Change and Configuration Management
|
|
- Rosanna Leonard
- 8 years ago
- Views:
Transcription
1 Change and Configuration Management for CIP Compliance OCTOBER 21, 2009 Developed with:
2 Presenters Bart Thielbar, CISA Senior Research hanalyst Sierra Energy Group, a Division of Energy Central CIP-003, R6 Primer and Related Requirements Kim Morris Director, Architecture and Information Security Public Service of New Mexico (PNM) Change and Configuration Strategies for CIP 2
3 Change and Configuration Management CIP-003, R6 Primer and Related Requirements BART THIELBAR, CISA SENIOR RESEARCH ANALYST
4 Disclaimer The information from this webcast is provided for informational purposes only. An entity's adherence to the examples contained within this presentation does not constitute compliance with the NERC Compliance Monitoring and Enforcement Program ("CMEP") requirements, NERC Critical Infrastructure Protection ("CIP") CIP) Reliability Standards, or any other NERC Reliability Standards or rules. While the information included in this material may provide some of the methodology that NERC has elected to use to assess compliance with the requirements of the Reliability Standard, this material should not be treated as a substitute for the Reliability Standard or viewed as additional Reliability Standard requirements. In all cases, the entity should rely on the language contained in the Reliability Standard itself, and not on the language contained in this presentation, to determine compliance with the CIP Reliability Standards. 4
5 Agenda Purpose, Applicable CIP Standards Change and Configuration Management New Developments related to V2 and TFE s Audit Trail Requirements 5
6 Why Good Change and Configuration Management? Differing practices and polices among departments and/or units within departments t Differing documentation practices Managerial visibility and organizational control Risk Management NERC s Interests = Best Interests of Reliability 6
7 Applicable CIP Standards and Rules CIP 003, R6: Change Control and Configuration Management CIP 007: Within Context of Change and Configuration Management Test Procedures Ports and Services Security Patch Management Malicious Software Prevention Security Status t Monitoring i Disposal or Redeployment Documentation Review and Maintenance 7
8 Schedule for Table 3 Entities Requirement Begin Work Substantially Compliant Compliant Auditably Compliant CIP 003, R6 12/31/06 12/31/08 12/31/09 12/31/10 CIP /31/06 12/31/08 12/31/09 12/31/10 8
9 Change Management Documented process of change control Adding, modifying, replacing, or removing Critical Cyber Assets Applies to hardware and software Easy to develop tunnel vision i and focus only on software Links with Configuration Management 9
10 Configuration Management Documented process of change control Identify, control, and document All entity or vendor related changes to Critical Cyber Assets Links with Change Management 10
11 Overview/Explanation Documentation that tracks changes to Critical Cyber Asset hardware or software to include: Adding: adding hardware/software to existing system Modifying: making a change to existing hardware/software Replacing: adding new hardware/software Removing: retire/redeploy hardware/software Configuration management activities to: Identify: when a change needs to be made or has been made Control: approval for changes Document: documentation for the whole process 11
12 Process Summary Items requiring documentation when changed: Process documentation (use good version control) Critical Asset & Critical Cyber Asset List Test environment Patch management Changes to Electronic Security Perimeter (ESP) Changes to Physical Security Perimeter (PSP) Process for identifying and changing g ports and services settings Criteria in the change process: Types of changes Who initiates the changes Who approves the changes Approvals and dates for all auditable items Testing records 12
13 Change Management vs. Configuration Management (One View) Change Management Process and activities undertaken to make changes to CCA s Ex: Applying a software upgrade or adding additional memory to laptop Configuration Management Process and activities iti undertaken to establish and/or make changes to configuration of CCA s Ex: Setting up a new CCA and/or changing configuration of existing CCA such as port activation The documented process must address both 13
14 Testing Why: Ensure that new cyber assets and/or changes to cyber assets (not just CCA) do not compromise CCA serving Bulk Electric System Significant Change: Security patches, service packs, vendor releases/upgrades (including operating systems, applications, databases, etc.) Environment: Test Environment is very important must reflect the production environment Documentation: Test results must be documented (good, bad or neutral) All consistent with generally accepted best practices for change management 14
15 Speaking of that Good change and configuration management practices are just good business Should be viewed as a part of overall control and governance framework CIP Standards have specific requirements, but individual policy and practice may go beyond Manage the risks or they may manage you! 15
16 A Simplified View Change Control and Configuration Management (CIP 003, R6) Test Procedures Asset Management Documentation Review and Maintenance Security Issues and dimpacts (e.g., patch management, virus protection, etc.) Access Review and Maintenance 16
17 The Audit Trail Recall -> Once again, all associated measures, measure documentation ti Documentation emphasizing: Process for change control and configuration management Test procedures, test environment, test results Security & Access issues (Ports & Services, Patch Mgmt, Malicious Software Protection, Security Status Monitoring, Cyber Vulnerability Assessment & Account Management) Disposal or Redeployment Annual review & update of CIP 007 Documentation If changes to systems or controls, documentation needs to be updated within 90 days* 17
18 New Developments 9/30/09 FERC Order changes documentation requirement from 90 days to 30 days for CIP 007, R9. This is effective in April, Also applicable to CIP 006, R1.7, CIP 008, R1.4; and CIP 009, R3 10/12/09 NERC Compliance Bulletin # Addresses Interim Approach to Technical Feasibility Exceptions (TFE s) May be requested for CIP 007, R2.3, R4, R5.3, R5.3.1, R5.3.2, R5.3.3, R6 and R6.3 18
19 Possible Penalties and Sanctions Up to $1 M per day, per violation Violation Severity (level of non compliance) Violation Risk Factors Mitigating factors may reduce penalties and sanctions Quality of compliance program, self-reporting, voluntary corrective actions, etc. Aggravating factors may increase penalties and sanctions Repeat violations, evasion, inaction, unwarranted intentional violations based on economic choice, etc. May potentially impact reputation, rate cases, etc. 19
20 Final Thoughts Always remember the importance of tone at the top and how it influences a culture of compliance Change and Configuration Management Practices are about Risk Management and impact many areas of CIP compliance efforts Compliance is a process, not an event Documentation, documentation, documentation NERC s Interests = Best Interests of Reliability 20
21 Change and Configuration Management Change and Configuration Strategies for CIP KIM MORRIS DIRECTOR, ARCHITECTURE AND INFORMATION SECURITY
22 Agenda NERC Guidance CIP Interdependencies with Change Control and Configuration Management Questions & Answers 22
23 Based in Albuquerque, N.M., PNM Resources is an energy holding company with 2008 consolidated operating revenues from continuing and discontinued operations of $2.5 billion. Through its utilities - PNM and TNMP - and energy subsidiary - First Choice Power - PNM Resources serves electricity to 859,000 homes and businesses in New Mexico and Texas. Current Capacity 2717 MW 23
24 CIP Standards Applicability 24
25 CIP Component Breakdown Citi Critical lasset tinventory Selection Criteria Security Perimeter Asset Selection Perimeter Definition Access Controls Cyber Assets Change Configuration Management Management 25
26 CC & CM in a Nutshell Applies to Hardware and Software in the Security Perimeter Industrial control systems Example: Control Center SCADA Physical Security Management Systems Example: CCTV, Badge reader systems Communications within ESP IT Management Services Examples: Monitoring and Management systems 26
27 Change Control Definition Summary Establish and Document a process for managing Change for Critical Cyber Assets Applicability Change Management Process Requestors Approval Authority Testers Implementers Supporting Documentation 27
28 Configuration Management Definition Summary Establish and Document configuration management process for adding, modifying, replacing or removing critical cyber asset hardware or software Applicability Document Management 90 Day window (change to 30-days in V2) Version Control Classification and Protection Testing Training Asset Inventory Ports and Services 28
29 Interdependencies 29 Function Organization ntrol Industrial Co Systems Control Cente er Operations IT Manageme ent Services Access Control X X X X X X X Change Management X X X X X X Document Control X X X X X X X X X Testing and Quality Assurance X X X X X X Network Management X X X X X Incident Response X X X X X X X X Systems Management X X X X X Training X X X X X X X X X Recovery Operations X X X X X X Governance X X X X X X X X X Exception Management X X X X X X Physical Secu urity General Coun nsel Human Resou urces Communicati ions Generation Substations
30 Documentation, Documentation Governance Documents: Policy Procedures Controls Asset Configuration Examples: Cyber Security Policy Test Plans Recovery Plans Monitoring 30
31 Document Maintenance Change Management Ensure ongoing document review via change management process Asset Configuration Ports and Services Hardware/Software Release & Patch Level Recovery Plans Training Plans Testing and Q/A Procedures and Testing Results Asset Inventory 31
32 Document Governance Scheduled Periodic Reviews Annual Review Internal Governance Team Vulnerability Assessment Validate Documentation 32
33 Leverage Existing Processes Governance Methodologies Incident Management Vulnerability Management Risk Management Change Management Configuration Management Corporate IT Security Existing Policies and Procedures Existing Governance Processes 33
34 Sample Reference Approach 34
35 Organization Roles for Compliance Senior Manager Compliance Manager 3 rd Party Security Network Training Corporate Support Engineer Engineer Engineer IT Security 35
36 Leverage Existing Programs and Standards Organizations Financial Sarbanes Oxley (SOX) Reliability NERC Information Technology Infrastructure Library ITIL National Institute of Standards NIST International Standards Institute ISO 36
37 Test Procedures Change Management Applicability Security Patches Application and OS Updates Database Updates Firmware/Hardware Documentation Considerations Testing and Q/A Back out Plans Contingency Operations i.e. Illness, weather, disaster Recovery Operations Ports and Services Training TFE s 37
38 Training, Training, Training Change and Configuration Management Training Asset Additions, Changes, Disposals Incident Response Governance Polices and Procedures 38
39 Change and Configuration Guidance for Malicious Software Prevention Change Control and Configuration Management Antivirus and Malware Engines and Management Software Dat and Signature files Intrusion Prevention Host-Based versus Appliance-Based Signature updates TFE s (per current NERC guidance) 39
40 Technical Feasibility Exceptions (TFE s) Recommendations per current NERC guidance: Establish standardized policy and process for TFE s Capture forms for TFE s in Security Policy Utilize standard exception process for TFE s 40
41 A Look into the Future.. AMI and Smart Grid Impacts IP enabled networks Integrated Utility Electronic Security Perimeter Smart Controls Network visibility ibilit to the home 41
42 Final Thoughts Additional Cyber Risks will continue to be identified Ensure compliance program can adapt to meet the changing demands of the organization and reliability Streamline Processes and Controls Six Sigma Tools and automated processes Find opportunities to use existing processes and controls Think like an auditor 42
43 Questions & Answers 9/30/09 FERC Order: NERC Compliance Bulletin: 007_Public_Notice Notice-V1.pdf Contact Information: The magazine for building a smart grid and delivering information-enabled energy. FREE subscriptions available at 43
44 Questions & Answers 9/30/09 FERC Order: NERC Compliance Bulletin: 007_Public_Notice Notice-V1.pdf Contact Information: Your source for IT and smart grid research, analysis, and consulting. Visit 44
45 Questions & Answers 9/30/09 FERC Order: NERC Compliance Bulletin: 007_Public_Notice Notice-V1.pdf Contact Information: Go to where the power industry gathers for news, information, and analysis, visit com 45
46 Questions & Answers 9/30/09 FERC Order: NERC Compliance Bulletin: 007_Public_Notice Notice-V1.pdf Contact Information: 46 Get the inside scoop with Energy Central Professional News Service. Start your FREE trial at
47 Questions & Answers 9/30/09 FERC Order: NERC Compliance Bulletin: 007_Public_Notice Notice-V1.pdf Contact Information: Join the discussion, raise your question, and voice your opinion at 47
48 Questions & Answers 9/30/09 FERC Order: NERC Compliance Bulletin: 007_Public_Notice Notice-V1.pdf Contact Information: The magazine for C-level executives about the business of energy. FREE subscriptions available at 48
49 CIP Compliance Series Webcasts For comprehensive preparation for the implementation, compliance, and auditing phases of the CIP standards program, attend all six. Upgrade and save 10%. Apply your single event purchase to the cost of the entire series. Call or for information. Date Topic 9/23/09 Identifying Critical Assets (On Demand) 10/6/09 Program Governance Issues (On Demand) 10/21/09 Change Management Systems (On Demand) 11/11/09 Personnel Issues & Training 12/2/09 Physical & Electronic Access Controls 12/16/09 Testing Procedures & Recovery Plans 49
50 Thank You for Joining Us For the latest news, articles and blogs, please visit
Plans for CIP Compliance
Testing Procedures & Recovery Plans for CIP Compliance DECEMBER 16, 2009 Developed with: Presenters Bart Thielbar, CISA Senior Research hanalyst Sierra Energy Group, a Division of Energy Central Primer
More informationStandard CIP 007 3a Cyber Security Systems Security Management
A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-3a 3. Purpose: Standard CIP-007-3 requires Responsible Entities to define methods, processes, and procedures for
More informationStandard CIP 007 3 Cyber Security Systems Security Management
A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-3 3. Purpose: Standard CIP-007-3 requires Responsible Entities to define methods, processes, and procedures for securing
More informationInformation Shield Solution Matrix for CIP Security Standards
Information Shield Solution Matrix for CIP Security Standards The following table illustrates how specific topic categories within ISO 27002 map to the cyber security requirements of the Mandatory Reliability
More informationPatching & Malicious Software Prevention CIP-007 R3 & R4
Patching & Malicious Software Prevention CIP-007 R3 & R4 Scope Compliance Assessment Summary Introspection & Analysis Program-In Review Maturity Model review Control Design review Process Components of
More informationTASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices
Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security
More informationLogRhythm and NERC CIP Compliance
LogRhythm and NERC CIP Compliance The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to ensure that the bulk electric system in North America is reliable, adequate
More informationNERC Cyber Security. Compliance Consulting. Services. HCL Governance, Risk & Compliance Practice
NERC Cyber Security Compliance Consulting Services HCL Governance, Risk & Compliance Practice Overview The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to
More informationCompleted. Document Name. NERC CIP Requirements CIP-002 Critical Cyber Asset Identification R1 Critical Asset Identifaction Method
NERC CIP Requirements CIP-002 Critical Cyber Asset Identification R1 Critical Asset Identifaction Method R2 Critical Asset Identification R3 Critical Cyber Asset Identification Procedures and Evaluation
More informationTRIPWIRE NERC SOLUTION SUITE
CONFIDENCE: SECURED SOLUTION BRIEF TRIPWIRE NERC SOLUTION SUITE TAILORED SUITE OF PRODUCTS AND SERVICES TO AUTOMATE NERC CIP COMPLIANCE u u We ve been able to stay focused on our mission of delivering
More informationNERC Cyber Security Standards
SANS January, 2008 Stan Johnson Manager of Situation Awareness and Infrastructure Security Stan.johnson@NERC.net 609-452-8060 Agenda History and Status of Applicable Entities Definitions High Level of
More informationNorth American Electric Reliability Corporation (NERC) Cyber Security Standard
North American Electric Reliability Corporation (NERC) Cyber Security Standard Symantec Managed Security Services Support for CIP Compliance Overviewview The North American Electric Reliability Corporation
More informationThe first step in protecting Critical Cyber Assets is identifying them. CIP-002 focuses on this identification process.
CIPS Overview Introduction The reliability of the energy grid depends not only on physical assets, but cyber assets. The North American Electric Reliability Corporation (NERC) realized that, along with
More informationBSM for IT Governance, Risk and Compliance: NERC CIP
BSM for IT Governance, Risk and Compliance: NERC CIP Addressing NERC CIP Security Program Requirements SOLUTION WHITE PAPER Table of Contents INTRODUCTION...................................................
More informationTop 10 Compliance Issues for Implementing Security Programs
www.dyonyx.com Top 10 Compliance Issues for Implementing Security Programs This White Paper articulates the top ten issues that we have encountered in the design and implementation of comprehensive Security
More informationVerve Security Center
Verve Security Center Product Features Supports multiple control systems. Most competing products only support a single vendor, forcing the end user to purchase multiple security systems Single solution
More informationNERC CIP VERSION 5 COMPLIANCE
BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements that are the basis for maintaining
More informationCyber Security Compliance (NERC CIP V5)
Cyber Security Compliance (NERC CIP V5) Ray Wright NovaTech, LLC Abstract: In December 2013, the Federal Energy Regulatory Commission (FERC) issued Order No. 791 which approved the Version 5 CIP Reliability
More informationTop Ten Compliance Issues for Implementing the NERC CIP Reliability Standard
Top Ten Compliance Issues for Implementing the NERC CIP Reliability Standard The North American Electric Reliability Corporation 1 s (NERC) CIP Reliability Standard is the most comprehensive and pervasive
More informationSummary of CIP Version 5 Standards
Summary of CIP Version 5 Standards In Version 5 of the Critical Infrastructure Protection ( CIP ) Reliability Standards ( CIP Version 5 Standards ), the existing versions of CIP-002 through CIP-009 have
More informationBest Practices in ICS Security for System Operators. A Wurldtech White Paper
Best Practices in ICS Security for System Operators A Wurldtech White Paper No part of this document may be distributed, reproduced or posted without the express written permission of Wurldtech Security
More informationReliabilityFirst CIP Evidence List CIP-002 through CIP-009 are applicable to RC, BA, IA, TSP, TO, TOP, GO, GOP, LSE, NERC, & RE
R1 Provide Risk Based Assessment Methodology (RBAM) R1.1 Provide evidence that the RBAM includes both procedures and evaluation criteria, and that the evaluation criteria are riskbased R1.2 Provide evidence
More informationInformation Security Policy and Handbook Overview. ITSS Information Security June 2015
Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information
More informationNERC CIP Compliance with Security Professional Services
NERC CIP Compliance with Professional Services The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to ensure that the bulk electric system in North America is
More informationHow to Lead the People in a Program Based Environment
SESSION ID: GRC-W01 Balancing Compliance and Operational Security Demands Steve Winterfeld Bank Information Security Officer CISSP, PCIP What is more important? Compliance with laws / regulations Following
More informationThe Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant
THE MARKET LEADER IN IT, SECURITY AND COMPLIANCE SERVICES FOR COMMUNITY FINANCIAL INSTITUTIONS The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant Agenda
More informationCIP-005-3 Electronic Security Perimeter (ESP) - Dan Mishra FRCC Compliance Workshop May 09-13, 2011
CIP-005-3 Electronic Security Perimeter (ESP) - Dan Mishra FRCC Compliance Workshop May 09-13, 2011 1 Purpose Specific NERC CIP-005 Requirements Underlying fundamentals of the ESP architecture Building
More informationSupporting our customers with NERC CIP compliance. James McQuiggan, CISSP
Supporting our customers with NERC CIP compliance James, CISSP Siemens Energy Sector Energy products and solutions - in 6 Divisions Oil & Gas Fossil Power Generation Renewable Energy Service Rotating Equipment
More informationApril 8, 2013. Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899
Salt River Project P.O. Box 52025 Mail Stop: CUN204 Phoenix, AZ 85072 2025 Phone: (602) 236 6011 Fax: (602) 629 7988 James.Costello@srpnet.com James J. Costello Director, Enterprise IT Security April 8,
More informationHow To Protect A Smart Grid From Cyber Security Threats
Smart Grid Cyber Security System Reliability, Defense-in-Depth, Business Continuity, Change Management, Secure Telecommunications, Endpoint Protection, Identity Management, and Security Event Management
More informationTyson Jarrett CIP Enforcement Analyst. Best Practices for Security Patch Management October 24, 2013 Anaheim, CA
Tyson Jarrett CIP Enforcement Analyst Best Practices for Security Patch Management October 24, 2013 Anaheim, CA A little about me Graduated from the University of Utah with a Masters in Information Systems
More informationSCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards
SCADA Compliance Tools For NERC-CIP The Right Tools for Bringing Your Organization in Line with the Latest Standards OVERVIEW Electrical utilities are responsible for defining critical cyber assets which
More informationMuscle to Protect Your Grid July 2009. Sustainable and Cost-effective Muscle to Protect Your Grid
July 2009 Sustainable and Cost-effective Muscle to Protect Your Grid Page 2 Ensuring the reliability of the North American power grid is no small task and one that continues to grow in complexity on a
More informationCyber Security for NERC CIP Version 5 Compliance
GE Measurement & Control Cyber Security for NERC CIP Version 5 Compliance imagination at work Contents Cyber Security for NERC CIP Compliance... 5 Sabotage Reporting... 6 Security Management Controls...
More informationAn Introduction to SIEM & RSA envision (Security Information and Event Management) January, 2011
An Introduction to SIEM & RSA envision (Security Information and Event Management) January, 2011 Brian McLean, CISSP Sr Technology Consultant, RSA Changing Threats and More Demanding Regulations External
More informationIT Security & Compliance Risk Assessment Capabilities
ATIBA Governance, Risk and Compliance ATIBA provides information security and risk management consulting services for the Banking, Financial Services, Insurance, Healthcare, Manufacturing, Government,
More informationLessons Learned CIP Reliability Standards
Evidence for a requirement was not usable due to a lack of identifying information on the document. An entity should set and enforce a "quality of evidence" standard for its compliance documentation. A
More informationIT Security & Compliance. On Time. On Budget. On Demand.
IT Security & Compliance On Time. On Budget. On Demand. IT Security & Compliance Delivered as a Service For businesses today, managing IT security risk and meeting compliance requirements is paramount
More informationCritical Controls for Cyber Security. www.infogistic.com
Critical Controls for Cyber Security www.infogistic.com Understanding Risk Asset Threat Vulnerability Managing Risks Systematic Approach for Managing Risks Identify, characterize threats Assess the vulnerability
More informationFERC, NERC and Emerging CIP Standards
Protecting Critical Infrastructure and Cyber Assets in Power Generation and Distribution Embracing standards helps prevent costly fines and improves operational efficiency Bradford Hegrat, CISSP, Principal
More informationCIP-010-2 Cyber Security Configuration Change Management and Vulnerability Assessments
CIP-010-2 Cyber Security Configuration Change Management and Vulnerability Assessments A. Introduction 1. Title: Cyber Security Configuration Change Management and Vulnerability Assessments 2. Number:
More informationThe Importance of Cybersecurity Monitoring for Utilities
The Importance of Cybersecurity Monitoring for Utilities www.n-dimension.com Cybersecurity threats against energy companies, including utilities, have been increasing at an alarming rate. A comprehensive
More informationForeScout CounterACT and Compliance June 2012 Overview Major Mandates PCI-DSS ISO 27002
ForeScout CounterACT and Compliance An independent assessment on how network access control maps to leading compliance mandates and helps automate GRC operations June 2012 Overview Information security
More informationGE Oil & Gas. Cyber Security for NERC CIP Versions 5 & 6 Compliance
GE Oil & Gas Cyber Security for NERC CIP Versions 5 & 6 Compliance Cyber Security for NERC CIP Versions 5 & 6 Compliance 2 Contents Cyber Security for NERC CIP Compliance... 5 Sabotage Reporting... 6 Security
More informationIRA Risk Factors Update for CIP. Ben Christensen Senior Compliance Risk Analyst, Cyber Security October 14, 2015
IRA Risk Factors Update for CIP Ben Christensen Senior Compliance Risk Analyst, Cyber Security October 14, 2015 2 Agenda Why the changes? What s new? Example of a Risk Factor How does this effect CIP V5?
More informationImplementation Plan for Version 5 CIP Cyber Security Standards
Implementation Plan for Version 5 CIP Cyber Security Standards April 10September 11, 2012 Prerequisite Approvals All Version 5 CIP Cyber Security Standards and the proposed additions, modifications, and
More informationHow to Integrate NERC s Requirements in an Ongoing Automation and Integration Project Framework
How to Integrate NERC s Requirements in an Ongoing Automation and Integration Project Framework Jacques Benoit, Cooper Power Systems Inc., Energy Automations Solutions - Cybectec Robert O Reilly, Cooper
More informationGE Measurement & Control. Cyber Security for NERC CIP Compliance
GE Measurement & Control Cyber Security for NERC CIP Compliance GE Proprietary Information: This document contains proprietary information of the General Electric Company and may not be used for purposes
More informationSecurity Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions
Kevin Staggs, Honeywell Process Solutions Table of Contents Introduction...3 Nerc Standards and Implications...3 How to Meet the New Requirements...4 Protecting Your System...4 Cyber Security...5 A Sample
More informationAutomating NERC CIP Compliance for EMS. Walter Sikora 2010 EMS Users Conference
Automating NERC CIP Compliance for EMS Walter Sikora 2010 EMS Users Conference What do we fear? Thieves / Extortionists Enemies/Terrorists Stuxnet Malware Hacker 2025 Accidents / Mistakes 9/21/2010 # 2
More informationCyber Security Seminar KTH 2011-04-14
Cyber Security Seminar KTH 2011-04-14 Defending the Smart Grid erik.z.johansson@se.abb.com Appropriate Footer Information Here Table of content Business Drivers Compliance APT; Stuxnet and Night Dragon
More informationHow To Protect A Network From Attack From A Hacker (Hbss)
Leveraging Network Vulnerability Assessment with Incident Response Processes and Procedures DAVID COLE, DIRECTOR IS AUDITS, U.S. HOUSE OF REPRESENTATIVES Assessment Planning Assessment Execution Assessment
More informationISACA North Dallas Chapter
ISACA rth Dallas Chapter Business Continuity Planning Observations of Critical Infrastructure Environments Ron Blume, P.E. Ron.blume@dyonyx.com 214-280-8925 Focus of Discussion Business Impact Analysis
More informationJenifer Vallace Associate Cyber Security Analyst. Best User Reporting Practices September 24, 2013 CIP 101
Jenifer Vallace Associate Cyber Security Analyst Best User Reporting Practices September 24, 2013 CIP 101 Agenda What s needed when filling out: Self Reports (SR) Self Certifications (SC) Mitigation Plans
More informationCyber Security Standards Update: Version 5
Cyber Security Standards Update: Version 5 January 17, 2013 Scott Mix, CISSP CIP Technical Manager Agenda Version 5 Impact Levels Format Features 2 RELIABILITY ACCOUNTABILITY CIP Standards Version 5 CIP
More informationSecurity Controls What Works. Southside Virginia Community College: Security Awareness
Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction
More informationNERC CIP Tools and Techniques
NERC CIP Tools and Techniques Supplemental Project - Introduction Webcast Scott Sternfeld, Project Manager Smart Grid Substation & Cyber Security Research Labs ssternfeld@epri.com (843) 619-0050 October
More informationMalicious Software Prevention for NERC CIP-007 Compliance: Protective Controls for Operating Systems and Supporting Applications
Malicious Software Prevention for NERC CIP-007 Compliance: Protective Controls for Operating Systems and Supporting Applications Matthew E. Luallen, Founder, Cybati / Past Co- Founder of Encari Paul J.
More information2012 CIP Spring Compliance Workshop May 7-11. Testing, Ports & Services and Patch Management
2012 CIP Spring Compliance Workshop May 7-11 Testing, Ports & Services and Patch Management Purpose This presentation provides an overview of the CIP-007-3 R1 Test Procedures which includes a discussion
More informationNorth American Electric Reliability Corporation: Critical Infrastructure Protection, Version 5 (NERC-CIP V5)
Whitepaper North American Electric Reliability Corporation: Critical Infrastructure Protection, Version 5 (NERC-CIP V5) NERC-CIP Overview The North American Electric Reliability Corporation (NERC) is a
More informationDomain 1 The Process of Auditing Information Systems
Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge
More informationAddressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense
A Trend Micro Whitepaper I February 2016 Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense How Trend Micro Deep Security Can Help: A Mapping to the SANS Top 20 Critical
More informationContinuous Compliance for Energy and Nuclear Facility Cyber Security Regulations
Continuous Compliance for Energy and Nuclear Facility Cyber Security Regulations Leveraging Configuration and Vulnerability Analysis for Critical Assets and Infrastructure May 2015 (Revision 2) Table of
More informationNavigate Your Way to NERC Compliance
Navigate Your Way to NERC Compliance NERC, the North American Electric Reliability Corporation, is tasked with ensuring the reliability and safety of the bulk power system in North America. As of 2010,
More informationDocument ID. Cyber security for substation automation products and systems
Document ID Cyber security for substation automation products and systems 2 Cyber security for substation automation systems by ABB ABB addresses all aspects of cyber security The electric power grid has
More informationState of Oregon. State of Oregon 1
State of Oregon State of Oregon 1 Table of Contents 1. Introduction...1 2. Information Asset Management...2 3. Communication Operations...7 3.3 Workstation Management... 7 3.9 Log management... 11 4. Information
More informationExternal Supplier Control Requirements
External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must
More informationFERC Regulations: Managing Compliance Through ETRM Technology
www.allegrodev.com FERC Regulations: Managing Compliance Through ETRM Technology Bart Thielbar Senior Research Analyst Sierra Energy Group; The R&A Division of Energy Central Abstract An Allegro White
More informationTOP 10 CHALLENGES. With suggested solutions
NERC CIP VERSION 5 TOP 10 CHALLENGES With suggested solutions 401 Congress Avenue, Suite 1540 Austin, TX 78791 Phone: 512-687- 6224 E- Mail: chumphreys@theanfieldgroup.com Web: www.theanfieldgroup.com
More informationHoneywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014
Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Process Solutions (HPS) June 4, Industrial Cyber Security Industrial Cyber Security is the leading provider of cyber security
More informationCIP- 005 R2: Understanding the Security Requirements for Secure Remote Access to the Bulk Energy System
CIP- 005 R2: Understanding the Security Requirements for Secure Remote Access to the Bulk Energy System Purpose CIP-005-5 R2 is focused on ensuring that the security of the Bulk Energy System is not compromised
More informationCritical Infrastructure Security: The Emerging Smart Grid. Cyber Security Lecture 5: Assurance, Evaluation, and Compliance Carl Hauser & Adam Hahn
Critical Infrastructure Security: The Emerging Smart Grid Cyber Security Lecture 5: Assurance, Evaluation, and Compliance Carl Hauser & Adam Hahn Overview Assurance & Evaluation Security Testing Approaches
More informationOvation Security Center Data Sheet
Features Scans for vulnerabilities Discovers assets Deploys security patches transparently Allows only white-listed applications to run in workstations Provides virus protection for Ovation Windows workstations
More informationHIPAA Security Alert
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
More informationGoals. Understanding security testing
Getting The Most Value From Your Next Network Penetration Test Jerald Dawkins, Ph.D. True Digital Security p. o. b o x 3 5 6 2 3 t u l s a, O K 7 4 1 5 3 p. 8 6 6. 4 3 0. 2 5 9 5 f. 8 7 7. 7 2 0. 4 0 3
More informationThe North American Electric Reliability Corporation ( NERC ) hereby submits
December 8, 2009 VIA ELECTRONIC FILING Kirsten Walli, Board Secretary Ontario Energy Board P.O Box 2319 2300 Yonge Street Toronto, Ontario, Canada M4P 1E4 Re: North American Electric Reliability Corporation
More informationHow Much Cyber Security is Enough?
How Much Cyber Security is Enough? Business Drivers of Cyber Security Common Challenges and Vulnerabilities Cyber Security Maturity Model Cyber Security Assessments September 30, 2010 Business in the Right
More informationNERC CIP Compliance. Dave Powell Plant Engineering and Environmental Performance. Presentation to 2009 BRO Forum
NERC CIP Compliance Dave Powell Plant Engineering and Environmental Performance Presentation to 2009 BRO Forum August 12, 2009 1 NERC CIP 101 What is NERC CIP? CIP Terminology CIP compliance overview CIP
More informationEEI Business Continuity. Threat Scenario Project (TSP) April 4, 2012. EEI Threat Scenario Project
EEI Business Continuity Conference Threat Scenario (TSP) April 4, 2012 EEI Threat Scenario 1 Background EEI, working with a group of CIOs and Subject Matter Experts, conducted a survey with member companies
More informationDefending Against Data Beaches: Internal Controls for Cybersecurity
Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity
More informationGE Intelligent Platforms. Meeting NERC Change Control Requirements for HMI/SCADA and Control Systems
GE Intelligent Platforms Meeting NERC Change Control Requirements for HMI/SCADA and Control Systems Meeting NERC Change Control Requirements for HMI/SCADA and Control Systems Overview There is a lot of
More informationi-pcgrid Workshop 2015 Cyber Security for Substation Automation The Jagged Line between Utility and Vendors
March 25-27, 2014 Steven A. Kunsman i-pcgrid Workshop 2015 Cyber Security for Substation Automation The Jagged Line between Utility and Vendors ABB Inc. March 26, 2015 Slide 1 Cyber Security for Substation
More informationDigi Device Cloud: Security You Can Trust
Digi Device Cloud: Security You Can Trust Abstract Historically, security has oftentimes been an afterthought or a bolt-on to any engineering product. In today s markets, however, security is taking a
More informationNERC CIP Substation Cyber Security Update. John M Shaw Presentation to UTC Region 7 February 19, 2009 jshaw@garrettcom.com
NERC CIP Substation Cyber Security Update John M Shaw Presentation to UTC Region 7 February 19, 2009 jshaw@garrettcom.com It s February 19, 2009 132 project days left to compliance Do you know where (what)
More informationCIP 010 1 Cyber Security Configuration Change Management and Vulnerability Assessments
CIP 010 1 Cyber Security Configuration Change Management and Vulnerability Assessments A. Introduction 1. Title: Cyber Security Configuration Change Management and Vulnerability Assessments 2. Number:
More informationMaintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com
Maintaining PCI-DSS compliance Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com Sessione di Studio Milano, 21 Febbraio 2013 Agenda 1 Maintaining PCI-DSS compliance
More informationThe Firewall Audit Checklist Six Best Practices for Simplifying Firewall Compliance and Risk Mitigation
The Firewall Audit Checklist Six Best Practices for Simplifying Firewall Compliance and Risk Mitigation Copyright, AlgoSec Inc. All rights reserved The Need to Ensure Continuous Compliance Regulations
More informationCritical Security Controls
Critical Security Controls Session 2: The Critical Controls v1.0 Chris Beal Chief Security Architect MCNC chris.beal@mcnc.org @mcncsecurity on Twitter The Critical Security Controls The Critical Security
More informationSmall Firm Focus: A Practical Approach to Cybersecurity Friday, May 29 9:00 a.m. 10:15 a.m.
Small Firm Focus: A Practical Approach to Cybersecurity Friday, May 29 9:00 a.m. 10:15 a.m. Topics: Explain why it is important for firms of all sizes to address cybersecurity risk. Demonstrate awareness
More informationIT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:
IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225
More informationSecuring OS Legacy Systems Alexander Rau
Securing OS Legacy Systems Alexander Rau National Information Security Strategist Sample Agenda 1 Today s IT Challenges 2 Popular OS End of Support & Challenges for IT 3 How to protect Legacy OS systems
More informationThe Convergence of IT Security and Compliance with a Software as a Service (SaaS) approach
The Convergence of IT Security and Compliance with a Software as a Service (SaaS) approach by Philippe Courtot, Chairman and CEO, Qualys Inc. Information Age Security Conference - London - September 25
More informationUniversity of Central Florida Class Specification Administrative and Professional. Information Security Officer
Information Security Officer Job Code: 2534 Serve as the information security officer for the University. Develop and computer security system standards, policies, and procedures. Serve as technical team
More informationReclamation Manual Directives and Standards
Vulnerability Assessment Requirements 1. Introduction. Vulnerability assessment testing is required for all access points into an electronic security perimeter (ESP), all cyber assets within the ESP, and
More informationCyber Security and Privacy - Program 183
Program Program Overview Cyber/physical security and data privacy have become critical priorities for electric utilities. The evolving electric sector is increasingly dependent on information technology
More informationSecurity Information & Event Management (SIEM)
Security Information & Event Management (SIEM) Peter Helms, Senior Sales Engineer, CISA, CISSP September 6, 2012 1 McAfee Security Connected 2 September 6, 2012 Enterprise Security How? CAN? 3 Getting
More informationThe Cloud in Regulatory Affairs - Validation, Risk Management and Chances -
45 min Webinar: November 14th, 2014 The Cloud in Regulatory Affairs - Validation, Risk Management and Chances - www.cunesoft.com Rainer Schwarz Cunesoft Holger Spalt ivigilance 2014 Cunesoft GmbH PART
More informationDigital Infrastructure - A Model For Success
Organizer: BRIDGING BARRIERS: LEGAL AND TECHNICAL OF CYBERCRIME CASES Session 6 : Securing Your Fortress Best practices, standards, techniques and technologies secure your organization from cyber criminals.
More informationEnterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
More information