NERC CIP Substation Cyber Security Update. John M Shaw Presentation to UTC Region 7 February 19, 2009 jshaw@garrettcom.com




It's February 19, 2009: 132 project days left to compliance.
Do you know where (what) your Critical Cyber Assets are?

Electricity Sector Threat Advisory Levels
- Physical: Significant Risk of Terrorist Attacks
- Cyber: Significant Risk of Terrorist Attacks
- July 1, 2009 CIP compliance deadline approaching
- NERC audits and enforcement actions underway
- CIP (now) applies to Bulk Transmission System
  - Transmission substations and control centers
- Utility implementation activity accelerating

Approaches to NERC CIP
A. Avoidance
B. Basic Compliance
C. Best Practices: Cyber Champions

The Cyber Security Compliance Opportunity
- User productivity
- Network flexibility for new applications
- Network reliability
- Network and systems management
- And security compliance

NERC CIP Avoidance
- Nothing critical today
  - Not part of bulk transmission system
- Nothing cyber today
  - No networked (cyber) assets involved with critical assets
  - No dial-up or IP routed connections
- Disconnect networks to remove cyber
- Network, but avoid Routable IP (cyber)

Non-routable CIP-002 Exemption
[Diagram labels: Security perimeter; SCADA Master; Central Control Site; Modem Bank; Non-routable Serial Communications; Private or Leased Analog Circuits; No CCAs; Modems; Serial Devices; Distributed Substations]

Non-routable CIP-002 Exemption
[Diagram labels: SCADA Master; Central Control Site; Security perimeter; Serial; FR/TDM Mux; Non-routable Serial Communications; Each connection is discrete PVC Digital circuit; Frame Relay / TDM Network; No CCAs. No cyber security perimeter.; Serial Devices; Distributed Substations]

NERC CIP Standards
CIP-002  Critical Cyber Asset Identification
CIP-003  Security Management Controls
CIP-004  Personnel and Training
CIP-005  Electronic Security Perimeters
CIP-006  Physical Security of Critical Cyber Assets
CIP-007  Systems Security Management
CIP-008  Incident Reporting and Response Planning
CIP-009  Recovery Plans for Critical Cyber Assets


Secure Access Manager
- Easy PC access to remote s from anywhere
- Centralized security management: user profiles, authentication, session logging, reporting
- Secure networking via many WAN technologies, including dial-up
[Diagram labels: Secure Access Manager; RSA; Digital Network: IP, TDM, FR, Fiber; PSTN; Devices at substations or other critical sites]

Easy-to-use Secure Access
- CrossBow Simple PC client
- Windows-like directory of authorized s
- Easy to organize, e.g., by location or type
- Friendly icons and descriptions
- Click through to access
- Transparent to routed or dial-up network
- One-time authentication to central server
- Individual password with central control
- Auto-launch local application for
- Easy to learn, update and use

Broad Device and Application Support
- Desktop, transparent access to almost any, from any target software application, e.g.: Hyperterm, SEL-5010, WinECP, URPC, DisplayStation, Polycom

Secure Access Manager Architecture
[Diagram labels: Intranet; Control Center; Engineering Access; Secure Access Manager; Internet; Router / FW; RSA; Modems; Digital Network: IP, TDM, FR, Fiber, Mwv, MPLS; PSTN; Communications Gateway; Port Switch; Substations or other Critical Sites]

Administrative Features
- Central CCA and user profile administration
- One-click NERC CIP reporting facility
  - Includes inventory and reporting of CIP assets and users
- Leverages existing corporate security procedures
  - Tie to Active Directory and/or RSA SecurID
- Comprehensive logging facilitates forensic analysis and gateway password management
- Network software updates and patch management

Distributed Architecture
Centralized:
- Profile administration
- Enterprise security integration
- Log consolidation
- Audits and reporting
- Device management
Distributed:
- User authentication/authorization
- Session communications path
- Session detail logging
[Diagram labels: Control Center; Engineering Access; Router / FW; RSA; Secure Access Manager; Digital Network: IP, MPLS, TDM, FR, Fiber; On-Site Access; Station Access Controller; Substations or other Critical Sites]

Elements of Utility Cyber Security
[Diagram labels: Enterprise Access; Control Center; 6-Wall Physical Security; Intranet; Partners/Remote Access; Internet; Firewalls; AVP; Network; AMS; CMS; IDS; Electronic Security Perimeter; Critical Substation; Substation; Non-critical Assets]
Legend:
- AVP: Anti-Virus Protection
- AMS: Access Mgt. System
- IDS: Intrusion Detection System
- CMS: Compliance Mgmt. Sys.

End-to-end Layers of Security
[Diagram labels: SSH / SSL; SSH / SSL Server; IP Network; IPsec VPN Tunnel; Stateful Firewall]

[Diagram labels: Intranet; Router / FW; Control Center; Engineering Access; Secure Access Manager; Internet; RSA; Modems; Secure IP-based WAN: IP, MPLS, TDM, FR, Ethernet, Fiber; PSTN; SAC; Port Switch; Substations or other Critical Sites]

Integrated WAN Access
[Diagram labels: Control Center; Remote Site; SCADA / EMS / DMS; Metering; DDS, T1/E1, Ethernet; WAN; IP, FR, TDM, Fiber-Ethernet; MPLS-based IP, IP/PPP; Remote Device Administration; Security: Surveillance and Access Control; Non-operational data collection]

The Unified WAN
- Shared network
- High speed
- Secure
- Flexible
- Easy to add applications
[Diagram labels: WAN: Fiber, TDM, FR, IP, MPLS-IP, Dial; 6K]

Ethernet-based Network Integration
[Diagram labels: Management systems and HMI; Remote Operations Centers; Acc; Video and access security; Ethernet Core; WAN Access; Substation Wide Area Network; Ethernet-based s; Serial based s and consoles; Station Bus]

Northeastern US Power Company
[Diagram labels: Control Center; Engineering Access; Secure Access Manager; Router / FW; RSA; Modems; IPsec VPN over Verizon MPLS Service w. DDS/T1; PSTN; Router/Fw; Rtr/Fw; SEL Comm. Processor; Dialup; Port Switch; Substations]

Northeastern US Power Company
[Diagram labels: Control Center; ID - SEM; SCADA; Engineering Access; Secure Access Manager; Back-up; Router / FW; RSA; Modems; IPsec VPN over Verizon MPLS Service w. DDS/T1; PSTN; Router/Fw; Rtr/Fw; Comm. Processor; Port Switch; Substations]

Mid-Atlantic Power Company
[Diagram labels: Control Center; Engineering Access; Secure Access Manager; Private SONET Fiber Network; Mux; Router / FW; RSA; Modems; PSTN; Router/Fw; Dial up; Port Switch; Substations]

Mid-Atlantic Power Company
[Diagram labels: Video Surveillance Center; Control Center; Engineering Access; Secure Access Manager; Back-up; Video Server; Mux; Router / FW; RSA; Modems; Private SONET Fiber Network; PSTN; Router/Fw; Eth Sw w POE; Port Switch; Video Surveillance; Substations]


Defense in Depth
- Critical Cyber Asset
- Malware screening (e.g., anti-virus)
- Intrusion Detection (pattern analysis)
- User Access Control (AAA and personal profiles)
- Personnel Screening
- Port Security (disabling physical and logical ports)
- Electronic Perimeter Security (firewall)
- Physical Security Perimeter
- Security process management
- Security configuration management
- Patch management

Futures in CIP
- More pervasive cyber security
- More specifics on security technologies
- More onerous patch management
- More Intrusion Detection / Intrusion Prevention
- Protocol-specific firewall / IDS technologies
- No end

Opportunities in CIP
- More automation not less
  - Simplify remote access and productivity
  - Add applications easily via modern infrastructure
- Modernized networks
  - Higher performance
  - More reliability
- Improved system and network management
  - More proactive requirements
  - Less reactive crises

The Cyber Security Compliance Opportunity: Become a Cyber Champion
