Control System Integrity (CSI)

Transcription

1 Control System Integrity (CSI) Tools and Processes to Automate CIP Compliance for Control System Automating NERC Compliance Assurance February, ARC Forum Orlando Florida

2 Southern Company Facility Map

3 Cisco (Control Networks) Modicon (PLC) Siemens (TCS) ABB (DCS) Yokogawa GE Bently Nevada Mitsubishi (TCS) Woodward (TCS) Foxboro (DCS) Metso (DCS) Emerson (DCS) Allen Bradley (PLC) Schweitzer (Relay) Siemens (EMS) RTU AspenTech GE Mark VI Spectrum (CEMS) Toshiba (TCS) GE Fanuc (PLC) Southern Company Control Types

4 CIP Standards Requirements in RED will use the CSI tool to support Generation s compliance management

5 CIP Compliance Management Tools Generation s Compliance Assurance Tool CONTROL SYSTEM INTEGRITY (CSI) CHANGE MANAGEMENT Plant Controls Southern Company s Risk Management Tool VULNER- ABILITY CSI CONTROLS CIP TOOL INVENTORY GENERATION CONTROL SYSTEM INTEGRITY INVENTORY Plant Automation Data REPORTS REPORTING DESIGN CAPABILITIES FUTURE CSI Functional Model

6 CSI Primary Purpose Compliance CSI is a tool used to help Southern Company Generation meet the compliance requirements associated with the NERC Cyber Security Standards. CSI will be used to collect and archive plant Automation Data, transform this data into compliance information. This information will be used to manage and document security processes, and provide compliance assurance documentation. Strategic Direction

7 DCSs, PLCs, Historians Automation Data Configurations, User Interfaces, Device data, System Logs, Inventory System Architecture Overview Secure Web Interface IIS Data Input Control Configurations Control device data (WMI) Control Graphics Discovered devices on plant network Manual Inventory NERC Properties Approved User List Approved OS Patches Approved Vendor Patches Approved Device Ports & Services Approved Anti-Virus Definitions Backup and Storage Sched. Password Management Schedule Database Compliance Management Features Information Output CIP Compliance Dashboard 2,3,7,9 Asset Inventory 2.R2 Device Discovery Report 2.R2 Change Management Report 3.R6 People with Access to CCAs 4.R4 Port Variances 7.R2 Services Variances 7.R2 OS Patch Variances 7.R3 App. Patch Variances 7.R3 Antivirus Definition Updates 7.R4 User Accounts 7.R5.1 Password Change Management 7.R5.3 Media Disposal Management 7.R7.3 Backup & storage records 9.R4

8 NERC Cyber Security Compliance INVENTORY Capabilities: CSI imports automation data from plant controls devices at selected location Inventory list of control system assets and their compliance status Detailed information about each device Query and report capability on device details Security patch management Malicious software prevention management Ports and Services monitoring User Account management Password Change Management Backup and storage management Compliance Management Features

9 NERC Cyber Security Compliance INVENTORY Benefit of automating inventory process Avoid the cost of an annual manual inventory of assets Inventory must be auditable on-going CSI tool minimizes future manual inventories Limitation: CSI only collects data on networked devices Manual Inventory Statistics Time to Complete 12 weeks No. of People 4-5 No. of Devices inventoried manually 777 No. of Devices inventoried by CSI 112 Est. No. of NERC CCA devices 128 Compliance Management Features

10 NERC Cyber Security Compliance CHANGE MANAGEMENT(MOC) Capabilities: Change control and configuration management process Workflow Process Proposing Change Authorizing Change Reconciling Change Notification of Change Types of changes to be managed Asset Inventory Changes (adds, deleted, or modifications to inventory) Control System Configuration Changes Control System Software Changes (adds, deletes, revisions, patches) Cyber Security Changes (ports, services, OS security patches, AV updates) Compliance Management Features

11 REPORTING LISTINGS DASHBOARD REPORTS ASSET INVENTORY CYBER ASSET INVENTORY CONTROL DEVICE DATA (WMIC) AUTHORIZED USER LIST APPROVED OS PATCHES APPROVED VENDOR PATCHES APPROVED DEVICE PORTS APPROVED ANTI-VIRUS DEF. s BACKUP AND STORAGE SCHED. PASSWORD MGT. SCHEDULE SYSTEM LOGS INVENTORY UN-RECONCILED CHANGES PORTS & SERVICES SECURITY PATCH MANAGEMENT ANTIVIRUS MANAGEMENT PASSWORD MANAGEMENT MEDIA DISPOSAL MANAGEMENT BACKUP & STORAGE NERC ALERTS SECURITY PATCH MGT. ACCOUNT MANAGEMENT MALICIOUS SOFTWARE DEVICE DISCOVERY CUSTOM USER REPORTS COMPLIANCE REPORTS MOC REPORTS SYSTEM ALERT STATUS PSP ASSET REPORT ESP ASSET REPORT CSI - REPORTING

12 Thank You