NERC CIP Compliance - SERC Home Page
www.encari.com
NERC CIP Compliance
Lessons Learned and Sustainable Compliance for the NERC CIP-007-1 Standard
Agenda
• Implicit Requirements of Cyber Assets covered by 007
• Technical Feasibility Exceptions
• Commissioning of new Critical Assets and intra-ESP Cyber Assets
• 007 Requirements
Implicit Requirements
1. An understanding of what the words “cyber asset” mean
2. An accurate inventory of cyber assets located within your ESPs
3. Well-defined ESPs and the devices providing access control and monitoring
4. Personnel are available to document, implement and enforce the compliance program
Technical Feasibility Exceptions
• Industrial Defender / Teltone devices
• Intrusion Detection devices
• Numerous generation PLCs and HMIs
• Network communication devices such as hubs, switches, routers, and firewalls serving only as communication networks or ESP access points
• Vendor challenges as they attempt to meet the requirements
– Slow cycle of patch approval, unprotected portals for patches, integrated unchangeable passwords
Commissioning of New Critical Asset
• Order of implementation plan
– Physical Security Perimeter
– Electronic Security Perimeter
– Compliant Cyber Asset introduced into the ESP
• A possible alternate solution is to establish time-restricted, external interactive access for the Cyber Asset prior to implementing the ESP and required PSP
Commissioning of New Cyber Assets
• Scenario 1 (Cyber Assets and existing CCAs)
– Ensuring appropriate checks that any new system directly connected to the ESP-protected network is compliant upon commissioning
• Scenario 2 (Cyber Assets, but no CCAs)
– Enabling appropriate change controls to ensure no “critical” cyber assets are enabled at the facility
007.R1 : Test Procedures
• Developing a test environment that mimics production
– Control Center
• Utilize a dual-NAT, mantrap firewall to allow a mirrored environment with the same IP address structure; cautiously investigate virtualized solutions
– Transmission
• Engineer a duplicate RTU-to-front-end communications model to associate with the test environment
– Generation
• Hard (We are actively working on solutions; I&C procuring duplicate PLCs, Foxboro, Emerson, GE Mark x, ABB Bailey, …)
007.R2 : Ports and Services
• Compensating controls for Ports and Services that cannot be disabled
– Intrusion Detection System to passively monitor unapproved intra-ESP communication flows associated with ports attached to services that cannot be disabled
– Host-based firewall integrated solutions such as *nix IPChains or the native Windows IPSEC engine or firewall
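As an added example (not from the presentation or from Encari), the script below reconciles the listening ports observed on an ESP Cyber Asset against the R2 ports-and-services baseline the deck describes, recorded in the spreadsheet layout it suggests as evidence (port, service, why it is necessary, whether it can be disabled, compensating control). The column names, ports, services and justifications are constructed assumptions; it flags unapproved listeners, approved ports that could simply be disabled, “cannot disable” entries that lack a compensating control, and stale baseline rows.

```python
# Added example (not from the presentation): reconcile the listening ports observed on an
# ESP Cyber Asset against the CIP-007 R2 ports-and-services baseline, which the deck
# describes as a spreadsheet of each port/service, why it is necessary, and its
# compensating control. All ports, services and justifications are constructed sample data.
import csv
import io

# Constructed baseline in the spreadsheet layout the deck suggests (R9 evidence for R2).
BASELINE_CSV = """port,proto,service,justification,can_disable,compensating_control
21,tcp,ftp,vendor file transfer,no,IDS alerts on FTP outside maintenance window
22,tcp,sshd,remote maintenance by I&C,no,
102,tcp,iec61850-mms,substation IED polling,no,IDS monitors intra-ESP MMS flows
502,tcp,modbus,PLC polling by HMI,no,host firewall limits sources to HMI subnet
5900,tcp,vnc,legacy vendor support,yes,
"""

# Constructed observation: what a netstat / port-scan review of the host showed.
OBSERVED = [(22, "tcp", "sshd"), (102, "tcp", "mms"), (502, "tcp", "modbus"),
            (5900, "tcp", "vnc"), (8080, "tcp", "http-proxy")]


def load_baseline(text):
    """Parse the baseline CSV into {(port, proto): row}."""
    return {(int(r["port"]), r["proto"]): r for r in csv.DictReader(io.StringIO(text))}


def reconcile(baseline, observed):
    """Return R2 findings as (kind, port, proto, service) tuples: listeners absent from the
    baseline, approved ports that could be disabled but are still open, 'cannot disable'
    entries with no compensating control, and baseline rows no longer observed (stale)."""
    findings, seen = [], set()
    for port, proto, name in observed:
        key = (port, proto)
        seen.add(key)
        row = baseline.get(key)
        if row is None:
            findings.append(("unapproved", port, proto, name))
        elif row["can_disable"] == "yes":
            findings.append(("should_be_disabled", port, proto, row["service"]))
        elif not row["compensating_control"].strip():
            findings.append(("no_compensating_control", port, proto, row["service"]))
    for (port, proto), row in baseline.items():
        if (port, proto) not in seen:
            findings.append(("stale_baseline", port, proto, row["service"]))
    return sorted(findings)


if __name__ == "__main__":
    for finding in reconcile(load_baseline(BASELINE_CSV), OBSERVED):
        print(*finding)
```

Each finding maps to an R2 evidence action: document or close the unapproved listener, disable the disableable one, record a compensating control for the rest, and retire stale rows so the spreadsheet matches the asset.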
007.R3 : Security Patch Management
• Tracking security updates for firmware, operating systems and applications
• Appliance considerations – how to update and / or identify system necessity
• Testing patches (see 007.R1)
• Investigate application whitelisting options
007.R4 : Malicious Software Prevention
• Antivirus capabilities for devices
• Testing and updating signatures on a routine basis
• Investigate application whitelisting options
007.R5 : Account Management
• Operator logins at generating facilities
– May need to combine physical and technical controls to identify personnel utilizing shared accounts during a period of time within a physically controlled generation control room
• Administrative and Shared user accounts
– Some user accounts are allocated by the vendor and cannot be modified
– This can be challenging to manage in spreadsheets; using a tool is becoming simpler
007.R6 : Security Status Monitoring
• Managing (detecting, responding and escalating) the high volume of monitored events generated by each Cyber Asset
– Immediate review of the volume of events to quantify what is truly of “interest” and what are misconfigurations
– Reconfiguring systems
– Alarm notifications across shared infrastructure (codebook)
007.R7 : Cyber Asset Decommissioning
• Managing the Cyber Asset lifecycle
– Only dispose, do not redeploy (too difficult to track)
– Actual media destruction is difficult due to the massive number of media types and the challenge of actually assuring destruction (a known difficulty; review and identify applicable protection laws and violations)
– Purchase a degausser with annual integrity validation and guarantee expectations of support / insurance contracts
007.R8 : Vulnerability Assessments
• There are many interpretations of what a vulnerability assessment is
• Combine the annual vulnerability assessments with the other “annual” requirements
– Review next slide
007.R9 : Documentation Management
• Example evidence to support compliance
– TFEs
– R1. Actual test procedure results associated with any “significant change” as identified during the CIP-003, R6 change management program
– R2. Spreadsheet containing ports and services and why they are necessary, plus compensating controls (automated or manual)
– R3. Actual security patch notifications and review for applicability, status of patch, compensating controls and approval by senior management
– R4. Actual anti-virus updates and the transition from corporate to test to control network
– R5. Spreadsheet of administrative, shared and individual user accounts, who authorized them, manual or automated history, password complexity validation
– R6. Security notifications or manual review logs with actual response history
– R7. Death certificates of Cyber Assets in the ESP
– R8. Vulnerability assessment remediation report and action plan
– R9. Having a documentation system with calendaring and versioning control
Q&A
• Contact Information
Matthew Luallen – Co-Founder, Encari
312-375-4715
mluallen@encari.com
Visit our blog at Control Engineering magazine’s website: www.controleng.com