Cyber Security for NERC CIP Version 5 Compliance



Similar documents
GE Oil & Gas. Cyber Security for NERC CIP Versions 5 & 6 Compliance

GE Measurement & Control. Cyber Security for Industrial Controls

GE Measurement & Control. Cyber Security for NERC CIP Compliance

GE Measurement & Control. Cyber Security for NEI 08-09

GE Measurement & Control. Top 10 Cyber Vulnerabilities for Control Systems

How To Secure Your System From Cyber Attacks

TRIPWIRE NERC SOLUTION SUITE

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Ovation Security Center Data Sheet

NERC CIP VERSION 5 COMPLIANCE

NovaTech NERC CIP Compliance Document and Product Description Updated June 2015

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Ovation Security Center Data Sheet

North American Electric Reliability Corporation (NERC) Cyber Security Standard

Industrial Security Solutions

North American Electric Reliability Corporation: Critical Infrastructure Protection, Version 5 (NERC-CIP V5)

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

Cyber Security Compliance (NERC CIP V5)

Payment Card Industry Data Security Standard

Technology Solutions for NERC CIP Compliance June 25, 2015

Achieving PCI-Compliance through Cyberoam

PCI Requirements Coverage Summary Table

Summary of CIP Version 5 Standards

RuggedCom Solutions for

Verve Security Center

Critical Controls for Cyber Security.

NERC CIP Whitepaper How Endian Solutions Can Help With Compliance

Best Practices in ICS Security for System Operators. A Wurldtech White Paper

Industrial Security for Process Automation

LogRhythm and NERC CIP Compliance

LogRhythm and PCI Compliance

Supporting our customers with NERC CIP compliance. James McQuiggan, CISSP

Best Practices for PCI DSS V3.0 Network Security Compliance

Invensys Security Compliance Platform

CYBER SECURITY Is your Industrial Control System prepared? Presenter: Warwick Black Security Architect SCADA & MES Schneider-Electric

PCI Requirements Coverage Summary Table

Staying Secure After Microsoft Windows Server 2003 Reaches End of Life. Trevor Richmond, Sales Engineer Trend Micro

whitepaper 4 Best Practices for Building PCI DSS Compliant Networks

Completed. Document Name. NERC CIP Requirements CIP-002 Critical Cyber Asset Identification R1 Critical Asset Identifaction Method

Reclamation Manual Directives and Standards

Alcatel-Lucent Services

IT Security and OT Security. Understanding the Challenges

Retention & Destruction

Cybersecurity Health Check At A Glance

Lessons Learned CIP Reliability Standards

Protecting productivity with Plant Security Services

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

Simplify Your Network Security with All-In-One Unified Threat Management

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

SANS Top 20 Critical Controls for Effective Cyber Defense

Network Access Control in Virtual Environments. Technical Note

Document ID. Cyber security for substation automation products and systems

Alberta Reliability Standard Cyber Security System Security Management CIP-007-AB-5

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

Network/Cyber Security

Using Monitoring, Logging, and Alerting to Improve ICS Security ICSJWG 2015 Fall Meeting October 27, 2015

Joe Andrews, MsIA, CISSP-ISSEP, ISSAP, ISSMP, CISA, PSP Sr. Compliance Auditor Cyber Security

Critical Security Controls

NERC Cyber Security. Compliance Consulting. Services. HCL Governance, Risk & Compliance Practice

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

Today s Topics. Protect - Detect - Respond A Security-First Strategy. HCCA Compliance Institute April 27, Concepts.

Operational Continuity

Supplier Information Security Addendum for GE Restricted Data

State of Texas. TEX-AN Next Generation. NNI Plan

ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM)

Cisco Advanced Services for Network Security

Protecting Your Organisation from Targeted Cyber Intrusion

Information Shield Solution Matrix for CIP Security Standards

ABB Automation Days, Madrid, May 25 th and 26 th, Patrik Boo What do you need to know about cyber security?

The Comprehensive Guide to PCI Security Standards Compliance

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Assuria can help protectively monitor firewalls for PCI compliance. Assuria can also check the configurations of personal firewalls on host devices

Protecting the Palace: Cardholder Data Environments, PCI Standards and Wireless Security for Ecommerce Ecosystems

Seven Strategies to Defend ICSs

CYBER SECURITY. Is your Industrial Control System prepared?

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

SUPPLIER SECURITY STANDARD

74% 96 Action Items. Compliance

T46 - Integrated Architecture Tools for Securing Your Control System

Approved 12/14/11. FIREWALL POLICY INTERNAL USE ONLY Page 2

Olav Mo, Cyber Security Manager Oil, Gas & Chemicals, CASE: Implementation of Cyber Security for Yara Glomfjord

Security for. Industrial. Automation. Considering the PROFINET Security Guideline

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

PICO Compliance Audit - A Quick Guide to Virtualization

Security Policy for External Customers

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

Remote Services. Managing Open Systems with Remote Services

Windows Server 2003 End of Support. What does it mean? What are my options?

Building A Secure Microsoft Exchange Continuity Appliance

The Business Case for Security Information Management

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Transcription:

GE Measurement & Control Cyber Security for NERC CIP Version 5 Compliance imagination at work

Contents Cyber Security for NERC CIP Compliance... 5 Sabotage Reporting... 6 Security Management Controls... 6 Personnel & Training... 6 Electronic Security Perimeters... 6 Physical Security of BES Cyber Systems... 7 System Security Management... 7 Recovery Plans for BES Cyber Systems... 7 Configuration Change Management & Vulnerability Assessments... 8 Information Protection... 8 GE Proprietary Information: This document contains proprietary information of the General Electric Company and may not be used for purposes other than that for which it was originally furnished except with written permission of GE Oil & Gas. Copyright 2015 General Electric Company. All rights reserved.

Cyber Security for NERC CIP Version 5 Compliance Many U.S. electric utilities are now federally mandated to comply with NERC CIP requirements that dictate industrial security and remediation technology, including required compliance, by April 2016. To be considered in adapting operations to these regulations is the difficulty of patching industrial controls and the frequent attacks on the equipment. In addition, customers need to address known ICS vulnerabilities without disrupting operations. Because of these factors, electric utilities require a solution that is easy to implement and provides visibility into the industrial network and compliance. As a vendor of industrial controls, GE embraces its responsibilities to assist critical infrastructure owners as they improve their security postures and support compliance efforts related to GE-provided equipment throughout the 10 to 20 year lifecycle of the control system itself. Together with Wurldtech Security Technologies, GE is able to offer security support that spans from initial system design to commissioning, all the way through ongoing support and maintenance. GE offers professional security services and solutions designed and tested for the industrial controls environment. Wurldtech Security Technology s trained Operational Technology Security professionals can support in areas including design, assessments, policy development and training. Built to support best practices in security and facilitate more efficient compliance to NERC CIP 5, GE s Cyber Asset Protection (CAP) Software Update Subscription and Security ST appliance provide centralized patch management, anti-virus/host intrusion detection updates, centralized account management, logging and event management, intrusion detection, whitelisting and automated backup. The Achilles Industrial Next Gen Firewall (NGFW) is purpose-built technology to mitigate known industrial vulnerabilities between patching cycles, providing easy-to-apply controls network zoning and improved visualization of the Electronic Security Perimeter. SECURITY TRAINING Wurldtech Security Services General ICS security awareness training Program implementer training SECURITY TRAINING Wurldtech Security Services General ICS security awareness training Program implementer training MAINTENANCE SECURITY TRAINING Cyber Asset Protection SECURITY Wurldtech TRAINING Security Subscription Services of qualified and General Wurldtech ICS security Security tested awareness Services patches training and signature updates General ICS security Program awareness implementer Updated trainingpatch training applicability reporting Program implementer System Design, training MAINTENANCE Reliability and Configuration Cyber Baseline Asset Protection Documentation SECURITY TRAINING Subscription Change of qualified Control and Services Wurldtech Security tested Ports Services patches & services, and applications signature updates & protocols General ICS security awareness Updated training patch applicability MAINTENANCE Equipment reporting changes Program implementer System Design, training Reliability and Cyber Configuration Decommission Asset Protection plan MAINTENANCE Baseline Cyber Subscription Asset Documentation Protection of qualified and Subscription tested Change patches Control of qualified and signature Services and updates Ports tested & services, patches Updated applications and patch signature applicability & protocols updatesreporting Updated System patch Design, applicability Equipment Reliability and reporting changes Configuration System Design, Reliability MAINTENANCE Decommission and Baseline Configuration Documentation plan Cyber Baseline Asset Change Documentation Protection Control Services Ports Subscription & Change services, of qualified Control applications and Services & protocols tested patches and signature Ports & services, applications & Equipment updates protocols changes Updated patch applicability Equipment reporting Decommission changes plan System Design, Reliability and Configuration Decommission plan Baseline Documentation Change Control Services Ports & services, applications & protocols Equipment changes Decommission plan SECURITY DESIGN Wurldtech Security Services Best Practice specifications Reference Architecture Inventory, ESP + PSP drawing SECURITY DESIGN Wurldtech Security Services ASSESS CONTROLS Best Practice specifications Wurldtech Security Service Reference Architecture Create / review policy Inventory, SECURITY ESP + PSP drawing Gap Assessments DESIGN SECURITY Wurldtech DESIGN Security Services ASSESS (CVA) CONTROLS Cyber Vulnerability Assessments Wurldtech Best Security Practice Services specifications Wurldtech Security Service Best Practice Reference specifications Architecture Create / review policy Reference Inventory, Architecture ESP + PSP drawing Gap Assessments Inventory, ESP + PSP drawing Cyber Vulnerability ASSESS Assessments CONTROLS ASSESS (CVA) Wurldtech CONTROLS Security Service CONTROLS Wurldtech Create Security / review SECURITY Service policy Create LIFECYCLE / review Gap Assessments policy Gap SecurityST Assessments Cyber Vulnerability Assessments Cyber Firewall/Network Vulnerability (CVA) Assessments intrusion detection SECURITY DESIGN Wurldtech Security Services Best Practice specifications Reference Architecture Inventory, ESP + PSP drawing ASSESS (CVA) defining CONTROLS the ESP CONTROLS Wurldtech Access Security Management SECURITY Service Create / review policy LIFECYCLE Centralized Patch Management Gap SecurityST Security Assessments Information & Event Management (SIEM) Cyber Firewall/Network Automated Vulnerability Back-up Assessments intrusion & detection Recovery (CVA) defining Achilles CONTROLS the Industrial ESP Next SECURITY Gen Firewall CONTROLS Access Stateful LIFECYCLE Management Firewall SECURITY Centralized Network SecurityST Patch Segmentation Management defining the ESP LIFECYCLE Security ICS Information Firewall/Network vulnerability & mitigation Event intrusion Management between detection patch (SIEM) cycles SecurityST Automated Network defining Back-up Intrusion the & Recovery ESP Detection/Prevention System Firewall/Network intrusion detection Achilles Application Industrial Access Management Visibility Next Gen and Firewall Control (AVC) CONTROLS defining the ESP Access Stateful Security Management Firewall Centralized Factory SECURITY Patch Acceptance Management Testing (FAT) LIFECYCLE Centralized Network Multi Security Segmentation vendor Patch Information Management testing defining & Event the ESP Management (SIEM) SecurityST Security ICS vulnerability Information Automated mitigation & Back-up Event between Management & Recovery patch (SIEM) cycles Firewall/Network Automated Achilles Intrusion Back-up intrusion Industrial Detection/Prevention & Recovery detection Next Gen Firewall System Achilles defining Application Industrial the Stateful ESP Visibility Next Firewall and Gen Control Firewall (AVC) Access Security Management Stateful Factory Firewall Network Acceptance Segmentation Testing defining (FAT) the ESP Centralized Network Multi vendor Segmentation ICS Patch vulnerability testing Management defining mitigation the between ESP patch cycles Security Information ICS vulnerability Network mitigation Intrusion & Event Management between Detection/Prevention (SIEM) patch cycles System Automated Network Intrusion Application Back-up & Recovery Detection/Prevention Visibility and Control System (AVC) Achilles Application Industrial Security Visibility Next Factory and Gen Control Acceptance Firewall (AVC) Testing (FAT) Stateful Firewall Security Factory Multi vendor Acceptance testingtesting (FAT) Network Segmentation defining the ESP Multi vendor testing ICS vulnerability mitigation between patch cycles Network Intrusion Detection/Prevention System Application Visibility and Control (AVC) Cyber Security for NERC CIP Version 5 Compliance 5 Security Factory Acceptance Testing (FAT) Multi vendor testing

The following matrix provides more details on GE Oil & Gas recommended solutions and software to support security best practices and facilitate NERC CIP compliance efforts for Mark VIe and EX2100e control families. NERC CIP V5 Standards GE Support for Security and Compliance CIP Standards Sabotage Reporting CIP-001-5 GE support for security and NERC CIP 5 compliance GE s Incident Response policy and procedure includes 3rd party researchers, ICS-CERT, and GE s internal Product Security Incident Response Team (PSIRT). Throughout the controls lifecycle, GE customers receive Technical Instruction Letters that detail known vulnerabilities and associated remediation/ mitigation. The Security Incident Event Management (SIEM) system centralizes and correlates cyber security event data. This reporting can be used to support forensics and event reporting. Access Control CIP-003-5 R5 Access controls are managed through centralized Role Based Access Control. GE supports individual accounts in all of our controls applications. All passwords are changed from defaults and handed over to the Responsible Entity. GE supports complete NERC password parameter requirements including: length, complexity, required password changes, limits to unsuccessful authentication attempts and setting attempt thresholds. Access controls are centrally applied to GE HMIs, routers, switches, firewalls, Network Intrusion Detection Systems and our latest controllers. The Security ST Appliance includes a Certificate Authority Server (CAS) for two-factor operator authentication between GE Controllers (with ControlST 4.7 or greater) and the GE HMIs. The CAS puts GE controllers in Secure Mode, maintaining session authenticity between GE provided controllers & the Authenticated User on domain controlled HMIs. When in secure mode, all controller access is encrypted. This enables only users with the necessary certificate on authorized HMIs to access the controller. The SecurityST Appliance includes a password management program that extends Microsoft Active Directory capabilities and supports NERC CIP compliant password configuration. Personnel & Training CIP-004-5.1 R1-R5 Wurldtech has a comprehensive portfolio of security training courses for critical infrastructure and Industrial Control Systems (ICS). The training is developed and delivered by Wurldtech s security experts, people who analyze and implement real-world security solutions at operating facilities. They bring vast experience, examples and stories to provide applicable, actionable instruction. Service engineers supporting your operation receive routine NERC CIP training and background checks before accessing your site s controls. Electronic Security Perimeter CIP-005-5 R1-R2 GE s Electronic Access Point (EAP) solutions support technical and procedural mechanisms for control of electronic access to the Electronic Security Perimeter. Operationally validate router and switch configurations Unified Threat Management firewalls protect against IT vulnerabilities OT protocol aware firewalls support operational zones, reinforcing permitted commands between zones and access points Network Intrusion Detection Systems inspect inbound and outbound traffic as well as capture baseline traffic Application whitelisting to protect computers from harmful applications Cyber Security for NERC CIP Version 5 Compliance 6

CIP Standards Physical Security of BES Cyber Systems CIP-006-5 R1 System Security Management CIP-007-5 R1-R5 GE support for security and NERC CIP 5 compliance Hardware options include a secure physical network rack. This rack can include a key lock and/or keycard access, including electronic contact switches alerting security personnel when the rack is opened. Secure and documented Chain of Custody in development and throughout the lifecycle, including ongoing delivery of cyber security updates. These updates are transmitted to site via secure sealed shipping envelope. In addition, the CD/DVD includes a hash file to validate the CD/DVD contents have not been altered. GE provides and maintains a list of required listening ports and services for both normal and emergency operations. GE provides hardened switch and HMI configurations to disable unused ports and services. Through GE s CAP subscription service, the Responsible Entity receives a complete Baseline Configuration Report for all items in our scope of supply. Each month any baseline configuration changes (for example, by security update) are reported to the Responsible Entity. The CAP Program includes: Monthly validated patch lists, including any workarounds System Design, Reliability, and Configuration Baseline Documentation When applicable, Cyber Security Technical Information Letter (TIL) Review of impacts to Ports and Services CAP Security Subscription validated testing procedures certificate Patch applicability reporting showing impact, and vulnerability assessment procedures CAP includes ongoing monthly updates for Malicious Code Preventions including Antivirus, Operating System updates, Host Intrusion Detection and Network Intrusion Detection signatures and switch updates. All updates are tested in a representative controls environment Industrial NGFW provides protection profile updates that include IDS/IPS signatures for vulnerabilities. SIEM provides real-time capability that centrally alerts, logs and detects cyber security events, allowing operators to monitor unauthorized activity. Recovery Plans for BES Cyber Systems CIP-009-5 R1-R2 Backup/recovery support: Centralized dashboard for backup and recovery includes backup status, recovery tasks and alerts for backup errors. Redundant set of MS Active Directory Domain Controllers include one as a virtual machine and the other as a physical instance. If the primary or backup domain controller were to fail, the other instance would continue to authenticate authorized users. Use of Virtual Machines (VM) support expedited backup and recovery when backups are executed per best practice. GE Latest Network Design includes complete redundant information flows through redundant ethernet and fiber cabling and hardware. All HMIs and controllers support redundant network connections. Centralized configuration backup and restoration of network devices includes alerting to the Alerting via SIEM when switch configurations change. Switches include stacking technology enabling a stacked pair to act as one switch, providing local built-in failover and recovery in the event of a switch failure. An unconfigured switch can be used to replace a failed switch in the stack, automatically uploading the running configuration from the surviving switch. GE switch configuration includes enhanced Quality of Service ensuring controls traffic (GE Unit Data Highway) has the highest priority. Cyber Security for NERC CIP Version 5 Compliance 7

CIP Standards Configuration Change Management & Vulnerability Assessments CIP-010-1 R1, R3 GE support for security and NERC CIP 5 compliance GE s CAP software update subscription supports patch change management compliance documentation by generating a report that shows the following: Listing of applicable updates to your system Status of the update (applied or missing) Updated reference information, including patch number, bulletin ID and bulletin title US Computer Emergency Readiness Team (US CERT) level of severity associated with update Time required to apply update in the representative operational test environment and whether or not a reboot is required Achilles Industrial NGFW can monitor or block OT-specific protocols and commands not included in the baseline configuration which will issue an alert to the SIEM. GE provides several options with regards to Passive and Active Vulnerability Assessments: Wurldtech provides expertise needed to perform a NERC CIP Vulnerability Assessment at Responsible Entity site. Wurldtech follows a proven methodology tailored to industrial control, automation and other real-time systems. The result is a comprehensive assessment that will enable the Responsible Entity to mitigate immediate risks, while developing and implementing an effective long-term security strategy that will improve the overall security posture. Performing an Active Vulnerability Assessment during Factory Acceptance Testing (FAT), before commissioning to Responsible Entity. Includes network discovery, port and service identification, vulnerability identification and remediation. Included with the CAP monthly patch and signature updates is an applicability report that shows which updates are applicable, their status (applied or unapplied), the severity ranking of the vulnerability and the time the update took to apply in a test environment. The CAP program also provides the Responsible Entity a paper listing of ports and services identification. Information Protection CIP-011-1 R1-R2 During the Secure Factory Acceptance Test (FAT), GE can provide the Responsible Entity complete information flows enforcement the identification of the security of each information flow, why it is permitted or denied, including the configuration of flow enforcement polices via firewalls, switches and routers. During and after commissioning, GE uses a trusted delivery path with tamper evident seals on all packaging. After commissioning, the CAP Update Subscription Program includes tamper evident seals and an encrypted hash file. The hash file is used by Responsible Entity to validate the CD/DVD electronic contents are un-altered. Cyber Security for NERC CIP Version 5 Compliance 8

GE Measurement & Control 1800 Nelson Road Longmont, CO 80501 (540) 387-8726 (888) 943-2272 GE4Service@ge.com http://www.ge-mcs.com/controlsolutions Controls Connect customer portal: ge-controlsconnect.com *Denotes a trademark of the General Electric Company. Copyright 2015 General Electric Company. All rights reserved.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information