Virtualization and NERC-CIP Presented by: Cisco Systems Inc., Deloitte & Touche LLP, NIPSCO

Similar documents
Extending Security Analytics to support Operational Efficiency. John A. Greco Deloitte & Touche LLP Cyber Risk Services

Simplify IT. With Cisco Application Centric Infrastructure. Roberto Barrera VERSION May, 2015

6422: Implementing and Managing Windows Server 2008 Hyper-V (3 Days)

Implementing and Managing Windows Server 2008 Hyper-V

Mitigating Information Security Risks of Virtualization Technologies

Virtualization, SDN and NFV

Cloud computing and SAP

NERC CIP VERSION 5 COMPLIANCE

Cisco Unified Network Services: Overcome Obstacles to Cloud-Ready Deployments

A Look at the New Converged Data Center

White Paper. Juniper Networks. Enabling Businesses to Deploy Virtualized Data Center Environments. Copyright 2013, Juniper Networks, Inc.

M6422A Implementing and Managing Windows Server 2008 Hyper-V

Software Defined Environments

Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard

STRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview

Cisco Virtual Wide Area Application Services: Technical Overview

Remote Voting Conference

How To Build A Software Defined Data Center

Big data The three-minute guide

Simplify IT. With Cisco Application Centric Infrastructure. Barry Huang Nov 13, 2014

Cyber Security Compliance (NERC CIP V5)

NCOE whitepaper Master Data Deployment and Management in a Global ERP Implementation

EMC Integrated Infrastructure for VMware

The Advantages of Cloud Services

Overcoming Security Challenges to Virtualize Internet-facing Applications

Identity & Access Management The Cloud Perspective. Andrea Themistou 08 October 2015

Federated Application Centric Infrastructure (ACI) Fabrics for Dual Data Center Deployments

Use Case Brief BUILDING A PRIVATE CLOUD PROVIDING PUBLIC CLOUD FUNCTIONALITY WITHIN THE SAFETY OF YOUR ORGANIZATION

Verve Security Center

The Virtualization Practice

REMOVING THE BARRIERS FOR DATA CENTRE AUTOMATION

Course Syllabus. Implementing and Managing Windows Server 2008 Hyper-V. Key Data. Audience. At Course Completion. Prerequisites

Netzwerkvirtualisierung? Aber mit Sicherheit!

Benefits of virtualizing your network

Network Access Control in Virtual Environments. Technical Note

Third Party Security: Are your vendors compromising the security of your Agency?

Does your Citrix or Terminal Server environment have an Achilles heel?

Data Center Networking Managing a Virtualized Environment

SINGLE-TOUCH ORCHESTRATION FOR PROVISIONING, END-TO-END VISIBILITY AND MORE CONTROL IN THE DATA CENTER

Software defined networking. Your path to an agile hybrid cloud network

VMware vcloud Networking and Security Overview

Auto insurance telematics The three-minute guide

REDCENTRIC INFRASTRUCTURE AS A SERVICE SERVICE DEFINITION

Microsoft Windows Server 2008: MS-6422 Implementing and Managing Hyper V Virtualization 6422

Software-Defined Networks Powered by VellOS

Outline SSS Microsoft Windows Server 2008 Hyper-V Virtualization

MS-6422A - Implement and Manage Microsoft Windows Server Hyper-V

Asset Management in the Cloud How to identify and manage Cloud based assets and services. September 19, 2014

Best Practices for Monitoring Databases on VMware. Dean Richards Senior DBA, Confio Software

How Customers Are Cutting Costs and Building Value with Microsoft Virtualization

Securing Virtual Applications and Servers

Understanding Virtualization and Cloud in the Enterprise

Virtualization System Security

Remote PC Guide Series - Volume 1

The Future of Computing Cisco Unified Computing System. Markus Kunstmann Channels Systems Engineer

Enterprise Cloud Services

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

המרכז ללימודי חוץ המכללה האקדמית ספיר. ד.נ חוף אשקלון טל' פקס בשיתוף עם מכללת הנגב ע"ש ספיר

Business Case for Open Data Center Architecture in Enterprise Private Cloud

Redesigning automation network security

GE Measurement & Control. Top 10 Cyber Vulnerabilities for Control Systems

TRANSFORMATION OPPORTUNITIES WITH THE ALCATEL-LUCENT OPENTOUCH SUITE OPTIMIZING CONVERSATION DELIVERY OVER CENTRALIZED COMMUNICATIONS NETWORKS

Lab Developing ACLs to Implement Firewall Rule Sets

Cisco and VMware Virtualization Planning and Design Service

Next Gen Data Center. KwaiSeng Consulting Systems Engineer

EVOLVED DATA CENTER ARCHITECTURE

Network Virtualization

Virtualization and Cloud Computing

ALCATEL-LUCENT ENTERPRISE DATA CENTER SWITCHING SOLUTION Automation for the next-generation data center

Simplified Private Cloud Management

BladeLogic Software-as-a- Service (SaaS) Solution. Help reduce operating cost, improve security compliance, strengthen cybersecurity posture

Accelerate Your Enterprise Private Cloud Initiative

Cybersecurity The role of Internal Audit

Securely Architecting the Internal Cloud. Rob Randell, CISSP Senior Security and Compliance Specialist VMware, Inc.

CA Virtual Assurance/ Systems Performance for IM r12 DACHSUG 2011

Why is a good idea to use OpenNebula in your VMware Infrastructure?

Zentera Cloud Federation Network for Hybrid Computing

Monitoring & Measuring: Wi-Fi as a Service

Global Headquarters: 5 Speen Street Framingham, MA USA P F

Analytics for Shared Services The three-minute guide

Service Orchestration: The Key to the Evolution of the Virtual Data Center

Private cloud computing

Managing Cloud Infrastructure

Secure Multi Tenancy In the Cloud. Boris Strongin VP Engineering and Co-founder, Hytrust Inc.

MANAGEMENT AND ORCHESTRATION WORKFLOW AUTOMATION FOR VBLOCK INFRASTRUCTURE PLATFORMS

Network Configuration Management

Virtual Machine in Data Center Switches Huawei Virtual System

Network Virtualization Solutions - A Practical Solution

Simplifying. Single view, single tool virtual machine mobility management in an application fluent data center network

VM-Series for VMware. PALO ALTO NETWORKS: VM-Series for VMware

Leveraging SDN and NFV in the WAN

GE Oil & Gas. Cyber Security for NERC CIP Versions 5 & 6 Compliance

Transcription:

Virtualization and NERC-CIP Presented by: Cisco Systems Inc., Deloitte & Touche LLP, NIPSCO utc.org

UTC is a global trade association dedicated to serving critical infrastructure providers, such as electric, gas and water utilities. Through advocacy, education and collaboration, UTC creates a favorable business, regulatory and technology environment for our members who own or operate Information and Communication Technology (ICT) systems in support of their core business. utc.org

Virtualization and NERC-CIP

Agenda Introduction - UTC Value of Virtualization Cisco Virtualization and NERC-CIP Deloitte Virtualization Applied NIPSCO Q&A - Panel

Session Participants Moderator Bob Lockhart VP, Cybersecurity, Technology, and Research UTC. Panelists Tom Alrich Manager Cyber Risk Services Deloitte & Touche, LLP Joe Andrews Manager Cyber Risk Services Deloitte & Touche, LLP John Reno IoT Product and Solutions Marketing Cisco Systems, Inc. Steven Sumichrast Lead System Engineer NIPSCO

The Value of Virtualization

Virtualization Scope Physical Compute Agility Virtual Management Unified Data Center Network Efficiency Cloud Storage Security Simplicity

Cisco Experience Status Quo Architect Design Where Can We Put It? Procure Install Configure Secure Is It Ready? Manual

Design to Production Now: From Weeks To Minutes Architect Design Automated Self-Service Provisioning Capacity On-Demand Policy-Based Provisioning Built-In Governance

Cisco Digital Network Architecture Network-enabled Applications Cloud Service Management Policy Orchestration Open APIs Developers Environment Automation Analytics Insights & Experience Automation & Assurance Security & Compliance Abstraction & Policy Control from Core to Edge Network Data, Contextual Insights Open & Programmable Standards-Based Virtualization Compute Network Storage Cloud-enabled Software-delivered Faster Innovation Reduce Costs & Complexity Lower Risk

Utility Customer Example Operational Efficiency Challenge Lower cost in operations and infrastructure, especially for remote locations Slow and expensive service rollout that requires service calls Solution One standard platform for all locations Services: Routing, Firewall, Wireless LAN Controller, WAN Optimization Benefits Lower cost by utilizing x86 servers with Cisco NFVIS Keep current operational standards with best-of-breed services Agile service deployment and monitoring with Cisco ESA

Virtualization and NERC CIP Tom Alrich and Joe Andrews Deloitte & Touche LLP

Introduction Virtualization provides a lot of benefits. But CIP is silent on it. Is it allowed? Not allowed? Can you do it at all? If you can, can you also remain compliant? Many NERC entities have decided not to virtualize. But some have gone ahead anyway.. Copyright 2016 Deloitte Development LLC. All rights reserved.

A fundamental problem Cyber Assets are Programmable electronic devices! VMs aren t devices. Can you virtualize without worrying about CIP? No. So do you treat all VMs as BES Cyber Systems? Leads to other problems. Then maybe we should forget about virtualization! This solves the CIP problem, but Copyright 2016 Deloitte Development LLC. All rights reserved.

What is a solution? A solution is to rewrite CIP! The SDT is on the case, but Meanwhile, back at the ranch. How is the NERC ERO approaching virtualization? Here s Joe! Copyright 2016 Deloitte Development LLC. All rights reserved.

NERC ERO initial concerns & discussions Mixed trust environments o Managing VM Cyber Assets (disparate trust levels) o Mixed trust authentication For layered virtual architectures o Applicable Standards (i.e., CIP-002, 005, 007, 010, & CIP-011) o Enforcement of logging? o Enforcement of monitoring? o Enforcement of access controls? o Baseline snapshots (previous state VM instances) Copyright 2016 Deloitte Development LLC. All rights reserved.

Audit approach regarding virtualization Virtualization is allowed (with important caveats!) o No mixed-trust environments Medium & High BES Cyber Assets cannot coexist o High watermark concept enforced Lowest impact rated Cyber Asset inherits highest rating o Host (hypervisor) and VM Cyber Assets protection o All VMs, including Host (hypervisor) should be inventoried Copyright 2016 Deloitte Development LLC. All rights reserved.

Successful virtualization adoption recommendations Don t be deterred ERO actually supports innovation Work closely with virtualization vendor support Communicate compliance concerns and requirements Ensure your compliance staff are involved Incorporate best practice virtualization security controls Inform the ERO ahead of time Copyright 2016 Deloitte Development LLC. All rights reserved.

Copyright 2016 Deloitte Development LLC. All rights reserved.

Contact Us Steve Livingston Principal, Cyber Risk Services Deloitte & Touche LLP +1 206 716 7539 slivingston@deloitte.com Tom Alrich Manager, Cyber Risk Services Deloitte & Touche LLP +1 312 515 8996 talrich@deloitte.com Joe Andrews Manager, Cyber Risk Services Deloitte & Touche LLP +1 248 231 5926 joeandrews@deloitte.com Copyright 2016 Deloitte Development LLC. All rights reserved.

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation. About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ( DTTL ), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as Deloitte Global ) does not provide services to clients. Please see www.deloitte.com/about for a detailed description of DTTL and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting. Copyright 2016 Deloitte Development LLC. All rights reserved.

Planning, Planning, Planning Virtualization team may not be same team operating BU applications. Work with BU to understand the applications. Design requirements for CIP clusters may not fit the normal virtualization mold. Primary driving factor is operational and security benefits. Consolidation great; not the primary driver, though. Consider operational cost efficiencies. Backup, Change Control, security controls for CIP-005/CIP-007.

Know Your Environment Baseline the performance of the environments. Baseline the configuration of the environments. Diagrams are key for discussion points. Single line diagrams for logical network topologies. Component diagrams for physical topologies. Involve Network & Security teams. They need to know what to expect from hypervisor traffic (storage, virtual machine migrations, etc).

Consider everything Management consoles must be at least considered for CIP-002 inclusion. Often provide interactive remote access that cannot be restricted by IP Address sources. Two factor considerations for management consoles listed as EACMS w/ Interactive Remote Access. Follow vendor best practices. Individualized Access. Log Everything centrally. Use Hardware monitoring to control unauthorized changes (TPMs).

Secure it! Follow vendor best practices. Isolate all hypervisor management ports. VM escape technologies all rely on exploitation of hypervisor. Minimize keys to the kingdom Only let key personnel have access to hypervisors. Least privilege is key, not only for CIP but for your security sanity! Not everyone needs access to the Hypervisor. Use Layer 2 VLANs to protect networks for the infrastructure; don t be tempted to add that SVI keep the networks islanded within your ESP infrastructure. Use automation tools to help with CIP-010. Scripted tasks to snapshot; increase or decrease capacity; block changes to network or hosts settings.

Test it! SCADA applications are old; they do not always get along with the new kid on the block. Make sure technologies in use do not cause operational issues. Live migrations (e.g. VMware vmotion) often introduce VM stun operations. Stuns may cause clocks to jump forward. Be mean to the environment. Pull cables; Introduce disk latency; introduce network latency; do things you d never do in production. Know what s going to happen before it hits production floor.

Defend it! Be prepared for ERO to ask for evidence showing where the VMs live. Strongly advise mapping VMs to Clusters, and Clusters to Hosts. Develop scripts that generate audit-ready evidence for the audit team to prove your High Impact VMs are stuck on High Impact hypervisors. Use vendor-provided tools to check the configuration of hosts frequently. Log everything including the management console events. Know your virtualization technology inside and out. Knowing your version numbers or where configuration is in the GUI is great; know how that vendor is controlling module loading, what traffic to expect, how does that live migration technology actually work. Confidence portrayed in knowing not only your system but the technology is incredibly important.

Questions? utc.org

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information