Notable Changes to NERC Reliability Standard CIP-010-3


CLARITY ASSURANCE RESULTS
MIDWEST RELIABILITY ORGANIZATION

Notable Changes to NERC Reliability Standard CIP-010-3
Cyber Security Configuration Change Management and Vulnerability Assessments

Bill Steiner, MRO Principal Risk Assessment and Mitigation Engineer
MRO CIP Version 5 Workshop, February 12 and 18, 2015

Improving RELIABILITY and mitigating RISKS to the Bulk Power System

Agenda
- Applicable Systems
- Baseline Configuration Concept
- Vulnerability Assessment
- Transient Cyber Assets and Removable Media
- Plan(s) for Transient Cyber Assets
- Plan(s) for Removable Media

Applicable Systems
This Standard includes the Configuration Management requirements for:
- High Impact BES Cyber Systems
- Medium Impact BES Cyber Systems
- Electronic Access Control or Monitoring Systems (EACMS)
- Physical Access Control Systems (PACS)
- Protected Cyber Assets (PCA)

Baseline Configuration Concept
- The baseline concept is designed to provide clarity on requirement language ("Significant") found in previous CIP Standard Versions
- The baseline provides the triggering mechanism for when entities must apply the change management processes
- Five required items in the baseline:
  - Operating system(s) (including version), or firmware where no OS exists
  - Any commercially available or open-source application software (including version) intentionally installed
  - Any custom software installed
  - Any logical network accessible ports
  - Any security patches applied

Baseline Configuration Concept (continued)
- Authorize and document changes that deviate from the existing baseline (change management system)
- Baseline document must be updated within 30 days of the change
- Prior to the change, determine the security controls (CIP-005 and CIP-007) which could be impacted
- Following the change, verify the controls have not been adversely impacted

Baseline Configuration Concept (continued)
- Document results
- Evidence must provide reasonable assurance of completion of the test
- This is typically done by providing screen shots or electronic results of testing
- STRONG procedural controls, which would include signed, dated, detailed test results along with clear expectations and instructions for the work to be completed, can meet this requirement

Baseline Configuration Concept
High Impact Control Centers have additional requirements:
- Changes which impact the baseline configuration must be tested in an environment which minimizes adverse effects to the production environment
  - Environment must be sufficient to ensure CIP-005 and CIP-007 tests will be meaningful
  - Along with the test results, the test environment must also be documented, including the measures which were used to account for differences
- Must monitor at least every 35 days for changes to the baseline
  - Intent is automated monitoring when possible, manual procedural controls when not
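The baseline concept above, as an added worked example that is not part of the MRO presentation or of any NERC/MRO tooling: a Python record of the five baseline elements, a drift check that reports deviations needing change-management authorization, and the two calendar checks the slides describe (30-day baseline update, 35-day monitoring at High Impact Control Centers). Device names, versions, ports and the patch identifier are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

SET_ELEMENTS = ("commercial_software", "custom_software", "open_ports", "security_patches")

@dataclass(frozen=True)
class Baseline:
    os_or_firmware: str             # OS (with version), or firmware where no OS exists
    commercial_software: frozenset  # commercial/open-source software intentionally installed, with version
    custom_software: frozenset      # custom software installed
    open_ports: frozenset           # logical network accessible ports, e.g. "tcp/22"
    security_patches: frozenset     # security patches applied

def diff_baseline(approved, observed):
    """Per baseline element, report what was added to or removed from the approved baseline.
    Any non-empty result is a deviation that needs change-management authorization."""
    deviations = {}
    if approved.os_or_firmware != observed.os_or_firmware:
        deviations["os_or_firmware"] = {"added": [observed.os_or_firmware],
                                        "removed": [approved.os_or_firmware]}
    for element in SET_ELEMENTS:
        was, now = getattr(approved, element), getattr(observed, element)
        if was != now:
            deviations[element] = {"added": sorted(now - was), "removed": sorted(was - now)}
    return deviations

def baseline_update_overdue(change_date, baseline_updated, today):
    """Baseline documentation must be updated within 30 days of a change (ISO date strings;
    baseline_updated is None while the update is still pending)."""
    done_on = date.fromisoformat(baseline_updated or today)
    return (done_on - date.fromisoformat(change_date)).days > 30

def monitoring_overdue(last_check, today):
    """High Impact Control Centers must monitor for baseline changes at least every 35 days."""
    return (date.fromisoformat(today) - date.fromisoformat(last_check)).days > 35

# Constructed sample: approved baseline of a hypothetical gateway, and a later observation
# in which an unrecorded package and a listening port appeared.
APPROVED = Baseline("Linux 4.19", frozenset({"openssh 7.9"}), frozenset({"gw-agent 1.2"}),
                    frozenset({"tcp/22", "tcp/20000"}), frozenset({"PATCH-CONSTRUCTED-001"}))
OBSERVED = Baseline("Linux 4.19", frozenset({"openssh 7.9", "netcat 1.10"}), frozenset({"gw-agent 1.2"}),
                    frozenset({"tcp/22", "tcp/20000", "tcp/8080"}), frozenset({"PATCH-CONSTRUCTED-001"}))

if __name__ == "__main__":
    for element, delta in diff_baseline(APPROVED, OBSERVED).items():
        print(f"{element}: added={delta['added']} removed={delta['removed']}")
```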

Vulnerability Assessment
- Must conduct a paper or active vulnerability assessment at least every 15 calendar months
- Initial assessment must be completed within 12 months after the effective date of CIP Version 5
- Paper Vulnerability Assessment
  - Intended to be a comprehensive review and verification of security controls without the impact of active network scanning tools
- Active Vulnerability Assessment
  - Use of active discovery tools (Nmap, etc.) to provide network (including wireless), ports/services, and vulnerability assessment of enabled services
  - Required at least every 36 months (in a test environment) at High Impact Control Centers

Transient Cyber Assets and Removable Media
Proposed Definition: Transient Cyber Asset (NERC Glossary of Terms)
A Cyber Asset that (i) is capable of transmitting or transferring executable code, (ii) is not included in a BES Cyber System, (iii) is not a Protected Cyber Asset (PCA), and (iv) is directly connected (e.g., using Ethernet, serial, Universal Serial Bus, or wireless, including near field or Bluetooth communication) for 30 consecutive calendar days or less to a BES Cyber Asset, a network within an ESP, or a PCA. Examples include, but are not limited to, Cyber Assets used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.

Transient Cyber Assets and Removable Media
Proposed Definition: Removable Media (NERC Glossary of Terms)
Storage media that (i) are not Cyber Assets, (ii) are capable of transferring executable code, (iii) can be used to store, copy, move, or access data, and (iv) are directly connected for 30 consecutive calendar days or less to a BES Cyber Asset, a network within an ESP, or a Protected Cyber Asset. Examples include, but are not limited to, floppy disks, compact disks, USB flash drives, external hard drives, and other flash memory cards/drives that contain nonvolatile memory.
These types of devices represent the highest risk to the BES.
Attachment 1 of CIP-010-3 details the required sections in the plan which must be implemented for Transient Cyber Assets and Removable Media.

Plan Requirements for Transient Cyber Assets
Highlights - Transient Cyber Assets owned by Registered Entities
- Authorization (all apply)
  - Users, either individually, by group, or by role
  - Locations, either individually, by group, or by role
  - Uses, which shall be limited to what is necessary to perform business functions
- Software Vulnerability Mitigation (use one or a combination)
  - Security patching
  - OS and software from read-only media
  - System hardening
  - Other method(s)

Plan Requirements for Transient Cyber Assets
Highlights - Transient Cyber Assets owned by Registered Entities
- Introduction of Malicious Code Mitigation (one or a combination)
  - Antivirus software
  - Application whitelisting
  - Other method(s)
- Unauthorized Use Mitigation (one or a combination)
  - Restrict physical access
  - Full-disk encryption with authentication
  - Multi-factor authentication
  - Other method(s)

Plan Requirements for Transient Cyber Assets
Highlights - Transient Cyber Assets managed by Third Party
- Software Vulnerabilities (one or a combination)
  - Review installed security patch(es)
  - Review security patching process used by the party
  - Review other mitigation performed by the party
  - Other method(s)

Plan Requirements for Transient Cyber Assets
Highlights - Transient Cyber Assets managed by Third Party (continued)
- Introduction of Malicious Code Mitigation (one or a combination)
  - Review antivirus update level
  - Review antivirus update process used by the party
  - Review of application whitelisting used by the party
  - Review use of OS and software executable from read-only media
  - Review of system hardening used by the party
  - Other method(s)
- Determination of 3rd party policies for sufficiency

Plan Requirements for Removable Media
Highlights - Removable Media
- Authorization
  - Users, either individually, by group, or by role
  - Locations, either individually or by group
- Malicious Code Mitigation
  - Use method(s) to detect malicious code on Removable Media using a Cyber Asset other than a BCS or PCA
  - Mitigate the threat of detected malicious code on Removable Media prior to connecting to a BCA or PCA

Plan Requirements - Transient Cyber Assets and Removable Media
- Attachment 2 of CIP-010-3 provides detailed examples of expected evidence
- Can get complicated with jointly owned facilities

Questions?