Leveraging Technology to Enhance Security, Reliability & NERC-CIP Ver.5 Compliance by PAS and NovaTech
1. Presented by PAS and NovaTech
July 2013
2. AGENDA
• Group Introductions
• Agenda
• Review CIP V5 Requirements
• Discussion of current practices in generation plants and substations
– Inventory
– Configuration management
– Change management
• Case Study of Southern Co.
• Panel impressions
• Questions – General Discussion
3. Introductions
• Richard Powell – Manager Cyber Security Solutions - PAS
– CISSP, CISA
– Business development for cyber security
– Head of cyber security consulting for a leading CIP consulting group
– Head of security and compliance for a large municipal utility
• Kevin Johnson – V.P. Business Development – NovaTech
– Member of Executive Management Team
– Strategic Initiatives & Emerging Technologies
– Southeast Utilities Regional Manager
4. Future NERC CIP Standards
NERC CIP Version 4 (approved 4/19/2012)
Effective date 4/1/2014
Critical generating assets:
• 1500MW power in a single interconnection
• 1000MVAR reactive power in a single interconnection
• “Reliability Must Run” units
• “Black start” units
NERC CIP Version 5 (submitted to FERC 1/31/2013)
• Impact categorization, instead of Critical Assets
• New process is introduced in proposed CIP-002-05 for identifying and classifying BES Cyber Systems according to “Low-Medium-High” impact
• Two new standards
– 010 – Configuration Management and Vulnerability Assessments
– 011 – Information Protection
• Routable and non-routable protocols
• Remote access
• Malicious code prevention
5. CIP 002-011 (Version 5): Overview
NERC CIP CYBER SECURITY STANDARDS Version 5
Ten Standards / 43 Requirements
• CIP-002 – Critical Cyber Assets: (1) Low, Medium, High criteria; (2) 15-month review
• CIP-003 – Security Management Controls: (1) Cyber security policy for High/Medium; (2) Cyber security policy for Low; (3) Leadership; (4) Document delegates
• CIP-004 – Personnel and Training: (1) Awareness; (2) Training; (3) Personnel risk assessment; (4) Access; (5) Access revocation program
• CIP-005 – Electronic Security: (1) Electronic Security Perimeter; (2) Remote access management
• CIP-006 – Physical Security: (1) Plan; (2) Visitor control plan; (3) Maintenance and testing
• CIP-007 – Systems Security Management: (1) Ports and services; (2) Security patch management; (3) Malicious code prevention; (4) Security event monitoring; (5) System access controls
• CIP-008 – Incident Reporting and Response Planning: (1) Cyber security incident response plan; (2) Implementation and testing of cyber security incident response plans; (3) Cyber security incident response plan review
• CIP-009 – Recovery Plans for BES Cyber Assets: (1) Recovery plans; (2) Recovery plan implementation and testing; (3) Recovery plan review, update, and communication
• CIP-010 – Config. Change & Vuln. Assess.: (1) Configuration change management process; (2) Configuration monitoring; (3) Vulnerability assessments
• CIP-011 – Information Protection: (1) Information protection process; (2) BES Cyber Asset reuse and disposal
Source: NERC (www.nerc.com)
CIP = Critical Infrastructure Protection.
NERC = North American Electric Reliability Corporation.
BES = Bulk Electric System
6. Panel Discussion
Question: What do you see as the major challenges at your utility in complying with Version 5, especially related to the above as defined in CIP 7 & 10?
Development and implementation of a NERC CIP compliance program can involve many functions of an organization, including Operations, Administration, IT, etc.
Question: What steps has your company taken to date to prepare for Version 5 compliance related to personnel?
• Staffing
• Training
Follow-up Question: Has your organization considered the financial and resource implications of the data mining and management associated with the inventory development of the installed assets? If so, what measures?
13. Security Configuration Management
• Common Operating Environment (COE)
• Configuration Baselines
• COEs specify
– Allowed installed software and their versions
– Allowed hardware configurations
– Patches
– Ports/Services
– User access privileges
14. Change Management - iMOC™
• 3rd-generation MOC workflow application
– Designed specifically for automation systems
– Built upon Integrity framework
– Leverages Web 2.0 technologies to facilitate information push &
collaboration with other applications
• Intelligent platform
– Creates searchable documentation
• Identifies all links and places-used
• Improves discovery
– Embeds checklists
– Approval routing and documentation
– Provides links to critical information
– Automatically reconciles changes
• Work flow is customizable to fit existing change management processes
15. Reporting:
• REPORTS
– SECURITY PATCH MGT.
– ACCOUNT MANAGEMENT
– MALICIOUS SOFTWARE
– DEVICE DISCOVERY
– CUSTOM USER REPORTS
– COMPLIANCE REPORTS
– MOC REPORTS
– SYSTEM ALERT STATUS
– PSP – ASSET REPORT
– ESP – ASSET REPORT
• DASHBOARD
– INVENTORY
– UN-RECONCILED CHANGES
– PORTS & SERVICES
– SECURITY PATCH MANAGEMENT
– ANTIVIRUS MANAGEMENT
– PASSWORD MANAGEMENT
– MEDIA DISPOSAL MANAGEMENT
– BACKUP & STORAGE
– NERC ALERTS
• LISTINGS
– ASSET INVENTORY
– CYBER ASSET INVENTORY
– CONTROL DEVICE DATA (WMIC)
– AUTHORIZED USER LIST
– APPROVED OS PATCHES
– APPROVED VENDOR PATCHES
– APPROVED DEVICE PORTS
– APPROVED ANTI-VIRUS DEF.’s
– BACKUP AND STORAGE SCHED.
– PASSWORD MGT. SCHEDULE
– SYSTEM LOGS
16. Proposed Orion-Integrity Architecture
[Diagram labels: Active Directory Server; RSA; PAS Integrity Server; Generation Electronic Security Perimeter (ESP); Substation Electronic Security Perimeter (ESP); ESP/Jump Server; OrionLX - SCP; OrionLX - RCP; RTU; Protective Relay; Broadband Connection; DCS; PLC]
Servers can be physical or virtual
20. NovaTech Connection Manager (Server Style)
[Diagram labels: Users; IED Software (e.g. AcSELerator); NovaTech Connection Manager; Windows based Connection Manager PC; Server; Remote access to server; Identity Management Server]
• Virtual Serial Port for serial based configuration software
• Secure connection agent runs in the OrionLX
V5 is potentially a mixed blessing over V4. Possibly fewer things to do to more assets.
We know that good Cyber Security standards under Version 5 would suggest that companies implement the following practices for their critical cyber assets:
• Inventory of Critical Assets
• Configuration Management & Baseline identification
• Management of Change
Aug 8, 2013
Looking at this map, imagine a world with one common control system platform, all hardware and software running at the same rev. level, running the same logic and configuration that never changes. That is not my world! If you are a supplier to the Electric Utility Industry, please don't be offended if your name does not show up on this map; I am fairly certain we use your stuff also. As you might imagine, trying to maintain accurate asset inventories, implement effective management of change processes, and ensure consistent cyber security policies and practices is quite a challenge in the robustly diverse environment we find ourselves in.
As daunting as this challenge is, you are often reminded in life that things can get more interesting. As we all know, our world is changing. Technology is evolving. Some of our ideas to embrace “open” systems and improve “connectivity” seemed like such worthy goals at the time. As it turns out, fixing some of these problems is easier than proving that you did. We realized that we needed good policies, good processes, good people, and good plans to meet these requirements. Our early experience demonstrated that reliance on too many manual tools and processes allowed for unacceptable compliance risk.
Illustrates the automation data that feeds CSI, how the raw data is transformed into normalized control information, and the types of information available to the end user.
• Data input: raw automation data from plant control systems, 2 terabytes once a week.
• Asset models: normalize raw automation data from different control system types; normalized data can then be compared against the fleet.
• Information output: compliance dashboards, asset inventory reports, compliance variance reports, and custom queries.
First generation was paper-based systems. Second generation was “electronification” of paper-based systems. The third generation uses Web 2.0 technologies to simplify the MOC process. It can push approvals to the appropriate approver at the moment that the approval is ready.
An intelligent, 3rd-generation MOC application designed specifically for the unique challenges of automation systems. Leverages Web 2.0 technologies and the capabilities of the Integrity Software and Integrity Recon to enable users to:
• Define and implement an efficient and easy-to-use management of change process for their entire automation system
• Detect and report all changes made to their automation systems
• Reconcile all detected changes with the specific MOC cases that authorized them
• Automatically report unreconciled MOC cases
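The baseline comparison on the Security Configuration Management slide and the detect/reconcile/report cycle in the notes above can be sketched as follows. This is an added example, not code from PAS Integrity or iMOC; the asset name, record layout, case IDs and function names are all hypothetical.

```python
from typing import NamedTuple

class Change(NamedTuple):
    asset: str
    action: str    # "added" or "removed" relative to the baseline
    category: str  # software, patches, ports, users
    item: str

def flatten(config):
    """Turn {category: [items]} into a set of (category, item) pairs."""
    return {(cat, str(i)) for cat, items in config.items() for i in items}

def detect_changes(asset, baseline, observed):
    """Diff an observed configuration against the approved baseline."""
    base, obs = flatten(baseline), flatten(observed)
    added = [Change(asset, "added", c, i) for c, i in sorted(obs - base)]
    removed = [Change(asset, "removed", c, i) for c, i in sorted(base - obs)]
    return added + removed

def reconcile(changes, moc_cases):
    """Return ({change: case id}, unreconciled changes,
    approved case ids with no matching detected change)."""
    approved = [c for c in moc_cases if c["status"] == "approved"]
    authorized = {Change(*ch): c["id"] for c in approved for ch in c["changes"]}
    reconciled = {ch: authorized[ch] for ch in changes if ch in authorized}
    unreconciled = [ch for ch in changes if ch not in authorized]
    open_cases = sorted({c["id"] for c in approved} - set(reconciled.values()))
    return reconciled, unreconciled, open_cases

# Constructed sample data (asset name, versions and case IDs are made up).
BASELINE = {"software": ["hmi-client 4.2"], "patches": ["KB-A"],
            "ports": [443, 502], "users": ["ops1", "eng1"]}
OBSERVED = {"software": ["hmi-client 4.3"], "patches": ["KB-A", "KB-B"],
            "ports": [443, 502, 3389], "users": ["ops1", "eng1"]}
MOC_CASES = [
    {"id": "MOC-0001", "status": "approved", "changes": [
        ("hmi-01", "removed", "software", "hmi-client 4.2"),
        ("hmi-01", "added", "software", "hmi-client 4.3"),
        ("hmi-01", "added", "patches", "KB-B")]},
    {"id": "MOC-0002", "status": "pending", "changes": [
        ("hmi-01", "added", "ports", "3389")]},
    {"id": "MOC-0003", "status": "approved", "changes": [
        ("hmi-01", "removed", "users", "eng1")]},
]

if __name__ == "__main__":
    found = detect_changes("hmi-01", BASELINE, OBSERVED)
    print(reconcile(found, MOC_CASES)[1:])
```

In the sample data the newly opened port is covered only by a pending case, so it is reported as unreconciled, while the approved account removal that never happened surfaces as an open case.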