Meeting NERC CIP Access Control Standards
Presented on February 12, 2014

Presented By: CyberLock
The leading supplier of key-centric access control systems
Based in Corvallis, Oregon
James T. McGowan, Vice President of Sales & Marketing
Technology & security industry veteran

Objective
If you are involved in the physical security requirements needed for NERC CIP compliance, this webinar is for you.
NERC: North American Electric Reliability Corporation
- Originally a voluntary industry organization focused on developing reliability standards
- Empowered by the Energy Policy Act of 2005; became the Electric Reliability Organization (ERO)
- Able to enforce standards and penalize non-compliance
- Mission: Ensure the reliability of the North American bulk power system

NERC CIP: Critical Infrastructure Protection
- Originally 8 specific reliability standards
- Intended to protect the BES* against cyber attacks
- Approved January 18, 2008
*BES = Bulk Electric System
www.nerc.com

NERC CIP: Critical Infrastructure
www.nerc.com/pa/ci/pages/default.aspx

CIP Standards
NERC CIP Standards
Original Eight:
- CIP-002-1 (BES Cyber System Categorization)
- CIP-003-1 (Security Management Controls)
- CIP-004-1 (Personnel & Training)
- CIP-005-1 (Electronic Security Perimeters)
- CIP-006-1 (Physical Security of BES Cyber Assets)
- CIP-007-1 (System Security Management)
- CIP-008-1 (Incident Reporting and Response Planning)
- CIP-009-1 (Recovery Plans for BES Cyber Systems)
Recent Additions:
- CIP-010-1 (Configuration Change Management & Vulnerability Assessments)
- CIP-011-1 (Information Protection)

Sounds Easy to Follow?
These are standards in motion:
- 8 = Number Subject to Enforcement
- 10 = Number Subject to Future Enforcement
- 3 = Number Pending Regulatory Filing
- 50 = Number Inactive
Why Comply?
- Helps protect the North American BES
- Critical Infrastructure cyber attacks are increasing: over 200 incidents reported between October 2012 and May 2013*, 53% of them energy related
*Source = ICS-CERT Monitor April/May/June 2013

Why Comply?
- Avoid fines: a fine is possible per day, for each day a violation continues.*
*Source = Sanction Guidelines of the NERC, Appendix 4B, December 20, 2012
CIP-003-3
Title: Cyber Security - Security Management Controls
Number: CIP-003-3
Purpose: Standard CIP-003-3 requires that Responsible Entities have minimum security management controls in place to protect Critical Cyber Assets.
Key Points:
- Implement a program for managing access to protected Critical Cyber Asset information
NOTE: Subject to Enforcement

CIP-005-5
Title: Cyber Security - Electronic Security Perimeter(s)
Number: CIP-005-5
Purpose: To manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
Key Points:
- Access control model that denies access by default, such that explicit access permissions must be specified.
- The entity shall review or otherwise assess access logs for attempts at or actual unauthorized accesses at least every ninety calendar days.
NOTE: Subject to Enforcement

CIP-006-3c
Title: Cyber Security - Physical Security of Critical Cyber Assets
Number: CIP-006-3c
Purpose: Standard CIP-006-3 is intended to ensure the implementation of a physical security program for the protection of Critical Cyber Assets.
Key Points:
- Shall document and implement the operational and procedural controls to manage physical access at all access points to the Physical Security Perimeter(s) twenty-four hours a day, seven days a week.
- Shall document and implement the technical and procedural controls for monitoring physical access at all access points to the Physical Security Perimeter(s) twenty-four hours a day, seven days a week.
NOTE: Subject to Enforcement

CIP-006-5
Title: Cyber Security - Physical Security of BES Cyber Systems
Number: CIP-006-5
Purpose: To manage physical access to BES Cyber Systems by specifying a physical security plan in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
Key Points:
- Utilize at least one physical access control to allow unescorted physical access into each applicable Physical Security Perimeter to only those individuals who have authorized unescorted physical access.
- Where technically feasible, utilize two or more different physical access controls (this does not require two completely independent physical access control systems) to collectively allow unescorted physical access into Physical Security Perimeters to only those individuals who have authorized unescorted physical access.
NOTE: Subject to Future Enforcement (7/1/15)
Summary of the Solution
A cost-effective, practical solution that:
- Manages access to protected critical cyber assets
- Denies access by default
- Records physical access attempts
- Manages physical access to facility perimeter(s)
- Controls access for only authorized personnel
- Provides a secondary physical access control solution

Access Control Options
- Mechanical Solution: Master Key System
- Lock-Centric Solution: Key Card System
- Key-Centric Solution: Electronic Locks & Smart Keys

What is Key-Centric?
Electronic access control to locks without power:
- Intelligent cylinders that replace mechanical cylinders
- Smart keys that hold permissions, store usage information, and energize the lock
- Access control management software that drives the system
Key-Centric In Action
1. Schedules & permissions are set in software
2. Key holders upload schedules and permissions via downloaders
3. Key holders access locks
4. Key holders download access activity via downloaders
5. Audit trails are uploaded into software
Updating permissions and downloading audit trails occur simultaneously.
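To make the workflow above concrete, and to tie it to the CIP-005 key points (deny access by default; review access logs for unauthorized attempts at least every ninety days), here is an added toy model written for this page. It is not CyberLock's software or firmware; the lock, key, downloader and review functions, and the sample technician, key and lock identifiers, are all hypothetical. It shows permissions carried on the key, a decision made only when the key energizes an unpowered lock, an audit entry for every touch, a downloader sync that pushes permissions and pulls audit trails in one step, and a review that flags denied attempts within a trailing 90-day window.

```python
# Added example (hypothetical model, not CyberLock's code): key-centric
# access control with deny-by-default permissions, per-touch audit trail,
# downloader sync, and a CIP-005 style 90-day review of denied attempts.
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta


@dataclass(frozen=True)
class Permission:
    """Schedule for one lock: allowed weekdays (0=Mon..6=Sun), daily window, expiry."""
    lock_id: str
    weekdays: frozenset
    start: time
    end: time
    expires: datetime


@dataclass
class AccessEvent:
    when: datetime
    key_id: str
    holder: str
    lock_id: str
    granted: bool
    reason: str


@dataclass
class SmartKey:
    """The key carries its own permissions and remembers every touch."""
    key_id: str
    holder: str
    permissions: dict = field(default_factory=dict)  # lock_id -> Permission
    audit: list = field(default_factory=list)        # list of AccessEvent


def try_open(lock_id: str, key: SmartKey, now: datetime) -> bool:
    """Decision made when the key energizes the (unpowered) lock.
    Access is denied unless an explicit, in-schedule permission exists."""
    perm = key.permissions.get(lock_id)
    if perm is None:
        reason = "no permission for this lock"      # deny by default
    elif now >= perm.expires:
        reason = "permission expired"
    elif now.weekday() not in perm.weekdays:
        reason = "outside permitted weekdays"
    elif not (perm.start <= now.time() < perm.end):
        reason = "outside permitted hours"
    else:
        reason = "ok"
    granted = reason == "ok"
    # Every touch, granted or not, is recorded on the key.
    key.audit.append(AccessEvent(now, key.key_id, key.holder, lock_id, granted, reason))
    return granted


def downloader_sync(key: SmartKey, new_permissions: dict, central_log: list) -> int:
    """Models the downloading station: pull the key's audit trail into the
    central log and push the current permission set onto the key in one step.
    Returns the number of audit events uploaded."""
    uploaded = len(key.audit)
    central_log.extend(key.audit)
    key.audit.clear()
    key.permissions = dict(new_permissions)
    return uploaded


def review_unauthorized(central_log: list, as_of: datetime, window_days: int = 90) -> list:
    """CIP-005 style review: denied attempts in the trailing window (90 days by default)."""
    since = as_of - timedelta(days=window_days)
    return [e for e in central_log if not e.granted and since <= e.when <= as_of]


def demo():
    """Constructed sample: one technician with a weekday 08:00-17:00 schedule
    on cabinet lock CAB-01 and no permission at all for padlock FENCE-N."""
    perms = {"CAB-01": Permission("CAB-01", frozenset(range(5)), time(8), time(17),
                                  datetime(2014, 12, 31))}
    key = SmartKey("K-0042", "tech.a")
    central_log = []
    downloader_sync(key, perms, central_log)   # step 2: permissions onto the key
    results = [
        try_open("CAB-01", key, datetime(2014, 2, 11, 10, 0)),   # Tue 10:00 -> granted
        try_open("CAB-01", key, datetime(2014, 2, 15, 10, 0)),   # Sat -> denied
        try_open("FENCE-N", key, datetime(2014, 2, 11, 10, 0)),  # no permission -> denied
    ]
    downloader_sync(key, perms, central_log)   # steps 4-5: audit trail into software
    flagged = review_unauthorized(central_log, datetime(2014, 3, 1))
    return results, flagged


if __name__ == "__main__":
    granted, flagged = demo()
    print("access results:", granted)
    for e in flagged:
        print(f"DENIED {e.when:%Y-%m-%d %H:%M} key={e.key_id} lock={e.lock_id}: {e.reason}")
```

The point a compliance reviewer should take from this model is that the audit trail only reaches the management software when keys are synced at a downloader, so the review cadence depends on key holders actually visiting a downloading station; a key that is never synced leaves a gap in the ninety-day review.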
Practical Applications:
- Manage access to protected critical cyber assets: install key-centric cam locks on cabinets
- Deny access by default: key-centric locks can only be opened by authorized users

Practical Applications:
- Manage physical access to facility perimeter(s): install key-centric padlocks on perimeter fences
- Control access for only authorized personnel: set permissions in management software
Electronic Locks
Install locks:
- Fit into existing hardware
- No power/wiring needed
- Install anywhere
- Highly secure: no pick-able keyway
CIP-006: manage physical access to all access points

Programmable Keys
Program and distribute keys:
- Key has user information, schedules, permissions
- Remembers every touch
- Battery energizes lock
CIP-005: access control model that denies access by default, such that explicit access permissions must be specified

Downloading Stations
Download/upload information:
- Install in convenient locations (employee entrances, break rooms)
- Interface with software
- Download audit trails
- Upload new system info
CIP-006: predefined electronic access rights uploaded to key; log access activity to physical security

Management Software
Manage system:
- Hierarchy of administrators
- Browser-based access
- Intuitive GUI
CIP-006: electronic access where the access rights are predefined in a computer database
Which System?
The Leader in Key-Centric Access Control: CyberLock
Field Proven:
- Introduced in 2000
- 1 Million + CyberLock cylinders deployed
Flexible:
- 300+ lock designs
- Multiple key & downloading options
Feature-rich software:
- Stable, Linux-based
- Access via off-the-shelf browsers
Expansion options:
- Lock-centric capabilities
- 3rd-party integration
Fulfills NERC CIP Access Control Requirements

Summary
Meet NERC CIP Access Control Standards with CyberLock:
- Proven
- Affordable
- Practical
- Scalable
Supports compliance: CIP-003-3, CIP-005-5, CIP-006-3c, CIP-006-5

For More Information
sales@cyberlock.com
541-738-5500