Automating NERC CIP Compliance for EMS. Walter Sikora 2010 EMS Users Conference

Transcription

1 Automating NERC CIP Compliance for EMS Walter Sikora 2010 EMS Users Conference

2 What do we fear? Thieves / Extortionists Enemies/Terrorists Stuxnet Malware Hacker 2025 Accidents / Mistakes 9/21/2010 # 2

3 What do we fear? Wally, the Auditor Wally Magna -- WECC Senior Compliance CIP Engineer 9/21/2010 # 3

4 NERC CIP Penalties No CIP fines assessed to date, but: Other NERC enforcement actions: ~70 fines totaling ~$1.8M in 2010 And remember FPL $25M settlement in October 2009 The will and the way are in place! Source: GE Presentation 9/21/2010 # 4

5 NERC CIP Standards CIP-001 CIP-002 CIP-003 CIP-004 CIP-005 CIP-006 CIP-007 CIP-008 CIP-009 Sabotage Reporting Critical Cyber Asset Identification Security Management Controls Personnel and Training Electronic Security Perimeters Physical Security of Critical Cyber Assets Systems Security Management Incident Reporting and Response Planning Recovery Plans for Critical Cyber Assets 9/21/2010 # 5

6 NERC CIP Standards Phase 4 CIP- 002 CIP- 003 CIP- 004 CIP- 005 CIP- 006 CIP- 007 CIP- 008 CIP- 009 Critical Cyber Asset Identification Security Management Controls Personnel and Training Electronic Security Perimeters Physical Security of Critical Cyber Assets Systems Security Management Incident Reporting and Response Planning Recovery Plans for Critical Cyber Assets CIP- 010 CIP- 011 BES Cyber System Categorization BES Cyber System Protection CIP-010 and -011 on track to be complete and submitted to NERC Dec. 24, 2010 Critical Cyber Assets displaced by BES Cyber System Components Broader applicability Differentiated H/M/L Impact Ratings 9/21/2010 # 6

7 Transmission and Distribution Central EMS Site Substations tied to EMS Multiple regions Site 1 Site 2 Site 3 9/21/2010 # 7

8 Challenges for NERC CIP Assessment Challenges How do you produce data, reports and audit documentation for assessors? How do you incorporate and deal with findings from assessors? How do you verify that the findings have been corrected? Site 1 Site 2 Site 3 9/21/2010 # 8

9 Challenges for NERC CIP Assessment Challenges Internal Operational Challenges How do you manage forensics and support? How do you monitor and respond to alerts? How do you plan and track your configuration strategy? How do you manage your OS patches? How do you manage your software inventory (SCADA/DCS Servers, HMI, Historians, PLC/RTU/IED, switches, routers, perimeter devices) and their versions? How do you manage the licenses for your software? Site 1 Site 2 Site 3 9/21/2010 # 9

10 Challenges for NERC CIP Assessment Challenges Internal Operational Challenges NERC CIP Operational Challenges How do you collect and archive all your logs? How do you collect and archive all your compliance data? How do you ensure you haven t fallen out of compliance? How can you plan and track your patch strategy? Site 1 Site 2 Site 3 9/21/2010 # 10

11 Challenges for NERC CIP Assessment Challenges Internal Operational Challenges NERC CIP Operational Challenges NERC CIP Audit and Audit Preparation Challenges How do you produce data, reports and audit documentation for auditors? How do you incorporate and deal with findings from auditors? How do you verify that the findings have been corrected? Site 1 Site 2 Site 3 9/21/2010 # 11

12 Challenges for NERC CIP Assessment Challenges How do you produce data, reports and audit documentation for assessors? How do you incorporate and deal with findings from assessors? How do you verify that the findings have been corrected? Internal Operational Challenges NERC CIP Operational Challenges NERC CIP Audit and Audit Preparation Challenges How do you produce data, reports and audit documentation for auditors? How do you incorporate and deal with findings from auditors? How do you verify that the findings have been corrected? Site 1 Site 2 Site 3 9/21/2010 # 12

13 Compliance Manager Assessment Challenges How do you produce data, reports and audit documentation for assessors? How do you incorporate and deal with findings from assessors? How do you verify that the findings have been corrected? Compliance Standard (NERC) Assessment Reports Compliance Reports Assessment Results Compliance Manager Site 1 Site 2 Site 3 9/21/2010 # 13

14 Compliance Manager Assessment Challenges Internal Operational Challenges How do you manage forensics and support? Forensic Difference Report Day N Report Support call Configuration (Day N) Factory Configuration (Day 1) Compliance Manager SEM Day 1 Report Site 2 9/21/2010 # 14

15 Compliance Manager Assessment Challenges Internal Operational Challenges How do you manage forensics and support? How do you monitor and respond to alerts? How do you plan and track your configuration strategy? How do you manage your OS patches? How do you manage your software inventory (SCADA/DCS Servers, HMI, Historians, PLC/RTU/IED, switches, routers, perimeter devices) and their versions? How do you manage licenses for your software? Compliance Manager Patch/Config/ Software Reports Forensic Reports Logs, Compliance Data SEM SEM SEM Site 1 Site 2 Site 3 9/21/2010 # 15

16 Compliance Manager Assessment Challenges Internal Operational Challenges NERC CIP Operational Challenges How do you collect and archive all your logs? How do you collect and archive all your compliance data? How do you ensure you haven t fallen out of compliance? How can you plan and track your patch strategy? Data archiving Compliance Manager NERC CIP Compliance Reports Patch Reports Logs, Compliance SEM Data SEM SEM Site 1 Site 2 Site 3 9/21/2010 # 16

17 Compliance Manager Assessment Challenges Internal Operational Challenges NERC CIP Operational Challenges NERC CIP Audit and Audit Preparation Challenges How do you produce data, reports and audit documentation for auditors? How do you incorporate and deal with findings from auditors? How do you verify that the findings have been corrected? Compliance Manager NERC CIP Compliance/Audit Reports Logs, Compliance SEM Data SEM SEM Site 1 Site 2 Site 3 9/21/2010 # 17

18 Security Log and Configuration data retention and analysis Audit Reports Compliance Management System Security Operations Console Security Event SEM Manager 9/21/2010 # 18

19 Report Samples 9/21/2010 # 19

20 Report Samples 9/21/2010 # 20

21 Report Samples 9/21/2010 # 21

22 Report Samples 9/21/2010 # 22

23 Summary EMS Security Compliance Technology integration Implement and integrate multiple layers of security technology. while assuring no adverse impact to critical control systems Operations efficiency Integrate security administration into daily operational processes. with little or no increase in operations expense and personnel Defense in Depth Security sustainability Compliance audit support Respond rapidly to intense auditor demands regarding current and historical systems security information. or face regulatory fines and corporate compliance exceptions Compliance automation 9/21/2010 # 23

24 Automate Compliance It will be repeatable It will be simple It will be more efficient No more fear: Learn to Love compliance 9/21/2010 # 24

25 Web Blog Corporate Overview 9/21/2010 # 25