Automating Compliance Lab for CIP Version 5 Testing
1. Slide Header…
Standards of Excellence
Automating the
Compliance Lab for
CIP Version 5
Chuck Reynolds
Chief Technology Officer,
TSI
Wednesday, October 30, 2013
QualiSystems Proprietary & Confidential
3. • NERC = North American Electric Reliability Corporation
• Non-profit corporation
• Charter: ensure reliability, adequacy and security
• Maintains comprehensive planning and operations
standards
• CIP = Critical Infrastructure Protection
• NERC CIP Standards 002-011
• Ensure protection of critical cyber assets
• 8 primary standards, 41 requirements, 164 subrequirements
• Mandatory compliance for all major electric companies
4. Accelerating Pace of CIP Standards Development
• Electric utilities required to retain:
•
•
12 months of auditable data, documents and records on their
information security controls
Specific logs for 90 days
• Currently being audited based on CIP version 3
• Mandated to become fully compliant with version 4 by April of 2014
• However, CIP version 5 drafted and is awaiting final approval
•
•
More comprehensive and specific device standards
Version 6 in the works and may usurp version 5 deployment
• Getting ahead of the game is a smart move given the flux
•
One major entity is already implementing version 5 tests!
6. • Fines for compliance violations
up to $1M per day
• Since CIP compliance standards
were published in 2008,
more than $150 million in
fines have been levied
• 80% of pre-production test lab
equipment & personnel can be
devoted to CIP compliance
testing
7. No live inventory visibility
Offline test topology design
Chaotic connectivity, costly disconnects
Lack of device configuration base-lining
Manual provisioning/testing
Manual report generation
8. •
Compliance Risk
• Lack of test integrity and repeatability due to operator
errors, process variance
• Manual processes difficult to document
• Incomplete reporting—manual analysis can’t digest voluminous test
results data
• Personnel struggle to keep pace with compliance test coverage
requirements
•
CAPEX/OPEX Waste
• Large ratio of test setup to actual testing
• Days spent in the setup process for a 2 hour test - Very
•
•
low asset utilization.
Millions of dollars in capital equipment only 15% to 20%
utilized
Wasted real-estate and power costs
9. •
Infrastructure Management
• Live inventory, connectivity control
•
Test Equipment Resource Sharing
• Integrated test environment design, reservation and scheduling
•
Device Provisioning
• Automated base-lining procedures, device configuration
•
Test Automation
• Automate manual test procedures
• Test IP sharing, reuse, repeatability
•
Reporting and Documentation
• Automated certification reporting and audit trail documentation
• Reduced risk of non-compliance and real attacks
10. • All resources are managed in a single repository
• Tag devices according to user-defined parameters
• Easily find the required type of device you need
• Track and report device utilization
11. • Draw the topology route requirement
• No need to remember or lookup physical cabling
• Actual connectivity is invisible to the end user
• Manual and automated patching
• Generate patching table reports and emails
• Automatically control L1 Switches
MRV
ONPATH
Apcon
Curtiss-Wright
12. • Replace the static diagram with a live workspace
•
•
•
•
•
Drag & drop devices
Draw required connections and activate
Directly provision devices
Power up and down devices
Directly open CLIs to devices
13. • Central calendar-based scheduling
• Plan ahead lab operations
• Resolve allocation conflicts
• Locate device availability in a snap
14. •
Embedded integration with lab resources
•
•
•
•
•
•
•
Customize your own provisioning
•
•
•
•
•
Control interfaces
GUI
Scripts
Leading testing vendors
Custom drivers
Third Party Apps
No need to program
Quick and standard reuse
Simple graphical flowchart
Easy device response analysis
Examples
•
•
•
Automatic discovery
Validate setup
Nightly maintenance run
Telnet, SSH, Web Services, Serial…
Windows, Java, Web…
TCL, Perl, Python, PowerShell…
Ixia, Spirent, Shenick, MRV, ONPATH…
NET, Exe, LabVIEW, ActiveX,…
NMAP, iPerf, MSBA, WireShark, ….
15. Test Automation Example--Looping NMAP test
•
Drag & Drop
•
Flow Chart Test
•
Easy parallelism
•
Tools
•
•
•
•
•
Wide spectrum
Open architecture
Add your own
Standard use
Share
•
•
Assets
Knowledge
16. Compliance Tracking Dashboards and Reports
• Dashboards
• At a glance views
of compliance
• Real-time remote
viewing for
auditors
• Custom Reports
• Structured to
match CIP
reporting
requirements
18. Lab Maturity Model
• From CHAOS to COMPLIANCE
• Effective and Efficient Lab Resources
• Faster test cycles, Increased utilization, Improved value
• Ensure compliance, protect the bottom line
• Incorporate best test practices as part of the business model
• Create Eco-System with Suppliers to Coordinate Testing
•
Shared tests, lab management practices
Our speakers today are:QualiSystems’ Vice-President of Marketing, Alex Henthorn-Iwane. Prior to joining QualiSystems, Alex was Vice-President of Marketing at Packet Design, Inc., a provider of network management software, and has 20+ years of experience in product management, marketing and technical roles at networking and security technology providers. For more information, please check out our website at qualisystems.com.Who is TSI? Briefly, TSI is Technical Systems Integrators, enterprise solution integrator specializing Test Lifecycle Management tools with over 27 years of doing business in North America. One of our speakers will be TSI’s Chief Technology Officer, Chuck Reynolds. Chuck is the founder and chief technologist at TSI, enterprise solution integrator specializing Test Lifecycle Management tools for over 27 years. Prior to founding TSI, Chuck was a senior Application engineer at Hewlett Packard and a lead Test Automation Engineer at Martin Marietta Aerospace, and has 30+ years of experience in product management and delivering technical solutions to leading edge customers in a variety of markets.And now, I’ll turn it over to you, Chuck.
Chuck: (1:15)Thank you, Welcome to today’s webinar:As you heard in our introduction, I’ve been involved in test, engineering and QA labs most of my career, so I know first hand the pain, frustration and sometimes chaos that comes with your daily routines. In today’s webinar :We will review some of what is NERC and CIP Compliance Standards NERC came about after some disastrous failures in the power grid some years ago. Since then NERC has been quite busy ensuring that our power grid is reliable and secure for allNERC has developed a set of Critical Infrastructure Protection guidelines or standards that provided for a uniform standard across the companies involved in providing our power so that it remains secure and reliable for all.
Chuck: (1:15)The CIP audit requirements have mainly been documentation and reporting standards around process verification and validation to date. There are many software packages and databases available that address these reporting standards that most Energy companies have adopted in one form or another. What’s new in the version 5 and most likely subsequent releases of the standards is the more detailed device standards which imply significant engineering effort to complete. Since these engineering efforts must drive the report generation and are likely to be repeated time and time again, there are significant costs associated with these typically manual engineering tasks that must be performed on the hardware devices in the test and production lab. Let’s take a look at some of these new tasks.
Chuck: (1:15)**This is not trivial**These are just some of the new requirements found in the version 5 release. Most of these require a knowledgeable telecom or IT test engineer to manually perform and while these are critical tasks they are tedious and time consuming for test engineers to perform and require extensive provisioning and setup before the test can even begin. Allocating the topology, checking the baseline previous results, comparing against the baseline and the generating the reports necessary can occupy these valuable company resources and prevent them from focusing on more appropriate issues. Even non-CIP related testing can occur for things like new product interoperability testing and compatibility testing in these same labs with the same manual processes and extensive use of valuable company assets (Engineers and Devices).
Chuck So what happens if you don’t make the commitment to ensuring these standards are not met? Not an option within the Energy Entities – this has to be addressed or the fines are substantial. So how can we tell if we are running our CIP and interoperability test lab(s) efficiently?
Chuck **Narrative picture**--Alex try a shotJust take a look at your own lab and see if these items apply to your lab. Are your test engineers manually performing the tests and manually updating report spreadsheets and documents? If so, then there is an opportunity to automate and speed up your compliance testing and reporting efforts as well as decrease the costs and use of resources meeting the compliance requirements.
Chuck Lack of automation for CIP Version 5 requirements creates compliance risk and wastethat can add up to significant losses to your entity. Manual processes are never a good thing because too often things can slip through the cracks. With CIP testing you cannot afford even a single failure due to human oversightsThen consider the capital and operating waste. Does expensive equipment sit around idle in your lab? Do you even know how often devices are being utilized in the lab? All that equipment powered up while not being used? On top of all of this, let’s not forget the real risk lurking behind CIP testing which is falling victim to a cyber security attack that results in down customer time. So what does it take to automate your CIP compliance testing – Let’s turn it over to Alex to discuss the ingredients of a Successful CIP Lab Automation.Alex?
AlexIf you’re considering automation for your CIP compliance and pre-production test lab environment, you’ll want to look for a solution or architecture that can address some key points that we’ll cover in the following slides.
Alex
Alex
Alex
Alex
Alex - you want to focus on the 3rd party apps here.
Alex:Chuck – You have a technical use case of how automation can be applied to CIP cyber security testing—would you mind sharing about that?Chuck:Sure, this is right out of the CIP specification. Here’s an example of how you can dynamically check a large number of devices and profile all their ports to ensure there are no ports or services that shouldn’t be open on the collection of devices. The NMAP results can be validated and checked against previously run NMAP results to make sure that the CIP baseline is met regardless of software or firmware upgrades or just plain changes by users. The same thing can be done against software releases, password checking, baseline configuration validation across all of the devices in the lab. Alex:Now that the automation has run and the results are checked the data needs to be aggregated and used to generate compliance reports….