SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards




OVERVIEW

Electrical utilities are responsible for defining the critical cyber assets that are vital to their continuing operation. These assets are then systematically protected through well-defined processes, methods, and procedures outlined in a federal government standard for Critical Infrastructure Protection (CIP). The procedures for compliance follow a standard developmental road map created by the North American Electric Reliability Corporation (NERC) and are contained in the NERC CIP standards 002 through 009. The standard itself is divided into eight sections, each addressing a different area:

CIP 002 Critical Asset Identification
CIP 003 Security Management Controls
CIP 004 Cyber Security Personnel and Training
CIP 005 Electronic Security Perimeter
CIP 006 Physical Security
CIP 007 System Security Management
CIP 008 Incident Reporting and Response Planning
CIP 009 Recovery Plan for Critical Cyber Assets

The Critical Cyber Assets to be protected are defined as all "programmable electronic devices and communication networks including hardware, software, and data". In broad terms, compliance for an organization includes:

* defining critical cyber assets, all access points, and interconnected cyber assets.
* defining and maintaining a critical infrastructure protection program.
* implementing access control for all critical cyber assets.
* continuously monitoring and logging all access to the secure electronic perimeter.
* establishing a continuing training program to extend these initial efforts.
* putting management policies in place for protection of critical cyber assets.
* defining and documenting the organization's response to incidents, with these responses specifically assigned to individuals and job functions.
* putting management policies in place for the periodic evaluation and update of all definitions and procedures.
* establishing procedures for assessing changes to the CIP standard and implementing those changes.
* becoming auditably compliant with the standard and remaining so.

UTILITY RESPONSIBILITIES

Utilities designated as Responsible Entities are responsible for being auditably compliant with the NERC CIP standard in accordance with the released timetable. In addition to being a formal requirement, the NERC CIP standard is quickly becoming a best-practice guideline for the industry. Even if not formally required to be compliant, a utility would ignore these guidelines only at a risk to its own liability. No SCADA vendor (or anyone else) other than the utility can be audited and certified as NERC CIP compliant.

The SCADA vendor, however, can assist the utility and support its efforts by:

* modifying the SCADA software provided to comply with NERC CIP guidelines.
* creating additional software or services to aid in compliance efforts.
* evaluating third-party hardware or software which may be useful for user compliance efforts.
* implementing and documenting sound internal procedures for supporting compliance with NERC CIP guidelines.

CRITICAL INFRASTRUCTURE PROTECTION ELEMENTS AND SOLUTIONS

The following paragraphs outline the basics of the NERC-CIP requirements and the assets that can be supplied by CG AUTOMATION in support of your efforts. This listing cannot be a comprehensive summary of NERC-CIP requirements. You are strongly encouraged to obtain the entire NERC-CIP standard for charting your own compliance path.

CIP-002 Cyber Asset Identification

NERC CIP-002 addresses the need to develop criteria and procedures for identifying Critical Assets. Once critical assets are identified, the utility's Critical Cyber Assets are formally defined. Once defined, these cyber assets are designated, and the listing must be periodically updated. Critical cyber assets are defined and then placed within an Electronic Security Perimeter. This would also include assets networked via routable protocols to critical assets within the perimeter.

CG AUTOMATION Support Solution

CG AUTOMATION will analyze the equipment provided and generate a listing of items that internally or externally meet the criteria for Critical Cyber Asset. This list will be created by CG AUTOMATION and will be incorporated into the program configuration as part of CG AUTOMATION's supply documentation.

CIP-003 Security Management Controls

Under CIP 003, the responsible entity will ensure that management policies and controls are designed and adequate for implementing the guidelines of the standard. These policies and controls would include:

* development of a formal cyber security policy.
* formulating formal managerial assignments and responsibilities.
* establishing firm lines of responsibility and authority for compliance with the cyber security policy.
* clearly documenting responsibility for any exceptions to the established policy.
* defining procedures for and control of access to the electronic security perimeter.
* documenting all access to all critical cyber assets.
* implementing a program of change and configuration control.

CG AUTOMATION Support Solution

TDMS-Plus system access is controlled by unique usernames and passwords. Additionally, CG AUTOMATION will generate comprehensive security reports and change logs for the SCADA system provided and for any access made available through CG AUTOMATION products. You will be able to easily add supplemental information (from non-CG AUTOMATION equipment, software, or services) so that the management controls may be implemented and properly documented. Standard database management tools will be made available for generating the necessary logs and reports regarding access, changes, etc. These solutions will be incorporated into the standard CG AUTOMATION TDMS-Plus SCADA system software and/or accompanying software.

CIP-004 Personnel & Training

Effective cyber security requires situational awareness for all personnel. Training of your staff is extremely important and must be ongoing. Ongoing training concerning cyber security issues will be designed, approved, implemented, and documented. As personnel issues are ongoing, any persons having access to critical cyber assets will be subject to criminal background checks and security clearances. Any personnel changes will be handled in a timely manner to prevent unauthorized access to any critical cyber assets.

CG AUTOMATION Support Solution

CG AUTOMATION will incorporate relevant information concerning security threats and solutions into periodically published CG AUTOMATION newsletters and other vehicles (web site, manuals, technical bulletins, specifications, etc.). The effect of this will be to raise security awareness among user personnel. Separate annotations highlighting the security features of CG AUTOMATION equipment and systems will be featured in the standard CG AUTOMATION training courses. Additional, targeted security-feature training will be optionally available. All CG AUTOMATION personnel having physical or cyber access to customer equipment will maintain a current (within seven years) criminal background check. CG AUTOMATION users will be notified within the prescribed period of time of any personnel changes among those with physical or cyber access to customers' equipment or systems.

CIP-005 Electronic Security Perimeter

The utility is responsible for ensuring that every critical cyber asset resides within an Electronic Security Perimeter and that all points of access to the perimeter are identified, controlled, monitored, and documented. Electronic access through the security perimeter is of particular interest to the NERC-CIP standards. Access will require explicit permissions, and the procedure for authorizing access, the authentication methods, and the authorization rights (for permanent and dial-in connections) are to be rigidly defined and controlled. Where external interactive access into the electronic security perimeter has been enabled, the responsible entity shall implement strong procedural or technical controls at those access points to ensure the authenticity of the accessing party. Appropriate Use Banners will be incorporated into all system access. In order to implement access control, appropriate monitoring and reporting mechanisms must be in place for all remote access.
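The access-point inventory that CIP-005 calls for (every open port on the perimeter identified, documented by function and by need, and re-confirmed by periodic scanning) lends itself to an automated check. The script below is an added example and is not CG AUTOMATION software: the baseline of documented ports, the service descriptions and the scan output are all constructed for illustration. It reports drift in both directions, listeners with no documented need and documented services that have stopped listening.

```python
"""Check an Electronic Security Perimeter port baseline against a port-scan result.
Added example for illustration; the baseline, scan output and service names are
all constructed and are not CG AUTOMATION data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowedPort:
    port: int
    proto: str
    function: str  # what the listening service is for
    need: str      # why it must stay open: "normal" or "emergency" operations


# Constructed baseline: every permitted access point documented by function and by need.
BASELINE = {
    (22, "tcp"): AllowedPort(22, "tcp", "SSH maintenance access from the jump host", "emergency"),
    (443, "tcp"): AllowedPort(443, "tcp", "HMI web client", "normal"),
    (502, "tcp"): AllowedPort(502, "tcp", "Modbus/TCP polling of IEDs", "normal"),
    (20000, "tcp"): AllowedPort(20000, "tcp", "DNP3 master to RTUs", "normal"),
}

# Constructed scan output in "port/proto state" form, as a periodic port scan might record it.
SAMPLE_SCAN = """\
22/tcp open
23/tcp open
443/tcp open
502/tcp open
5900/tcp open
20000/tcp open
"""


def parse_scan(text):
    """Return the set of (port, proto) tuples reported as open."""
    observed = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        endpoint, state = line.split(None, 1)
        if state.strip() != "open":
            continue
        port, proto = endpoint.split("/", 1)
        observed.add((int(port), proto.lower()))
    return observed


def check_drift(observed, baseline=BASELINE):
    """Compare observed listeners with the baseline.

    Returns (unexpected, missing): ports open with no documented need, which must be
    closed or formally added to the baseline, and documented ports not listening,
    which usually means a required service has failed."""
    unexpected = sorted(p for p in observed if p not in baseline)
    missing = sorted(p for p in baseline if p not in observed)
    return unexpected, missing


def evidence_rows(observed, baseline=BASELINE):
    """One row per port for the compliance evidence report."""
    rows = []
    for key in sorted(set(observed) | set(baseline)):
        entry = baseline.get(key)
        rows.append({
            "port": f"{key[0]}/{key[1]}",
            "open": key in observed,
            "documented": entry is not None,
            "function": entry.function if entry else "UNDOCUMENTED",
            "need": entry.need if entry else "UNDOCUMENTED",
        })
    return rows


if __name__ == "__main__":
    found = parse_scan(SAMPLE_SCAN)
    unexpected, missing = check_drift(found)
    for row in evidence_rows(found):
        print(f"{row['port']:>10}  open={row['open']!s:5}  {row['function']} ({row['need']})")
    print("undocumented open ports:", unexpected or "none")
    print("documented ports not listening:", missing or "none")
```

Run on a schedule, the "unexpected" list is what an auditor will ask about first; the "missing" list is an operational alarm rather than a compliance finding, but it belongs in the same evidence record because a service that silently stopped is as much a change to the perimeter as one that appeared.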

CG AUTOMATION Support Solution

CG AUTOMATION will supply systems and equipment that ensure only needed ports are open and will document these both by function and by need. CG AUTOMATION will provide secure dial-in and VPN solutions using secure two-factor authentication technology. Strong access controls will be made available at entry points, including strong password requirements, certificates, or hardware keys. CG AUTOMATION equipment will display an appropriate use banner upon all interactive connections. The software provided by CG AUTOMATION will generate the detailed security logs, port scans, and intrusion alarm/event data necessary for assisting the user in achieving NERC CIP compliance. These security logs and data records will be accessible with common, open relational database tools for easy management, report generation, and update.

CIP-006 Physical Security

This portion of the standard requires the responsible entity to create and maintain a physical security plan which is approved and then updated on a periodic basis. Six-sided security will be provided for critical cyber assets, and all access will be controlled and monitored 24/7. Potential physical access controls could include:

* card key access.
* special locks (restricted key, magnetic locks, multi-door man-trap systems).
* security personnel for controlling and monitoring access.
* other authentication devices (biometric, keypad, token, etc.).

All physical access will be monitored by alarm systems or by human observation of access points and logged by video recording, handwritten log, computerized logging, or other similar means. This physical access control, monitoring, and logging will be subject to periodic testing to re-confirm viability.

CG AUTOMATION Support Solution

While physical security is outside the scope of supply for CG AUTOMATION equipment and services, CG AUTOMATION can provide interfaces to commercially available systems to streamline this physical security requirement. These would include interfaces to user-selected key, smart card, biometric, or video monitoring systems. These subsystems can help reduce the SCADA system attack surface and allow easier management of physical or cyber access.

CIP-007 Systems Security Management

The responsible entity shall ensure that any new cyber assets and any significant change to existing cyber assets within the electronic security perimeter do not adversely affect existing cyber security controls or policies. Ports and services allowed into the electronic security perimeter will be only those required for normal and emergency operations. All unnecessary ports and services, including those for testing purposes, will be disabled. One of the most critical factors for cyber security is nonexistent or poor patch management for the SCADA server operating system and antivirus updates. NERC CIP 007 mandates that all operating system patches and antivirus updates be tested, installed, and documented in a timely manner. Procedures will be implemented for controlling all access through the electronic security perimeter, to include:

* procedures for implementing and documenting access authentication.

* reducing all system access to a need-to-know basis.
* requiring access controls and procedures to support strong passwords.
* a formal password management program.
* automated tools for controlling, monitoring, and logging all access to cyber assets within any security perimeter.

CG AUTOMATION Support Solution

CG AUTOMATION has multiple solutions to address the requirements of NERC CIP 007, to include:

* Password protection for all master station and remote terminal or gateway configuration changes.
* The comprehensive security reports available from CG AUTOMATION SCADA systems (see the response to NERC CIP 003 in this document) will address the monitoring of available system ports to ensure only necessary ports are enabled. A security port scan can be made to run at any time to confirm this ongoing configuration control.
* CG AUTOMATION will provide a security patch management service. This service will provide the environment and procedure for testing all operating system security patches. This is an important feature, as most users do not have a duplicate, non-production system available to safely evaluate all patch effects. Users also do not have the necessary source code or expertise needed to do formal patch evaluation.
* CG AUTOMATION will provide antivirus software on all CG AUTOMATION provided equipment, as appropriate, and document where it is not needed. CG AUTOMATION will also, in concert with the patch testing of the previous bullet item, test signatures and certify them for use on CG AUTOMATION provided equipment.
* Individual user names and passwords used for access to the system will carry additional strength features. Minimum standards of password length and complexity are enforceable. Role-based user privileges are implemented. Account expiration and invalid-attempt lockout features are available for use with the CG AUTOMATION system. Forced password expiration and change is also available. To aid in the access review process required by this standard, the information about the system is available to the comprehensive security reporting mentioned in the response to NERC CIP section 003 in this document.
* CG AUTOMATION TDMS-Plus provides for alarm and event notification and storage. Detailed security logs, including their secure storage, provide the audit trail needed for this paragraph's requirements. Intrusion alarms and events are generated when attempts are made, and these are available to the data warehouse and subsequent reporting.
* Using the comprehensive security reports, including information about users, hardware, access attempts, and access points, a cyber security vulnerability assessment can be easily reviewed at any time.
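The CIP-007 account features described above (enforced password length and complexity, invalid-attempt lockout, forced password expiration, and intrusion events raised from access attempts) can be shown working together on a small access log. The following Python is an added example and not CG AUTOMATION's TDMS-Plus code: the policy limits, the log line format, the account names and the last-change dates are all constructed. A successful login resets an account's failure counter, the account locks at the configured number of consecutive failures, and any further attempt on a locked account, even with a valid password, is recorded as an intrusion event rather than granting access.

```python
"""Account controls and intrusion events for a SCADA master station access log.
Added example, not CG AUTOMATION code: the policy limits, the log format and the
accounts are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed policy, in the spirit of the CIP-007 features described above.
POLICY = {
    "min_length": 8,
    "classes_required": 3,        # of lower, upper, digit, symbol
    "max_invalid_attempts": 5,    # consecutive failures before lockout
    "max_password_age_days": 90,  # forced expiration
}


def password_meets_policy(password, policy=POLICY):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append("too short")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < policy["classes_required"]:
        problems.append("insufficient character classes")
    return problems


# Constructed access log: "<timestamp> <event> user=<name> src=<address>".
SAMPLE_LOG = """\
2011-09-01T08:00:01 LOGIN_FAIL user=operator1 src=10.1.1.5
2011-09-01T08:00:07 LOGIN_FAIL user=operator1 src=10.1.1.5
2011-09-01T08:00:12 LOGIN_OK user=operator1 src=10.1.1.5
2011-09-01T09:10:00 LOGIN_FAIL user=admin src=10.1.1.99
2011-09-01T09:10:08 LOGIN_FAIL user=admin src=10.1.1.99
2011-09-01T09:10:16 LOGIN_FAIL user=admin src=10.1.1.99
2011-09-01T09:10:24 LOGIN_FAIL user=admin src=10.1.1.99
2011-09-01T09:10:32 LOGIN_FAIL user=admin src=10.1.1.99
2011-09-01T09:10:40 LOGIN_OK user=admin src=10.1.1.99
"""


def parse_line(line):
    ts, kind, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kind, kv


def process_access_log(text, policy=POLICY):
    """Replay the log: count consecutive failures per account, lock the account at
    the limit, and raise an intrusion event for every attempt on a locked account
    (a later valid password does not unlock it). Returns (locked, events)."""
    failures = defaultdict(int)
    locked = set()
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, kv = parse_line(line)
        user, src = kv["user"], kv["src"]
        if user in locked:
            events.append((ts, "ATTEMPT_ON_LOCKED_ACCOUNT", user, src))
            continue
        if kind == "LOGIN_FAIL":
            failures[user] += 1
            if failures[user] >= policy["max_invalid_attempts"]:
                locked.add(user)
                events.append((ts, "ACCOUNT_LOCKED", user, src))
        elif kind == "LOGIN_OK":
            failures[user] = 0  # a successful login resets the counter
    return locked, events


# Constructed last-change dates and review date for the forced-expiration check.
SAMPLE_PASSWORD_DATES = {
    "operator1": datetime(2011, 5, 1),
    "admin": datetime(2011, 8, 15),
}
AS_OF = datetime(2011, 9, 1)


def accounts_needing_rotation(last_changed, now=AS_OF, policy=POLICY):
    """Accounts whose password is older than the policy allows."""
    limit = timedelta(days=policy["max_password_age_days"])
    return sorted(user for user, changed in last_changed.items() if now - changed > limit)


if __name__ == "__main__":
    locked, events = process_access_log(SAMPLE_LOG)
    for ev in events:
        print(ev[0].isoformat(), ev[1], "user=" + ev[2], "src=" + ev[3])
    print("locked accounts:", sorted(locked))
    print("passwords past maximum age:", accounts_needing_rotation(SAMPLE_PASSWORD_DATES))
```

The events list is the piece that feeds the data warehouse and the periodic access review: the ACCOUNT_LOCKED record documents the control firing, and the ATTEMPT_ON_LOCKED_ACCOUNT record is the one that should page someone, because a correct password arriving right after a string of failures is exactly the pattern a lockout exists to interrupt.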

CIP-008 Incident Reporting and Response Planning

The responsible entity must formalize and implement procedures for handling severe security incidents and possible responses. This would include defining cyber security incidents and reporting them in a standardized fashion. This would also include the formal assignment of roles, responsibilities, procedures, and authority for members of all incident response teams. In addition to initial implementation, the cyber security incident and response plan must be periodically reviewed and tested. The retention of documentation for all incidents is established in this portion of the standard.

CG AUTOMATION Support Solution

As covered in this document's responses to NERC CIP 003 and 007, all events, alarms, access, port assignments, configuration changes, etc. necessary for reporting and archiving of incidents and security events will be available in the form of a data warehouse using standard relational database tools. This approach will ensure any necessary reports and archives are available and properly maintained.

CIP-009 Recovery Plans for Critical Cyber Assets

The responsible entity shall create and annually review disaster recovery plans for critical cyber assets. Recovery plans will cover varying intensities of problems, and response plans will be periodically exercised.

Disaster Recovery

A formal backup and restore procedure will be implemented for critical cyber assets, to include provisions for off-site backup storage, replacement hardware, etc.

CG AUTOMATION Support Solution

Standard CG AUTOMATION failover architecture allows for up to quad redundancy. These redundant servers may be co-located or dispersed as cost and recovery plans dictate. The standard CG AUTOMATION backup/restore procedure is well documented and automatically verifies the integrity of the media during the backup phase, as required by the standard. As the CG AUTOMATION master station servers are members of the user's enterprise network, the TDMS SCADA database can also be copied to the corporate servers for later restoration. In addition to the standardized backup and restore procedure, the latest versions of CG AUTOMATION's Worldview HMI, TDMS Plus Editors, and Configuration Wizard editing software allow a user to easily transfer all displays, point definitions, communication configuration parameters, IED configurations, reports, closed-loop control algorithms, etc. to ordinary CD/DVDs for easy off-site storage and later system restoration. CG AUTOMATION also offers a media verify, restore, and off-site storage service. This service, if procured as part of system support, allows for the testing of backup media by restoration to a similar machine at the CG AUTOMATION factory. The restored data is then checked by factory-trained personnel to assure that it is a proper backup containing all of the appropriate data sets and that the media itself is completely readable. This is done in a non-production environment to prevent corrupting the user's operational system, should the backup media prove faulty. On-site storage and verification at the CG AUTOMATION facility of a user's backup is also available at a small additional cost. The testing of backup procedures, to include testing of backup media, will be accomplished.
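The two properties CIP-009 asks of a backup procedure, integrity verified during the backup phase and media tested by restoration in a non-production environment, can be demonstrated with a small script. The following Python is an added example and not CG AUTOMATION's backup/restore procedure: the configuration files, the directory layout and the fault scenario are constructed for illustration. Each file is hashed as it is read, the written copy is re-read and compared before the file is recorded in a manifest, and a restore first re-verifies every file against that manifest and refuses to proceed from faulty media.

```python
"""Backup with integrity verification during the backup phase and before restore.
Added example, not CG AUTOMATION's backup/restore procedure: the files, directory
layout and fault scenario are constructed for illustration."""
import hashlib
import json
import os
import shutil
import tempfile

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(src_dir, dest_dir):
    """Copy every file under src_dir to dest_dir, hashing the source and re-reading
    the written copy so a media fault is caught while the backup is being made.
    Writes a manifest of expected digests alongside the copies."""
    os.makedirs(dest_dir, exist_ok=True)
    manifest = {}
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, src_dir)
            dst = os.path.join(dest_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copyfile(src, dst)
            digest = sha256_file(src)
            if sha256_file(dst) != digest:
                raise IOError(f"backup copy of {rel} does not match its source")
            manifest[rel] = digest
    with open(os.path.join(dest_dir, MANIFEST_NAME), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify(dest_dir):
    """Re-hash every file named in the manifest; return the relative paths that fail."""
    with open(os.path.join(dest_dir, MANIFEST_NAME)) as f:
        manifest = json.load(f)
    bad = []
    for rel, digest in manifest.items():
        path = os.path.join(dest_dir, rel)
        if not os.path.isfile(path) or sha256_file(path) != digest:
            bad.append(rel)
    return sorted(bad)


def restore(dest_dir, target_dir):
    """Refuse to restore from media that fails verification; otherwise copy back."""
    bad = verify(dest_dir)
    if bad:
        raise IOError(f"refusing to restore from faulty media: {bad}")
    with open(os.path.join(dest_dir, MANIFEST_NAME)) as f:
        manifest = json.load(f)
    for rel in manifest:
        dst = os.path.join(target_dir, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copyfile(os.path.join(dest_dir, rel), dst)
    return sorted(manifest)


def demo():
    """Constructed scenario: back up a small configuration set, verify and restore it,
    then flip one byte on the 'media' and show that restore is refused."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "scada")
        media = os.path.join(work, "media")
        os.makedirs(os.path.join(src, "points"))
        with open(os.path.join(src, "displays.xml"), "w") as f:
            f.write("<displays><display name='overview'/></displays>\n")
        with open(os.path.join(src, "points", "rtu01.csv"), "w") as f:
            f.write("tag,address\nBRK_101,30001\n")
        files = sorted(backup(src, media))
        clean = verify(media)
        restored = restore(media, os.path.join(work, "restore1"))
        with open(os.path.join(media, "displays.xml"), "r+b") as f:
            f.write(b"X")  # simulate a faulty medium: one corrupted byte at offset 0
        corrupted = verify(media)
        try:
            restore(media, os.path.join(work, "restore2"))
            refused = False
        except IOError:
            refused = True
    finally:
        shutil.rmtree(work)
    return {"files": files, "clean": clean, "restored": restored,
            "corrupted": corrupted, "refused": refused}


if __name__ == "__main__":
    print(demo())
```

The test restore in `demo()` goes to a scratch directory, which is the same idea as restoring to a similar machine at the factory: a faulty medium is discovered without touching the operational system. The manifest should travel with the media, and for off-site copies a second copy of the manifest kept with the recovery plan lets the restore team detect a medium that was altered or degraded in storage.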

In Summary

CG AUTOMATION provides a wide variety of automation products and services to the electric utility industry. CG AUTOMATION customers are a mixture of major utilities, government and military agencies, as well as global electrical transmission and distribution OEMs. To unify our global focus, all CG facilities across the world have taken actions to ensure that customers receive consistent "One World Quality" for all CG products and solutions in all parts of the world. For additional information about how CG AUTOMATION can support your cyber security efforts, contact your local representative or sales@qeiinc.com.

All brand or product designations, names, or trademarks mentioned in this document remain the property of the original owner. All characteristics subject to change without notice. Contact the CG AUTOMATION Sales department for details concerning your particular system.

Copyright 2011, CG AUTOMATION. Revision 3, Sept. 2011

CG Automation Solutions USA Inc, Automation Systems, 60 Fadem Road, Springfield, NJ USA. T: +973-379-7400 F: +973-379-2138 E: Sales@qeiinc.com http://www.cgautomationusa.com/