NERC CIP
-
Upload
cedric-niamke -
Category
Documents
-
view
215 -
download
0
Transcript of NERC CIP
-
7/27/2019 NERC CIP
1/30
2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.
NERC CIP Considerations when Procuring and
Implementing SCADA Systems
1
September 18, 2012
EMS Users Conference
-
7/27/2019 NERC CIP
2/30
2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.
Introductions
MarioMarchelli
Director,EnergyManagement&ControlSystemsPracticeLead
(832)
563
GilbertPerez
Manager,EMCSPractice
(786)8799544
2
-
7/27/2019 NERC CIP
3/30
2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.
Agenda
BestpracticesforSCADAprocurement
Bestpractices
for
SCADA
implementation
BestpracticesforSCADAGoLive
ProperstepsforretirementoflegacySCADA
Conclusions
3
-
7/27/2019 NERC CIP
4/30
2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.
BestPracticesforSCADASystemProcurement
4
CorrectlycommunicatecorporatestandardsforElectronicSecurityPerimeters(ESPs)toyourvendor.
Specify
the
location
of
the
Production
Assets.
SpecifythelocationoftheDevelopmentAssets.
SpecifythelocationoftheTraining(DTS)Assets.
Specify
the
location
of
the
read
only
servers
and
theremoteaccesstothem.
Reference:R1.ElectronicSecurityPerimeter
CIP005
WorkwithyourvendorinordertodriveyourdesiredESPDesign
-
7/27/2019 NERC CIP
5/30
2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.
BestPracticesforSCADASystemProcurement
5
Requestthefollowingsecurityenhancements:
SecuredDNP3.
Secured
ICCP.
ServiceDMZwhichwillhousetheprintersand
othernonessentialdevices.
Reference:R2.ElectronicAccessControls
CIP005
TighterSecuritywillcontinuetobeimposedontheindustry,planforthefuture
today
-
7/27/2019 NERC CIP
6/30
2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.
BestPracticesforSCADASystemProcurement
6
Testing/QA
environment
SpecifythelocationoftheQAAssets.
Vendorprovidedtoolsfortesting
Vendorservicesfortesting
Reference:R1.TestProcedures
CIP
007
CIP007R1isthemosthighlyviolatedofalltheCIPStandards.Requesttoolswhich
willhelpyouachievecompliance
-
7/27/2019 NERC CIP
7/30
-
7/27/2019 NERC CIP
8/30
2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.
BestPracticesforSCADASystemProcurement
8
Testingandvalidationofthepatchesforsecuritycontrolsnotjustfunctionality.
Reference:R3.SecurityPatchManagement
CIP007
Sharetheresponsibilityofkeepingyoursystemuptodatewithyourvendor.
-
7/27/2019 NERC CIP
9/30
2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.
BestPracticesforSCADASystemProcurement
9
Disableguestaccounts. Implementpasswordcomplexityandagerequirements. Limittheuseofadministratoraccounts. Implement
the
principle
of
least
privilege.
Reference:R5.AccountManagement
CIP007
SharedAccountsareheadache,placetheburdenonyourvendor
-
7/27/2019 NERC CIP
10/30
2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.
BestPracticesforSCADASystemProcurement
10
Implementthe
usage
of
centralized
logging.
ImplementtheusageofHostBasedIntrusionDetectionSystem(HIDS)/IntrusionDetectionSystem(IDS).
Reference:R6.SecurityStatusMonitoring
CIP007
-
7/27/2019 NERC CIP
11/30
-
7/27/2019 NERC CIP
12/30
2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.
BestPracticesforSCADASystemProcurement
12
Whowill
conduct
the
assessment?
Vendor
Inhouse
Third
party
Decide: Timingofassessment.
Responsible
party
Reference:R8.CyberVulnerabilityAssessment
CIP007
DecidewhoperformsyourvulnerabilityassessmentpriorissuingtheRFP
-
7/27/2019 NERC CIP
13/30
-
7/27/2019 NERC CIP
14/30
-
7/27/2019 NERC CIP
15/30
2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.
Agenda
BestpracticesforSCADAprocurement
Bestpractices
for
SCADA
implementation
BestpracticesforSCADAGoLive
ProperstepsforretirementoflegacySCADA
Conclusions
15
-
7/27/2019 NERC CIP
16/30
2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.
BestPracticesforSCADASystemImplementation
16
HowtotestthenewSCADASystem:
If controlling
Testonesubstationatatime.
AvoidSubstations
deemed
Critical
Assets
Avoidtestingon500and300KVsites
(CIPVersion4)
Establishwell
documented
test
procedures.
CIP002
-
7/27/2019 NERC CIP
17/30
2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.
BestPracticesforSCADASystemImplementation
OnceanewSCADAsystemhastheabilitytocontroltheBulkElectricalSystem,alloftheCriticalCyberAssets(CCAs)associatedwiththenewsystemneedtobe
declaredandaddedtoyourexistingCCAlist.
Reference:R2.(V4) R3.(V3)CriticalCyberAssetIdentification
Make
your
companys
Cyber
Security
Policy
readily
availabletoallvendoremployeeswhowillworkonyour
system.Reference:R1.CyberSecurityPolicy
17
CIP002
DonotforgettoaddyournewcriticalCyberAssetstoyourCCAlist
CIP003
-
7/27/2019 NERC CIP
18/30
2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.
BestPracticesforSCADASystemImplementation
18
Ifpossible,establishanewESPforthenewSCADA
system.Doing
so
will
allow
you
to:
Conducttestingpriortogoingonline.
Establishwelldocumentedfirewallrules.
Insurethatnonewvulnerabilitiesareintroducedtothecurrentproductionenvironment.
Allowsfortheimplementationofnewernetwork
equipmentwithminimalinterruptiontothe
existingnetwork.Reference:R2.ElectronicAccessControls
CIP005
ImplementinganewESPisthebestpathtotake
-
7/27/2019 NERC CIP
19/30
-
7/27/2019 NERC CIP
20/30
-
7/27/2019 NERC CIP
21/30
2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.
Agenda
BestpracticesforSCADAprocurement
Bestpractices
for
SCADA
implementation
BestpracticesforSCADAGoLive
ProperstepsforretirementoflegacySCADA
Conclusions
21
-
7/27/2019 NERC CIP
22/30
2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.
BestPracticesforSystemGoLive
22
Require
the
vendor
to
train
their
employees
per
your
CIP
program. Requirethevendortoproviderecordsofthetrainingresults.
Contractuallanguagetoaddressliabilitiesfornoncompliance.Reference:R2.Training
RequirethevendortoprovidePersonnelRiskAssessmentforthefollowing:
ProjectPersonnel
Maintenanceand
support
personnel.
HardwareOEMsupportpersonnel.
RequirethevendortoprovideyourecordsofthePRAresults.Reference:R3.PersonnelRiskAssessment(PRA)
CIP004
ProperCIP
Personnel
credentials
for
Contractors
and
Vendors
is
amust.
-
7/27/2019 NERC CIP
23/30
2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.
BestPracticesforSystemGoLive
23
Verifythat
logging
is
being
performed
for
all
of
the
following
securityevents:
Failedaccessattempts.
Successful
access
attempts.
Antivirusandantimalwarealerts.
*Developaplan
in
order
to
test
that
the
security
events
listed
above
are
being
properlyloggedoncethesystemgoeslive.
Reference:R6.SecurityStatusMonitoring
CIP007
Testingof themonitoringcapabilitiespriortogoingLIVEisessential.
-
7/27/2019 NERC CIP
24/30
2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.
BestPracticesforSystemGoLive
24
RemoteAccess(VendorandEmployees)
Two
factor
authentication
for
vendor
access
thru
the
firewall.
SecuredVPNaccess. Loggingofallvendoraccess. Layeredsecurity,possiblyajumpserverwithtwofactor
authentication.
CIP005
Utilizestrictsecuritycontrolswhenallowingremoteaccessoncethesystem
isliveisamust
-
7/27/2019 NERC CIP
25/30
2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.
Agenda
BestpracticesforSCADAprocurement
Bestpractices
for
SCADA
implementation
BestpracticesforSCADAGoLive
ProperstepsforretirementoflegacySCADA
Conclusions
25
-
7/27/2019 NERC CIP
26/30
2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.
ProperStepsforretirementoflegacySCADAsystems
26
Whenredeployingmagneticmedia,overwritethe
mediausingDoDStandard.
Whendisposingofmedia,youmustphysicallydestroy
such
media*Pleasenotethatyoumustoverwriteordestroythediscardedmediawhile
itstillresideswithinthePSP.
You
must
created
and
maintained
records
of
disposed
and/orredeployedmedia.
Reference:R7.DisposalorRedeployment
CIP007
Followingthepropersequenceofeventsisessential.
-
7/27/2019 NERC CIP
27/30
2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.
ProperStepsforretirementoflegacySCADAsystems
ElectronicSecurity
Perimeter
IfanewESPwascreated,retiretheoldESP.RemovetheESPwheretheretiredequipmentresidedfromanydrawings.
PhysicalSecurityPerimeter
Ifanew
PSP
was
created,
retire
the
old
PSP.
RemovetheoldPSPfromthePhysicalSecurityPlan.
27
CIP005
CIP006
-
7/27/2019 NERC CIP
28/30
2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.
Agenda
BestpracticesforSCADAprocurement
Bestpractices
for
SCADA
implementation
BestpracticesforSCADAGoLive
ProperstepsforretirementoflegacySCADA
Conclusions
28
-
7/27/2019 NERC CIP
29/30
2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.
Conclusions
BecomepartnerswithyourselectedvendorinsharingtheCIPSecurityresponsibilities.
Selectavendor
which
has
embraced
CIP
Security
and
has
acultureofexceedingtheCIPRequirements.
DeveloptestplansforSecurityTestingcontrolsduringthe
implementationof
your
new
SCADA
system.
Oncethesystemgoeslive,insurethatallofthevendorpersonnelworkingonyoursystemhavetheproperCIP
credentials.
Properdisposalofyourdiscardedsystemisessential.
29
-
7/27/2019 NERC CIP
30/30
2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.
KeyCyberSecurityConsiderations Questions?
30