Patching & Malicious Software Prevention CIP-007 R3 & R4

Similar documents
Standard CIP Cyber Security Systems Security Management

Standard CIP 007 3a Cyber Security Systems Security Management

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Achieving SOX Compliance with Masergy Security Professional Services

NERC CIP VERSION 5 COMPLIANCE

NERC Cyber Security. Compliance Consulting. Services. HCL Governance, Risk & Compliance Practice

GE Measurement & Control. Cyber Security for NERC CIP Compliance

Completed. Document Name. NERC CIP Requirements CIP-002 Critical Cyber Asset Identification R1 Critical Asset Identifaction Method

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

Critical Controls for Cyber Security.

Summary of CIP Version 5 Standards

BSM for IT Governance, Risk and Compliance: NERC CIP

Alberta Reliability Standard Cyber Security System Security Management CIP-007-AB-5

SCADA and Security Are they Mutually Exclusive? Terry M. Draper, PE, PMP

TOP 10 CHALLENGES. With suggested solutions

SecFlow Security Appliance Review

Security Policy for External Customers

TRIPWIRE NERC SOLUTION SUITE

North American Electric Reliability Corporation: Critical Infrastructure Protection, Version 5 (NERC-CIP V5)

Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection

i-pcgrid Workshop 2015 Cyber Security for Substation Automation The Jagged Line between Utility and Vendors

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Payment Card Industry Data Security Standard

GE Measurement & Control. Cyber Security for Industrial Controls

Data Management Policies. Sage ERP Online

Cyber Security for NERC CIP Version 5 Compliance

NovaTech NERC CIP Compliance Document and Product Description Updated June 2015

ReliabilityFirst CIP Evidence List CIP-002 through CIP-009 are applicable to RC, BA, IA, TSP, TO, TOP, GO, GOP, LSE, NERC, & RE

North American Electric Reliability Corporation (NERC) Cyber Security Standard

PATCH MANAGEMENT. February The Government of the Hong Kong Special Administrative Region

NERC CIP Whitepaper How Endian Solutions Can Help With Compliance

Malicious Software Prevention for NERC CIP-007 Compliance: Protective Controls for Operating Systems and Supporting Applications

PCI Data Security Standards (DSS)

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

Ovation Security Center Data Sheet

Modular Network Security. Tyler Carter, McAfee Network Security

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

NERC CIP Compliance with Security Professional Services

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Effective Defense in Depth Strategies

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Industrial Security for Process Automation

Netzwerkvirtualisierung? Aber mit Sicherheit!

Information security controls. Briefing for clients on Experian information security controls

UMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE

The Importance of Cybersecurity Monitoring for Utilities

LogRhythm and NERC CIP Compliance

IBM Security IBM Corporation IBM Corporation

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

SECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

Ovation Security Center Data Sheet

IT Security and OT Security. Understanding the Challenges

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

ForeScout CounterACT and Compliance June 2012 Overview Major Mandates PCI-DSS ISO 27002

Protecting productivity with Plant Security Services

External Supplier Control Requirements

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

Patch and Vulnerability Management Program

The Protection Mission a constant endeavor

PROJECT BOEING SGS. Interim Technology Performance Report 3. Company Name: The Boeing Company. Contract ID: DE-OE

GE Oil & Gas. Cyber Security for NERC CIP Versions 5 & 6 Compliance

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

INCIDENT RESPONSE CHECKLIST

Critical Infrastructure Security: The Emerging Smart Grid. Cyber Security Lecture 5: Assurance, Evaluation, and Compliance Carl Hauser & Adam Hahn

Cyber Security Incident Handling Policy. Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology

Threat Center. Real-time multi-level threat detection, analysis, and automated remediation

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

NYS LOCAL GOVERNMENT VULNERABILITY SCANNING PROJECT September 22, 2011

Specific recommendations

Cyber security tackling the risks with new solutions and co-operation Miikka Pönniö

Taxonomy of Intrusion Detection System

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

VA Office of Inspector General

Protecting Your Organisation from Targeted Cyber Intrusion

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

On-Premises DDoS Mitigation for the Enterprise

CIP- 005 R2: Understanding the Security Requirements for Secure Remote Access to the Bulk Energy System

Did you know your security solution can help with PCI compliance too?

Critical Security Controls

Network/Cyber Security

GE Measurement & Control. Top 10 Cyber Vulnerabilities for Control Systems

Sample Vulnerability Management Policy

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Using Monitoring, Logging, and Alerting to Improve ICS Security ICSJWG 2015 Fall Meeting October 27, 2015

State of Texas. TEX-AN Next Generation. NNI Plan

eguide: Designing a Continuous Response Architecture Executive s Guide to Windows Server 2003 End of Life

IT Security & Compliance. On Time. On Budget. On Demand.

ABB s approach concerning IS Security for Automation Systems

The first step in protecting Critical Cyber Assets is identifying them. CIP-002 focuses on this identification process.

Overcoming PCI Compliance Challenges

CDM Vulnerability Management (VUL) Capability

Transcription:

Patching & Malicious Software Prevention CIP-007 R3 & R4

Scope Compliance Assessment Summary Introspection & Analysis Program-In Review Maturity Model review Control Design review Process Components of an effective Program Version Impact- Perspective

CIP007 R3Assessment-Summary Assessment of available security patches not completed within 30 days. Third-party security patches not assessed for applicability. Security patches not assessed for all in-scope Cyber Assets. Documentation of security patch assessment not retained. Security patch not installed and no compensating measures documented and/or implemented.

CIP007 R3Assessment-Summary Source of Discovery 50% of CIP007 R3 are self reported Annual Trend 2010: 4 Possible violation 2011: 6 Possible violation 2012: 6 Possible violation Limited TFE

Patch Management Program Assessment Maturity Model- Classification & Review Level 1- Initial Level 2- Repeatable Level 3- Defined Level 4- Managed Level 5- Optimizing CCA Risk Profile- Determinants Purpose of asset role Hosted applications & Selection of infrastructure Hardening process

Control Requirement-CIP007 R3 R3. Security Patch Management The Responsible Entity, either separately or as a component of the documented configuration management process specified in CIP-003-3 Requirement R6, shall establish, document and implement a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all Cyber Assets within the Electronic Security Perimeter(s). R3.1. The Responsible Entity shall document the assessment of security patches and security upgrades for applicability within thirty calendar days of availability of the patches or upgrades. R3.2. The Responsible Entity shall document the implementation of security patches. In any case where the patch is not installed, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure.

Patch Management Program Control Design Criteria- Document and Implement Tracking Develop inventory to be tracked Tracking-What, How, When & Why Identify source, release date, evaluation date, testing date, install date and mitigation date. Evaluation of applicability- Document assessment of applicability within 30 days. What and how of evaluation Against tracked vulnerabilities/risk profile criteria Impact on current hardening profile

Patch Management Program Control Design Criteria- Document and Implement Test- Document testing in support of cyber security controls(s) Identify security controls impacted Develop test plans to test security controls Retention of testing records Install- If patch is assessed as applicable and you are not able to install or have not installed then implement and document mitigation controls.

Perspective- Version Impact Version 4- No Impact to Security Patch management. Version 5: o Tracking shall include the identification of a source or sources that the Responsible Entity tracks for the release of cyber security patches [R3] o At least once every 35 calendar days, evaluate security patches for applicability that have been released since the last evaluation from the source or sources identified [3.1] o Creation of a new or update of an existing mitigation plan- Plan to address mitigation and time to implement. Version recognizes the inherent risk of patching posed on the integrity and availability of the system(s) [3.2] o Plan must be implemented within the timeframe specified in the plan, or in a revised plan as approved by the CIP Senior Manager or delegate [R3.2]

R4 R4. Malicious Software Prevention The Responsible Entity shall use anti-virus software and other malicious software ( malware ) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s). R4.1. The Responsible Entity shall document and implement anti-virus and malware prevention tools. In the case where anti-virus software and malware prevention tools are not installed, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure. R4.2. The Responsible Entity shall document and implement a process for the update of anti-virus and malware prevention signatures. The process must address testing and installing the signatures.

Malicious Software Prevention Strategies & Trend Signature based Known threats Fast efficient Ineffective to zero-day Targeted malware Non-Signature based I don t know who you are but I know your behavior Slow & Expensive- Work offline to identify Effective for zero-day False positives

Malicious Software Prevention Sandboxing Suspect file is evaluated in virtual safe environment Not extrapolating pattern, only reviewing behavior. It is not real time- file is sent to AMA for analysis Ineffective as primary-delayed execution Challenges Traditional signature based is extremely useful but limited to known signatures and behavior. Behavior analysis in tandem with signature based is still ineffective. Isolation is not bullet proof Advanced malware-sandbox by itself is not effective IPS- By itself is not effective

Malicious Software Prevention Options- Layered approach More specific and defined approaching data Signature based Reputation approach Anomaly detection Offline tools- Higher inspection capacity of the appliance the greater the effectiveness of successive tool. Effectiveness vs Efficiency Firewall- Restricted permit and encrypted file review IPS instead of IDS- encrypted file review & traffic over run Real time Signature based File reputation File anomaly Advanced malware appliance- 2% impact with the exception of encrypted file

CIP007 R4-Assessment Summary Anti-virus management console not monitored by staff for virus alerts. Anti-virus signature files not tested before update applied. Anti-virus/anti-malware not implemented and no TFE requested. Anti-virus software installed but found not operational on Cyber Asset.

CIP007 R4-Assessment Summary Source of Discovery 64% of CIP007 R3 are self reported Annual Trend 2010: 3 Possible violation 2011: 4 Possible violation 2012: 4 Possible violation TFE: 63 TFE asserted

Malicious Software Prevention Control Design Review- Document and Implement Use of Anti-Virus & other malicious tool evaluation Evaluate the device risk profile Review your toolset option of a single or multiple tools to protect the devices Detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware Review your toolset option.

Malicious Software Prevention Control Design Criteria- Document and Implement Document and Apply compensating measures Assess traffic and communication path Review conflict with IPS and Firewall rules Network based appliance on switches Assert TFE Document & Implement Process for updating signature files Process to include testing & installation Review of signature update

Perspective- Version Impact Version 4- No Impact to Malicious Software Prevention Requirement. Version 5: o transitions to from R4 to R3 o Holistic less prescriptive- competency based requirement where the entity must document how the malware risk is handled for each BES Cyber System, but it does not prescribe a particular technical method nor does it prescribe that it must be used on every Cyber Asset. The BES Cyber System is the object of protection. o The use of, Deploy method(s) to deter, detect, or prevent malicious code is less prescriptive but does put the burden on the method to deter, detect or prevent.

Compliance & Beyond Good vulnerability prevention program include Develop relationship with vendors & subscribe to vendor updates, blogs and admin groups. Governance structure- Change Control Board & Change control program adoption Define and implement patch cycle Documentation to support-track, Assess, Test, Schedule, Implement and Mitigate Configuration management plan Assess impact on related CIP & 693

Compliance & Beyond Backup & Recovery Incident Response Plan Disaster Recovery Plan Periodically assess the effectiveness of hardening criteria. Effective use of tool set. Monitor vulnerabilities US CERT quarterly report of known vulnerability Department of Homeland Security- Quarterly Report on Cyber Vulnerabilities. NIST National Vulnerability Database Other vendor based sites

Reference Materials A Strategic Approach to Protecting SCADA and Process Control Systems, IBM Global Services Nelson Ruest, A Practical Guide for Patch Testing, A Report by Wise Solutions, 2004. http://www.kb.cert.org/vuls/. US-CERT vulnerability Notes Database; current data on exploits, vulnerabilities, and resolutions. http://nvd.nist.gov/home.cfm. National Vulnerability Database is the U.S. Government repository of standards-based vulnerability management data http://www.cert.org/other_sources/viruses.html. Computer virus resources hosted by Software Engineering Institute and Carnegie Mellon for US-CERT.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information