The Benefits of Network Security Monitoring for Grid-Edge Devices

An in-depth analysis of how passive network security monitoring helps asset owners maintain an accurate, up-to-date asset inventory list, while also protecting the grid's edge from cyber threats.


Contents

Executive Summary

1. Introduction

2. Approach & Implementation
   A. Approach
   B. Example Network Topology
   C. Review of IED Settings and Configuration

3. Asset Inventory Tracking
   A. Overview
   B. Example Use Cases Demonstrated
   C. Vulnerability Identification

4. Security Monitoring
   A. Overview
   B. Example Use Cases and Scenarios Tested

5. Approach Findings, Benefits and Event Grouping

6. Conclusion

References

Executive Summary

Among the many cybersecurity challenges associated with protecting the critical infrastructure power grid, two of the most challenging are maintaining an accurate asset inventory list and performing security monitoring of devices at the grid's edge. Not only are these capabilities fundamental to avoiding regulatory fines upwards of a million dollars a day, as we saw recently when NERC issued a $10 million fine [1], but they also help ensure the overall security, safety, and reliability of the grid.

Although the two are often thought of as mutually exclusive, this paper shows that through advanced network security monitoring, asset owners can maintain, in real time, an accurate and up-to-date asset inventory list while also protecting the grid's edge from cyber threats. By stepping through the different use cases for passive network security monitoring, the paper demonstrates how asset owners can reach a higher return on their investment in a way that is technically, economically, and operationally feasible.

1. Introduction

"Implementing power system automation control environments that are reliable, resilient, and secure is an interdisciplinary engineering challenge that involves multiple regulatory standards."

No one will argue that securing critical infrastructure is important and a top priority for critical infrastructure asset owners. Asset owners are faced not only with evolving regulatory requirements such as the North American Electric Reliability Corporation's (NERC) Critical Infrastructure Protection (CIP) standards [2], but also with growing attention from cybersecurity researchers and threat actors targeting industrial control system (ICS) technologies for their own motivations. These motivations can vary from bringing awareness and helping the ICS community to compromising systems for financial gain or nation state objectives.

Originally, control system local area networks (LANs) were not connected to any Internet- or intranet-connected devices. Though it didn't guarantee complete security, this did create the so-called air gap, physically separating the devices from other Internet-connected devices. However, for an increase in efficiency and remote monitoring/control capabilities, the control system had to be integrated with other networks. The recommended network architecture for a control system applies the practices of IT security to the control system with the goal of a defense-in-depth secured environment [3]. However, simply applying IT security methods to ICS environments cannot be considered an end-all approach to cybersecurity, especially since solutions like firewalls can be misconfigured and have their own set of vulnerabilities.

With the growth in and implementation of smart grid technologies there is often ambiguity in the roles and responsibilities associated with maintaining cyber-based technologies on the grid's edge. Electric utilities are often faced with asking themselves whether the responsibility for power grid cybersecurity should fall under the IT or telecom departments or should be given to the power system engineers and integrators. In either case, effectively implementing power system automation control environments that are reliable, resilient, and secure is an interdisciplinary engineering challenge that involves multiple regulatory standards.

No matter who the threat actor is or what their motivations are, the first step in securing critical infrastructure is understanding what exists from an asset inventory perspective. Without knowing what exists and what you have to secure, all future threat modeling activities, strategy and roadmap development, or mitigation/remediation activities will be incomplete or less effective. Asset inventory is something both information technology (IT) and operational technology (OT) professionals can agree is not an easy task; historically speaking it has been especially labor intensive for ICS asset owners with "grid-edge" devices (or field devices), often requiring physical site visits. Grid-edge asset inventory difficulties are driven by the complex and aging heterogeneous environments most asset owners operate in, which span city, county, state, or country lines. Today, advancements in network security monitoring and protocol deep packet inspection allow asset owners to obtain real-time asset inventory information from devices communicating over serial or TCP/IP based communication channels by leveraging the built-in capabilities of grid-edge devices. This helps asset owners not only manage their asset inventory, but also detect a variety of network, security, and operational anomalies.

Figure 1 Example Network Topology Used for Evaluating the NSM Tool. (Diagram labels: Electronic Security Perimeter (ESP) enclosing the control system (substation, power plant, etc.) with IED 1, IED 2, IED 3, the RTU and a SPAN port; Remote Engineer/Operator; Local Engineer with Ethernet link (a) and serial link (b); mirrored communication flowing one-way from the SPAN port to the NSM tool; alerts & findings delivered to Asset Management, Compliance, Operations and Security.)

2. Approach & Implementation

A. Approach

The developed approach is centered on the premise of being completely passive and non-intrusive to the control system environment. Using a managed network switch, a single port is configured as the SPAN port. This SPAN or mirroring port replays the communication traffic from all or a designated subset of the other ports on the switch. By placing a network security monitoring (NSM) tool on this SPAN port, a detailed analysis of each communication packet is performed. This allows all inbound and outbound traffic to be monitored, as well as the traffic between each intelligent electronic device (IED) at the grid's edge.

Selection of the devices and the NSM tool is based on an extensive review of the existing technologies available on the market today. While most microprocessor-based relays, remote terminal units, and managed switches can be implemented in this approach, not all control system NSM tools are created equal. Therefore, for completeness and so the reader can recreate the approach demonstrated, the NSM tool selected for this implementation is the eyeInspect (formerly SilentDefense) software solution by Forescout. The primary objective of this implementation is to passively derive as much information from sniffing the network as possible. To evaluate the effectiveness of the NSM tool selected, the extracted information is placed into one of four categories: asset management, security, compliance, and operations. Each category describes a business unit that is responsible for that aspect of the grid, and therefore will find value in that information. Additionally, some information may be classified into multiple categories. For instance, a failed login on IED 1 is a security event that will also need to be noted for compliance. The NSM tool selected has the ability to export the findings in multiple formats for auditing purposes and for the tracking of asset information. This allows the extracted asset information to be imported into a system-wide asset management tool or, in the case of a cybersecurity event, into a security information and event management (SIEM) system.

B. Example Network Topology

The example network topology implemented is shown in Figure 1 and includes 3 protection relays, a remote terminal unit (RTU), a managed switch, and a firewall. All devices are logically defined within an electronic security perimeter (ESP). For servicing, engineers or technicians are typically allowed to enter the ESP and connect a transient cyber asset (TCA) to the IEDs [2]. Ethernet link (a) and serial link (b) show two options for directly communicating with such devices. For control, the standard control system protocols DNP3 and Modbus are used, while for diagnostics each IED's web interface is enabled. Additionally, a vendor-specific protocol, which is an extension of the Telnet protocol, is used for communication between the RTU and IEDs. The managed switch is configured to mirror all TX and RX traffic on every port to a SPAN port. The NSM server has multiple network interfaces; the one connected to the SPAN port is configured for RX only, while the SPAN port itself is configured for TX only.

C. Review of IED Settings and Configuration

As soon as the NSM tool came online, it began analyzing all the communication in the control system local area network, including all ingress and egress traffic. Using this observed information, the NSM tool began to organize the observed devices into a network map according to the Purdue Model [5]. After just a few minutes, the NSM tool had accurately mapped all devices and protocols that were utilized over the network. To confirm this, a review of the IED settings files was performed. The IP information contained in these files was then used to confirm the specific whitelisted IPs that would be used to trigger an alarm in the NSM tool.

In addition to the IP settings information, the settings and configuration files of each IED were also examined to determine how the IED was alarming on cybersecurity events. IEEE Std C37.240-2014 requires all IEDs to alarm on: unsuccessful login attempts, reboot, configuration changes, and firmware changes [6]. Similar to protection settings, these cybersecurity alarm settings are configured using the vendor's software. Another often overlooked similarity is that these cyber alarms can be mapped to any binary point of a control system protocol (e.g. DNP3). Additionally, these and other cyber-related alarms were mapped in the IED and sent out via Syslog. With this information, the NSM tool's built-in scripting engine was used to passively detect and trigger an event alarm for multiple cyber events, as described in detail in Section 4.

3. Asset Inventory Tracking

A. Overview

Maintaining an accurate and up-to-date baseline configuration often relies on a manual and handwritten process. A more efficient and less error-prone approach is to leverage the existing system to automatically observe and document changes as they are made. As noted in Section 2, the example topology utilizes a vendor's slight variation of the Telnet protocol to communicate between the RTU and IEDs. Since this information is transmitted in plaintext and is copied and replayed over the SPAN port, the NSM tool is able to capture and analyze it.

There are a number of ways to achieve this functionality. Depending on the vendor of the IED, one option is to set the RTU to periodically poll the relay for its status; the returned information will contain the firmware version, model number, and serial number of the device. However, based on the set poll rate, this information may only be polled every day or even every week. Therefore, a more responsive approach is to have the IED trigger a binary alarm upon a firmware change. After receiving the alarm, the RTU then polls the IED for the information identifying the new firmware version. This process allows the NSM tool to immediately detect and log these changes. Once received by the NSM tool, the network map is updated to reflect the latest configuration change of the asset. This information can then be shared with a system-wide asset management tool.

The three example use cases below describe various ways an engineer or technician would be allowed to alter the firmware on an IED at the grid's edge. It's important to note that these actions could be performed by an attacker who has access to the network or by a malicious insider. The results are still the same, and the developed approach will be able to capture, detect, and alert upon any firmware changes.

B. Example Use Cases Demonstrated

1. Remote engineer upgrades firmware on IED 1: There are several applications that may permit a remote engineer to have interactive access to an IED. This access allows the engineer to perform any number of commands as though he were physically at the device. Depending on how this remote access is configured, he could be allowed to communicate directly with the IED, or the RTU can be configured as an access point router.

2. Local engineer upgrades IED 2 firmware via Ethernet connection: If the previous use case is not allowed, an engineer or technician may be required to travel to the site to perform the necessary maintenance. While locally in the control house or plant, the engineer plugs into the network switch using an approved transient cyber asset [2] and logically connects to the IED. Once connected, the engineer runs the upgrade command and uploads the firmware to the IED.

3. Local engineer upgrades IED 3 firmware via direct serial connection: The last use case is unique, since it requires some additional programming in the RTU in order to fully capture the upgrade. Unlike the other examples, this communication is not being performed over the network, and therefore will not be captured. Additionally, the polling of the device is being performed via a serial connection between the RTU and the relay. This polling is therefore also not being captured by the NSM tool. The solution here is to tell the RTU to log the firmware change of IED 3 and all associated information to Syslog. This way, when the updated asset information is placed on the network, the parsing feature of the NSM tool is still able to capture and log the event.

C. Vulnerability Identification

By having an accurate representation of the current firmware version installed on each device, the NSM tool was able to identify known vulnerabilities that are associated with that version of the firmware, protocols, and detected software. These vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) standard and have an associated risk score identifying the impact that vulnerability could have on the system. This information can be used to determine when the device needs servicing. This ability greatly reduces the potential attack surface and helps ease the burden associated with meeting a number of compliance and maintenance requirements.
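As an added illustration of the inventory-tracking and vulnerability-identification flow described in Sections 3A through 3C (this is example code written for this page, not the paper's or eyeInspect's own logic), the following Python processes already-decoded text from the mirrored traffic: poll responses in a constructed RTU-to-IED format and a constructed Syslog line of the kind use case 3 relies on. It keeps a per-asset firmware baseline, raises an alert on each change, and looks the new version up in a constructed vulnerability table whose CVE identifiers are placeholders. The log formats, field names, IP addresses and model strings are all assumptions.

```python
"""Added example (not from the paper or eyeInspect): passively build an asset
inventory from mirrored traffic that has already been decoded to text, the
way Section 3 describes. Two sources are parsed:
  * poll responses from the RTU-to-IED Telnet-like protocol (constructed format)
  * Syslog lines the RTU emits when an IED raises its firmware-change alarm
Every field name, log format, IP, model string and CVE id is a constructed
assumption for this example.
"""
import re
from dataclasses import dataclass, field

# Constructed vulnerability table keyed by (model, firmware). The CVE ids are
# placeholders, not real advisories.
KNOWN_VULNS = {
    ("RELAY-X", "R100-V1"): [("CVE-0000-0001 (placeholder)", 9.8)],
    ("RELAY-X", "R100-V2"): [],
}

# Constructed poll response: what an RTU status poll to an IED returns.
POLL_RE = re.compile(r"^(?P<ip>\d+\.\d+\.\d+\.\d+) ID\s+FID=(?P<fw>[^,\s]+),"
                     r"MODEL=(?P<model>[^,\s]+),SN=(?P<sn>\S+)$")
# Constructed Syslog line from the RTU for the serial-attached IED (use case 3).
SYSLOG_RE = re.compile(r"<\d+>.*RTU: FIRMWARE_CHANGE device=(?P<name>\S+) "
                       r"model=(?P<model>\S+) sn=(?P<sn>\S+) fid=(?P<fw>\S+)")


@dataclass
class Asset:
    key: str        # IP for network-attached IEDs, device name for serial ones
    model: str
    serial: str
    firmware: str


@dataclass
class Inventory:
    assets: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def observe(self, key, model, sn, fw, source):
        """Record an asset; alert when its firmware differs from the baseline."""
        prev = self.assets.get(key)
        if prev is None:
            self.alerts.append(("NEW_ASSET", key, fw, source))
        elif prev.firmware != fw:
            self.alerts.append(("FIRMWARE_CHANGE", key, f"{prev.firmware}->{fw}", source))
        self.assets[key] = Asset(key, model, sn, fw)
        # Vulnerability identification (Section 3C): look up the current firmware.
        for cve, score in KNOWN_VULNS.get((model, fw), []):
            self.alerts.append(("VULNERABLE", key, f"{cve} cvss={score}", source))

    def ingest(self, line):
        """Dispatch one decoded line to the matching parser; True if it was used."""
        m = POLL_RE.match(line)
        if m:
            self.observe(m["ip"], m["model"], m["sn"], m["fw"], "poll")
            return True
        m = SYSLOG_RE.match(line)
        if m:
            self.observe(m["name"], m["model"], m["sn"], m["fw"], "syslog")
            return True
        return False


def run(lines):
    """Feed every decoded line into a fresh inventory and return it."""
    inv = Inventory()
    for line in lines:
        inv.ingest(line)
    return inv


# Constructed sample: IED 1 is polled twice (firmware upgraded in between);
# IED 3 is reported through the RTU's Syslog because its link is serial.
SAMPLE = [
    "192.168.1.11 ID FID=R100-V1,MODEL=RELAY-X,SN=0001",
    "192.168.1.11 ID FID=R100-V2,MODEL=RELAY-X,SN=0001",
    "<14>Nov 18 10:00:00 rtu RTU: FIRMWARE_CHANGE device=IED3 model=RELAY-X sn=0003 fid=R100-V1",
    "garbage line that matches nothing",
]

if __name__ == "__main__":
    for alert in run(SAMPLE).alerts:
        print(alert)
```

The same alert list can be split by audience as Section 2A suggests: NEW_ASSET and FIRMWARE_CHANGE records go to the asset management tool, VULNERABLE records to the maintenance and compliance queues, and the raw FIRMWARE_CHANGE event to the SIEM.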

4. Security Monitoring

A. Overview

Network security monitoring (NSM) is a long-standing cybersecurity best practice of collecting, analyzing, and escalating indications of compromise. NSM in ICS networks is quickly gaining traction because it can be accomplished without impacting the underlying OT systems, since no new traffic or communications are being introduced. With all network traffic being captured, the ICS NSM technology can leverage its deep packet inspection capabilities to completely parse an ICS protocol. This provides a complete understanding of what activity is occurring in real time. Through these capabilities and added situational awareness, asset owners can reduce mean time to detection, response, and recovery for any cyber incidents occurring in ICS networks. Additionally, it provides both IT and OT incident responders the ability to obtain network packet captures containing the exact packets and messages related to an incident, resulting in a concise audit trail. By having an understanding of the control system protocols, the ICS NSM technology was able to automatically:

• Derive a network whitelist, including ICS/SCADA protocol-specific function codes

• Derive an ICS/SCADA protocol whitelist including process values (binary or analog)

• Derive the role the device is performing in the industrial control system

• Create a network map with all the network flows between devices

• Detect known network-based indicators of compromise from malware or malicious campaigns

• Alert when operational thresholds are reached

• Extract device health information and alert when non-optimal conditions exist

B. Example Use Cases and Scenarios Tested

1. Rogue device joins ICS network: With all approved devices accurately mapped and placed in the Purdue model, this essentially creates a whitelist of devices that are approved to talk to one another. Any device that connects to the network will automatically be captured by the NSM tool.

2. Identify network communication failures: More of an operational aspect of the grid, the examined NSM tool was able to determine when communication between devices ceases. This capability can be extremely valuable since it can help diagnose a broken link or down interface.

3. Unauthorized device sends ICS/SCADA operate command: With the whitelisted map created, and since the tested NSM tool understands control system protocols, the tool was able to successfully detect when an unauthorized device initiates a command to a grid-edge device. In this case, the tool was able to learn the master-slave relationships of the network devices, and therefore became capable of detecting anomalies.

4. Failed or successful remote or local logins into an RTU or IED: The implemented devices were configured to sound an alarm upon either a successful or failed login. These alarms were then detected by the NSM tool.

5. Use of default passwords: By detecting the MAC address of each device on the network, the NSM tool is able to determine the specific manufacturer of that device. Using a built-in database of vendor-utilized default passwords, the NSM tool compares detected username and password pairs to this database. Whenever a match is found, a notification is produced identifying the networked device that has default usernames and passwords.

6. Dangerous ICS/SCADA DNP3 function code sent to an RTU: There are a number of built-in function codes that identify the health of the assets at the grid's edge. These codes help determine the health of the assets and can be used to detect a number of man-in-the-middle attacks. In both cases, the NSM tool accurately captured and logged these events.

7. Malformed ICS protocol packet sent to master: These packets indicate advanced levels of spoofing. Since the NSM tool is aware of the utilized control system protocols, it was able to detect a variety of malformed packets.

8. Port scanning or other network profiling activities: As demonstrated by Industroyer, the first malware specifically designed to attack power systems, trusted devices can become rogue and start initiating port scans [7]. This attack demonstrated the need to be able to detect any port scanning, even though these actions may originate from a device that is already located within the trusted control system network.

9. IP spoofing and ARP poisoning: There are several control system protocols and devices that are vulnerable to advanced levels of spoofing and ARP poisoning. By examining each communication packet at multiple layers of the OSI model, the NSM tool was able to alarm on these events.

10. Anomalous utility operator activities (either intentional or accidental): Since the tested NSM tool can be configured to be contextually aware of the control application and already understands the utilized protocols, triggers were created that monitor for suspicious or unrealistic operations. For instance, multiple back-to-back breaker open commands can be classified as suspicious activity and therefore warrant a notification. This type of event was also observed in the 2016 Ukraine cyberattack that resulted in the physical loss of power [7].
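The rogue-device, unauthorized-operate, dangerous-function-code and repeated-breaker-command scenarios above share one mechanism: learn the normal master-to-outstation relationships during a baseline period, then alert on deviations. The following Python is an added example of that mechanism (written for this page, not the paper's or eyeInspect's own detection rules) over a constructed stream of already-decoded DNP3 application-layer events. The function code numbers are the standard DNP3 codes; the baseline window, the repeat threshold, the policy of alerting on restart codes, and the IP addresses are assumptions.

```python
"""Added example (not from the paper or eyeInspect): anomaly rules over
already-decoded DNP3 application-layer events, the kinds of detections
Section 4B lists. Events are constructed tuples, not captured traffic; the
learning window, thresholds, restart-code policy and addresses are assumptions.
"""
from collections import defaultdict, deque

# Standard DNP3 application-layer function codes used below.
FC_READ, FC_SELECT, FC_OPERATE, FC_DIRECT_OPERATE = 0x01, 0x03, 0x04, 0x05
FC_COLD_RESTART, FC_WARM_RESTART = 0x0D, 0x0E
CONTROL_FCS = {FC_SELECT, FC_OPERATE, FC_DIRECT_OPERATE}
# Codes that restart an outstation; alert whenever seen (assumed policy).
RESTART_FCS = {FC_COLD_RESTART, FC_WARM_RESTART}


class Dnp3Monitor:
    """Learn who commands whom during a baseline window, then alert on
    deviations. Each event is (t_seconds, src_ip, dst_ip, function_code)."""

    def __init__(self, learn_until, repeat_window=10.0, repeat_limit=3):
        self.learn_until = learn_until
        self.allowed = defaultdict(set)        # dst -> {src} seen talking to it
        self.known_hosts = set()
        self.recent_ctrl = defaultdict(deque)  # (src, dst) -> control timestamps
        self.repeat_window = repeat_window
        self.repeat_limit = repeat_limit
        self.alerts = []

    def process(self, event):
        t, src, dst, fc = event
        if t <= self.learn_until:               # baseline: everything is trusted
            self.known_hosts.update((src, dst))
            self.allowed[dst].add(src)
            return
        for host in (src, dst):                 # 1. rogue device joins network
            if host not in self.known_hosts:
                self.known_hosts.add(host)
                self.alerts.append(("ROGUE_DEVICE", t, host))
        label = f"{src}->{dst} fc={fc:#04x}"
        if fc in CONTROL_FCS | RESTART_FCS and src not in self.allowed[dst]:
            self.alerts.append(("UNAUTHORIZED_CONTROL", t, label))   # 3.
        if fc in RESTART_FCS:
            self.alerts.append(("DANGEROUS_FUNCTION_CODE", t, label))  # 6.
        if fc in CONTROL_FCS:                   # 10. repeated control commands
            q = self.recent_ctrl[(src, dst)]
            q.append(t)
            while q and t - q[0] > self.repeat_window:
                q.popleft()
            if len(q) == self.repeat_limit:     # alert once when threshold is hit
                self.alerts.append(("REPEATED_CONTROL", t, f"{src}->{dst} x{len(q)}"))


def run(events, learn_until):
    """Replay events in time order through a fresh monitor and return it."""
    mon = Dnp3Monitor(learn_until)
    for e in sorted(events):
        mon.process(e)
    return mon


# Constructed event stream: the RTU (10.0.0.1) is the only master during the
# baseline; afterwards an unknown host appears and the RTU fires three
# operates at one relay in quick succession.
RTU, IED1, IED2, LAPTOP = "10.0.0.1", "10.0.0.11", "10.0.0.12", "10.0.0.99"
SAMPLE = [
    (1.0, RTU, IED1, FC_READ), (2.0, RTU, IED2, FC_READ),
    (3.0, RTU, IED1, FC_DIRECT_OPERATE),
    (100.0, RTU, IED1, FC_READ),                  # normal poll
    (101.0, LAPTOP, IED2, FC_DIRECT_OPERATE),     # rogue host + unauthorized
    (102.0, LAPTOP, IED2, FC_COLD_RESTART),       # dangerous function code
    (110.0, RTU, IED1, FC_DIRECT_OPERATE),
    (111.0, RTU, IED1, FC_DIRECT_OPERATE),
    (112.0, RTU, IED1, FC_DIRECT_OPERATE),        # third within 10 s
]

if __name__ == "__main__":
    for alert in run(SAMPLE, learn_until=60.0).alerts:
        print(alert)
```

A real deployment would seed the baseline from the IED settings files reviewed in Section 2C rather than trust whatever is seen during the learning window, and would carry the packet reference with each alert so that responders get the audit trail the overview describes.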

5. Approach Findings, Benefits and Event Grouping

When leveraged properly, network security monitoring offers substantial value beyond that of just cybersecurity. Other business units that can benefit from the information produced by an NSM tool include operations, compliance, asset management, and maintenance. When utilized in this manner, NSM can be used to increase the overall return on investment of the devices that are already installed in the field, while also helping ease the burden across multiple departments. Table 1 shows 15 sample events or items that were automatically identified by the selected NSM tool. Though not an exhaustive list of all the tests performed, these examples demonstrate the breadth of information that can be captured and sent to various departments or business units. For example, the act of making a firmware change and the specific firmware version that is installed on a device has value for all four groups identified. The security team needs to know that the action is being performed, while the asset management and compliance teams need to know the final version that is installed. Operational personnel will also find this information helpful since it confirms any vendor features (like an added protection element) that may be used for future grid enhancements.

“NSM can be used to increase the overall return on investment of the devices that are already installed in the field”


Table 1 Sample of Observed Items/Events and Information Categorization (categories: Asset Management, Cybersecurity, Compliance, Operations)

• Device Serial Number

• Settings Changes

• Firmware Changes

• Network Mapping

• Vulnerability Tracking

• Whitelisting Alerts

• Blacklisting Alerts

• Failed Login

• Active User

• Port Scanning

• Spoofing

• Physical Entry

• Protocol Errors

• Repeated Control Commands

• Time Synchronization Errors

6. Conclusion

Implementing network security monitoring in industrial control system networks provides asset owners the ability to leverage their existing infrastructure and investments to gain operational, compliance, asset inventory, network, and cybersecurity benefits. By extracting intelligence from device communications, ICS asset owners can configure their existing assets to become "cyber aware" by enabling built-in features often not utilized or unknown to them. By stepping through a series of use case scenarios, this work demonstrated the utilization of technology for the extraction of security, compliance, operational, and asset management information. Given the passive nature of the developed approach, this work demonstrates how to safely extract this information in real time, producing an efficient and feasible way of securing and managing the grid's edge.


About the Authors

Nathan Wallace, Cybirical LLC. Nathan has a B.S. in electrical engineering, a B.S. in physics, an M.S. in engineering, and a Ph.D. in engineering cyberspace from Louisiana Tech University. He started his career with Entergy's relay settings and configuration group. He then joined a small utility as an associate engineer, performing field maintenance of system protection and communication equipment. After seeing the grid's growing reliance on cyber-based technologies, he pursued a graduate degree focusing on power system cybersecurity, where he also worked as a digital forensics examiner. Nathan currently is a staff engineer at Ampirical and a cofounder of Ampirical's sister firm Cybirical, where he is the Director of Cyber Engineering. He is a member of the IEEE Power & Energy Society (IEEE PES) and Computer Society, and currently chairs two standard development groups in the IEEE PES Power System Communications & Cybersecurity (PSCC) Technical Committee.

Brian Proctor, Forescout. Brian has spent most of his career (13+ years) as an ICS/SCADA cybersecurity engineer and cybersecurity team lead working for two progressive California Investor Owned Utilities (IOUs). He holds a variety of technical certifications, including the Global Industrial Control System Professional (GICSP), Certified Information Systems Security Professional (CISSP), and Certified in Risk and Information Systems Control (CRISC), and is certified in project management from the University of California at Irvine. In 2013, Brian was presented with the Critical Infrastructure Private Sector award from Securing Our eCity, a San Diego based cybersecurity non-profit organization. In 2016, Brian was a co-inventor of an R&D Magazine top 100 award winner for one of the top inventions of the year relating to a GPS anti-spoofing mitigation technology.

References

[1] https://www.forescout.com/company/blog/largest-nerc-cip-fine-to-date/

[2] North American Electric Reliability Corporation (NERC), Standard: Critical Infrastructure Protection (CIP), https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx

[3] US Dept. of Homeland Security, "Recommended practice: Improving industrial control system cybersecurity with defense-in-depth strategies," 2009.

[5] Peter Bernus and Laszlo Nemes (1996), "A framework to define a generic enterprise reference architecture and methodology." Computer Integrated Manufacturing Systems, Vol. 9(3), pp. 179-191.

[6] IEEE Std C37.240-2014, "IEEE Standard Cybersecurity Requirements for Substation Automation, Protection, and Control Systems." Approved 10 Dec. 2014.

[7] Anton Cherepanov, ESET, "Win32/Industroyer – A New Threat for Industrial Control Systems." [Online] https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf

Forescout Technologies, Inc., 190 W Tasman Dr., San Jose, CA 95134 USA

Toll-Free (US) 1-866-377-8771 | Tel (Intl) +1-408-213-3191 | Support +1-708-237-6591

© 2020 Forescout Technologies, Inc. All rights reserved. Forescout Technologies, Inc. is a Delaware corporation. A list of our trademarks and patents can be found at https://www.forescout.com/company/legal/intellectual-property-patents-trademarks. Other brands, products, or service names may be trademarks or service marks of their respective owners. Version 07_20
