How to Integrate NERC s Requirements in an Ongoing Automation and Integration Project Framework

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "How to Integrate NERC s Requirements in an Ongoing Automation and Integration Project Framework"

Transcription

1 How to Integrate NERC s Requirements in an Ongoing Automation and Integration Project Framework Jacques Benoit, Cooper Power Systems Inc., Energy Automations Solutions - Cybectec Robert O Reilly, Cooper Power Systems Inc. Energy Automations Solutions - Cybectec Abstract This paper addresses the challenges faced by utilities and/or integration companies during deployment and engineering phases of automation and integration projects, with regards to complying with the new cyber-security requirements set out by NERC. This paper will focus on approaches to these new challenges to ensure the project stays within schedule and budget, from the point of view of substation requirements, management and of the different SCADA systems. Introduction This technical paper will discuss the challenges of minimizing the impact of adding NERC CIP compliance to an ongoing project consisting of updating a substation s automation systems. Originally aimed at providing faster access to a higher amount of operational and non-operation data within a substation framework, the changeover is an opportunity to upgrade some of the protection and metering devices. But now, the project must also include compliance with cyber-security requirements. While at first glance NERC requirements may seem to be an insurmountable task, when one takes a closer look at the standards, it becomes obvious that proper planning and best practices are the key to accomplishing compliance. Moreover, proper planning will minimize the impact of NERC CIP compliance on the project s budget and timeline. From a project implementation point of view, NERC CIP mainly describes what is required from utilities, but does not provide any technical information on how to implement a project to meet those requirements. This leaves a lot of room for interpretation and implementation.

2 From a project viewpoint, one must decide quickly which requirements would normally be addressed outside of a project scope and hence would not impact adversely its timeline or budget. Since they should be the responsibility of other groups within the organization, we will not discuss the following CIP standards in this paper: CIP-001 CIP-008 CIP-009 Sabotage Reporting Incident reporting and Response Planning Recovery Plans for Critical Cyber Assets Instead, we will discuss how the following key CIP requirements have a direct impact on your ongoing project and should be addressed in any ongoing project: CIP Reference # CIP-002-R3 CIP-003-R4.1 CIP-003-R5.1 CIP-003-R6 CIP-004-R2 CIP-004-R3 CIP-004-R4 CIP-005-R2 CIP-006-R2 CIP-007-R1 CIP-007-R2 CIP-007-R3 CIP-007-R4 CIP-007-R5 General Description Critical cyber asset identification Critical cyber asset information to be protected (items defined by management team) Access control (personnel cleared to access protected information) Change control and configuration management Training of all personnel (operation, technical, contractors, etc.) Personnel risk assessment Personnel access to critical cyber assets Electronic access controls (ensure electronic access is only permitted to approved personnel) Physical access controls Test procedures (supplied by others) Ports and Services (ensure only the required ports and services are active, all others are turned off) Security patch management Malicious software prevention Account management For the readers convenience, we have summarized the different CIP requirements in the appendix. The Original Project The example chosen is that of modernizing an existing substation automation system. This type of project was selected because it is probably the worst case: not only is new equipment added, but legacy equipment is also kept in the substation. The implementation must be done while keeping legacy systems in operation. Moreover, the project must allow for compliance with all applicable

3 CIP requirements, and be able to pass a compliance audit near the end of the project. We will use the example of a typical legacy substation which has been in operation for more than fifteen years and undergone normal additions required by increased client demand. In most cases, such substations would resemble the following diagram.

4 Fig. 1 - Existing substation automation before project

5 The first order of business when moving an ongoing project towards NERC compliance is to plan for the substation s auditability As the project engineer, one must keep in mind that the plan must be approved by the company s NERC committee, and that deadlines and budgets are not expected to be impacted. A Review of the Project Usually, projects are planned and budgeted with preliminary engineering performed more than 18 months before actual implementation. This delay can create an issue relating to equipment and software costs, as well as delivery lead times. The first project review for CIP compliance will require the retrieval of all information on the previously selected components for the project. Then all potential critical cyber-assets will need to be documented. The list will finally be reviewed to ensure that the security requirements can be met with the equipment that had been originally selected. The initial substation planned architecture is presented below:

6 Fig. 2 - Automation overview diagram of planned project

7 It is important to review any potential new features of the equipment that had originally been selected in the planning stages of the project. Quite often, the product contains new features/capabilities that will in the end save time in the detailed engineering and commissioning phases. Hence, although one may feel the operation is time-consuming at first, it will probably save time by the end of the project. What remains to be examined is the increased paperwork and preliminary audit added to the factory acceptance test (FAT). The risk assessment portion could be performed during the audit and FAT. The project should be executed with a best practice approach which should bring the risk within a manageable context. Establishing the Security Perimeter The connection between the substation and the corporate WAN had been planned using a router and firewall. This setup had been approved by the IT group. In view of the NERC CIP requirements for an electronic perimeter, this configuration can no longer be considered adequate. For instance, this device does not meet the access control and logging requirements. Most substations also contain older devices such as power meters and DFRs with limited communications capabilities. These devices require some form of protocol converter. Also, in addition to the main access points, the EMS group requires the use of a dial-up connection for remote access to the metering equipment. Dial-up access is flagged as a major potential security risk by NERC CIP standards. Now it is clear to the engineering team that using only a router will not comply with NERC CIP s required electronic security perimeter. One might recommend a gateway device in addition to the router. Gateway devices usually provide secure communications capabilities using modem connections, serial, and TCP/IP. They create a single point of access to the substation making it easier to secure the electronic perimeter. Although they will vary form vendor to vendor, these gateway devices usually also provide an additional firewall and security features. Isolating the substation s critical assets and physically installing them in strategic and secure locations within the substation also helps to meet the CIP physical perimeter security requirements.

8 Equipment Inventory Once the electronic security perimeter has been defined, the inventory of equipment must be established and documented. Although this seems a difficult task on the onset, it is more easily prepared than one might think. All the information required is already available so that equipment data is brought back to the central systems (be it SCADA, EMS, Asset Management, or others) via the intelligent gateway. Designing how information is to move from substation to control center will also help define what information is more important. During this phase it is recommended to have short and to the point brainstorming sessions with the different groups wishing to have access and to have them document their requirements. One might be surprised how demands are reduced when written versions are required. Once this information has been identified, the intelligent gateway can be used to limit access to this information. Access levels and user groups should be used to only allow specified systems and users read or write access. Any other system should not be allowed to retrieve/operate on the information. For information which is made available via the intelligent gateway; the unit s security environment should be configured to let only the specified computer system(s) access the specified and approved information. This information should be documented for future auditing requirements. Access Control, Personnel Risk Assessment, Access to Cyber Assets and Account Management Before NERC CIP standards, these points were not normally part of a project. However, CIP standards make their assessment and documentation mandatory. Fortunately, help usually can be found in other groups within one s organization. Human resources and senior management can define access levels and the personnel who will have them, as well as perform the personnel risk assessment. This should not impact the project s budget. Only documentation of those accesses would remain to be produced. One can use a central security server or the intelligent gateway s security features to manage accounts. Obviously, central account management is much more efficient in providing comprehensive authentication and simplifies meeting the NERC requirement of being able to remove access rights rapidly. Central

9 user management may however require new servers and software, which would normally be expensed from the IT budget. Change Control Although change control and configuration management may seem new, most project managers who have been through a number of projects understand this as the mandatory documentation process to control risk during an automation upgrade project. Hence it is usually planned in the original weekly review list. At this point already seven items of your CIP requirements list have been addressed or planned for: CIP-002-R3 CIP-003-R4.1 CIP-003-R5.1 CIP-003-R6 CIP-004-R3 CIP-004-R4 CIP-005-R2 CIP-007-R5 Critical cyber asset identification Critical cyber asset information to be protected Access control Change control and configuration management Personnel risk assessment Personnel access to critical cyber assets Electronic access controls Account management So far, there was very little impact on budget or timelines, except for delays regarding reviews of personnel risk and their security clearance. However, this requirement is usually the responsibility of human resources for personnel and of the purchasing group for the contractors. Security Patch Management and Malicious Software Prevention The manufacturer of the gateway device will usually provide the tools to properly handle any patch management and prevent malicious software. Many techniques exist and it is not in the scope of this paper to decide which approach is better for this facet of the CIP requirements. Suffice it to mention that today, tools and equipment are available for this purpose. However, it is still up to the project team to validate that these tools will perform as required by the project and corporation. Test Procedures and Port Blocking During the final engineering phase, one should prepare a framework of the testing methodologies that could be required to validate the new automation system and its integration into the current substations operations. This is usually

10 done with the help of the vendor or the integrator. When dealing with a change/addition to an existing substation, careful planning must performed to ensure that the system will interface and react properly and promptly to the substation operation requirements. This detailed testing phase is the most appropriate time to check that all of the ports and services not required by applications are turned off. This can be done remotely, since it is easy to forget this type of work during commissioning of the systems at the substation. The IT group can provide the tools required for these tests. However, vulnerability testing should not be performed on a live system as it may render it inoperable. If possible, one should change the default ports. For example, DNP3 via TCP/IP uses port by default. With newer systems and applications, this can be changed, hence preventing anybody from accessing your system by trying to ping the standard ports.

11 Fig. 3 Overview drawing of the final concept for the new automation systems

12 Personnel Training Training is usually the last item on a project s list. In today s complex operational environment it should not be neglected. Personnel training has always been a priority for most organizations and is planned and budgeted accordingly. NERC CIP standards simply require more detailed documentation regarding training sessions, attendees and the personnel s ability to react appropriately in different situations. Training should be a requirement from all vendors providing the software/hardware for the project. The training should include detailed hands-on lessons with the applications, hardware and general software. Security Software Security software should be chosen together with the IT group and should provide a centralized approach, where it is easier to manage access rights and users, data logging, intrusion monitoring and system health monitoring. Local security should also be implemented in the substation, for onsite personnel. Local security must provide the capability of being integrated into the centralized approach to simplify overall user and application management but also to provide the capability for the security to be available at the local level when connection(s) to the centralized systems is not available. Conclusion Proper planning is the key to minimizing the impact of NERC CIP standards on a project s timeline and budget. Individual steps towards NERC CIP compliance are not complex: they simply require a little more effort on the documentation and planning sides. When one has experience with retrofit projects, proper documentation and training become a life-saver at project s end.

13 Appendix: CIP Standard Solutions Breakdown Requirement Description Solution CIP-002-R3 Critical cyber asset Reuse project inventory identification CIP-003-R4.1 Critical cyber asset information to be protected Review with different groups requiring access to information CIP-003-R5.1 Access control Seek access models from upper management, use centralized authentication model CIP-003-R6 Change control and configuration management Reuse project change management infrastructure CIP-004-R2 Training of all personnel Improve documentation CIP-004-R3 Personnel risk assessment Human Resources and Purchasing to conduct assessments CIP-004-R4 Personnel access to critical cyber assets Seek access models from upper management, use centralized authentication model CIP-005-R2 Electronic access controls Use centralized authentication model CIP-006-R2 Physical access controls Install card reader or video camera CIP-007-R1 Test procedures Use exhaustive FAT procedures CIP-007-R2 Ports and Services Reassign ports when possible, use intelligent gateway to restrict access CIP-007-R3 Security Patch Management Use intelligent gateway with security patch management feature built-in CIP-007-R4 Malicious software prevention Use intelligent gateway with malicious software prevention feature built-in CIP-007-R5 Account management Use centralized authentication model

The first step in protecting Critical Cyber Assets is identifying them. CIP-002 focuses on this identification process.

The first step in protecting Critical Cyber Assets is identifying them. CIP-002 focuses on this identification process. CIPS Overview Introduction The reliability of the energy grid depends not only on physical assets, but cyber assets. The North American Electric Reliability Corporation (NERC) realized that, along with

More information

Cyber Security Compliance (NERC CIP V5)

Cyber Security Compliance (NERC CIP V5) Cyber Security Compliance (NERC CIP V5) Ray Wright NovaTech, LLC Abstract: In December 2013, the Federal Energy Regulatory Commission (FERC) issued Order No. 791 which approved the Version 5 CIP Reliability

More information

Making the most out of substation IEDs in a secure, NERC compliant manner

Making the most out of substation IEDs in a secure, NERC compliant manner Making the most out of substation IEDs in a secure, NERC compliant manner Jacques Benoit, Product Marketing Manager, Cybectec Inc. Jean-Louis Pâquet, Chief of Technology, Cybectec Inc. Abstract An increasing

More information

RuggedCom Solutions for

RuggedCom Solutions for RuggedCom Solutions for NERC CIP Compliance Rev 20080401 Copyright RuggedCom Inc. 1 RuggedCom Solutions Hardware Ethernet Switches Routers Serial Server Media Converters Wireless Embedded Software Application

More information

Open Enterprise Architectures for a Substation Password Management System

Open Enterprise Architectures for a Substation Password Management System CIGRÉ Canada 21, rue d Artois, F-75008 PARIS (154) Conference on Power Systems http : //www.cigre.org Toronto, October 4-6, 2009 Open Enterprise Architectures for a Substation Password Management System

More information

NERC CIP Tools and Techniques

NERC CIP Tools and Techniques NERC CIP Tools and Techniques Supplemental Project - Introduction Webcast Scott Sternfeld, Project Manager Smart Grid Substation & Cyber Security Research Labs ssternfeld@epri.com (843) 619-0050 October

More information

Summary of CIP Version 5 Standards

Summary of CIP Version 5 Standards Summary of CIP Version 5 Standards In Version 5 of the Critical Infrastructure Protection ( CIP ) Reliability Standards ( CIP Version 5 Standards ), the existing versions of CIP-002 through CIP-009 have

More information

The Advantages of an Integrated Factory Acceptance Test in an ICS Environment

The Advantages of an Integrated Factory Acceptance Test in an ICS Environment The Advantages of an Integrated Factory Acceptance Test in an ICS Environment By Jerome Farquharson, Critical Infrastructure and Compliance Practice Manager, and Alexandra Wiesehan, Cyber Security Analyst,

More information

NERC CIP Substation Cyber Security Update. John M Shaw Presentation to UTC Region 7 February 19, 2009 jshaw@garrettcom.com

NERC CIP Substation Cyber Security Update. John M Shaw Presentation to UTC Region 7 February 19, 2009 jshaw@garrettcom.com NERC CIP Substation Cyber Security Update John M Shaw Presentation to UTC Region 7 February 19, 2009 jshaw@garrettcom.com It s February 19, 2009 132 project days left to compliance Do you know where (what)

More information

John M Shaw Presentation to UTC Region 7 February 19, 2009 jshaw@garrettcom.com

John M Shaw Presentation to UTC Region 7 February 19, 2009 jshaw@garrettcom.com NERC CIP Substation Cyber Security Update John M Shaw Presentation to UTC Region 7 February 19, 2009 jshaw@garrettcom.com It s February 19, 2009 132 project days left to compliance Do you know where (what)

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

INTEGRATING SUBSTATION IT AND OT DEVICE ACCESS AND MANAGEMENT

INTEGRATING SUBSTATION IT AND OT DEVICE ACCESS AND MANAGEMENT Utilities WHITE PAPER May 2013 INTEGRATING SUBSTATION IT AND OT DEVICE ACCESS AND MANAGEMENT Table of Contents Introduction...3 Problem Statement...4 Solution Requirements...5 Components of an Integrated

More information

Olav Mo, Cyber Security Manager Oil, Gas & Chemicals, 28.09.2015 CASE: Implementation of Cyber Security for Yara Glomfjord

Olav Mo, Cyber Security Manager Oil, Gas & Chemicals, 28.09.2015 CASE: Implementation of Cyber Security for Yara Glomfjord Olav Mo, Cyber Security Manager Oil, Gas & Chemicals, 28.09.2015 CASE: Implementation of Cyber Security for Yara Glomfjord Implementation of Cyber Security for Yara Glomfjord Speaker profile Olav Mo ABB

More information

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards SCADA Compliance Tools For NERC-CIP The Right Tools for Bringing Your Organization in Line with the Latest Standards OVERVIEW Electrical utilities are responsible for defining critical cyber assets which

More information

Utility Telecom Forum. Robert Sill, CEO & President Aegis Technologies February 4, 2008

Utility Telecom Forum. Robert Sill, CEO & President Aegis Technologies February 4, 2008 Utility Telecom Forum Robert Sill, CEO & President Aegis Technologies February 4, 2008 1 Agenda Asked to describe his job, Mike Selves, director of Emergency Management and Homeland Security in Johnson

More information

Securing Distribution Automation

Securing Distribution Automation Securing Distribution Automation Jacques Benoit, Cooper Power Systems Serge Gagnon, Hydro-Québec Luc Tétreault, Hydro-Québec Western Power Delivery Automation Conference Spokane, Washington April 2010

More information

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions Kevin Staggs, Honeywell Process Solutions Table of Contents Introduction...3 Nerc Standards and Implications...3 How to Meet the New Requirements...4 Protecting Your System...4 Cyber Security...5 A Sample

More information

Reclamation Manual Directives and Standards

Reclamation Manual Directives and Standards Electronic Security Perimeter (ESP) Identification and Access Control Process 1. Introduction. A. This document outlines a multi-step process for identifying and protecting ESPs pursuant to the North American

More information

Innovative Defense Strategies for Securing SCADA & Control Systems

Innovative Defense Strategies for Securing SCADA & Control Systems 1201 Louisiana Street Suite 400 Houston, Texas 77002 Phone: 877.302.DATA Fax: 800.864.6249 Email: info@plantdata.com Innovative Defense Strategies for Securing SCADA & Control Systems By: Jonathan Pollet

More information

TRIPWIRE NERC SOLUTION SUITE

TRIPWIRE NERC SOLUTION SUITE CONFIDENCE: SECURED SOLUTION BRIEF TRIPWIRE NERC SOLUTION SUITE TAILORED SUITE OF PRODUCTS AND SERVICES TO AUTOMATE NERC CIP COMPLIANCE u u We ve been able to stay focused on our mission of delivering

More information

Information Shield Solution Matrix for CIP Security Standards

Information Shield Solution Matrix for CIP Security Standards Information Shield Solution Matrix for CIP Security Standards The following table illustrates how specific topic categories within ISO 27002 map to the cyber security requirements of the Mandatory Reliability

More information

Standard CIP 007 3a Cyber Security Systems Security Management

Standard CIP 007 3a Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-3a 3. Purpose: Standard CIP-007-3 requires Responsible Entities to define methods, processes, and procedures for

More information

Redesigning automation network security

Redesigning automation network security White Paper WP152006EN Redesigning automation network security Presented at Power and Energy Automation Conference (PEAC), Spokane, WA, March 2014 Jacques Benoit Eaton s Cooper Power Systems Abstract The

More information

NERC CIP VERSION 5 COMPLIANCE

NERC CIP VERSION 5 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements that are the basis for maintaining

More information

Implementation Plan for Version 5 CIP Cyber Security Standards

Implementation Plan for Version 5 CIP Cyber Security Standards Implementation Plan for Version 5 CIP Cyber Security Standards April 10September 11, 2012 Prerequisite Approvals All Version 5 CIP Cyber Security Standards and the proposed additions, modifications, and

More information

NovaTech NERC CIP Compliance Document and Product Description Updated June 2015

NovaTech NERC CIP Compliance Document and Product Description Updated June 2015 NovaTech NERC CIP Compliance Document and Product Description Updated June 2015 This document describes the NovaTech Products for NERC CIP compliance and how they address the latest requirements of NERC

More information

Meeting IED Integration Cyber Security Challenges. Jacques Benoit Manager Cybectec Product and Technology Training Cooper Power Systems

Meeting IED Integration Cyber Security Challenges. Jacques Benoit Manager Cybectec Product and Technology Training Cooper Power Systems Meeting IED Integration Cyber Security Challenges Jacques Benoit Manager Cybectec Product and Technology Training Cooper Power Systems Jacques.Benoit@cybectec.com INTRODUCTION The Nature of the Risk Utilities

More information

Approved 12/14/11. FIREWALL POLICY INTERNAL USE ONLY Page 2

Approved 12/14/11. FIREWALL POLICY INTERNAL USE ONLY Page 2 Texas Wesleyan Firewall Policy Purpose... 1 Scope... 1 Specific Requirements... 1 PURPOSE Firewalls are an essential component of the Texas Wesleyan information systems security infrastructure. Firewalls

More information

Meeting NERC CIP requirements with Cooper Power Systems IED Integration and Automation Solutions

Meeting NERC CIP requirements with Cooper Power Systems IED Integration and Automation Solutions Meeting NERC CIP requirements with Cooper Power Systems IED Integration and Automation Solutions This document describes the security features of Cooper Power Systems SMP Gateway and Yukon IED Manager

More information

North American Electric Reliability Corporation (NERC) Cyber Security Standard

North American Electric Reliability Corporation (NERC) Cyber Security Standard North American Electric Reliability Corporation (NERC) Cyber Security Standard Symantec Managed Security Services Support for CIP Compliance Overviewview The North American Electric Reliability Corporation

More information

Manage Utility IEDs Remotely while Complying with NERC CIP

Manage Utility IEDs Remotely while Complying with NERC CIP Manage Utility IEDs Remotely while Complying with NERC CIP Disclaimer and Copyright The information regarding the products and solutions in this document are subject to change without notice. All statements,

More information

NERC CIP Whitepaper How Endian Solutions Can Help With Compliance

NERC CIP Whitepaper How Endian Solutions Can Help With Compliance NERC CIP Whitepaper How Endian Solutions Can Help With Compliance Introduction Critical infrastructure is the backbone of any nations fundamental economic and societal well being. Like any business, in

More information

CrossBow NERC CIP Compliance Matrix

CrossBow NERC CIP Compliance Matrix Section Requirement CIP-002-1 Cyber Security Critical Cyber Asset Identification R3, M3 the Responsible Entity shall develop a list of associated Critical Cyber Assets essential to the operation of the

More information

Automating NERC CIP Compliance for EMS. Walter Sikora 2010 EMS Users Conference

Automating NERC CIP Compliance for EMS. Walter Sikora 2010 EMS Users Conference Automating NERC CIP Compliance for EMS Walter Sikora 2010 EMS Users Conference What do we fear? Thieves / Extortionists Enemies/Terrorists Stuxnet Malware Hacker 2025 Accidents / Mistakes 9/21/2010 # 2

More information

GE Measurement & Control. Cyber Security for NERC CIP Compliance

GE Measurement & Control. Cyber Security for NERC CIP Compliance GE Measurement & Control Cyber Security for NERC CIP Compliance GE Proprietary Information: This document contains proprietary information of the General Electric Company and may not be used for purposes

More information

Standard CIP 007 3 Cyber Security Systems Security Management

Standard CIP 007 3 Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-3 3. Purpose: Standard CIP-007-3 requires Responsible Entities to define methods, processes, and procedures for securing

More information

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808 cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

More information

IT Security and OT Security. Understanding the Challenges

IT Security and OT Security. Understanding the Challenges IT Security and OT Security Understanding the Challenges Security Maturity Evolution in Industrial Control 1950s 5/4/2012 # 2 Technology Sophistication Security Maturity Evolution in Industrial Control

More information

CONTROL SYSTEM VENDOR CYBER SECURITY TRENDS INTERIM REPORT

CONTROL SYSTEM VENDOR CYBER SECURITY TRENDS INTERIM REPORT Energy Research and Development Division FINAL PROJECT REPORT CONTROL SYSTEM VENDOR CYBER SECURITY TRENDS INTERIM REPORT Prepared for: Prepared by: California Energy Commission KEMA, Inc. MAY 2014 CEC

More information

Completed. Document Name. NERC CIP Requirements CIP-002 Critical Cyber Asset Identification R1 Critical Asset Identifaction Method

Completed. Document Name. NERC CIP Requirements CIP-002 Critical Cyber Asset Identification R1 Critical Asset Identifaction Method NERC CIP Requirements CIP-002 Critical Cyber Asset Identification R1 Critical Asset Identifaction Method R2 Critical Asset Identification R3 Critical Cyber Asset Identification Procedures and Evaluation

More information

Technology Solutions for NERC CIP Compliance June 25, 2015

Technology Solutions for NERC CIP Compliance June 25, 2015 Technology Solutions for NERC CIP Compliance June 25, 2015 2 Encari s Focus is providing NERC CIP Compliance Products and Services for Generation and Transmission Utilities, Municipalities and Cooperatives

More information

Cyber Security for NERC CIP Version 5 Compliance

Cyber Security for NERC CIP Version 5 Compliance GE Measurement & Control Cyber Security for NERC CIP Version 5 Compliance imagination at work Contents Cyber Security for NERC CIP Compliance... 5 Sabotage Reporting... 6 Security Management Controls...

More information

BSM for IT Governance, Risk and Compliance: NERC CIP

BSM for IT Governance, Risk and Compliance: NERC CIP BSM for IT Governance, Risk and Compliance: NERC CIP Addressing NERC CIP Security Program Requirements SOLUTION WHITE PAPER Table of Contents INTRODUCTION...................................................

More information

Cyber security measures in protection and control IEDs

Cyber security measures in protection and control IEDs Cyber security measures in protection and control IEDs K. Hagman 1, L.Frisk 1, J. Menezes 1 1 ABB AB, Sweden krister.hagman@se.abb.com Abstract: The electric power grids and power systems are critical

More information

Document ID. Cyber security for substation automation products and systems

Document ID. Cyber security for substation automation products and systems Document ID Cyber security for substation automation products and systems 2 Cyber security for substation automation systems by ABB ABB addresses all aspects of cyber security The electric power grid has

More information

Secure Substation Automation for Operations & Maintenance

Secure Substation Automation for Operations & Maintenance Secure Substation Automation for Operations & Maintenance Byron Flynn GE Energy 1. Abstract Today s Cyber Security requirements have created a need to redesign the Station Automation Architectures to provide

More information

The Importance of Cybersecurity Monitoring for Utilities

The Importance of Cybersecurity Monitoring for Utilities The Importance of Cybersecurity Monitoring for Utilities www.n-dimension.com Cybersecurity threats against energy companies, including utilities, have been increasing at an alarming rate. A comprehensive

More information

GE Oil & Gas. Cyber Security for NERC CIP Versions 5 & 6 Compliance

GE Oil & Gas. Cyber Security for NERC CIP Versions 5 & 6 Compliance GE Oil & Gas Cyber Security for NERC CIP Versions 5 & 6 Compliance Cyber Security for NERC CIP Versions 5 & 6 Compliance 2 Contents Cyber Security for NERC CIP Compliance... 5 Sabotage Reporting... 6 Security

More information

North American Electric Reliability Corporation: Critical Infrastructure Protection, Version 5 (NERC-CIP V5)

North American Electric Reliability Corporation: Critical Infrastructure Protection, Version 5 (NERC-CIP V5) Whitepaper North American Electric Reliability Corporation: Critical Infrastructure Protection, Version 5 (NERC-CIP V5) NERC-CIP Overview The North American Electric Reliability Corporation (NERC) is a

More information

Cybersecurity for Energy Delivery Systems 2010 Peer Review. William H. Sanders University of Illinois TCIPG: Network Access Policy Tool (NetAPT)

Cybersecurity for Energy Delivery Systems 2010 Peer Review. William H. Sanders University of Illinois TCIPG: Network Access Policy Tool (NetAPT) Cybersecurity for Energy Delivery Systems 2010 Peer Review Alexandria, VA July 20-22, 2010 William H. Sanders University of Illinois TCIPG: Network Access Policy Tool (NetAPT) (Joint work with David Nicol,

More information

Practical Considerations for Security

Practical Considerations for Security Practical Considerations for Security Steven Hodder GE Digital Energy, Multilin 1. Introduction This paper has been prepared to outline some practical security strategies for protection & control engineers

More information

Verve Security Center

Verve Security Center Verve Security Center Product Features Supports multiple control systems. Most competing products only support a single vendor, forcing the end user to purchase multiple security systems Single solution

More information

Symphony Plus Cyber security for the power and water industries

Symphony Plus Cyber security for the power and water industries Symphony Plus Cyber security for the power and water industries Symphony Plus Cyber Security_3BUS095402_(Oct12)US Letter.indd 1 01/10/12 10:15 Symphony Plus Cyber security for the power and water industries

More information

RUGGEDCOM CROSSBOW. Secure Access Management Solution. siemens.com/ruggedcom. Edition 10/2014. Brochure

RUGGEDCOM CROSSBOW. Secure Access Management Solution. siemens.com/ruggedcom. Edition 10/2014. Brochure RUGGEDCOM CROSSBOW Secure Access Management Solution Brochure Edition 10/2014 siemens.com/ruggedcom Siemens RUGGEDCOM CROSSBOW Secure Access Manager and Station Access Controller Siemens RUGGEDCOM CROSSBOW

More information

PCI v2.0 Compliance for Wireless LAN

PCI v2.0 Compliance for Wireless LAN PCI v2.0 Compliance for Wireless LAN November 2011 This white paper describes how to build PCI v2.0 compliant wireless LAN using Meraki. Copyright 2011 Meraki, Inc. All rights reserved. Trademarks Meraki

More information

Effective Use of Assessments for Cyber Security Risk Mitigation

Effective Use of Assessments for Cyber Security Risk Mitigation White Paper Effective Use of Assessments for Cyber Security Risk Mitigation Executive Summary Managing risk related to cyber security vulnerabilities is a requirement for today s modern systems that use

More information

Supporting our customers with NERC CIP compliance. James McQuiggan, CISSP

Supporting our customers with NERC CIP compliance. James McQuiggan, CISSP Supporting our customers with NERC CIP compliance James, CISSP Siemens Energy Sector Energy products and solutions - in 6 Divisions Oil & Gas Fossil Power Generation Renewable Energy Service Rotating Equipment

More information

LogRhythm and NERC CIP Compliance

LogRhythm and NERC CIP Compliance LogRhythm and NERC CIP Compliance The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to ensure that the bulk electric system in North America is reliable, adequate

More information

Ovation Security Center Data Sheet

Ovation Security Center Data Sheet Features Scans for vulnerabilities Discovers assets Deploys security patches transparently Allows only white-listed applications to run in workstations Provides virus protection for Ovation Windows workstations

More information

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc. Securing Modern Substations With an Open Standard Network Security Solution Kevin Leech Schweitzer Engineering Laboratories, Inc. Copyright SEL 2009 What Makes a Cyberattack Unique? While the resources

More information

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD005.001. Effective Date: April 7, 2005

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD005.001. Effective Date: April 7, 2005 State of New Mexico Statewide Architectural Configuration Requirements Title: Network Security Standard S-STD005.001 Effective Date: April 7, 2005 1. Authority The Department of Information Technology

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

ISACA rudens konference

ISACA rudens konference ISACA rudens konference 8 Novembris 2012 Procesa kontroles sistēmu drošība Andris Lauciņš Ievads Kāpēc tēma par procesa kontroles sistēmām? Statistics on incidents Reality of the environment of industrial

More information

Secure Remote Substation Access Interest Group Part 3: Review of Top Challenges, CIPv5 mapping, and looking forward to 2014!

Secure Remote Substation Access Interest Group Part 3: Review of Top Challenges, CIPv5 mapping, and looking forward to 2014! Secure Remote Substation Access Interest Group Part 3: Review of Top Challenges, CIPv5 mapping, and looking forward to 2014! October 3, 2013 Scott Sternfeld, Project Manager Smart Grid Substation & Cyber

More information

The Protection Mission a constant endeavor

The Protection Mission a constant endeavor a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring

More information

Using the DNP3.0 Protocol via Digi Device Servers and Terminal Servers

Using the DNP3.0 Protocol via Digi Device Servers and Terminal Servers Using the DNP3.0 Protocol via Digi Device Servers and Terminal Servers For years, electric power utilities have relied on Digi internal serial cards (i.e., DigiBoard solutions) to connect UNIX, Linux and

More information

SIMPLIFYING THE PATCH MANAGEMENT PROCESS

SIMPLIFYING THE PATCH MANAGEMENT PROCESS SIMPLIFYING THE PATCH MANAGEMENT PROCESS www.icsupdate.com Monta Elkins Security Architect FoxGuard Solutions melkins@foxguardsolutions.com SIMPLIFYING THE PATCH MANAGEMENT PROCESS 2 SIMPLIFYING THE PATCH

More information

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1 Industrial Network Security for SCADA, Automation, Process Control and PLC Systems Contents 1 An Introduction to Industrial Network Security 1 1.1 Course overview 1 1.2 The evolution of networking 1 1.3

More information

Deploying VSaaS and Hosted Solutions Using CompleteView

Deploying VSaaS and Hosted Solutions Using CompleteView SALIENT SYSTEMS WHITE PAPER Deploying VSaaS and Hosted Solutions Using CompleteView Understanding the benefits of CompleteView for hosted solutions and successful deployment architecture Salient Systems

More information

future data and infrastructure

future data and infrastructure White Paper Smart Grid Security: Preparing for the Standards-Based Future without Neglecting the Needs of Today Are you prepared for future data and infrastructure security challenges? Steve Chasko Principal

More information

Recommended IP Telephony Architecture

Recommended IP Telephony Architecture Report Number: I332-009R-2006 Recommended IP Telephony Architecture Systems and Network Attack Center (SNAC) Updated: 1 May 2006 Version 1.0 SNAC.Guides@nsa.gov This Page Intentionally Left Blank ii Warnings

More information

Introduction. Industry Changes

Introduction. Industry Changes Introduction The Electronic Safety and Security Design Reference Manual (ESSDRM) is designed to educate and inform professionals in the safety and security arena. The ESSDRM discusses trends and expertise

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to

More information

THE TOP 4 CONTROLS. www.tripwire.com/20criticalcontrols

THE TOP 4 CONTROLS. www.tripwire.com/20criticalcontrols THE TOP 4 CONTROLS www.tripwire.com/20criticalcontrols THE TOP 20 CRITICAL SECURITY CONTROLS ARE RATED IN SEVERITY BY THE NSA FROM VERY HIGH DOWN TO LOW. IN THIS MINI-GUIDE, WE RE GOING TO LOOK AT THE

More information

Joe Andrews, MsIA, CISSP-ISSEP, ISSAP, ISSMP, CISA, PSP Sr. Compliance Auditor Cyber Security

Joe Andrews, MsIA, CISSP-ISSEP, ISSAP, ISSMP, CISA, PSP Sr. Compliance Auditor Cyber Security Joe Andrews, MsIA, CISSP-ISSEP, ISSAP, ISSMP, CISA, PSP Sr. Compliance Auditor Cyber Security CIP-005-3 Audit Approach, ESP Diagrams, Industry Best Practices September 24 25, 2013 SALT LAKE CITY, UTAH

More information

Huawei Terminal Security Management Solution Create Enterprise Intranet Security

Huawei Terminal Security Management Solution Create Enterprise Intranet Security Huawei Terminal Security Management Solution Create Enterprise Intranet Security Terminal Security Management Solution 01 Introduction According to the third-party agencies such as the Computer Security

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

Utility Modernization Cyber Security City of Glendale, California

Utility Modernization Cyber Security City of Glendale, California Utility Modernization Cyber Security City of Glendale, California Cyber Security Achievements Cyber Security Achievements (cont) 1. Deploying IT Security Awareness training program Q4 2012 2. Purchased

More information

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014 Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Process Solutions (HPS) June 4, Industrial Cyber Security Industrial Cyber Security is the leading provider of cyber security

More information

Cyber Security measures in Protection and Control IEDs

Cyber Security measures in Protection and Control IEDs Cyber Security measures in Protection and Control IEDs K. Hagman, L. Frisk, J. Menezes, M.M. Saha ABB AB, Substation Automation Products, Sweden Keywords: security, hardening, authentication, authorization,

More information

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

CYBER ATTACKS EXPLAINED: PACKET CRAFTING CYBER ATTACKS EXPLAINED: PACKET CRAFTING Protect your FOSS-based IT infrastructure from packet crafting by learning more about it. In the previous articles in this series, we explored common infrastructure

More information

Experiment # 6 Remote Access Services

Experiment # 6 Remote Access Services Experiment # 6 Remote Access Services 7-1 : Introduction Businesses today want access to their information anywhere, at any time. Whether on the road with customers or working from home, employees need

More information

8/27/2015. Brad Schuette IT Manager City of Punta Gorda bschuette@pgorda.us (941) 575-3354. Don t Wait Another Day

8/27/2015. Brad Schuette IT Manager City of Punta Gorda bschuette@pgorda.us (941) 575-3354. Don t Wait Another Day Brad Schuette IT Manager City of Punta Gorda bschuette@pgorda.us (941) 575-3354 2015 FRWA Annual Conference Don t Wait Another Day 1 SCADA Subsystems Management Physical Connectivity Configuration Mgmt.

More information

APPENDIX 8 TO SCHEDULE 3.3

APPENDIX 8 TO SCHEDULE 3.3 EHIBIT Q to Amendment No. 60 - APPENDI 8 TO SCHEDULE 3.3 TO THE COMPREHENSIVE INFRASTRUCTURE AGREEMENT APPENDI 8 TO SCHEDULE 3.3 TO THE COMPREHENSIVE INFRASTRUCTURE AGREEMENT EHIBIT Q to Amendment No.

More information

Secure Remote Substation Access Solutions

Secure Remote Substation Access Solutions Secure Remote Substation Access Solutions Supplemental Project - Introduction Webcast October 16, 2013 Scott Sternfeld, Project Manager Smart Grid Substation & Cyber Security Research Labs ssternfeld@epri.com

More information

Lessons Learned CIP Reliability Standards

Lessons Learned CIP Reliability Standards Evidence for a requirement was not usable due to a lack of identifying information on the document. An entity should set and enforce a "quality of evidence" standard for its compliance documentation. A

More information

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams

More information

Control System Integrity (CSI) Tools and Processes to Automate CIP Compliance for Control Systems

Control System Integrity (CSI) Tools and Processes to Automate CIP Compliance for Control Systems Control System Integrity (CSI) Tools and Processes to Automate CIP Compliance for Control Systems James Goosby Manager I&C Systems and Field Support 19 th Annual ARC Industry Forum Agenda About Us Compliance

More information

GE DigitalEnergy. Integrated Substation Control System (iscs) IEC 61850-based Substation Automation Solutions

GE DigitalEnergy. Integrated Substation Control System (iscs) IEC 61850-based Substation Automation Solutions GE DigitalEnergy Integrated Substation Control System (iscs) IEC 61850-based Substation Automation Solutions the Business Case The next generation substation control and automation systems will be linked

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

Muscle to Protect Your Grid July 2009. Sustainable and Cost-effective Muscle to Protect Your Grid

Muscle to Protect Your Grid July 2009. Sustainable and Cost-effective Muscle to Protect Your Grid July 2009 Sustainable and Cost-effective Muscle to Protect Your Grid Page 2 Ensuring the reliability of the North American power grid is no small task and one that continues to grow in complexity on a

More information

Section 1 CREDIT UNION Member Information Security Due Diligence Questionnaire

Section 1 CREDIT UNION Member Information Security Due Diligence Questionnaire SAMPLE CREDIT UNION INFORMATION SECURITY DUE DILIGENCE QUESTIONNAIRE FOR POTENTIAL VENDORS Section 1 CREDIT UNION Member Information Security Due Diligence Questionnaire 1. Physical security o Where is

More information

Network Client. Troubleshooting Guide FREQUENTLY ASKED QUESTIONS

Network Client. Troubleshooting Guide FREQUENTLY ASKED QUESTIONS Network Client Troubleshooting Guide 1 Network Client Troubleshooting Guide The first section of this guide answers some frequently asked questions (FAQs) about the operation of Intellex and the Network

More information

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008 U.S. D EPARTMENT OF H OMELAND S ECURITY 7 Homeland Fiscal Year 2008 HOMELAND SECURITY GRANT PROGRAM ty Grant Program SUPPLEMENTAL RESOURCE: CYBER SECURITY GUIDANCE uidelines and Application Kit (October

More information

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9 NETASQ & PCI DSS Is NETASQ compatible with PCI DSS? We have often been asked this question. Unfortunately, even the best firewall is but an element in the process of PCI DSS certification. This document

More information

CIP-005-3 Electronic Security Perimeter (ESP) - Dan Mishra FRCC Compliance Workshop May 09-13, 2011

CIP-005-3 Electronic Security Perimeter (ESP) - Dan Mishra FRCC Compliance Workshop May 09-13, 2011 CIP-005-3 Electronic Security Perimeter (ESP) - Dan Mishra FRCC Compliance Workshop May 09-13, 2011 1 Purpose Specific NERC CIP-005 Requirements Underlying fundamentals of the ESP architecture Building

More information

Cloud Computing for SCADA

Cloud Computing for SCADA Cloud Computing for SCADA Moving all or part of SCADA applications to the cloud can cut costs significantly while dramatically increasing reliability and scalability. A White Paper from InduSoft Larry

More information

Networking Basics for Automation Engineers

Networking Basics for Automation Engineers Networking Basics for Automation Engineers Page 1 of 10 mac-solutions.co.uk v1.0 Oct 2014 1. What is Transmission Control Protocol/Internet Protocol (TCP/IP)------------------------------------------------------------

More information