A Tactical Approach to Continuous Compliance. Walt Sikora, Vice President Security Solutions EMMOS 2013

Transcription

1 A Tactical Approach to Continuous Compliance Walt Sikora, Vice President Security Solutions EMMOS 2013

2 Abstract NERC has moved quickly to address shortcomings and lack of clarity in previous versions of CIP standards. While this was a positive move, overall, it also presents some unique challenges for Asset Owners. This presentation will briefly cover changes and challenges presented with NERC CIPv5 adoption and deliver tactical steps that Asset Owners can take to fulfill requirements and achieve continuous compliance when addressing CIP Cyber Security Configuration Management and Vulnerability Assessment. 9/24/2013 2

3 Industrial Defender at a Glance Security and compliance since 2002 Exclusively focused on OT Pioneering automation systems management: security, compliance and change management for ICS Turnkey technology and service solution Multiple applications, one platform Vendor agnostic Purpose built Industrial Defender ranked #1 two years in a row by independent analysts 10,000+ technology deployments 400+ customers 25+ countries 9/24/2013 3

4 NERC CIP v4 v. NERC CIP v5 Version 4 Version 5 42 requirements; 113 parts 37 requirements; 148 parts No contextual information Includes background, rationale, and guidelines and Technical Basis Measures on high level requirement only 14 requirements with Technical Feasibility Exception (TFE) triggering language Measures for each requirement, including parts 12 requirements with TFE triggering language Undefined periodic terms Many binary Violation Severity Levels (VSLs) Clear periodic requirements: initial requirements in Implementation Plan More gradated VSLs Source: 9/24/2013 4

5 Implications of the Changes Change Less requirements, more parts Increased context, background, rationale Measures for each requirement and part Less potential for TFEs Clearly defined periodic terms More gradated VSLs Implication More clarity, more coverage More clarity More clarity, more examples More mitigation, workarounds, or additional solution(s) More clarity, less room for periodic errors More flexibility Entities are not required to self-report deficiencies if they are identifying, assessing and correcting them 9/24/2013 5

6 High, Medium, and Low Impact CIP Attachment 1 Impact Rating Criteria Rates BES Cyber Systems by: High Impact Rating (H) Medium Impact Rating (M) Low Impact Rating (L) Criteria listed for each rating level Rating level will determine which requirements/sub-requirements a BES Cyber System owner will have to meet Rating level(s) are associated with each requirement 9/24/2013 6

7 Strategic Goals for complying with CIP High-level strategy Continuous compliance Reduce overhead Improved resource allocation How do you get there? Are you there yet? 9/24/2013 7

8 What we now know Priorities & Objectives Automation Systems becoming more complex o Mix of legacy and next generation architectures o o o Heterogeneous Systems Exponential Increase in intelligent devices Unclear responsibility/ownership Maintain Reliability & Performance standards Ensure profitability Need for increased security Lots of technologies that can help Remember: No silver bullets! Report on activities Managing change introduces additional business process requirements and labor allocation Fewer Resources / increasing skill set gaps Balancing Operational Requirements with Security, Compliance, Change Management requirements 9/24/2013 8

9 Change Management Question: Do you anticipate growth in intelligent devices over the next 3-5 years? How will you manage: Patching? Firmware Updates? Configurations? User Access? Servers: PCS, SCADA, Work stations HMI Stations Firewalls Hardened networking devices PLCs IEDs, Sensors, Controllers 9/24/2013 9

10 Quick Review of CIP Configuration Management R1 Configuration Change Management R1.1 Baseline configuration for: OS Commercial or Open-source Application(s) Custom software Logical network accessible ports Security Patches R1.2 Authorize and document changes that deviate from the existing baseline configuration R1.3 For deviations, update baselines and documentation required by CIP-007 and CIP-005 as necessary within 30 calendar days R1.4 For changes that deviate R1.4.1 Determine potentially impacted cyber security controls prior to change R1.4.2 After change, verify controls are not adversely affected R1.4.3 Document results of verification 9/24/

11 Do you have more than one control system to worry about? ABB Siemens* Emerson* *Some vendors may supply security solutions for only their system 9/24/

12 How many tools do you need to manage your EMS? What Industrial Defender s ASM Covers CHANGE MANAGEMENT PATCH MANAGEMENT Change Ticketing Source Code Development Change Initiation Pre-Post change Config/Policy Exceptions Change Documentation Patch Monitoring Patch Base line Patch Exception Patch Application ASSET MANAGEMENT TICKETING MANAGEMENT GIS Maintenance Work Orders Device inventory Logic Rules Event Correlation Documentation Tasks Ticketing workflows Ticketing approvals EVENT MANAGEMENT USER MANAGEMENT /Web Events DPI Root Cause Analysis ICS Collectors Logic Rules Event Correlation User Base Lines User Activity Reporting Access Management NETWORK MANAGEMENT IED CONFIGURATION MANAGEMENT Network Visualization Configuration Backups Event Correlation Security logging Change monitoring Configuration Backups Operational Algorithms Configuration 9/24/

13 The current approach to security, compliance and change management typically takes at least 10 screens. Trigeo SEM McAfee Industrial Defender Cryptzone SE46 Tripwire SonicWall Industrial Defender McAfee eeye Retina McAfee WizNucleus Lumension 9/24/

14 The current approach to security, compliance and change management typically takes at least 10 screens. Trigeo SEM McAfee Industrial Defender Cryptzone SE46 With the Automation Systems Manager organizations can: Tripwire Secure vulnerabilities from SonicWall malicious attacks and human error. Implement regulatory compliance measures and efficiently process reporting requirements from a centralized dashboard. eeye Retina Manage change across a growing, heterogeneous and complex automation environment. Industrial Defender McAfee McAfee WizNucleus Lumension 9/24/

15 Automation Systems Management Architecture Automation Systems Manager (ASM) Application Capabilities Asset Management Event Management Configuration Change Management Policy Management Reporting DCS PCS SCADA PLC RTU Controller s 9/24/

16 Software Applications essential to Security, Compliance and Change Management Asset Management Event Management A single unified view of all assets within the automation system s environment. Enables onboarding and decommissioning of assets, reports device status, information access and state information. Brings visibility to control system and networks by providing event log data. Receives and consolidates events from multiple security sources, centralizes operations and reduces expenses. Configuration Change Management Policy Management Enables operators to track and audit device settings, software, firewall rules and user accounts and view and baseline the system configurations, ports & services, and software. Enables operators to communicate new policies, track acceptance and manage conformance. Reporting A comprehensive suite of standard configurable reports to meet regulatory requirements and simplify adherence to internal requirements. Enables users to define, generate and automate reports as needed. 9/24/

17 Configuration Management 2 Approaches Passive Always watching Never changing production Oh, we see a change. Is it ok? Click Yes or No Baseline gets updated after the fact if Yes Production asset gets manually reverted if No Active Always watching Never changing production Oh, we see a change. Revert that change back to the approved configuration automatically. No permanent changes to production until approved configuration change Baseline gets updated to enable change 9/24/

18 Situational awareness 9/24/

19 Central asset information 9/24/

20 Which ports are used? 9/24/

21 Device ports and services configuration details 9/24/

22 Software inventory 9/24/

23 Patches installed 9/24/

24 Cyber Asset Details 9/24/

25 Security Event Monitoring 9/24/

26 Compliance reporting 9/24/

27 Experience across many automation environments Security performance monitoring o ABB 800xA, Symphony/Harmony, Infi90, Network Manager, FACTS, SYS600C and MicroSCADA o Automsoft RAPID Historian o Emerson DeltaV and Emerson Ovation o Emerson/Westinghouse WDPF o GE XA/21 o GE PowerOn Fusion o Foxboro I/A Series o Honeywell Experion o Itron OpenWay System o Rockwell RSView o Schneider/Telvent Oasys, Citect Momentum, Quantum o Siemens PCS7 o Yokogawa Centrum CS 3000 Operating systems o Windows 7 o Win 2k, 2k3, 2k8 R2, XP, WinNT o HP-UX PA-RISC & Itanium o Linux o DEC Tru-64 o Sun Solaris o IBM AIX Industrial rules o DNP3 o Modbus o ICCP o IEC o TCP/IP 9/24/

28 It s a program, not a project Sustain Services Firmware/Patch Updates Performance/Alert Tuning Re-Baselining Software, Patches, Ports & Services Supervise Services Event Monitoring Configuration Baseline Monitoring Move, Add, Change Management Survive Services Backup Restoration Disaster Recovery Automation Systems Manager (ASM) Application Capabilities Asset Management Event Management Configuration Change Management Policy Management Reporting CLIENTS SERVERS PERIMETER DEVICES NETWORK DEVICES Automation Systems End-Points ( Optional Agent) 9/24/

29 Meet the Challenges Industrial Defender Your Solution for Automation Systems Management Deeply integrated with a number of EMS vendors to ensure performance & reliability Tackle increasing security, compliance and change management challenges despite resource constraints. Simplify and scale with a complete turnkey solution: Challenges Rapidly changing technologies Evolving security threats, both internal & external Lack of expertise Address resource and expertise challenges with a single view, vendor agnostic platform. Enable IT and OT to work together via a purpose built solution. Reduce overall TCO with a unified approach. Choosing Solutions Purpose built for control systems Eliminate manual work Report on activities Compatible with all your systems Sustain your automation environment as a program not a project! 9/24/

30 Web Blog blog.industrialdefender.com 9/24/