©2012 Copyright. Confidential and proprietary to The Structure Group, LLC.
NERC CIP Considerations when Procuring and Implementing SCADA Systems
September 18, 2012
EMS Users Conference
Introductions
Mario Marchelli, Director, Energy Management & Control Systems Practice Lead, (832) 563‐[email protected]
Gilbert Perez, Manager, EMCS Practice, (786) 879‐[email protected]
Agenda
• Best practices for SCADA procurement
• Best practices for SCADA implementation
• Best practices for SCADA Go‐Live
• Proper steps for retirement of legacy SCADA
• Conclusions
Best Practices for SCADA System Procurement
• Correctly communicate corporate standards for Electronic Security Perimeters (ESPs) to your vendor.
‐ Specify the location of the Production Assets.
‐ Specify the location of the Development Assets.
‐ Specify the location of the Training (DTS) Assets.
‐ Specify the location of the read‐only servers and the remote access to them.
Reference: R1. Electronic Security Perimeter
CIP‐005
Work with your vendor in order to drive your desired ESP Design …
Request the following security enhancements:
‐ Secured DNP3.
‐ Secured ICCP.
‐ “Service DMZ” which will house the printers and other non‐essential devices.
Reference: R2. Electronic Access Controls
CIP‐005
Tighter security will continue to be imposed on the industry; plan for the future today …
• Testing / QA environment
‐ Specify the location of the QA Assets.
• Vendor provided tools for testing
• Vendor services for testing
Reference: R1. Test Procedures
CIP‐007
CIP‐007 R1 is the most highly violated of all the CIP Standards. Request tools which will help you achieve compliance…
• Documentation of your baseline software, ports and services.
• Removing any non‐essential software, ports and services prior to delivery of the SCADA system.
Reference: R2. Ports and Services
CIP‐007
Hardening of systems is a must; auditors love to dwell on ports and services …
• Testing and validation of the patches for security controls, not just functionality.
Reference: R3. Security Patch Management
CIP‐007
Share the responsibility of keeping your system up to date with your vendor ….
• Disable guest accounts.
• Implement password complexity and age requirements.
• Limit the use of administrator accounts.
• Implement the principle of least privilege.
Reference: R5. Account Management
CIP‐007
Shared accounts are a headache; place the burden on your vendor…
• Implement the usage of centralized logging.
• Implement the usage of a Host Based Intrusion Detection System (HIDS) / Intrusion Detection System (IDS).
Reference: R6. Security Status Monitoring
CIP‐007
• Implement logging tools which allow tracking of generic usernames.
‐ Track the user utilizing the generic username.
‐ Track the date and time which the generic username was utilized.
‐ Track the actions which were taken.
Reference: R5. Account Management
CIP‐007
Shared accounts are a headache; request tools for managing these accounts from your vendor.
Who will conduct the assessment?
‐ Vendor
‐ In‐house
‐ Third party
• Decide:
‐ Timing of assessment.
‐ Responsible party.
Reference: R8. Cyber Vulnerability Assessment
CIP‐007
Decide who performs your vulnerability assessment prior to issuing the RFP …
• Virtualization:
‐ CIP and Non‐CIP.
• Storage Area Networks:
‐ CIP and Non‐CIP.
‐ IP connections.
Reference: System Design (CIP‐005 and CIP‐007)
CIP‐007
Other issues to consider prior to issuing the RFP …
• Consider a vendor‐provided backup solution.
Reference: R4. Backup and Restore
• Include in your RFP that the vendor must restore the SCADA system from backup media prior to going online.
*Please note that you must document the full restoration of the SCADA in order to provide book‐ending evidence.
Reference: R5. Testing Backup Media
CIP‐009
Request tools and procedures to address Disaster Recovery on a per CCA basis…
Best Practices for SCADA System Implementation
• How to test the new SCADA System:
– If controlling
– Test one substation at a time.
– Avoid Substations deemed Critical Assets.
– Avoid testing on 500 and 300 kV sites (CIP Version 4).
– Establish well documented test procedures.
CIP‐002
• Once a new SCADA system has the ability to control the Bulk Electrical System, all of the Critical Cyber Assets (CCAs) associated with the new system need to be declared and added to your existing CCA list.
Reference: R2. (V4) ‐ R3. (V3) Critical Cyber Asset Identification
CIP‐002
• Make your company’s Cyber Security Policy readily available to all vendor employees who will work on your system.
Reference: R1. Cyber Security Policy
CIP‐003
Do not forget to add your new Critical Cyber Assets to your CCA list …
• If possible, establish a new ESP for the new SCADA system. Doing so will allow you to:
– Conduct testing prior to going on‐line.
– Establish well documented firewall rules.
– Ensure that no new vulnerabilities are introduced to the current production environment.
– Implement newer network equipment with minimal interruption to the existing network.
Reference: R2. Electronic Access Controls
CIP‐005
Implementing a new ESP is the best path to take ……
Prior to the new ESP going live, you must perform a Cyber Vulnerability Assessment.
‐ Verify that the vendor has provided you a listing of the ports and services.
Reference: R4. Cyber Vulnerability Assessment (CVA)
Once the new ESP is established or the equipment has been added to the existing ESP, you must update the documentation to reflect the modification of the network or controls within ninety calendar days of the changes.
Reference: R5.2 Documentation
CIP‐005
Vulnerability Testing and documentation are a must prior to going online…..
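One way to carry out the "verify the vendor's listing of ports and services" step above, and the earlier baseline documentation item, is to diff the vendor's listing against what is actually listening inside the new ESP. This is an added example, not part of the original slides; the CSV layout, host names and observed entries are constructed assumptions.

```python
import csv
import io

# Constructed vendor listing: one row per documented listening port.
VENDOR_LISTING_CSV = """host,proto,port,service,justification
scada-fep1,tcp,20000,dnp3,RTU polling
scada-fep1,tcp,22,sshd,Administration from jump server
scada-hist1,tcp,1433,mssql,Historian database
scada-hist1,udp,161,snmpd,
"""

# Constructed observations, e.g. parsed from an authorized scan of the new ESP.
OBSERVED_LISTENERS = [
    ("scada-fep1", "tcp", 20000),
    ("scada-fep1", "tcp", 22),
    ("scada-fep1", "tcp", 80),
    ("scada-hist1", "tcp", 1433),
]


def load_listing(text):
    """Return {(host, proto, port): (service, justification)} from the CSV."""
    listing = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["host"].strip(), row["proto"].strip().lower(), int(row["port"]))
        listing[key] = (row["service"].strip(), row["justification"].strip())
    return listing


def compare(listing, observed):
    """Diff the documented listing against what is actually listening."""
    seen = {(h, p.lower(), int(n)) for h, p, n in observed}
    documented = set(listing)
    return {
        "undocumented": sorted(seen - documented),
        "documented_not_observed": sorted(documented - seen),
        "missing_justification": sorted(k for k, v in listing.items() if not v[1]),
    }


if __name__ == "__main__":
    findings = compare(load_listing(VENDOR_LISTING_CSV), OBSERVED_LISTENERS)
    for category, entries in findings.items():
        for host, proto, port in entries:
            print(f"{category}: {host} {proto}/{port}")
```

Undocumented listeners are candidates for removal or for an addition to the listing; documented entries that are not observed point to stale documentation that should be corrected before the assessment evidence is filed.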
Technical Feasibility Exceptions
Request the following Technical Feasibility Documentation:
‐ List of devices for which a TFE must be taken.
‐ Equipment vendor letters stating the specific requirement which cannot be met.
‐ Roadmap for eliminating all of these TFEs.
Reference: CIP‐005 and CIP‐007
Let's not forget those TFEs …
Best Practices for System Go‐Live
• Require the vendor to train their employees per your CIP program.
• Require the vendor to provide records of the training results.
• Contractual language to address liabilities for non‐compliance.
Reference: R2. Training
• Require the vendor to provide Personnel Risk Assessment for the following:
– Project Personnel.
– Maintenance and support personnel.
– Hardware OEM support personnel.
• Require the vendor to provide you records of the PRA results.
Reference: R3. Personnel Risk Assessment (PRA)
CIP‐004
Proper CIP personnel credentials for contractors and vendors are a must…
Verify that logging is being performed for all of the following security events:
‐ Failed access attempts.
‐ Successful access attempts.
‐ Anti‐virus and anti‐malware alerts.
*Develop a plan in order to test that the security events listed above are being properly logged once the system goes live.
Reference: R6. Security Status Monitoring
CIP‐007
Testing of the monitoring capabilities prior to going LIVE is essential….
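A go‐live logging test of the kind described above can be scored mechanically: after a test event of each type has been generated on each asset, check the central log for all three categories per asset. This is an added example, not part of the original slides; the asset names, log lines, line layout (timestamp, host, message) and the `AV-ALERT` tag are constructed assumptions, and the patterns would need to match your own log formats.

```python
import re

# Event categories from the slide; patterns are assumptions for this sample.
REQUIRED = {
    "failed_access": re.compile(r"Failed password|authentication failure", re.I),
    "successful_access": re.compile(r"Accepted (password|publickey)", re.I),
    "malware_alert": re.compile(r"\bAV-ALERT\b"),  # constructed alert tag
}

ASSETS = ["scada-fep1", "scada-hist1"]  # constructed asset names

# Constructed central-log extract: "<timestamp> <host> <message>".
SAMPLE_LOG = """\
2012-09-18T10:00:01 scada-fep1 sshd[411]: Failed password for operator from 10.1.1.5 port 50122 ssh2
2012-09-18T10:00:09 scada-fep1 sshd[411]: Accepted password for operator from 10.1.1.5 port 50122 ssh2
2012-09-18T10:01:30 scada-fep1 avagent: AV-ALERT test file detected and quarantined
2012-09-18T10:02:02 scada-hist1 sshd[230]: Accepted password for histadmin from 10.1.1.5 port 50140 ssh2
"""


def coverage(log_text, assets):
    """Return {asset: set of required categories seen in the log}."""
    seen = {asset: set() for asset in assets}
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or parts[1] not in seen:
            continue  # malformed line or host outside the asset list
        for name, pattern in REQUIRED.items():
            if pattern.search(parts[2]):
                seen[parts[1]].add(name)
    return seen


def gaps(log_text, assets):
    """Return {asset: missing categories} for assets with incomplete logging."""
    seen = coverage(log_text, assets)
    missing = {a: sorted(set(REQUIRED) - seen[a]) for a in assets}
    return {a: m for a, m in missing.items() if m}


if __name__ == "__main__":
    for asset, missing in gaps(SAMPLE_LOG, ASSETS).items():
        print(f"{asset}: no log evidence for {', '.join(missing)}")
```

An asset that appears in the result either did not have the test event generated or is not forwarding that event type to the central log; both need resolving before go‐live.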
Remote Access (Vendor and Employees)
• Two‐factor authentication for vendor access through the firewall.
• Secured VPN access.
• Logging of all vendor access.
• Layered security, possibly a jump server with two‐factor authentication.
CIP‐005
Utilizing strict security controls when allowing remote access once the system is live is a must …
Proper Steps for retirement of legacy SCADA systems
– When redeploying magnetic media, overwrite the media using DoD Standard.
– When disposing of media, you must physically destroy such media.
*Please note that you must overwrite or destroy the discarded media while it still resides within the PSP.
– You must create and maintain records of disposed and/or redeployed media.
Reference: R7. Disposal or Redeployment
CIP‐007
Following the proper sequence of events is essential….
Electronic Security Perimeter
• If a new ESP was created, retire the old ESP.
• Remove the ESP where the retired equipment resided from any drawings.
CIP‐005
Physical Security Perimeter
• If a new PSP was created, retire the old PSP.
• Remove the old PSP from the Physical Security Plan.
CIP‐006
Conclusions
Become partners with your selected vendor in sharing the CIP Security responsibilities.
Select a vendor which has embraced CIP Security and has a culture of exceeding the CIP Requirements.
Develop test plans for Security Testing controls during the implementation of your new SCADA system.
Once the system goes live, ensure that all of the vendor personnel working on your system have the proper CIP credentials.
Proper disposal of your discarded system is essential.
Key Cyber Security Considerations – Questions?