Shedding Light on Smart Grid & Cyber Security
DESCRIPTION
If the bulk electric system (BES) in North America suffered a cyber attack, the consequences could be serious: cities and entire states could suffer blackouts, commerce could come to a standstill, and the door could be opened for looting and even terrorist attacks. Realizing these consequences, the energy industry pressured the North American Electric Reliability Corporation (NERC) to take a long, hard look at why the Critical Infrastructure Protection (CIP) standards have not been protecting the BES as intended. To address these shortcomings and today's changing IT environment and threats, NERC proposed additional CIP standards, CIP-010 and CIP-011.
TRANSCRIPT
Shedding Light on Smart Grid & Cyber Security
Paul Reymann, CEO, ReymannGroup, Inc.
James Stanton, Senior Energy Consultant, ReymannGroup, Inc.
Cindy Valladares, Compliance Solutions Manager, Tripwire, Inc.
August 25, 2010
IT SECURITY & COMPLIANCE AUTOMATION
Today’s Speakers
Paul Reymann, CEO, ReymannGroup, Inc.
James Stanton, Senior Energy Consultant, ReymannGroup, Inc.
Cindy Valladares, Compliance Solutions Manager, Tripwire, Inc.
We will cover…
Energy Industry Inverted Security Model
Round 1 & 2 of CIP Audits
Next Practices for Security & Compliance
Visibility, Intelligence, and Automation are Key
Energy Drives America
High voltage systems are robust, dependable, & secure
Disruptions are possible
Significant disruptions are catastrophic
It is critical to our economy and national security
Cyber Security is a Priority!
Our work has also raised concerns about the increasing reliance on information technology and control systems, which are potentially vulnerable to cyber attack, including the systems used in the electricity sector.
General Accounting Office (GAO)
Foreign governments already have or are developing computer attack capabilities, and potential adversaries are developing a body of knowledge about U.S. systems and methods to attack these systems.
National Security Agency
A recently discovered worm called Stuxnet is affecting industry control systems worldwide, with over half of the infections occurring in the United States. The worm exploits a zero-day vulnerability present in unpatched Windows software, and is targeting supervisory control and data acquisition (SCADA) systems.
Kent Dahlgren, Tripwire
Intelligent situational awareness and cyber-security with the right automated solutions is paramount!
Congress Acted
FERC now has authority to enforce “mandatory” reliability standards.
FERC awarded NERC with responsibility to develop standards and monitor compliance.
Up to $1M fine per day for non-compliance
Criminal prosecution by DOJ
The Game is Changing
The challenge is no longer “if” you will have an information security & compliance program – it is a matter of “how.”
“The Commission expects companies to invest appropriate time and effort in the creation, monitoring, and growth of strong internal compliance programs.…”
FERC Policy Statement on Compliance (Docket No. PL09-1-000, at paragraph 10)
Energy’s Inverted Security Model
[Figure: layered diagram labelled, from outermost to innermost, Smart Grid, One Big Network, SCADA, Internal Applications, Cyber Asset; the layers are marked "Open to Cyber-Threats"]
Protective Measures are Needed
New CIP Standards
Self Certifications & Audits
Protect Electronic Access to Control Systems
Protect Critical Cyber Assets
Round 1
Initial Self-Assessments & Audits
Requests for Clarifications
Focused on Critical Cyber Assets Only
Round 2
CIP Version 4 in 4Q10
Consider potential effect on reliability, if compromised
Applies to all users of the Bulk Electric System
Even Low Impact Assets Have Risk!
Examples of Requirements Proposed for Low Impact BES Cyber Systems:
ID account types, e.g., individual, group, shared, guest, system, and admin.
ID use restrictions for wireless technologies
Document all communication paths that transmit or receive digital information external to each BES Cyber System.
Deny access by default and allow explicitly authorized communication.
Develop an inventory of its physical or virtual BES Cyber System Components (excluding software running on the component), including the physical location of each.
Authorize and document changes to the BES Cyber System that deviate from the existing inventory within 30 days of the change being completed.
Document:
• A process for classifying events as Cyber Security Incidents
• Roles and responsibilities of Cyber Security Incident response teams, Cyber Security Incident handling procedures, and communication plans.
• A Process for reporting Cyber Security Incidents to the Electricity Sector Information Sharing and Analysis Center (ES-ISAC) either directly or through an intermediary.
Review the incident response plan at least once every 12 months
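Two of the requirements above (deny by default against the documented communication paths, and authorize inventory deviations within 30 days) can be checked mechanically rather than by reading paperwork. The script below is an added example written for this page; it is not code from the webinar, from ReymannGroup or from Tripwire. The subnets, host names, flow records and change log are constructed for illustration, and the 30-day window is taken from the requirement text.

```python
"""Added example (not from the webinar slides): mechanical checks for two of the
Low Impact requirements listed above. All networks, hosts, flows and change
records below are constructed for illustration."""
import ipaddress
from datetime import date, timedelta

# Documented communication paths for one BES Cyber System (constructed):
# (source network, destination network, protocol, destination port).
ALLOWED_PATHS = [
    ("10.10.1.0/24", "10.10.2.10/32", "tcp", 502),  # HMI subnet -> PLC (Modbus/TCP)
    ("10.10.2.10/32", "10.10.3.5/32", "udp", 514),  # PLC -> syslog collector
    ("10.10.9.0/24", "10.10.1.0/24", "tcp", 22),    # jump hosts -> HMI subnet (SSH)
]

# Constructed flow records, e.g. from a perimeter firewall or NetFlow export:
# (source IP, destination IP, protocol, destination port).
OBSERVED_FLOWS = [
    ("10.10.1.23", "10.10.2.10", "tcp", 502),
    ("10.10.2.10", "10.10.3.5", "udp", 514),
    ("10.10.9.7", "10.10.1.23", "tcp", 22),
    ("10.10.1.23", "10.10.2.10", "tcp", 23),     # telnet to the PLC: undocumented
    ("192.168.50.4", "10.10.2.10", "tcp", 502),  # Modbus from a foreign source
]


def path_allowed(src, dst, proto, port, allowlist=ALLOWED_PATHS):
    """Default deny: permit a flow only if a documented path matches its source
    network, destination network, protocol and port. Anything else is a finding."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a_src, a_dst, a_proto, a_port in allowlist:
        if (s in ipaddress.ip_network(a_src) and d in ipaddress.ip_network(a_dst)
                and proto == a_proto and port == a_port):
            return True
    return False


def unauthorized_flows(flows=OBSERVED_FLOWS, allowlist=ALLOWED_PATHS):
    """Return every observed flow that no documented communication path covers."""
    return [f for f in flows if not path_allowed(*f, allowlist=allowlist)]


# Inventory change records (constructed): when a deviation from the documented
# inventory was completed, and when (if ever) it was authorized and documented.
AS_OF = date(2010, 8, 25)  # date of the webinar, used as "today"
CHANGE_LOG = [
    {"asset": "rtu-02", "change": "new RTU added at Substation B",
     "completed": date(2010, 6, 1), "authorized": date(2010, 6, 20)},
    {"asset": "hmi-01", "change": "moved from control room to Substation A",
     "completed": date(2010, 7, 1), "authorized": None},
    {"asset": "plc-01", "change": "CPU module replaced",
     "completed": date(2010, 8, 10), "authorized": None},
]


def overdue_changes(changes=CHANGE_LOG, today=AS_OF, window_days=30):
    """List assets whose inventory deviation was not authorized within
    window_days of completion: either still unauthorized past the deadline,
    or authorized after it."""
    late = []
    for c in changes:
        deadline = c["completed"] + timedelta(days=window_days)
        authorized = c["authorized"]
        if authorized is None and today > deadline:
            late.append(c["asset"])
        elif authorized is not None and authorized > deadline:
            late.append(c["asset"])
    return late


if __name__ == "__main__":
    for flow in unauthorized_flows():
        print("UNDOCUMENTED PATH:", flow)
    for asset in overdue_changes():
        print("INVENTORY CHANGE NOT AUTHORIZED WITHIN 30 DAYS:", asset)
```

Run as-is, the script flags the telnet session to the PLC and the Modbus connection from the foreign 192.168.50.0 source as undocumented paths, and flags hmi-01 as a deviation that passed its 30-day authorization deadline; plc-01 is still inside its window. The matching is exact on purpose: a flow that is "almost" on a documented path (right hosts, wrong port) is exactly the kind of thing a default-deny policy exists to catch.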
Next Practices for Security & Compliance
Perform a risk-based assessment – This will change!
Identify systems, services, devices, data, people of critical assets.
Categorize all assets (i.e., High, Medium, or Low Impact).
Control limited need to know access.
Validate security controls.
Document all steps & corrective actions.
Continuously manage and monitor.
Collect and retain data to identify & respond to security incidents
How do you get started?
Select the right technologies for:
• Change Control
• Log Management
• Security Event Monitoring
• Tracking & monitoring access to the network
Automate & centralize the CIP compliance process and technologies
Visibility Intelligence Automation
Tripwire Solutions
Tripwire Solutions for NERC
An integrated change auditing, configuration control and log management solution
A proven solution for continually monitoring the integrity of files and configurations in SCADA and other mission critical systems
A log management and SIEM solution to monitor and review logs and events of interest
A compliance solution that incorporates specific tests for NERC-CIP or DISA requirements on a number of different platforms:
• AIX PowerPC 5.3 systems
• HP-UX (PA-RISC) v11 systems
• Red Hat Linux
• Solaris SPARC
• SuSE Linux systems
• Windows 2003 servers
• Windows XP desktops
• Windows 2003 and Active Directory domain controllers
• Windows Server 2000
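The file and configuration integrity monitoring described above reduces to a baseline of cryptographic digests and permission bits, compared against later snapshots of the same tree. The following is an added example written for this page in plain Python; it is not Tripwire Enterprise code and does not show that product's format. The directory tree and the changes made to it are constructed inside a temporary directory so the example runs offline.

```python
"""Added example (not Tripwire code): a minimal file integrity monitor.
snapshot() records a SHA-256 digest and permission bits for every regular
file under a root; diff_snapshots() reports what was added, removed or
modified between two snapshots. demo() builds a constructed tree, baselines
it, applies the kind of changes an intruder or a careless admin makes, and
returns the resulting diff."""
import hashlib
import os
import pathlib
import stat
import tempfile


def snapshot(root):
    """Map each regular file (relative path) under root to (sha256, mode).
    Symlinks are skipped so a link cannot stand in for the file it points at."""
    root = pathlib.Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        mode = stat.S_IMODE(path.stat().st_mode)
        baseline[str(path.relative_to(root))] = (digest.hexdigest(), mode)
    return baseline


def diff_snapshots(old, new):
    """Compare two snapshots. A change in either content or permissions counts
    as a modification, so a setuid bit flipped on an unchanged binary is caught."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Constructed scenario: baseline a small SCADA-host-like tree, then
    weaken a config, drop a new binary, delete a file and set setuid."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "scada.conf").write_text("poll_interval=5\nallow_write=false\n")
        (root / "etc" / "hosts").write_text("10.10.2.10 plc-01\n")
        (root / "bin" / "hmi").write_bytes(b"\x7fELF constructed placeholder")

        baseline = snapshot(root)  # in practice: store this off-host or signed

        # Changes after the baseline was taken (constructed):
        (root / "etc" / "scada.conf").write_text("poll_interval=5\nallow_write=true\n")
        (root / "bin" / "dropper").write_bytes(b"MZ constructed placeholder")
        (root / "etc" / "hosts").unlink()
        os.chmod(root / "bin" / "hmi", 0o4755)  # content unchanged, permissions not

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind.upper():9} {p}")
```

The demo reports `bin/dropper` as added, `etc/hosts` as removed, and both `bin/hmi` (permission change only) and `etc/scada.conf` (content change) as modified. Two points matter in a real deployment that the example only hints at in a comment: the baseline has to live somewhere the monitored host cannot rewrite, or an intruder simply re-baselines after the change; and each reported change still has to be reconciled against an authorized change record, which is the change-control half of CIP-003 R6 that the hashing alone does not provide.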
Tripwire and Relevant CIPs
CIP-002: Critical Cyber Asset Identification
CIP-003: Security Management Controls
CIP-004: Personnel and Training
CIP-005: Electronic Security Perimeters
CIP-006: Physical Security of Critical Cyber Assets
CIP-007: Systems Security Management
CIP-008: Incident Reporting and Response Management
CIP-009: Recovery Plans for Critical Cyber Assets
Tripwire and Relevant CIPs
CIP-002: Critical Cyber Asset Identification
• R1: Identify Critical Assets and Critical Cyber Assets
CIP-003: Security Management Controls
• R5: Document and implement program for managing access to CCA
• R6: Change control and configuration management
CIP-005: Electronic Security Perimeters
• R2: Control access points into electronic security perimeter
• R3: Monitoring electronic access and review and assess logs for unauthorized access
• R4: Control default accounts, passwords and network management
CIP-007: Systems Security Management
• R1: Changes to CA and CCA don’t affect cyber security controls
• R5: Records on user activity to minimize risk of unauthorized system access
• R6: Maintain logs of system events related to cyber security and retain logs
• R9: Review and update all documentation
• Customized: for Security Patch Management | Malicious Software Prevention | Cyber Vulnerability Assessment
What Hasn’t Worked: Periodic Assessments Create Data But Limited Intelligence
[Figure: chart of compliance posture (y-axis "Desired State") against Time, annotated "No Visibility", "Drifting", "High-risk" and "Temporary Success"]
Maintain: Security, Compliance & Operations
Assess & Achieve
Maintain
Non-stop monitoring & collection
Dynamic analysis to find suspicious activities
Alert on impact to policy
Remediate options to speed remedy
[Figure: chart of "Desired State" against Time, with an Assess & Achieve phase followed by a Maintain phase]
Tripwire VIA: IT Security & Compliance Automation
[Figure: Policy Engine and Event Database; Correlate to Bad Changes; Correlate to Suspicious Events]
Tripwire VIA™: Intelligent Threat Control
VISIBILITY INTELLIGENCE AUTOMATION
Tripwire Enterprise: File Integrity Monitoring, Compliance Policy Manager
Tripwire Log Center: Log Manager, Security Event Manager
Additional Thought Leadership
• Summarizes key points
• Describes the effect of CIP compliance vs. noncompliance
• Offers a Due Diligence Checklist
• Complimentary copy
Questions
Paul Reymann, (410) 956-7336
James Stanton, (410) 956-7334
www.verticalenabler.com
Cindy Valladares
www.tripwire.com
Tripwire Americas: 1.800.TRIPWIRE
Tripwire EMEA: +44 (0) 20 7382 5420
Tripwire Japan: +812.53206.8610
Tripwire Singapore: +65 6733 5051
Tripwire Australia-New Zealand: +61 (0) 402 138 980
THANK YOU!
Cindy [email protected]