Meeting NERC CIP Requirements with CyberLock

Transcription

1 Meeting NERC CIP Requirements with CyberLock Webinar: Tuesday, June 19 th, :30 AM PDT Phone: +1 (646) Access Code: By:

2 Today s Agenda Presented By US Power Grid NERC/CIP Key-Centric Access Control Case Study Summary Q&A 2

3 Presented By An industry leader in design & manufacturing: Access Control Data Collection Electrical Engineering Founded in 1979 Based in Corvallis, Oregon America s most innovative city* James T. McGowan High tech & security industry veteran Vice President of Sales and Marketing * Most patents per 100,000 people as measured by scale-adjusted metropolitan indicators from the online journal of the Public Library of Science. 3

4 United States Power Grid 500 companies manage over 186,000 miles of transmission lines that make up the contiguous United States power grid. 4

5 Objective The US Power Grid requires a comprehensive security system to protect both physical and cyber assets. If you are involved with the physical security of any of these power networks, this webinar is for you. 5

6 Securing the Grid US Power Grid Critical Infrastructure Matter of National Security Requires Protection Documented Security Standards + = Compliance 6

7 NERC Formed in 2006 Non-Profit Dates back to 1968 Mission To ensure the reliability of the North American bulk power system Responsibilities Develop Standards Ensure Compliance Assess Resources Education & Training Investigate Disruptions Critical Infrastructure Protection (NERC/CIP) 7

8 NERC CIP CIP (Critical Infrastructure Protection) A program that coordinates all of NERC s efforts to improve physical and cyber security for the power system of North America Collaborates with U.S. Department of Energy Department of Homeland Security Public Safety Canada 8

9 Compliance Where are the standards? All things NERC Standards page Click on Critical Infrastructure Protection (CIP) 9

10 10

11 CIP Title: Cyber Security Security Management Controls Number: CIP Purpose: Standard CIP requires that Responsible Entities have minimum-security management controls in place to protect Critical Cyber Assets. Key Point: implement a program for managing access to protected Critical Cyber Asset information 11

12 CIP-005-3a Title: Cyber Security Electronic Security Perimeter(s) Number: CIP-005-3a Purpose: Standard CIP requires the identification and protection of the Electronic Security Perimeter(s) inside which all Critical Cyber Assets reside, as well as all access points on the perimeter. Standard CIP should be read as part of a group of standards numbered Standards CIP through CIP Key Points: access control model that denies access by default, such that explicit access permissions must be specified. entity shall review or otherwise assess access logs for attempts at or actual unauthorized accesses at least every ninety calendar days. 12

13 CIP-006-3c Title: Cyber Security Physical Security of Critical Cyber Assets Number: CIP-006-3c Purpose: Standard CIP is intended to ensure the implementation of a physical security program for the protection of Critical Cyber Assets. Standard CIP should be read as part of a group of standards numbered Standards CIP through CIP Key Points: shall document and implement the operational and procedural controls to manage physical access at all access points to the Physical Security Perimeter(s) twenty-four hours a day, seven days a week. access shall document and implement the technical and procedural controls for monitoring physical access at all access points to the Physical Security Perimeter(s) twenty-four hours a day, seven days a week. 13

14 What s Needed? An Access Control System Realistic Proven Affordable Secure Traceable Compliant Key-Centric System 14

15 How Does It Work? Electronic cylinders are installed Smart keys are distributed System is programmed Audit trails are created 15

16 A Day In the Life 2 1 Schedules & permissions are set in software Key holders update permissions via Communicators 3 Updating permissions and downloading audit trails occur simultaneously Audit trails uploaded into software 5 4 Key holders access locks Key holders download activity via Communicators 16

17 Locks ecylinders Replace Existing Cylinders CIP-006 manage physical access to all access points Intelligent locks No power/wiring needed Power comes from key Lost key list Highly secure No pick-able keyway 17

18 Keys Smart Keys Distribute Smart Keys CIP-005 access control model that denies access by default, such that explicit access permissions must be specified Key energizes lock Validates credentials Schedule of permissions Remembers every touch Flexible uploads 18

19 Communicators Communication Devices Authorize Access CIP-006 Predefined electronic access rights uploaded to key Log access to physical security Communicators provide interface to software Updates Download audit trails Upload new system info 19

20 Software System Management View and Manage Access CIP-006 electronic access where the access rights are predefined in a computer database Intuitive GUI Browser-based system Protocol agnostic 20

21 CyberLock The Leader in Key-Centric Access Control Launched in million+ CyberLocks manufactured 290+ lock designs Multiple key options Stable, feature-rich software Expansion platform Lock-centric option 3 rd party integration Fulfills NERC CIP Access Control Requirements 21

22 ITC Holdings, Novi, Michigan Challenge: Meeting NERC/CIP requirements for physical assets that support power transmission for over 24 million people Solution: CyberLock Benefit: CyberLock restricts and audits access to physical and cyber facilities, eliminating key duplication issues; management is now able to track and control both employee and contractor access Case Study 22

23 Summary Deploy CyberLock to achieve NERC CIP Compliance Proven Affordable Secure Traceable Compliant 23

24 Next Steps How to learn more: On the web: Via Via phone:

25 Wrap Up Questions & Answers 25