THE NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION STANDARDS FOR CRITICAL INFRASTRUCTURE PROTECTION (NERC-CIP) WHITE PAPER



SecureAuth Tel: +1 949-777-6959 www.secureauth.com

White Paper NERC for CIP

TABLE OF CONTENTS

What is NERC CIP?

What is SCADA?

The SecureAuth Authentication System

Adaptive (risk-based) Authentication

Additional Adaptive Authentication with SecureAuth Threat Service

SecureAuth Authentication’s NERC CIP Compliance Checklist*

Summary


Introduction

The North American Electric Reliability Corporation (NERC) maintains standards for Critical Infrastructure Protection (CIP) covering security requirements, with the main goal of improving the security of all North American power systems. In this white paper you will learn how to comply with NERC CIP using SecureAuth IdP’s unique strong authentication capabilities, including adaptive (risk-based) authentication.


What is NERC CIP?

The North American Electric Reliability Corporation (NERC) maintains the various cybersecurity standards for Critical Infrastructure Protection (CIP). The CIP program consists of 9 standards and 45 requirements, covering security requirements that range from perimeter protection, cyber asset controls, end-to-end accountability and reliability, and training to security management and disaster recovery. Its main goal is to improve the security of all North American power systems.

Under NERC CIP, organizations are required to identify critical assets and to regularly perform risk analysis of those assets. They must define policies for monitoring and changing the configuration of assets, as well as policies governing access to those assets. In addition, NERC CIP requires the use of firewalls to block vulnerable ports and the implementation of cyber-attack monitoring.

Further, organizations are required to enforce controls protecting access to critical cyber assets, to deploy systems for monitoring security events, and to have comprehensive contingency plans. With CIP version 3, only general BES (bulk electric systems) facilities were required to comply with these standards, yet as version 5 comes into place April 2016, and version 6 in 2017, all tiered classifications for BES facilities are required to comply.

What is SCADA?

Supervisory control and data acquisition (SCADA) is a system that operates with coded signals over communication channels to provide control of remote equipment (typically one communication channel per remote station). The control system is typically connected to various data tools that gather and analyze activity records. SCADA is a type of industrial control system (ICS) consisting of Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs), the “brains” of the various processes, and the Human Machine Interface (HMI), which is usually linked to a database. SCADA systems have historically distinguished themselves from other ICS systems by the sheer number of large-scale processes involved, which can include multiple sites across various distances and encompass industrial, infrastructure, and facility-based processes. While most believe SCADA is safe, SCADA systems today are in fact networked, meaning that unauthorized access, even via a simple command prompt, to the main HMI or to any of the networked units could potentially compromise the whole environment.


The SecureAuth Authentication System

SecureAuth solves the problems of cyber security controls, monitoring, adaptive enforcement and authentication. The end result is a multifactor, adaptive solution that:

+ Requires Limited or no Software
+ Requires No Hard Tokens to Carry
+ Enables Geo-Location via IP and/or Country controls
+ Enables Geo-Velocity controls (Historical analysis of authentication access and geo-location)
+ Allows IP white-listing/black-listing controls
+ Checks the reputation of the IP address of the user’s machine against the SecureAuth Threat Service, a combination of multiple industry leading sources of threat intelligence and threat information
+ Uses Behavioral Biometrics – unique keystroke dynamics on varying devices
+ Performs multiple phone number related fraud checks, including preventing attackers from spamming and guessing one-time passcodes, blocking recently ported phone numbers, blocking global carrier networks, and blocking certain classes of phones (e.g. virtual, mobile, landline, toll-free, etc.)
+ Works from Any Browser on Any Site (Home, Office, Internet Café, etc.)
+ Costs a Fraction of the cost of Tokens

The result is a more secure interface that meets government compliance, offers an easy-to-use experience, and limits any disruption of processes without breaking the IT budget.

Adaptive (risk-based) Authentication

Utilizing various workflow options and integration points, SecureAuth provides adaptive and multi-factor authentication in one solution. For example, in Use Case A, an engineer onsite needs to log into one of the SCADA units; as their IP address shows they are onsite in HQ, authentication could potentially be allowed with user name and password. In Use Case B, a staff member needs to connect to the same SCADA unit but is on the other side of the country, connecting remotely; because the staff member is logging in from a new location, we can require a multi-factor authentication method before proceeding. Group membership along with IP/location can easily be utilized in defining the adaptive authentication a user experiences and the security controls applied when accessing SCADA and/or NERC CIP’ed systems.

Let’s say the engineer from Use Case A has rights to all the SCADA units and the staff member from Use Case B does not. The staff member happens to be asked to look into one of the PLCs. They don’t have access, but they do know the engineer from Use Case A, so they ask to “borrow” the engineer’s credentials to log in. With SecureAuth’s geo-velocity solution, the staff member’s attempt to authenticate with the engineer’s credentials will be subject to the Allow, Deny, Step-up, Step-down, or Redirect options, meaning that the system can detect IP address changes and adaptively address authentication.
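The decision logic behind Use Cases A and B and the borrowed-credentials scenario, expressed as code. This is an added example, not SecureAuth's code or configuration: the thresholds, site labels, coordinates and function names are assumptions, the logins are constructed, and it covers the Allow, Step-up and Deny outcomes.

```python
import math
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Assumed policy values for this illustration; not SecureAuth settings.
TRUSTED_SITES = {"HQ"}     # sites where user name and password suffice
MAX_SPEED_KMH = 900.0      # implied travel faster than this is implausible
MIN_MOVE_KM = 50.0         # ignore small shifts caused by IP geolocation error

@dataclass
class Login:
    user: str
    when: datetime
    lat: float
    lon: float
    site: str              # label resolved from the source IP

def distance_km(a: Login, b: Login) -> float:
    """Great-circle (haversine) distance between two login locations."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlat, dlon = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def decide(current: Login, previous: Optional[Login] = None) -> str:
    """Return 'allow', 'step-up' or 'deny' for one login attempt."""
    if previous is not None:
        km = distance_km(previous, current)
        hours = (current.when - previous.when).total_seconds() / 3600
        # Geo-velocity: one account cannot be in two distant places at once.
        if km > MIN_MOVE_KM and (hours <= 0 or km / hours > MAX_SPEED_KMH):
            return "deny"
    if current.site in TRUSTED_SITES:
        return "allow"      # Use Case A: known onsite location
    return "step-up"        # Use Case B: new or remote location needs MFA

def demo() -> list:
    """Constructed logins: HQ and a remote city roughly 3,900 km away."""
    t0 = datetime(2020, 6, 1, 9, 0)
    eng_hq = Login("engineer", t0, 33.68, -117.83, "HQ")
    staff = Login("staff", t0, 40.71, -74.01, "remote")
    borrowed = Login("engineer", datetime(2020, 6, 1, 9, 20), 40.71, -74.01, "remote")
    next_day = Login("engineer", datetime(2020, 6, 2, 9, 0), 40.71, -74.01, "remote")
    return [decide(eng_hq), decide(staff),
            decide(borrowed, eng_hq), decide(next_day, eng_hq)]
```

The third result is the borrowed-credentials case: the engineer's account appears across the country 20 minutes after an HQ login, so the attempt is denied, while the same remote login a day later only triggers step-up.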


Additional Adaptive Authentication with SecureAuth Threat Service

The SecureAuth Threat Service provides highly enriched and actionable threat intelligence that enhances SecureAuth IdP’s adaptive authentication. We combine threat intelligence and threat information from leading industry sources and open source providers that are continually updated in real time. With the ability to analyze the IP address of where the user is authenticating from, and all other layers of risk via adaptive authentication, SecureAuth can help detect and protect against cyber-threats before harm can be done.

We help identify and stop bad actors who attempt to log in externally, as well as bad actors who are inside and moving laterally in your network, even if they have valid credentials. We can easily integrate with your existing infrastructure in hours, not weeks or months, and we maintain a smooth user experience by requiring multi-factor authentication only when risk factors are present.

SecureAuth Authentication’s NERC CIP Compliance Checklist*

NERC CIP Requirements | Feature | SecureAuth Authentication | Benefit
----------------------|---------|---------------------------|--------
CIP-003-3 R5 & D1.4 (Security Management Controls) | Access control flexibility with auditing | X | Sustainable access security controls with SIEM auditing
CIP-005-5 R2-Part 2.3 | Access controls with Risk Analysis | X | Advanced Risk Analysis at the perimeter along with SIEM integration, dashboards and reporting
CIP-005-3a R2.4 (Electronic Security Perimeter(s)) | Access controls with Risk Analysis | X | Risk Analysis at the perimeter along with SIEM integration and reporting
CIP-007-5 R4-Part 4.1, 4.3, R5-Part 5.1, 5.5, 5.6 | 25+ Authentication Methods along with Identity Management Options | X | By specifying security system requirements, the multitude of authentication options limit any compromise
CIP-007-3a R5.3 & R6 (Systems Security Management) | 20+ Authentication Methods with system logging & SIEM options | X | Security controls ranging from X.509v3 to RADIUS to SAML with logging
CIP-011-1 Part 1.2 (Information Protection) | SecureAuth Adaptive Strong Authentication with SecureAuth Threat Service | X | Preventing unauthorized access and secure information handling

*NOTE: All of the SecureAuth features and benefits listed above are also available for SCADA environments.

Future-Proofing:


SecureAuth provides deployable and scalable solutions to meet both the security requirements of today and tomorrow along with the granularity needed for ever-changing regulations, processes, and controls.

Summary

SCADA operators and organizations under CIP encounter various cyber-attacks and cyberterrorism, and as this threat grows, the necessary security processes and controls can become cumbersome to the point of disrupting critical systems. Solutions that provide external and internal security controls without limiting or disrupting systems, processes, and controls are what is truly needed in today’s world.

SecureAuth IdP delivers a solution to these Centralized Systems and Organizations.


©2018 SecureAuth Corporation. All Rights Reserved. www.secureauth.com SecureAuth™ IdP is a trademark of SecureAuth Corporation in the United States and/or other countries.