NERC CIP Cyber Security Standards V4 – Is it getting better or worse?


Transcript of NERC CIP Cyber Security Standards V4 – Is it getting better or worse?

Join the conversation:

#CIPv4Webcast


Paul Reymann, CEO, ReymannGroup, Inc.
James Stanton, Senior Energy Consultant, ReymannGroup, Inc.
Cindy Valladares, Compliance Solutions Manager, Tripwire, Inc.

IT SECURITY & COMPLIANCE AUTOMATION

We will cover…

• The New Prescriptive Bright-line Criteria
• Struggles between FERC, NERC, & Industry
• Practices for Security, Reliability, and Compliance
• Smart Grid Evolution Benefits & Challenges
• Visibility, Intelligence, and Automation are Key


Energy’s Inverted Security Model

[Diagram: layers labelled Smart Grid, One Big Network, SCADA, Internal Applications, and Cyber Asset; each layer is marked “Open to Cyber-Threats”.]


Cyber Security is a Priority!

Our work has also raised concerns about the increasing reliance on information technology and control systems, which are potentially vulnerable to cyber attack, including the systems used in the electricity sector.

General Accounting Office (GAO)

Foreign governments already have or are developing computer attack capabilities, and potential adversaries are developing a body of knowledge about U.S. systems and methods to attack these systems.

National Security Agency

The Stuxnet worm is affecting industry control systems worldwide, with over half of the infections occurring in the United States. The worm exploits a zero-day vulnerability present in unpatched Windows software, and is targeting supervisory control and data acquisition (SCADA) systems.

Kent Dahlgren, Tripwire

Intelligent situational awareness and cyber-security with the right automated solutions is paramount!


CIP Version 4 Vetting Process

Industry Approval
• Majority vote of the Ballot Pool of Registered Ballot Body participants.

NERC Approval
• NERC Board of Trustees.
• Dissenting & minority positions highlighted with the drafting team’s and NERC staff’s comments.

FERC Approval
• Elect to approve as written;
• Approve conditionally; or
• Reject the standards.

FERC NOPR
• Opportunity for industry to file comments.
• Comments addressed in the Final Rule.



Potential FERC Timeline Scenario

• 0 Days: NOPR in Federal Register
• 30 Days: Industry Comments Due
• 120 Days: Final Order Published in Federal Register
• 150 Days: Effective Date
• + 24 months per NERC proposed implementation plan


CIP Version 4 Bright-line Criteria

Bright-line Criteria
• Risk-based Assessment is Out.
• Prescriptive Criteria to Define Criticality of Assets is In.

Bright-line Examples
• 1500 MW Generators.
• Transmission Facilities at 500 kV or Higher.
• Reliability Coordinator Control Centers.

Implementation Plan
• Required.
• Identify Compliance Milestones.
• Follow Specific Criteria.



Next Practices for Security, Reliability, & Compliance

• Prescriptive Risk Assessment
• Identify All Assets
• Categorize All Assets with Bright-line Criteria


• Prescriptive Controls: “What to do”
• Business Decision: “How to implement controls”
• Validate Security Controls
• Document All Steps & Corrective Actions
• Continuously Manage & Monitor
• Collect & Retain Data to Identify & Respond to Security Incidents


Smart Grid Evolution – Benefits & Challenges


Benefits
• Consumer Participation
• Optimize Asset Utilization & Efficiency
• Proactive Response to System Disturbances
• Accommodates all generation & storage options
• Provides Quality Power for Digital Economy
• Enables New Products, Services, & Markets

Rethink:
• Business Practices
• Privacy Issues
• Threats
• Vulnerabilities
• Security Controls


How do you get started?

Select the right technologies for:
• Change control
• Log management
• Security event monitoring
• Tracking & monitoring access to the network

Automate & centralize the CIP compliance process and technologies.

Without security, reliability will suffer.

Visibility | Intelligence | Automation


Tripwire Solutions


More Prescriptive Guidance



What Needs To Change?



Tripwire Solutions for NERC

An integrated change auditing, configuration control and log management solution

A proven solution for continually monitoring the integrity of files and configurations in SCADA and other mission critical systems

A log management and SIEM solution to monitor and review logs and events of interest

A compliance solution that incorporates specific tests for NERC-CIP or DISA requirements on a number of different platforms:

• AIX PowerPC 5.3 systems
• HP-UX (PA-RISC) v11 systems
• Red Hat Linux
• Solaris SPARC
• SuSE Linux systems
• Windows 2003 servers
• Win XP Desktops
• Windows 2003 and Active Directory domain controllers
• Windows Server 2000


Tripwire and Relevant CIPs

CIP-002: Critical Cyber Asset Identification

CIP-003: Security Management Controls

CIP-004: Personnel and Training

CIP-005: Electronic Security Perimeters

CIP-006: Physical Security of Critical Cyber Assets

CIP-007: Systems Security Management

CIP-008: Incident Reporting and Response Management

CIP-009: Recovery Plans for Critical Cyber Assets


Tripwire and Relevant CIPs

CIP-002: Critical Cyber Asset Identification
• R1: Identify Critical Assets and Critical Cyber Assets

CIP-003: Security Management Controls
• R5: Document and implement program for managing access to CCA
• R6: Change control and configuration management

CIP-005: Electronic Security Perimeters
• R2: Control access points into electronic security perimeter
• R3: Monitoring electronic access and review and assess logs for unauthorized access
• R4: Control default accounts, passwords and network management

CIP-007: Systems Security Management
• R1: Changes to CA and CCA don’t affect cyber security controls
• R5: Records on user activity to minimize risk of unauthorized system access
• R6: Maintain logs of system events related to cyber security and retain logs
• R9: Review and update all documentation
• Customized: for Security Patch Management | Malicious Software Prevention | Cyber Vulnerability Assessment


VIA: Simply Compliant, More Secure.

[Diagram: Pre-Incident and Post-Incident phases; labels “Implement Secure Configurations”, “State”, “Events”, “Policy”, and “Continuous Monitoring”.]


Tripwire Enterprise
• File Integrity Monitoring
• Compliance Policy Manager

Tripwire Log Center
• Log Manager
• Security Event Manager

Tripwire VIA™: VISIBILITY, INTELLIGENCE, AUTOMATION

Tripwire VIA: Intelligent Threat Control


www.tripwire.com/energy-compliance


Additional Thought Leadership

• Summarizes key points
• Describes the effect of CIP compliance vs. noncompliance
• Offers a Due Diligence Checklist
• Complimentary copy


Questions

Paul Reymann

(410) 956-7336

[email protected]

James Stanton

(410) 956 7334

[email protected]

Cindy Valladares

[email protected]

Twitter: @cindyv


www.tripwire.com
Tripwire Americas: 1.800.TRIPWIRE
Tripwire EMEA: +44 (0) 20 7382 5420
Tripwire Japan: +812.53206.8610
Tripwire Singapore: +65 6733 5051
Tripwire Australia-New Zealand: +61 (0) 402 138 980

THANK YOU!

Cindy [email protected]

@cindyv