A Tactical Approach to Continuous
Compliance
Walt Sikora, Vice President Security Solutions
EMMOS 2013
9/24/2013 2
Abstract
NERC has moved quickly to address shortcomings and lack of
clarity in previous versions of CIP standards. While this was a
positive move, overall, it also presents some unique challenges
for Asset Owners.
This presentation will briefly cover changes and challenges
presented with NERC CIPv5 adoption and deliver tactical steps
that Asset Owners can take to fulfill requirements and achieve
continuous compliance when addressing CIP-010-5 “Cyber
Security – Configuration Management and Vulnerability
Assessment”.
Industrial Defender at a Glance
Industrial Defender ranked #1 two years in a row by independent analysts
• Security and compliance since 2002
• Exclusively focused on OT
• Pioneering automation systems management: security, compliance and change management for ICS
• Turnkey technology and service solution
• Multiple applications, one platform
• Vendor agnostic
• Purpose built
10,000+ technology deployments
400+ customers
25+ countries
NERC CIP v4 v. NERC CIP v5
• Requirements: Version 4 has 42 requirements with 113 parts; Version 5 has 37 requirements with 148 parts
• Context: Version 4 provides no contextual information; Version 5 includes background, rationale, and Guidelines and Technical Basis
• Measures: Version 4 has measures on the high-level requirement only; Version 5 has measures for each requirement, including parts
• Technical Feasibility Exceptions: Version 4 has 14 requirements with TFE-triggering language; Version 5 has 12
• Periodic terms: Version 4 has undefined periodic terms; Version 5 has clear periodic requirements, with initial requirements in the Implementation Plan
• Violation Severity Levels: Version 4 has many binary VSLs; Version 5 has more gradated VSLs
Source: http://www.nerc.com/docs/standards/sar/Webinar_Slides-Project_2008-06-April_10,_2012.pdf
Implications of the Changes
• Fewer requirements, more parts → more clarity, more coverage
• Increased context, background, rationale → more clarity
• Measures for each requirement and part → more clarity, more examples
• Less potential for TFEs → more mitigation, workarounds, or additional solution(s)
• Clearly defined periodic terms → more clarity, less room for periodic errors
• More gradated VSLs → more flexibility
“Entities are not required to self-report deficiencies if they are identifying, assessing and correcting them”
High, Medium, and Low Impact
• CIP-002-5 Attachment 1
– Impact Rating Criteria
– Rates BES Cyber Systems by:
• High Impact Rating (H)
• Medium Impact Rating (M)
• Low Impact Rating (L)
– Criteria listed for each rating level
– Rating level will determine which requirements/sub-requirements a BES
Cyber System owner will have to meet
– Rating level(s) are associated with each requirement
Strategic Goals for complying with CIP-010-5
• High-level strategy
– Continuous compliance
– Reduce overhead
– Improved resource allocation
• How do you get there?
– Are you there yet?
What we now know…
• Automation Systems becoming more complex
o Mix of legacy and next generation architectures
o Heterogeneous Systems
o Exponential Increase in intelligent devices
o Unclear responsibility/ownership
• Need for increased security
• Lots of technologies that can help
• Remember: No silver bullets!
• Managing change introduces additional business
process requirements and labor allocation
• Fewer Resources / increasing skill set gaps
Balancing Operational Requirements with Security, Compliance, Change Management requirements
Priorities & Objectives: maintain reliability & performance standards; ensure profitability; report on activities
Change Management
Question: Do you anticipate growth in intelligent devices over the next 3-5 years? How will you manage: Patching? Firmware Updates? Configurations? User Access?
Device classes shown: hardened networking devices; servers (PCS, SCADA, …); HMI stations; firewalls; workstations; IEDs, sensors, controllers; PLCs
Quick Review of CIP-010-5 – Configuration Management
• R1 – Configuration Change Management
– R1.1 – Baseline configuration for:
• OS
• Commercial or Open-source Application(s)
• Custom software
• Logical network accessible ports
• Security Patches
– R1.2 – Authorize and document changes that deviate from the existing
baseline configuration
– R1.3 – For deviations, update baselines and documentation required by
CIP-007 and CIP-005 as necessary within 30 calendar days
– R1.4 – For changes that deviate
• R1.4.1 – Determine potentially impacted cyber security controls prior to change
• R1.4.2 – After change, verify controls are not adversely affected
• R1.4.3 – Document results of verification
Do you have more than one control system to worry about?
Vendors shown: ABB, Siemens*, Emerson*
*Some vendors may supply security solutions for only their system
How many tools do you need to manage your EMS?
Management areas shown: ticketing management, change management, event management, patch management, user management, asset management, network management, IED configuration management
Functions shown: change ticketing; source code development; email/web events; DPI; root cause analysis; patch application; ticketing workflows; ticketing approvals; access management; GIS; maintenance; work orders; network visualization; operational algorithms; configuration; change initiation; pre/post change; config/policy exceptions; change documentation; ICS collectors; logic rules; event correlation; documentation; tasks; patch monitoring; patch baseline; patch exception; user baselines; user activity; reporting; device inventory; configuration backups; security logging; change monitoring
What Industrial Defender’s ASM Covers
The current approach to security, compliance and change management typically takes at least 10 screens.
Products shown: Cryptzone SE46, Tripwire, McAfee, WizNucleus, Lumension, Trigeo SEM, eEye Retina, Industrial Defender, SonicWall
With the Automation Systems Manager organizations can:
• Secure vulnerabilities from malicious attacks and human error.
• Implement regulatory compliance measures and efficiently process reporting requirements from a centralized dashboard.
• Manage change across a growing, heterogeneous and complex automation environment.
Automation Systems Management Architecture
Figure: automation systems (DCS, SCADA, PLC, RTU, PCS, controllers) and the Automation Systems Manager (ASM) application capabilities: Configuration Change Management, Policy Management, Reporting, Event Management, Asset Management
Software Applications essential to Security, Compliance and Change Management
Asset Management: A single unified view of all assets within the automation system’s environment. Enables onboarding and decommissioning of assets, reports device status, information access and state information.
Event Management: Brings visibility to control system and networks by providing event log data. Receives and consolidates events from multiple security sources, centralizes operations and reduces expenses.
Configuration Change Management: Enables operators to track and audit device settings, software, firewall rules and user accounts and view and baseline the system configurations, ports & services, and software.
Policy Management: Enables operators to communicate new policies, track acceptance and manage conformance.
Reporting: A comprehensive suite of standard configurable reports to meet regulatory requirements and simplify adherence to internal requirements. Enables users to define, generate and automate reports as needed.
Configuration Management – 2 Approaches
Passive
• Always watching
• Never changing production
• “Oh, we see a change. Is it ok? Click ‘Yes’ or ‘No’”
• Baseline gets updated after the fact if ‘Yes’
• Production asset gets manually reverted if ‘No’
Active
• Always watching
• Never changing production
• “Oh, we see a change. Revert that change back to the approved configuration automatically.”
• No permanent changes to production until approved configuration change
• Baseline gets updated to enable change
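To make the two approaches concrete, and to tie them back to the CIP-010-5 R1 quick review above, here is an added Python example that is not Industrial Defender's, NERC's, or the presenter's code. It models one asset's R1.1 baseline (OS, applications, custom software, logical ports, security patches), detects deviations between the approved baseline and what a collector observes, and reconciles them either passively (each deviation gets a yes/no decision; on 'yes' the baseline is updated after the fact, on 'no' the deviation stays open for a manual revert) or actively (every deviation becomes a revert action back to the approved baseline, so a legitimate change must update the baseline first). The asset name, element values, the approval policy and the R1.3 30-calendar-day documentation deadline calculation are assumptions and constructed sample data.

```python
"""Baseline-drift check over the CIP-010-5 R1.1 baseline elements, with passive
and active reconciliation. Added example; all sample data below is constructed."""
import copy
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Set, Tuple

SAMPLE_DATE = date(2013, 9, 24)  # constructed "today" for the sample run


@dataclass
class Baseline:
    """One cyber asset's approved baseline (the R1.1 elements)."""
    asset: str
    os: str                    # operating system / firmware
    applications: Set[str]     # commercial or open-source applications
    custom_software: Set[str]  # custom software
    ports: Set[str]            # logical network-accessible ports, e.g. "tcp/502"
    patches: Set[str]          # applied security patches


@dataclass
class Deviation:
    element: str
    added: Set[str]            # present in production, absent from baseline
    removed: Set[str]          # in baseline, missing from production
    detected_on: date

    @property
    def doc_update_due(self) -> date:
        # R1.3: baseline and related documentation updated within 30 calendar days
        return self.detected_on + timedelta(days=30)


SET_ELEMENTS = ("applications", "custom_software", "ports", "patches")


def detect_deviations(baseline: Baseline, observed: Baseline, today: date) -> List[Deviation]:
    """Compare what is running (observed) against the approved baseline."""
    found: List[Deviation] = []
    if observed.os != baseline.os:
        found.append(Deviation("os", {observed.os}, {baseline.os}, today))
    for element in SET_ELEMENTS:
        approved, running = getattr(baseline, element), getattr(observed, element)
        added, removed = running - approved, approved - running
        if added or removed:
            found.append(Deviation(element, added, removed, today))
    return found


def passive_reconcile(baseline: Baseline, observed: Baseline, today: date,
                      approve: Callable[[Deviation], bool]) -> Tuple[Baseline, List[Deviation]]:
    """Passive mode: production is never touched. 'Yes' updates the baseline
    element after the fact; 'No' leaves the deviation open for manual revert."""
    updated = copy.deepcopy(baseline)  # the caller's baseline is left untouched
    still_open: List[Deviation] = []
    for dev in detect_deviations(baseline, observed, today):
        if approve(dev):
            setattr(updated, dev.element, copy.deepcopy(getattr(observed, dev.element)))
        else:
            still_open.append(dev)
    return updated, still_open


# (verb for an unapproved addition, verb for an unapproved removal)
REVERT_VERBS: Dict[str, Tuple[str, str]] = {
    "applications": ("uninstall", "reinstall"),
    "custom_software": ("remove", "restore"),
    "ports": ("close", "reopen"),
    "patches": ("remove", "reapply"),
}


def active_reconcile(baseline: Baseline, observed: Baseline, today: date) -> List[str]:
    """Active mode: the approved baseline is authoritative and every deviation
    becomes a revert action. Legitimate change is made by updating the
    baseline first, after which the same observed state raises nothing."""
    actions: List[str] = []
    for dev in detect_deviations(baseline, observed, today):
        if dev.element == "os":
            actions.append(f"{baseline.asset}: restore OS '{baseline.os}'")
            continue
        undo, redo = REVERT_VERBS[dev.element]
        actions += [f"{baseline.asset}: {undo} {dev.element} '{i}'" for i in sorted(dev.added)]
        actions += [f"{baseline.asset}: {redo} {dev.element} '{i}'" for i in sorted(dev.removed)]
    return actions


def sample_baseline() -> Baseline:
    # Constructed sample: approved baseline for a hypothetical RTU gateway
    return Baseline("rtu-gw-01", "Windows Server 2008 R2", {"HistorianClient 4.2"},
                    {"telemetry-agent 1.0"}, {"tcp/502", "tcp/20000"}, {"KB-SAMPLE-1"})


def sample_observed() -> Baseline:
    # Constructed sample: what a collector reports today (three deviations)
    return Baseline("rtu-gw-01", "Windows Server 2008 R2",
                    {"HistorianClient 4.2", "RemoteTool 2.0"}, {"telemetry-agent 1.0"},
                    {"tcp/502", "tcp/20000", "tcp/3389"}, {"KB-SAMPLE-1", "KB-SAMPLE-2"})


if __name__ == "__main__":
    base, seen = sample_baseline(), sample_observed()
    # Passive run with a sample policy that approves new security patches only
    new_base, open_devs = passive_reconcile(base, seen, SAMPLE_DATE, lambda d: d.element == "patches")
    for dev in open_devs:
        print(f"open: {dev.element} added={sorted(dev.added)} docs due {dev.doc_update_due}")
    print("baseline patches after approval:", sorted(new_base.patches))
    # Active run: revert actions for the same observation against the original baseline
    for action in active_reconcile(base, seen, SAMPLE_DATE):
        print("revert:", action)
```

The `approve` callback is where the "Click 'Yes' or 'No'" step of the passive approach lives; in practice it would be an operator decision recorded with the R1.2 authorization, not a lambda. Note that in the active style the approved-patch case still produces a revert action until the baseline itself is updated, which is exactly the "baseline gets updated to enable change" ordering the slide describes.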
Product screenshots (slides 18–26):
Situational awareness
Central asset information
Which ports are used?
Device ports and services configuration details
Software inventory
Patches installed
Cyber Asset Details
Security Event Monitoring
Compliance reporting
Experience across many automation environments
• Security performance monitoring
o ABB 800xA, Symphony/Harmony, Infi90, Network Manager, FACTS, SYS600C and MicroSCADA
o Automsoft RAPID Historian
o Emerson DeltaV and Emerson Ovation
o Emerson/Westinghouse WDPF
o GE XA/21
o GE PowerOn Fusion
o Foxboro I/A Series
o Honeywell Experion
o Itron OpenWay System
o Rockwell RSView
o Schneider/Telvent Oasys, Citect, Momentum, Quantum
o Siemens PCS7
o Yokogawa CENTUM CS 3000
• Operating systems
o Windows 7
o Win 2k, 2k3, 2k8 R2, XP, WinNT
o HP-UX PA-RISC & Itanium
o Linux
o DEC Tru-64
o Sun Solaris
o IBM AIX
• Industrial rules
o DNP3
o Modbus
o ICCP
o IEC 61850
o TCP/IP
Supervise™ Services
• Event Monitoring
• Configuration Baseline Monitoring
• Move, Add, Change Management
Sustain™ Services
• Firmware/Patch Updates
• Performance/Alert Tuning
• Re-Baselining Software, Patches, Ports & Services
Survive™ Services
• Backup
• Restoration
• Disaster Recovery
Figure: Automation Systems Manager (ASM) application capabilities (Configuration Change Management, Policy Management, Reporting, Event Management, Asset Management) over automation systems end-points (clients, servers, perimeter devices, network devices; optional agent)
It’s a program, not a project
Industrial Defender
Your Solution for Automation Systems Management
Meet the Challenges
Deeply integrated with a number of EMS vendors to ensure performance & reliability
Tackle increasing security, compliance and change management challenges despite resource constraints.
Simplify and scale with a complete turnkey solution:
• Address resource and expertise challenges with a single view, vendor agnostic platform.
• Enable IT and OT to work together via a purpose built solution.
• Reduce overall TCO with a unified approach.
Sustain your automation environment as a program – not a project!
Challenges
• Rapidly changing technologies
• Evolving security threats, both internal & external
• Lack of expertise
Choosing Solutions
• Purpose built for control systems
• Eliminate manual work
• Report on activities
• Compatible with all your systems
Web
www.industrialdefender.com
Blog
blog.industrialdefender.com
@i_defender