GE Oil & Gas. Cyber Security for NERC CIP Versions 5 & 6 Compliance


Contents

Cyber Security for NERC CIP Compliance
Sabotage Reporting
Security Management Controls
Personnel & Training
Electronic Security Perimeters
Physical Security of BES Cyber Systems
System Security Management
Recovery Plans for BES Cyber Systems
Configuration Change Management & Vulnerability Assessments
Information Protection

GE Proprietary Information: This document contains proprietary information of the General Electric Company and may not be used for purposes other than that for which it was originally furnished except with written permission of GE Oil & Gas. Copyright 2016 General Electric Company. All rights reserved.


Cyber Security for NERC CIP Versions 5 & 6 Compliance

Many U.S. electric utilities are now federally mandated to comply with NERC CIP requirements that dictate industrial security and remediation technology. Version 6 requires compliance by July 2016 (high and medium impact BES) or July 2017 (low impact BES). Adapting operations to these regulations means accounting for the difficulty of patching industrial controls and the frequent attacks on the equipment. In addition, customers need to address known ICS vulnerabilities without disrupting operations. Because of these factors, electric utilities require a solution that is easy to implement and provides visibility into the industrial network and compliance.

As a vendor of industrial controls, GE embraces its responsibilities to assist critical infrastructure owners as they improve their security postures and support compliance efforts related to GE-provided equipment throughout the 10 to 20 year lifecycle of the control system itself. Together with Wurldtech Security Technologies, GE is able to offer security support that spans from initial system design to commissioning, all the way through ongoing support and maintenance.

GE offers professional security services and operational technology (OT) security solutions designed and tested for the industrial controls environment. Our trained Operational Technology Security professionals can provide support in areas including design, assessments, policy development and training.

Built to support best practices in security and facilitate more efficient compliance with NERC CIP 5 & 6, GE's Cyber Asset Protection (CAP) Software Update Subscription and SecurityST appliance provide centralized patch management, anti-virus/host intrusion detection updates, centralized account management, logging and event management, intrusion detection, whitelisting and automated backup.
OpShield is purpose-built technology to mitigate known industrial vulnerabilities, providing easy-to-apply controls network zoning and improved visualization of the Electronic Security Perimeter.

Figure: Controls Security Lifecycle

SECURITY DESIGN (Security Services): Best Practice specifications; Reference Architecture; Inventory, ESP + PSP drawing

SECURITY TRAINING (Security Services): General ICS security awareness training; Program implementer training

ASSESS CONTROLS (Security Services): Create / review policy; Gap Assessments; Cyber Vulnerability Assessments (CVA)

MAINTENANCE
Cyber Asset Protection: Subscription of qualified and tested patches and signature updates; Updated patch applicability reporting; System Design, Reliability and Configuration Baseline Documentation
Change Control Services: Ports & services, applications & protocols; Equipment changes; Decommission plan

SecurityST: Firewall/Network intrusion detection defining the ESP; Access Management; Centralized Patch Management; Security Information & Event Management (SIEM); Automated Back-up & Recovery

OpShield: Network Segmentation, defining the ESP; Intrusion Prevention System (IPS); Protocol Inspection Engine; Management Console; Threat Intelligence

Security Factory Acceptance Testing (FAT): Multi vendor testing

The following matrix provides more details on GE's recommended solutions and software to support security best practices and facilitate NERC CIP compliance efforts for Mark VIe and EX2100e control families.

NERC CIP V5 & 6 Standards: GE Support for Security and Compliance

Sabotage Reporting (CIP-001-5)

GE's Incident Response policy and procedure includes 3rd party researchers, ICS-CERT, and GE's internal Product Security Incident Response Team (PSIRT). Throughout the controls lifecycle, GE customers receive Technical Instruction Letters that detail known vulnerabilities and associated remediation/mitigation.

The Security Incident Event Management (SIEM) system centralizes and correlates cyber security event data. This reporting can be used to support forensics and event reporting.

Security Management Controls (CIP-003-6 R2)

As the scope of the NERC CIP standards expands to include Low Impact BES Cyber Assets, GE is ready to assist. Many of our solutions available for high and medium impact BES cyber assets apply to low impact assets, including:
- Training for cyber security awareness
- Hardware enclosure options for physical security
- Electronic Access Point solutions for Electronic Access Controls
- Factory Acceptance Testing and commissioning procedures for incident response

Personnel & Training (CIP-004-6 R1-R5)

Wurldtech has a comprehensive portfolio of security training courses for critical infrastructure and Industrial Control Systems (ICS). The training is developed and delivered by Wurldtech's security experts, people who analyze and implement real-world security solutions at operating facilities. They bring vast experience, examples and stories to provide applicable, actionable instruction.

Service engineers supporting your operation receive routine NERC CIP training and background checks before accessing your site's controls.
Electronic Security Perimeter (CIP-005-5 R1-R2)

GE's Electronic Access Point (EAP) solutions support technical and procedural mechanisms for control of electronic access to the Electronic Security Perimeter.
- Operationally validate router and switch configurations
- Unified Threat Management firewalls protect against IT vulnerabilities
- OT protocol aware firewalls support operational zones, reinforcing permitted commands between zones and access points
- Network Intrusion Detection Systems inspect inbound and outbound traffic as well as capture baseline traffic
- Application whitelisting to protect computers from harmful applications

Physical Security of BES Cyber Systems (CIP-006-6 R1)

Hardware options include a secure physical network rack. This rack can include a key lock and/or keycard access, including electronic contact switches alerting security personnel when the rack is opened.

Secure and documented Chain of Custody in development and throughout the lifecycle, including ongoing delivery of cyber security updates. These updates are transmitted to site via secure sealed shipping envelope. In addition, the CD/DVD includes a hash file to validate the CD/DVD contents have not been altered.

System Security Management (CIP-007-6 R1-R5)

- GE provides and maintains a list of required listening ports and services.
- GE provides hardened switch and HMI configurations to disable unused ports and services.

Through GE's CAP subscription service, the Responsible Entity receives a complete Baseline Configuration Report for all items in our scope of supply. Each month any baseline configuration changes (for example, by security update) are reported to the Responsible Entity.

The CAP Program includes:
- Monthly validated patch lists, including any workarounds
- System Design, Reliability, and Configuration Baseline Documentation
- When applicable, Cyber Security Technical Information Letter (TIL)
- Review of impacts to Ports and Services
- CAP Security Subscription validated testing procedures certificate
- Patch applicability reporting showing impact, and vulnerability assessment procedures

CAP includes ongoing monthly updates for Malicious Code Preventions including Antivirus, Operating System updates, Host Intrusion Detection and Network Intrusion Detection signatures and switch updates. All updates are tested in a representative controls environment.

OpShield provides protection profile updates that include IDS/IPS signatures for vulnerabilities.

SIEM provides real-time capability that centrally alerts, logs and detects cyber security events, allowing operators to monitor unauthorized activity.

Access controls are managed through SecurityST's centralized Role Based Access Control. GE supports individual accounts in all of our controls applications. All passwords are changed from defaults and handed over to the Responsible Entity. GE supports complete NERC password parameter requirements including: length, complexity, required password changes, limits to unsuccessful authentication attempts and setting attempt thresholds.
Access controls are centrally applied to GE HMIs, routers, switches, firewalls, Network Intrusion Detection Systems and our latest controllers.

The SecurityST Appliance includes a Certificate Authority Server (CAS) for two-factor operator authentication between GE Controllers (with ControlST 4.7 or greater) and the GE HMIs. The CAS puts GE controllers in Secure Mode, maintaining session authenticity between GE provided controllers and the Authenticated User on domain controlled HMIs. When in secure mode, all controller access is encrypted. This enables only users with the necessary certificate on authorized HMIs to access the controller.

The SecurityST Appliance includes a password management program that extends Microsoft Active Directory capabilities and supports NERC CIP compliant password configuration.

Recovery Plans for BES Cyber Systems (CIP-009-6 R1-R2)

Backup/recovery support through SecurityST and associated network topology:
- Centralized dashboard for backup and recovery includes backup status, recovery tasks and alerts for backup errors.
- Redundant set of MS Active Directory Domain Controllers includes one as a virtual machine and the other as a physical instance. If the primary or backup domain controller were to fail, the other instance would continue to authenticate authorized users.
- Use of Virtual Machines (VM) supports expedited backup and recovery when backups are executed per best practice.
- GE Latest Network Design includes complete redundant information flows through redundant ethernet and fiber cabling and hardware. All HMIs and controllers support redundant network connections.
- Centralized configuration backup and restoration of network devices includes alerting via SIEM when switch configurations change.
- Switches include stacking technology enabling a stacked pair to act as one switch, providing local built-in failover and recovery in the event of a switch failure. An unconfigured switch can be used to replace a failed switch in the stack, automatically uploading the running configuration from the surviving switch.
- GE switch configuration includes enhanced Quality of Service ensuring controls traffic (GE Unit Data Highway) has the highest priority.

Configuration Change Management & Vulnerability Assessments (CIP-010-2 R1, R3)

GE's CAP software update subscription supports patch change management compliance documentation by generating a report that shows the following:
- Listing of applicable updates to your system
- Status of the update (applied or missing)
- Updated reference information, including patch number, bulletin ID and bulletin title
- US Computer Emergency Readiness Team (US CERT) level of severity associated with update
- Time required to apply update in the representative operational test environment and whether or not a reboot is required

OpShield can monitor or block OT-specific protocols and commands not included in the baseline configuration, which will issue an alert to the SIEM.

GE provides several options with regard to Paper and Active Vulnerability Assessments:
- Wurldtech provides expertise needed to perform a NERC CIP Vulnerability Assessment at the Responsible Entity site. Wurldtech follows a proven methodology tailored to industrial control, automation and other real-time systems. The result is a comprehensive assessment providing actionable deliverables that will enable the Responsible Entity to mitigate immediate risks, while developing and implementing an effective long-term security strategy that will improve the overall security posture.
- Performing an Active Vulnerability Assessment during Factory Acceptance Testing (FAT), before commissioning to Responsible Entity. Includes network discovery, port and service identification, vulnerability identification and remediation.

Included with the CAP monthly patch and signature updates is an applicability report that shows which updates are applicable, their status (applied or unapplied), the severity ranking of the vulnerability and the time the update took to apply in a test environment.
The CAP program also provides the Responsible Entity a paper listing of ports and services identification.

Information Protection (CIP-011-2 R1-R2)

During the Secure Factory Acceptance Test (FAT), GE can provide the Responsible Entity complete information flows enforcement: the identification of the security of each information flow, why it is permitted or denied, including the configuration of flow enforcement policies via firewalls, switches and routers.

During and after commissioning, GE uses a trusted delivery path with tamper evident seals on all packaging. After commissioning, the CAP Update Subscription Program includes tamper evident seals and an encrypted hash file. The hash file is used by the Responsible Entity to validate that the CD/DVD electronic contents are unaltered.


For more information please contact:

GE Oil & Gas Digital Solutions
North America: 1-888-943-2272; 1-540-387-8726
Latin America (Brazil): +55-11-3958-0098
Europe (France): +33-2-72-249901
Asia/China (Singapore): +65-6622 1623
Africa/India/Middle East (U.A.E.): +971-2-699 7119
Email: ControlsConnect@ge.com
Customer Portal: ge-controlsconnect.com

1800 Nelson Road
Longmont, CO, USA 80501
http://www.gemeasurement.com

*Denotes a trademark of the General Electric Company. Copyright 2016 General Electric Company. All rights reserved. GER4727 06/2016