Radiflow 3180 Security Appliance Review
NERC CIP version 5 Compliance Enabler
Performed by an Independent Cybersecurity Consultant for Radiflow
12/1/2014

Radiflow 3180 Ruggedized Secure Switch and iSIM Security management software. The Review and Report was conducted by i2 Information Security (i2), a Colorado-based cybersecurity vendor. i2 has expertise, with Subject Matter Expert participation, in several cybersecurity standards for the energy sector.
The Radiflow Answer to Remote Substation Security, Compliance & Resilience - Use Case for Radiflow 3180

The Department of Homeland Security reports that of the growing number of cyber-attacks on critical infrastructure in 2012, more than 40 percent were made on energy-sector targets. This alarming increase of attacks poses new risk management challenges for utilities, and for energy sector owners and operators of critical infrastructure. Among the most challenging responsibilities is improving security at remote substations. The physical attacks on remote substations in Arkansas in the fall of 2013, causing downed transmission lines, sabotaged power poles, and a substation control house fire, highlight the vulnerability of remote sites generally. A cyber-attack on these sites is especially worrisome because of the inability of qualified cybersecurity and SCADA network expertise to respond in time.

Fines from NERC CIP noncompliance add further risk. The NERC May 2012 Compliance Analysis Report shows that Electronic Security Perimeter ranks second in potential noncompliance under NERC CIP. The top violation area is under Systems Security Management. Managing compliance at remote sites is particularly burdensome. 2013 enforcement data from NERC shows that fines in excess of $100,000 are imposed regularly for these cybersecurity violations.

Radiflow 3180 helps to solve the management challenge of providing resilient cybersecurity controls for Remote Substations. Its service-aware features enable SCADA managers to securely monitor and control devices within the remote perimeter. The ease of compliance under CIP-005 and CIP-007 is afforded by the coupling of the service-aware 3180 secure communication appliance and the iSIM management software. As a package, their features assure security managers of NERC CIP compliance for Remote Substations, especially for the 2 most problematic areas: Electronic Security Perimeter and Systems Security Management.
Remote Substation Secure Communication

The Radiflow 3180 is a multi-function hardware and security appliance with extensive capabilities and network applications that warrant a broader device characterization, closer to a full-feature appliance-type device than the conservative ruggedized switch description of the manufacturer. Manufactured and marketed by Radiflow as a Compact Switch or a Service-aware Industrial Ethernet Switch, Radiflow 3180 is actually an All-in-One SCADA security multiplier that offers the power industry many security and efficiency advantages, while also enabling NERC CIP version 5 compliance. Radiflow 3180 offers a suite of mix-and-match security configurations so that security managers can remotely tailor device-specific security controls. Options such as device-specific protocol white listing, physical and virtual port tailored access control configurations, and a variety of other security features maximize security options.

What if each SCADA device within a Remote Substation could be distinctly and remotely configured for security, with separate access controls, white listing, and a suite of other individualized security features? This is possible with the coupling of iSIM Management Software and Radiflow 3180. These tailored security controls make Radiflow 3180 highly suitable for remote sites.

This analysis of Radiflow 3180, conducted by independent cybersecurity subject matter experts, focuses on a power sector Use Case, particularly remote substation applications, analyzing how Radiflow 3180 can render a NERC CIP Responsible Entity compliance ready.
Radiflow 3180 Product Review

- Distributed Service-aware in the 3180 ruggedized switch, with a SCADA-aware firewall embedded in the device
- Enables dynamic configuration to detect and deeply analyze various SCADA protocols
- White Listing configurability options (command types, MAC addresses, ports, protocol)
- Configurable to drop and alert, alert, or simply drop traffic
- Configurable with sensors to detect SCADA traffic anomalies
- Anomaly detection and heuristics: can detect traffic spikes
- Enables automatic detection of normalcy baseline
- Fail-over communication redundancy through Ethernet and cellular
- IPsec VPN tunnels with X.509 certificates
- Remote collection of logs for activity monitoring
- Space reduction through multi-functions in one device

iSIM Management Software

Advantages of Coupling 3180 with iSIM Management Software

Full functionality of the 3180, as well as robust management of the SCADA network, is enabled from the Radiflow iSIM software. This coupling of capabilities offers a suite of NERC CIP compliance options, as well as greatly improved security. From a management console, iSIM affords configuration and security options such as:

- Segmentation of SCADA device control by port, MAC ID, protocol, white listing, port disabling, command type, and user access
- Multi-dimension access control functionality that complicates device access to any would-be attacker
- Configuration management segmentation: Global and Application, so that user access controls may be configured to limit access

The suite of security controls offers substantial benefits to remote substations, and other security enclaves that require both remote continuous security monitoring and management controls.
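As an added example (not Radiflow code and not the iSIM configuration format), the following Python model shows how the per-device white listing, the drop / alert / drop-and-alert modes, and the traffic-spike detection against a learned baseline listed above fit together for one SCADA device. Modbus/TCP is assumed as the SCADA protocol, and the device table, MAC addresses and frames are constructed for the example.

```python
# Added example, not Radiflow code: models the per-device white listing, the
# drop / alert / drop-and-alert modes and the traffic-spike detection listed above.
# Modbus/TCP is assumed as the SCADA protocol; the device table and frames are constructed.
import struct
from collections import Counter
from dataclasses import dataclass
DROP, ALERT, DROP_AND_ALERT = "drop", "alert", "drop_and_alert"

@dataclass(frozen=True)
class DevicePolicy:  # one whitelist entry: which device, on which port, which commands
    src_mac: str
    port: int
    allowed_functions: frozenset
    action: str = DROP_AND_ALERT

def parse_modbus_tcp(payload: bytes):  # -> (unit_id, function_code) or None if malformed
    try:
        _tid, proto_id, length, unit_id, func = struct.unpack("!HHHBB", payload[:8])
    except struct.error:
        return None
    # structure check: MBAP protocol id is always 0 and length must cover unit id + PDU
    return None if proto_id != 0 or length != len(payload) - 6 else (unit_id, func)

def modbus_frame(tid: int, unit: int, func: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHHBB", tid, 0, 2 + len(data), unit, func) + data  # MBAP + PDU

class ScadaFirewall:
    def __init__(self, policies, baseline_pps, spike_factor=3.0):
        self.policies = {p.src_mac: p for p in policies}
        self.baseline_pps, self.spike_factor = baseline_pps, spike_factor
        self.per_second, self.alerts = Counter(), []  # packets per second, alerts raised

    def inspect(self, src_mac, dst_port, payload, ts):
        """Return 'forward' or 'drop'; alerts accumulate in self.alerts."""
        self.per_second[int(ts)] += 1
        if self.per_second[int(ts)] > self.baseline_pps * self.spike_factor:
            self.alerts.append((ts, src_mac, "traffic spike above learned baseline"))
        policy = self.policies.get(src_mac)
        if policy is None or dst_port != policy.port:  # device/port not whitelisted
            return self._enforce(DROP_AND_ALERT, ts, src_mac, "unknown device or port")
        parsed = parse_modbus_tcp(payload)
        if parsed is None:
            return self._enforce(policy.action, ts, src_mac, "malformed Modbus/TCP frame")
        if parsed[1] not in policy.allowed_functions:  # command type not whitelisted
            return self._enforce(policy.action, ts, src_mac, f"function code {parsed[1]} not allowed")
        return "forward"

    def _enforce(self, action, ts, src_mac, reason):
        if action in (ALERT, DROP_AND_ALERT):
            self.alerts.append((ts, src_mac, reason))
        return "forward" if action == ALERT else "drop"

def demo():  # constructed traffic from a read-only HMI; returns verdicts and alert reasons
    hmi = DevicePolicy("00:11:22:33:44:55", 502, frozenset({3, 4}))  # reads only
    fw = ScadaFirewall([hmi], baseline_pps=2)
    read = modbus_frame(1, 1, 3, b"\x00\x00\x00\x0a")   # FC3: read 10 holding registers
    write = modbus_frame(2, 1, 6, b"\x00\x01\x00\xff")  # FC6: write single register
    verdicts = [fw.inspect(hmi.src_mac, 502, read, 0.1), fw.inspect(hmi.src_mac, 502, write, 0.2),
                fw.inspect("66:77:88:99:aa:bb", 502, read, 0.3)]
    return verdicts, [a[2] for a in fw.alerts]
```

In alert-only mode the same checks run but the frame is still forwarded, which is the mode an operator would use while learning a site's normal command set before switching a device to drop-and-alert.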
NERC CIP Compliance (version 5)

Get Ready for NERC CIP Version 5 Compliance

FERC has indicated that NERC CIP version 4 will be skipped in favor of version 5. Presidential Policy Directive PPD-21 is also causing increased focus on cybersecurity. These emerging compliance mandates upon the Bulk Electric System, as well as general consensus across the cybersecurity landscape that will influence Public Utility Commissions (PUC), indicate that a dynamic cyber risk management approach will become the standard and norm. Such an approach, which puts a premium on the capability to adjust controls to new threats, requires security managers to invest in highly adaptable security solutions. NERC CIP 5 similarly aligns with such an approach. Planning for improved cybersecurity, and to align with NERC CIP 5, should therefore involve assessment of capabilities that can adapt to heightened security requirements.

Moreover, increasing security at remote locations can strain already over-taxed staff. In an increasingly hostile cyber landscape, both efficiency and resilience are required. Security managers require solutions configured with a hardened security baseline for resilience, as well as ease of configuration modification and change management to increase efficiencies. Radiflow 3180, as an All-in-One device, coupled with iSIM management software, meets these needs.

Remote Site Cybersecurity Control Management

NERC CIP Version 5 Compliance Mapping

The following pages provide a mapping of Radiflow 3180 and iSIM features to NERC CIP 5 standards. The All-in-One design of the 3180/iSIM appliance enables compliance readiness across multiple NERC CIP 5 focus areas. Accordingly, a one-for-one matching (feature to standard) does not effectively account for the broad swath of readiness enabled by the full-featured appliance, especially when coupled with iSIM security management software. The following table therefore focuses on coupling of features to demonstrate the scope of compliance readiness afforded by the paired 3180/iSIM security and resilience package.
NERC CIP (version 5) Requirements Mapping

CIP-003-5 SECURITY MANAGEMENT CONTROLS

The purpose of CIP-003-5 (cybersecurity policy controls) is to provide a management and governance foundation for all requirements that apply to personnel who have authorized electronic access and/or authorized unescorted physical access to BES Cyber Systems. CIP-003-5 periodic review and approval of the cybersecurity policy ensures that the policy is kept up-to-date and periodically reaffirms management's commitment to the protection of its BES Cyber Systems. The approach of CIP-003-5 incorporates an objective of empowering and enabling the industry to identify, assess, and correct deficiencies in the implementation of CIP-003-5 requirements. Methods and evidence for ensuring compliance include policy documents, revision history, records of review, and workflow evidence from a document management system assuring review of each policy at least once every 15 calendar months.

Radiflow 3180, when coupled with iSIM management software, either provides features that directly comply with certain CIP-003-5 requirements, or together they provide the data or capability that enables the Responsible Entity to demonstrate through processes and record-keeping its compliance with a particular requirement.

CIP-003-5 R1, Part 1.7: Configuration change mgmt & vulnerability assessments, enabled by Remote Access Agent.
CIP-003-5 R1, Parts 1.2, 1.4, 1.5, 1.6: iSIM coupled with 3180 supports and enables security management plans and processes for BES Cyber Systems, including system and asset identification, event logging, access control, configuration change management, recovery plans, and network management.

CIP-005-5 ELECTRONIC SECURITY PERIMETER(S)

The purpose of CIP-005-5 (electronic security perimeter) is to manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES. Methods and evidence for ensuring compliance include the documented processes and direct system or capability measures that address the requirement.

Radiflow 3180, through its SCADA-aware firewall, offers a suite of configurable controls to address access control, authentication, remote access controls, configuration change management, event and audit logging, and other features.

CIP-005-5 R1, Part 1.3: Inbound/Outbound routable traffic at EAP: access control by VLAN, SCADA firewall per port, enable / disable port, port access filter per MAC/IP, DoS protection.
CIP-005-5 R1, Part 1.4: Dial-up authentication and documented processes by dual configuration systems, both with local or remote authentication, plus audit trail.
CIP-005-5 R1, Part 1.5: Malicious traffic detection at EAP by Service-aware firewall acting as IPS/IDS: validating protocol structure and session flow, checking function code against an operator-provided list for validity, abnormality detection of traffic bursts or abnormal command patterns, operator alerts on detection as well as optional abnormal packet drop.
CIP-005-5 R2, Part 2.1: Interactive Remote Access boundaries enabled by management interfaces physically separated from other interfaces, and logically via VLAN, with ingress and egress filtering to ensure traffic does not cross interfaces; SSH and IPsec tunneling (VPN).
- Physical host authentication in the internal network (MAC/IP address or 802.1x) and validation of performed operations by that host.
- Logical authentication for access over insecure interfaces, including IPsec encryption keys and remote user credentials.
CIP-005-5 R2, Part 2.2: Interactive Remote Access encryption performed by SSH, and system integration provided via IPsec tunnels.
CIP-005-5 R2, Part 2.3: Authentication: Reverse SSH sessions to a defined remote console, with X.509 certificates as a transition pathway.

CIP-007-5 SYSTEMS SECURITY MANAGEMENT

The focus of CIP-007-5 (systems security management) is on port control and access, patch management, malicious code detection and prevention, incident log capabilities, and access controls. Radiflow 3180, when coupled with iSIM management software, either provides features that directly comply with certain CIP-007-5 requirements, or together they provide the data or capability that enables the Responsible Entity to demonstrate through processes and record-keeping its compliance with a particular requirement.

CIP-007-5 R1, Part 1.1: Logical port disabling provided by full firewall capability, to include SCADA protocol awareness and port shutdown / MAC / IP restrictions, alerting, VLAN capabilities, port shutdown and MAC capabilities.
CIP-007-5 R1, Part 1.2: Physical port shutdown capability and MAC / IP restrictions to ports.
CIP-007-5 R2, Parts 2.1, 2.2, 2.3: iSIM management software facilitates patch management through a variety of features, such as device identification, topology characterization and system categorization, device query, and inventory listing.
CIP-007-5 R3, Parts 3.1, 3.2, 3.3, 3.4, 3.5: iSIM and 3180 together or individually provide malware detection and prevention capabilities through packet inspection (includes SCADA awareness with anomaly detection and alerting, operator control over allowed / disallowed commands with alerting and dropping capabilities), and audit logs at both the 3180 and iSIM.
CIP-007-5 R4, Part 4.1: Incident logging provided by SCADA-aware firewall and interfacing with iSIM; allows for detection and reaction to potential malicious activity; audit trail logging provides for failed access and logins.
CIP-007-5 R4, Parts 4.1, 4.2, 4.4, 4.5: SCADA-aware firewall is fully configurable to alert on anomalies; the system is syslog and SNMP capable, and can send logs to iSIM for retention.
CIP-007-5 R5, Parts 5.1, 5.2: Access control, user authentication and privilege level associations via SSH for remote access; local / TACACS / Radius capable; procedural system supports user level access controls.

CIP-009-5 RECOVERY PLANS FOR BES CYBER SYSTEMS

Redundancy and Recovery enabled by multiple failover features.
CIP-009-5 R1, Part 1.5: 3180 supports multiple command interfaces, to include cellular with support for two SIM cards, allowing for N+2 failover of communications channels (IP, VPN).

CIP-010-1 CONFIGURATION CHANGE MANAGEMENT AND VULNERABILITY ASSESSMENTS

Radiflow 3180, when coupled with iSIM management software, either provides features that directly comply with certain CIP-010-1 requirements, or together they provide the data or capability that enables the Responsible Entity to demonstrate through processes and record-keeping its compliance with a particular requirement.

CIP-010-1 R1, Parts 1.1, 1.2, 1.3: Baseline configuration baselining enabled by the SCADA-aware firewall, configurability options of 3180, and iSIM management. 3180 provides anomaly detection of SCADA traffic with alerting capability.
CIP-010-1 R2, Part 2.1: 3180 enables internal baselining and anomaly detection of SCADA traffic with alerting capability, including bad / anomalous traffic and detection of configuration change, or failure of devices, and iSIM management of 3180.

CIP-011-1 INFORMATION PROTECTION

iSIM management software provides features that enable the Responsible Entity to demonstrate through processes and record-keeping its compliance with a particular requirement of CIP-011-1.

CIP-011-1 R1: iSIM supports and enables information protection related to BES Cyber Systems, including system and asset identification, logging, change management, and network topology.
NERC CIP version 5 Mapping Summary

CIP-003-5 Security Management Controls
- R1 Cybersecurity Policy Controls: Part 1.2 Electronic Security Perimeter; Part 1.4 System Security Management; Part 1.8 Information Protection
- R2 Cybersecurity Policy Controls: Part 2.3 External Routable Protocol Connections; Part 2.4 Cyber Incident Response
Compliance Ready Contribution: Dynamic configurability meets the 15 month review cycle; extensive control options exceed requirements; remote access controls at the device as a perimeter gateway. iSIM provides the dynamic control and GUI for human interface, management, and response to incidents. It integrates with the embedded firewall to enable home-station management of the 3180 and continuous monitoring.

CIP-005-5 Electronic Security Perimeter
- R1 Comprehensive Process Controls: Part 1.1 Defined ESP for BES Cyber Assets; Part 1.2 Defined Electronic Access Point; Part 1.3 Access Control; Part 1.5 Malicious Traffic Detection
- R2 Interactive Remote Access: Part 2.1 Remote Access Barrier Control; Part 2.2 Remote Access Encryption; Part 2.3 Multi-factor Authentication
Compliance Ready Contribution: Comprehensive, compounding, and synergistic compliance and security multiplier for CIP-005-5 Tables R1 and R2 requirements: access control to device level via white listing, protocol-aware access, MAC ID-aware access, and layered authentication and SSH; two-way traffic control, detection, and alerting. iSIM provides management of the 3180 to enable compliance with Electronic Security Perimeter requirements. The robust features of the 3180, especially at remote locations, are readily accessible and managed via iSIM.

CIP-007-5 Systems Security Management
- R1 Ports and Services: Part 1.1 Logical Port Enabling & Control; Part 1.2 Physical Port Control
- R2 Security Patch Management: Part 2.1 Configuration support for patch mgmt; Part 2.2 Timely inspection (35 days)
- R3 Malicious Code Prevention: Part 3.1 Detect, deter, prevent method; Part 3.2 Mitigation of malicious code; Part 3.3 Process to meet Part 3.1
Compliance Ready Contribution: Full embedded Firewall within the 3180 ensures full compliance and exceeds all requirements: configurable, detect & prevent malicious code at the gateway; port control-enabled. iSIM enables shutdown of physical and virtual ports, or enabling device interface with the 3180 via specified ports. Patch management and continuous monitoring for malicious code are also enabled. Packet inspection includes SCADA awareness with anomaly detection and alerting, operator control over allowed / disallowed commands with alerting and dropping capabilities.

CIP-009-5 Recovery Plan for BES Cyber Systems
- R1 Recovery Specifications: Part 1.5 Fail-over data preservation
Compliance Ready Contribution: Redundant fail-over communication pathways to ensure constant interface with management software and data retention: cellular with support for two SIM cards, IP, VPN. iSIM provides network topology and management; database backup for network administration; and multiple communication channels to the 3180 for redundancy. Emergency restoration via.

CIP-010-1 Configuration Change Management
- R1 Change Management Process: Part 1.1 Baseline Configuration; Part 1.3 Cyber Asset Identification; Part 1.4 Change controls and documentation; Part 1.5 Change testing and documentation
- R2 Unauthorized Change Detection: Part 2.1 Detect Unauthorized changes
Compliance Ready Contribution: Configurability includes device detection that facilitates baseline configuration, change management, and device management. The SCADA-aware firewall enables baselining and anomaly detection of SCADA traffic with alerting capability; it integrates with the management software to enable unauthorized change detection and continuous monitoring. iSIM provides activity logs, alarm logs, visibility into configuration changes, management, and unauthorized change logs.
For more information about Radiflow products, email: info@radiflow.com, web: http://www.radiflow.com
Copyright 2014, Radiflow Ltd. Ver 1.0