Structure NERC CIP Considerations when Procuring and … CIP Considerations... · 2012-09-18 ·...

©2012 Copyright. Confidential and proprietary to The Structure Group, LLC.

NERC CIP Considerations when Procuring and Implementing SCADA Systems

1

September 18, 2012

EMS Users Conference


Introductions

Mario MarchelliDirector, Energy Management & Control Systems Practice Lead(832) 563‐[email protected]

Gilbert PerezManager, EMCS Practice(786) 879‐[email protected]

2


Agenda

•Best practices for SCADA procurement•Best practices for SCADA implementation•Best practices for SCADA Go‐Live•Proper steps for retirement of legacy SCADA•Conclusions

3


Best Practices for SCADA System Procurement

4

• Correctly communicate corporate standards for Electronic Security Perimeters (ESP’s) to your vendor.

‐ Specify the location of the Production Assets.‐ Specify the location of the Development Assets.‐ Specify the location of the Training (DTS) Assets.‐ Specify the location of the read only servers and the remote access to them.

Reference: R1. Electronic Security Perimeter

CIP‐005

Work with your vendor in order to drive your desired ESP Design …



5

Request the following security enhancements:‐ Secured DNP3.‐ Secured ICCP.‐ “Service DMZ” which will house the printers and other non‐essential devices.

Reference: R2. Electronic Access Controls

CIP‐005

Tighter Security will continue to be imposed on the industry, plan for the future today …



6

• Testing / QA environment‐ Specify the location of the QA Assets.

• Vendor provided tools for testing

• Vendor services for testing

Reference :R1. Test Procedures

CIP‐007

CIP‐007 R1 is the most highly violated of all the CIP Standards. Request tools which will help you achieve compliance…



7

• Documentation of your baseline software, ports and services.

• Removing any non‐essential software, ports and services prior to delivery of the SCADA system.

Reference: R2. Ports and Services

CIP‐007

Hardening of systems is a must, auditors love to dwell on ports and services ….



8

• Testing and validation of the patches for security controls not just functionality.

Reference: R3. Security Patch Management

CIP‐007

Share the responsibility of keeping your system up to date with your vendor ….



9

• Disable guest accounts.• Implement password complexity and age requirements.• Limit the use of administrator accounts.• Implement the principle of least privilege.

Reference: R5. Account Management

CIP‐007

Shared Accounts are headache , place the burden on your vendor…



10

• Implement the usage of centralized logging.

• Implement the usage of Host Based Intrusion Detection System(HIDS)/Intrusion Detection System(IDS).

Reference: R6. Security Status Monitoring

CIP‐007



11

• Implement logging tools which allows tracking of generic usernames.

‐ Track the user utilizing the generic username.

‐ Track the date and time which the generic username was utilized.

‐ Track the actions which were taken.

Reference: R5. Account Management

CIP‐007

Shared Accounts are headache, request tools for managing these accounts on your vendor.



12

Who will conduct the assessment?‐ Vendor ‐ In‐house ‐ Third party

• Decide:‐ Timing of assessment.‐ Responsible party

Reference: R8. Cyber Vulnerability Assessment

CIP‐007

Decide who performs your vulnerability assessment prior issuing the RFP …



13

• Virtualization:‐ CIP and Non‐CIP

• Storage Area Networks:‐ CIP and Non‐CIP.‐ IP connections.

Reference: System Design (CIP‐005 and CIP‐007)

CIP‐007

Other issues to consider prior issuing the RFP …



14

• Consider a vendor‐provided backup solution.

Reference: R4. Backup and Restore

• Include in your RFP that the vendor must restore the SCADA system from backup media prior to going online. *Please note that you must documented the full restoration of the SCADA in order to provide book‐ending evidence.

Reference: R5. Testing Backup Media

CIP‐009

Request tools and procedures to address Disaster Recovery on a per CCA basis…


Agenda


15


Best Practices for SCADA System Implementation

16

• How to test the new SCADA System:– If controlling

– Test one substation at a time.– Avoid Substations deemed Critical Assets

– Avoid testing on 500 and 300 KV sites(CIP Version 4)

– Establish well documented test procedures.

CIP‐002



•Once a new SCADA system has the ability to control the Bulk Electrical System, all of the Critical Cyber Assets (CCA’s) associated with the new system need to be declared and added to your existing CCA list.

Reference: R2. (V4) ‐ R3. (V3) Critical Cyber Asset Identification

•Make your company’s Cyber Security Policy readily available to all vendor employees who will work on your system.

Reference: R1. Cyber Security Policy

17

CIP‐002

Do not forget to add your new critical Cyber Assets to your CCA list …

CIP‐003



18

• If possible, establish a new ESP for the new SCADA system. Doing so will allow you to:

–Conduct testing prior to going on‐line.–Establish well documented firewall rules.–Insure that no new vulnerabilities are introduced to the current production environment.

–Allows for the implementation of newer network equipment with minimal interruption to the existing network.

Reference:R2. Electronic Access Controls

CIP‐005

Implementing a new ESP is the best path to take ……



19

Prior to the new ESP going live, you must perform a Cyber Vulnerability Assessment.‐ Verify that the vendor has provide you a listing of the ports

and services. Reference: R4. Cyber Vulnerability Assessment (CVA)

Once the new ESP is established or the equipment has been added to the existing ESP, you must update the documentation to reflect the modification of the network or controls within ninety calendar days of the changes. Reference: R5.2 Documentation

CIP‐005

Vulnerability Testing and documentation are a must prior to going online…..

©2012 Copyright. Confidential and proprietary to The Structure Group, LLC. 20

Technical Feasibility ExceptionsRequest the following Technical Feasibility Documentation:

‐ List of devices for which a TFE must be taken.

‐ Equipment vendor letters stating the specific requirement which cannot be met.

‐ Roadmap for eliminating all of these TFE’s

Reference: CIP‐005 and CIP‐007


Lets not forget those TFE’s …


Agenda


21


Best Practices for System Go‐Live

22

• Require the vendor to train their employees per your CIP program.• Require the vendor to provide records of the training results.• Contractual language to address liabilities for non‐compliance.

Reference: R2. Training

• Require the vendor to provide Personnel Risk Assessment for the following:– Project Personnel– Maintenance and support personnel.– Hardware OEM support personnel.

• Require the vendor to provide you records of the PRA results.Reference: R3. Personnel Risk Assessment (PRA)

CIP‐004

Proper CIP Personnel credentials for Contractors and Vendors is a must….



23

Verify that logging is being performed for all of the following security events:

‐ Failed access attempts.

‐ Successful access attempts.

‐ Anti‐virus and anti‐malware alerts.*Develop a plan in order to test that the security events listed above are being properly logged once the system goes live.

Reference: R6. Security Status Monitoring

CIP‐007

Testing of the monitoring capabilities prior to going LIVE is essential….



24

Remote Access (Vendor and Employees)

• Two factor authentication for vendor access thru the firewall.

• Secured VPN access.• Logging of all vendor access. • Layered security, possibly a jump server with two factor

authentication.

CIP‐005

Utilize strict security controls when allowing remote access once the system is live is a must …


Agenda


25


Proper Steps for retirement of legacy SCADA systems

26

– When redeploying magnetic media, overwrite the media using DoD Standard.

– When disposing of media, you must physically destroy such media*Please note that you must overwrite or destroy the discarded media while it still resides within the PSP.

– You must created and maintained records of disposed and/or redeployed media.

Reference: R7. Disposal or Redeployment

CIP‐007

Following the proper sequence of events is essential….


Proper Steps for retirement of legacy SCADA systems

Electronic Security Perimeter• If a new ESP was created, retire the old ESP.

• Remove the ESP where the retired equipment resided from any drawings.

Physical Security Perimeter• If a new PSP was created, retire the old PSP.

• Remove the old PSP from the Physical Security Plan.

27

CIP‐005

CIP‐006


Agenda


28


Conclusions

Become partners with your selected vendor in sharing the CIP Security responsibilities.

Select a vendor which has embraced CIP Security and has a culture of exceeding the CIP Requirements.

Develop test plans for Security Testing controls during the implementation of your new SCADA system.

Once the system goes live, insure that all of the vendor personnel working on your system have the proper CIP credentials.

Proper disposal of your discarded system is essential.

29


Key Cyber Security Considerations – Questions?

30

Structure NERC CIP Considerations when Procuring and … CIP Considerations... · 2012-09-18 ·...

Documents

Transcript of Structure NERC CIP Considerations when Procuring and … CIP Considerations... · 2012-09-18 ·...