If the bulk electric system (BES) in North America suffered a cyber attack, the consequences could be serious: cities and entire states could suffer blackouts, commerce could come to a standstill, and the door could be opened for looting and even terrorist attacks. Realizing these consequences, the energy industry pressured the North American Electric Reliability Corporation (NERC) to take a long, hard look at why the Critical Infrastructure Protection (CIP) standards have not been protecting the BES as intended. To address these shortcomings and today's changing IT environment and threats, NERC proposed additional CIP standards, NERC CIP 10 and 11.
3. James Stanton, Senior Energy Consultant, ReymannGroup, Inc.
Paul Reymann, CEO, ReymannGroup, Inc.
Cindy Valladares, Compliance Solutions Manager, Tripwire, Inc.
4. We will cover…
Energy Industry Inverted Security Model
Round 1 & 2 of CIP Audits
Next Practices for Security & Compliance
Visibility, Intelligence, and Automation are Key
10. Protect Electronic Access to Control Systems
Protect Critical Cyber Assets
Self Certifications & Audits
New CIP Standards
11. Round 1
Initial Self-Assessments & Audits
Requests for Clarifications
Focused on Critical Cyber Assets Only
Round 2
CIP Version 4 in 4Q10
Consider potential effect on reliability, if compromised
Applies to all users of the Bulk Electric System
12. Examples
ID account types, e.g., individual, group, shared, guest, system, and admin.
ID use restrictions for wireless technologies.
Document all communication paths that transmit or receive digital information external to each BES Cyber System.
Deny access by default and allow explicitly authorized communication.
Develop an inventory of (its) physical or virtual BES Cyber System Components (excluding software running on the component), including its physical location.
Authorize and document changes to the BES Cyber System that deviate from the existing inventory within 30 days of the change being completed.
Document:
• A process for classifying events as Cyber Security Incidents
• Roles and responsibilities of Cyber Security Incident response teams, Cyber Security Incident handling procedures, and communication plans.
• A process for reporting Cyber Security Incidents to the Electricity Sector Information Sharing and Analysis Center (ES-ISAC), either directly or through an intermediary.
Review the incident response plan at least once every 12 months.
13. Next Practices for Security & Compliance
Perform a risk-based assessment – This will change!
Identify the systems, services, devices, data, and people that make up critical assets.
Categorize all assets (i.e., High, Medium, or Low Impact).
Control access on a limited, need-to-know basis.
Validate security controls.
Document all steps & corrective actions.
Continuously manage and monitor.
Collect and retain data to identify & respond to security incidents.
16. Change auditing, configuration control, and log management for SCADA and other mission critical systems; monitor and review logs on a number of different platforms:
AIX PowerPC 5.3 systems
HP-UX (PA-RISC) v11 systems
Red Hat Linux
Solaris SPARC
SuSE Linux systems
Windows 2003 servers
Win XP Desktops
Windows 2003 and Active Directory domain controllers
Windows Server 2000
19. No Visibility (chart over Time: configuration Drifting away from the Desired State; High-risk; Temporary Success)
20. Maintain Desired State (chart over Time: Achieve; Assess & Remediate)
Non-stop monitoring & collection
Dynamic analysis to find suspicious activities
Alert on impact to policy
Remediation options to speed remedy
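As an added example (not from the slides, and not Tripwire's product code), the desired-state idea on this slide and the inventory-deviation requirement on slide 12 worked through in Python: a constructed baseline inventory is compared with a constructed current snapshot, and each deviation is checked against constructed change-authorization records and the 30-day window. Component names, attributes and dates are all assumptions made up for the example.

```python
from datetime import date

# Constructed baseline inventory, i.e. the documented desired state:
# component -> {attribute: expected value}
BASELINE = {
    "rtu-sub7": {"os": "Red Hat Linux", "ssh_ciphers": "strong", "location": "Substation 7, cabinet A"},
    "hmi-cr1": {"os": "Windows 2003", "fw_policy": "deny-by-default", "location": "Control room, rack 2"},
}
# Constructed snapshot as a monitoring agent would collect it today.
SNAPSHOT = {
    "rtu-sub7": {"os": "Red Hat Linux", "ssh_ciphers": "weak", "location": "Substation 7, cabinet A"},
    "hmi-cr1": {"os": "Windows 2003", "fw_policy": "allow-any", "location": "Control room, rack 2"},
    "laptop-3": {"os": "Win XP", "location": "unknown"},  # not in the inventory at all
}
# Constructed change-authorization records: (component, attribute) -> date the change was completed.
AUTHORIZED = {("rtu-sub7", "ssh_ciphers"): date(2011, 1, 20)}

def find_drift(baseline, snapshot):
    """List every deviation as (component, attribute, expected, observed)."""
    drift = []
    for comp, attrs in snapshot.items():
        if comp not in baseline:  # unlisted component: reported under 'inventory'
            drift.append((comp, "inventory", "absent", "present"))
            continue
        for attr, expected in baseline[comp].items():
            if attrs.get(attr) != expected:
                drift.append((comp, attr, expected, attrs.get(attr)))
    for comp in baseline:
        if comp not in snapshot:  # inventoried component that has disappeared
            drift.append((comp, "inventory", "present", "absent"))
    return drift

def classify(drift, authorized, today, window_days=30):
    """'authorized': a documented change covers it and the window to update the inventory
    is still open; 'overdue': that window passed without an update; else 'unauthorized'."""
    labels = {}
    for comp, attr, _, _ in drift:
        completed = authorized.get((comp, attr))
        if completed is None:
            labels[(comp, attr)] = "unauthorized"
        elif (today - completed).days > window_days:
            labels[(comp, attr)] = "overdue"
        else:
            labels[(comp, attr)] = "authorized"
    return labels

def check_inventory(today_iso):
    """Run the drift check for a given day (ISO date string) over the constructed data."""
    return classify(find_drift(BASELINE, SNAPSHOT), AUTHORIZED, date.fromisoformat(today_iso))
```

Anything labelled "unauthorized" is the alert case from this slide; "overdue" is a documented change whose inventory update has slipped past the 30-day requirement.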
Tripwire VIA delivers intelligent threat control by providing…
• Visibility across your infrastructure to know what is happening at all times.
• Intelligence to know which changes or events are suspect and may put your infrastructure and data at risk of compromise.
• Automation to help you to categorize high risk changes and events, remediate certain conditions, and automate compliance requirements such as reporting.