
Standards of Excellence

Automating the
Compliance Lab for
CIP Version 5

Chuck Reynolds
Chief Technology Officer,
TSI

Wednesday, October 30, 2013

QualiSystems Proprietary & Confidential
Speakers
• NERC = North American Electric Reliability Corporation
  • Non-profit corporation
  • Charter: ensure reliability, adequacy and security
  • Maintains comprehensive planning and operations standards

• CIP = Critical Infrastructure Protection
  • NERC CIP Standards 002-011
  • Ensure protection of critical cyber assets
  • 8 primary standards, 41 requirements, 164 subrequirements
  • Mandatory compliance for all major electric companies
Accelerating Pace of CIP Standards Development
• Electric utilities required to retain:
  • 12 months of auditable data, documents and records on their information security controls
  • Specific logs for 90 days
• Currently being audited based on CIP version 3
• Mandated to become fully compliant with version 4 by April of 2014
• However, CIP version 5 has been drafted and is awaiting final approval
  • More comprehensive and specific device standards
  • Version 6 is in the works and may supersede version 5 deployment
• Getting ahead of the game is a smart move given the flux
  • One major entity is already implementing version 5 tests!
More Rigorous Device Certification Standards
• CIP 007 - Systems Security Management
  • Account tests / Password tests
  • Patch tests
  • Log tests
  • Antivirus tests
  • New device/OS/topology certification
  • Regular baseline regression testing
  • Security software configuration validation
• CIP 010 - Configuration Change Management and Vulnerability Assessments
  • Baseline tests / Comparison tests
  • Port scan tests
  • Vulnerability Assessments (EISP)
• Fines for compliance violations up to $1M per day
• Since CIP compliance standards were published in 2008, more than $150 million in fines have been levied
• 80% of pre-production test lab equipment & personnel can be devoted to CIP compliance testing

• No live inventory visibility
• Offline test topology design
• Chaotic connectivity, costly disconnects
• Lack of device configuration base-lining
• Manual provisioning/testing
• Manual report generation
• Compliance Risk
  • Lack of test integrity and repeatability due to operator errors, process variance
  • Manual processes difficult to document
  • Incomplete reporting: manual analysis can't digest voluminous test results data
  • Personnel struggle to keep pace with compliance test coverage requirements

• CAPEX/OPEX Waste
  • Large ratio of test setup to actual testing
  • Days spent in the setup process for a 2 hour test: very low asset utilization
  • Millions of dollars in capital equipment only 15% to 20% utilized
  • Wasted real-estate and power costs
• Infrastructure Management
  • Live inventory, connectivity control
• Test Equipment Resource Sharing
  • Integrated test environment design, reservation and scheduling
• Device Provisioning
  • Automated base-lining procedures, device configuration
• Test Automation
  • Automate manual test procedures
  • Test IP sharing, reuse, repeatability
• Reporting and Documentation
  • Automated certification reporting and audit trail documentation
  • Reduced risk of non-compliance and real attacks
• All resources are managed in a single repository
• Tag devices according to user-defined parameters
• Easily find the type of device you need
• Track and report device utilization
• Draw the topology route requirement
• No need to remember or look up physical cabling
• Actual connectivity is invisible to the end user

• Manual and automated patching (physical-layer connectivity through the L1 switches below, not software patches)
• Generate patching table reports and emails
• Automatically control L1 switches
  • MRV
  • ONPATH
  • Apcon
  • Curtiss-Wright
• Replace the static diagram with a live workspace
  • Drag & drop devices
  • Draw required connections and activate
  • Directly provision devices
  • Power up and down devices
  • Directly open CLIs to devices
• Central calendar-based scheduling
• Plan ahead lab operations
• Resolve allocation conflicts
• Locate device availability in a snap
• Embedded integration with lab resources
  • Control interfaces: Telnet, SSH, Web Services, Serial…
  • GUI: Windows, Java, Web…
  • Scripts: TCL, Perl, Python, PowerShell…
  • Leading testing vendors: Ixia, Spirent, Shenick, MRV, ONPATH…
  • Custom drivers: .NET, Exe, LabVIEW, ActiveX, …
  • Third Party Apps: NMAP, iPerf, MBSA, WireShark, …
• Customize your own provisioning
  • No need to program
  • Quick and standard reuse
  • Simple graphical flowchart
  • Easy device response analysis
  • Examples: automatic discovery, validate setup, nightly maintenance run
Test Automation Example: Looping NMAP test
• Drag & drop
• Flow chart test
• Easy parallelism
• Tools
  • Wide spectrum
  • Open architecture
  • Add your own
  • Standard use
• Share
  • Assets
  • Knowledge
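The CIP 010 baseline/comparison and port-scan tests from the device certification slide, run the way the looping NMAP test and the nightly maintenance run describe, come down to one operation: diff a stored, approved scan against tonight's scan, host by host, and write every deviation to the audit trail. The block below is an added example and is not QualiSystems or TSI code. It parses nmap's -oX XML format, so the parser applies to real scan output; the two XML documents embedded in it are constructed samples, and the host addresses, port sets and the scan_to_xml helper are assumptions made for illustration.

```python
"""Baseline-vs-current comparison of nmap port scans (a CIP 010 style check).
Added example, not QualiSystems/TSI code. Parses nmap's -oX XML format, so it
works on real scans; the two XML documents below are constructed samples."""
import subprocess
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

PortMap = Dict[str, Set[Tuple[str, int]]]  # host address -> {(proto, port)}

# Constructed sample: the approved baseline for two lab devices.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX - 192.0.2.10 192.0.2.11">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
</ports></host>
<host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
</ports></host>
</nmaprun>"""

# Constructed sample: tonight's scan. 192.0.2.10 now answers on telnet, 192.0.2.11
# no longer exposes SNMP, and 192.0.2.12 is a host the baseline never contained.
# A filtered port is included to show that only state="open" counts.
CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX - 192.0.2.8/29">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
<port protocol="tcp" portid="8080"><state state="filtered"/></port>
</ports></host>
<host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
</ports></host>
<host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
</ports></host>
</nmaprun>"""

def parse_open_ports(xml_text: str) -> PortMap:
    """Map each scanned IPv4 host to the set of (protocol, port) nmap reported open."""
    hosts: PortMap = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = set()
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                open_ports.add((port.get("protocol"), int(port.get("portid"))))
        hosts[addr.get("addr")] = open_ports
    return hosts

def compare_to_baseline(baseline: PortMap, current: PortMap) -> dict:
    """Report every departure from the baseline. Hosts that appeared or vanished
    are listed separately from port changes, since each needs different follow-up
    (unauthorised device vs. undocumented change on a known device)."""
    report = {
        "new_hosts": sorted(set(current) - set(baseline)),
        "missing_hosts": sorted(set(baseline) - set(current)),
        "port_deviations": {},
    }
    for addr in sorted(set(baseline) & set(current)):
        added, removed = current[addr] - baseline[addr], baseline[addr] - current[addr]
        if added or removed:
            report["port_deviations"][addr] = {"added": added, "removed": removed}
    return report

def passed(report: dict) -> bool:
    """The check passes only when nothing at all differs from the baseline."""
    return not (report["new_hosts"] or report["missing_hosts"] or report["port_deviations"])

def format_report(report: dict) -> List[str]:
    """One line per finding, suitable for the audit trail or a ticket."""
    lines = [f"NEW HOST {h}" for h in report["new_hosts"]]
    lines += [f"MISSING HOST {h}" for h in report["missing_hosts"]]
    for addr, dev in report["port_deviations"].items():
        lines += [f"{addr} OPENED {p}/{n}" for p, n in sorted(dev["added"])]
        lines += [f"{addr} CLOSED {p}/{n}" for p, n in sorted(dev["removed"])]
    return lines or ["no deviations from baseline"]

def scan_to_xml(target: str, extra_args: Tuple[str, ...] = ("-sT",)) -> str:
    """Live scan for the nightly run (needs nmap installed); not used offline."""
    cmd = ["nmap", "-oX", "-", *extra_args, target]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def run_check(baseline_xml: str = BASELINE_XML, current_xml: str = CURRENT_XML) -> dict:
    return compare_to_baseline(parse_open_ports(baseline_xml), parse_open_ports(current_xml))

if __name__ == "__main__":
    result = run_check()
    print("\n".join(format_report(result) + ["PASS" if passed(result) else "FAIL"]))
```

In a nightly job the second argument to run_check would come from scan_to_xml over each device in the lab inventory, and the baseline from the approved configuration record. The check deliberately fails on any difference, including a port that disappeared: under CIP 010 a deviation is acceptable only if a documented change authorised it, and that reconciliation belongs with the change record, not inside the scanner. Two caveats a practitioner should keep in mind: only ports nmap reports as open are compared, so a host firewall that starts dropping packets shows up as a CLOSED finding rather than an OPENED one, and a host that is simply powered off during the scan window is reported as MISSING HOST and needs a rescan before anyone treats it as a change.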
Compliance Tracking Dashboards and Reports
• Dashboards
  • At-a-glance views of compliance
  • Real-time remote viewing for auditors
• Custom Reports
  • Structured to match CIP reporting requirements
Efficiency and Savings from Automating the Test Lab
[Figure: side-by-side comparison of the MANUAL and AUTOMATED lab workflow; chart not reproduced in the transcript]
Lab Maturity Model
• From CHAOS to COMPLIANCE
• Effective and Efficient Lab Resources
  • Faster test cycles, increased utilization, improved value
• Ensure compliance, protect the bottom line
  • Incorporate best test practices as part of the business model
• Create Eco-System with Suppliers to Coordinate Testing
  • Shared tests, lab management practices
Q&A
Thank You
Visit us:
www.qualisystems.com/demo
www.tsieda.com

Contenu connexe

Tendances

Server and application monitoring webinars [Applications Manager] - Part 3
Server and application monitoring webinars [Applications Manager] - Part 3Server and application monitoring webinars [Applications Manager] - Part 3
Server and application monitoring webinars [Applications Manager] - Part 3ManageEngine, Zoho Corporation
 
Unittest og coverage målinger i udviklingsmiljøet hos Deif Windpower
Unittest og coverage målinger i udviklingsmiljøet hos Deif WindpowerUnittest og coverage målinger i udviklingsmiljøet hos Deif Windpower
Unittest og coverage målinger i udviklingsmiljøet hos Deif WindpowerInfinIT - Innovationsnetværket for it
 
Rockwell Automation TechED 2017 - AP14 - MRWPCA
Rockwell Automation TechED 2017 - AP14 - MRWPCARockwell Automation TechED 2017 - AP14 - MRWPCA
Rockwell Automation TechED 2017 - AP14 - MRWPCARockwell Automation
 
Server and application monitoring webinars [Applications Manager] - Part 2
Server and application monitoring webinars [Applications Manager] - Part 2Server and application monitoring webinars [Applications Manager] - Part 2
Server and application monitoring webinars [Applications Manager] - Part 2ManageEngine, Zoho Corporation
 
Get Your Head In the Clouds: The Use of Cloud Computing in the Practice of Law
Get Your Head In the Clouds: The Use of Cloud Computing in the Practice of Law Get Your Head In the Clouds: The Use of Cloud Computing in the Practice of Law
Get Your Head In the Clouds: The Use of Cloud Computing in the Practice of Law SkyLaw Professional Corporation
 
Server and application monitoring webinars [Applications Manager] - Part 4
Server and application monitoring webinars [Applications Manager] - Part 4Server and application monitoring webinars [Applications Manager] - Part 4
Server and application monitoring webinars [Applications Manager] - Part 4ManageEngine, Zoho Corporation
 
Managing 4,000 devices across 20+ remote sites on a single console
Managing 4,000 devices across 20+ remote sites on a single consoleManaging 4,000 devices across 20+ remote sites on a single console
Managing 4,000 devices across 20+ remote sites on a single consoleManageEngine, Zoho Corporation
 
Configlets, compliance, RBAC & reports - Network Configuration Manager
Configlets, compliance, RBAC & reports - Network Configuration ManagerConfiglets, compliance, RBAC & reports - Network Configuration Manager
Configlets, compliance, RBAC & reports - Network Configuration ManagerManageEngine, Zoho Corporation
 
Dashboards, widgets, business views & 3D-data centre
Dashboards, widgets, business views & 3D-data centreDashboards, widgets, business views & 3D-data centre
Dashboards, widgets, business views & 3D-data centreManageEngine, Zoho Corporation
 
Free NetFlow Analyzer training - Getting the initial settings right
Free NetFlow Analyzer training - Getting the initial settings rightFree NetFlow Analyzer training - Getting the initial settings right
Free NetFlow Analyzer training - Getting the initial settings rightManageEngine, Zoho Corporation
 
OpManager training - Device discovery and classification.
OpManager training - Device discovery and classification.OpManager training - Device discovery and classification.
OpManager training - Device discovery and classification.ManageEngine, Zoho Corporation
 
Logs as Data: Using Logs to track Web Application Performance
Logs as Data: Using Logs to track Web Application PerformanceLogs as Data: Using Logs to track Web Application Performance
Logs as Data: Using Logs to track Web Application PerformanceTrevor Parsons
 
Global Airline giant's application performance monitoring solution!
Global Airline giant's application performance monitoring solution!Global Airline giant's application performance monitoring solution!
Global Airline giant's application performance monitoring solution!ManageEngine, Zoho Corporation
 
Free Netflow analyzer training - diagnosing_and_troubleshooting
Free Netflow analyzer  training - diagnosing_and_troubleshootingFree Netflow analyzer  training - diagnosing_and_troubleshooting
Free Netflow analyzer training - diagnosing_and_troubleshootingManageEngine, Zoho Corporation
 

Tendances (20)

Server and application monitoring webinars [Applications Manager] - Part 3
Server and application monitoring webinars [Applications Manager] - Part 3Server and application monitoring webinars [Applications Manager] - Part 3
Server and application monitoring webinars [Applications Manager] - Part 3
 
Unittest og coverage målinger i udviklingsmiljøet hos Deif Windpower
Unittest og coverage målinger i udviklingsmiljøet hos Deif WindpowerUnittest og coverage målinger i udviklingsmiljøet hos Deif Windpower
Unittest og coverage målinger i udviklingsmiljøet hos Deif Windpower
 
Rockwell Automation TechED 2017 - AP14 - MRWPCA
Rockwell Automation TechED 2017 - AP14 - MRWPCARockwell Automation TechED 2017 - AP14 - MRWPCA
Rockwell Automation TechED 2017 - AP14 - MRWPCA
 
Server and application monitoring webinars [Applications Manager] - Part 2
Server and application monitoring webinars [Applications Manager] - Part 2Server and application monitoring webinars [Applications Manager] - Part 2
Server and application monitoring webinars [Applications Manager] - Part 2
 
Resume_New
Resume_NewResume_New
Resume_New
 
Get Your Head In the Clouds: The Use of Cloud Computing in the Practice of Law
Get Your Head In the Clouds: The Use of Cloud Computing in the Practice of Law Get Your Head In the Clouds: The Use of Cloud Computing in the Practice of Law
Get Your Head In the Clouds: The Use of Cloud Computing in the Practice of Law
 
Server and application monitoring webinars [Applications Manager] - Part 4
Server and application monitoring webinars [Applications Manager] - Part 4Server and application monitoring webinars [Applications Manager] - Part 4
Server and application monitoring webinars [Applications Manager] - Part 4
 
Managing 4,000 devices across 20+ remote sites on a single console
Managing 4,000 devices across 20+ remote sites on a single consoleManaging 4,000 devices across 20+ remote sites on a single console
Managing 4,000 devices across 20+ remote sites on a single console
 
OpUtils Free training
OpUtils Free training OpUtils Free training
OpUtils Free training
 
Free training on NCM - Discovery & Disaster recovery
Free training on NCM - Discovery & Disaster recovery Free training on NCM - Discovery & Disaster recovery
Free training on NCM - Discovery & Disaster recovery
 
Network fault management and IT automation training
Network fault management and IT automation trainingNetwork fault management and IT automation training
Network fault management and IT automation training
 
Configlets, compliance, RBAC & reports - Network Configuration Manager
Configlets, compliance, RBAC & reports - Network Configuration ManagerConfiglets, compliance, RBAC & reports - Network Configuration Manager
Configlets, compliance, RBAC & reports - Network Configuration Manager
 
Dashboards, widgets, business views & 3D-data centre
Dashboards, widgets, business views & 3D-data centreDashboards, widgets, business views & 3D-data centre
Dashboards, widgets, business views & 3D-data centre
 
Free NetFlow Analyzer training - Getting the initial settings right
Free NetFlow Analyzer training - Getting the initial settings rightFree NetFlow Analyzer training - Getting the initial settings right
Free NetFlow Analyzer training - Getting the initial settings right
 
OpManager training - Device discovery and classification.
OpManager training - Device discovery and classification.OpManager training - Device discovery and classification.
OpManager training - Device discovery and classification.
 
Network and server performance monitoring training
Network and server performance monitoring trainingNetwork and server performance monitoring training
Network and server performance monitoring training
 
Overview and features of NCM
Overview and features of NCMOverview and features of NCM
Overview and features of NCM
 
Logs as Data: Using Logs to track Web Application Performance
Logs as Data: Using Logs to track Web Application PerformanceLogs as Data: Using Logs to track Web Application Performance
Logs as Data: Using Logs to track Web Application Performance
 
Global Airline giant's application performance monitoring solution!
Global Airline giant's application performance monitoring solution!Global Airline giant's application performance monitoring solution!
Global Airline giant's application performance monitoring solution!
 
Free Netflow analyzer training - diagnosing_and_troubleshooting
Free Netflow analyzer  training - diagnosing_and_troubleshootingFree Netflow analyzer  training - diagnosing_and_troubleshooting
Free Netflow analyzer training - diagnosing_and_troubleshooting
 

Similaire à Automating Compliance Lab for CIP Version 5 Testing

6 Steps to Implementing a World Class Testing Ecosystem Final
6 Steps to Implementing a World Class Testing Ecosystem Final6 Steps to Implementing a World Class Testing Ecosystem Final
6 Steps to Implementing a World Class Testing Ecosystem FinalEggplant
 
6 Top Tips to a Testing Strategy That Works
6 Top Tips to a Testing Strategy That Works6 Top Tips to a Testing Strategy That Works
6 Top Tips to a Testing Strategy That WorksEggplant
 
Agile infrastructure
Agile infrastructureAgile infrastructure
Agile infrastructureTarun Rajput
 
Intuit continuous performance testing for code camp temp
Intuit continuous performance testing for code camp tempIntuit continuous performance testing for code camp temp
Intuit continuous performance testing for code camp tempRamakrishna Kollipara
 
Monitoring at the Speed of DevOps
Monitoring at the Speed of DevOpsMonitoring at the Speed of DevOps
Monitoring at the Speed of DevOpsDevOps.com
 
Challenges in Practicing High Frequency Releases in Cloud Environments
Challenges in Practicing High Frequency Releases in Cloud Environments Challenges in Practicing High Frequency Releases in Cloud Environments
Challenges in Practicing High Frequency Releases in Cloud Environments Liming Zhu
 
Production Ready Microservices at Scale
Production Ready Microservices at ScaleProduction Ready Microservices at Scale
Production Ready Microservices at ScaleRajeev Bharshetty
 
USING NEAR-REAL TIME MONITORING TO IMPROVE EQUIPMENT RELIABILITY
USING NEAR-REAL TIME MONITORING TO IMPROVE EQUIPMENT RELIABILITYUSING NEAR-REAL TIME MONITORING TO IMPROVE EQUIPMENT RELIABILITY
USING NEAR-REAL TIME MONITORING TO IMPROVE EQUIPMENT RELIABILITYwle-ss
 
20110812 CyberTAN presentation
20110812 CyberTAN presentation20110812 CyberTAN presentation
20110812 CyberTAN presentationRichard Hsu
 
Quick wins in the NetOps Journey by Vincent Boon, Opengear
Quick wins in the NetOps Journey by Vincent Boon, OpengearQuick wins in the NetOps Journey by Vincent Boon, Opengear
Quick wins in the NetOps Journey by Vincent Boon, OpengearMyNOG
 
Neotys PAC - Ian Molyneaux
Neotys PAC - Ian MolyneauxNeotys PAC - Ian Molyneaux
Neotys PAC - Ian MolyneauxNeotys_Partner
 
Characerizing and Validating QoS in the Emerging IoT Network
Characerizing and Validating QoS in the Emerging IoT NetworkCharacerizing and Validating QoS in the Emerging IoT Network
Characerizing and Validating QoS in the Emerging IoT NetworkHans Ashlock
 
(ISM301) Engineering Netflix Global Operations In The Cloud
(ISM301) Engineering Netflix Global Operations In The Cloud(ISM301) Engineering Netflix Global Operations In The Cloud
(ISM301) Engineering Netflix Global Operations In The CloudAmazon Web Services
 
Self Service for IT Infrastructure
Self Service for IT Infrastructure Self Service for IT Infrastructure
Self Service for IT Infrastructure Cisco DevNet
 
Engineering Netflix Global Operations in the Cloud
Engineering Netflix Global Operations in the CloudEngineering Netflix Global Operations in the Cloud
Engineering Netflix Global Operations in the CloudJosh Evans
 
RPASS - Ricoh Proactive ServiceS for Remote Monitoring & Backup
RPASS - Ricoh Proactive ServiceS for Remote Monitoring & Backup RPASS - Ricoh Proactive ServiceS for Remote Monitoring & Backup
RPASS - Ricoh Proactive ServiceS for Remote Monitoring & Backup Ricoh India Limited
 
David Henthorn [Rose-Hulman Institute of Technology] | Illuminating the Dark ...
David Henthorn [Rose-Hulman Institute of Technology] | Illuminating the Dark ...David Henthorn [Rose-Hulman Institute of Technology] | Illuminating the Dark ...
David Henthorn [Rose-Hulman Institute of Technology] | Illuminating the Dark ...InfluxData
 
SCQAA-SF Meeting on May 21 2014
SCQAA-SF Meeting on May 21 2014 SCQAA-SF Meeting on May 21 2014
SCQAA-SF Meeting on May 21 2014 Sujit Ghosh
 

Similaire à Automating Compliance Lab for CIP Version 5 Testing (20)

6 Steps to Implementing a World Class Testing Ecosystem Final
6 Steps to Implementing a World Class Testing Ecosystem Final6 Steps to Implementing a World Class Testing Ecosystem Final
6 Steps to Implementing a World Class Testing Ecosystem Final
 
6 Top Tips to a Testing Strategy That Works
6 Top Tips to a Testing Strategy That Works6 Top Tips to a Testing Strategy That Works
6 Top Tips to a Testing Strategy That Works
 
Agile infrastructure
Agile infrastructureAgile infrastructure
Agile infrastructure
 
Intuit continuous performance testing for code camp temp
Intuit continuous performance testing for code camp tempIntuit continuous performance testing for code camp temp
Intuit continuous performance testing for code camp temp
 
Monitoring at the Speed of DevOps
Monitoring at the Speed of DevOpsMonitoring at the Speed of DevOps
Monitoring at the Speed of DevOps
 
Challenges in Practicing High Frequency Releases in Cloud Environments
Challenges in Practicing High Frequency Releases in Cloud Environments Challenges in Practicing High Frequency Releases in Cloud Environments
Challenges in Practicing High Frequency Releases in Cloud Environments
 
Production Ready Microservices at Scale
Production Ready Microservices at ScaleProduction Ready Microservices at Scale
Production Ready Microservices at Scale
 
USING NEAR-REAL TIME MONITORING TO IMPROVE EQUIPMENT RELIABILITY
USING NEAR-REAL TIME MONITORING TO IMPROVE EQUIPMENT RELIABILITYUSING NEAR-REAL TIME MONITORING TO IMPROVE EQUIPMENT RELIABILITY
USING NEAR-REAL TIME MONITORING TO IMPROVE EQUIPMENT RELIABILITY
 
QualiSystems-Brief TestShell
QualiSystems-Brief TestShellQualiSystems-Brief TestShell
QualiSystems-Brief TestShell
 
20110812 CyberTAN presentation
20110812 CyberTAN presentation20110812 CyberTAN presentation
20110812 CyberTAN presentation
 
Quick wins in the NetOps Journey by Vincent Boon, Opengear
Quick wins in the NetOps Journey by Vincent Boon, OpengearQuick wins in the NetOps Journey by Vincent Boon, Opengear
Quick wins in the NetOps Journey by Vincent Boon, Opengear
 
Neotys PAC - Ian Molyneaux
Neotys PAC - Ian MolyneauxNeotys PAC - Ian Molyneaux
Neotys PAC - Ian Molyneaux
 
Journey to the center of DevOps - v6
Journey to the center of DevOps - v6Journey to the center of DevOps - v6
Journey to the center of DevOps - v6
 
Characerizing and Validating QoS in the Emerging IoT Network
Characerizing and Validating QoS in the Emerging IoT NetworkCharacerizing and Validating QoS in the Emerging IoT Network
Characerizing and Validating QoS in the Emerging IoT Network
 
(ISM301) Engineering Netflix Global Operations In The Cloud
(ISM301) Engineering Netflix Global Operations In The Cloud(ISM301) Engineering Netflix Global Operations In The Cloud
(ISM301) Engineering Netflix Global Operations In The Cloud
 
Self Service for IT Infrastructure
Self Service for IT Infrastructure Self Service for IT Infrastructure
Self Service for IT Infrastructure
 
Engineering Netflix Global Operations in the Cloud
Engineering Netflix Global Operations in the CloudEngineering Netflix Global Operations in the Cloud
Engineering Netflix Global Operations in the Cloud
 
RPASS - Ricoh Proactive ServiceS for Remote Monitoring & Backup
RPASS - Ricoh Proactive ServiceS for Remote Monitoring & Backup RPASS - Ricoh Proactive ServiceS for Remote Monitoring & Backup
RPASS - Ricoh Proactive ServiceS for Remote Monitoring & Backup
 
David Henthorn [Rose-Hulman Institute of Technology] | Illuminating the Dark ...
David Henthorn [Rose-Hulman Institute of Technology] | Illuminating the Dark ...David Henthorn [Rose-Hulman Institute of Technology] | Illuminating the Dark ...
David Henthorn [Rose-Hulman Institute of Technology] | Illuminating the Dark ...
 
SCQAA-SF Meeting on May 21 2014
SCQAA-SF Meeting on May 21 2014 SCQAA-SF Meeting on May 21 2014
SCQAA-SF Meeting on May 21 2014
 

Dernier

How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 

Dernier (20)

How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration

Automating Compliance Lab for CIP Version 5 Testing

  • 1. Standards of Excellence: Automating the Compliance Lab for CIP Version 5
    • Chuck Reynolds, Chief Technology Officer, TSI
    • Wednesday, October 30, 2013
    • QualiSystems Proprietary & Confidential
  • 3. NERC and CIP
    • NERC = North American Electric Reliability Corporation
      • Non-profit corporation
      • Charter: ensure reliability, adequacy and security
      • Maintains comprehensive planning and operations standards
    • CIP = Critical Infrastructure Protection
      • NERC CIP Standards 002-011
      • Ensure protection of critical cyber assets
      • 8 primary standards, 41 requirements, 164 sub-requirements
      • Mandatory compliance for all major electric companies
  • 4. Accelerating Pace of CIP Standards Development
    • Electric utilities required to retain:
      • 12 months of auditable data, documents and records on their information security controls
      • Specific logs for 90 days
    • Currently being audited based on CIP version 3
    • Mandated to become fully compliant with version 4 by April of 2014
    • However, CIP version 5 is drafted and awaiting final approval
      • More comprehensive and specific device standards
      • Version 6 in the works and may usurp version 5 deployment
    • Getting ahead of the game is a smart move given the flux
      • One major entity is already implementing version 5 tests!
  • 5. More Rigorous Device Certification Standards
    • CIP 007 - Systems Security Management
      • Account tests / Password tests
      • Patch tests
      • Log tests
      • Antivirus tests
      • New device/OS/topology certification
      • Regular baseline regression testing
      • Security software configuration validation
    • CIP 010 - Configuration Change Management and Vulnerability Assessments
      • Baseline tests / Comparison tests
      • Port scan tests
      • Vulnerability Assessments (EISP)
  • 6. Cost of Non-Compliance
    • Fines for compliance violations up to $1M per day
    • Since CIP compliance standards were published in 2008, more than $150 million in fines have been levied
    • 80% of pre-production test lab equipment & personnel can be devoted to CIP compliance testing
  • 7. Lab Pain Points
    • No live inventory visibility
    • Offline test topology design
    • Chaotic connectivity, costly disconnects
    • Lack of device configuration base-lining
    • Manual provisioning/testing
    • Manual report generation
  • 8. Compliance Risk and Waste
    • Compliance Risk
      • Lack of test integrity and repeatability due to operator errors, process variance
      • Manual processes difficult to document
      • Incomplete reporting: manual analysis can't digest voluminous test results data
      • Personnel struggle to keep pace with compliance test coverage requirements
    • CAPEX/OPEX Waste
      • Large ratio of test setup to actual testing
      • Days spent in the setup process for a 2 hour test: very low asset utilization
      • Millions of dollars in capital equipment only 15% to 20% utilized
      • Wasted real-estate and power costs
  • 9. Ingredients of a Successful CIP Lab Automation
    • Infrastructure Management
      • Live inventory, connectivity control
    • Test Equipment Resource Sharing
      • Integrated test environment design, reservation and scheduling
    • Device Provisioning
      • Automated base-lining procedures, device configuration
    • Test Automation
      • Automate manual test procedures
      • Test IP sharing, reuse, repeatability
    • Reporting and Documentation
      • Automated certification reporting and audit trail documentation
      • Reduced risk of non-compliance and real attacks
  • 10. Infrastructure Management
    • All resources are managed in a single repository
    • Tag devices according to user-defined parameters
    • Easily find the required type of device you need
    • Track and report device utilization
  • 11. Connectivity Control
    • Draw the topology route requirement
    • No need to remember or look up physical cabling
    • Actual connectivity is invisible to the end user
    • Manual and automated patching
    • Generate patching table reports and emails
    • Automatically control L1 switches: MRV, ONPATH, Apcon, Curtiss-Wright
  • 12. Live Workspace
    • Replace the static diagram with a live workspace
      • Drag & drop devices
      • Draw required connections and activate
      • Directly provision devices
      • Power up and down devices
      • Directly open CLIs to devices
  • 13. Scheduling
    • Central calendar-based scheduling
    • Plan ahead lab operations
    • Resolve allocation conflicts
    • Locate device availability in a snap
  • 14. Device Provisioning
    • Embedded integration with lab resources
      • Control interfaces: Telnet, SSH, Web Services, Serial…
      • GUI: Windows, Java, Web…
      • Scripts: TCL, Perl, Python, PowerShell…
      • Leading testing vendors: Ixia, Spirent, Shenick, MRV, ONPATH…
      • Custom drivers: .NET, Exe, LabVIEW, ActiveX…
      • Third Party Apps: NMAP, iPerf, MSBA, WireShark…
    • Customize your own provisioning
      • No need to program
      • Quick and standard reuse
      • Simple graphical flowchart
      • Easy device response analysis
    • Examples
      • Automatic discovery
      • Validate setup
      • Nightly maintenance run
  • 15. Test Automation Example: Looping NMAP test
    • Drag & Drop
    • Flow Chart Test
    • Easy parallelism
    • Tools
      • Wide spectrum
      • Open architecture
      • Add your own
      • Standard use
    • Share
      • Assets
      • Knowledge
  • 16. Compliance Tracking Dashboards and Reports
    • Dashboards
      • At-a-glance views of compliance
      • Real-time remote viewing for auditors
    • Custom Reports
      • Structured to match CIP reporting requirements
  • 17. Efficiency and Savings from Automating the Test Lab (chart: MANUAL vs. AUTOMATED)
  • 18. Lab Maturity Model: From CHAOS to COMPLIANCE
    • Effective and Efficient Lab Resources
      • Faster test cycles, increased utilization, improved value
    • Ensure compliance, protect the bottom line
      • Incorporate best test practices as part of the business model
    • Create Eco-System with Suppliers to Coordinate Testing
      • Shared tests, lab management practices
  • 19. Q&A
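Slide 15 and Chuck's note on it describe checking scanned ports against a previously run NMAP baseline so that unexpected open ports or services are caught regardless of firmware upgrades or user changes. The following is an added example of that comparison step, not code from the webinar or from QualiSystems or TSI: it parses constructed scan output in nmap's grepable ("Host:" line) format and reports every deviation from an approved baseline (hosts, addresses and ports are made up).

```python
import re

# Constructed sample scans in nmap's grepable (-oG) "Host:" line format;
# the addresses, hostnames and ports are made up for this example.
BASELINE_SCAN = (
    "Host: 10.0.1.10 (rtu-01)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\n"
    "Host: 10.0.1.11 (hmi-01)\tPorts: 22/open/tcp//ssh///, 3389/open/tcp//ms-wbt-server///\n"
)
CURRENT_SCAN = (
    "Host: 10.0.1.10 (rtu-01)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, "
    "23/open/tcp//telnet///\tIgnored State: closed (997)\n"
    "Host: 10.0.1.11 (hmi-01)\tPorts: 22/open/tcp//ssh///, 3389/closed/tcp//ms-wbt-server///\n"
    "Host: 10.0.1.12 (new-01)\tPorts: 80/open/tcp//http///\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\tPorts:\s+([^\t]*)")


def parse_grepable(text):
    """Return {ip: set of (port, proto)} for every port a scan reports open."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # "Status: Up" lines and comments carry no port data
        ip, _hostname, port_list = m.groups()
        open_ports = set()
        for entry in port_list.split(","):
            fields = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(fields) >= 3 and fields[1] == "open":
                open_ports.add((int(fields[0]), fields[2]))
        hosts[ip] = open_ports
    return hosts


def compare_to_baseline(baseline, current):
    """List deviations from the approved baseline as (ip, finding, ports)."""
    findings = []
    for ip, ports in sorted(current.items()):
        if ip not in baseline:
            findings.append((ip, "host not in baseline", sorted(ports)))
            continue
        opened = ports - baseline[ip]
        closed = baseline[ip] - ports
        if opened:
            findings.append((ip, "port opened since baseline", sorted(opened)))
        if closed:
            findings.append((ip, "baseline port no longer open", sorted(closed)))
    for ip in sorted(baseline.keys() - current.keys()):
        findings.append((ip, "baseline host missing from scan", []))
    return findings
```

Each finding maps to a review item: a newly opened port or an unbaselined host is a CIP-007 ports-and-services exception to investigate, while a closed baseline port or a missing host usually means the baseline itself needs a documented update.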

Editor's notes

  1. Our speakers today are: QualiSystems’ Vice-President of Marketing, Alex Henthorn-Iwane. Prior to joining QualiSystems, Alex was Vice-President of Marketing at Packet Design, Inc., a provider of network management software, and has 20+ years of experience in product management, marketing and technical roles at networking and security technology providers. For more information, please check out our website at qualisystems.com. Who is TSI? Briefly, TSI is Technical Systems Integrators, an enterprise solution integrator specializing in Test Lifecycle Management tools with over 27 years of doing business in North America. One of our speakers will be TSI’s Chief Technology Officer, Chuck Reynolds. Chuck is the founder and chief technologist at TSI, an enterprise solution integrator specializing in Test Lifecycle Management tools for over 27 years. Prior to founding TSI, Chuck was a senior application engineer at Hewlett Packard and a lead test automation engineer at Martin Marietta Aerospace, and has 30+ years of experience in product management and delivering technical solutions to leading edge customers in a variety of markets. And now, I’ll turn it over to you, Chuck.
  2. Chuck: (1:15) Thank you. Welcome to today’s webinar. As you heard in our introduction, I’ve been involved in test, engineering and QA labs most of my career, so I know first hand the pain, frustration and sometimes chaos that comes with your daily routines. In today’s webinar we will review what the NERC and CIP compliance standards are. NERC came about after some disastrous failures in the power grid some years ago. Since then NERC has been quite busy ensuring that our power grid is reliable and secure for all. NERC has developed a set of Critical Infrastructure Protection guidelines, or standards, that provide for a uniform standard across the companies involved in providing our power so that it remains secure and reliable for all.
  3. Chuck: (1:15) The CIP audit requirements have mainly been documentation and reporting standards around process verification and validation to date. There are many software packages and databases available that address these reporting standards that most energy companies have adopted in one form or another. What’s new in version 5, and most likely subsequent releases of the standards, is the more detailed device standards, which imply significant engineering effort to complete. Since these engineering efforts must drive the report generation and are likely to be repeated time and time again, there are significant costs associated with these typically manual engineering tasks that must be performed on the hardware devices in the test and production lab. Let’s take a look at some of these new tasks.
  4. Chuck: (1:15) **This is not trivial** These are just some of the new requirements found in the version 5 release. Most of these require a knowledgeable telecom or IT test engineer to manually perform, and while these are critical tasks they are tedious and time consuming for test engineers to perform and require extensive provisioning and setup before the test can even begin. Allocating the topology, checking the baseline previous results, comparing against the baseline and then generating the reports necessary can occupy these valuable company resources and prevent them from focusing on more appropriate issues. Even non-CIP related testing can occur for things like new product interoperability testing and compatibility testing in these same labs, with the same manual processes and extensive use of valuable company assets (engineers and devices).
  5. Chuck: So what happens if you don’t make the commitment to ensuring these standards are not met? Not an option within the energy entities – this has to be addressed or the fines are substantial. So how can we tell if we are running our CIP and interoperability test lab(s) efficiently?
  6. Chuck: **Narrative picture** (Alex, try a shot) Just take a look at your own lab and see if these items apply to your lab. Are your test engineers manually performing the tests and manually updating report spreadsheets and documents? If so, then there is an opportunity to automate and speed up your compliance testing and reporting efforts as well as decrease the costs and use of resources meeting the compliance requirements.
  7. Chuck: Lack of automation for CIP Version 5 requirements creates compliance risk and waste that can add up to significant losses to your entity. Manual processes are never a good thing because too often things can slip through the cracks. With CIP testing you cannot afford even a single failure due to human oversights. Then consider the capital and operating waste. Does expensive equipment sit around idle in your lab? Do you even know how often devices are being utilized in the lab? All that equipment powered up while not being used? On top of all of this, let’s not forget the real risk lurking behind CIP testing, which is falling victim to a cyber security attack that results in customer downtime. So what does it take to automate your CIP compliance testing? Let’s turn it over to Alex to discuss the ingredients of a successful CIP lab automation. Alex?
  8. Alex: If you’re considering automation for your CIP compliance and pre-production test lab environment, you’ll want to look for a solution or architecture that can address some key points that we’ll cover in the following slides.
  9. Alex
  10. Alex
  11. Alex
  12. Alex
  13. Alex - you want to focus on the 3rd party apps here.
  14. Alex: Chuck, you have a technical use case of how automation can be applied to CIP cyber security testing. Would you mind sharing about that? Chuck: Sure, this is right out of the CIP specification. Here’s an example of how you can dynamically check a large number of devices and profile all their ports to ensure there are no ports or services that shouldn’t be open on the collection of devices. The NMAP results can be validated and checked against previously run NMAP results to make sure that the CIP baseline is met regardless of software or firmware upgrades or just plain changes by users. The same thing can be done against software releases, password checking, and baseline configuration validation across all of the devices in the lab. Alex: Now that the automation has run and the results are checked, the data needs to be aggregated and used to generate compliance reports….
  15. Alex
  16. Alex
  17. Alex and Chuck