
Hack attack: Computer safety 101 for water utilities - v.06


  1. Hack Attack: Computer Safety 101 for Utilities
     - Brian Gongol, DJ Gongol & Associates, Inc.
     - November 3, 2021
     - Nebraska Section AWWA Fall Conference, Kearney, Nebraska
  2. Survey of cyber threats to the water sector
  3. Trojan horses
  4. Payloads
  5. DOS/DDOS attacks
  6. Ransomware
  7. Impostors and social engineering
  8. Phishing
  9. Spearphishing
     - An actual spearphishing attempt against Nebraska AWWA:
  10. Spearphishing (again)
     - Oh, and it happened again this year:
  11. Catphishing
  12. Practical steps you can take
  13. "Use antivirus" used to be enough
  14. Use antivirus, but that alone is far from enough
  15. Step 1: Watch what enters the castle
  16. Don't pick up stray memory devices
     - SD cards
     - Flash drives
     - DVDs
  17. Attachments: When in doubt, call first
  18. Isolate mission-critical devices
     - Mission-critical devices
       - SCADA
       - Accounting
       - Payment processing
       - Sensitive customer data
     - At-risk devices
       - Internet browsing
       - Email
       - Social media
       - Videos
       - General computing
  19. Physically guard all your devices
     - This is how Microsoft guards a data center:
  20. Install firewalls wherever possible
  21. Step 2: Secure the gates
  22. Always replace default passwords
  23. Complex passwords
     - Pick a song, poem, or sentence
     - Use the first letter of each word (with case) and all numbers and punctuation
  24. Complex passwords
     - "Oh, say can you see? By the dawn's early light."
  25. Complex passwords
     - "Oh, say can you see? By the dawn's early light."
     - "Oh, say can you see? By the dawn's early light."
  26. Complex passwords
     - "Oh, say can you see? By the dawn's early light."
     - "Oh, say can you see? By the dawn's early light."
     - Password: O,scys?Btdel.
  27. Two-factor authentication
  28. Use public WiFi only with a VPN
  29. Don't fall for screen-sharing requests
  30. Look out for near-miss URLs
  31. Step 3: Don't broadcast your information
  32. Avoid photos of desks and work spaces
  33. Avoid photos of desks and work spaces
     - Passwords
     - Calendars
     - Client data
     - Photos
     - Other clues
  34. Scrub documents before sharing online
  35. Keep your whereabouts quiet
  36. Step 4: Don't be shy about "who goes there?"
  37. Role-dependent emails
     - superintendent@springfieldmonorail.gov
     - billing@springfieldmonorail.gov
     - bidding@springfieldmonorail.gov
  38. Don't send suspicious-looking materials
  39. Use TO:, CC:, and BCC: fields judiciously
  40. Step 5: Only venture out if prepared for battle
  41. Double-check every link before you click
  42. Never pay without HTTPS
  43. Consider buying cybersecurity insurance
  44. Train employees in cybersecurity hygiene
     - Doesn't mean getting an IT degree
     - Better to get small but frequent doses of instruction
     - Develop habits
     - Show that cybersecurity is taken seriously "from the top"
  45. Step 6: Keep an eye on the foundation
  46. Keep up on OS updates
  47. Keep your apps updated
  48. Encrypt customer data
  49. Keep vital backups in untouchable spots
  50. Maintain an inventory of devices
     - Utility-owned devices
     - BYOD (Bring Your Own Devices)
     - Permission levels for all devices
     - Accounts permitted on each device
     - Where each device is allowed to go
  51. Know your first call if something goes wrong
  52. Social media: What to do about it safely
  53. Capture (and use) authentic usernames
  54. Use management teams, not shared passwords
  55. Don't ask for sensitive information
  56. Resources
  57. EPA technical assistance
     - https://horsleywitten.com/cybersecurityutilities (Contractor)
  58. EPA incident checklist for water utilities
     - https://www.epa.gov/sites/default/files/2017-11/documents/171013-incidentactionchecklist-cybersecurity_form_508c.pdf
  59. WaterISAC fundamentals guide
     - https://www.waterisac.org/fundamentals
  60. CERT updates
     - https://us-cert.cisa.gov/
  61. National Cyber Awareness System
     - https://us-cert.cisa.gov/ncas
  62. CERT advisories
     - https://us-cert.cisa.gov/ics/advisories
  63. CERT resources for local governments
     - https://us-cert.cisa.gov/resources/sltt
  64. AWWA cybersecurity resources
     - https://www.awwa.org/Resources-Tools/Resource-Topics/Risk-Resilience/Cybersecurity-Guidance
  65. Questions?
     - Thank you for your time and attention!
     - This presentation will be available online at gongol.net/presentations
     - Brian Gongol, DJ Gongol & Associates
     - 515-223-4144
     - brian@gongol.net
     - @djgongol on Facebook, LinkedIn, and Twitter
  66. Credits
     - Screenshots depicting particular threats taken from US-CERT and from the author's own encounters
     - Photographs are all the original work of the author
