Destroy, Damage, or Disable Target(s)
    Damage/Destroy Coagulation Capability
    Damage/Destroy Filtration Capability (Direct, Microstrainer, Slow Sand, Rapid Sand, Dual/Multi-Media, Pressure, Air Scour, Other): Filter Breakthrough; Hydraulic Overload; Contaminate Filters
    Loss of Chemical Supply
    Substitute Wrong Treatment Chemical(s) (may/may not contaminate; may involve toxic release)
    Wrong Dose: Underdose/Overdose
    ...adjustment (label partly illegible)
    Damage/Destroy Disinfection Capability (Reverse Osmosis, Ultraviolet, ...)

2.3 Contaminate Water in Distribution System (Site of Contamination)
  Obtain Contaminant: Biological Pathogens/Toxins; Chemicals: Organic/Inorganic; Radionuclides
  Bring to Point of Injection
  Inject Contaminant
    Introduce Contaminant into Mains
    Backflow: At Hydrants; Via Cross Connections; Via Air Valves (Blow Off); At Homes/Industrial; At Monitoring Stations
    Loss of Chlorine Residual
    Over-chlorination at Booster Station
    Manipulation of On-Site Chemicals

Generic Subtrees: Use Weapon of Mass Destruction-Type Event to Injure Employees and/or the Public
Weapon of Mass Destruction-Type Event to Injure Employees and/or the PubliC Q r I Gain Access to Target Triggerl Release Weapon of Mass Deslruction Q r Breach Pipeline., Valves I I I Gause Hydraulic Event Gause Oftsile Release of Toxic Water Treatment Chemical Cause ElCPlosion 4l I Breach Unit Siorage 1 Breach Dams, Embankments I Cause Oft.ite Ralease of Gaseous Chlorine Q I I .1''''' Gause OHsile Release of Cause Other Gaseous Toxic Oftsite Ammonia Release SENSITIVE SECURITY INFORMATION: CONFIDENTIAL AND PROPRIETARY Gause Large Fire Flammable Agents; __ II.. , I Generic Subtrees Compromise Public Confidence .N... . .j>. SENSITIVE SECURITY INFORMATION: CONFIDENTIAL. AND PROPRIETARY , (." 􀁦􀁾􀀧􀀢􀀠 (""'1 r" r"'" ,<,-;<,.,., (-'-': 􀁾􀁾􀀢􀀻􀀺􀀧􀀺􀀻􀀮􀀠 :""., {""" r"', ,,,,'.., ("\ ) '-:'\"\ ' "\ , 􀁾􀁹􀁉􀀠 t........ 􀁜􀀢􀀮􀁾..... 􀁾􀀬􀀮􀀺􀀮􀀠 " ..... 􀀢􀀧􀁾.... 􀁾􀀠x...... I...:.vJ W 􀁾􀀠t...oJ 􀁾􀀮􀀻􀀮􀁕􀀠 􀁾􀀠􀁾􀀬􀀠 􀀮􀁾􀀠 -j ..... ,.' ',./' .. .-.' ' __/'_" ,_-, I",w..J 􀁾􀀠Y \.t..,J W 􀁾􀀠,*".) ...,,; ">lot> 􀀢􀀢􀀭􀁾􀀠 "'"rJ W ....,..J ......j .......:; 􀁾􀁾􀀩􀀠 ...,..,J ""••􀁾􀀠 !off) ',," 4. Compromise Public Confidence 4. Compromise Public. Confidence .N.... . VI I Contaminants Out of Control Bounds I Insufficient! Unreliable Supply. of Water 􀁾􀀠 r Journalistic Misrepresentation I Cause Unacceptable Taste/Odor/Color Fraudulent Threat Compromise Activated Carbon SENSITIVE SECURITY INFORMATION: CONFIDENTIAL AND PROPRIETARY 􀁾􀀩􀀠 ) ) ) , , , J ) ) ) ) C)' 􀀮􀁾􀀠 ) 􀁾􀀠) 􀁾􀀠 ) ) ) ) ), ,',) ' '. _J 'J. SENSITIVE SECURITY INFORMATION: CONFIDENTIAL AND PROPRIETARY) ; ) ) APPENDIX F: DATA COLLECTION QUESTIONNAIRES The questionnaires and worksheets in Appendix F are used to collect data about the water utility. They are certainly not exhaustive and can be thought of as "ticklers" to help the analyst in eliciting information about the water system. F.l. Policies and Procedures Questionnaire: This questionnaire tries to explore what security -related policies and procedures are in place. F.2. 
Cousequence Worksheet: The Consequence Worksheet uses a matrix with checkmarks to map relevant questions to elements of the Generic Undesired Event Fault Tree. F.3. Water System Data Collection Worksheets: The 􀁗􀁡􀁴􀁾􀁲 System Data Collection WorksheetslTables are used to collect various types of information about the water system. F.4. SCADA Fault Tree Questions: The SCADA Fault Tree questions map various questions to the generic subtrees to determine whether SCADA can bring about any of the undesirable events. F.S. SCADA Characterization Questions: If it is determined that SCADA can cause undesirable events, the SCADA Characterization Questionnaire is used to characterize the SCADA system. 5.6. Onsite Chemical Assessment Worksheet: The Onsite Chemical Assessment Worksheet is used to gather information about the chemicals on the site. There are three chemical listings on the worksheet (shown in gray) provided as an example. SENSITIVE SECURITY INFORMATION: CONFIDENTIAL AND PROPRIETARY 217 '} ) ) r) '.. " "'1 . , ) :) :) 'c] 􀁾􀀠) 􀁲􀁾􀀠 . ',.:J . 'J ) ) ) ) ) ) ) 􀁾􀁟􀀮􀁊 ·" :' D· ,] . :J :) :J 􀁧􀁾􀀠 􀁾􀁊􀀠 · ) CJ :) U. CJ " .) . · 1 ", . .lI .J SENSITIVE SECURITY INFORMATION: CONFIDENTIAL AND PROPRIETARY F.l. POLICIES AND PROCEDURES QUESTIONNAIRE FOR WATER UTILITIES 1. PolicieslProcedureslIncident Occurrence Reporting A. Do they have written security policies and procedures? What do they contain? If so, review a copy. Where are they normally kept? Does everyone have access? How? Who do they apply to? How are employees trained? How often are they trained? Are training records kept and accessible? How are they enforced? B. Do they have a badge policy? How'are folks trained? How often are they trained? ' How are they enforced? Policy if someone loses or forgets their badge? What type(s) of access control (site andlor building) systems do they employ? Where are they operational? Are PIN's used? Do all employees have access to all facilities? Do they have a key control policy? 
   How enforced?

C. Do they perform background checks on employees? How detailed? How often updated? Drug and alcohol screening?

D. Do they have other organizations sharing their facilities? How are they controlled?

F.1. Policies and Procedures Questionnaire - Continued

E. Do they have exit procedures for employees leaving? How detailed? If so, review a copy.
   Keys required to be turned in? Badges required to be turned in? Passwords automatically disabled?

F. Do they have a response force?
   Contract or direct? How trained? Are they armed? Do they have a policy on lethal force?
   Do they do rounds or random patrols?
   How do operators and guards interact? Is there any joint training?
   Who sees the security alarms? What are the procedures to handle alarms? Are they logged? Does the log contain a disposition of each alarm?
   What is the nuisance alarm rate? Is it within acceptable limits?
   Are alarms turned off during business hours?
   Do any of their alarms alert outside parties?
   Does the alarm system run through the SCADA system?
   How are operators trained on security?
   Are there duress alarms? Where, and what happens?

G. What is the policy for confronting unknown visitors accessing the site?
   Guards' response? Employee response? Do they notify anyone before they confront someone?

H. How do they deal with contractors?
   Do they have captive contractors? Janitorial, maintenance, etc.? Background checks on captive contractors? How are they trained on security policies and procedures? What are their requirements for site access?
   Construction and other contractors? How is their access controlled? What are their requirements for site access?

I. How do they deal with vendors? How is their access controlled?

J. How do they control chemical deliveries?
   Check chemicals before unloading? Restrict hours of delivery?

K. How do they deal with other visitors? Do they give tours?
   How do they control vehicular traffic to the site? Do they do random searches? Do they use car decals?

L. Do they have an Incident Command System? If so, review a copy. What does it include? Does it include information on responding to terrorism events?
   Have they done any training with other emergency services providers?
   What emergency response plans do they currently have? Do they train on them? Is the training documented and available? How communicated?

M. Do they have any agreements in place with local law enforcement? How long is the typical response time? Who is most likely to respond? How are they trained?

N. Incident Reporting
   Do they have an unusual occurrence reporting system? How long has it been operational? Who sees the reports? What action is taken in response, if any? Is the data trended in any way?
   Do the guards keep a log? Do the operators keep a log?
   What types of incidents have happened in the past? Vandalism? Threats? Intrusion? Hacking? Do they have a theft problem?
   What types of employee incidents have occurred?
   How do they characterize the management/union relationship?

F.2. CONSEQUENCE WORKSHEET

1. Interrupt/Impair Water Flow in the System
1.1 Loss of Water Sources
1.1.1 Interrupt or Reduce Ability to Tap Source(s) of Untreated Water

Questions:
- Contingency plans
- Interdependencies
- Historical problems
- Location concerns
- Single points of failure
- Alternate sources
- Concerns with the watershed
- Critical containment structures
- Ease/difficulty to damage the containment structure
- Size of the source
- What happens with a power loss
- Ease or difficulty to disrupt
- Intake systems: include other control structures
- Concerns with the aquifer
- Destroy/damage casings
- Contaminate casings

F.2. Consequence Worksheet - Continued

1. Interrupt/Impair Water Flow in the System
1.3 Interrupt or Impair Ability to Distribute Water

Questions:
- Contingency plans
- Interdependencies
- Historical problems
- Location concerns
- Single points of failure
- Ability to simulate main breaks
- Size of storage
- Ability of storage to supply system
- Flooding/collateral damage concerns
- Loss of wholesaler's treated water
- Concerns with dependence on a source

F.2. Consequence Worksheet - Continued

Subroutines .4 through .9

Questions:
- Contingency plans
- Interdependencies
- Historical problems
- Location concerns
- Single points of failure
- Back-up systems
- Spares
- Redundancy
- Ability to replace
- Criticality to operation
- Ability to cause a valve malfunction
- What happens with a loss of power
- Ability to operate facility
- Ability to manipulate processes
- Alter/misreport data
- [illegible] of energy source
- Exposed lines
- Size and flow rates
- Access points
- Locations marked
- Contamination issues
- Critical valves
- Connections to other systems or customers
- Ability to operate
- Control or feedback
- Alternate paths/methods
- Concerns with key personnel
- Concerns with attacks on key personnel

F.2. Consequence Worksheet - Continued

Subroutines .10 through .11

Questions:
- Contingency plans
- Interdependencies
- Historical problems
- Location concerns
- Single points of failure
- Concerns with chemicals
- Impacts if pretreatment disabled
- Chemicals validated before delivery
- Ability to cause toxic release
- Ability to use chemicals as accelerants or in explosives
- Types of treatment processes
- Chemicals
- Risk management plans required
- Ability to respond to chemical spills/leaks
- Types of filtration processes
- Backwash processes
- Loss of feed pumps
- Ability to substitute wrong chemical
- Natural contamination issues
- What happens with a loss of power
- Ability to operate facility
- Back-up systems
- Ease or difficulty to cut power
- Ability to replace

F.2. Consequence Worksheet - Continued

2. Contaminate Water

Questions:
- Biological contaminants of concern
- Chemical contaminants of concern
- Radiological concerns
- Contingency plans
- Ability to detect unexpected contaminants
- Natural contamination issues
- Ability to disable pretreatment/treatment process
  - Impacts if coagulation disabled
  - Impacts if filtration disabled
  - Impacts if disinfection disabled

F.2. Consequence Worksheet - Continued

3. Use Weapon of Mass Destruction Type Event to Injure Employees and/or the Public

Questions:
- Destroy facilities
  - Fire
  - Explosives
  - Chemical releases
  - Affecting public areas
- Large pipeline failures
  - Collateral damage
  - Flooding
- Pump failures
  - Fire
- Containment structure failures
  - Flooding
  - Collateral damage

F.3. DATA COLLECTION QUESTIONNAIRES

Table F.3.1. Water System Data Collection Worksheet

DEFINITIONS FOR ASSET CRITICALITY RATING

Very High: associated with WMD-type event

High: High criticality implies that loss of the function of the asset would produce an undesired consequence having a seriously adverse impact on the mission of the site.
• Loss of capability of the site to provide water to all customers for a period in excess of t1 days and causing losses in excess of $L1
• Loss of capability of the site to provide water to a critical customer (e.g., a hospital) for a period in excess of t2 days
• Contamination of water by monitored substances greatly in excess of federal standards and causing immediate serious health problems for the most susceptible people (e.g., infants, people with compromised immune systems, etc.)
• Contamination of water delivered to all customers by unmonitored substances that would cause serious illness or death

Medium: Medium criticality implies that loss of the function of the asset would produce an undesired consequence having a moderately adverse impact on the mission of the site.
• Loss of capability of the site to provide water to customers in m zone(s) for a period in excess of t3 days and causing losses between $L1 and $L2
• Contamination of water by monitored substances in excess of federal standards and causing delayed serious health problems
• Contamination of water delivered to any customer by unmonitored substances that would cause serious illness or death

Low: Low criticality implies that loss of the function of the asset would produce an undesired consequence and have a slightly adverse impact on the mission of the site.
• Loss of capability of the site to provide water to a few specific customers for a period in excess of t4 days and causing losses of less than $L2
• Contamination of water by monitored substances slightly in excess of federal standards
• Contamination of water by substances that would affect taste, color, or odor of water, but would not cause serious illness or death
• Property damage (vandalism)

Note: This form is provided to help the water utility define consequence measures. The values on this form (t1, t2, $L1, etc.) all come from the consequence table. This is simply an aid and is not included in the body of the methodology.

Table F.3.2. Water System Data Collection Worksheet

Recorded by:

Obtain answers to the following questions.
• Questions should be answered on this page and continuation pages if required.
• Answer Yes (Y) or No (N) to the right of each question.
• Supply additional comment in "Notes" keyed to the related question.

Threat Tactics
(1) Describe how adversary can disable/destroy asset.
(2) What mitigating measures can be employed to limit adversary attack?

Physical Security
(3) Describe route(s) adversary can access asset.
(4) Describe existing protection measures.
(5) Describe natural terrain or geographical features that might be barriers to the adversary.
(6) Describe potential vulnerabilities.

Police Response Force
(7) Describe response in terms of numbers and time to respond.
(8) Describe means of communication to response force.
(9) Describe equipment and training of response force.

Control Access & Authority
(10) How is "access and authority" by non-employee personnel (contractors, vendors, casuals, delivery personnel) to this facility controlled?
(11) Does abandoned or secondary access exist for this facility (tunnels, water mains, utility chases, etc.)?
(12) If yes, how are they controlled and documented?

Security System Integration
(13) Describe where and how alarms are annunciated.
(14) Describe protection for communication lines.
(15) Describe procedures for what happens when an alarm sounds.

Table F.3.3. Water System Data Collection Worksheet: Physical Protection Features
[Table not recoverable from the scan; surviving column fragments: area, asset enclosure, boundary (doors, windows, vents), distance between entrance and critical construction]

Table F.3.4. Water System Data Collection Worksheet: Physical Protection Features
[Table not recoverable from the scan]
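The Table F.3.1 definitions, applied as explicit rules so that every asset on the worksheet is rated the same way; this is an added example written for this page, not a worksheet or tool from the RAM-W report. The names t3 and t4 for the Medium and Low duration thresholds, the reading that $L1 is greater than $L2, and all numeric values are assumptions.

```python
"""Asset criticality rating per Table F.3.1 (added example, not part of the
RAM-W report). t1, t2 and $L1 are the table's own threshold names; t3, t4
and "$L1 > $L2" are assumptions made here; the values are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

RATING_ORDER = ["Low", "Medium", "High", "Very High"]


@dataclass(frozen=True)
class Thresholds:
    t1_days: float      # all customers without water longer than t1 (High)
    t2_days: float      # a critical customer without water longer than t2 (High)
    t3_days: float      # assumed name: m zone(s) without water longer than t3 (Medium)
    t4_days: float      # assumed name: a few specific customers longer than t4 (Low)
    l1_dollars: float   # losses above $L1 -> High
    l2_dollars: float   # losses below $L2 -> Low; between $L2 and $L1 -> Medium


@dataclass
class Consequence:
    wmd_type_event: bool = False
    outage_scope: Optional[str] = None   # "all", "critical_customer", "zones", "few_customers"
    outage_days: float = 0.0
    loss_dollars: float = 0.0
    contamination: Optional[str] = None  # a key of CONTAMINATION_RATING
    property_damage: bool = False        # vandalism


# Contamination rows of Table F.3.1, keyed by a short label.
CONTAMINATION_RATING = {
    "monitored_greatly_exceeds_immediate_harm": "High",
    "unmonitored_serious_all_customers": "High",
    "monitored_exceeds_delayed_harm": "Medium",
    "unmonitored_serious_any_customer": "Medium",
    "monitored_slightly_exceeds": "Low",
    "taste_color_odor": "Low",
}


def outage_rating(c: Consequence, th: Thresholds) -> Optional[str]:
    """Loss-of-water rows of the table; None when no row's conditions are met."""
    lo, hi = sorted((th.l1_dollars, th.l2_dollars))
    if c.outage_scope == "all" and c.outage_days > th.t1_days and c.loss_dollars > th.l1_dollars:
        return "High"
    if c.outage_scope == "critical_customer" and c.outage_days > th.t2_days:
        return "High"
    if c.outage_scope == "zones" and c.outage_days > th.t3_days and lo <= c.loss_dollars <= hi:
        return "Medium"
    if c.outage_scope == "few_customers" and c.outage_days > th.t4_days and c.loss_dollars < th.l2_dollars:
        return "Low"
    return None


def rate_asset(c: Consequence, th: Thresholds) -> Tuple[str, List[str]]:
    """Highest rating whose definition the consequence satisfies, plus the rows
    that matched. "Very High" is reserved for WMD-type events, as the table
    says. A consequence matching no row is treated as Low (assumption: the
    table defines nothing below Low)."""
    if c.wmd_type_event:
        return "Very High", ["associated with WMD-type event"]
    matched: List[Tuple[str, str]] = []
    outage = outage_rating(c, th)
    if outage:
        matched.append((outage, f"loss of supply: {c.outage_scope}, "
                                f"{c.outage_days} days, ${c.loss_dollars:,.0f}"))
    if c.contamination:
        matched.append((CONTAMINATION_RATING[c.contamination], f"contamination: {c.contamination}"))
    if c.property_damage:
        matched.append(("Low", "property damage (vandalism)"))
    if not matched:
        return "Low", ["no Table F.3.1 row matched"]
    best = max(matched, key=lambda m: RATING_ORDER.index(m[0]))
    return best[0], [f"{rating}: {why}" for rating, why in matched]


# Constructed thresholds; a utility takes these from its own consequence table.
EXAMPLE_THRESHOLDS = Thresholds(t1_days=3, t2_days=1, t3_days=2, t4_days=2,
                                l1_dollars=1_000_000, l2_dollars=100_000)

if __name__ == "__main__":
    demo = Consequence(outage_scope="zones", outage_days=3, loss_dollars=500_000,
                       contamination="taste_color_odor")
    print(rate_asset(demo, EXAMPLE_THRESHOLDS))
```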
F.4. SCADA FAULT TREE QUESTIONS

The following questions help the water utility decide how critical their SCADA system is to their mission and how the SCADA system could be used to bring about undesired events. The questions map to the fault tree.

Generic Subtree 1.1 Loss of Water Sources
  1.1.1 Interrupt or Reduce Ability to Tap Source(s) of Untreated Water
    Q1. Can the SCADA system be used to interrupt or reduce the ability to tap sources of untreated water?
  1.1.4 Loss of Critical Pump System
    Q2. Does the SCADA system control your critical pumps?
      Q2a. Is there local control available?
      Q2b. Through the PLC or RTU?
      Q2c. Can the pumps be operated manually?
  1.1.5 Loss of Critical Valve Systems
    Q3. Does the SCADA system control your critical valves?
      Q3a. Is there local control available?
      Q3b. Through the PLC or RTU?
      Q3c. Can the valves be operated manually?
  1.1.6 Misuse/Damage Process Control System
    Q4. Can the SCADA system be used to interrupt or reduce the ability to tap sources of untreated water?
  1.1.7 Damage/Destroy Critical Pipelines/Conduits
    Q5. Can you damage/destroy critical pipelines/conduits with the SCADA system?
  1.1.8 Loss of Critical Communications
    Q6. What happens if you lose communications?

Generic Subtree 1.2 Disable Pretreatment or Treatment Process
  1.2.4 Loss of Critical Pump System
    Q1. Does the SCADA system control your critical pumps?
      Q1a. Is there local control available?
      Q1b. Through the PLC or RTU?
      Q1c. Can the pumps be operated manually?
  1.2.5 Loss of Critical Valve Systems
    Q2. Does the SCADA system control your critical valves?
      Q2a. Is there local control available?
      Q2b. Through the PLC or RTU?
      Q2c. Can the valves be operated manually?
  1.2.6 Misuse/Damage Process Control System
    Q3. How can you disable the pretreatment or treatment process using the SCADA system?
  1.2.7 Damage/Destroy Critical Pipelines/Conduits
    Q4. Can you damage/destroy critical pipelines/conduits with the SCADA system?
  1.2.8 Loss of Critical Communications
    Q5. What happens if you lose communications?

Generic Subtree 1.3 Interrupt or Impair Ability to Distribute Water
  1.3.2 Cause Loss of Pressure in Distribution System
    Q1. Can the SCADA system cause a loss of pressure in the distribution system?
  1.3.3 Interrupt or Reduce Ability to Store Water
    Q2. Can the SCADA system be used to interrupt or reduce the ability to store water?
  1.3.4 Loss of Critical Pump System
    Q3. Does the SCADA system control your critical pumps?
      Q3a. Is there local control available?
      Q3b. Through the PLC or RTU?
      Q3c. Can the pumps be operated manually?
  1.3.5 Loss of Critical Valve Systems
    Q4. Does the SCADA system control your critical valves?
      Q4a. Is there local control available?
      Q4b. Through the PLC or RTU?
      Q4c. Can the valves be operated manually?
  1.3.6 Misuse/Damage Process Control System
    Q5. How can you interrupt or impair the ability to distribute water using the SCADA system?
  1.3.7 Damage/Destroy Critical Pipelines/Conduits
    Q6. Can you damage/destroy critical pipelines/conduits with the SCADA system?
  1.3.8 Loss of Critical Communications
    Q7. What happens if you lose communications?

Generic Subtree 2. Contaminate Water Before Distribution

F.5. SCADA CHARACTERIZATION QUESTIONS

The questionnaires that follow characterize the SCADA system and determine the security mechanisms in place within the system. Detailed questionnaires help both the training of security personnel in the process and the completion of the various pairwise decision matrices. These questionnaires also help the applicability to multiple sites by maintaining consistency in the depth and areas of coverage. The questionnaires are not restrictive in scope, but do ensure a minimum threshold of knowledge about the security of a particular SCADA system before completing the relative ranking process. COBIT®, the generic depiction of a secure water SCADA system, and previous assessment experience all influence the type and level of questions developed for the assessment process.

Asset 01. Security Policy
  Q1. Is there an official SCADA security policy?
    Q1a. Is the official SCADA security policy documented?
    Q1b. Where is the official SCADA security policy located (interviewer should obtain a copy of this policy)?
    Q1c. How often is the policy reviewed?
  Q2. What procedures are used in lieu of an official SCADA security policy?
  Q3. Can you describe any security threats created by security-insensitive SCADA policies?
  Q4. Do you have a privacy policy for your site, and is it displayed prominently?
  Q5. Are there standards, policies, or procedures in your organization for configuring hardware configuration items (HWCIs) or computer system configuration items (CSCIs)?

Asset 02. Security Plan (Implementation Guidance)
  Q1. Is there a security plan to protect IT elements/components?
  Q2. Can you describe any security threats created by security-insensitive or nonexistent SCADA operating procedures?
  Q3. Who has permission to make changes?
  Q4. Are passwords used?
  Q5. Are passwords required?
    Q5a. What is the password minimum length?
    Q5b. Are the passwords machine generated?
    Q5c. Do the passwords require a combination of letters and numbers?
    Q5d. Do the passwords expire?
    Q5e. Are the passwords audited?
  Q6. Does your organization have an electronic record security plan (pursuant to the Computer Security Act of 1987)? If yes, is it documented?
  Q7. Have you installed all security-related patches and updates?

Asset 03. Security Training
  Q1. What type of security training have you received in support of your job responsibilities?
  Q2. What type of IT security training is provided or required on a regular basis?

Asset 04. Skilled Personnel
  Q1. Are there any non-utility people that have access to the control room instrumentation?
  Q2. Do you use contract personnel to provide any services related to your SCADA operation?
    Q2a. What are the security validation processes associated with their employment?
    Q2b. Are there check-in/check-out procedures associated with their employment term?
    Q2c. Please describe the procedures.
  Q3. Are you relying on only 1 or 2 people to know about, run, or modify the SCADA application?
  Q4. Who operates the network management package(s)?
  Q5. Who is responsible for your WAN interface configuration?
  Q6. Who is responsible for configuring the ACL(s)?
  Q7. Who is responsible for reviewing the audit logs?
  Q8. How many total people have access to the control room instrumentation?
  Q9. Is there a grade or classification for employees granting access to the control room instrumentation?
    Q9a. What is this classification, and how many employees qualify?
  Q10. Who installs the Operating System on your computers?
  Q11. Who is responsible for configuring your servers?
  Q12. Who is responsible for official records in your organization?
  Q13. Who maintains the software on your computers?

Asset 05. Remote SCADA Operations
  Q1. Can you identify critical functions in your mission that depend on remote access connectivity for success?
    Q1a. Please list function(s) and description(s).
  Q2. What are the consequences associated with not completing remote access functions? Please list function(s) and consequence(s).
  Q3. What methods of remote access are supported by the RTUs/PLCs (i.e., dialup, telnet, etc.)?
  Q4. What access control is there for remote access (e.g., passwords)?
  Q5. Can SCADA attributes be set remotely?
    Q5a. If so, what settings are available through remote access?
  Q6. What are the remote access points for the RTUs/PLCs (i.e., from where are they accessed)?

Asset 06. RTUs, PLCs, IEDs
  Q1. Are there any entities apart from the area control center and facility control room that have control over RTUs/PLCs?
    Q1a. If so, please list them and their control access levels.
  Q2. Do any RTUs/PLCs include local control intelligence?
    Q2a. If so, please explain the control schemes.
  Q3. How many RTUs/PLCs total are there?
  Q4. How many RTUs/PLCs does a facility have?
  Q5. What types of RTUs/PLCs are used in the system?

Asset 07. SCADA Servers
  Q1. How many people have passwords to the equipment?
    Q1a. Are the passwords shared?
  Q2. What is the logging system for the SCADA operators?
  Q3. What is the time period of unavailability for the complete SCADA system that can be tolerated before significant consequences result?
    Q3a. Please explain the consequences of this unavailability.
  Q4. How many control components or control algorithms are directly dependent upon the SCADA system? What are they?
  Q5. From where does the input data come?
  Q6. Is sensitive data shared with other applications?
  Q7. Do you have back-up system configurations for the SCADA Servers?
  Q8. Are the passwords audited on a regular basis?
  Q9. Are the server log files protected against snooping by unprivileged users?
    Q9a. How are the server logs protected?
  Q10. Do any of your SCADA servers also serve as a web server, user workstation, etc., or perform duty as a general purpose machine?
  Q11. How frequently are the passwords changed?
    Q11a. Are the passwords audited on a regular basis?
  Q12. Is access to the MMI or SCADA servers password-protected?
  Q13. What platform (computer type and OS) typically supports the control room instrumentation?
  Q14. At what site(s) is the SCADA application located?
    Q14a. On what machine(s) is the SCADA application running?

Asset 08. SCADA Software
  Q1. Does the application require you to run with any special privileges (e.g., logging in with root or administrator privileges)?
  Q2. What are the underlying platforms or external systems that the application assumes are secure (e.g., Oracle, a user's NT workstation, DNS, etc.)?
  Q3. Does the application introduce concerns (requiring a specific port be opened on a firewall, dial-in modem being installed, plaintext passwords embedded in batch files, etc.)?
  Q4. Have any upgrades or security patches been applied to the MMI software?
  Q5. How many people use the SCADA application?
  Q6. What sorts of protection mechanisms exist for the control capabilities identified in the question above (check-before-operate, control timeouts, select-execute, others)?
  Q7. Who is the manufacturer and what is the product name of the SCADA and/or MMI software (note: this is not the name of the operating system)?
    Q7a. Is the product still supported?

Asset 09. Operating Systems - Unix
  Q1. How many UNIX-based servers comprise the SCADA system?
  Q2. Do you have remote logins enabled?
  Q3. Is root allowed to login remotely?
  Q4. Do you have a security plan for your UNIX servers (interviewer should obtain a copy)?
    Q4a. Do you have a configuration guide for your UNIX servers (interviewer should obtain a copy)?
  Q5. What UNIX utilities do you have enabled? (TFTP, FTP, SMTP, NFS, DFS, DCE, Web server, news server, Telnet, BOOTP, SSH, Finger, rlogin, rsh, X Windows, other)
  Q6. Please list the applications running on SCADA UNIX servers (examples: databases, Web server, email, etc.).
  Q7. Do you regularly install security patches on your UNIX servers and workstations?
  Q8. Please select all the automated procedures established for your SCADA UNIX platforms (backups, security checks, logging off users after inactivity, routine administration tasks, etc.).
  Q9. What type of data resides on the SCADA UNIX platforms (administrative - sensitive or non-sensitive, sensor output, SCADA control information, engineering data, SCADA alarm reporting, physical security alarms, fire/safety alarms, other)?
  Q10. Do you use directory services for account management?
  Q11. Is remote system configuration of the UNIX servers allowed?
  Q12. Do you use C2 Security? (e.g., Enhanced Security for HP-UX, bsmconv for Solaris)
  Q13. How many people have admin accounts?
  Q14. Do any applications require a process to run with SUID; if so, does "root" own any of the processes?
  Q15. Do you have a /etc/hosts.equiv file?
    Q15a. Do you have active entries in this file?
  Q16. Do you utilize a shadowed password file?

Asset 10. Operating Systems - Windows NT
  Q1. Can you identify the critical NT servers in your network?
    Q1a. If yes, please list them.
  Q2. Do you have a security plan for your SCADA NT platforms?
    Q2a. Do you have a configuration guide for your SCADA NT platforms?
  Q3. What versions of Windows are you running? (WinNT 3.5x, WinNT 4.0 SP3 or less, WinNT 4.0 SP4, WinNT 4.0 SP5 or higher, Windows 2000, XP)
  Q4. Are workstation users "administrators" on their own machines?
  Q5. Is remote configuration of NT devices allowed?
    Q5a. Who has permission to make changes?
  Q6. Is RAS allowed?
    Q6a. What other network resources are available upon establishing a remote connection?
  Q7. Do you perform automated auditing of user activity on the NT servers?
    Q7a. Please indicate the software and procedures involved.
  Q8. Please list the other applications that run on the SCADA NT platforms (e.g., Outlook, Exchange, Internet Information Server, Oracle, SMS, Netscape Enterprise Server).
  Q9. What type of data resides on the SCADA NT platforms?
  Q10. On your NT devices, are any folders or drives shared, other than the NT default (C$, Admin$, other drive letters)?
    Q10a. Are permissions set at the Share Level or the NTFS Level?
  Q11. Do you have any file sharing software installed (i.e., Web Server software, FTP Server software)?
    Q11a. If yes, type.
  Q12. Do you have a list or topological map of all the NT domains in your network (interviewer should obtain the map)?
  Q13. Do you have a recovery procedure for your SCADA NT platforms?
  Q14. Are you using: WinNT Server, WinNT Workstation, WinNT Server Enterprise Edition, WinNT BackOffice Server?
  Q15. Do you use accounts other than Administrator for system configuration of the NT client workstations?
  Q16. Is the user 'Guest' disabled on your servers?
  Q17. Are rights assigned to individual users or groups, or are they given to everyone in general?

Asset 11. Web Servers
  Q1. How many SCADA web servers are running at this site?
  Q2. Which web applications, if any, are critical to the operations of this site, and why are they critical?
  Q3. What services are your web servers providing? (e.g., SCADA display and control, web pages, database access, applications)
  Q4. Does the web server get monitored?
    Q4a. By whom is the monitoring done?
    Q4b. What gets monitored (suspicious activity, unauthorized users, monitoring of hits, etc.)?
    Q4c. What software tools are used?
  Q5. Do you use a web browser that supports the SSL protocol when viewing or submitting confidential information?
  Q6. Where is the public web server in relation to the firewall?
  Q7. How many people internally have access to place information on the web server?
  Q8. How many people externally have access to place information on the web server?
  Q9.
How do you monitor the web server for compromise? 11. Web Servers 10. Do you use all of the log information you collect? 11. Web Servers loa. When is the log information used? 11. Web Servers lOb. What log information is collected? 11. Web Servers 11. Do you manage what information is placed on your web server? 􀁾􀁉􀀠I 11. Web Servers 11a. Are there documented procedures for this? 11. Web Servers lIb. Are there undocumented procedl!res for this? 11. Web Servers 12. Do you have an approval process for public information being placed on the public web server? 11. Web Servers 12a. Are there procedures for this? 11. Web Servers 13. What forms of enhanced security do you use? (SSL. SHTTP, certificates, encryption. others) 11 . Web Servers 14. What plug-ins and helper applications are installed in your browser? 11. Web Servers 15. Please describe all of the cryptographic protocols you are utilizing on the web server. 11. Web Servers 16. Do you allow http, https & lip on your web server? -SENSITIVE SECURITY INFORMATION: CONFIDENTIAL AND PROPRIETARY ---􀁾􀀠 Asset Questions -11 . Web Servers 17. Is the web server running as "root" (UNIX) or system accounts (NT)? f---11 . Web Servers 18. Please note any of the application servers running (e.g., Cold Fusion, Galileo, Lotus Domino, Netscape , Oracle, SilverStream, Sybase Enterprise Server, WebObjects, other). -11. Web Servers 19. What other network services are available from the web server machine? (e.g., DNS, sendmail) 11 A. Platform Security 01. Do you have modems on your clients or servers? 11 A. Platform Security 02. Are any servers configured with multiple NICs? I t----llA. Platform Security -02a. Are they configured as routers? llA. Platform Security -02b. Do they transfer data between the SCADA network and another network? 11 A. Platform Security 03. Have you disabled all unnecessary services on SCADA platforms, including NetBIOS services, if running an NT machine? -II A. Platform Security 04. 
Do you have boot (BIOS) passwords installed on your computers? 11 A. Platform Security 05. Do you use automatic screen savers on your computers? I 11 A. Platform Security .---05a. Does the screen saver lock the computer when it activates? 11 B. SCADA Control Terminals --01. Does the SCADA application display any sensitive or private data? 11 B. SCADA Control Terminals .. _02. Is there a backup control center? !-11 B. SCADA Control Terminals -03. What are the locations of the facilities having generation or water control with electronically controlled operations? !--11 B. SCADA Control Terminals 04. What is the location of the main control center for the SCADA and engineering systems? 11C. SCADA Terminals 01 . Is electronic access to the control room instrumentation paSSWord-protected? L ____ _.--r I r (' '\. .r;".', "'. ":L· '"'-"" '-./\, ..../............ .........., '",...-'-_..' "-' .... "" ,--<;;.I 􀁊􀀮􀀮􀀮􀀮􀁾............ '.'" ,-,_J 􀀬􀀬􀁾􀀢􀁾􀀠 ,.,.; ..........., 10.-../V ....,y "-'" 􀀬􀁾__• 􀀧􀀮􀁾􀀭 '-".) ,_", '._' '-' '-) .... "-" ......,; J SENSITIVE SECURITY INFORMATION: CONFIDENTIAL AND PROPRIETARY 􀁾􀁾􀀠 ' ,--,-<.1 ."... ..../'.-.' ... 􀀧􀀭􀀢􀀧􀁾􀁾􀁾􀁌􀀢􀀠 --'-'-eel-'-" ______. -" -Asset Questions 12. SCADA Account Restric1ions 01. Are there any limits on access to SCADA data? 1----12. SCADA Account Restrictions 01 a. What are the access limits? 12. SCADA Account Restrictions 02. On what internal security mechanisms does SCADA rely? (e.g., table lookup of privileges based on user id) .. ---. 13. SCADA Network Architecture 01. What is the physical topology of the network under evaluation (the interviewer should obtain a copy of the drawing; be sure there is a legend attached)? ---13. SCADA Network Architecture 02. If there is no drawing available, can a sketch be provided of the network hardware? 13. SCADA Network Architecture 03. What technologies are used for the network (ATM, Frame relay, Ethernet, Gig-Ethernet, etc.)? How many deliices each? 13. SCADA Network Architecture 04. 
Which network protocols are utilized? (TCP, IP, IPX, AppleTalk, DECNET, Other) 13. SCADA Network Architecture 05. Which routing protocols are used in the network? (RIP, IGRP, EIGRP, OSPF, NLSP, Other) 13. SCADA Network Architecture 06. Are priority/critical routes clearly Identified in your topology? 13. SCADA Network Architecture 07. Are all firewall locations clearly indicated on the logical topology drawing? ----13. SCADA Network Architecture 08. Is there a physical backup connection on priority routes? 13. SCADA Network Architecture 09. Where in the network are the ACL(s) located? 13. SCADA Network Architecture 10. What are the security threats created by subsystem compatibility issues (e.g., single password to access various subsystems)? 13. SCADA Network Architecture 11. What vulnerabilities are you aware of In your current SCADA network? 13. SCADA Network Architecture 12. How do you protec1 your information from being intercepted by packet sniffers? 13. SCADA Network Architecture 13. Note the versions of the included protocols, and explain the response for "Other" (if applicable). , . SENSITIVE SECURITY INFORMATION: CONFIDENTIAL AND PROPRIETARY Asset Questions 13. SCADA Network Architecture f-14. Connections to other Organizations 14. Which WAN interface equipment is customer premise equipment (CPE)? 01. Is the control room instrumentation connected to the business network? 14. Connections to other Organizations 02. If the control room instrumentation is connected to the business network, describe the connection. 14. Connections to other Organizations 03. Does the SCADA data network interface With any other systems? 14. Connections to other Organizations -04. Describe the name and owner of the other systems, and the locations of the intersections. (Internet, Intranet, Independent system operators (lSOs), None, Other) 14. Connections to other Organizations f-tv 􀁾􀀠: 14. Connections to other , Organizations 05. 
Do you have any Service Level Agreements (SLA) with your Local Exchange Carrier (LEC) or Internet Service Provider (ISP)? 06. What technique or packages(s) is used for auditing? What type of information is collected? 14. Connections to other other Organizations 07. Does the SCADA data network include leased or shared lines? "---14. Connections to other Organizations I-14. Connections to other Organizations OS. Do you perform any auditing at the WAN interface? 09. Are thE! SLAs available for review? 14. Connections to other Organizations 09a. If yes, please indicate the location. 14. Connections to other Organizations 09b. Are the lines are leased or shared? ---.... _-SENSITIVE SECURITY INFORMATION: CONFIDENTIAL AND PROPRIETARY /') i "'I (.",} -, " -: ' ;> 0 􀀮􀁾􀀠 ,__/'-' '-...." ........, 􀁾􀀠"",-"", ...........J '-<.J 􀁾􀀠􀁾􀀠"-" y 􀁾􀀠w 􀁾􀀠'--" '-..,J '-' 􀁾􀀠0 --...; ....."..... 0('"-'"- >" 􀁾􀀠 ''-'' 􀀬􀀭􀁾􀀮􀀭􀀧􀀠 N 􀁾􀀠Asset Questions 14. Connections to other Organizations 09c. If shared, with whom are they shared? 14. Connections to other Organizations 09d. Who has ownership of the lines? 14. Conn actions to other Organizations 0ge. What communication protocols are used? 14. Connections to other Organizations 09f. What types of data traffic typically traverses the lines? 􀁦􀁾􀁾􀀠 14. Connections to other Organ izations 09g. Are there other pertinent observations that you can provide? 14. Connections to other Organizations 10. Which WAN interface equipment is provided and maintained by the service provider? 15. Internet Connections 01. Is Internet access available? 15. Internet Connections 01 a. What types of connections are allowed (Web -Secure Server, Web -Unsecure Server, Telnet, Ftp, r services (rsh, rlogin, etc.), Other -Please Describe)? 15. Internet Connections 02. What data is generated/output? ---------15. Internet Connections ---02a. Where does the output data go? 15. Internet Connections 02b. Who uses the output data? 15. Internet Connections ---02c. Where are they? 15. 
Internet Connections 02d. For what do they use it? 15. Internet Connections ---03. Do you ever browse the web while logged on as administrator on Windows NT system, or as root on UNIX systems? 􀁾􀁾􀁾􀁾􀁾􀁾􀀭􀁾􀁾􀀠 􀁾􀀠 SENSITIVE SECURITY INFORMATION: CONFIDENTIAL AND PROPRIETARY ----------------------Asset Questions 16. Remote Access Connections 01. Is remote access to the SCADA network allowed -(dial-up, Internet)? -.--IS. Remote Access Connections 02. What are the methods of remote access? (Dial Up Lines, Internet. Other. please-describe) 1S. Remote A9cess Connections 03. How is the remote user authenticated? (Knowledge of telephone number. Password. Secure token (i.e .• secure lD card. S-Key), Dial-Back. Other, please describe.) 􀁾􀀭􀀭 l16. Remote Access Connections 04. Are the passwords shared? t6. Remote Access Connections 04a. Are the passwords audited on a regular basis? 16. Remote Access Connections 04b. What is the audit schedule? f--16. Remote Access Connections 05_ Please list the applications that are available by remote access. 1----16. Remote Access Connections OS. Does your remote access process use a stand-alone server? f---t-..lVo:l 16. Remote Access Connections 07. Are remote connections audited? N,'I----16. Remote Access Connections 07a. What type of information is collected? 16. Remote Access Connections 08. Is any wireless remote access available? 1S. Remote Access Connections 08a. Please describe this remote access? 16. Remote Access Connections 09. What other software/applications run on the remote access server? !---16. Remote Access Connections 10. How many people have administrative access to your remote access server(s)? 116. Remote Access Connections 11. What additional access is provided within the physical network after establishing a remote connection? -16. Remote Access Connections 12. What addilional access is provided outside the physical network alter establishing a remote connection? 17. SCADA Network Management 01. 
Are you using any network management packages? SENSITIVE SECURITY INFORMATION: CONFIDENTIAL AND PROPRIETARY t " ((" ...., /.''1 􀁾􀀧􀀧􀀧􀀧􀀠 ;/f -, ,. '\ " -" I' " 􀀮􀁾􀁾􀀠 􀁾􀀠 . .', 􀀮􀁾􀁾􀁗􀀰􀁟􀁾􀁾􀁗􀁗􀁾􀁾􀁾􀁾􀁾􀁾􀁙􀁾􀁾 '--' ....."J ..... 􀁾􀁟􀁾􀁾􀁗􀁾􀁾􀁾􀁟􀁾􀁾􀁾􀁾􀁾 .,,1 Y Y Y 􀁾􀀠t.....,..J ........... '--.._' 􀀬􀁾􀀯􀀠 .... ," '-/􀀧􀀭􀁾􀀠 '-,. '--" '-' ' .... 􀀬􀁾􀀠 '-􀁾􀀬􀀠 "-" 􀀧􀁾􀀭􀀧􀀠 -􀁾􀀠 􀁾􀀠􀁾􀀠,--' 􀁾􀁾􀀠 􀀮􀁾􀀠 􀀬􀀬􀁾􀀬􀀠 􀀮􀁾􀀠 N I VI Asset 17. SCADA Network Management 17. SCADA Network Management 17. SCADA Network Management ---17. SCADA Network Management 17. SCADA Network Management 17. SCADA Network Management 17. SCADA Network Management 17. SCADA Network Management 17. SCADA Network Management 18. Firewalls 18. Firewalls 18. Firewalls 18. Flrewalls 18. Firewalls 18. Firewalls W : 17. SCADA Network Management Questions 02. Are you using any network management security packages? (Please list) 03. Can you make device configuration changes from the network management package? (Explain) 04. Do you make device configuration chan!;j9s from the network management package? 􀁾􀀠._-05. How do you make remote configuration changes? (Telnet, FTP, TFTP, Web Browser, Other -Explain) OS. Is remote configuration of the network equipment allowed? 07. Please list the equipment remotely conflgurable. 08. Are you monitoring/auditing auditing the network using a network management package? .. _09. Are you monitoring/auditing the network using a network management package? What type of information is collected? 10. How would you rate your organization's dependency on the network management package(s)? (Low, Medium, High) 􀁾􀀠.--11. Do you have a help desk? 01. Do any of the devicas apply a firewall to the data traffic? 01 a. Is a password required for configuration of the firewall(s)? 01 b. How many people have passwords to the flrewall(s) (number of people)? -01 c. Are the passwords to the firewall shared? Old. Are the firewall passwords audited on a regular basis? ---------01 e. What is the schedule of audit? 
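Several of the UNIX platform questions above (09.03, 09.05, 09.15a, 09.16) can be answered from the host's own configuration files rather than from interview alone; the following added Python example, which is not part of the report, shows how a defender would do that. The sshd_config, hosts.equiv, inetd.conf and passwd contents it parses are constructed samples.

```python
"""Constructed example (not from the RAM-W report): automated checks behind four
of the questionnaire's UNIX questions (09.03, 09.05, 09.15a, 09.16), run over
copies of a host's configuration files. Every input below is a made-up sample."""
from dataclasses import dataclass
from typing import List

# --- constructed sample inputs (not taken from any real system) --------------
SSHD_CONFIG = """\
# sample sshd_config
Port 22
PermitRootLogin yes
"""
HOSTS_EQUIV = """\
# sample /etc/hosts.equiv
scada-hist1
+ operator
"""
INETD_CONF = """\
# sample inetd.conf; commented-out lines are disabled services
ftp     stream tcp nowait root   /usr/sbin/in.ftpd    in.ftpd
#telnet stream tcp nowait root   /usr/sbin/in.telnetd in.telnetd
tftp    dgram  udp wait   root   /usr/sbin/in.tftpd   in.tftpd -s /tftpboot
finger  stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd
#shell  stream tcp nowait root   /usr/sbin/in.rshd    in.rshd
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
scada:x:500:500:SCADA operator:/home/scada:/bin/sh
legacy:$1$abcdefgh$ijklmnopqrstuvwxyz12:501:501:old vendor account:/home/legacy:/bin/sh
"""
# passwd password-field values meaning "hash lives in /etc/shadow" or "locked"
PLACEHOLDER_HASHES = {"x", "*", "!", "!!"}
# inetd services the questionnaire singles out (cleartext or host-trust based)
CLEARTEXT_OR_TRUST = {"ftp", "tftp", "telnet", "finger", "shell", "login", "exec"}


def config_lines(text: str) -> List[str]:
    """Non-blank, non-comment lines of a config file, stripped."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def permit_root_login(sshd_config: str) -> str:
    """Effective global PermitRootLogin value (question 09.03). OpenSSH takes the
    first occurrence; directives under a Match block are conditional, so stop there."""
    for ln in config_lines(sshd_config):
        if ln.lower().startswith("match "):
            break
        parts = ln.split(None, 1)
        if parts[0].lower() == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip().lower()
    return "not set (daemon default applies)"


def enabled_inetd_services(inetd_conf: str) -> List[str]:
    """Service names still enabled in inetd.conf (question 09.05)."""
    return [ln.split()[0] for ln in config_lines(inetd_conf)]


def active_hosts_equiv(hosts_equiv: str) -> List[str]:
    """Active trust entries in /etc/hosts.equiv (question 09.15a)."""
    return config_lines(hosts_equiv)


def unshadowed_accounts(passwd: str) -> List[str]:
    """Accounts whose passwd entry still carries a hash (or an empty password
    field) instead of a placeholder, i.e. the file is not fully shadowed (09.16)."""
    found = []
    for ln in config_lines(passwd):
        fields = ln.split(":")
        if len(fields) >= 2 and fields[1] not in PLACEHOLDER_HASHES:
            found.append(fields[0])
    return found


@dataclass
class Finding:
    question: str
    answer: str
    concern: bool  # True when the answer is one the assessment team should follow up


def assess_unix_platform(sshd_config: str, hosts_equiv: str,
                         inetd_conf: str, passwd: str) -> List[Finding]:
    """Answer the four questions from file contents and flag the risky answers."""
    prl = permit_root_login(sshd_config)
    services = enabled_inetd_services(inetd_conf)
    trust = active_hosts_equiv(hosts_equiv)  # a '+' entry trusts every host
    open_pw = unshadowed_accounts(passwd)
    return [
        Finding("09.03 Is root allowed to login remotely?", prl, prl != "no"),
        Finding("09.05 What UNIX utilities are enabled?", ", ".join(services) or "none",
                bool(CLEARTEXT_OR_TRUST.intersection(services))),
        Finding("09.15a Active entries in /etc/hosts.equiv?", "; ".join(trust) or "none",
                bool(trust)),
        Finding("09.16 Shadowed password file?",
                "yes" if not open_pw else "no: " + ", ".join(open_pw), bool(open_pw)),
    ]
```

On the constructed samples every one of the four findings is flagged; on a host where PermitRootLogin is "no", hosts.equiv is empty, the cleartext inetd services are commented out and every passwd entry carries a placeholder, none is.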
30. Backup Configurations
  09a. Where is it located?
  10. Where is client data stored?
  11a. How is the client data backed up?
  11b. Where are the backups stored?
  11c. For how long do you retain these backups?

31. Configuration Management
  01. Do you have a configuration management process to maintain the SCADA architecture?
  01a. Is the configuration management process documented?
  01b. If yes, please indicate the location of the documentation.
  02. What is the mechanism for training personnel in this process?
  03. What security elements are incorporated into this training?
  04. Is there a configuration management process for the control room hardware/software?
  05. Are there system configuration guidelines for client workstations?
  06. Are passwords audited on a regular basis?
  06a. What is the schedule of the audits?
  07. Have you identified the critical components in your LAN?
  07a. If so, please list them.
  08. Have you identified the critical components in your remote access operations?
  09. Have you identified the critical components in your WAN?
  09a. If so, please list them.
  10. Is there a configuration management process for maintaining equipment?
  10a. If not, please explain.
  11. Is there a configuration management process for maintaining LAN equipment?
  11a. If not, please explain.
  12. Is there a configuration management process for maintaining remote access capability?
  12a. If not, please explain.
  13. Are there master inventory lists of SCADA hardware and software?
  13a. What is the location of this data?
  13b. How often are they updated, reviewed, or checked?
  14. Where are the SCADA baselines stored (physical location and device)?
  15. Where are the SCADA documents and drawings stored (physical location and device)?
  16. Where is SCADA's operational baseline located? (List multiple sites, if applicable)
  17. Can copies of official records be distributed electronically?
  18. Please describe the process for preventing the loss, alteration, or unauthorized use of official records.
  19. Can non-mission critical activities be performed using copies of official records?
  20. Is the process for an employee to request remote access capability formally documented?
  21. What is the schedule for reviewing the audit logs?

32. Physical Protections of SCADA equipment
  01. Is the server equipment at your facilities physically secured?
  01a. If so, how is the server equipment physically secured?
  02. Are the SCADA terminals at your facilities physically secured?
  02a. How are the SCADA terminals physically secured?
  03. How many personnel have access to the SCADA terminal equipment?
  03a. Who?
  04. Is the remote SCADA equipment at your facilities physically secured?
  04a. How is the remote SCADA equipment physically secured?
  05. Is the communication link equipment at your facilities physically secured?
  05a. How is the communication link equipment physically secured?
  06. Are the communication link termination points of the SCADA network physically secured?
  06a. How are the communication link termination points of the SCADA network physically secured?
  07. Is the LAN equipment at your facilities physically secured?
  07a. How is the LAN equipment physically secured?
  08. Is the WAN equipment at your facilities physically secured?
  08a. How is the WAN equipment physically secured?
  09. Is the remote access equipment at your facilities physically secured?
  09a. How is the remote access equipment physically secured?
  10. How many personnel have access to the SCADA server equipment?
  10a. Who?
  11. How many personnel have access to the remote SCADA equipment?
  11a. Who?
  12. How many personnel have access to the SCADA communication link equipment?
  12a. Who?
  13. How many personnel have access to the SCADA communication link termination points?
  13a. Who?
  14. How many personnel have access to the SCADA LAN equipment?
  14a. Who?
  15. How many personnel have access to the SCADA WAN equipment?
  15a. Who?
  16. How many personnel have access to the SCADA remote access equipment?
  16a. Who?

F.6. ONSITE CHEMICAL ASSESSMENT WORKSHEET

Onsite Chemical Assessment Worksheet

Trade Name      | Chemical Name              | Maximum Storage Amount | Units   | Conc.  | Delivery Method | Liquid Density | MSDS | Injection method, # of sites, total flow rates
Liquid Chlorine | Chlorine                   | 10                     | ton     | 100%   | 1-ton cylinders | NA             | Y    | 2 injectors rated at 5,000 lbs/day each. Vacuum limited to 9,000 lbs/day.
Ammonia Water   | Aqueous ammonium hydroxide | 5,000                  | gallons | 20 wt% | tanker truck    | 0.9            | Y    | 2 metering pumps rated at 2,000 gal/day.
Permanganate    | Potassium permanganate     | 9,000                  | lbs     | 100%   | 1500 kg bins    | NA             | Y    | Screw auger solids feed of one bin/day. Overhead crane used to change bins.

Location/Site: ________________    Date: ________________
Maximum Water Flow: ________    Minimum Water Flow: ________    Typical Water Flow: ________    Time to 1st customer: ________
Comments:

APPENDIX G: CONSEQUENCE ASSESSMENT FOR THE EXAMPLE WATER UTILITY

G.1 Determining Critical Assets Consequence Levels

After the assessment team agrees to a site-specific consequence matrix and the associated definitions, they then review the critical assets identified from the fault tree and rank the undesirable events as high, medium, or low. To help determine the consequence value for each undesired event (critical asset), a table is used which lists the undesired events on the left and the measures of consequence on the top. A Consequence Value Table (Table 5.3) for the example water utility was developed based on Table 5.2 (Section 5.6.2) and information provided in the water utility description (Appendix A).
A detailed description of how the high, medium, and low consequence values were derived is given below.

Damage or Destroy Pipelines/Conduits
• Economic loss to water utility (defined as cost to repair and economic loss)
  o L = Less than $500K to replace (loss is only to exposed pipeline, most of pipeline is underground, assumed there is a turnoff valve nearby)
• Duration of loss
  o H = If destroyed it will take more than 24 hours to fix (facility is out of operation during repair time)
• Number of users impacted
  o H = Serves 80% of geographical area and 75% of customers (90 mgd out of 100 mgd)

Damage or destroy disinfection capability at Treatment Plant 2
• Economic loss to water utility
  o M = Once it has been detected, the water utility needs to shut down Treatment Plant 2, Pump Station 1, Pump Station No. 2 and storage. Cannot deliver to the customer. Need to fix the disinfection process (may lose chemicals, equipment, treated water)
• Duration of loss
  o M = Will take at least a day to fix/repair the disinfection process; however, raw water can be pumped if necessary
• Number of users impacted
  o M = Treatment Plants 1 and 3 will have to run at maximum capacity and storage will have to be depleted to try to keep up with demand

Loss of pumps (loss of capability of pumping at Treatment Plant 2)
• Economic loss to water utility
  o L = Loss of capability of pumping station (e.g., a motor, a shaft, a component, less than $500K to replace)
• Duration of loss
  o H = Will take more than a day to repair (pumps are one-of-a-kind; parts are not kept on the shelf)
• Number of users impacted
  o H = Loss of capability of pumping; water can't move through Treatment Plant 2 to Pumping Stations 1 and 2

Loss of key personnel at Treatment Plant 2
• Economic loss to water utility
  o L = If the operator at Treatment Plant 2 is affected, the process is not interrupted (treated water is still delivered)
• Duration of loss
  o L = If the operator at Treatment Plant 2 is affected, the process is not interrupted (treated water is still delivered)
• Number of users impacted
  o L = If the operator at Treatment Plant 2 is affected, the process is not interrupted (treated water is still delivered)

The overall consequence values in Table 5.2 were assigned based on the highest qualitative value determined for that specific undesired event. For example, for the undesired event "damage or destroy pipelines/conduits" one "L" and two "H's" were determined for the consequence measures; therefore the overall consequence value was an "H."

APPENDIX H: SCADA SECURITY POLICY FRAMEWORK

Increasing the security level of the complete SCADA system will require much more than simple "technology fixes." The adoption of an Information Technology (IT) framework such as CobiT [2] will allow the water utility to effectively design and maintain a robust, secure SCADA system. The development and maintenance of a security policy is the first recommendation to be addressed. Sandia has developed a SCADA Security Policy Framework™ that follows in two forms: one is the framework with the areas that need to be addressed in a security policy, and the other shows the mapping of those areas to CobiT. Basic security policies would include access and password controls, network perimeter definition, and data sensitivity definition requirements. Addressing the security policy issue in a timely manner is critical for the secure implementation and management of SCADA systems.

[2] IT Governance Institute, CobiT: Governance, Control, and Audit for Information and Related Technology, Information Systems Audit and Control Foundation, Rolling Hills, IL, 2000.
SENSITIVE SECURITY INFORMATION: CONFIDENTIAL AND PROPRIETARY 269 SCADA Security Policy Framework™to CobiT Control Objective 􀀡􀀨􀁃􀁾􀁾􀁾􀁾􀁾􀁐􀁾􀁉􀁜􀀼􀁹􀂷􀂷􀀠 􀁦􀁬􀀡􀁦􀁦􀁵􀀻􀀢􀁩􀁲􀁩􀀻􀁕􀁾􀁾􀁦􀁬􀁴􀁪􀀱􀁾􀀺􀀻􀀧􀀺􀀮􀁹􀀪􀀮􀁾􀁾􀁾􀁾􀀠 POoI.4, P()U, POO-8, P07,3, A1l.!l, AlS.l, AI5.3. AIS,.10 􀁾􀀠 􀁲􀀭􀀭 "C" SCADA .. i.,., $CADA I tSCAl)A' 􀁉􀀮􀁾􀀺􀀬􀀠. Pflllfulm S!!CWity Oata'SecurHy 􀁃􀁩􀁭􀁾􀀠 􀁾􀁓􀁣􀁣􀁷􀁴􀁴􀁶􀀠 """'..... "I 􀁾􀁾􀁾􀀮􀀬􀀺t! COOUnully F>tlfk;y ':li ""., 􀁾􀁬􀁑􀁹􀀠 Pclq'· , ,." '. "I, 􀁾􀁾􀀧􀀠.... G􀁾􀀠 L.=. 􀁇 ;"!dUll:1,􀀮􀀡􀀻􀀮􀂣􀀬􀁾􀀡􀀻􀀮􀁾􀀺􀁉􀁬􀁪􀁾􀁩􀀠 􀁉􀀻􀀻􀀺􀀻􀀧􀀭􀁾􀀺􀁴􀁩􀀺􀀡􀀠 1""T"18' :;.ill' 'mVillT"" """nr""""" , t 054.1. Al2.12, POZ, P04.10. Al3.II, PDS, DSU. AJ3.3. 􀁄􀁓􀁾􀀠 PO.t7, 􀁐􀀰􀀱􀁾􀀮􀀠 Al1.e, OS·..a:, DS!i.1, 055.2, P04B. P07.a. "", os'" Al1.1o, 084.10 055.2. DS5.1a. P04.12. 055.2, D􀁟$􀀬.5,7􀁾, O'S5.1$, 0'$$,20, 0'55.3, DS5A 0$5.17. 0'51"1.17 oss.a 0$:5.5, 055.11, OSlua 055.9.. O$!Sa, 055.12. OSS.11$, ass.' Ma', OSS,19. M2A 0511.18. 1.13.1. O'S11.13, 􀁏􀁓􀀱􀀱􀀬􀀲􀁾􀀬􀀠 '" OS11.2a Vmkln o,a At.9 08. 2roz JDD SENSITIVE SECURITY INFORMATION: CONFIDENTIAL AND PROPRIETARY ,.•"' (", t" f' .... w L.... v'..:.......... '--' <' ' f" ',,. "" " L--...-, 'TO' '-/..............._, 􀁾􀁾􀀠 "'-" ,,,,,,,,", ,----' 􀁾􀀠 '-' .......... ,......; '-/'-, ......... ' '-'--' '-' '-' v 􀁾􀀠''''''' -....p '-' '-' "'--' 􀁾􀀠.....""" '.,/".' 􀁾􀀢􀀢􀀠 􀀧􀀭􀁾􀀠 '-' '-' 􀁾􀀭􀀧􀀠 SCADA Security Policy Framework™ S,CAD,-" Syatam' 􀁳􀀻􀁾􀁣􀁾􀁾􀁴􀁴􀁹􀀠􀁐􀀮􀁯􀀡􀁾􀀧􀀠 􀁾􀀠 􀀱􀀮􀁬􀀧􀀡􀁩􀁏􀁲􀀮􀀢􀀮􀁲􀀺􀀮􀁾􀁴􀁬􀀺􀁩􀀡􀁉􀁬􀀺􀁬􀁩􀀡􀀮􀀡􀁉􀀱􀁗􀁾􀁴􀀮􀁴􀀻􀁾􀁩􀁈􀁩􀁉􀁬􀁗􀁉􀀡􀀺􀁲􀁪􀁬􀀠 1 '􀀮f􀁾􀁲􀁡􀁴f􀁉􀁯􀁮􀁳i􀂷􀀬􀀠'Uco""",! "''''' ',I . " . , 􀁬􀁾􀀠 􀀱􀀡􀀮􀀱􀁬􀁜􀀡􀁬􀁩􀁭􀀺􀀢􀁾􀁉􀀮􀀡􀁾􀁩􀁴􀁗􀁩􀁩􀀺􀁬􀀠 N .-...l. Ve!'lilonO.5 Augoa,2002 JOO pillCfurm,SewrIty. , .' :-PI:IIIcy :," 'Y􀀧􀁾1􀀧J􀀬 􀀠 􀀢􀁾􀁾􀀬􀀬􀀬􀀺􀁟􀀺􀁾􀀻􀁾􀁟􀀠􀁾􀀧􀁾􀁬􀁾􀁾􀀠 I _I SeIVllrlCII,..wS r-l OSlPlatfrimi" , 􀁓􀁾􀁐􀁯􀁕􀁃􀁹􀀮􀀠 L..J ,SCAOA " ....""'" Sac:wIty PoIlfiY SCADA H "Appl/calkln 􀁔􀁉. 􀁾􀁾􀁰􀁉􀁣􀁡􀀧􀁜􀁬􀁯􀁮􀀠􀁳􀀧 , -SCADA iii' NetM:lrk Security I,; ,Pollo/􀁾􀀠 ••" 􀁪􀁾􀁾􀀠 f-+I . LAN Policy L.l 􀁐􀁥􀁾􀁭􀁥􀁬􀁥􀁲􀁐􀁡􀁬􀁪􀁣􀁹􀀠 H 􀀧􀀧􀀧􀀧􀀧􀀧􀀻􀀡􀁾􀀽􀀧􀁉􀀠 HRerme 􀁁􀁴􀁴􀁡􀁳􀁾􀀠I "''''' y Vllndorf3rd ParIy . ACcess Policy 1 􀀧􀀡􀀱 .Data Secuty 􀀺􀁾􀀠 􀀧􀁾􀁾􀀱􀁉􀁣􀁴􀀠 􀀠:fl """,c,,,' ,..,,",,1 ,., o.r. ' r---'l 􀁾􀁯􀁲􀁗􀀡􀁬􀁴􀁬􀁮􀀠 . 
PoIlei: f--DBl"a'B,a.c,l lup Data Destruction 􀁐􀁯􀁉􀁉􀁾􀀠 􀁾􀀭 Mal!ciJu:i Sol'twam 􀁾􀁮􀀧􀀡􀀺􀀧􀁯􀁄􀁄􀁃􀁙􀀠 r 􀁰􀁾􀀬􀀻􀁲􀁵􀀬􀀻􀁾􀀧 . _ Pont:)' 􀀭􀀧􀁾􀀠":' 􀀮􀁾􀀺􀀬􀀢􀀺􀀧􀀧􀀧􀀢􀀬􀀢􀀠 >., . H 􀀮􀀬􀁾􀁊􀁾􀀻􀁾􀀭􀀮􀀺􀀠 􀁈􀁁􀁾􀁬􀁩􀁓􀁡􀁧􀁥􀀠 1.1 _"" .. 􀁾 􀁐􀁾􀀡􀁤􀁆􀀻􀀧􀁾􀀱􀁴􀁙􀀠 1 C,o nS/CIgAQOaAU on ,􀀮,􀁾"􀀧􀀠 􀁍􀁡􀁮􀀸􀁏􀁾􀀠 : 􀀧􀁟􀀢􀀬􀀮􀁊􀁾􀀠 􀁊􀁦􀀧􀀻􀀻􀀢􀀧􀀻􀀡􀀮􀁬􀀨􀁾􀁾􀀧􀀠 , st.AoA Security I-< PolIcy" . MaintBnanco """"' SCADA Stsndaltls L.j &'Procedure:s 􀀢􀀧􀀺􀁾􀁲􀁣􀁥􀀠 1 : 􀁾􀁩􀁾􀁌􀁤􀀢􀁤􀀠􀀢􀁾􀀺􀀠 " ".:!kY "J: Illi' 􀁾􀁩􀀠 􀁾 AIISQ!lsrroeirtand 􀁅􀁾􀁾􀁮􀁾􀀱􀁉􀁣􀁹􀀠 f-. 􀀵􀁥􀁡􀁊􀁉􀁜􀀡􀁹􀁾􀁯􀁧􀀠 : 􀁐􀁯􀁾􀁃􀀧􀁦􀀧􀀠 I _I VIoIationJIoddent 􀁾 􀁒􀁾􀁾􀁐􀁯􀁉􀁉􀁃􀀧􀁦􀀠 I ,,11rtr\lslQn Oetectlon 􀁾􀀠. 􀁐􀁯􀁾􀀠 ," SENSITIVE SECURITY INFORMATION: CONFIDENTIAL AND PROPRIETARY } ], ') } ) ) 􀁾􀀩􀀠 :) :) :) 􀁾􀀠) u :) ') ,J , ) ) ) ) ) , , ,.1 /') , j , , ) :) . ) .) \ , J 􀁾􀀮􀁊􀀠 c" ' 􀀧􀀭􀁾􀀺􀀮􀁩􀀠 , ) , ') ,_i () 􀁾􀀠 , ') , " ,.1 SENSITIVE SECURITY INFORMATION: CONFIDENTIAL AND PROPRIETARY () i U· ;"j' , , 􀁾􀁟􀁊􀀠 􀁾􀀠 REFERENCES American Water Works Association http://www.awwa.orgl Association of Metropolitan Water Agencies http://www.amwa.net/Awwa Research Foundation (AwwaRF) http://www.awwarf.coml Campbell, P. 2002. A Taxonomy ofInformation Assurance, SAND2002-0131, Sandia National Laboratories, Albuquerque, NM. Environmental Protection Agency http://www.epa.gov/safewater!security/FBI, lnfraGard http://www.infragard.netl Freeman, r.w., Darr, T.C., Neely, R.B. 1997. Risk Assessment for Large Heterogeneous Systems, IEEE Proc. 13th Annual Computer Security Applications Conference. pp. 44-52. Garcia, Mary Lynn. 2001. The Design and Evaluation ofPhysical Protection Systems, Reed Elsevier (Butterworth-Heinemann), Boston, MA. IT Governance Institute™ 2000. Cobi'J'li': Governance, Control and Audit for Information and Related Technology, Information Systems Audit and Control Foundation, Rolling Meadows, IL. Modarres, M. 1993. What Every Engineer Should Know About Reliability and Risk Analysis, Marcel Dekker, Inc., New York, NY. National Infrastructure Protection Center (FBI) http://www.nipc.gov/Oddo, F., Editor. 1994. The Memory Jogger, GOALlQPC, Methuen, MA. 
The Merck Index, 12th edition. Susan Budavari, ed. 1996. Merck and Company Inc., Whitehouse Station, NJ.
Sandia National Laboratories (Congressional Testimony). www.sandia.gov/news-center/resources/congress-testimony/index.html
Section 11 (Toxicological Properties) of the Material Safety Data Sheets (MSDS) for specific chemicals. MDL Information Systems, Inc., Nashville, TN.

ACRONYMS AND DEFINITIONS

ACRONYMS

AMWA    Association of Metropolitan Water Agencies
ASD     Adversary Sequence Diagrams
ATM     Asynchronous Transfer Mode
AWWA    American Water Works Association
AwwaRF  Awwa Research Foundation
BMS     balanced magnetic switch
CDC     Centers for Disease Control
CDP     critical detection point
CobiT   Control Objectives for Information and Related Technology
CSU     channel service unit
DBT     Design Basis Threat
DEMUX   de-multiplexers
DEPO    Design and Evaluation Process Outline
DMZ     De-Militarized Zone (see definition)
DoS     denial of service
DSU     data service unit
EASI    Estimate of Adversary Sequence Interruption
EPA     Environmental Protection Agency
ERP     emergency response plan
FAC     free available chlorine
FBI     Federal Bureau of Investigation
FEP     front-end processor
FTP     File Transfer Protocol
GIS     Geographical Information System
GPM     gallons per minute
H       High
ID      identification
IED     intelligent electronic device
IOC     Input/Output Controller
IRP     Incident Response Plan
IT      information technology
L       Low
LAN     local area network
LOX     liquefied oxygen
M       Medium
MG      million gallons
MGD     million gallons per day
MSDS    Material Safety Data Sheet
MUX     multiplexers
N/A     not applicable
PC      personal computer
PDD     Presidential Decision Directive
PL      Public Law
PPM     parts per million
PVC     permanent virtual circuit
PPS     physical protection system (see definition)
RAM-W℠  Risk Assessment Methodology for Water Utilities
RDCP    Redundant Distributed Process Controllers
RIP     Routing Information Protocol
RFT     response force time
RTU     Remote Terminal Unit
SAVI    Systemic Analysis of Vulnerability to Intrusion
SCADA   Supervisory Control and Data Acquisition (see definition)
SMTP    Simple Mail Transfer Protocol
SOW     Scope of Work
SPOF    single point of failure
TBD     to be determined
TFTP    Trivial File Transfer Protocol
TR      time remaining
UPS     Uninterruptible Power Supply
VFD     variable frequency drives
VLAN    virtual local area network
VPN     virtual private network
WAN     wide area network
WMD     Weapon of Mass Destruction (see definition)

DEFINITIONS

Asset - A useful, valuable item dedicated to a specific purpose.

DMZ - A network located between a trusted network (SCADA) and an untrusted network (external or business).

Facility - Located on a site having a specific function, usually a building or structure.

Estimates - Results of a ranking process by which expert judgment may be used to assign relative values to subjective assessments. High (H) = 0.9; Medium (M) = 0.5; Low (L) = 0.1.

PPS - Provides notification that a malevolent act is being attempted (detection), makes it difficult and time consuming for an adversary to complete the malevolent act (delay), and allows a security force enough time to stop the adversary (response).

Protection System - A security system that includes both aspects of a physical protection system and operational design system.

Red Team - An independent, threat-based effort by an interdisciplinary, simulated team, which uses both active and passive capabilities to expose and exploit information assurance vulnerabilities of an IT system.
(After proper safeguards are established.)

SCADA - A Supervisory Control and Data Acquisition (SCADA) system is typically defined as a computer-based monitoring and control system that centrally collects, displays, and stores information from remotely located data collection transducers and sensors in order to support the supervised remote control of equipment, devices, and automated functions.

Site - A geographic location providing a particular function or purpose.

Target - A specific area or component to be protected to prevent undesirable consequences. The object of an attack.

Water Utility System - The entire complex of equipment, ranging from input of water to distribution of water.

WMD - Generally, a weapon of mass destruction is any weapon capable of inflicting a large number of deaths immediately or over a period of time. Examples are chemical, biological, radiological, or explosive weapons. In this report, WMD refers to a malicious act that results in WMD-like consequences by exploiting some weakness of the water utility operation. Destruction of a dam with the resultant flood causing the death of a large number of people is an example. Another example is dispersal of toxic chemicals.

American Water Works Association
6666 West Quincy Avenue, Denver, CO 80235-3098
T (303) 794-7711  F (303) 795-1989  www.awwa.org
The Authoritative Resource for Safe Drinking Water

New AWWA Security Resources

Don't miss out on these new security resources, brought to you by the American Water Works Association. New dates now available!

Vulnerability Assessments for Water Utilities (RAM-W℠) Seminar
This hands-on seminar is designed to help you develop security plans at your utility.
You'll learn key components of the methodology and immediately apply them through guided exercises. By the end of the class, you'll have an action plan that may be immediately implemented at your utility. Course material is licensed from AwwaRF and Sandia National Laboratories and includes material from the first and second editions of the Risk Assessment Methodology for Water Utilities.
February 19-21, 2003  Scottsdale, Arizona
February 24-26, 2003  Dallas, Texas
March 5-7, 2003  New Orleans, Louisiana
March 12-14, 2003  Arlington, Virginia

AWWA Water Security Congress
March 23-26, 2003, Los Angeles, California
To help you deal with the new security challenges you are facing, attend the AWWA Water Security Congress. Christie Whitman, United States Environmental Protection Agency Administrator, is scheduled to be the keynote luncheon speaker on Tuesday, March 25. The event will also feature seminars from leading water and water security experts in the nation addressing topics such as vulnerability assessments, water quality monitoring, research and legislative updates, distribution system security, crisis decision-making, security hardware and technology, crisis communications, and threat identification and response. This important opportunity will provide a forum for water industry leaders to learn, network, and share ideas. Members who register by February 26 will save $100 on the registration fee.

Cyber Security Seminar
In this seminar, participants will learn what types of action should be taken to secure SCADA (supervisory control and data acquisition) systems and other computer-based systems from outside intrusion.
May 13-14, 2003  Denver, Colorado
May 28-29, 2003  Syracuse, New York

Online Institute: Security Planning for Drinking Water Systems - An Operational Approach (http://www.awwa.org/learnonline/)
AWWA, in conjunction with the US Environmental Protection Agency, has developed this online course to address operational procedures for securing your drinking water facility. This course is designed to introduce water professionals to appropriate security measures in the water industry, including security planning for the total water system, physical system vulnerability assessment, operational system vulnerability assessment, and emergency response preparation.

NEW - Risk Assessment Methodology for Water Utilities, Second Edition
The second edition of Risk Assessment Methodology for Water Utilities has recently been released. This proprietary and confidential methodology is available to water utilities, government agencies, and security consultants. The procedures outlined in this report will guide drinking water utilities through a complete security review, to assist in making informed decisions about how best to reduce risks from intentional sabotage and other emergency events. Risk Assessment Methodology for Water Utilities, 2e is $85 plus shipping and handling. A confidentiality and nondisclosure agreement must be signed in order to obtain this product. To order or for more information and necessary forms, please call Eric Lovick, AWWA Customer Service, 303.734.3441.

Water System Security: A Field Guide
This book emphasizes measures any size water utility can take for better security against man-made threats. It covers emergency preparedness plans, vulnerability assessments, mitigation measures for critical components, emergency response and recovery, and crisis communications. Catalog Number 20501. Retail price: $89, AWWA Member price: $58.
Water System Security: A Video Field Guide
This companion video to Water System Security: A Field Guide covers emergency preparedness plans, vulnerability assessments, mitigation measures for critical components, emergency response and recovery, and crisis communications. Catalog number 65247. Retail price: $185, AWWA Member price: $125.

Water System Security Set
Includes Water System Security: A Field Guide book and video. Catalog number WSSFG. Retail price: $259.95, AWWA Member price: $169.95.

To register or order, go to www.awwa.org or call AWWA Customer Service at 800.926.7337.

CASE STUDY
RISK ASSESSMENT METHODOLOGY FOR WATER UTILITIES (RAM-W℠), SECOND EDITION

Prepared by Security Systems and Technology Center, Sandia National Laboratories, Albuquerque, NM 87185-0789

Jointly sponsored by Awwa Research Foundation, 6666 West Quincy Avenue, Denver, CO 80235-3098, and U.S. Environmental Protection Agency, Ariel Rios Building, 1200 Pennsylvania Avenue, N.W., Washington, DC 20460

Published by the Awwa Research Foundation
Prepared by Sandia National Laboratories. Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy under Contract DE-AC04-94AL85000.
©2001, 2002 by AwwaRF. All rights reserved. First edition 2001. Second edition 2002. Printed in the U.S.A.

CONTENTS

TABLES ..... v
FIGURES ..... vii
EXECUTIVE SUMMARY ..... ix
1. GENERAL DESCRIPTION OF THE FACILITY ..... 1
1.1. Introduction ..... 1
1.2. SCADA System Description ..... 4
1.2.1. SCADA Physical/Hardware Description ..... 4
1.2.2. SCADA Operational Descriptions ..... 4
1.3. MCWD Mission Objective ..... 5
1.4. Facility Prioritization ..... 6
1.5. Detailed Facility Descriptions ..... 10
2. THREAT ANALYSIS AND CHARACTERIZATION ..... 11
2.1. DBT Summary ..... 11
2.2. Likelihood of Attack ..... 12
3. UTILITY CHARACTERIZATION AND VULNERABILITY IDENTIFICATION ..... 13
3.1. Chemical Vulnerabilities ..... 13
3.2. SCADA Analysis and Vulnerabilities ..... 15
3.2.1. Analysis ..... 15
3.2.2. SCADA Vulnerabilities ..... 25
3.3. Physical Vulnerabilities ..... 26
3.3.1. General Security Comments ..... 26
3.3.2. Santa Inez Lake, Dam, Spillway, and River ..... 27
3.3.3. Duck Pond ..... 27
3.3.4. McGrath Tunnel ..... 27
3.3.5. Newman Reservoir ..... 27
3.3.6. Torres Treatment Plant ..... 28
3.3.7. Monroe Aqueduct ..... 28
3.3.8. Valveworks ..... 28
3.3.9. Control Center ..... 28
3.3.10. Treated Water Reservoirs and Residual Treatment Stations ..... 29
3.3.11. Pump Stations ..... 29
3.3.12. Potential Contaminants ..... 29
3.4. Fault Tree ..... 30
3.4.1. MetroCity Fault Tree ..... 30
3.4.2. Fault Tree Analyses ..... 30
4. CONSEQUENCE MEASURES ..... 37
4.1. Consequence Assessment ..... 37
5. SYSTEM EFFECTIVENESS ..... 41
5.1. Identification of Adversary Strategies ..... 41
5.2. Adversary Path and Sequence Diagrams ..... 44
5.3. System Effectiveness Tables ..... 45
6. RISK CALCULATION ..... 49
7. RISK REDUCTION ..... 53
8. RECOMMENDATIONS ..... 57
8.1. General Recommendations ..... 57
8.2. Toxic/Biological Contaminants General Recommendations ..... 58
8.3. WMD-Type Event Recommendations ..... 59
8.4. Detailed Facility/Asset Recommendations ..... 59
8.5. SCADA Recommendations ..... 61
8.5.1. SCADA Policy/Procedure/Configuration Management Vulnerabilities ..... 61

TABLES

Table 1. Mission Objectives Comparison for MCWD ..... 6
Table 2. Facility Comparison Results for the MCWD Fire Flow Mission Objective ..... 7
Table 3. Facility Comparison Results for the MCWD Critical Customers Mission ..... 8
Table 4. Facility Comparison Results for the MCWD Potable Water Mission ..... 9
Table 5. Facility Mission-weighted Comparison Results for MCWD ..... 10
Table 6. Design Basis Threat for MCWD ..... 11
Table 7a. Example of Benefit to Threat (Adversary) Matrix ..... 17
Table 7b. Example of Degree of Vulnerability Matrix ..... 18
Table 7c. Example of a Consequence of Concern Matrix (Individual) ..... 19
Table 7d. Example of a Consequence of Concern Matrix (Individual) ..... 20
Table 7e. Example of a Consequence of Concern Matrix (Individual) ..... 21
Table 7f. Summary Matrix for Consequences of Concern (Individual) ..... 22
Table 7g. Example of Consequence Weighting Matrix ..... 23
Table 7h. Example of Relative Risk Calculation ..... 24
Table 7i. Final Relative Ranking of Operational Assets ..... 25
Table 8. MCWD Consequence Matrix ..... 37
Table 9a. Consequence Table ..... 39
Table 9b. Consequence Table ..... 40
Table 10. Possible Adversary Tactics ..... 43
Table 11a. System Effectiveness Against Threats ..... 47
Table 11b. System Effectiveness Against Threats ..... 48
Table 12a. Risk Calculation ..... 50
Table 12b. Risk Calculation ..... 51
Table 13a. Risk Reduction Comparison for High-Risk Assets ..... 54
Table 13b. Risk Reduction Comparison for High-Risk Assets ..... 55

FIGURES

Figure 1. MCWD Schematic Diagram ..... 2
Figure 2. SCADA System Asset Relative Ranking Process ..... 16
Figure 3a. Upper Level Elements of the Generic Fault Tree ..... 31
Figure 3b. Site-Specific Fault Tree Element for "Disable Pretreatment or Treatment Process" for the Torres Treatment Plant ..... 32
Figure 3c. Site-Specific Fault Tree Element for "Misuse/Damage Process Control System" for the Torres Treatment Plant ..... 33
Figure 3d. Site-Specific Fault Tree Element for "Damage/Destroy Critical Pipelines/Conduits" for the Torres Treatment Plant ..... 33
Figure 3e. Site-Specific Fault Tree Element for "Loss of Critical Communications" for the Torres Treatment Plant ..... 34
Figure 3f. Site-Specific Fault Tree Element for "Cut Power" for the Torres Treatment Plant ..... 34
Figure 3g. Site-Specific Fault Tree Element for "Misuse of Pretreatment/Treatment Chemicals" for the Torres Treatment Plant ..... 35
Figure 4. Adversary Path Development for the Chlorine Cylinders at the TTP ..... 44
Figure 5. Adversary Sequence Diagram for the Chlorine Cylinders at the TTP ..... 45
Figure 6. Scenario Timeline for the Chlorine Cylinders at the TTP (Insider Medium) ..... 46
Figure 7. Scenario Timeline for the Chlorine Cylinders at the TTP (Insider Medium) with Improvement in PPS ..... 53

EXECUTIVE SUMMARY

INTRODUCTION

This Case Study demonstrates parts of RAM-W℠ and is not intended to be comprehensive, nor is it considered to be the acceptable format for a final report. From the many hours spent teaching, performing assessments, and developing the methodology, several areas have been noted that require supplemental examples to explain certain concepts. The Case Study presents another example of those areas that will help assessment teams understand and apply the concepts better. The Case Study was not designed to be a standalone document, and the student/practitioner should review the corresponding chapters in the methodology while reviewing this material. The Case Study has been designed to be as real as possible, but certain assumptions have to be made for brevity.

Overview

This document contains an example of the application of the RAM-W℠ methodology to a fictitious municipal water system called MetroCity. The major elements of the process are presented for illustration purposes. The reader should be aware that much detail is omitted, and the example should be reviewed with the appropriate chapters of RAM-W℠. The physical structure and facility names are fabricated, and any similarity to an existing water utility is purely coincidental. MetroCity is designed primarily to rely on gravity for water delivery to complement the example facility used in RAM-W℠, which primarily relies on pumps.
Also, it should be noted that water utility systems vary greatly, not only in their source and distribution infrastructure, but in the way they are managed, their mission(s), operational procedures, intrinsic vulnerabilities, etc. This example should be considered merely a guideline and not a strict template for all systems. The RAM-W℠ process is designed to be sufficiently flexible to accommodate virtually any facility architecture, but it must be applied with considerable judgment to be successful.

In general, boxed italicized text within this example is used to indicate instructive information. The remaining text indicates example material.

1 GENERAL DESCRIPTION OF THE FACILITY

1.1. Introduction

MetroCity Water District (MCWD) is primarily a gravity-fed system (Figure 1), but it includes two pump stations for service to some higher elevation areas. MCWD supplies water to 500,000 customers in the greater MetroCity area. Typical peak summer consumption is 125 million gallons per day (MGD). Annual-average usage is 90 MGD.

The Santa Inez watershed is owned by MetroCity and drains 50,000 acres. Melting snow and rain are gathered and stored in the 3-billion-gallon Santa Inez Lake, which is constrained by the Santa Inez Dam and spillway. Water from the spillway flows into the Santa Inez River, and approximately 50% of this flow is diverted to the 600-million-gallon (MG) Duck Pond. At the base of the Duck Pond is the 5-MW Corona hydroelectric station fed by the penstock. A bypass line with pressure regulating valves allows all or just the excess flow to bypass Corona. From the hydroelectric station, water flows through the McGrath tunnel. This tunnel follows the contour of the land until it reaches Shaft 1, which carries water to a deeply buried section of tunnel 300 feet below grade.
At Shaft 2, water returns to grade level and continues on to the Newman Reservoir. Control valves regulate flow into the reservoir. Bypass lines can route water around the reservoir during maintenance and direct flow to the Torres Treatment Plant (TTP). Newman Reservoir has a storage capacity of 600 MG, which equates to approximately a one-week supply of water. Sluice gates regulate flow from Newman Reservoir to the inlet of TTP. The reservoir is located in a forested area surrounded by a residential neighborhood.

TTP is located at the outlet of Newman Reservoir and provides primary disinfection and corrosion control. The water is screened prior to entering the treatment plant, and chlorine gas is injected for disinfection. The treatment building can store up to ten 1-ton cylinders of chlorine. Up to 50 tons of lime are stored on site for pH adjustment. In addition, up to 25,000 gallons of fluorosilicic acid are stored at the treatment plant and used for dental hygiene.

[Figure 1. MCWD Schematic Diagram: the MetroCity Potable Water System, from the Santa Inez source through the TTP, Valveworks, pump stations (e.g., Oak PS) and distribution reservoirs (e.g., Westside, North) to the purveyor taps, with the MetroCity Public Works ATM network linking the remote sites. Legend: purveyor tap; valve station; municipal reservoir (with hypochlorite); facility; aqueduct or tunnel; pipeline; surface flow.]

From the TTP, the water is transported via the Monroe Aqueduct. The aqueduct starts as a 64-inch-diameter pipe that transports water from the TTP to a header. From there, the flow is divided into two 40-inch pipes. The 64-inch pipe follows the contour of the land and is exposed as it crosses over a major freeway. The two 40-inch pipes are buried their entire 10-mile length until they enter the Valveworks.
The Valveworks facility takes water from the Monroe Aqueduct and distributes it to four major distribution lines, each 36 inches in diameter: the Westside Pipeline, the Northside Pipeline, the Eastside Pipeline, and the Southside Pipeline. Gate valves (36-inch diameter) housed in the facility enable flow to be shut off to any of the four distribution pipelines. However, there is no ability to control the incoming supply lines from the Valveworks.

Two major pump stations boost pressure to high service areas: the Oak Pump Station and the Sequoia Pump Station. The Oak Pump Station houses two pumps, each with a capacity of 7,000 gallons per minute (gpm). This pump station feeds water to the purveyors at the end of the Eastside and Northside pipelines and to the North Reservoir. The Sequoia Pump Station has three 3,000-gpm pumps that supply water to Sequoia Reservoir.

Four major reservoirs in the distribution system store treated water: Westside Reservoir (25 MG capacity), Fatgut Reservoir (60 MG), Sequoia Reservoir (5 MG), and North Reservoir (10 MG). At the outlet of each of these reservoirs, residual treatment is provided by sodium hypochlorite. The Westside, Sequoia, and North reservoirs are all covered. The Fatgut Reservoir is an open-water reservoir. Each reservoir stores approximately a 24-hour supply of water for its respective customers.

The entire system is controlled by a SCADA system located at the Control Center (CC). This system is integrated with the MetroCity Information Technology (IT) system or network by a standard firewall interconnection. The CC also monitors security alarms located throughout the system.

Roughly equal numbers of customers are serviced by each purveyor tap; however, there is a concentration of hospitals serviced by the westernmost tap of the Westside Pipeline and a military base by the two easternmost taps of the Oak Pipeline.

1.2.
SCADA System Description 1.2.1. SCADA PhyslcallHardware Description The SCADA system controls and monitors 24 sites. There are approximately 100 RTUslPLCs in this system. These control loops primarily provide (1) SCADA alarm monitoring and control. (2) water pressure and treatment monitoring, and (3) valve and pump control functions. Personnel monitor and control the system via control panels located in the CC. Valves of up to 60 inches in diameter can be controlled from the CC. Most of the pumps at the system pump stations are also controlled via the control panel in the CC. The main SCADA process control Local Area Network (LAN) consists of a redundant atchitecture and utilizes Ethernet technology with IPtrCP suite of network protocols. Backups ate available for the critical SCADA server. Communication links include Ethernet, microwave, fiber optics, and leased phone lines. The city administers the microwave and fiber optic ATM networks, which include several critical paths. A local phone service provides T1 connecti vity for part of the system. Currently, backups do not exist for several of the MetroCitycommunication links. Physical protection systems for the SCADA and network equipment at the CC consist of two layers of locked doors, with administrative access only to the network equipment and the SCADA server. Some of the remote sites have no physical protection. No data protection (e.g., encryption) is utilized during data transfer or storage. 1.2.2. SCADA Operational Descriptions There is no official SCADA security policy, although some basic security elements, such as passwords, firewalls, etc., ate incorporated into the system operations. Configuration management is performed on a limited basis, mainly focusing on the SCADA-specific equipment (as opposed to the supporting network). There ate three skilled SCADA system administrators, but they do not recei ve any regular formal security training. 
SCADA accounts are restricted to the levels of administrators and operators, with password verification required. Regular virus checking and formalized event logging are not explicitly defined operational requirements for the system. Intrusion detection and network management packages are not incorporated into the SENSITIVE SECURITY INFORMATION: CONFIDENTIAL AND PROPRIETARY 4 SCAD A system. No remote SCADA operations are allowed, but there is remote access to the engineering workstations and for some network management functions. Public information based on SCADA data is available on the MetroCity web page, and historical data transferred from the SCADA network to the administrative network is utilized for engineering and planning decisions.' As noted previously, none of the data is encrypted during either transfer or storage. The CC PLC receives intrusion detection data for the physical intrusion detection alarms. This PLC concentrates the alarm data and sends them to both the analog display system and the SCADA system. The alarm system in the CC consists of both alarm sounds and lights. Staff indicated that most alarms are false alarms that result from weather conditions. As a result, alarm sounds are often disabled in the CC, particularly if specific weather conditions exist. A light comes on and stays on even if the alarm is turned off. Alarms are responded to at the discretion of the operator. 1.3. MCWD Mission Objective The first step in the security assessment ofa water utility is to idenfify and prioritize the mission objectives of the water utility. These objectives must be defined in order to accurately measure the importance ofthe various facilities and assets. Refer to Section 3 ofthe methodology document. 
The (three) main mission objectives identified for MCWD are to:
(1) Provide adequate water volume for firefighting
(2) Provide water to critical customers
(3) Provide potable water

These mission objectives (Table 1) are placed into a pairwise comparison matrix and compared to one another.

[Table 1. Mission Objectives Comparison for MCWD: the matrix contents are not recoverable from the scan. The pages between Table 1 (page 5) and the chemical consequence discussion that follows (page 13) are missing from this copy.]

for ingestion of chlorine was determined to be 42 gm/kg continuously over a two-week period for rats. A concern may be in the catastrophic release of multiple containers that can overwhelm the scrubbing capacity of the storage facility. Environmental and safety requirements should have a calculated scenario for the release of any toxic gases stored on site.

Lime is used to control the pH of the water. It is delivered as powdered quicklime (CaO), which is then hydrated (slaked) to Ca(OH)2 on site. The LD50 is 7.3 gm/kg (oral, mouse); therefore, it is practically nontoxic. Continuous injection would result in 3.51 ppm of Ca(OH)2 being delivered to the customers.

Fluorosilicic acid is used to artificially fluoridate the water at the TTP. It is delivered via tanker truck as a 24-wt% aqueous solution (density = 1.234 kg/l) and is stored inside the facility. If all the storage were discharged into the water lines with the pumps running at maximum capacity, a concentration of 8 ppm of fluorosilicic acid would result. The target dosage by a typical water system is ~7 ppm fluorosilicic acid for a 0.8-ppm residual fluoride target. Assuming complete inventory release, the residual fluoride level would be about 1.1 ppm. Fluoride has shown chronic effects at elevated levels (tooth staining, bone embrittlement), but acute doses are less well characterized.
Information from the Centers for Disease Control (CDC) indicates that doses up to 5 mg/kg body weight of fluoride are acceptable even in children (no known toxicity at this level). Therefore, fluoride is not a useful contamination target.

As can be seen from the analysis, the largest potential consequence is not associated with contamination of the water using the chemicals on site, but rather use of the available chemicals to create a cloud of poisonous gas. There are approximately 10 tons of chlorine gas at the TTP. There is only enough scrubber capacity for one tank of chlorine, and there is only one repair kit available for repairing the chlorine tanks in case of a rupture. It is assumed in this study that the chlorine tanks would be a primary target of the adversary.

It is further assumed that the adversary will be capable (as indicated in the DBT) of introducing foreign chemicals into the system. The analysis contained in this example will allow for that kind of attack. Fortunately, in many cases, the substances will experience such high dilution rates as to make them ineffective.

3.2. SCADA Analysis and Vulnerabilities

3.2.1. Analysis

Refer to Section 5 of the methodology document for detailed information on the SCADA analysis process. For this case study, only operational assets are considered; however, for a complete analysis, both asset classes would need to be analyzed. An example of the physical assets relative ranking is detailed in Section 5 of the methodology document.

After determining the SCADA operational assets, the relative ranking process proceeds as depicted in Figure 2.

[Figure 2. SCADA System Asset Relative Ranking Process. Inputs: Benefit to Threat Matrix, Degree of Vulnerability Matrix, Likelihood of Occurrence Matrix, Consequences of Concern Matrices (Individual), Consequences of Concern Matrix, and Weighting Matrix; output: Relative Ranking Matrix (High, Med, and Low). Legend: Completed by IT/SCADA Security Personnel; Completed by Individual Sites; Completed by Individual Sites and RAM-W Trained Personnel. The diagram itself is not recoverable from the scan.]

Tables 7a through 7i represent the SCADA analysis for the case study. For detailed explanations of each table, refer to Section 5.8 of the RAM methodology.

Table 7a. Example of Benefit to Threat (Adversary) Matrix

[The contents of Table 7a are not recoverable from the scan, and pages 17 through 23 of this copy are missing. The numeric table that survives on page 24 is reproduced below; its column headers are unreadable, but the values show that column 4 is the product of columns 2 and 3, column 5 is the product of columns 1 and 4, and the last column is column 5 normalized to sum to 1.00.]

Asset | Col 1 | Col 2 | Col 3 | Col 4 | Col 5 | Normalized
Security Policy | 0.1198 | 0.1370 | 0.1519 | 0.0208 | 0.0025 | 0.23
Configuration Management | 0.0753 | 0.0630 | 0.1222 | 0.0077 | 0.0006 | 0.05
Security Training | 0.1099 | 0.1370 | 0.1370 | 0.0188 | 0.0021 | 0.19
SCADA Network Man. | 0.0926 | 0.1074 | 0.0630 | 0.0068 | 0.0006 | 0.06
Backup Configurations | 0.0580 | 0.0556 | 0.0704 | 0.0039 | 0.0002 | 0.02
Remote SCADA Operations | 0.0333 | 0.1296 | 0.0407 | 0.0053 | 0.0002 | 0.02
Skilled Personnel | 0.1420 | 0.1296 | 0.0852 | 0.0110 | 0.0016 | 0.14
SCADA Account Restrictions | 0.1346 | 0.1296 | 0.0778 | 0.0101 | 0.0014 | 0.13
SCADA Control Data | 0.1519 | 0.0630 | 0.1296 | 0.0082 | 0.0012 | 0.11
Support Data | 0.0827 | 0.0481 | 0.1222 | 0.0059 | 0.0005 | 0.05
Total | | | | | 0.01 | 1.00

Table 7i. Final Relative Ranking of Operational Assets

Asset | Final Relative Ranking
Security Policy | High
Security Training | High
Skilled Personnel | Med
SCADA Account Restrictions | Med
SCADA Control Data | Med
SCADA Network Man. | Low
Configuration Management | Low
Support Data | Low
Backup Configurations | Low
Remote SCADA Operations | Low

A final, prioritized list of SCADA operational assets indicates an order for applying resources to improve SCADA security.
The next section provides more details on specific vulnerabilities.

3.2.2. SCADA Vulnerabilities

The SCADA analysis provided a ranked list of operational assets for focusing security improvements. In this section, we elaborate on the high and medium elements of that ranked list. (See the final ranking from the previous section.)

3.2.2.1. SCADA Policy/Procedure/Configuration Management Vulnerabilities

Vulnerability: The system has no security policy or security plan. There is very little security awareness, security implementation and administration are lax, and there exists a general lack of recognition that security is important.

Vulnerability: SCADA personnel do not receive regular formal security training.

Vulnerability: The dial-up access into the SCADA network for the system administrators uses shared passwords and shared accounts. Shared accounts and passwords are weak. In addition, activity logging on remote activities becomes impractical.

Vulnerability: Inadequate data protection exists as the SCADA data traverses the MetroCity network, both as it is transferred to other SCADA segments and as the data are sent to servers on the administrative network. The data are used for a variety of purposes, including public display and engineering efforts.

3.3. Physical Vulnerabilities

This section discusses the assessment of major facilities in the MCWD system. Included here are some general security related comments, some specific observations, and some site descriptions. During this portion of the overall assessment, ratings of the facility security robustness were also made. These ratings are listed or reflected in later tables. These descriptions are not intended to be complete but merely to indicate what types of information are necessary for completion of the assessment.

3.3.1. General Security Comments

Generally, most facilities had intrusion detection in the form of balanced magnetic switches on the entry doors as well as all other exterior doors. Normal entry procedure requires the operator to call the Control Center to inform the operator of entry into the facility. The CC would then see a "door open" light on their computer screen. Except where noted in the site description, all exterior doors were of hollow steel construction.

3.3.2. Santa Inez Lake, Dam, Spillway, and River

The Santa Inez watershed is closed to public access. The property is adjacent to a wilderness area. Vehicles that are allowed access are limited to MCWD service and employee vehicles. Gates are secured with chains and padlocks. Although employees regularly visit the lake, no personnel are stationed there. A concrete arch dam impounds the water for Santa Inez Lake. It is unlikely small amounts of explosives will have any effect on the integrity of the structure. The river normally flows at 2500 cfs, making it impractical to contaminate the water at this point in the system.

3.3.3. Duck Pond

Similar to Santa Inez Lake, Duck Pond is closed to public access. It borders the national forest. Gates are secured with chains and padlocks. Although employees regularly visit the lake, no personnel are stationed there. An earthen dam contains the water in Duck Pond. It is unlikely that small amounts of explosives will have any effect on the integrity of the dam.

3.3.4. McGrath Tunnel

McGrath Tunnel follows the contour of the land until it reaches Shaft 1, where water flows into a deeply buried tunnel until it reaches Shaft 2. From Shaft 2 downstream, the tunnel again follows the contour of the land. The tops of the shafts act as vents that are covered but not sealed. Contaminants can be introduced at the tops of these shafts; however, because of the flow rate, this action would likely be ineffective.

3.3.5. Newman Reservoir

Similar to Santa Inez Lake, Newman Reservoir is closed to public access. It borders a residential area on two sides. Gates are secured with chains and padlocks. A masonry dam impounds the water in Newman Reservoir. It is unlikely that small amounts of explosives will have any effect on the integrity of the dam.

3.3.6. Torres Treatment Plant

The major target at the TTP is a maximum of ten 1-ton chlorine storage containers. Typically only six cylinders are present and being used. The site has a chlorine gas scrubber system capable of handling a 1-ton cylinder leak. The chlorine storage building is a concrete block building with a metal roof. There are eight hollow metal doors in the facility. Each door has a balanced magnetic switch sensor and a crash bar. There are three roll-up doors with roller switch sensors. Sensors are monitored locally, but are turned off during the day when doors are typically unlocked. A 7-foot chain link fence with one vehicle gate surrounds the building compound. The gate is open and unlocked. Police response is 10 to 25 minutes provided operators can make a phone call. During the off-shift, only one person is on duty.

3.3.7. Monroe Aqueduct

The 64-inch aqueduct is covered under shallow earth for most of its length. However, a section of it is exposed as it runs under an overpass, which crosses a major interstate. Flooding could cause a major disruption to traffic.

3.3.8. Valveworks

The Valveworks facility contains several valves that can be manually operated or electrically operated locally or remotely by the SCADA system. Since the valves are large, it can take more than an hour to close them. The valves are contained in a masonry block building with a metal roof. There are eight personnel doors and two roll-up doors. The doors are of hollow metal construction. All personnel doors have balanced magnetic switches. The vehicle access doors have roller switches. Before entering the building, employees must notify the CC. The exposed piping and valves in the facility are targets. Explosives are required to breach them. The Valveworks facility is on a fenced property. The fence is 7 feet high with outriggers and borders a business area. Response would be 20 to 60 minutes for an MCWD employee during normal operation and possibly much longer, if at all, during the off-shift.

3.3.9. Control Center

The CC is located in a business area of the city. It is a modern three-story building with large glass windows on the exterior offices. The front doors are locked and alarmed and are opened by employees with a swipe of a proximity card. No one is stationed at the front to stop people coming in once an employee opens the door. Also, the back doors are unlocked during the day. The control room within the CC has hollow metal doors with a small glass pane and pushbutton locks for entry control. It has large glass windows that look into an adjacent office area.

3.3.10. Treated Water Reservoirs and Residual Treatment Stations

The reservoirs are located in residential areas. Seven-foot-tall chain link fences surround each property. Each has vehicle access gates secured with chains and padlocks. There is evidence of vandals trespassing on the properties (spray painting). Access hatches on top of the covered reservoirs (Westside, Sequoia, and North) are secured with padlocks and are alarmed with roller switches. The relatively large capacity Fatgut Reservoir is an open water reservoir. Refer to Section 3.3.12 for contaminant information with respect to these reservoirs.

3.3.11. Pump Stations

The Oak and Sequoia Pump Stations each house pumps in masonry block buildings. The doors are alarmed, and employees must notify the CC before entering. The targets for both pump stations are the pumps. Hand or power tools or explosives are required to disable the pumps.

3.3.12. Potential Contaminants

Note: this section contains fictional data, for example only.

Local and federal law enforcement agencies recently have issued alerts to local water systems to be concerned about two potential methods of contamination. One of these materials is biological and the other is chemical.

The first is Agent-SKS, a terrorist-developed chemical modification of a readily available pesticide. Synthesis of this material, in a temporary facility not much larger than an illicit meth lab, produces a contaminant with increased toxicity, water solubility, and chloramine resistance over the parent compound. The LDLo for this compound has been estimated at 0.579 mg/kg. This means that 50 lb would be sufficient quantity to poison one million gallons of water. Samples of this material that have been tested indicate that it has very low resistance to direct chlorination. Boiling of the water containing this material is not advised because it will force the contaminant into the gas phase where it has an increased toxicity.

The biological contaminant material is Yersinius dinoaves, a genetically modified version of the plague bacterium manufactured by rogue nations and supplied to terrorist organizations. A concentrated 1 liter solution contains 8 x 10^8 bacteria and weighs 1.1 kg. One thousand organisms are considered an infective dose. Therefore, approximately 10 lb of this material could contaminate one million gallons of water. This organism has been engineered to be orally infective and resist chlorine up to 20 ppm in water. It is, however, very sensitive to alkalinity of the water. Exposure to pH greater than 8.3 for a matter of a few minutes completely inactivates it. Boiling is also effective in removing this contaminant.

3.4. Fault Tree

Critical assets are identified in the RAM-W process, first by using the facility pairwise results (discussed earlier) and then by analysis of the fault tree. The pairwise process produces a rank-ordered set of facilities, and the fault tree identifies the assets within those facilities and also ensures that no critical assets/targets (system-wide) were overlooked in the process.

3.4.1. MetroCity Fault Tree

The customized fault tree, which is essentially a logic diagram that describes the operation of the water system, is presented in this section. Refer to Section 5 of the methodology document.

3.4.2. Fault Tree Analyses

The upper level of the Generic Undesired Event fault tree is shown in Figure 3a.

[Figure 3a. Upper Level Elements of the Generic Fault Tree. Top event: "Defeat the Mission of the Water System by Deliberately, Malevolently Causing an Undesired Event." Branches: 1. Interrupt or Impair Water Flow in the System (1.1 Disable Water Sources; 1.2 Disable Pretreatment or Treatment Process; 1.3 Impair Ability to Distribute Water); 2. Contaminate Water (2.1 Contaminate Water Before Distribution; 2.2 Disable Pretreatment/Treatment Process; 2.3 Contaminate Water in Distribution System); 3. Use Weapon of Mass Destruction Type Event to Injure Employees or the Public. The diagram itself is not recoverable from the scan.]

The MCWD Generic Undesired Event Fault Tree will be evaluated on an element-by-element basis and customized to reflect the specificity in the system. The fault tree analysis of MCWD will be demonstrated for the TTP. The process starts by following branch 1, Interrupt or Impair Water Flow in the System (see Figure 3a). Also on Figure 3a, included beneath Interrupt or Impair Water Flow in the System, is branch 1.2, Disable Pretreatment or Treatment Process. The development for Disable Pretreatment or Treatment Process is shown in Figure 3b.
TTP can take water from Newman Reservoir or from the bypass lines to provide disinfection. There are no filtration facilities at TTP. Disinfection is accomplished via chlorine injection from 1-ton cylinders, fluoride is added for promoting healthy teeth, and pH is adjusted by the addition of lime.

For the fault tree branch shown in Figure 3b, the top-level undesired events of "Loss of Pumps" and "Loss of Valves" are crossed with a solid line because these items do not exist at TTP. There are pumps for the chemical feeds, but the water flows into the plant via gravity. Therefore, the higher level undesired event was removed. All the subsequent development under these three top-level events is removed as well. The top-level undesired event, "Loss of Key Personnel," is crossed off with an X indicating that multiple personnel are trained to operate the facility, and it is, therefore, not considered a probable adversary target. See Appendix E (methodology document) for additional discussion on fault tree symbols and to see all elements of the generic fault tree.

[Figure 3b. Site-Specific Fault Tree Element for "Disable Pretreatment or Treatment Process" (branch 1.2) for the Torres Treatment Plant. The diagram itself is not recoverable from the scan.]

Notes are added onto the fault tree to indicate areas of concern and to capture important data. For example, notes on chlorine disinfection would prompt additional questions to analyze how much is stored on site at any one time and the potential impact to surrounding communities if the cylinders were to become an adversary target. See the questionnaires in Appendix F of the methodology document. The triangles with numbers in them note ties to sub-trees to further the analysis. Figures 3c through 3g show these sub-trees. The same process is followed to prune/graft other elements that exist/do not exist at the site.

[Figure 3c. Site-Specific Fault Tree Element for "Misuse/Damage Process Control System" (element 1.n.6) for the Torres Treatment Plant. The diagram itself is not recoverable from the scan.]

[Figure 3d. Site-Specific Fault Tree Element for "Damage/Destroy Critical Pipelines/Conduits" for the Torres Treatment Plant. The diagram itself is not recoverable from the scan.]

[Figure 3e. Site-Specific Fault Tree Element for "Loss of Critical Communications" (element 1.n.8) for the Torres Treatment Plant. The diagram itself is not recoverable from the scan.]

[Figure 3f. Site-Specific Fault Tree Element for "Cut Power" for the Torres Treatment Plant. The diagram itself is not recoverable from the scan.]

[Figure 3g. Site-Specific Fault Tree Element for "Misuse of Pretreatment/Treatment Chemicals" for the Torres Treatment Plant. Figure note: consider also the roles of Misuse of Pretreatment/Process Control (Manual and SCADA), Treatment Chemical Communications, Chemical Feed Pumps, and Valves. The diagram itself is not recoverable from the scan.]

4. CONSEQUENCE MEASURES

Table 8 has been developed for MCWD. The consequence matrix includes four columns (in the methodology document we have shown an extra column to distinguish between High and Very High consequences; either system works fine to denote WMD-type events). The first column lists the measures of consequence, including economic loss, duration of loss, number of users impacted, loss of fire protection (in terms of duration), deaths, and illnesses. The remaining columns indicate the threshold levels for evaluation of the undesirable events. The measures of consequence were determined by the expert judgment of the MCWD assessment team and approved by upper management.

Table 8. MCWD Consequence Matrix

Measure of Consequence | High | Medium | Low
Human effects (sickness, death, etc.) | >5 persons | 2-5 persons | <2 persons
Impact on MCWD ratepayers | >$100 million | $25-100 million | <$25 million
Impact on region's economic base | >$5 billion | $100 million to $5 billion | <$100 million
Duration of widespread loss of fire protection | >8 hours | 4-8 hours | <4 hours
Duration of widespread loss of water potability | >72 hours | 6-72 hours | <6 hours

4.1. Consequence Assessment

The consequence matrix, the pairwise ordering, and the site-specific fault tree identify specific assets at all the facilities and provide a means to estimate the consequence of the loss of those assets. "Assets" can be thought of synonymously as "targets" from an adversary's point of view. From this point forward in this example, the focus will be on assets. Facilities are mentioned only as a means of identifying the physical location of the assets. In some cases, the facility itself is the asset if a grouping of lower level assets is best described at the facility level. Refer to Section 5 of the methodology document.

Many of the facilities that make up MCWD support more than one of the major branches of the site-specific fault tree. Table 9 summarizes the assets at each of the facilities and also displays the results of the consequence evaluation. The table is constructed with consideration of the three top-level undesirable events from the fault tree. The undesired events from the fault tree are as follows:

• Interrupt or Impair Water Flow in the System,
• Contaminate Water,
• Weapon of Mass Destruction (WMD) Event

Each sub-table has four columns that list (1) the facility-asset-effect, (2) the high-medium-low magnitude of the consequence based on the measures defined in the consequence matrix, (3) a numerical value associated with that magnitude, and (4) brief explanatory comment(s). The numerical value in column 3 will be used later in the analysis.

The items in the table were derived by summarizing the remaining undesired events found on the customized fault tree segments for each facility. The facilities are evaluated for the undesired events that apply to their main functions. Naturally, there are commonalities between many of these facilities and the undesired events. It is important to divide the facilities and assets into the most logical subgroups to aid in making the difficult decisions necessary to carry on with the analyses. Within each of the identified facilities are numerous "assets" that allow the main functions to be performed and the mission objectives of MCWD to be completed. Finally, these assets (or the loss of these assets) are compared to the consequence measures listed in Table 8.
Engineering judgment is used to assign values of consequence for the loss of each of the identified assets and a description of why that consequence was assigned. The justification allows for review and concurrence of these consequence values. Later, the assigned consequence values are used in the risk equation to calculate the relative risk associated with the loss of specific assets due to malevolent attack(s). It should be noted that the estimated consequences in Table 8 may change with time because of changes in the design and/or operation of the water system.

[Table 9a. Consequence Table. The table body is not recoverable from the scan. Its note reads: there are three possible WMD-type events (noted in bold) identified: (1) the breach of the Santa Inez dam with resulting damage to residences below, (2) the release of a large cloud of chlorine gas at the TTP, and (3) biological agent water contamination.]

[Table 9b. Consequence Table. The table body is not recoverable from the scan.]

[Table 9c. Consequence Table (Facility: Control Center, Pump Stations). The table body is not recoverable from the scan.]

A few important points should be recognized from the consequence values assigned to the identified assets in Table 9. First, the tables contain a fairly good distribution of LO, MED, and HI consequence values. This derives from the threshold levels assigned by MCWD to the consequence measurements table, and indicates that the levels were appropriate to achieve good resolution (or distribution) across the consequence spectrum. This should be a goal in the analysis because the vulnerability assessment must discriminate between the relative risks for the assets. Also, the HI consequence events are associated with contamination, major structure damage, and catastrophic attacks, which should be expected.

5. SYSTEM EFFECTIVENESS

This section presents an analysis of the existing system effectiveness based on the capabilities of the DBT. The outcome of this analysis is an estimate of the effectiveness, PE, of the existing security and operational systems at each facility. Refer to Section 7 of the methodology document.

5.1. Identification of Adversary Strategies

The DBT for MCWD was previously defined to include an Insider, an Outsider(s), and a Hacker. In addition, the adversary was identified to have specific tools that would be used to attempt to accomplish the objective of defeating/damaging each of the critical assets.
The DBT will be used as input to define potential strategies and adversary paths. The threats are all given the number(s), tools, or capability to potentially cause significant damage to equipment/facilities. Presented here are potential adversary strategies, tactics, and adversary path diagrams for selected facilities and assets. This technique defines the path that the adversary will likely take to reach the asset, thereby achieving the objective of defeating at least one of the mission objectives of MCWD. Because of the relative simplicity of the existing security measures and because the structures that normally house the critical assets are not generally hardened, the paths are simplistic. They do, however, illustrate the thought process necessary to design upgrades to improve security.

The optimal adversary strategy is derived from expert opinion based on team members' knowledge of the existing protection system and operational design features. Several weaknesses in the existing security system(s) are considered in judging which strategies may be the most successful:

• Least protected paths,
• Easiest system features to defeat,
• No detection,
• Very little delay, and
• Long response times.

The scenarios and paths must be consistent with the attributes and tools already defined for the adversary. Table 10 provides brief descriptions of potential adversary strategies and tactics for a range of undesired events for the facilities evaluated during the assessment. Note that the strategies/tactics given in the table are not considered exhaustive, but rather identify what to consider in defining adversary strategies and tactics. Figure 4 indicates an ASD for TTP.

Table 10. Possible Adversary Tactics
[Table body largely illegible in the scan. Recoverable entries: Water District; Facility: Valveworks, Control Center.
Table 10 continued; recoverable entries: Pump Stations; various parts of the dam; various parts of exposed ... overpass; Contaminate water; Disable SCADA; structure.]

5.2. Adversary Path and Sequence Diagrams

Illustrated below (Figures 4, 5, 6) are notional diagrams associated with a scenario to breach the TTP and explode the chlorine cylinders. The rudimentary security features of the facility make these diagrams quite simplistic. Refer to Section 7 of the methodology document.

[Figure 4. Adversary Path Development for the Chlorine Cylinders at the TTP; diagram not recoverable from the scan. Labels visible: Offsite, Vehicle Gate.]

[Figure 5. Adversary Sequence Diagram for the Chlorine Cylinders at the TTP; diagram not recoverable from the scan. Layer labels visible: Offsite; Vehicle Gate, Fence (ground), Air; Property Area; Window, Roof, Wall, Ped Door, Dock Door; Chlorine Storage; Task; Tanks (Critical Asset).]

5.3. System Effectiveness Tables

In a manner similar to the assessment of consequence, the System Effectiveness also uses values of LO, MED, and HI for characterization. Table 11 indicates the results of the analysis for each element of the DBT (Outsider Medium, Insider Medium, and Hacker Medium). The table also contains a brief comment explaining the valuation. An example scenario timeline is shown in Figure 6.

[Figure 6. Scenario Timeline for the Chlorine Cylinders at the TTP (Insider Medium); diagram not recoverable from the scan. Labels visible: Delay Elements: force open pedestrian gate, cross area, cut off lock and enter through door, locate chlorine tanks, sabotage tanks (rupture tanks); Start of Adversary Path; Detection Point; Time Remaining (TR); Response Force Time (RFT); PPS Minimum Delay Along Path; Completion of Adversary Path.]

As an example, Figure 6 shows a notional timeline associated with the chlorine cylinder attack as mentioned above for the Insider Medium adversary [response time is approximately equal to delay (after detection) time].
Note that the Insider Medium does not have explosives; therefore, he is limited to somehow rupturing a tank or tanks. This timeline is used to evaluate the effectiveness of the existing system (i.e., determine LO, MED, HI) for each level of the DBT for this particular event. Such a timeline diagram may be necessary for each critical asset and each level of adversary. Refer to Section 7 of the methodology document.

Table 11a. System Effectiveness Against Threats
[Table body largely illegible in the scan. Recoverable content: the table note reads "This table includes the combined effectiveness of the Physical Protection System (PPS), and the Design Effectiveness or asset 'Robustness'." Each asset row carries a LO/MED/HI rating for each of the three DBT elements with a numerical factor (LO 0.1 and MED 0.5 are legible; the HI factor is not) and a comment. Visible rows include Dam (damage, destroy) rated HI/HI/HI with the comment "No change"; several rows rated MED/HI/HI or LO/HI/HI; and rows in the Water (contaminate) group rated LO/LO/HI with a comment referring to a plan and agreement with local law enforcement.]
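The timeline evaluation described for Figure 6 (delay after the detection point measured against the response force time, then mapped to LO/MED/HI), together with the risk equation into which the consequence values of the previous section and the PE values of this section feed, as an added worked example. This code is not from the report or from Sandia. The path elements follow the Figure 6 labels, but every delay time, response force time and LO/MED/HI threshold is a constructed placeholder; the factor 0.9 for HI is an assumption (the tables show 0.1 for LO and 0.5 for MED); and the risk form R = PA × (1 − PE) × C is taken from the RAM-W methodology document rather than from this section.

```python
"""Scenario timeline evaluation (Figure 6 style) and relative risk comparison.

Added example, not code from the report or from Sandia. Every time value,
threshold and path below is a constructed placeholder for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Numerical factors for the LO/MED/HI scale. LO = 0.1 and MED = 0.5 are
# visible in the report's tables; 0.9 for HI is an assumption of this example.
RATING_VALUE = {"LO": 0.1, "MED": 0.5, "HI": 0.9}


@dataclass(frozen=True)
class DelayElement:
    """One task on the adversary path and the delay the PPS imposes on it."""
    name: str
    delay_s: float  # constructed placeholder, seconds


def time_remaining(path: List[DelayElement], detection_index: int) -> float:
    """TR: the delay the adversary still faces once the PPS first detects him.

    Delay before the detection point buys nothing, because the response force
    has not yet been called. Detection is taken at the start of the element
    at detection_index, so that element still counts toward TR.
    """
    if not 0 <= detection_index < len(path):
        return 0.0  # no detection anywhere on the path: no usable delay
    return sum(e.delay_s for e in path[detection_index:])


def rate_effectiveness(tr: float, rft: float) -> str:
    """Map TR against RFT to LO/MED/HI. Thresholds are assumptions of this
    example: the response must arrive before the task completes (tr > rft),
    and HI is reserved for a comfortable margin (TR at least twice RFT)."""
    if tr <= rft:
        return "LO"
    if tr < 2 * rft:
        return "MED"
    return "HI"


def evaluate_scenario(path, detection_index, rft) -> Tuple[str, float]:
    """Effectiveness rating and TR for one adversary/asset/path combination."""
    tr = time_remaining(path, detection_index)
    return rate_effectiveness(tr, rft), tr


def relative_risk(pe_rating: str, c_rating: str, pa: float = 1.0) -> float:
    """R = PA * (1 - PE) * C, the RAM-W relative risk form (assumed here).
    PA = 1 gives the conditional risk given that the attack is attempted."""
    return pa * (1.0 - RATING_VALUE[pe_rating]) * RATING_VALUE[c_rating]


def risk_reduction(pe_before: str, pe_after: str, c_rating: str):
    """Risk before and after an upgrade, and the reduction, for one asset."""
    before = relative_risk(pe_before, c_rating)
    after = relative_risk(pe_after, c_rating)
    return before, after, before - after


# Constructed path modelled on the Figure 6 labels. On the existing system the
# first detection is at the door (balanced magnetic switches), index 2.
EXISTING_PATH = [
    DelayElement("force open pedestrian gate", 60),
    DelayElement("cross area", 30),
    DelayElement("cut off lock and enter through door", 90),
    DelayElement("locate chlorine tanks", 60),
    DelayElement("sabotage tanks (rupture)", 180),
]
EXISTING_DETECTION_INDEX = 2
EXISTING_RFT_S = 360  # constructed: response roughly equals post-detection delay

# Constructed upgraded path: detection moved to the perimeter (index 0), a
# hardened door and cylinder enclosures add delay, drills bring RFT under 5 min.
UPGRADED_PATH = [
    DelayElement("cross sensored perimeter", 60),
    DelayElement("cross area", 30),
    DelayElement("defeat hardened door", 240),
    DelayElement("locate chlorine tanks", 60),
    DelayElement("defeat cylinder enclosures", 200),
]
UPGRADED_DETECTION_INDEX = 0
UPGRADED_RFT_S = 300


if __name__ == "__main__":
    for label, path, idx, rft in (
        ("existing", EXISTING_PATH, EXISTING_DETECTION_INDEX, EXISTING_RFT_S),
        ("upgraded", UPGRADED_PATH, UPGRADED_DETECTION_INDEX, UPGRADED_RFT_S),
    ):
        rating, tr = evaluate_scenario(path, idx, rft)
        print(f"{label}: TR={tr:.0f}s RFT={rft}s -> PE {rating}")
    before, after, delta = risk_reduction("LO", "MED", "HI")
    print(f"relative risk (C=HI): {before:.2f} -> {after:.2f}, reduction {delta:.2f}")
```

The point the code makes is the one Figure 6 makes: moving the detection point earlier on the path and adding delay behind it both raise TR, while a faster response lowers RFT, and only the combination changes the rating. The same rating then drives the risk comparison, so a table like Table 13b can be regenerated whenever a path, delay estimate or RFT is revised.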
[Remnant of an earlier table; the preceding pages are missing from the scan. Recoverable comments: "Improve PPS with sensors & immediate law enforcement", "Compartmentalize access to area".]

Table 13b. Risk Reduction Comparison for High-Risk Assets
[Table body illegible in the scan. Recoverable fragments: risk values before and after mitigation, mitigation comments such as "Mitigate C by ... local ..." and "Install bypass ...", and risk differences such as -0.25.]

8. RECOMMENDATIONS

The recommendations below are hypothetically appropriate to this exercise, but are merely brief examples. An actual assessment would contain many more specifics.

8.1. General Recommendations

There are a number of good practices under way at MCWD. Unusual occurrences are being captured and reviewed, but several questions arise concerning how the information is being recorded. Do the instructions for completing the forms on an unusual occurrence specifically ask the person completing the report to look for malevolent or intentional acts that may have caused the condition? It is highly recommended that this log be expanded to include potential malevolent activities.
Are all employees trained on the use of the Unusual Occurrence log?

Having a Security Incidents Log is another good business practice. It is recommended that all employees be trained on the use of this log and that summaries of incidents be produced for trend analysis. Employ uniform descriptions for the security incidents to assist in the analysis.

The Alarms Log indicated an unusual number of alarms for the short period reviewed during the assessment. Notes on the follow-up for every alarm should be captured in the log. This information can then be used for maintenance, system performance, and trend data.

A security system testing program has to be developed to exercise all components of the system to ensure proper operation. Performance testing has to be instituted at the level of the DBT to build confidence that the system will work as designed.

While not tied to a specific adversary, there are several good business practices that could be undertaken by MCWD to lower risks from lower level adversaries. Factors to consider for improvement include the following:

• Developing/upgrading security policies and procedures.
• Developing a training program to provide security training for employees, including refresher courses and test-out provisions (tests to assure understanding).
• Developing and enforcing more stringent badge policies.
• Conducting "Table-Top" exercises regularly (such as conducted during Y2K and following 9/11) on malevolent events and emergency response.
• Continuing to develop/exercise memorandums of understanding with other governmental agencies (cooperation and education with law enforcement agencies has been excellent).
• Performing background checks on key employees and key contractor employees.
• Developing testing procedures for how to respond to all security alarms.
• Enforcing employee separation policies.
• Following up and writing a disposition on all security alarms.
• Compartmentalizing facilities, providing access on an "as-needed" basis.
• Creating and enforcing a key control policy.
• Training all employees on the use of the Unusual Occurrence Log and insisting that it be completed.
• Controlling the access of all visitors, contractors, and vendors.
• Creating and enforcing a vehicle control policy.
• Maintaining a supply of critical replacement parts.
• Developing a robust security system testing program.
• Reviewing, updating, and/or eliminating policies and procedures annually.

8.2. Toxic/Biological Contaminants General Recommendations

Monitoring for contamination events is a concern for MCWD, from the perspective of impacting the drinking water as well as potentially contaminating a facility. Instrumentation in use to measure pH, chlorine residual, total organic carbon, conductivity, and other parameters may also be employed to detect impacts on water quality from malevolent acts. MCWD may want to consider installing some of this available instrumentation in critical locations in the distribution system and monitoring the data in real time. It is important to know the range of these measurements outside a contamination event in order to identify significant state changes in the system. Policies, procedures, and emergency response plans will also be required to effectively deploy real-time monitoring instrumentation. Knowing what to do and how to do it in an emergency will be critical to successfully defeating an event. Changes to the system may also be required to allow a quick response and the ability to isolate sections when contamination is indicated.

8.3. WMD-Type Event Recommendations

Although the MCWD management team considers the most important mission objective to be the provision of adequate water volume for firefighting, several WMD-type events should be addressed that potentially have a large impact on public safety.
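The real-time monitoring recommended in Section 8.2 above depends on knowing the normal range of each measurement so that a significant state change stands out. The following added example (not code from the report or from MCWD) learns that range from readings taken outside any event and then grades new readings; the parameter names, the three-standard-deviation rule and the rule that a state change needs at least two parameters moving together are design assumptions of this example, and all readings are constructed.

```python
"""Baseline range learning and state-change flagging for online water quality
instrumentation (pH, chlorine residual, conductivity, TOC).

Added example, not code from the report or from MCWD. Parameter names, the
3-sigma rule and the two-parameter rule are assumptions of this example, and
every reading below is constructed.
"""
import statistics
from typing import Dict, List, Tuple

PARAMS = ("ph", "free_cl2_mg_l", "conductivity_us_cm", "toc_mg_l")
Reading = Dict[str, float]
Baseline = Dict[str, Tuple[float, float]]


def learn_baseline(history: List[Reading]) -> Baseline:
    """Per-parameter (mean, stdev) from readings taken outside any event.

    This is the 'range outside a contamination event' the text asks for. It
    has to be learned per sampling location and relearned after process
    changes, because set points differ between sites and over time."""
    return {
        p: (statistics.mean([r[p] for r in history]),
            statistics.stdev([r[p] for r in history]))
        for p in PARAMS
    }


def score_reading(reading: Reading, baseline: Baseline, k: float = 3.0) -> Dict[str, float]:
    """Parameters whose deviation from baseline exceeds k standard deviations,
    with the signed z-score so the operator sees the direction of the change."""
    flagged = {}
    for p, (mu, sigma) in baseline.items():
        if sigma == 0:
            continue  # constant parameter in the history: no range to compare
        z = (reading[p] - mu) / sigma
        if abs(z) > k:
            flagged[p] = round(z, 2)
    return flagged


def classify(flagged: Dict[str, float], min_params: int = 2) -> str:
    """One parameter out of range is usually sensor drift or a flushing event
    and warrants a check; several parameters moving together is the
    'significant state change' that should start the response plan."""
    if not flagged:
        return "normal"
    if len(flagged) >= min_params:
        return "state_change"
    return "single_parameter_excursion"


def evaluate(reading: Reading, baseline: Baseline) -> str:
    return classify(score_reading(reading, baseline))


def constructed_history(n: int = 48) -> List[Reading]:
    """Constructed 'normal operations' readings: a small deterministic wobble
    around plausible set points, standing in for two days of hourly data."""
    history = []
    for i in range(n):
        w = (2 * i) % 5 - 2  # cycles through -2..2
        history.append({
            "ph": 7.4 + 0.02 * w,
            "free_cl2_mg_l": 1.2 + 0.03 * w,
            "conductivity_us_cm": 450 + 4 * w,
            "toc_mg_l": 2.0 + 0.05 * w,
        })
    return history


# Constructed readings: inside the learned range, a lone pH excursion, and a
# simultaneous chlorine demand / conductivity / TOC shift.
NORMAL_READING = {"ph": 7.42, "free_cl2_mg_l": 1.18, "conductivity_us_cm": 455, "toc_mg_l": 2.05}
DRIFT_READING = {"ph": 7.6, "free_cl2_mg_l": 1.2, "conductivity_us_cm": 450, "toc_mg_l": 2.0}
EVENT_READING = {"ph": 7.4, "free_cl2_mg_l": 0.3, "conductivity_us_cm": 520, "toc_mg_l": 4.5}

if __name__ == "__main__":
    base = learn_baseline(constructed_history())
    for name, r in (("normal", NORMAL_READING), ("drift", DRIFT_READING), ("event", EVENT_READING)):
        print(f"{name:7} {evaluate(r, base):27} {score_reading(r, base)}")
```

In practice the baseline would be recomputed on a rolling window per site, and the response plan the section calls for decides what a "state_change" triggers (resampling, isolating a section, notifying the lab); the code only separates the normal range from the state change.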
The potential WMD-type events were indicated in bold italics in the tables and include the following:

• Breach of the Santa Inez Dam
• Water contamination by a biological agent
• Release of chlorine gas from TTP

For the DBT adopted by MCWD, the breach of the dam is not considered a viable risk, as indicated in the tables. However, a revision of the DBT would change this, possibly to a matter of grave concern. The most significant public safety risk concerns the chlorine at TTP. The obvious remedy for this is to modify the treatment process and eliminate the gaseous chlorine altogether. This is a costly approach, but very effective, and it also reduces the risk of a catastrophic accident. MCWD may choose to accept the risks associated with the chemicals and take other steps to simply mitigate the risk. It is recommended that a detailed analysis of the consequences of all ten chlorine cylinders being breached simultaneously be undertaken for MCWD to understand the full extent of the risk.

8.4. Detailed Facility/Asset Recommendations

This section contains one example of an upgraded PPS for improving system effectiveness. The assumption is made that MCWD would like to continue using gaseous chlorine as a disinfection agent due to its efficacy and lower operating costs. The DBT for MCWD has up to three adversaries with the capability to attack with explosives and weapons. MCWD would like to defeat this adversary and significantly lower the risk to public safety of a catastrophic chlorine release. The chlorine storage facility is a concrete block building with eight personnel doors and three roll-up doors for access. The facility is surrounded by a chain link fence with two access gates. In general, to have an effective PPS, the following items are necessary:

• Balanced protective layer that serves as the first point of detection.
• Detection system that has a high probability of detecting intrusions at this outer protective layer.
• Additional delay elements after detection.
• Selectively hardened and alarmed vital targets inside the outer protective layer.
• Well-equipped, trained, and authorized 24/7 response force of 2 to 6 persons located at the site.

The existing facility was not built to withstand this level of threat and significant changes will be required to upgrade the PPS. The fence will need to be replaced with a much sturdier version that includes sensors to detect whether or not someone is climbing. Since adversaries can jump a sensored fence, the next item is to put a second layer of protection inside the fence. A microwave sensor field and a buried cable are included. Unless the adversary brings tools beyond their present capability, or is able to defeat the detection elements in some other way, detection probability will increase dramatically. Lights are added around the perimeter and a CCTV camera system installed to provide assessment of all alarms. Finally, a second fence is constructed with a barrier that will prevent anyone from driving through the detection perimeter and reaching the chlorine storage facility.

The next item is to increase delay. The decision is made to harden all the openings to the building and permanently seal all but a couple of the doors. Balanced magnetic switches are already installed on the doors. A new wall is designed to surround the chlorine tanks that will survive the blast from the amount of explosives available to the adversary. The access door is hardened, but will not be able to survive the explosives. To further delay the adversaries, enclosures are designed for the chlorine cylinders that will each require explosives to destroy. With these elements in place, MCWD estimates the delay time is now several minutes for the DBT.
A blast consultant confirms that the amount of explosives necessary to breach the chlorine room door and each of the chlorine cylinder enclosures is beyond the amount the adversaries could carry on-site.

The final element is response. MCWD decides to take a two-pronged approach. A security guard is stationed inside the facility in a protected area. The guard will not be able to stop the adversaries, but will be able to assess the situation and delay them further. MCWD alerts local law enforcement of the situation and asks for their support. Drills are conducted and the response time is consistently less than 5 minutes.

Adversary sequence diagrams are constructed on the updated PPS. It is estimated that the system effectiveness has improved from low to medium. The life-cycle costs of this upgraded PPS have to be weighed against the costs of eliminating the gaseous chlorine and a final decision reached as to the best course of action.

8.5. SCADA Recommendations

This section contains SCADA mitigations for MCWD. The critical vulnerabilities previously identified and categorized for MCWD are repeated here for reader convenience. Each vulnerability is followed by a corresponding recommendation/mitigation.

8.5.1. SCADA Policy/Procedure/Configuration Management Vulnerabilities

Vulnerability: The system has no security policy or security plan. There is very little security awareness, security implementations and administration are lax, and there exists a general lack of recognition that security is important.

Mitigation: The basic solution is to start developing these policies, procedures, and plans. Guidelines for these efforts are found in the SCADA Security Policy Framework.
It is important to note that these activities, particularly the security policy development, should take place before technology solutions are incorporated into the system, to avoid redoing technology solutions that conflict with the decided security policy.

Vulnerability: SCADA personnel do not receive regular formal security training.

Mitigation: Formal security training for SCADA personnel must be done on an ongoing basis.

Vulnerability: The dial-up access into the SCADA network for the system administrators utilizes shared passwords and shared accounts. Shared accounts and passwords are weak. In addition, activity logging on remote activities becomes impractical.

Mitigation: Create individual accounts for all personnel who log into the SCADA network remotely, including system administrators. Utilize a stronger authentication process, i.e., dial-back, smart cards, etc. Audit activities on the remote connection via logging, and review the audit logs as part of the security program on a regular basis.

Vulnerability: Inadequate data protection exists as the SCADA data traverses the MetroCity network, both as it is transferred to other SCADA segments and as the data is sent to servers on the administrative network. This data is used for a variety of purposes, including public display and engineering efforts.

Mitigation: MCWD needs to determine the level of sensitivity associated with particular types of data (i.e., SCADA sensor data versus control data versus historical data). Appropriate data protection methods can then be applied. Technologies for data protection and separation include encryption, strong authentication, filtering, etc.
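The dial-up mitigation above asks for individual accounts, logging of remote activity and regular review of the audit logs. The following added example (not code from the report or from MCWD) shows what that periodic review can look for once individual accounts exist: one account dialling in from several caller IDs (the shared-account pattern the vulnerability describes), successful logins outside approved hours, repeated failures against one account, and log lines the logger itself mangled. The log format, the approved-hours window, the failure threshold and every log line are constructed; a real modem server or remote access server logs differently.

```python
"""Review of a remote-access audit log for a SCADA dial-up connection.

Added example, not code from the report or from MCWD. The log format, the
approved-hours window, the failure threshold and all log lines are
constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, time
from typing import Dict, List, Tuple

# Constructed format: <ISO timestamp> account=<id> caller_id=<number> result=<OK|FAIL>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) caller_id=(?P<caller>\S+) result=(?P<result>\S+)$"
)

# Constructed sample log: a shared administrator account used from two
# numbers (one at 02:13), one user with three failures before success, and
# one unremarkable session.
SAMPLE_LOG = """\
2003-04-02T02:13:05 account=scada_admin caller_id=555-0101 result=OK
2003-04-02T09:40:12 account=scada_admin caller_id=555-0199 result=OK
2003-04-02T10:02:44 account=jdoe caller_id=555-0123 result=FAIL
2003-04-02T10:03:01 account=jdoe caller_id=555-0123 result=FAIL
2003-04-02T10:03:19 account=jdoe caller_id=555-0123 result=FAIL
2003-04-02T10:04:00 account=jdoe caller_id=555-0123 result=OK
2003-04-02T14:30:00 account=asmith caller_id=555-0144 result=OK
"""

Finding = Tuple[str, str, str]  # (kind, account, detail)


def parse(lines: List[str]) -> List[Dict]:
    """Parse log lines. Lines that do not match the format are kept and
    reported rather than dropped, because a broken logger is itself a finding."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            entries.append({"malformed": line})
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        entries.append(e)
    return entries


def review(entries: List[Dict], approved_hours=(time(7, 0), time(18, 0)),
           max_failures: int = 3) -> List[Finding]:
    """Produce the findings a periodic audit-log review should surface."""
    findings: List[Finding] = []
    callers: Dict[str, set] = defaultdict(set)
    failures: Dict[str, int] = defaultdict(int)
    start, end = approved_hours
    for e in entries:
        if "malformed" in e:
            findings.append(("malformed_line", "-", e["malformed"]))
            continue
        callers[e["account"]].add(e["caller"])
        if e["result"] != "OK":
            failures[e["account"]] += 1
        elif not start <= e["ts"].time() <= end:
            # A successful login outside approved hours needs a matching change ticket.
            findings.append(("off_hours_login", e["account"], e["ts"].isoformat()))
    for acct, ids in sorted(callers.items()):
        if len(ids) > 1:
            # Several caller IDs on one account: shared credential, or one that leaked.
            findings.append(("shared_account_suspected", acct, ", ".join(sorted(ids))))
    for acct, n in sorted(failures.items()):
        if n >= max_failures:
            findings.append(("repeated_failures", acct, str(n)))
    return findings


if __name__ == "__main__":
    for kind, acct, detail in review(parse(SAMPLE_LOG.splitlines())):
        print(f"{kind:26} {acct:12} {detail}")
```

With dial-back in place the caller ID check becomes a hard control rather than a review item, since the server only calls a registered number per account; the off-hours and repeated-failure checks remain useful regardless of the authentication method.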