NERC CIP MAPPING RKNEAL, INC. VERVE SECURITY CENTER. See how the Verve Security Center addresses the requirements of NERC CIP version 5

Transcription

1 VERVE SECURITY CENTER NERC CIP MAPPING See how the addresses the requirements of NERC CIP version 5

2 3 NERC CIP VERSION 5 Defense In Depth Protection For ICS Systems ADOPTS NEW CYBER SECURITY CONTROLS AND INCORPORATES A SIGNIFICANTLY LARGER SCOPE OF THE SYSTEMS PROTECTED. NERC CIP V5 mandates systems to have one or more methods for detecting malicious activity. The North American Electric Reliability Corporation s (NERC) mission is to ensure the reliability of the North American bulk electric system. To combat vulnerabilities, NERC has devised a series of standards categorized as Critical Infrastructure Protection (CIP). The first version of NERC s CIP standards went into effect in July Several new versions have since been implemented to add additional requirements. While NERC CIP Version 3 is currently operational, Version 5 has been approved and will become enforceable beginning in April Rkneal has been supporting the power industry since our company was founded in We are first and foremost an engineering firm specializing in industrial control systems (ICS), but naturally transitioned into cyber security ten years ago. Rkneal offers professional security services and solutions designed and tested for ICS environments. Our extensive ICS background also led to the development of our flagship product, the. Verve is a centralized security suite that consolidates multiple technologies into a unified management console. Each layer of Verve was carefully selected to detect, prevent and respond to cyber attacks.

3 4 5 occurred. It also shows if this was completed within 35 calendar days of release. VERVE COMPLIANCE MATRIX The following matrix provides more details on how the can help facilitate NERC CIP compliance efforts. CIP Table R2 Part 2.3 Verve allows a user to create patching profiles for specific endpoints or groups of endpoints. These profiles allow users to select approved, not approved or reviewed attributes for each applicable patch. Information for who applied these attributes, date and time are stored in a database. Reports can be generated to detail this information for audit purposes. NERC CIP REQUIREMENT CIP Table R1 Part 1.3 CIP Table R1 Part 1.5 CIP Table R2 Part 2.2 CIP Table R1 Part 1.1 APPLICATION Within Verve, there is a foreign-device application that can read current configurations for Electronic Access Points (EAP) and determine if deny rules are in place. Taking this a step further, Verve can generate reports that show the current access-list configuration of the EAP. There is an optional intrusion detection system component of Verve to allow customers to monitor networks for known and/or suspected malicious communications. This tool will alert when suspicious activity is detected. By itself, Verve cannot verify that encryption is being performed but it can verify that the correct configuration in the EAP exists. Verve has the ability to scan endpoints and determine which ports are open as well as document the business reason each port is required. This helps administrators determine if software or configuration on an endpoint has caused new undocumented ports to be opened. CIP Table R3 Part 3.1 The approved patches can be applied immediately or anytime in the future (i.e. outage). Patch profiles can also be saved so a user can resume their patching process when new patches are released. When the time comes to apply patches, a user can load saved profiles and create a patching action from the approved patch list. Verve offers a compliance tool option to allow customers to develop and track mitigation plans based on detected vulnerabilities. Once these mitigation plans are in place, users can manually or automatically create the approved patch list in Verve and deploy patches. After patches have been applied, mitigation plans will be updated with updated patch information and display the resolved vulnerabilities. Because of Verve s plug and play feature, it can integrate with most of the major antivirus software currently on the market. Through the Verve Management Console, users can send update tasks and scan tasks to antivirus agents. Verve utilizes an air-gapped system where antivirus signature updates are retrieved from a proxy server outside the ESP and hand carried to the through an approved USB. From here, antivirus updates can be sent via the Verve Management Console. If a development system is available, Verve can apply these signature updates to that environment first before applying them to the live system. Alerts and reports regarding detected viruses can be configured along with reports detailing the dates for current antivirus signatures. CIP Table R2 Part 2.1 CIP Table R2 Part 2.2 Verve s core component (patching) is installed on each applicable asset and will inventory current patch level, installed software, firmware (if applicable and can be obtained using command lines), local users, vulnerabilities and applicable patches. For assets that cannot have an agent installed, assets will either manually be installed or if they are network devices, their configuration will automatically be obtained and put under the change management component. If this is an air-gapped environment, an agent will be loaded on a proxy server that sits outside the ESP (with protected access). The agent will periodically retrieve updated patch information from the Verve agent. If Verve is not capable of retrieving patches automatically, custom patches can be built and applied through the deployment wizard. Verve utilizes built-in relevance code to determine if a patch is applicable to a specific endpoint. This includes newly released patches as well as older patches. Reports can be generated to show the current patch status for specific endpoints or a group of endpoints. Reports can also be generated to show which applicable patches have not yet been applied. Users can review, approve, not approve, etc. new patches within the Verve Management Console. Users also have access to reports that detail when patches were reviewed, who reviewed them and the date this activity CIP Table R3 Part 3.2 CIP Table R3 Part 3.3 Verve s SIEM component can also detect malicious activity on the network by monitoring events coming from an endpoint. The correlation engine looks for failures and malicious activity across the network and alerts when there is suspected activity. The application whitelisting feature of Verve allows computers to be locked down so only approved applications are allowed to run. This component also allows users to block USB drives based on the serial number of that device. Reports of blocked file execution attempts and blocked USB access attempts can easily be generated. Alerts can also be configured to notify appropriate personnel if someone attempts to run blocked applications or access blocked USB devices. The whitelisting component of Verve stops malicious code from executing by preventing all unauthorized applications from running. If Verve is integrated with antivirus, the antivirus application will also be able to clean endpoints of detected malicious code. Verve utilizes an air-gapped environment to retrieve signature updates when direct Internet connection is not allowed. This means a user will download the signature updates to a computer that is connected to the Internet and then copy them to the Verve server. The signature updates are then imported into the antivirus system.

4 6 7 CIP Table R4 Part 4.1 If a development system is available, Verve can apply these antivirus signatures to this system first in order to satisfy the testing requirements of NERC CIP. When antivirus signatures have been approved for distribution in the production environment, a user can manually roll these out or decide to have them automatically distributed. Verve s compliance tool tracks antivirus signature testing and generates reports detailing the testing process. The logging/siem component of Verve collects logs from any endpoint capable of sending logs to a remote server. It utilizes a correlation engine to detect patterns of possible malicious code and will alert when malicious activity is detected. The SIEM technology allows users to customize what to alert on and who will be notified when specific alerts are sent. Alerts can be sent via or text message. The SIEM is capable of monitoring logins, failed access/login attempts and detected malicious activity. Custom reports can also be built to tailor the information to a user or auditor s liking. CIP Table R1 Part 1.1 images to be created based upon customer need and schedule. Backups are stored locally and can be accessed in the event of a recovery. All backups can be tested for success by converting them to a virtual machine and testing that the backups successfully boot. If backups are successful, an entry is made in the Verve database to facilitate audit purposes. Verve has the ability to integrate with several of the change management technologies currently on the market. Once installed, Verve can track and baseline computer configurations, create baseline comparisons and report on any changes that are detected. Verve can track local users, local system groups, security policies, installed software, services, ports, applied system patches and any file or folder path on an endpoint. Along with endpoint change management, Verve can also monitor changes to network devices, ESXi servers, databases and Active Directory users and groups. Verve is configured to track changes and alert when a change is detected. Reports can also be generated to detail what was changed, who changed it and when the change occurred. CIP Table R4 Part 4.2 CIP Table R4 Part 4.3 CIP Table R5 Part 5.1 The SIEM feature of Verve can monitor the BES cyber system(s) for and alert on detected successful logins (4.1.1), detected failed logins and access attempts (4.1.2), detected malicious code (4.1.3) and virtually any other security event pertaining to malicious intent. All of the underlying components that make up the can store logs for at least 90 days. Verve was designed to store logs/data for each endpoint for up to three (3) years. Verve doesn t enforce authentication, but all of the Verve applications require authentication and can also be tied to Active Directory to manage access for these applications. CIP Table R1 Part 1.2 The optional compliance tool expands on the change detection process by offering a full change management suite which provides ticket creation, change approval process and change deployment. When a change is needed, a ticket is created and sent through the approval process automatically. Once administrators approve the change and the change is made, the compliance tool will ingest the new baseline data and add this information to the ticket to satisfy tracking and auditing requirements. The change management component of Verve allows a user to approve detected changes on endpoints and update the existing baseline. All previous baselines are stored for historical review and comparison. Changes can also be tied to change tickets. CIP Table R5 Part 5.4 CIP Table R5 Part 5.5 CIP Table R5 Part 5.6 CIP Table R5 Part 5.7 CIP Table R1 Part 1.3 For endpoints that have the Verve agent installed, users can change passwords on all detected local accounts. The password change event is detected by both Verve and the SIEM for documentation and auditing purposes. And while Verve cannot change passwords on unmanaged assets, it can gather information regarding passwords that have been changed on these devices. The change management component of Verve can evaluate the Windows password policy on each protected endpoint and highlight whether or not it meets NERC CIP requirements for password length and complexity. It can also generate reports detailing which endpoints are in compliance. Alerts can notify appropriate personnel when machines are no longer compliant. Verve s change management feature can evaluate the Windows password policy for each protected asset and determine if the max password age is 15 months or less. Reports and alerts can be configured to notify the appropriate personnel as well. The change management component of Verve can evaluate the Windows policy for each protected endpoint and determine if failed logins are limited for each endpoint. The SIEM will also alert if three or more failed logins on the same endpoint are detected. The backup and recovery component of Verve allows for periodic endpoint CIP Table R1 Part 1.3 CIP Table R2 Part 2.1 CIP Table R3 Part 3.1 CIP Table R3 Part 3.2 Verve s change management component will alert personnel when a deviation from the current baseline is detected. Users can then review the change and determine if it is supposed to be approved and promoted to the current baseline. The change management component will alert personnel when a change is detected. Reporting can be generated to show the details of those changes as well as who made the changes. An administrator can then determine if these changes were warranted and promote these changes to the new baseline. The vulnerability assessment tool scans every endpoint and looks not only at open ports and services, but also for vulnerabilities within the endpoint s software packages. This component provides users with detailed reports that include remediation tactics. The Verve vulnerability assessment tool also includes exception management, allowing the user to document known ports and services that are needed for business reasons. This list is automatically imported into the report to save our customers valuable time. Verve s vulnerabilty assessment component can actively scan assets in the BES system or test system to detect known vulnerabilities and configuration issues. Verve stores the scan results indefinitely and reports can be generated using this data. Verve takes this a step further by providing steps to mitigate the detected vulnerabilities.

5 Please contact Rkneal to find out more information about the or to schedule a product demonstration. FOR MORE INFORMATION: 1010 Market Street Suite 550 St. Louis, MO info@ support@ Rkneal, Inc., All Rights Reserved.