Cyber Security Compliance Industrial Computing
NERC CIP-007 v. 5 Patch Management: Factors for Success
A Presentation By: EnergySec, FoxGuard Solutions, NRG

It's Interactive
Please submit your questions through the control panel to get answers LIVE from our panelists.

It's Hip to Chat
EnergySec is hosting an online chat to accompany this webinar which is open to all registered EnergySec Community participants. To join the chat as a guest, visit: https://hipchat.energysec.org/geuq1qmni
If you have a HipChat account already, join us in the room.
Note: Registered users have access to the chat history, file attachments, and links.

Agenda
- Introductions
- CIP-007-5 Requirements
- Need
- Challenges
- Understanding Patch and Update Management
- Customer Insight
- Q&A

Meet Your Panelists
- Karl Perman, VP, Services, EnergySec
- Monta Elkins, Security Architect, FoxGuard Solutions
- Larry Snow, NERC CIP Manager/East and Midwest, NRG

CIP-007-5 - SECURITY PATCH MANAGEMENT

CIP-007-5 Part 2.1
High Impact BES Cyber Systems and their associated: EACMS, PACS, PCA
Medium Impact BES Cyber Systems and their associated: EACMS, PACS, PCA
A patch management process for tracking, evaluating, and installing cyber security patches for applicable Cyber Assets. The tracking portion shall include the identification of a source or sources that the Responsible Entity tracks for the release of cyber security patches for applicable Cyber Assets that are updateable and for which a patching source exists.

CIP-007-5 Part 2.2
High Impact BES Cyber Systems and their associated: EACMS, PACS, PCA
Medium Impact BES Cyber Systems and their associated: EACMS, PACS, PCA
At least once every 35 calendar days, evaluate security patches for applicability that have been released since the last evaluation from the source or sources identified in Part 2.1.

CIP-007-5 Part 2.3
High Impact BES Cyber Systems and their associated: EACMS, PACS, PCA
Medium Impact BES Cyber Systems and their associated: EACMS, PACS, PCA
For applicable patches identified in Part 2.2, within 35 calendar days of the evaluation completion, take one of the following actions:
- Apply the applicable patches; or
- Create a dated mitigation plan; or
- Revise an existing mitigation plan.
Mitigation plans shall include the Responsible Entity's planned actions to mitigate the vulnerabilities addressed by each security patch and a timeframe to complete these mitigations.

CIP-007-5 Part 2.4
High Impact BES Cyber Systems and their associated: EACMS, PACS, PCA
Medium Impact BES Cyber Systems and their associated: EACMS, PACS, PCA
For each mitigation plan created or revised in Part 2.3, implement the plan within the timeframe specified in the plan, unless a revision to the plan or an extension to the timeframe specified in Part 2.3 is approved by the CIP Senior Manager or delegate.

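The timing rules quoted in Parts 2.2 through 2.4 above can be checked mechanically against a patch log. The following is an added example, not part of the original presentation; the record layout, field names, patch IDs and dates are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

WINDOW = timedelta(days=35)  # the "35 calendar days" of Parts 2.2 and 2.3

@dataclass
class PatchRecord:  # hypothetical record layout, assumed for this example
    patch_id: str
    evaluated: date                      # Part 2.2 evaluation completion
    applied: Optional[date] = None       # Part 2.3: patch applied
    plan_dated: Optional[date] = None    # Part 2.3: plan created or revised
    plan_due: Optional[date] = None      # timeframe stated in the plan
    plan_done: Optional[date] = None     # Part 2.4: plan implemented
    extension_to: Optional[date] = None  # approved by CIP Senior Manager/delegate

def evaluation_gaps(eval_dates):
    """Part 2.2: consecutive evaluations more than 35 calendar days apart."""
    ds = sorted(eval_dates)
    return [(a, b) for a, b in zip(ds, ds[1:]) if b - a > WINDOW]

def findings(rec, today):
    """Timing findings for one applicable patch (Parts 2.3 and 2.4)."""
    out = []
    deadline = rec.evaluated + WINDOW
    action = min((d for d in (rec.applied, rec.plan_dated) if d), default=None)
    if action is None and today > deadline:
        out.append(f"{rec.patch_id}: no action by {deadline} (2.3)")
    elif action is not None and action > deadline:
        out.append(f"{rec.patch_id}: action {action} after {deadline} (2.3)")
    if rec.plan_dated:
        if rec.plan_due is None:
            out.append(f"{rec.patch_id}: plan lacks a timeframe (2.3)")
        else:
            due = max(rec.plan_due, rec.extension_to or rec.plan_due)
            if (rec.plan_done or today) > due:
                out.append(f"{rec.patch_id}: plan not implemented by {due} (2.4)")
    return out

# Constructed sample data, not taken from any real asset inventory.
EVALS = [date(2016, 1, 4), date(2016, 2, 8), date(2016, 3, 20)]
RECORDS = [
    PatchRecord("P-1", date(2016, 2, 8), applied=date(2016, 3, 1)),
    PatchRecord("P-2", date(2016, 2, 8), plan_dated=date(2016, 3, 20), plan_due=date(2016, 6, 30)),
    PatchRecord("P-3", date(2016, 2, 8), plan_dated=date(2016, 3, 10), plan_due=date(2016, 3, 31),
                plan_done=date(2016, 4, 15), extension_to=date(2016, 4, 30)),
    PatchRecord("P-4", date(2016, 2, 8)),
]
if __name__ == "__main__":
    print(evaluation_gaps(EVALS), [findings(r, date(2016, 4, 1)) for r in RECORDS])
```

In the sample, the first two evaluations are exactly 35 days apart and pass, while the third falls outside the window; P-3 passes only because of its approved extension.
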
Why the need for a patch management program?
Know, track, and mitigate the known software vulnerabilities associated with BES Cyber Assets.
The intention is to be aware of all known vulnerabilities in a timely manner and to manage them, not to install every security patch (SDT intent).

Challenges
- What is a cyber security patch?
- Who can be a source?
- When does the assessment timeframe clock start?
- When to patch and when to mitigate?

Understanding Patch & Update Management

Monta Elkins is the Security Architect for FoxGuard Solutions, the nation's leading ICS patch provider. A security researcher and consultant, he was formerly Security Architect for Rackspace, and the first ISO for Radford University. He has been a speaker at DEFCON, Homeland Security's ICSJWG (Industrial Control Systems Joint Working Group), EnergySec's Security Summit, VASCAN, GE Digital Energy's Annual Software Summit, Educause Security Professionals Conference, Toshiba's Industrial Control System's Conference and other security conferences. Monta is the author and instructor of the Defense against the Dark Arts hands-on, hacker tools and techniques classes. He also teaches rapid prototyping and Arduino classes with Let's Code Blacksburg.
Monta Elkins, Security Architect, FoxGuard Solutions

WHAT IS A PATCH?
PATCH, UPDATE, UPGRADE, FIRMWARE, ENHANCEMENT, SERVICE BULLETIN
- Feature Enhancements And / Or Security Patches
- Focus Is On The Security Patches, As These Address Vulnerabilities To Their Company (Not To Mention The Compliance Requirements)

SOURCE? WHY WE CARE
The Source Of A Patch May Be:
- Product/Software Vendor
- SCADA Vendor
- Aggregated Resource Of Patches From A Variety Of Vendors
- NERC RFI

PATCHING CHALLENGES
Current Patching Challenges
- NERC CIP-007-5
- Wide Variety Of Sources
- LARGE Documentation Effort
- Patching Restrictions (Warranty Issues)
- Timing Constraints
- Lots Of Specialized Equipment
- Patching Even One Substation Is A Large Effort!

DEVICES & APPLICATIONS SUPPORTED
- OPERATING SYSTEMS
- 3RD PARTY APPLICATIONS
- SUPPORTED ASSETS
- NETWORK DEVICES
- FIELD DEVICES

STAGES OF PATCH MANAGEMENT
1. ASSET IDENTIFICATION & BASELINE
2. AVAILABILITY
3. APPLICABILITY
4. ACQUISITION
5. VALIDATION
6. DEPLOYMENT

BENEFITS OF AGGREGATOR
- Patch Security Information
- Is This A Security Related Patch
- Are There Related CERT Notices, CVEs
- Allow Multiple Customer Accounts With Access Control To Support Large Organizations (e.g.)
- Compliance Manager Role
- Implementation Engineer Role
- Compliance Support Documentation
- e.g. CIP Requires Documenting Patch Sources For Cyber Assets And Evaluating Available Patches Every 35 Days
- Positive Notification
- Notification For Each Device On A Regular Schedule
- Notification Of Negative Change

PATCH & UPDATE MANAGEMENT PROGRAM
Co-operative Agreement with the Department of Energy
- Patch & Update Data Aggregator, Web Portal Service
- Patch & Update Authentication / Hashing
- Validation Techniques & Methodologies
- Scanning & Patch Deployment Engine

CUSTOMER INSIGHT
Larry Snow has been in the power generation business for 32 years. He has spent many years as a Controls Engineer. Larry has also been involved in NERC-CIP since 2008 and is currently the NERC-CIP Manager for NRG East & Midwest Regions.
Larry Snow, NERC-CIP Manager, NRG East & Midwest Regions

THE NRG PERSPECTIVE
- The Patching Burden
- How Did We Reduce This Burden?
- How We Saved Time And Effort
The company, product and service names used in this presentation are for identification purposes only. All trademarks and registered trademarks are the property of their respective owners.

GROUP DISCUSSION
- The Question & Answers Session
- FoxGuard Can Help Meet Your Compliance Needs. Ask Us How.
Points To Remember
- Comprehensive Patch Management Solutions
- Over 10 Years Of Patching Expertise In The Energy Industry
- Long History Of Program Management
- Our Company Is Designed To Be An Extension Of Yours

CONTACT INFORMATION
HEADQUARTER: 2285 Prospect Drive, Christiansburg VA 24073
WEBSITE:
TELEPHONE: 877.446.4732
EMAIL: requestinfo@foxguardsolutions.com
LINKEDIN: www.linkedin.com/company/717871
TWITTER: twitter.com/foxguardinc