Essential Power Case Study: Protecting Critical Infrastructure From Cyber Attacks
Transcript of Essential Power Case Study: Protecting Critical Infrastructure From Cyber Attacks
Essential Power, LLC
The Road to CIP Compliance
Stephen Theodos, CISSP
Essential Power, LLC ~ Proprietary & Confidential
About Essential Power
Founded in 2008
Own and operate five generation facilities throughout the Northeast
Our fleet is primarily peaking power fueled predominantly by natural gas
Just over 2,000 megawatts of total generation capacity
Headquartered in Princeton, NJ
Discussion Overview
What did we start with?
What hurdles did we face as our company developed and as enforcement dates loomed for CIP?
How were we able to overcome these challenges?
What are some potential hurdles coming up regarding future risk and CIP 5?
Bears, Beets, ……
The beginning…
Inherited our generation networks
Lacked thoughtful design
Used overlapping IP address subnets
Lacked “intelligent hardware”
Minimal Security
No Logging
No backup plan
Action Plan
Retrofit security as much as possible onto the existing networks
A complete redesign from scratch was not possible at the time
Our time frame was incredibly short
A new mindset - not just generating energy, but generating it securely
Defense In Depth
Deter, Delay, Detect, Defend
… More Actions
Perform our GAP analysis
Secure all devices
Manage and document all user accounts
Create ESPs and PSPs
Enable logging on all devices
Monitor these logs for any unexpected behavior
Make sure we are meeting our CIP requirements
ESP Illustration
Benefits of a SIEM
CIP-005 and CIP-007 require reviewing log samples from Critical Cyber Assets and Access Control and Monitoring devices, and require us to keep an auditable log of user activity
It was determined that a Security Information and Event Management (SIEM) system, collecting and correlating system logs on a centralized server, would be required
A centralized SIEM would mean convergence of the existing segregated networks
Network Address Translation was required because those networks used overlapping address ranges
Opportunities to Detect Cyberthreat Gaps
[Figure: The Cyber Threat Kill Chain (Lockheed Martin). Axes: Level of Exposure versus Chance of Detection. Phases: Recon; Weaponization & Delivery; Exploitation; C2 - Command & Control; Malicious Action (Exfiltration and Business Disruption). Annotation: Most Efficient Points to Detect.]
Security Configuration Management
Working Together to Enforce Security Policies, Detect Anomalies, and Integrate with Ops
[Figure: Secure Server & Network Configurations over Time. Contrasts periodic, manual assessment (a “MEGASCAN” required to reassess) with continuous security configuration management, while configuration changes occur constantly.]
Continuous Security Configuration Mgmt
Understands Changes in the Environment
The Goal is Security, not Audit
Lower Costs, Greater Efficiency
Continual Risk Reduction
Measurable, Sustainable Security
The goal: An enterprise-wide policy for secure configuration standards (“80% of CIS Benchmarks”)
Choosing a SIEM
We reviewed three different SIEM vendors during our RFP / review process
Ultimately chose Tripwire, due to a combination of factors
At the time, they were one of the few vendors that had predetermined CIP rules
Offered solid value for the overall cost compared to other competitors
Their support team was willing and able to assist us throughout the deployment
Interface was simple, intuitive, and provided exactly what we needed to see
We opted for both Tripwire Log Center and Tripwire Enterprise
NERC CIP Requirements that Tripwire Log Center meets
CIP-005 R3.2. Alerting for Cyber Security Incidents for access control and monitoring devices
CIP-005 R5.3. Retain and review electronic access logs for at least ninety calendar days for Access Control and Monitoring devices
CIP-007 R6.2 Alerting for Cyber Security Incidents for critical cyber assets
CIP-007 R6.3 Logs of system events related to cyber security for critical cyber assets
CIP-007 R6.4 Retain logs of critical cyber assets for 90 days
CIP-007 R6.5 Review logs of critical cyber assets at least every 90 days
CIP-008 R3 Logs related to reportable incidents shall be kept for 3 years
NERC CIP Requirements that Tripwire Enterprise meets
CIP-003 R5 requires Responsible Entities to “document and implement a program for managing access to protected Critical Cyber Asset information.”
CIP-003 R6 requires change control and configuration management processes to be established and documented
CIP-007 R3 Security Patch Management. The file integrity monitoring reports unauthorized modifications or changes and provides documentation of authorized changes
CIP-007 R5 Account Management requires technical and procedural controls that enforce access authentication and accountability for all user activity
Security Benefits Provided
Easy to use GUI allows for easy modification of rules and alerts
Daily and weekly traffic reports to set baseline traffic patterns and easily analyze any anomalies
Daily change reports let us know immediately if and when any changes occur to the file system
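As an added illustration (not Essential Power's or Tripwire's code), this is the file integrity monitoring idea behind the CIP-007 R3 bullet and the daily change reports above: hash a baseline, rehash later, and split the differences into changes covered by a documented change record and changes nobody authorized. The paths, file contents and the ticket id CHG-0042 are constructed for the example.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Hash every regular file under root; returns {relative path: sha256 hex}."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def change_report(baseline, current, authorized):
    """Diff two snapshots. `authorized` maps path -> change record id for an
    approved change (e.g. a scheduled patch); every other difference is flagged."""
    report = {"authorized": [], "unauthorized": []}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue  # unchanged since the baseline
        kind = "added" if old is None else "deleted" if new is None else "modified"
        if path in authorized:
            report["authorized"].append((path, kind, authorized[path]))
        else:
            report["unauthorized"].append((path, kind))
    return report

def write(root, rel, data, mode="wb"):
    """Helper for the constructed scenario: write bytes to root/rel."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, mode) as fh:
        fh.write(data)

def demo():
    """Constructed scenario: one approved patch, one undocumented edit, one new file."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "etc/ssh/sshd_config", b"PermitRootLogin no\n")
        write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        write(root, "bin/hmi.exe", b"v1.0")
        baseline = snapshot(root)                      # taken after initial hardening
        write(root, "bin/hmi.exe", b"v1.1")            # vendor patch under ticket CHG-0042
        write(root, "etc/ssh/sshd_config", b"PermitRootLogin yes\n", "ab")  # no approval
        write(root, "bin/unknown.exe", b"???")         # new binary with no change record
        authorized = {"bin/hmi.exe": "CHG-0042"}      # the documented, approved change
        return change_report(baseline, snapshot(root), authorized)
```

Run `demo()` to get the report; the unauthorized bucket is what a daily change report should raise immediately, while the authorized bucket doubles as the documentation of approved changes.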
Alerting and Notification
Instant notification of cyber security related events
Advanced correlation of system logs which saves many hours of log review
Auditing And Forensic Data
Practical and useful search criteria for audits and investigations
The data is easily available for forensic analysis if necessary
Future Risks
“The concern over cybersecurity risks to critical infrastructure, of which power generation is a significant element, is unlikely to wane in the foreseeable future.” – Steven Parker, President of EnergySec
Moving Forward
How are we preparing for CIP 5?
Updating and cleaning up current CIP document repository
Verifying and updating documentation of all electronic devices as necessary
Using a 3rd party to perform a GAP analysis of where we may be lacking when it comes to CIPv5 preparation
Scheduling mock audits internally
Attempting to allocate resources accordingly
Newer and Smarter Defenses
Vendors have increased their support of CIP compliance initiatives
SIEMs are smarter and more capable than in the past
Newer technologies constantly available to make our lives easier
Better “whitelist” capabilities
Improved patch management
Improved port scanning and confirmation
Ability to tie in physical security logging and alerts
Easier access to compliance reports and audit results
Thoughts on Deployments of SIEM
Provide appropriate security controls to your SIEM
Spend time tuning it! The system can only run as well as it is configured
Don’t be afraid to contact the vendor directly for support
Use it frequently! Hands on is the best way to learn
Q&A
Questions? Comments?