NERC CIP

7/27/2019 NERC CIP

1/30

2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.

NERC CIP Considerations when Procuring and

Implementing SCADA Systems

1

September 18, 2012

EMS Users Conference

7/27/2019 NERC CIP

2/30


Introductions

MarioMarchelli

Director,EnergyManagement&ControlSystemsPracticeLead

(832)

563

[email protected]

GilbertPerez

Manager,EMCSPractice

(786)8799544

[email protected]

2

7/27/2019 NERC CIP

3/30


Agenda

BestpracticesforSCADAprocurement

Bestpractices

for

SCADA

implementation

BestpracticesforSCADAGoLive

ProperstepsforretirementoflegacySCADA

Conclusions

3

7/27/2019 NERC CIP

4/30


BestPracticesforSCADASystemProcurement

4

CorrectlycommunicatecorporatestandardsforElectronicSecurityPerimeters(ESPs)toyourvendor.

Specify

the

location

of

the

Production

Assets.

SpecifythelocationoftheDevelopmentAssets.

SpecifythelocationoftheTraining(DTS)Assets.

Specify

the

location

of

the

read

only

servers

and

theremoteaccesstothem.

Reference:R1.ElectronicSecurityPerimeter

CIP005

WorkwithyourvendorinordertodriveyourdesiredESPDesign

7/27/2019 NERC CIP

5/30



5

Requestthefollowingsecurityenhancements:

SecuredDNP3.

Secured

ICCP.

ServiceDMZwhichwillhousetheprintersand

othernonessentialdevices.

Reference:R2.ElectronicAccessControls

CIP005

TighterSecuritywillcontinuetobeimposedontheindustry,planforthefuture

today

7/27/2019 NERC CIP

6/30



6

Testing/QA

environment

SpecifythelocationoftheQAAssets.

Vendorprovidedtoolsfortesting

Vendorservicesfortesting

Reference:R1.TestProcedures

CIP

007

CIP007R1isthemosthighlyviolatedofalltheCIPStandards.Requesttoolswhich

willhelpyouachievecompliance

7/27/2019 NERC CIP

7/30

7/27/2019 NERC CIP

8/30



8

Testingandvalidationofthepatchesforsecuritycontrolsnotjustfunctionality.

Reference:R3.SecurityPatchManagement

CIP007

Sharetheresponsibilityofkeepingyoursystemuptodatewithyourvendor.

7/27/2019 NERC CIP

9/30



9

Disableguestaccounts. Implementpasswordcomplexityandagerequirements. Limittheuseofadministratoraccounts. Implement

the

principle

of

least

privilege.

Reference:R5.AccountManagement

CIP007

SharedAccountsareheadache,placetheburdenonyourvendor

7/27/2019 NERC CIP

10/30



10

Implementthe

usage

of

centralized

logging.

ImplementtheusageofHostBasedIntrusionDetectionSystem(HIDS)/IntrusionDetectionSystem(IDS).

Reference:R6.SecurityStatusMonitoring

CIP007

7/27/2019 NERC CIP

11/30

7/27/2019 NERC CIP

12/30



12

Whowill

conduct

the

assessment?

Vendor

Inhouse

Third

party

Decide: Timingofassessment.

Responsible

party

Reference:R8.CyberVulnerabilityAssessment

CIP007

DecidewhoperformsyourvulnerabilityassessmentpriorissuingtheRFP

7/27/2019 NERC CIP

13/30

7/27/2019 NERC CIP

14/30

7/27/2019 NERC CIP

15/30


Agenda


Bestpractices

for

SCADA

implementation



Conclusions

15

7/27/2019 NERC CIP

16/30


BestPracticesforSCADASystemImplementation

16

HowtotestthenewSCADASystem:

If controlling

Testonesubstationatatime.

AvoidSubstations

deemed

Critical

Assets

Avoidtestingon500and300KVsites

(CIPVersion4)

Establishwell

documented

test

procedures.

CIP002

7/27/2019 NERC CIP

17/30



OnceanewSCADAsystemhastheabilitytocontroltheBulkElectricalSystem,alloftheCriticalCyberAssets(CCAs)associatedwiththenewsystemneedtobe

declaredandaddedtoyourexistingCCAlist.

Reference:R2.(V4) R3.(V3)CriticalCyberAssetIdentification

Make

your

companys

Cyber

Security

Policy

readily

availabletoallvendoremployeeswhowillworkonyour

system.Reference:R1.CyberSecurityPolicy

17

CIP002

DonotforgettoaddyournewcriticalCyberAssetstoyourCCAlist

CIP003

7/27/2019 NERC CIP

18/30



18

Ifpossible,establishanewESPforthenewSCADA

system.Doing

so

will

allow

you

to:

Conducttestingpriortogoingonline.

Establishwelldocumentedfirewallrules.

Insurethatnonewvulnerabilitiesareintroducedtothecurrentproductionenvironment.

Allowsfortheimplementationofnewernetwork

equipmentwithminimalinterruptiontothe

existingnetwork.Reference:R2.ElectronicAccessControls

CIP005

ImplementinganewESPisthebestpathtotake

7/27/2019 NERC CIP

19/30

7/27/2019 NERC CIP

20/30

7/27/2019 NERC CIP

21/30


Agenda


Bestpractices

for

SCADA

implementation



Conclusions

21

7/27/2019 NERC CIP

22/30


BestPracticesforSystemGoLive

22

Require

the

vendor

to

train

their

employees

per

your

CIP

program. Requirethevendortoproviderecordsofthetrainingresults.

Contractuallanguagetoaddressliabilitiesfornoncompliance.Reference:R2.Training

RequirethevendortoprovidePersonnelRiskAssessmentforthefollowing:

ProjectPersonnel

Maintenanceand

support

personnel.

HardwareOEMsupportpersonnel.

RequirethevendortoprovideyourecordsofthePRAresults.Reference:R3.PersonnelRiskAssessment(PRA)

CIP004

ProperCIP

Personnel

credentials

for

Contractors

and

Vendors

is

amust.

7/27/2019 NERC CIP

23/30



23

Verifythat

logging

is

being

performed

for

all

of

the

following

securityevents:

Failedaccessattempts.

Successful

access

attempts.

Antivirusandantimalwarealerts.

*Developaplan

in

order

to

test

that

the

security

events

listed

above

are

being

properlyloggedoncethesystemgoeslive.

Reference:R6.SecurityStatusMonitoring

CIP007

Testingof themonitoringcapabilitiespriortogoingLIVEisessential.

7/27/2019 NERC CIP

24/30



24

RemoteAccess(VendorandEmployees)

Two

factor

authentication

for

vendor

access

thru

the

firewall.

SecuredVPNaccess. Loggingofallvendoraccess. Layeredsecurity,possiblyajumpserverwithtwofactor

authentication.

CIP005

Utilizestrictsecuritycontrolswhenallowingremoteaccessoncethesystem

isliveisamust

7/27/2019 NERC CIP

25/30


Agenda


Bestpractices

for

SCADA

implementation



Conclusions

25

7/27/2019 NERC CIP

26/30


ProperStepsforretirementoflegacySCADAsystems

26

Whenredeployingmagneticmedia,overwritethe

mediausingDoDStandard.

Whendisposingofmedia,youmustphysicallydestroy

such

media*Pleasenotethatyoumustoverwriteordestroythediscardedmediawhile

itstillresideswithinthePSP.

You

must

created

and

maintained

records

of

disposed

and/orredeployedmedia.

Reference:R7.DisposalorRedeployment

CIP007

Followingthepropersequenceofeventsisessential.

7/27/2019 NERC CIP

27/30


ProperStepsforretirementoflegacySCADAsystems

ElectronicSecurity

Perimeter

IfanewESPwascreated,retiretheoldESP.RemovetheESPwheretheretiredequipmentresidedfromanydrawings.

PhysicalSecurityPerimeter

Ifanew

PSP

was

created,

retire

the

old

PSP.

RemovetheoldPSPfromthePhysicalSecurityPlan.

27

CIP005

CIP006

7/27/2019 NERC CIP

28/30


Agenda


Bestpractices

for

SCADA

implementation



Conclusions

28

7/27/2019 NERC CIP

29/30


Conclusions

BecomepartnerswithyourselectedvendorinsharingtheCIPSecurityresponsibilities.

Selectavendor

which

has

embraced

CIP

Security

and

has

acultureofexceedingtheCIPRequirements.

DeveloptestplansforSecurityTestingcontrolsduringthe

implementationof

your

new

SCADA

system.

Oncethesystemgoeslive,insurethatallofthevendorpersonnelworkingonyoursystemhavetheproperCIP

credentials.

Properdisposalofyourdiscardedsystemisessential.

29

7/27/2019 NERC CIP

30/30


KeyCyberSecurityConsiderations Questions?

30

NERC CIP

Documents

Transcript of NERC CIP