Essential Power Case Study: Protecting Critical Infrastructure From Cyber Attacks
In May, 2014 the US Department of Homeland Security and its Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, issued a report confirming several recent attacks on public utilities from the first quarter of 2014. DHS confirmed that a sophisticated threat actor gained unauthorized access to an unnamed public utility’s control system network.

Incidents of this type haven’t been as widely publicized as recent retail breaches, but it is believed by many that there are far more incidents occurring within the Energy Sector than are heard about in the press. Lack of enforced and implemented policy and compliance, poor capability for early detection of threat indicators, and lack of visibility and automation may all be contributing to failure in rapidly detecting attacks and breaches.

Essential Power™ (formerly known as North American Energy Alliance) is a wholesale power generator and marketer of electric energy located in the Northeastern United States. Essential Power will share a case study of its own journey towards achieving NERC CIP compliance within a very short five-month timeline, and how it did it.

  • Version 3 -- As many of you know, manual log review is both cumbersome and generally extremely time consuming.
  • Of course the ideal solution is to prevent breaches from occurring by employing good security controls.

    During the Recon phase detection is very difficult, but having good security practices such as hardening security configurations and minimizing vulnerabilities will make you an unattractive target for attackers. (Can we include a quote from Jane XXX at the CSC?)

    The best opportunity for detection before a loss has occurred is during the Exploitation phase. Because the attacker has now successfully entered the network, most likely undetected, they are executing activities on the host systems and leaving digital fingerprints which can be detected by looking for changes to the host systems.

    Detection is also likely during the Malicious Action phase using various malware detection products; however, at this point detection comes after some level of loss or damage has already occurred.

Essential Power Case Study: Protecting Critical Infrastructure From Cyber Attacks Presentation Transcript

  • 1. Stephen Theodos, CISSP, Essential Power, LLC
  • 2.
    - Founded in 2008
    - Own and operate five generation facilities throughout the Northeast
    - Our fleet is primarily peaking power, fueled predominantly by natural gas
    - Just over 2,000 megawatts of total generation capacity
    - Headquartered in Princeton, NJ
    Essential Power, LLC ~ Proprietary & Confidential 2
  • 3.
    - What did we start with?
    - What hurdles did we face as our company developed and as enforcement dates loomed for CIP?
    - How were we able to overcome these challenges?
    - What are some potential hurdles coming up regarding future risk and CIP 5?
  • 5.
    - Inherited our generation networks
    - Lacked thoughtful design
    - Used overlapping IP address subnets
    - Lacked “intelligent hardware”
    - Minimal security
    - No logging
    - No backup plan
  • 6.
    - Retrofit security as much as possible to existing networks
    - A complete redesign from scratch was not possible at the time
    - Our time frame was incredibly short
    - A new mindset: not just generation of energy, but generating it securely
    - Defense in depth
    - Deter, delay, detect, defend
  • 7.
    - Perform our gap analysis
    - Secure all devices
    - Manage and document all user accounts
    - Create ESPs and PSPs (Electronic Security Perimeters and Physical Security Perimeters)
    - Enable logging on all devices
    - Monitor these logs for any unexpected behavior
    - Make sure we are meeting our CIP requirements
  • 9.
    - CIP-005 and CIP-007 require reviewing log samples from Critical Cyber Assets and Access Control and Monitoring devices, and require us to have an auditable log of user activity
    - It was determined that a Security Information and Event Management (SIEM) system that would collect and correlate system logs in a centralized server location would be required
    - A centralized SIEM would mean convergence of existing segregated networks
    - Network Address Translation was required due to the overlapping networks
  • 10. Cyberthreat Gaps: The Cyber Threat Kill Chain (Lockheed Martin). Chart of level of exposure against chance of detection across the phases Recon, Weaponization & Delivery, Exploitation, C2 (Command & Control) and Malicious Action (Exfiltration and Business Disruption).
  • 11. Chart contrasting Manual Assessment and Periodic Assessment (a megascan is required to reassess, while configuration changes occur constantly) with Continuous Security Configuration Management:
    - Understands changes in the environment
    - The goal is security, not audit
    - Lower costs, greater efficiency
    - Continual risk reduction
    - Measurable, sustainable security
  • 12.
    - We reviewed three different SIEM vendors during our RFP / review process
    - Ultimately chose Tripwire, due to a combination of factors
    - At the time, they were one of the few vendors that had predetermined CIP rules
    - Offered solid value for the overall cost compared to other competitors
    - Their support team was willing and able to assist us throughout the deployment
    - Interface was simple, intuitive, and provided exactly what we needed to see
    - We opted for both Tripwire Log Center and Tripwire Enterprise
  • 13.
    - CIP-005 R3.2: Alerting for Cyber Security Incidents for access control and monitoring devices
    - CIP-005 R5.3: Retain and review electronic access logs for at least ninety calendar days for Access Control and Monitoring devices
    - CIP-007 R6.2: Alerting for Cyber Security Incidents for critical cyber assets
    - CIP-007 R6.3: Logs of system events related to cyber security for critical cyber assets
    - CIP-007 R6.4: Retain logs of critical cyber assets for 90 days
    - CIP-007 R6.5: Review logs for critical cyber assets at least every 90 days
    - CIP-008 R3: Logs related to reportable incidents shall be kept for 3 years
  • 14.
    - CIP-003 R5 requires Responsible Entities to “document and implement a program for managing access to protected Critical Cyber Asset information.”
    - CIP-003 R6 requires change control and configuration management processes to be established and documented
    - CIP-007 R3 Security Patch Management: the file integrity monitoring reports unauthorized modifications or changes and provides documentation of authorized changes
    - CIP-007 R5 Account Management requires technical and procedural controls that enforce access authentication and accountability for all user activity
  • 15.
    - Easy to use GUI allows for easy modification of rules and alerts
    - Daily and weekly traffic reports to set baseline traffic patterns and easily analyze any anomalies
    - Daily change reports let us know immediately if and when any changes occur to the file system
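Slides 14 and 15 describe file integrity monitoring that reports unauthorized modifications while documenting authorized ones. The following added example (not Essential Power's or Tripwire's code) shows that reconciliation in miniature: hash a directory into a baseline, diff it against a later snapshot, and sort each change by whether it maps to a change-control ticket; the paths, file contents and ticket id CHG-0042 are constructed.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Hash every regular file under root; keys are paths relative to root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Classify paths as added, removed or modified between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def change_report(changes, authorized):
    """Reconcile changes with change control: `authorized` maps path -> ticket id."""
    report = {"authorized": [], "unauthorized": []}
    for kind, paths in changes.items():
        for path in paths:
            if path in authorized:
                report["authorized"].append((kind, path, authorized[path]))
            else:
                report["unauthorized"].append((kind, path))  # no ticket: investigate
    return report


def demo():
    """Constructed walkthrough: a baseline, then one ticketed edit and one unexpected file."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "ntp.conf"), "wb") as fh:
            fh.write(b"server 10.0.0.2\n")
        baseline = snapshot(root)
        with open(os.path.join(root, "etc", "ntp.conf"), "ab") as fh:
            fh.write(b"server 10.0.0.3\n")  # covered by ticket CHG-0042 (constructed id)
        with open(os.path.join(root, "etc", "rc.local"), "wb") as fh:
            fh.write(b"# unexpected startup script\n")  # no ticket on file
        return change_report(diff_snapshots(baseline, snapshot(root)), {"etc/ntp.conf": "CHG-0042"})
```

A real deployment would persist the baseline off-host and run the comparison on a schedule so the daily report reflects the same 90-day review cadence the CIP requirements on slide 13 call for.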
  • 16.
    - Instant notification of cyber security related events
    - Advanced correlation of system logs, which saves many hours of log review
  • 17.
    - Practical and useful search criteria for audits and investigations
    - The data is easily available for forensic analysis if necessary
  • 18. “The concern over cybersecurity risks to critical infrastructure, of which power generation is a significant element, is unlikely to wane in the foreseeable future.” – Steven Parker, President of EnergySec
  • 19. How are we preparing for CIP 5?
    - Updating and cleaning up the current CIP document repository
    - Verifying and updating documentation of all electronic devices as necessary
    - Using a third party to perform a gap analysis of where we may be lacking when it comes to CIPv5 preparation
    - Scheduling mock audits internally
    - Attempting to allocate resources accordingly
  • 20.
    - Vendors have increased their support of CIP compliance initiatives
    - SIEMs are smarter and more capable than in the past
    - Newer technologies are constantly available to make our lives easier
    - Better “whitelist” capabilities
    - Improved patch management
    - Improved port scanning and confirmation
    - Ability to tie in physical security logging and alerts
    - Easier access to compliance reports and audit results
  • 22.
    - Provide appropriate security controls to your SIEM
    - Spend time tuning it! The system can only run as well as it is configured
    - Don’t be afraid to contact the vendor directly for support
    - Use it frequently! Hands on is the best way to learn
  • 23. Questions? Comments?