NERC CIP Compliance - SERC Home Page

www.encari.com
NERC CIP Compliance
Lessons Learned
and Sustainable Compliance
for the NERC CIP-007-1 Standard

www.encari.com
Agenda
• Implicit Requirements of Cyber Assets
covered by 007
• Technical Feasibility Exceptions
• Commissioning of new Critical Assets and
intra-ESP Cyber Assets
• 007 Requirements
2

www.encari.com
Implicit Requirements
1. An understanding of what the words “cyber
asset” mean
2. An accurate inventory of cyber assets
located within your ESPs
3. Well defined ESPs and the devices providing
access control and monitoring
4. Personnel are available to document,
implement and enforce compliance program
3

www.encari.com
Technical Feasibility Exceptions
• Industrial Defender / Teltone devices
• Intrusion Detection devices
• Numerous generation PLCs and HMIs
• Network communication devices such as hubs,
switches, routers, and firewalls serving as only
communication networks or ESP access points
• Vendor challenges as they attempt to meet the
requirements
– Slow cycle of patch approval, unprotected
portals for patches, integrated unchangeable
passwords
4

www.encari.com
Commissioning of New Critical
Asset
• Order of implementation plan
– Physical Security Perimeter
– Electronic Security Perimeter
– Compliant Cyber Asset introduced in to the ESP
• Possible alternate solution is to establish
time-restricted, external interactive access
for the Cyber Asset prior to implementing
the ESP and required PSP
5

www.encari.com
Commissioning of New Cyber
Assets
• Scenario 1 (Cyber Assets and existing CCAs)
– Ensuring appropriate checks that any new
system directly connected to the ESP protected
network are compliant upon commissioning
• Scenario 2 (Cyber Assets, but no CCAs)
– Enabling appropriate change controls to ensure
no “critical” cyber assets are enabled at the
facility
6

www.encari.com
007-R1 : Test Procedures
• Developing a test environment that mimics
production
– Control Center
• Utilize a dual-NAT, mantrap firewall to allow a mirrored environment
with the same IP address structure; cautiously investigate virtualized
solutions
– Transmission
• Engineer a duplicate RTU to front end communications model to
associate with test environment
– Generation
• Hard (We are actively working on solutions; I & C procuring duplicate
PLCs, Foxboro, Emerson, GE Mark x, ABB Bailey, …)
7

www.encari.com
007.R2 : Ports and Services
• Compensating controls for Ports and
Services that can not be disabled
– Intrusion Detection System to passively monitor
unapproved intra-ESP communication flows
associated with ports attached to services that
can not be disabled
– Host-based firewall integrated solutions such as
*nix IPChains or the native Windows IPSEC
engine or firewall
8

www.encari.com
007.R3 : Security Patch Management
• Tracking security updates for firmware,
operating systems and applications
• Appliance considerations – how to update
and / or identify system necessity
• Testing patches (see 007.R1)
• Investigate application whitelisting options
9

www.encari.com
007.R4 : Malicious Software Prevention
• Antivirus capabilities for devices
• Testing and updating signatures on a routine
basis
• Investigate application whitelisting options
10

www.encari.com
007.R5 : Account Management
• Operator logins at generating facilities
– May need to combine physical and technical
controls to identify personnel utilizing shared
accounts during a period of time within a
physically controlled generation control room
• Administrative and Shared user accounts
– Some user accounts are allocated by the vendor
and can not be modified
– This can be challenging to manage in
spreadsheets, using a tool is becoming simpler
11

www.encari.com
007.R6 : Security Status Monitoring
• Managing (detecting, responding and
escalating) the high volume of monitored
events generated by each Cyber Asset
– Immediate review of the volume of events to
quantify what is truly of “interest” and what are
mis-configurations
– Reconfiguring systems
– Alarm notifications across shared infrastructure
(codebook)
12

www.encari.com
007.R7 : Cyber Asset Decommissioning
• Managing the Cyber Asset lifecycle
– Only dispose and not redeploy (too difficult to track)
– Actual media destruction difficulty due to massive media
types and challenge to actually assure destruction (known
difficulty review identify protection laws and violations)
– Purchase degausser with annual integrity validation and
guarantee expectations of support / insurance contracts
13

www.encari.com
007.R8 : Vulnerability Assessments
• There are many interpretations of what a
vulnerability assessment is
• Combine the annual vulnerability
assessments with the other “annual”
requirements
– Review next slide
14

www.encari.com
15

www.encari.com
007.R9 : Documentation Management
• Example evidence to support compliance
– TFEs
– R1. Actual test procedure results associated with any “significant change” as
identified during the CIP-003, R6 change management program
– R2. Spreadsheet containing ports and services and why they are necessary,
compensating controls (automated or manual)
– R3. Actual security patch notifications and review for applicability, status of
patch, compensating controls and approval of by senior management
– R4. Actual anti-virus updates and the transition from corporate to test to
control network
– R5. Spreadsheet of administrative, shared and individual user accounts, who
authorized, manual or automated history, password complexity validation
– R6. Security notifications or manual review logs with actual response history
– R7. Death certificates of Cyber Assets in the ESP
– R8. Vulnerability assessment remediation report and action plan
– R9. Having a documentation system with calendaring and versioning control
16

Q&A
• Contact Information
Matthew Luallen – Co-Founder, Encari
312-375-4715
mluallen@encari.com
Visit our blog at Control Engineering magazine’s
website
www.controleng.com
17