Technology Solutions for NERC CIP Compliance
June 25, 2015
2 Encari's focus is providing NERC CIP compliance products and services for generation and transmission utilities, municipalities and cooperatives.
3 ADMINISTRATIVE ITEMS
Thanks to each of you for taking the time to participate in our webinar today, June 25, 2015 at 10:30 CST! Three administrative items:
1. Questions - if you would like to have a question addressed while the webinar is underway, please type the question and send it to me [Molly Decker mdecker@encari.com] using the "Question" feature within our Webinar interface. If we are unable to address your question during this Webinar, we will make sure to respond to the question soon thereafter (see item 3 below).
2. Full-screen mode - use full-screen mode within the Webinar interface in order to see the entire contents of the slides that will be presented.
3. Presentation materials - we will notify each of you via email when you are able to download, from our web site, a copy of the webinar slides and the transcribed questions raised during this webinar along with Encari's responses to them.
4 MEET THE PRESENTERS
Peter Brown, Senior Critical Infrastructure Protection Consultant
Peter has been with Encari since 2008. He has helped Encari's clients develop NERC CIP compliance programs, including policy and procedure documentation, as well as implementing technical solutions in support of NERC CIP compliance, including security information event management solutions, configuration management, multi-factor authentication, document management, and centralized authentication and access control. He has also architected security solutions for Smart Grid systems. Prior to joining Encari, Peter was a system administrator, network architect, backup and recovery expert, email system engineer and directory services consultant. When Peter is not making power systems more secure, he is sailing or cheering on the Cubs and the Blackhawks.
5 Background
April's webinar, "CIP v5 Applies to Us! Uh Oh, Now What?", addressed the applicability of NERC CIP version 5, including:
- An overview of a BES Cyber System categorization methodology
- The requirements that apply to Medium Impact BES Cyber Systems
- The requirements that apply to Low Impact BES Cyber Systems
This month we are focusing on how to use technology to ease the burden of NERC CIP compliance.
6 Standards that will be covered
We will talk about standards that do not specifically require security technology such as firewalls. We will not address technology solutions for the following standards:
- CIP-002-5.1 BES Cyber System Categorization
- CIP-005-5 Electronic Security Perimeter(s)
- CIP-006-5 Physical Security of BES Cyber Systems
- CIP-008-5 Incident Reporting and Response Planning
- CIP-009-5 Recovery Plans for BES Cyber Systems
- CIP-011-1 Information Protection
- CIP-014-1 Physical Security
NERC CIP v5 Requirements, Measures, and Technology Solutions

CIP-003-5 R1 and R2: Annual approval of documented cyber security policies
  Measures: revision history; records of review; workflow evidence from a document management system
  Technologies: Workflow System, Document Management System

CIP-004-5.1 R1: Security awareness that, at least once each calendar quarter, reinforces cyber security practices
  Measures: documentation that the quarterly reinforcement has been provided
  Technologies: Workflow System
CIP-004-5.1 R4: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented access management programs
  Measures: verification between the system-generated list of individuals who have been authorized for access (i.e., workflow database) and a system-generated list of personnel who have access (i.e., user account listing); dated evidence, such as dated workflow or sign-off forms showing a review of logical and physical access
  Technologies: Centralized Access Control, Workflow System

CIP-004-5.1 R5: Access revocation
  Measures: logs or other demonstration showing such persons no longer have access that the Responsible Entity determines is not necessary
  Technologies: Workflow System, Centralized Logging

CIP-007-5 R1: Enable only logical network accessible ports that have been determined to be needed
  Measures: listings of the listening ports from either the device configuration files, command output (such as netstat), or network scans of open ports; configuration files
  Technologies: Configuration Management
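The CIP-004-5.1 R4 measure above is a reconciliation: the workflow database says who was authorized, the account listing says who actually has access, and the review has to show the two agree and that revoked access (R5) is really gone. The following Python script is an added example of that check, not part of the webinar or any Encari product; the user names, asset names, dates and the record layout of both lists are constructed for illustration.

```python
"""Access reconciliation evidence for CIP-004-5.1 R4/R5: compare a workflow database's
authorization list with a system-generated account listing and report the discrepancies."""
from datetime import date

# Review date for this run (constructed; in practice the day the review is performed).
AS_OF = date(2015, 6, 25)

# Constructed sample rows from a hypothetical workflow (authorization) database.
# revoked_on is None while the authorization is current.
AUTHORIZATIONS = [
    {"user": "jdoe",   "asset": "ems-hmi-01",   "revoked_on": None},
    {"user": "asmith", "asset": "ems-hmi-01",   "revoked_on": date(2015, 6, 1)},  # access no longer needed
    {"user": "bjones", "asset": "scada-srv-02", "revoked_on": None},
]

# Constructed sample rows from a system-generated user account listing exported from the assets.
ACCOUNTS = [
    {"user": "jdoe",     "asset": "ems-hmi-01",   "enabled": True},
    {"user": "asmith",   "asset": "ems-hmi-01",   "enabled": True},   # still enabled after revocation
    {"user": "svc_hist", "asset": "scada-srv-02", "enabled": True},   # no authorization on file
    {"user": "bjones",   "asset": "scada-srv-02", "enabled": False},
]


def reconcile(authorizations, accounts, as_of):
    """Return a dated review record with the three discrepancy classes worth flagging."""
    authorized = {(a["user"], a["asset"]) for a in authorizations if a["revoked_on"] is None}
    revoked = {(a["user"], a["asset"]): a["revoked_on"]
               for a in authorizations if a["revoked_on"] is not None}
    enabled = {(a["user"], a["asset"]) for a in accounts if a["enabled"]}

    return {
        "reviewed_on": as_of.isoformat(),
        # Enabled account with neither a current authorization nor a revocation record:
        # access that was never approved through the workflow.
        "unauthorized": sorted(enabled - authorized - set(revoked)),
        # Revoked authorization whose account is still enabled, with the number of days
        # since revocation: the CIP-004-5.1 R5 removal has not been completed.
        "revocation_incomplete": sorted(
            (key, (as_of - revoked_on).days)
            for key, revoked_on in revoked.items() if key in enabled),
        # Approved access with no enabled account: not a deficiency, but the listing
        # and the approval should agree, so it is reported for confirmation.
        "authorized_without_account": sorted(authorized - enabled),
    }


def format_evidence(record):
    """Render the review record as the dated text that goes into the compliance file."""
    lines = [f"Access review performed {record['reviewed_on']}"]
    for category in ("unauthorized", "revocation_incomplete", "authorized_without_account"):
        lines.append(f"  {category}: {record[category] or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_evidence(reconcile(AUTHORIZATIONS, ACCOUNTS, AS_OF)))
```

Keying on (user, asset) rather than on user alone matters: an individual is usually authorized per system, so an account that is fine on one asset can be unauthorized on another. The printed record is the dated evidence the measure asks for; the "days since revocation" column is what an auditor will compare against the revocation deadline.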
CIP-007-5 R2: For applicable patches, apply the applicable patches; or
  Measures: records of the installation of the patch (e.g., exports from automated patch management tools that provide installation date, verification of BES Cyber System Component software revision, or registry exports that show software has been installed)
  Technologies: Configuration Management

CIP-007-5 R3: Deploy method(s) to deter, detect, or prevent malicious code
  Measures: an example of evidence may include, but is not limited to, records of the Responsible Entity's performance of these processes
  Technologies: Centralized Logging

CIP-007-5 R4: Log events for identification of, and after-the-fact investigations of, Cyber Security Incidents
  Measures: a paper or system-generated listing of event types that the BES Cyber System is capable of detecting and, for generated events, is configured to log
  Technologies: Centralized Logging
CIP-007-5 R4: Generate alerts for security events that the Responsible Entity determines necessitate an alert
  Measures: paper or system-generated listing of security events that the Responsible Entity determined necessitate alerts, including a paper or system-generated list showing how alerts are configured
  Technologies: Security Information Event Management

CIP-007-5 R4: Retain applicable event logs for at least the last 90 consecutive calendar days
  Measures: documentation of the event log retention process and paper or system-generated reports showing log retention configuration set at 90 days or greater
  Technologies: Centralized Logging

CIP-007-5 R4: Review a summarization or sampling of logged events as determined by the Responsible Entity at intervals no greater than 15 calendar days to identify undetected Cyber Security Incidents
  Measures: documentation describing the review, any findings from the review (if any), and dated documentation showing the review occurred
  Technologies: Security Information Event Management
CIP-007-5 R5: System Access Control (account and access management)
  Measures: documentation describing how access is authenticated; a listing of accounts by account type showing the enabled or generic account types; a listing of shared accounts and the individuals who have authorized access to each shared account
  Technologies: Centralized Access Control

CIP-007-5 R5: System Access Control (password management)
  Measures: records of a procedure that passwords are changed when new devices are put in production, or documentation in system manuals or other vendor documents showing that default vendor passwords were generated pseudo-randomly and are thereby unique to the device; system-generated reports or screen-shots of the system-enforced password parameters, including length and complexity, or attestations that include a reference to the documented procedures that were followed
  Technologies: Centralized Access Control, Workflow System
CIP-007-5 R5: System Access Control (access management)
  Measures: documentation of the account lockout parameters, or rules in the alerting configuration showing how the system notified individuals after a determined number of unsuccessful login attempts
  Technologies: Centralized Access Control, Security Information Event Management

CIP-010-1 R1: Develop a baseline configuration, individually or by group
  Measures: a spreadsheet identifying the required items of the baseline configuration for each Cyber Asset, individually or by group; a record in an asset management system that identifies the required items of the baseline configuration for each Cyber Asset, individually or by group
  Technologies: Configuration Management

CIP-010-1 R1: Authorize and document changes that deviate from the existing baseline configuration
  Measures: a change request record and associated electronic authorization (performed by the individual or group with the authority to authorize the change) in a change management system for each change; documentation that the change was performed in accordance with the requirement
  Technologies: Configuration Management, Workflow System
CIP-010-1 R1: For a change that deviates from the existing baseline configuration, update the baseline configuration as necessary within 30 calendar days of completing the change
  Measures: updated baseline documentation with a date that is within 30 calendar days of the date of completion of the change
  Technologies: Document Management, Workflow System

CIP-010-1 R1: For a change that deviates from the existing baseline configuration, prior to the change, determine the required cyber security controls in CIP-005 and CIP-007 that could be impacted by the change; following the change, verify that the required cyber security controls determined in 1.4.1 are not adversely affected; and document the results of the verification
  Measures: a list of cyber security controls verified or tested along with the dated test results
  Technologies: Configuration Management, Workflow System

CIP-010-1 R2: Monitor at least once every 35 calendar days for changes to the baseline configuration; document and investigate detected unauthorized changes
  Measures: logs from a system that is monitoring the configuration along with records of investigation for any unauthorized changes that were detected
  Technologies: Configuration Management, Workflow System
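The CIP-010-1 R1/R2 rows above, together with the CIP-007-5 R1 listening-port measure on the earlier slide, describe what a configuration management tool does for compliance: hold a dated baseline, diff the current state against it, tie each deviation to an authorized change record or flag it for investigation, and track the 30-day baseline-update and 35-day monitoring deadlines. The Python script below is an added example of that logic, not code from the webinar or from any product it names; the netstat-style output, asset name, baseline items, software versions and change record are all constructed for the illustration.

```python
"""Baseline configuration monitoring for CIP-010-1 R1/R2, using the listening-port listing
that CIP-007-5 R1 evidence calls for (parsed from netstat-style command output)."""
from datetime import date, timedelta

TODAY = date(2015, 6, 25)   # constructed run date

# Constructed netstat -an style output captured from a hypothetical asset.
NETSTAT_OUTPUT = """\
Proto  Local Address          Foreign Address        State
tcp    0.0.0.0:22             0.0.0.0:*              LISTEN
tcp    0.0.0.0:502            0.0.0.0:*              LISTEN
tcp    10.1.1.5:22            10.1.1.9:50122         ESTABLISHED
tcp    0.0.0.0:8080           0.0.0.0:*              LISTEN
udp    0.0.0.0:161            0.0.0.0:*
"""


def listening_ports(netstat_text):
    """Extract (proto, port) pairs for TCP sockets in LISTEN state and all bound UDP sockets."""
    ports = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("tcp", "udp"):
            continue   # header or unrelated line
        proto, local = parts[0], parts[1]
        if proto == "tcp" and (len(parts) < 4 or parts[3] != "LISTEN"):
            continue   # established or closing connections are not listening services
        ports.add((proto, int(local.rsplit(":", 1)[1])))
    return ports


# Constructed baseline for the asset: required items per CIP-010-1 R1 (ports and software versions).
BASELINE = {
    "asset": "rtu-gw-01",
    "dated": date(2015, 5, 1),
    "ports": {("tcp", 22), ("tcp", 502), ("udp", 161)},
    "software": {"firmware": "4.2.1", "sshd": "6.6p1"},
}

# Constructed current snapshot of the same asset.
CURRENT = {
    "captured": TODAY,
    "ports": listening_ports(NETSTAT_OUTPUT),
    "software": {"firmware": "4.3.0", "sshd": "6.6p1"},
}

# Constructed change records from a hypothetical change-management system.
CHANGES = [
    {"item": "software:firmware", "to": "4.3.0", "authorized": True, "completed": date(2015, 6, 10)},
]


def _finding(item, before, after, authorized_changes, today):
    f = {"item": item, "baseline": before, "current": after}
    change = authorized_changes.get(item)
    if change is not None and change["to"] == after:
        f["status"] = "authorized"
        # Part 1.3: the baseline must be updated within 30 calendar days of completing the change.
        due = change["completed"] + timedelta(days=30)
        f["baseline_update_due"] = due.isoformat()
        f["baseline_update_overdue"] = today > due
    else:
        f["status"] = "unauthorized"   # R2: document and investigate
    return f


def deviations(baseline, current, changes, today):
    """Diff the current snapshot against the baseline; classify each deviation via change records."""
    authorized_changes = {c["item"]: c for c in changes if c["authorized"]}
    out = []
    for proto, port in sorted(current["ports"] - baseline["ports"]):
        out.append(_finding(f"port:{proto}/{port}", "closed", "listening", authorized_changes, today))
    for proto, port in sorted(baseline["ports"] - current["ports"]):
        out.append(_finding(f"port:{proto}/{port}", "listening", "closed", authorized_changes, today))
    for name in sorted(set(baseline["software"]) | set(current["software"])):
        before, after = baseline["software"].get(name), current["software"].get(name)
        if before != after:
            out.append(_finding(f"software:{name}", before, after, authorized_changes, today))
    return out


def monitoring_overdue(last_monitored, today, max_days=35):
    """R2: the baseline must be checked for changes at least once every 35 calendar days."""
    return (today - last_monitored).days > max_days


if __name__ == "__main__":
    for f in deviations(BASELINE, CURRENT, CHANGES, TODAY):
        print(f)
    print("monitoring overdue:", monitoring_overdue(BASELINE["dated"], TODAY))
```

In the sample, the firmware upgrade has a matching authorized change record and is reported with its baseline-update due date, while the new listener on tcp/8080 has no record and is reported as unauthorized, which is exactly the case the R2 investigation records must cover. A real deployment would pull the baseline and change records from the configuration management and workflow systems rather than from constants.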
Technology Solutions and the Requirements they Address

Technology solutions (columns): Workflow; Document Management; Configuration Management; Centralized Logging; SIEM; Centralized Access Control

Requirements (rows), with the technologies mapped to each on the preceding slides:
- CIP-003-5 R1 Cyber Security Policy: Workflow, Document Management
- CIP-003-5 R2 Cyber Security Policy: Workflow, Document Management
- CIP-004-5.1 R1 Security Awareness Program: Workflow
- CIP-004-5.1 R4 Access Management Program: Workflow, Centralized Access Control
- CIP-004-5.1 R5 Access Management Revocation: Workflow, Centralized Logging
- CIP-007-5 R1 Ports and Services: Configuration Management
- CIP-007-5 R2 Security Patch Management: Configuration Management
- CIP-007-5 R3 Malicious Code Prevention: Centralized Logging
- CIP-007-5 R4 Security Event Monitoring: Centralized Logging, SIEM
- CIP-007-5 R5 System Access Control: Workflow, SIEM, Centralized Access Control
- CIP-010-1 R1 Configuration Change Management: Workflow, Document Management, Configuration Management
- CIP-010-1 R2 Configuration Monitoring: Workflow, Configuration Management
15 Technology Solution - Workflow
Features and Functions:
- Represent processes as steps (activities) and decision points
- Assign activities to individuals
- Assign due dates; apply schedules
- Record completions and outcomes
- Report on activities
Products:
- Usually included as additional functionality in other products (SIEM, Configuration Management)
- Encari NERC CIP Compliance Minder
16 Technology Solution - Document Management
Features and Functions:
- Track document revisions and versions
- Workflow and collaboration
- Track approvals, publication, distribution and viewing
- Generate reports
Products:
- Documentum
- M-Files
- SharePoint
17 Technology Solution - Configuration Management
Features and Functions:
- Establishes baseline configurations of system settings and software versions; can also track hardware
- Vulnerability management is a variant
- Applies patches and updates; generates reports
Products:
- KACE
- Qualys
- Microsoft Systems Management Server (SMS)
18 Technology Solution - Centralized Logging
Features and Functions:
- Collects logs in a central location, simplifying retention and review
- Advanced systems can apply retention policies
- More advanced systems can parse logs, correlate events and generate alerts
Products:
- Kiwi
- GFI EventsManager
- Splunk
19 Technology Solution - Security Information Event Management (SIEM)
Features and Functions:
- Collects logs and other operational data from a wide variety of systems
- Parses logs and correlates events, including IDS and NetFlow data
- Generates alerts, reports and dashboards; highly customizable; can aid forensics and investigation of events
- There is a continuum from log management to SIEM as functionality increases
Products:
- NetIQ Sentinel
- LogRhythm
- ArcSight
20 Technology Solution - Centralized Access Control
Features and Functions:
- Manage authentication and authorization centrally
- Simplifies maintenance of approvals, access lists and shared accounts
- Facilitates account revocation
Standards:
- LDAP
- Kerberos
- RADIUS
21 Q & A SESSION
THANK YOU FOR ATTENDING OUR WEBINAR
All questions submitted during this webinar will be addressed by Encari, documented, and distributed to all attendees in a Q&A document as soon as possible.
22 CONTACT US
(847) 947-8448
webinars@encari.com; demos@encari.com; contactus@encari.com
http://www.encari.com
https://www.facebook.com/encari.powersecure
https://twitter.com/encarips
http://bit.ly/encarilinkedin