Verve Security Center

Transcription

1 Verve Security Center Product Features Supports multiple control systems. Most competing products only support a single vendor, forcing the end user to purchase multiple security systems Single solution for whitelisting, anti-virus, patching, control system change management, backup management, and vulnerability assessments Only whitelisted applications will run. Alerts administrator if unauthorized programs attempt to execute. Whitelisting technology is integrated with anti-virus software Patches and anti-virus updates can be deployed in a simple and controlled process with minimal impact on operations Patches, anti-virus updates, and whitelisting databases can be automatic, air-gapped, or semi airgapped for more secure environments Controlled vulnerability scans to identify and eliminate threats End users can easily identify changes made to control system logic, graphics, databases, firewalls, routers, and switches Stops unauthorized USB drives from being placed on control system Backup of critical systems to ensure timely recovery during failures. Images are tested virtually to ensure recoverability Doesn t allow any inbound ports into control system Consolidated and easy to understand alerts and reports with guidance on responding to events Security information & event management (SIEM) provides required long-term consolidated logging, NERC reporting, alerts, and correlation

2 Overview The North American Electric Reliability Corporation (NERC) has devised a series of standards to advance the dependability of the bulk power system in North America. In particular, NERC developed eight specific standards categorized as Critical Infrastructure Protection (CIP) that are designed to protect the critical cyber assets (hardware, software, data, and communication networks) essential to the reliability of the bulk power system. The NERC CIP requirements are based upon existing security practices in the information technology (IT) profession. However, the sensitivity of control system applications not typical to traditional IT structures imposes specific issues that must be addressed to ensure compliance. In addition, the controlled process must not be disrupted by the chosen security package. Rkneal understands these unique intricacies because of our extensive experience designing and implementing control systems specific to the power industry. As a result, Verve was developed to defend against electronic threats and vulnerabilities, help responsible entities plan for occurrences where recovery of critical cyber assets is required, and aid in NERC CIP compliance. However, the real beauty of Verve is that minimal resources are required to maintain this system because it simplifies normal controls network tasks (patching, anti-virus updates, etc.). The Verve Security Center offers complete protection by consolidating the following components into a centralized security suite: Whitelisting, Anti-virus, Patch Management, Change Management, Backup & Recovery Management (optional), Security Information & Event Management (SIEM), and Vulnerability Scans NERC CIP Standards CIP-002 Critical Cyber Asset Identification CIP-003 Security Management Controls CIP-004 Personnel & Training CIP-005 Electronic Security Perimeter(s) CIP-006 Physical Security of Critical Cyber Assets CIP-007 Systems Security Management CIP-008 Incident Reporting and Response Planning CIP-009 Recovery Plans for Critical Cyber Assets The following table describes how the Verve Security Center can help aid in NERC CIP compliance: CIP-003 R6 Change Control and Configuration Management Establish and document a process of change control and configuration management related to Critical Cyber Assets CIP-005 R1 Electronic Security Perimeter Ensure that every Critical Cyber Asset resides within an Electronic Security Perimeter CIP-007 R1 Test Procedures Ensure that new assets and changes to existing assets do not affect existing cyber security controls CIP-007 R4 Malicious Software Prevention Shall use anti-virus software and other malicious software prevention tools to detect and prevent malware CIP-007 R5 Account Management Establish procedural controls for all user activity CIP-009 R4 Backup and Restore Processes and procedures for backup, storage, testing, and recovery Applicable NERC CIP Standards The change management feature of Verve captures modifications to the control system graphics, logic, or database. Changes to system components are logged in the security information & event management (SIEM) component Combines firewall, whitelisting, anti-virus, patch management, and security information & event management (SIEM) technology into a single solution to ensure endpoints are protected within an Electronic Security Perimeter Updates to anti-virus software and patches can be deployed in a controlled method to ensure the process environment is not affected. Changes to control system graphics, logic, database, and networking equipment are captured with ability to retrieve changes Verve incorporates a number of malware prevention tools including whitelisting, anti-virus, patch management, and security information & event management (SIEM) technology to detect and prevent threats from entering controls networks. Verve also restricts external USB drives from executing without prior approval Provides auditable record of all user activity for both approved/ denied applications and files utilizing security information & event management (SIEM) logging The optional backup feature of Verve captures full image backups for all critical assets. These backups are virtualized and tested for full functionality and recovery. Backups to key control system files are created and tracked on a daily basis to capture any changes to graphics, logic, database, and network equipment configurations Minimize Security Threats Each layer of Verve was designed and selected to minimize the increasing number of cyber attacks. Our security experts provide comprehensive installation, configuration, and training services to curtail the resources necessary for an effective implementation. End users can scan their controls network to see all available software (product version, product publisher, etc.) and monitor vital information (installed memory, IP address, operating system, etc.) on protected endpoints. Verve also possesses the ability to monitor all USB devices and executable content introduced to your system. Total visibility aptitudes include: User responsible for introducing the executable content Where the file was first detected on your system When the file was first discovered by the Verve server How many endpoints contain the file File analysis against an extensive file catalog database

3 Anti-virus In theory, anti-virus software is not needed if whitelisting has been configured. However, anti-virus software has been added to Verve for three simple reasons: NERC CIP standards currently still require it Anti-virus software is essential to ensure viruses are not present on your controls network prior to the implementation of whitelisting Multi-layer threat protection In order for anti-virus software to be effective, virus definitions need to be up-to-date. Due to the sensitivity of controls networks, once updates have been stored on the Verve server they can deployed to protected endpoints in a controlled method to ensure the process environment is not affected. Patch Management The main objective of a patch management program is to create a consistently designed structure that is secure against known vulnerabilities within an operating system and/or software. However, managing updates for multiple endpoints can be an exhaustive endeavor and typically system administrators are also taxed with the consumption and screening of information regarding both security matters and patch releases. This effort becomes even more complicated when additional platforms and accessibility requirements are present. The time it takes for several original equipment manufacturers (OEM) to approve Windows patches, adds to this complexity. Verve s patch management component helps simplify this process. Patch management features include: Whitelisting Rather than operating reactively to the growing list of known viruses, worms, and Trojans, Verve proactively blocks any unapproved executable content from running via whitelisting. Anti-virus has been proven to only block about 30% of potential threats. However, whitelisting is much more effective because it ensures only approved applications are enabled to run on your controls network. Verve baselines all required applications and allows them to run without disruption while blocking all unsanctioned solicitations. Alerts are sent to system administrators if these programs attempt to run. System administrators then have the ability to approve or deny these applications. Whitelisting capabilities include: Ability to lock down any or all protected computers if threat is discovered Prevent malware and data loss. Also protects against previously unknown computer threats Continuous monitoring of all software and portable devices with ability to enforce corporate compliance. This includes devices that are disconnected from the server (i.e. laptops) Ability to customize levels of protection for each individual endpoint Updates for approved software is automatically downloaded (unless air-gapped) Ability to patch multiple operating system types (Windows, Unix) Controlled and easy patch deployment to multiple machines and test groups Reduces time allocated to keeping computers compliant Automates OEM vendor approved patching Change Management Proper documentation is the leading culprit for NERC CIP audit violations. To help avoid this scenario, Verve incorporates an audit trail to track changes made to any control system graphics, logic, database, or networking files. These changes are then logged in the Verve database. Change management features include: Allows plant personnel to track control network changes to graphics, logic, database files, networking code, and any another other readable file notifications can be configured to inform plant personnel of changes Auditable records

4 Typical Verve Network Layout Relay DMZ Patches, Anti-virus Corporate Network Corporate Firewall Internet Typically Managed by IT Plant Firewall DCS Firewall/Router Unit 1 Ovation Root Switch Unit 2 DeltaV Switch Unit 3 Mark V Switch ABB PPA/PPB Common Devices (CEMS, RTU, PLC) Ovation PC's DeltaV PC's Mark V PC's 800xa PC's PPA/PPB PC's Wireless Vlan's Vlan's SCADA PC's SCADA PC's CEMS PC's Hydro PC's Backup & Recovery Management Quality backups are one of the most critical activities associated with proper asset protection. Unfortunately, backups are often overlooked until it is too late and a machine or hard drive has failed. This undoubtedly causes operational headaches since time is of the essence. Security Information & Event Management (SIEM) Fueled by IT audits, standards, and regulatory compliance, SIEM systems are increasingly being installed to automate the analysis process of security, network, and application logs. SIEM technology offers real-time analysis of security alerts and significantly reduces the time between threat detection and the elimination of those threats by continuously monitoring your controls network for suspicious activity. This includes both internal and external threats. Adding a SIEM solution to the Verve Security Center provides yet another layer of protection and the ability to provide customized NERC reporting and correlate security events to help prevent suspicious activity. Verve s backup feature allows users to schedule backups according to your sites specific needs. Once backups have been completed, each backup is tested for recovery using virtualization techniques. Verve captures both image and custom control system vendor backups that an end user can recover a whole machine to, (even dissimilar hardware) saving days if not weeks of locating software, licenses, drivers, OEM software, etc.

5 About Rkneal Rkneal is a certified Women s Business Enterprise (WBE) specializing in design, engineering, and technical services. Our engineers possess extensive experience with every major distributed control system (DCS) and programmable logic controller (PLC) currently on the market. In addition to automation controls, Rkneal provides services related to NERC CIP compliance, cyber security, real-time historians, electrical design, NFPA burner management design & review, and startup & commissioning. Contact Rkneal today to learn how the Verve Security Center can minimize cyber-security threats on your controls network. neal Process Control Software Engineering Consulting Paducah 1640 McCracken Blvd. Paducah, KY St. Louis 1010 Market Street, Suite 550 St. Louis, MO