BSM for IT Governance, Risk and Compliance: NERC CIP

Transcription

1 BSM for IT Governance, Risk and Compliance: NERC CIP Addressing NERC CIP Security Program Requirements SOLUTION WHITE PAPER

2 Table of Contents INTRODUCTION ABOUT NERC CIP ABOUT BUSINESS SERVICE MANAGEMENT FROM BMC Achieving NERC CIP Compliance with BSM from BMC NERC CIP 002 CRITICAL CYBER ASSET IDENTIFICATION* NERC CIP 003 SECURITY MANAGEMENT CONTROLS NERC CIP 004 PERSONNEL AND TRAINING NERC CIP 005 ELECTRONIC SECURITY PERIMETER(S) NERC CIP 007 SYSTEMS SECURITY MANAGEMENT NERC CIP 008 INCIDENT REPORTING AND RESPONSE PLANNING NERC CIP 009 RECOVERY PLANS FOR CRITICAL CYBER ASSETS CONCLUSION

3 INTRODUCTION ABOUT NERC CIP The North American Electric Reliability Council s (NERC) Critical Infrastructure Protection (CIP) Standards identify the minimum requirements to implement and maintain a cyber-security program and to protect those cyber assets deemed critical to the reliability of the North American bulk electric system operation. Utilities that fail to properly address these standards not only risk getting fined millions of dollars, but also risk having a negative impact on shareholder value, customer confidence, and the stable and consistent operation of the power grid. The NERC standard is divided in to eight separate reliability standards: CIP-002: Critical Cyber Asset Identification CIP-003: Security Controls CIP-004: Personnel and Training CIP-005: Electronic Security Perimeter(s) CIP-006: Physical Security of Critical Cyber Assets CIP-007: Systems Security CIP-008: Incident Reporting and Response Planning CIP-009: Recovery Plans for Critical Cyber Assets These eight standards are comprised of fifty-one major requirements, each of which refers to many more specific requirements. This volume of specific requirements includes both technical and managerial controls, much like other industry mandates, such as PCI DSS. These control requirements are applicable to any entity that owns, operates, or uses any portion of the bulk power system. Compliance to these reliability standards is mandatory. The compliance process includes formal NERC audits conducted by the Regional Reliability Councils. The process also requires active self-certification, as well as the periodic reporting of compliance data and the selfreporting of any noncompliance with NERC policies, procedures, or standards. ABOUT BUSINESS SERVICE MANAGEMENT FROM BMC Business Service (BSM) from BMC Software provides a comprehensive and unified platform that simultaneously optimizes IT costs, demonstrates transparency, increases business value, controls risk, and assures quality of service. Delivering an ERP for IT, BSM simplifies, standardizes, and automates IT processes so you can manage business services efficiently across their lifecycle. With BSM, your organization has the trusted information it needs, can prioritize work based on business critical services, and can orchestrate workflow across your core IT management functions. As the recognized leader in BSM, BMC is uniquely positioned to help you succeed in your NERC CIP compliance efforts. BSM offers a unified approach that enables you to govern the delivery of business services throughout their lifecycle, enforce policies, and automate compliance across your entire IT environment mainframe, distributed, virtual, and Cloud. BSM from BMC provides a common and unified platform to identify and secure Critical Cyber Assets as defined in the NERC CIP standards. Integration between products across the BSM portfolio is the cornerstone for addressing the NERC CIP requirements. In some cases, BSM provides both general support and complete support. A good example is ensuring that the Electronic Security Perimeter denies access by default, and that explicit access permissions have been specified. While BSM does not provide firewall functionality specifically, it does provide configuration compliance audit and automated remediation to ensure the Critical Cyber Assets are configured appropriately with regards to discrete access control requirements. In other cases, BSM provides a total solution that integrates governance and risk management, control automation, incident and change management, and policy-based measurement and reporting to resolve the standard requirements in a way that exceeds the capabilities of other solutions. The BSM solution for the NERC CIP Standards is a good example of a complete solution with enhancements in comparison to other solutions. 1

4 Every entity has to define both the intensity of the control and the frequency of the associated tests for many requirements in NERC CIP. BSM from BMC provides options to meet your unique requirements from routinely scheduled audits that identify and alert to real-time monitoring that detects and alerts on relevant events. BMC solutions provide a choice, with integration to the industry s leading IT service management suite of solutions to classify, escalate, and track the resulting incidents. BSM delivers a comprehensive solution that provides the appropriate levels of risk mitigation and superior performance within constraints. Achieving NERC CIP Compliance with BSM from BMC NERC CIP 002 CRITICAL CYBER ASSET IDENTIFICATION 1 Requirement R3- Critical Cyber Asset Identification Using the list of Critical Assets developed pursuant to Requirement R2, the Responsible Entity shall develop a list of associated Critical Cyber Assets essential to the operation of the Critical Asset. Configuration Repository and Baseline BMC Atrium Discovery and Dependency Mapping BMC Atrium CMDB Enriches the BMC Atrium CMDB by automatically discovering people, business processes, applications, and IT infrastructure data. Provides an up-to-date single source of truth of the Critical Cyber Assets within the IT environment (servers, network devices, etc.) Allows easy reporting on key attributes of those assets to assist in the risk assessment process. NERC CIP 003 SECURITY MANAGEMENT CONTROLS Requirement R3- Exceptions Instances where the Responsible Entity cannot conform to its cyber security policy must be documented as exceptions and authorized by the senior manager or delegate(s). Monitoring and Reporting Collecting Monitoring Data Timely Operation of Internal Controls BMC IT Business Suite BMC IT Controls Records the results of an attestation and also documents and tracks exceptions. Includes templates and policies that enable flexible management of configuration standards, access controls, and other manual processes where attestation of controls is necessary to comply with the NERC CIP standards. Requirement R4- Information Protection The Responsible Entity shall implement and document a program to identify, classify, and protect information associated with Critical Cyber Assets. Data Classification Scheme BMC Atrium CMDB BMC Atrium Orchestrator Creates an enterprise-wide data model that incorporates a classification scheme to ensure data integrity and quality. Enables seamless integration between support and operations processes, enabling closed-loop support for program management necessary for NERC CIP compliance. 1 SOURCE FOR ALL REQUIREMENTS: The North American Electric Reliability Council s (NERC) Critical Infrastructure Protection (CIP) Standards, May 2010 ( 20) 2

5 Requirement R5- Access Control The Responsible Entity shall document and implement a program for managing access to protected Critical Cyber Asset information. Segregation of Duties BMC Remedy Identity BMC Partner Solution Provides role-based access controls that define the identity provisioning framework for segregation of duties. Includes flexible workflow approval options, in addition to the creation of policy definition and enforcement surrounding your Critical Cyber Assets. Job Change and Termination Emergency and Temporary Access Authorizations BMC Remedy Identity BMC Partner Solution Addresses detailed objectives related to changing or revoking access rights during job change and termination. Integrates with the BMC Remedy IT Service Suite and the BMC Atrium CMDB to provide broad awareness of identity processes around Critical Cyber Assets. Requirement R6- Change Control and Configuration The Responsible Entity shall establish and document a process of change control and configuration management for adding, modifying, replacing, or removing Critical Cyber Asset hardware or software, and implement supporting configuration management activities to identify, control and document all entity or vendor-related changes to hardware and software components of Critical Cyber Assets pursuant to the change control process Change Request Initiation and Control Control of Changes Emergency Changes BMC Application Release BMC BladeLogic Client BMC BladeLogic Network BMC BladeLogic Server Suite BMC Remedy IT Service Suite BMC Remedy Change and Release Provides provisioning and patch management processes. Automates change commitment assurance, roll-back, and configuration change drift detection. Supports a vast array of servers, devices, platforms, and more, allowing you deep insight and control over many of your Critical Cyber Assets. Configuration Baseline Configuration Control Technology Standards BMC Application Release BMC BladeLogic Client BMC BladeLogic Network BMC BladeLogic Server Suite BMC Remedy IT Service Suite BMC Remedy Change and Release BMC Remedy Service Desk Enables the establishment of gold standard configurations, allowing the provisioning and enforcement of technology standards. Provides ITIL -certified change management and problem management processes for managing and tracking change activity in Critical Cyber Assets. 3

6 Configuration Baseline Configuration Procedures Emergency Changes Change Request Initiation and Control Control of Changes BMC Remedy IT Service Suite BMC Remedy Change and Release Provides management and tracking of configuration baseline change and problem management processes. Gives you control over Critical Cyber Asset configurations even during emergency change situations enabling you to maintain NERC CIP compliance even when making out-of-cycle changes. NERC CIP 004 PERSONNEL AND TRAINING Requirement R4- Access The Responsible Entity shall maintain list(s) of personnel with authorized cyber or authorized unescorted physical access to Critical Cyber Assets, including their specific electronic and physical access rights to Critical Cyber Assets. Segregation of Duties BMC Remedy Identity BMC Partner Solution BMC BladeLogic Client BMC BladeLogic Server Suite Maintains segregation of duties using RBAC-based management of identities. Provides flexible workflow approval options that provide accountability for access to Critical Cyber Assets. Job Change and Termination Emergency and Temporary Access Authorizations BMC Remedy Identity BMC Partner Solution Helps address detailed objectives related to changing or revoking access rights during job change and termination. Improves consistency and quality of service by automating routine identity processes, ensuring proper access control to Critical Cyber Assets. NERC CIP 005 ELECTRONIC SECURITY PERIMETER(S) Requirement R1- Electronic Security Perimeter The Responsible Entity shall ensure that every Critical Cyber Asset resides within an Electronic Security Perimeter. The Responsible Entity shall identify and document the Electronic Security Perimeter(s) and all access points to the perimeter(s). Definition of Interfaces BMC Atrium Discovery and Dependency Mapping BMC Atrium CMDB BMC Application Release BMC BladeLogic Client BMC BladeLogic Network BMC BladeLogic Server Suite Provides a current and accurate inventory and classification of assets, which includes interfaces to and from systems. Enables organizations to establish controls, such as disabling network ports and monitoring the Electronic Security Perimeter access points, creating a granular and layered approach to perimeter protection. 4

7 Requirement R2- Electronic Access Controls The Responsible Entity shall implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the Electronic Security Perimeter(s). Segregation of Duties BMC Remedy Identity BMC Partner Solution BMC Application Release BMC BladeLogic Client BMC BladeLogic Network BMC BladeLogic Server Suite Provides role-based access controls that define and enable an identity provisioning framework that supports the segregation of duties. Enforces control between development or test environments and production on an administrator or system level. Provides flexible workflow and approval options that ensure consistent application of access control to Critical Cyber Assets. Manages and monitors granular access control to Critical Cyber Assets across the pool of administrator roles. Job change and Termination Emergency and Temporary Access Authorizations BMC Remedy Identity BMC Partner Solution BMC IT Business Suite BMC IT Controls Addresses the detailed needs of changing or revoking access rights during job change and termination. Offers policy definition and enforcement of roles governing access to Critical Cyber Assets even when emergency or otherwise temporary access is required. Requirement R3- Monitoring Electronic Access The Responsible Entity shall implement and document an electronic or manual process (es) for monitoring and logging access at access points to the Electronic Security Perimeter(s) twenty-four hours a day, seven days a week. Audit Trails Design BMC BladeLogic Server Suite Generates comprehensive reports of attempts to access data, change configurations, create or delete system level objects, view audit trails, or log in by individual users, including system administrators. Provides comprehensive reporting capabilities that provide a foundation for managing security-related events across platforms within the Electronic Security Perimeter. Use and Monitoring of System Utilities BMC Application Release BMC BladeLogic Client BMC BladeLogic Network BMC BladeLogic Server Suite Provides role-based access management to enforce authorized use of approved system utilities, and can be used to disable or remove unnecessary, unapproved, or insecure system utilities. Reports on the number and type of system utilities running on each server, ensuring consistency across the Critical Cyber Assets. 5

8 Monitoring and Reporting BMC ProactiveNet Performance Provides patented predictive analytics, which leads to fewer alerts getting generated and makes these alerts more intelligent through self-learning analytics. Provides early warning of potential problems, which allows for proper risk management of security-related issues within the Electronic Security Perimeter with fewer manual reviews of event data. Requirement R4- Cyber Vulnerability Assessment The Responsible Entity shall perform a cyber vulnerability assessment of the electronic access points to the Electronic Security Perimeter(s) at least annually. Ensure System Security BMC Application Release BMC BladeLogic Client BMC BladeLogic Network BMC BladeLogic Server Suite Enforces patch management for OS and Security Products (AV, Firewalls, etc.) to ensure protection from malicious software Audits and remediates configurations to prevent malware from being introduced from external devices Reports on remediation activities Provides closed-loop audit and remediation of vulnerable systems with the Electronic Security Perimeter, allowing you to proactively manage vulnerability risks to Critical Cyber Assets as part of routine operations, eliminating the need for disruptive annual perimeter scans. Configuration Control BMC Application Release BMC BladeLogic Client BMC BladeLogic Network BMC BladeLogic Server Suite Provides sophisticated patch management controls that enable quick response to vendor security advisories and reduce reaction time from days to minutes. Audits Critical Cyber Assets for a vendorsupplied or custom list of patches, then automatically downloads, deploys, and verifies the deployment of the patches, reducing the risk exposure of Critical Cyber Assets. 6

9 NERC CIP 007 SYSTEMS SECURITY MANAGEMENT Requirement R1- Test Procedures The Responsible Entity shall ensure that new Cyber Assets and significant changes to existing Cyber Assets within the Electronic Security Perimeter do not adversely affect existing cyber security controls. For purposes of Standard CIP-007-3, a significant change shall, at a minimum, include implementation of security patches, cumulative service packs, vendor releases, and version upgrades of operating systems, applications, database platforms, or other third-party software or firmware. Testing Strategies and Plans Testing of Changes System Testing Standards BMC Application Release Provides testing support by automating the application release management process and associated workflows across the development lifecycle. Enables users to develop test policies for pre-production testing and staging without interruption to production operations and environments, maintaining uptime of Critical Cyber Assets. Requirement R2- Ports and Services The Responsible Entity shall establish, document and implement a process to ensure that only those ports and services required for normal and emergency operations are enabled. Security Testing and Accreditation BMC Atrium Discovery and Dependency Mapping BMC Atrium CMDB BMC BladeLogic Network Provides current and accurate inventory and classification of assets, including interfaces to and from systems. Includes standard policies and templates that can be used to enable port security. Enacts self-healing policies to lock-down or prevent non-compliant changes to specific ports on Critical Cyber Assets within the Electronic Security Perimeter. Requirement R3- Security Patch The Responsible Entity, either separately or as a component of the documented configuration management process specified in CIP Requirement R6, shall establish, document and implement a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all Cyber Assets within the Electronic Security Perimeter(s). System Software Installation System Software Maintenance Configuration Recording Configuration Baseline Configuration Control BMC Application Release BMC BladeLogic Client BMC BladeLogic Network BMC BladeLogic Server Suite Enables organizations to quickly respond to vendor security advisories reducing reaction time from days to minutes. Stores OS images in the OS Image Library, where they can: Be pre-staged or updated/reloaded to single or multiple devices. Enable the BMC solutions to roll back to a previous image, if needed. Scans Critical Cyber Assets for a vendorsupplied or custom list of patches, and then automatically downloads, deploys, and verifies the deployment of the patches Generates reports on adherence to patch policies. 7

10 Requirement R4- Malicious Software Prevention The Responsible Entity shall use anti-virus software and other malicious software ( malware ) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s). Malicious Software Prevention, Detection, and Correction BMC Application Release BMC BladeLogic Client BMC BladeLogic Network BMC BladeLogic Server Suite Packages and deploys anti-virus software, even detecting and remediating clients and servers whose malware protection is not current Provides reports on which Critical Cyber Assets are out of compliance with antimalware policies (server). Requirement R5- Account The Responsible Entity shall establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access. User Account Identification, Authentication and Access BMC Remedy Identity BMC Partner Solution BMC Application Release BMC BladeLogic Client BMC BladeLogic Network BMC BladeLogic Server Suite Provides role-based access control, ensuring that unique names and numbers are assigned, provisioned, and tracked for user identities. Identifies risk factors for users defined and provides key risk indicator reporting. Automates account creation, including password randomization, and requires that passwords be changed when a user first logs in. Monitors, enforces, and reports on requirements, such as that passwords be changed at least every 90 days, as well as on requirements that passwords be made up of both numeric and alphabetic characters. Requirement R6- Security Status Monitoring The Responsible Entity shall ensure that all Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security. Internal Control Monitoring Security Surveillance BMC ProactiveNet Performance Increases the value of your existing monitoring solutions, avoiding costly rip and replace measures. Provides intelligent alerting on security issues within the Electronic Security Perimeter, reducing the number of unnecessary events by up to 90 percent. 8

11 Requirement R8- Cyber Vulnerability Assessment The Responsible Entity shall perform a cyber vulnerability assessment of all Cyber Assets within the Electronic Security Perimeter at least annually. Operational Security and Internal Control Assurance Ensure System Security BMC Remedy IT Service Suite BMC Application Release BMC BladeLogic Client BMC BladeLogic Network BMC BladeLogic Server Suite Enables you to audit and remediate configurations with ITIL change management to eliminate vulnerable configurations. Delivers a non-invasive approach that reduces the impact of periodic vulnerability testing by tracking security related configuration elements without requiring potentially disruptive scans of Critical Cyber Assets. NERC CIP 008 INCIDENT REPORTING AND RESPONSE PLANNING Requirement R1- Cyber Security Incident Response Plan The Responsible Entity shall develop and maintain a Cyber Security Incident response plan and implement the plan in response to Cyber Security Incidents. Incident Handling BMC Remedy IT Service BMC Remedy Service Desk BMC Atrium CMDB Provides a workflow engine that automates incident management activities and integrates seamlessly with other ITIL service support solutions, such as the BMC Atrium CMDB. Provides a single source for incident management workflows and activities, closing the loop in this key process by linking change and release processes to incidents and problems. Allows organizations to track incident response times and performance and enable continuous improvement of incident management around Critical Cyber Assets. 9

12 NERC CIP 009 RECOVERY PLANS FOR CRITICAL CYBER ASSETS Requirement R1- Recovery Plans The Responsible Entity shall create and annually review recovery plan(s) for Critical Cyber Assets. IT Continuity Plan Contents BMC Service Level BMC Application Release BMC BladeLogic Client BMC BladeLogic Network BMC BladeLogic Server Suite BMC Remedy IT Service Suite BMC Service Request Enables the definition, monitoring, management, and reporting of SLAs, OLAs, and UCs across a broad range of services, including customer commitments for ongoing service and service support requirements. Can be used to continually monitor specified services against predefined performance criteria and alert exceptions, and report achievement over various time periods. Identifies and nests OLAs to support SLAs. Improves confidence in configuration backup and rollback procedures Enables users to rapidly provision new assets in accordance with NERC configuration settings. Requirement R2- Exercises The recovery plan(s) shall be exercised at least annually. An exercise of the recovery plan(s) can range from a paper drill, to a full operational exercise, to recovery from an actual incident. Testing the IT Continuity Plan BMC Service Level BMC Application Release BMC BladeLogic Client BMC BladeLogic Network BMC BladeLogic Server Suite BMC Remedy IT Service Suite Enables the definition, monitoring, management, and reporting of SLAs, OLAs, and UCs across a broad range of services, including customer commitments for ongoing service and service support requirements. Enables users to easily change/restore configurations for disaster recovery testing purposes. 1 0

13 Requirement R3- Change Control Recovery plan(s) shall be updated to reflect any changes or lessons learned as a result of an exercise or the recovery from an actual incident. Updates shall be communicated to personnel responsible for the activation and implementation of the recovery plan(s) within thirty calendar days of the change being completed. Testing the IT Continuity Plan BMC Service Level BMC Application Release BMC BladeLogic Client BMC BladeLogic Network BMC BladeLogic Server Suite BMC Remedy IT Service Suite Can be used to continually monitor specified services against predefined performance criteria and alert exceptions, and report achievement over various time periods. Identifies and nests OLAs to support SLAs Enables users to easily change/restore configurations for disaster recovery testing purposes, minimizing the impact of testing on Critical Cyber Assets. Requirement R4 Backup and Restore The recovery plan(s) shall include processes and procedures for the backup and storage of information required to successfully restore Critical Cyber Assets. For example, backups may include spare electronic components or equipment, written documentation of configuration settings, tape backup, etc. Back-Up and Restoration BMC Service Level BMC Application Release BMC BladeLogic Client BMC BladeLogic Network BMC BladeLogic Server Suite BMC Remedy IT Service Suite Can be used to continually monitor specified services against predefined performance criteria and alert exceptions, and report achievement over various time periods. Identifies and nests OLAs to support SLAs Allows organizations to easily change/ restore configurations for disaster recovery testing purposes, minimizing the impact of testing on Critical Cyber Assets. Requirement R5- Testing Backup Media Information essential to recovery that is stored on backup media shall be tested at least annually to ensure that the information is available. Testing can be completed off site. Back-Up and Restoration Offsite Backup Storage BMC IT Business Suite BMC IT Controls BMC Database Recovery Provides the frameworks and processes to track and manage the state of compliance and execute the policies associated with backup, restoration, and offsite backup. Provides the ability to attest to certifications concerning policies for backup, restoration, and offsite backup storage, as well as track the current state of process compliance (independent of the state of process maturity). 1 1

14 CONCLUSION Every entity has to define both the intensity of the control and the frequency of the associated tests for many requirements in NERC CIP. BSM from BMC provides options to meet your unique requirements from routinely scheduled audits that identify and alert to real-time monitoring that detects and alerts on relevant events. BMC solutions provide a choice, with integration to the industry s leading IT service management suite of solutions to classify, escalate, and track the resulting incidents. BSM delivers a comprehensive platform that provides the appropriate levels of risk mitigation and superior performance within constraints. For more information, including additional products that will support your unique NERC CIP requirements, please visit Business runs on IT. IT runs on BMC Software. Business thrives when IT runs smarter, faster, and stronger. That s why the most demanding IT organizations in the world rely on BMC Software across both distributed and mainframe environments. Recognized as the leader in Business Service, BMC offers a comprehensive approach and unified platform that helps IT organizations cut cost, reduce risk, and drive business profit.. For the four fiscal quarters ended March 31, 2010, BMC revenue was approximately $1.91 billion. Visit for more information. BMC, BMC Software, and the BMC Software logo are the exclusive properties of BMC Software, Inc., are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other BMC trademarks, service marks, and logos may be registered or pending registration in the U.S. or in other countries. ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office, and is used here by BMC Software, Inc., under license from and with the permission of OGC. All other trademarks or registered trademarks are the property of their respective owners BMC Software, Inc. All rights reserved. *142861*