Imperva Automates NERC CIP Compliance and Secures Critical Infrastructure

Transcription

1 C A S E S T U DY Imperva Automates NERC CIP Compliance and Secures Critical Infrastructure

2 NERC Regulations Aim to Increase Cyber Security for North American Bulk Power Systems There are numerous cyber-security regulations to which owners, operators and users of bulk electric power systems in North America must comply. In addition to NERC - the North American Electric Reliability Corporation, there is often the need to to comply with multiple, and often overlapping cyber related regulations including the PCI Data Security Standards for the processing of credit card information and Sarbanes- Oxley for publicly traded corporations. These are in addition to the numerous noncyber-related power generation and distribution industry regulations requiring company compliance. The challenge of identifying and routinely meeting the requirements can be a daunting for many organizations. Meeting the aggressive NERC requirements, including the April 2016 deadline for NERC CIP (Critical Infrastructure Protection) Version 5 Framework is challenging by itself. The NERC CIP Framework only address a minimal baseline for security. Simply meeting compliance does not guarantee that an organization s web applications and data are secure. Those organizations wishing to enhance their security postures need to use NERC as a starting point and put in place more holistic solutions related to incident prevention, detection, and response. With the substantial punitive non-compliance penalties under NERC - some as high as $1 million dollars per day, organizations are driving to put in place preventive, investigative, and corrective cyber controls that enhance overall cyber security, are operationally efficient, and produce compliance outputs as a natural byproduct of the security best practices. CASE STUDY Addressing NERC Compliance in a Multi-Regulated Environment Electric Company Minimizes Resources Required for Maintaining Regulatory Compliance After spending close to $1 million dollars to mitigate auditor-discovered deficiencies during a PCI DSS audit, this company was interested in finding solutions that were applicable across PCI DSS, Sarbanes-Oxley, and NERC. There seemed to be a never-ending process of internal auditors, business application owners, and IT managers coming together to define and implement controls followed by wading through the volumes of information generated for the pieces that were relevant for each regulatory auditor. The process was too slow, too costly, and the manual efforts would not scale across multiple regulations without adding additional headcount which they did not have the budget to do. Solution Multiple database security vendors were trialed over a three month period before they deployed and standardized on Imperva SecureSphere. Imperva was able to discover a number of previously unknown database vulnerabilities across three different database platforms. Imperva also delivered regulation-specific reports, the ability to quickly and easily create ad-hoc reports, and captured the data necessary to address auditor requests such as: What are the vulnerabilities within databases that process financial information and/or store credit card information How are critical databases protected How are privileged users tracked How was the latest security incident addressed People-centric questions who, what, when and how Benefits Imperva SecureSphere Database Activity Monitoring provided an extensible reporting framework for addressing audits. It reduced the resources required to capture audit data for databases by over 75% while generating audit information in a comprehensive yet easy to understand format. In addition to addressing multiple regulations, overall security was increased. Finally, the deployment was functional and providing value the first day and required very little customization. The compliance and security teams that deployed and administered the solution were able to do so without database expertise. 2

3 Imperva provides that much needed universal connectivity and continuity across multiple regulatory frameworks, regulations, and requirements. Leveraging automation, centralized management, and an efficient, scalable architecture to deploy rapidly and sustain regulatory security requirements across a heterogeneous web, database, Big Data, and file environments. Intersection of Compliance and Security In January of 2008, FERC (Federal Energy Regulatory Commission) approved the initial NERC CIP Framework. But even before the official approval, bulk power organizations were working on solutions to address cyber security while also adhering to preliminary versions of the NERC CIPs from Several topics permeate multiple CIP standards and highlight the critical areas where compliance and security intersect: Cyber asset discovery and classification Cyber asset protection and monitoring Incident response i.e. survivability Auditing Reporting Applications and databases make up a substantial assortment of what is considered a critical cyber asset within bulk power organizations. Like any organization, bulk electric has enterprise applications such as SAP, Oracle e-business Suite, and PeopleSoft. Some of these systems reside in the corporate or IT network, others within the operations or control system network, while others are designed specifically to communicate across the once air gapped connection points. Some examples are: Customer self-service portals Supply chain management Customer relationship management Financial management Call centers Field force automation Archiving Frontends for legacy solutions Application relays for measurement We purchased SecureSphere to protect our Web applications from external attacks. We quickly realized that the same security should be applied to our internal applications protecting both engineering and IT. Today we monitor how all applications are being used and have regular meetings to review SecureSphere reports. Reporting has already identified security vulnerabilities within our applications, and alerted us to privileged operators not following organizational policy for data handling. DIRECTOR OF CYBER SERVICES AT A FORTUNE 500 SUPPLIER TO RETAIL AND WHOLESALE ELECTRIC AND NATURAL GAS CUSTOMERS Securing these application and database cyber assets is important for addressing NERC and other regulations as well as improving overall security. Not only do these assets process and store sensitive data, but they can also be used to administer non-cyber assets thus having a direct impact on the availability of control system assets such as SCADA (Supervisory Control and Data Acquisition). 3

4 Imperva Solutions for NERC As the market leader in data and application security in the cloud and on-premises, organizations with mission-critical environments trust SecureSphere to discover, audit, protect, and monitor their most sensitive assets. In addition to securing those assets, Imperva provides purpose-built compliance capabilities that automate the reporting process needed for demonstrating compliance with multiple regulations including NERC, PCI, Sarbanes-Oxley, GLBA, and others. The Application Defense Center (ADC), a premier research organization for security analysis, vulnerability discovery, and compliance expertise within Imperva ensures that the security analytics and compliance capabilities within Imperva are up-to-date with the most current trends. This takes the form of attack analytics, alerting, and reports. With ADC content, addressing multiple cyber regulations can be as easy as just addressing one. Control System/SCADA Operations Environment Databases Applications Applications Corporate/IT Environment Internet Databases Web Applications Auditors were hounding us to implement better oversight for our databases. With limited staff, none of which were DBAs, we needed a solution that was easy to implement, use, and would deliver the information our auditors needed. SecureSphere was taken out of the box and monitoring our databases in a half day with minimal configuration. We didn t even need to bring in our database contractor. The next day we brought the Imperva sales engineer into the office along with our auditors. The SE gave a demo of the product and we asked our auditors if this was what they wanted: they said yes. So we bought it and got back to the business of keeping the lights on. Mission-Critical Systems Internet Customers, Partners, Attackers EXECUTIVE DIRECTOR/PROJECT COORDINATOR AT ONE OF THE LARGEST DIVERSIFIED ENERGY COMPANIES IN NORTH AMERICA Architecture for Case Study: Securing applications and databases across environments 4

5 High-level Mapping of Imperva Solutions to NERC CIPS NERC CIP RELIABILITY STANDARDS FOR CYBER CIP-002 BES Cyber System Categorization CIP-003 Security Management Controls IMPERVA SOLUTIONS Automatically discover cyber assets (applications and databases), sensitive data, and scan for vulnerabilities within those systems (sensitive systems/networks/ports that should not be scanned can be white listed) Control access to applications, databases, and sensitive data CIP-004 Personnel and Training CIP-005 Electronic Security Perimeter CIP-006 Physical Security of Critical Cyber Assets Imperva professional services can provide training. Standard audit reports can be generated listing authorized users. Advanced reports combining multiple elements (user identities, data accessed, method of access). i.e. SQL operation and query, and context i.e. source application, time, IP) can also be configured and optionally scheduled for user or task specific analysis Protect against Web application attacks Monitor and enforce database access Collect and analyze audit data for compliance and forensic analysis Protect applications used for archiving physical security logs CIP-007 Systems Security Management Limit application and database operations based on normal versus emergency operations CIP-008 Incident Reporting & Response Planning Role-based incident reporting, real-time dashboards, with drill-down analysis CIP-009 Recovery Plans for Critical Cyber Assets CIP-010 Configuration Management CIP-011 Information Protection Testing of application and database security policy rollovers between normal and emergency operations Integrate with a change management ticketing system to verify change approval. Routine run vulnerability assessments to scan for risks. Utilize the Imperva data security framework and solutions to discover, classify, assess systems and users, set policy, monitor, measure and report. CASE STUDY Securing Applications and Databases Across Environments Hydro Plant Embraces Cyber Security A company allows customers and partners to interact with their portals for customer self-service and Business Process Outsourcing (BPO). Tens of thousands of customers and hundreds of partners were interacting with these systems daily. Following a data theft incident, they wanted a solution designed to protect applications and the sensitive data within them. Solution Reasons for choosing Imperva Leveraged for applications and databases Correlate sessions between applications and databases pinpointing which user, through a Web application, accessed what data in a database In case of emergency, reduce the allowable access to applications to a pre-defined set of minimal, allowable services Protect applications that are Internet-facing, within the corporate network, and within the control system network Benefits During the evaluation period, Imperva discovered several applications within the control system environment communicating with systems in the corporate environment. This was an unexpected finding for several members of the IT team. Further, some of those corporate systems were made available online to partners. Because of the inherent risk of having the control system environment exposed, they decided to secure applications across their entire ecosystem. SecureSphere Web Application Firewall (WAF) and Database Firewall protects their applications and databases from external attackers, attackers masquerading as trusted users, and nefarious or careless insiders. 5

6 Compliance Reporting Automation The process of going through an audit can be time-consuming and costly. Many organizations spend vast amounts of resources conducting information discovery exercises which are manual and highly error prone. Imperva SecureSphere not only automates many of the requirements for discovery and audit reporting, but helps to reduce risks associated with failing an audit by providing accurate and holistic output. To further accelerate the audit process over 300 pre-built reports come standard with SecureSphere. The creation of custom reports is fast and easy, requiring no actual report writing or SQL scripting. In addition to security and compliance-specific reports, purpose-built reports that cover common enterprise applications such as SAP, Oracle e-business Suite, and PeopleSoft are also offered thus delivering a comprehensive reporting framework for application and database analysis and auditing. Imperva SecureSphere helps automate the process of addressing multi-regulated environments. It provides purpose-built content such as audit-level reports to illustrate compliance with NERC. It also provides a universal solution across control system, corporate, and Internet-facing environments where application and database assets require security. Addressing security and compliance in tandem provide both sensitive data protection and automation and standardization of audit tasks in a single, easy to use solution. Following the tenants of maximum availability, Imperva SecureSphere is designed to require the absolute minimum impact on networks, and enterprise applications. In most cases, network architecture reconfiguration and software configuration changes are not even required, nor is the installation of software. Thus, performance is not impacted on these enterprise applications. This model of a minimal operational footprint is one of the chief reasons why Imperva SecureSphere is so desirable in control system environments. There is also the added bonus of supporting separation of duties. For example, by providing auditing capabilities that reside within Imperva, outside of a database, DBA activity can be monitored without enlisting the support of the DBAs. This is a very powerful capability and allows for the detailed monitoring of privileged users. When it comes to protecting databases and applications in the cloud and on-premise, SecureSphere Web and Database Security Solutions deliver industry-leading security. In addition to securing critical infrastructure, Imperva can help automate NERC CIP compliance and other cyber regulations. 2016, Imperva, Inc. All rights reserved. Imperva, the Imperva logo, SecureSphere, Incapsula, Skyfence, CounterBreach and ThreatRadar are trademarks of Imperva, Inc. and its subsidiaries. All other brand or product names are trademarks or registered trademarks of their respective holders. CS-Imperva-NERC-US-0316-v4 imperva.com 6