SlideShare a Scribd company logo

Advanced Solutions for Critical Infrastructure Protection

Entrust Datacard
Entrust Datacard

The document discusses how utilities can comply with NERC CIP standards for critical infrastructure protection. It recommends using multifactor authentication, such as smart cards with PINs, for physical and logical access to critical systems. An authentication platform should support revoking access quickly, migrating between authenticators, and auditing credential issuance. FIPS 201 smart cards combined with workflow management can help utilities simplify NERC CIP compliance. Entrust offers an integrated platform to issue various authenticators and manage physical and logical access control according to the standards.

TechnologyBusiness
1 of 18
Download to read offline
Advanced Solutions for Critical Infrastructure Protection Complying with the North American Electric Reliability Corporation Critical Infrastructure Protection standards Get this White Paper © Entrust Inc. All Rights Reserved. Entrust Inc. All Rights Reserved. 1 1
Contents Introduction ............................................................................................. 3 NERC Critical Infrastructure Protection ............................................... 4 Multifactor Authentication for Physical & Logical Access Control....................................................................... 6 Proven Authentication Solutions for NERC CIP Compliance ...................................................................... 7 Compliance Summary .......................................................................... 12 Entrust — Simplifying NERC CIP Compliance ................................... 14 A Single Integrated Platform ................................................................ 15 Entrust & You ........................................................................................ 18 © Entrust Inc. All Rights Reserved. 2 2
Introduction “ An attack on a utility — either through a cyberattack or physical entry to the facility — will have serious ramifications to citizens, causing severe economic damages and life-threatening situations. It is estimated that the destruction from a single wave In fact, recent evidence from the FBI indicates that terrorists are planning of cyberattacks on U.S. critical for such an attack. According to a news release by the U.S. Senate infrastructures could exceed Committee on Homeland Security & Governmental Affairs, “An Al Qaeda $700 billion — the equivalent video calling upon the ‘covert Mujahidin’ to commit ‘electronic jihad’ of 50 major hurricanes hitting demonstrates the rapidly increasing threat of cyber-attack and U.S. soil at once. ” underscores the pressing need for cybersecurity standards for the 1 nation’s most critical networks.” — U.S. Cyber Consequence Unit The committee went on to confirm that terrorist objectives targeting critical infrastructure. “This is the clearest evidence we’ve seen that Al Qaeda and other terrorist groups want to attack the cyber systems of our critical infrastructure,” Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman, ID-Conn., said. “Congress needs to act now to protect the American public from a possible devastating attack on our electric grid, water delivery systems, or financial networks, for example.” This is clear, undeniable evidence for the immediate and ongoing need for advanced security solutions that protect the critical infrastructure managed by both private and government entities. 1 “Senators say video urging electronic jihad underscores need for cybersecurity standards,” U.S. Senate Committee on Homeland Security & Governmental Affairs, May 22, 2012 © Entrust Inc. All Rights Reserved. 3 3
NERC Critical Infrastructure Protection Critical Infrastructure In North America, the North American Electric Reliability Corporation Protection: A Global (NERC) created the Critical Infrastructure Protection standards that each Requirement organization must comply with or face fines of up to $1 million per day. While the policies for There are eight individual NERC CIP standards: protection vary around the world, the basic needs  CIP-002 Critical Cyber Assets remain the same: ensure  CIP-003 Security Management Controls only authorized, trusted  CIP-004 Personnel & Training  CIP-005 Electronic Security users are granted access to  CIP-006 Physical Security electronic and physical  CIP-007 Systems Security Management perimeters. We recommend  CIP-008 Incident Reporting & Response Planning a vendor that can take the  CIP-009 Recovery Plans best practices from the NERC CIP standard and apply them to a specific Compliance Definitions critical infrastructure as it makes sense. The compliance process starts with a facilities-wide assessment addressing the requirements outlined in NERC CIP-002 Critical Cyber Asset Identification. CIP-002 outlines definitions and a methodology to be used in defining Critical Assets (CA) and Critical Cyber Assets (CCA). NERC Standard CIP-002 requires that each facility develop a list of CCAs that are essential to the operation of its CA. The NERC CIP Definition for Critical Assets (CA):  “Facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the Bulk Electric System.” The NERC CIP Definition for Critical Cyber Assets (CCA):  “Cyber Assets essential to the reliable operation of Critical Assets.”  The Cyber Asset uses a routable protocol to communicate outside the Electronic Security Perimeter (typically TCP/IP). © Entrust Inc. All Rights Reserved. 4 4
The NERC CIP Definition for Electronic Security Perimeter:  CIP-005 defines the Electronic Security Perimeter as the logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled. An access point, as defined by the NERC FAQ, is “any place where electronic traffic crosses the Electronic Security Perimeter.” The NERC CIP Definition for Physical Security Perimeter:  CIP-006 defines the Physical Security Perimeter as the physical, completely enclosed, border surrounding computer rooms, telecommunication rooms, operations centers and other locations in which Critical Cyber Asset are housed and for which access is controlled. “ London 2012 authorities got cyber-attack warning on eve of Games; Security services warned of possible threat against Olympic power supply days before opening ceremony. — The Guardian, August 2012 ” © Entrust Inc. All Rights Reserved. 5 5
Multifactor Authentication for Physical & Logical Access Control The Critical Infrastructure Protection standards require that the network be segmented to prevent an attack on one network being spread to the next network, and that strong two-factor authentication be used to ensure only authorized individuals may have physical and logical access to the critical assets. Strong two-factor authentication is utilized for:  Remote access to the networks  Access to the Physical Security Perimeter  Access to the Electronic Security Perimeter  Access to specific Critical Assets Figure 1 A high-level view of secure enterprise and control networks working to protect critical assets. © Entrust Inc. All Rights Reserved. 6 6
Proven Authentication Solutions for NERC CIP Compliance Not every authentication solution can help organizations properly comply with NERC CIP standards. Outlined below is how a capable authentication platform should align with the CIP requirements. CIP-004 Revoke Access to CCAs within 24 Hours for Personnel Terminated for Cause, and within 7 Days for Personnel who no Longer Require Access to CCAs When a smart credential is issued or revoked using a strong authentication solution, the Certificate Revocation List (CRL) is instantly updated to deny access to Windows, Macintosh or Unix systems employing smartcard login, or FIPS-201 (PIV) systems using the PKI authentication option. All other authenticators issued, such as OTPs, passwords or grid cards, are also denied any future authentications by sharing a common authentication platform and administration. These approaches are used for situations where the CCA is not smartcard-capable. The authentication platform should be integrated into the enterprise’s human resources system so any change to employee status is automatically acted on to avoid delays and mistakes. CIP-005 The authentication platform should meet the following requirements:  Provide for a range of authenticators, as not all applications support all authenticators  The cost of the strongest authenticator may be too expensive for less-critical systems  If an authenticator should be compromised by a future attack, the switch to the new authenticator needs to occur quickly  The platform should support grid cards and one-time passcodes (OTP), which meet the needs of remote access at a low cost © Entrust Inc. All Rights Reserved. 7 7
With the introduction of CIP-007 version 5, the complexity of passwords standardizes on a range between15 to 25 characters, depending on the type of account. Coupled with the need for random characters and frequent password changes, the enterprise should consider the usage of smartcards. This would eliminate the need for passwords and costly password resets. Combining physical access, Microsoft Windows login access and remote access simplifies logistics, management and auditing for the enterprise. For the employee, it means just a single authenticator to carry and a simple PIN to remember. The authentication platform should allow for multiple authenticators for the following purposes.  Easy migration from one authenticator to another, such as one- time passcodes (OTP) to smartcards, at a pace the enterprise can support.  The enterprise applications may only support specific authenticators.  Allow the flexibility of using the best security for a low cost of a specific application. A capable security vendor will use the modern FIPS-201 smartcard standard that allows for interoperability with a wide range of third-party products also compliant to the standard, such as Microsoft Windows 7 and several physical access systems. This approach also ensures the solution is certified by the NIST so the organization is sure the implementation does not have poor quality, security and privacy. Smartcards, when utilized with a secure PIN entry device, is resistant to malware loaded onto the machine. A key-logger cannot steal the PIN to use in a future fraudulent authentication. (Any compromised machine, however, should be immediately removed from the network. In addition, the use of a layered security approach will help defend against attacks that defeat a single solution.) When the card (employee) is not present, access will be denied. Placing the FIPS-201 application on a smartphone allows the range before denying access to be extended up to 80 feet. This is achieved by using near-field communication (NFC) or Bluetooth found on modern smartphones. © Entrust Inc. All Rights Reserved. 8 8
CIP-005 Only Authorized Machines Can Access the Electronic Security Perimeter A compliant authentication solution should be able to issue digital certificates to laptops, desktops, servers and mobile devices so that only authorized devices can connect to the network. CIP-006 Physical Access Controls The authentication solution should support physical security in depth by combining the card authentication with a PIN or biometric for high-impact cyber systems, while simultaneously allowing for quick access to low- impact cyber systems. Many of the existing physical access solutions have been compromised over the years, with easy-to-follow, low-cost instructions on the Web. Entrust suggests the migration to more secure physical access standards such as FIPS-201. The NIST FIPS-201 standard is designed specifically for this type of deployment with four types of authentication: 1. Card Holder Unique ID (CHUID) A numerical value representing the employee is digitally signed by the enterprise that issued the card, then stored on the card and transmitted to the reader when the card is energized by the reader. The digital signature prevents an attacker from making their own card from scratch — if they know a valid employee number — because the attacker does not possess the enterprise’s key to sign the CHUID. Any attempt to modify the CHUID will invalidate the signature when checked by the reader. © Entrust Inc. All Rights Reserved. 9 9
2. Card Authentication Key (CAK) The reader will send the card a random challenge. The card digitally signs the challenge with its CAK private key and returns the challenge to the reader. As the private key cannot be taken from the card, the card cannot be cloned. The key cannot be extracted as defined by the FIPS-201 standard and enforced by the chip hardware. The CAK private key is paired with a digital certificate that contains the identity. This certificate states the identity is an anonymous employee of the company. Since there is no privacy to protect, the PIN does not need to be entered. CAK should be used for fast access (no PIN) to a secure location where a specific person’s identity is not required. 3. PKI User This approach uses the same challenge-response process as CAK, but in this case the digital certificate has the employee name in it. As such, to protect privacy and to allow the employee to approve the authentication, the PIN must be entered before the challenge is signed and returned. This approach is used when high security is required, and the enterprise needs to know the specific employee identity. 4. Biometrics The FIPS-201 standard supports two types — IRIS and the more popular fingerprint. The physical access reader requests the previously stored fingerprint from the card. And because it contains private data, the employee must enter their PIN. The biometric is compared within the reader, and if they match the employee is allowed to enter. To prevent the threat of a fraudulent fingerprint, the fingerprint is digitally signed during issuance by the enterprise. The highest security is when the PKI user and the biometric are both required. © Entrust Inc. All Rights Reserved. 10 10
CIP-007 Establish an Auditable Workflow for Credential Issuance A proper authentication solution will come with a workflow engine with multiple roles, allowing for independent groups with differing policy requirements and approvals. In the case of a smartcard, an employee can be enrolled by Role_A, the issuance be approved by the senior manager as Role_B, and then the smartcard printed and distributed by Role_C. This separation of duty prevents the issuance of fraudulent authenticators. The authentication solution should have the same workflow regardless of the authenticator type (e.g., a one-time passcode shares the same approvals as a smartcard). Proper workflow allows for the step to perform a background check to be easily added prior to authenticator issuance. To satisfy periodic audits, an advanced solution will issue reports on all issued authenticators, as well as those that are active, along with the archived approvals. No other authenticators will have access to the physical or logical system. The vendor of the authentication solution should proactively provide bulletins of any compromises of the technology put in place as the sophistication of attackers improves over time. This will support the annual NERC compliance audits while protecting assets from attack. © Entrust Inc. All Rights Reserved. 11 11
Compliance Summary A capable security vendor should provide an integrated solution for both physical and logical access control, while also allowing for the easy migration from less-secure legacy systems to modern solutions — all without impacting the productivity and uptime of the entire system. The smartcard should simultaneously support both the legacy and modern systems. Figure 2: A cost-effective solution to meet the requirements of CIP-005, CIP-006 and CIP-007 offers a multifunction smartcard with a single platform for issuance, management and revocation. The platform also should allow for quick migration from a compromised authenticator. The solution should be tied into an HR system to control who is issued a credential and what they are authorized to access. © Entrust Inc. All Rights Reserved. 12 12
Employees need access to enterprise systems, but not all are smartcard-capable. As such, utility companies require a platform that supports a wide range of authenticators — often with one employee using more than one authenticator. Implement a central location to issue all authenticators and set consistent policies to meet CIP standards. Historically, smartcards were cost-effective, but the logistics of card issuance proved to be complicated. Evolution in technology and critical security investment has made advanced smartcard solutions more realistic — and affordable. Look for a vendor that has the capability to quickly issue temporary credentials that do not negatively affect employee productivity or compromise security. For example, this is important for the situation where the employee has left their credential at home. “ Historically, smartcards were cost-effective, but the logistics of card issuance proved to be complicated. Evolution in technology and critical security investment has made advanced smartcard solutions more realistic — and affordable. ” © Entrust Inc. All Rights Reserved. 13 13
Entrust — Simplifying NERC CIP Compliance Entrust's comprehensive management framework serves as an organization's single software-based security platform that bridges emerging technologies for strong mobility, cloud and smart credentialing offerings. By seamlessly integrating co-deployment measures, federation security, advanced APIs and self-service management tools, Entrust strengthens security, maximizes staff efficiency and reduces overall costs. Entrust's flagship authentication solution, Entrust IdentityGuard, continues to lead the industry as one of the most robust software authentication platforms, delivering an unmatched breadth of capabilities and flexibility to meet the most demanding security environments. The solution enables organizations to layer security — according to access requirements or the risk of a given transaction — across diverse users and applications. Entrust's authentication capabilities include smartcards and USB tokens, soft tokens, grid cards and eGrids, IP-geolocation, questions and answers, mobile smart credentials, out-of-band one-time passcode (delivered via voice, SMS or email), biometrics, and a range of one-time- passcode tokens. © Entrust Inc. All Rights Reserved. 14 14
A Single Integrated Platform Compliance to NERC CIP calls for a truly integrated physical and logical solution that’s compatible with both legacy and modern systems. Entrust IdentityGuard may be deployed as an easy-to-use, fully integrated in-house solution, or as a managed service where card issuance is managed offsite and delivered to the utility organization as a service. Entrust IdentityGuard issuance-approval workflow, along with the related logs, will serve as evidence for CIP audits to prove compliance. Secure Remote Access Aligning with Entrust’s aforementioned suggestions for CIP compliance, Entrust IdentityGuard issues both one-time passcodes and smartcards for authentication. Entrust smartcards are FIPS 201-compliant, allowing for seamless interoperability with the most popular third-party products also compliant to the standard. Using an optional CodeBench ID-Sync module, all Entrust IdentityGuard physical access systems are instantly notified of card revocation, which stops any further access. Optionally, the Entrust IdentityGuard credential creation/revocation capability may be integrated with the corporate identity management solution through an easy-to-use Web services API. When a person joins or leaves the enterprise, all systems are instantly and automatically made aware, meeting the 24-hour CIP requirement, and removing the chance of human error. © Entrust Inc. All Rights Reserved. 15 15
Smartcard Issuance & Interoperability Entrust IdentityGuard not only integrates with both card-issuance and physical access control, but Entrust tests a wide variety of physical access equipment to ensure expertise in what systems are more secure, and which systems are interoperable with each other. Unlike an OTP, the private key representing the employee is only stored on the Entrust IdentityGuard-issued smartcard and cannot be stolen off the device and used to create a duplicate or cloned identity card. It is protected by sophisticated hardware controls. Figure 3: Entrust IdentityGuard serves as a utility company’s comprehensive smartcard issuance and management solution for NERC CIP compliance. © Entrust Inc. All Rights Reserved. 16 16
Entrust IdentityGuard also leverages near-field communication (NFC) or Bluetooth standards found on modern smartphones. This capability only requires each employee carry one device, enables remote issuance of a strong authenticator, and allows control over the distance an employee must be from a cyber-asset before being logged off. The Entrust solution makes compliance as simple as printing a card then distributing it to an employee. The smartcard is ready to use by simply inserting it into the computer. For more sensitive assets, the Entrust solution can require a biometric (in addition to the card itself) and a PIN. Authorizing Machines & Devices Entrust IdentityGuard issues digital certificates to laptops, desktops, servers, machines and mobile devices so that only authorized devices may connect to the network. Entrust IdentityGuard also possess an authentication API that may be integrated with cyber-asset systems. The API utilizes industry standards, Web services, SAML and Radius protocols. Figure 4: An overview outlining how Entrust IdentityGuard authenticates users while concurrently serving as a comprehensive card management solution. © Entrust Inc. All Rights Reserved. 17 17
Entrust & You More than ever, Entrust understands your organization’s security pain Company Facts points. Whether it’s the protection of information, securing online Website: www.entrust.com customers, regulatory compliance or large-scale government projects, Employees: 359 Customers: 5,000 Entrust provides identity-based security solutions that are not only Offices: 10 Globally proven in real-world environments, but cost-effective in today’s uncertain economic climate. Headquarters Entrust secures governments, enterprises and financial institutions in Three Lincoln Centre more than 5,000 organizations spanning 85 countries. Entrust’s award- 5430 LBJ Freeway, Suite 1250 Dallas, Texas 75240 winning software authentication platforms manage today’s most secure identity credentials, addressing customer pain points for cloud and Sales mobile security, physical and logical access, citizen eID initiatives, certificate management and SSL. North America: 1-888-690-2424 EMEA: +44 (0) 118 953 3000 For more information about Entrust products and services, call Email: entrust@entrust.com 888-690-2424, email entrust@entrust.com or visit entrust.com. 24588/8-12 © Entrust Inc. All Rights Reserved. 18 18

Recommended

Counterfeit Risk & New Defense Regulations
Counterfeit Risk & New Defense RegulationsCounterfeit Risk & New Defense Regulations
Counterfeit Risk & New Defense RegulationsIHS
 
CS5032 L19 cybersecurity 1
CS5032 L19 cybersecurity 1CS5032 L19 cybersecurity 1
CS5032 L19 cybersecurity 1Ian Sommerville
 
Security assessment for financial institutions
Security assessment for financial institutionsSecurity assessment for financial institutions
Security assessment for financial institutionsZsolt Nemeth
 
Industrial cyber threat landscape
Industrial cyber threat landscapeIndustrial cyber threat landscape
Industrial cyber threat landscapebayshorenet
 
The Top 20 Cyberattacks on Industrial Control Systems
The Top 20 Cyberattacks on Industrial Control SystemsThe Top 20 Cyberattacks on Industrial Control Systems
The Top 20 Cyberattacks on Industrial Control SystemsMuhammad FAHAD
 
Moving target-defense
Moving target-defenseMoving target-defense
Moving target-defenseZsolt Nemeth
 
CS5032 L20 cybersecurity 2
CS5032 L20 cybersecurity 2CS5032 L20 cybersecurity 2
CS5032 L20 cybersecurity 2Ian Sommerville
 
SCIT Labs - intrusion tolerant systems
SCIT Labs - intrusion tolerant systemsSCIT Labs - intrusion tolerant systems
SCIT Labs - intrusion tolerant systemsZsolt Nemeth
 

Recommended

Counterfeit Risk & New Defense Regulations
Counterfeit Risk & New Defense RegulationsCounterfeit Risk & New Defense Regulations
Counterfeit Risk & New Defense RegulationsIHS
 
CS5032 L19 cybersecurity 1
CS5032 L19 cybersecurity 1CS5032 L19 cybersecurity 1
CS5032 L19 cybersecurity 1Ian Sommerville
 
Security assessment for financial institutions
Security assessment for financial institutionsSecurity assessment for financial institutions
Security assessment for financial institutionsZsolt Nemeth
 
Industrial cyber threat landscape
Industrial cyber threat landscapeIndustrial cyber threat landscape
Industrial cyber threat landscapebayshorenet
 
The Top 20 Cyberattacks on Industrial Control Systems
The Top 20 Cyberattacks on Industrial Control SystemsThe Top 20 Cyberattacks on Industrial Control Systems
The Top 20 Cyberattacks on Industrial Control SystemsMuhammad FAHAD
 
Moving target-defense
Moving target-defenseMoving target-defense
Moving target-defenseZsolt Nemeth
 
CS5032 L20 cybersecurity 2
CS5032 L20 cybersecurity 2CS5032 L20 cybersecurity 2
CS5032 L20 cybersecurity 2Ian Sommerville
 
SCIT Labs - intrusion tolerant systems
SCIT Labs - intrusion tolerant systemsSCIT Labs - intrusion tolerant systems
SCIT Labs - intrusion tolerant systemsZsolt Nemeth
 
IT Security for Oil and Gas Companies
IT Security for Oil and Gas CompaniesIT Security for Oil and Gas Companies
IT Security for Oil and Gas CompaniesRichard Cole
 
RSAC 2021 Spelunking Through the Steps of a Control System Hack
RSAC 2021 Spelunking Through the Steps of a Control System HackRSAC 2021 Spelunking Through the Steps of a Control System Hack
RSAC 2021 Spelunking Through the Steps of a Control System HackDan Gunter
 
Cybersecurity infographic
Cybersecurity infographicCybersecurity infographic
Cybersecurity infographicCSC Australia
 
NEtwork Security Admin Portal
NEtwork Security Admin PortalNEtwork Security Admin Portal
NEtwork Security Admin PortalBhadreshsinh Gohil
 
WR Paper: Security for Videoconferencing
WR Paper: Security for VideoconferencingWR Paper: Security for Videoconferencing
WR Paper: Security for VideoconferencingVideoguy
 
Dragos 2019 ICS Year in Review
Dragos 2019 ICS Year in ReviewDragos 2019 ICS Year in Review
Dragos 2019 ICS Year in ReviewDragos, Inc.
 
CSIRS ICS BCS 2.2
CSIRS ICS BCS 2.2CSIRS ICS BCS 2.2
CSIRS ICS BCS 2.2David Spinks
 
Bryan Singer S4 Presentation
Bryan Singer S4 PresentationBryan Singer S4 Presentation
Bryan Singer S4 Presentationbsinger74
 
SMi Group's Oil & Gas Cyber Security conference & exhibition
SMi Group's Oil & Gas Cyber Security conference & exhibitionSMi Group's Oil & Gas Cyber Security conference & exhibition
SMi Group's Oil & Gas Cyber Security conference & exhibitionDale Butler
 
360-Degree Approach to DR / BC
360-Degree Approach to DR / BC360-Degree Approach to DR / BC
360-Degree Approach to DR / BCAISDC
 
CCNA Security 02- fundamentals of network security
CCNA Security 02- fundamentals of network securityCCNA Security 02- fundamentals of network security
CCNA Security 02- fundamentals of network securityAhmed Habib
 
Cio ciso security_strategyv1.1
Cio ciso security_strategyv1.1Cio ciso security_strategyv1.1
Cio ciso security_strategyv1.1Anindya Ghosh,
 
Addressing CIP
Addressing CIPAddressing CIP
Addressing CIPNarinrit Prem-apiwathanokul
 
Securing Public Web Servers
Securing Public Web ServersSecuring Public Web Servers
Securing Public Web Serverswebhostingguy
 
Cisco ccna security
Cisco ccna securityCisco ccna security
Cisco ccna securityMt Mostafa
 
Enterprise Mobile Security
Enterprise Mobile SecurityEnterprise Mobile Security
Enterprise Mobile Securitytbeckwith
 
Net motion wireless-and_frost-sullivan_a-new-mobilty_ps
Net motion wireless-and_frost-sullivan_a-new-mobilty_psNet motion wireless-and_frost-sullivan_a-new-mobilty_ps
Net motion wireless-and_frost-sullivan_a-new-mobilty_psAccenture
 
GCC eGov Cyberwar, Cybercrime Risks and Defences 2010
GCC eGov Cyberwar, Cybercrime Risks and Defences 2010GCC eGov Cyberwar, Cybercrime Risks and Defences 2010
GCC eGov Cyberwar, Cybercrime Risks and Defences 2010Jorge Sebastiao
 
DSS ITSEC Conference 2012 - Lumension Intelligent Application Whitelisting & ...
DSS ITSEC Conference 2012 - Lumension Intelligent Application Whitelisting & ...DSS ITSEC Conference 2012 - Lumension Intelligent Application Whitelisting & ...
DSS ITSEC Conference 2012 - Lumension Intelligent Application Whitelisting & ...Andris Soroka
 
Critical Infrastructure and Cyber Threat
Critical Infrastructure and Cyber ThreatCritical Infrastructure and Cyber Threat
Critical Infrastructure and Cyber ThreatMotorola Solutions
 
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 ComplianceFeldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 ComplianceCoreTrace Corporation
 
Malicious Software Prevention for NERC CIP-007 Compliance:
Malicious Software Prevention for NERC CIP-007 Compliance:Malicious Software Prevention for NERC CIP-007 Compliance:
Malicious Software Prevention for NERC CIP-007 Compliance:CoreTrace Corporation
 

More Related Content

What's hot

IT Security for Oil and Gas Companies
IT Security for Oil and Gas CompaniesIT Security for Oil and Gas Companies
IT Security for Oil and Gas CompaniesRichard Cole
 
RSAC 2021 Spelunking Through the Steps of a Control System Hack
RSAC 2021 Spelunking Through the Steps of a Control System HackRSAC 2021 Spelunking Through the Steps of a Control System Hack
RSAC 2021 Spelunking Through the Steps of a Control System HackDan Gunter
 
Cybersecurity infographic
Cybersecurity infographicCybersecurity infographic
Cybersecurity infographicCSC Australia
 
WR Paper: Security for Videoconferencing
WR Paper: Security for VideoconferencingWR Paper: Security for Videoconferencing
WR Paper: Security for VideoconferencingVideoguy
 
Dragos 2019 ICS Year in Review
Dragos 2019 ICS Year in ReviewDragos 2019 ICS Year in Review
Dragos 2019 ICS Year in ReviewDragos, Inc.
 
Bryan Singer S4 Presentation
Bryan Singer S4 PresentationBryan Singer S4 Presentation
Bryan Singer S4 Presentationbsinger74
 
SMi Group's Oil & Gas Cyber Security conference & exhibition
SMi Group's Oil & Gas Cyber Security conference & exhibitionSMi Group's Oil & Gas Cyber Security conference & exhibition
SMi Group's Oil & Gas Cyber Security conference & exhibitionDale Butler
 
360-Degree Approach to DR / BC
360-Degree Approach to DR / BC360-Degree Approach to DR / BC
360-Degree Approach to DR / BCAISDC
 
CCNA Security 02- fundamentals of network security
CCNA Security 02- fundamentals of network securityCCNA Security 02- fundamentals of network security
CCNA Security 02- fundamentals of network securityAhmed Habib
 
Cio ciso security_strategyv1.1
Cio ciso security_strategyv1.1Cio ciso security_strategyv1.1
Cio ciso security_strategyv1.1Anindya Ghosh,
 
Securing Public Web Servers
Securing Public Web ServersSecuring Public Web Servers
Securing Public Web Serverswebhostingguy
 
Cisco ccna security
Cisco ccna securityCisco ccna security
Cisco ccna securityMt Mostafa
 
Enterprise Mobile Security
Enterprise Mobile SecurityEnterprise Mobile Security
Enterprise Mobile Securitytbeckwith
 
Net motion wireless-and_frost-sullivan_a-new-mobilty_ps
Net motion wireless-and_frost-sullivan_a-new-mobilty_psNet motion wireless-and_frost-sullivan_a-new-mobilty_ps
Net motion wireless-and_frost-sullivan_a-new-mobilty_psAccenture
 
GCC eGov Cyberwar, Cybercrime Risks and Defences 2010
GCC eGov Cyberwar, Cybercrime Risks and Defences 2010GCC eGov Cyberwar, Cybercrime Risks and Defences 2010
GCC eGov Cyberwar, Cybercrime Risks and Defences 2010Jorge Sebastiao
 
DSS ITSEC Conference 2012 - Lumension Intelligent Application Whitelisting & ...
DSS ITSEC Conference 2012 - Lumension Intelligent Application Whitelisting & ...DSS ITSEC Conference 2012 - Lumension Intelligent Application Whitelisting & ...
DSS ITSEC Conference 2012 - Lumension Intelligent Application Whitelisting & ...Andris Soroka
 
Critical Infrastructure and Cyber Threat
Critical Infrastructure and Cyber ThreatCritical Infrastructure and Cyber Threat
Critical Infrastructure and Cyber ThreatMotorola Solutions
 

What's hot (20)

IT Security for Oil and Gas Companies
IT Security for Oil and Gas CompaniesIT Security for Oil and Gas Companies
IT Security for Oil and Gas Companies
 
RSAC 2021 Spelunking Through the Steps of a Control System Hack
RSAC 2021 Spelunking Through the Steps of a Control System HackRSAC 2021 Spelunking Through the Steps of a Control System Hack
RSAC 2021 Spelunking Through the Steps of a Control System Hack
 
Cybersecurity infographic
Cybersecurity infographicCybersecurity infographic
Cybersecurity infographic
 
NEtwork Security Admin Portal
NEtwork Security Admin PortalNEtwork Security Admin Portal
NEtwork Security Admin Portal
 
WR Paper: Security for Videoconferencing
WR Paper: Security for VideoconferencingWR Paper: Security for Videoconferencing
WR Paper: Security for Videoconferencing
 
Dragos 2019 ICS Year in Review
Dragos 2019 ICS Year in ReviewDragos 2019 ICS Year in Review
Dragos 2019 ICS Year in Review
 
CSIRS ICS BCS 2.2
CSIRS ICS BCS 2.2CSIRS ICS BCS 2.2
CSIRS ICS BCS 2.2
 
Bryan Singer S4 Presentation
Bryan Singer S4 PresentationBryan Singer S4 Presentation
Bryan Singer S4 Presentation
 
SMi Group's Oil & Gas Cyber Security conference & exhibition
SMi Group's Oil & Gas Cyber Security conference & exhibitionSMi Group's Oil & Gas Cyber Security conference & exhibition
SMi Group's Oil & Gas Cyber Security conference & exhibition
 
360-Degree Approach to DR / BC
360-Degree Approach to DR / BC360-Degree Approach to DR / BC
360-Degree Approach to DR / BC
 
CCNA Security 02- fundamentals of network security
CCNA Security 02- fundamentals of network securityCCNA Security 02- fundamentals of network security
CCNA Security 02- fundamentals of network security
 
Cio ciso security_strategyv1.1
Cio ciso security_strategyv1.1Cio ciso security_strategyv1.1
Cio ciso security_strategyv1.1
 
Addressing CIP
Addressing CIPAddressing CIP
Addressing CIP
 
Securing Public Web Servers
Securing Public Web ServersSecuring Public Web Servers
Securing Public Web Servers
 
Cisco ccna security
Cisco ccna securityCisco ccna security
Cisco ccna security
 
Enterprise Mobile Security
Enterprise Mobile SecurityEnterprise Mobile Security
Enterprise Mobile Security
 
Net motion wireless-and_frost-sullivan_a-new-mobilty_ps
Net motion wireless-and_frost-sullivan_a-new-mobilty_psNet motion wireless-and_frost-sullivan_a-new-mobilty_ps
Net motion wireless-and_frost-sullivan_a-new-mobilty_ps
 
GCC eGov Cyberwar, Cybercrime Risks and Defences 2010
GCC eGov Cyberwar, Cybercrime Risks and Defences 2010GCC eGov Cyberwar, Cybercrime Risks and Defences 2010
GCC eGov Cyberwar, Cybercrime Risks and Defences 2010
 
DSS ITSEC Conference 2012 - Lumension Intelligent Application Whitelisting & ...
DSS ITSEC Conference 2012 - Lumension Intelligent Application Whitelisting & ...DSS ITSEC Conference 2012 - Lumension Intelligent Application Whitelisting & ...
DSS ITSEC Conference 2012 - Lumension Intelligent Application Whitelisting & ...
 
Critical Infrastructure and Cyber Threat
Critical Infrastructure and Cyber ThreatCritical Infrastructure and Cyber Threat
Critical Infrastructure and Cyber Threat
 

Similar to Advanced Solutions for Critical Infrastructure Protection

Feldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 ComplianceFeldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 ComplianceCoreTrace Corporation
 
Malicious Software Prevention for NERC CIP-007 Compliance:
Malicious Software Prevention for NERC CIP-007 Compliance:Malicious Software Prevention for NERC CIP-007 Compliance:
Malicious Software Prevention for NERC CIP-007 Compliance:CoreTrace Corporation
 
White paper scada (2)
White paper scada (2)White paper scada (2)
White paper scada (2)Ivan Carmona
 
Cyber Security Lecture at Rah Rah 7
Cyber Security Lecture at Rah Rah 7Cyber Security Lecture at Rah Rah 7
Cyber Security Lecture at Rah Rah 7Filip Maertens
 
The Expanding Web of Cybersecurity Requirements
The Expanding Web of Cybersecurity RequirementsThe Expanding Web of Cybersecurity Requirements
The Expanding Web of Cybersecurity RequirementsEnergySec
 
国际物联网安全标准与认证大解析
国际物联网安全标准与认证大解析国际物联网安全标准与认证大解析
国际物联网安全标准与认证大解析Onward Security
 
WHITE PAPER - The Importance of CIP in the Energy Sector v2.0.pdf
WHITE PAPER - The Importance of CIP in the Energy Sector v2.0.pdfWHITE PAPER - The Importance of CIP in the Energy Sector v2.0.pdf
WHITE PAPER - The Importance of CIP in the Energy Sector v2.0.pdfFas (Feisal) Mosleh
 
An Approach to Closing the Gaps between Physical, Process Control, and Cybers...
An Approach to Closing the Gaps between Physical, Process Control, and Cybers...An Approach to Closing the Gaps between Physical, Process Control, and Cybers...
An Approach to Closing the Gaps between Physical, Process Control, and Cybers...EnergySec
 
NERC v6.0 for ESM Solution Guide
NERC v6.0 for ESM Solution GuideNERC v6.0 for ESM Solution Guide
NERC v6.0 for ESM Solution Guideprotect724rkeer
 
Supply Chain Threats to the US Energy Sector
Supply Chain Threats to the US Energy SectorSupply Chain Threats to the US Energy Sector
Supply Chain Threats to the US Energy SectorKaspersky
 
The Future of Cybersecurity in Energy Sector
The Future of Cybersecurity in Energy Sector The Future of Cybersecurity in Energy Sector
The Future of Cybersecurity in Energy Sectoracinfotec
 
American Bar Assoc. ISC 2009
American Bar Assoc. ISC 2009American Bar Assoc. ISC 2009
American Bar Assoc. ISC 2009infracritical
 
Integrating disaster recovery metrics into the NIST EO 13636 Cybersecurity Fr...
Integrating disaster recovery metrics into the NIST EO 13636 Cybersecurity Fr...Integrating disaster recovery metrics into the NIST EO 13636 Cybersecurity Fr...
Integrating disaster recovery metrics into the NIST EO 13636 Cybersecurity Fr...David Sweigert
 
2012 Reenergize the Americas 3B: Ralph Martinez
2012 Reenergize the Americas 3B: Ralph Martinez2012 Reenergize the Americas 3B: Ralph Martinez
2012 Reenergize the Americas 3B: Ralph MartinezReenergize
 
CSO Magazine Confab 2013 Atlanta - Cyber Security
CSO Magazine Confab 2013 Atlanta - Cyber SecurityCSO Magazine Confab 2013 Atlanta - Cyber Security
CSO Magazine Confab 2013 Atlanta - Cyber SecurityPhil Agcaoili
 
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...John Hamilton, DAHC,EHC,CFDAI, CPP, PSPO
 
Standards based security for energy utilities
Standards based security for energy utilitiesStandards based security for energy utilities
Standards based security for energy utilitiesNirmal Thaliyil
 
Cybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond ComplianceCybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond ComplianceEnergySec
 
Top Cyber News Magazine Daniel Ehrenreich
Top Cyber News Magazine Daniel Ehrenreich Top Cyber News Magazine Daniel Ehrenreich
Top Cyber News Magazine Daniel Ehrenreich TopCyberNewsMAGAZINE
 
Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?
Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?
Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?360mnbsu
 

Similar to Advanced Solutions for Critical Infrastructure Protection (20)

Feldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 ComplianceFeldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
 
Malicious Software Prevention for NERC CIP-007 Compliance:
Malicious Software Prevention for NERC CIP-007 Compliance:Malicious Software Prevention for NERC CIP-007 Compliance:
Malicious Software Prevention for NERC CIP-007 Compliance:
 
White paper scada (2)
White paper scada (2)White paper scada (2)
White paper scada (2)
 
Cyber Security Lecture at Rah Rah 7
Cyber Security Lecture at Rah Rah 7Cyber Security Lecture at Rah Rah 7
Cyber Security Lecture at Rah Rah 7
 
The Expanding Web of Cybersecurity Requirements
The Expanding Web of Cybersecurity RequirementsThe Expanding Web of Cybersecurity Requirements
The Expanding Web of Cybersecurity Requirements
 
国际物联网安全标准与认证大解析
国际物联网安全标准与认证大解析国际物联网安全标准与认证大解析
国际物联网安全标准与认证大解析
 
WHITE PAPER - The Importance of CIP in the Energy Sector v2.0.pdf
WHITE PAPER - The Importance of CIP in the Energy Sector v2.0.pdfWHITE PAPER - The Importance of CIP in the Energy Sector v2.0.pdf
WHITE PAPER - The Importance of CIP in the Energy Sector v2.0.pdf
 
An Approach to Closing the Gaps between Physical, Process Control, and Cybers...
An Approach to Closing the Gaps between Physical, Process Control, and Cybers...An Approach to Closing the Gaps between Physical, Process Control, and Cybers...
An Approach to Closing the Gaps between Physical, Process Control, and Cybers...
 
NERC v6.0 for ESM Solution Guide
NERC v6.0 for ESM Solution GuideNERC v6.0 for ESM Solution Guide
NERC v6.0 for ESM Solution Guide
 
Supply Chain Threats to the US Energy Sector
Supply Chain Threats to the US Energy SectorSupply Chain Threats to the US Energy Sector
Supply Chain Threats to the US Energy Sector
 
The Future of Cybersecurity in Energy Sector
The Future of Cybersecurity in Energy Sector The Future of Cybersecurity in Energy Sector
The Future of Cybersecurity in Energy Sector
 
American Bar Assoc. ISC 2009
American Bar Assoc. ISC 2009American Bar Assoc. ISC 2009
American Bar Assoc. ISC 2009
 
Integrating disaster recovery metrics into the NIST EO 13636 Cybersecurity Fr...
Integrating disaster recovery metrics into the NIST EO 13636 Cybersecurity Fr...Integrating disaster recovery metrics into the NIST EO 13636 Cybersecurity Fr...
Integrating disaster recovery metrics into the NIST EO 13636 Cybersecurity Fr...
 
2012 Reenergize the Americas 3B: Ralph Martinez
2012 Reenergize the Americas 3B: Ralph Martinez2012 Reenergize the Americas 3B: Ralph Martinez
2012 Reenergize the Americas 3B: Ralph Martinez
 
CSO Magazine Confab 2013 Atlanta - Cyber Security
CSO Magazine Confab 2013 Atlanta - Cyber SecurityCSO Magazine Confab 2013 Atlanta - Cyber Security
CSO Magazine Confab 2013 Atlanta - Cyber Security
 
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...
 
Standards based security for energy utilities
Standards based security for energy utilitiesStandards based security for energy utilities
Standards based security for energy utilities
 
Cybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond ComplianceCybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond Compliance
 
Top Cyber News Magazine Daniel Ehrenreich
Top Cyber News Magazine Daniel Ehrenreich Top Cyber News Magazine Daniel Ehrenreich
Top Cyber News Magazine Daniel Ehrenreich
 
Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?
Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?
Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?
 

More from Entrust Datacard

INFOGRAPHIC: Switch to SHA-2 SSL Certificates
INFOGRAPHIC: Switch to SHA-2 SSL CertificatesINFOGRAPHIC: Switch to SHA-2 SSL Certificates
INFOGRAPHIC: Switch to SHA-2 SSL CertificatesEntrust Datacard
 
Switch to SHA-2 SSL - A Step-by-Step Migration Guide
Switch to SHA-2 SSL - A Step-by-Step Migration GuideSwitch to SHA-2 SSL - A Step-by-Step Migration Guide
Switch to SHA-2 SSL - A Step-by-Step Migration GuideEntrust Datacard
 
INFOGRAPHIC: Securing the Internet of Things
INFOGRAPHIC: Securing the Internet of ThingsINFOGRAPHIC: Securing the Internet of Things
INFOGRAPHIC: Securing the Internet of ThingsEntrust Datacard
 
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...Entrust Datacard
 
Defeating Man-in-the-Browser Malware
Defeating Man-in-the-Browser MalwareDefeating Man-in-the-Browser Malware
Defeating Man-in-the-Browser MalwareEntrust Datacard
 
Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)
Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)
Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)Entrust Datacard
 
INFOGRAPHIC: Why Did Datacard Group Acquire Security Expert Entrust?
INFOGRAPHIC: Why Did Datacard Group Acquire Security Expert Entrust? INFOGRAPHIC: Why Did Datacard Group Acquire Security Expert Entrust?
INFOGRAPHIC: Why Did Datacard Group Acquire Security Expert Entrust? Entrust Datacard
 
Zero to Dual_EC_DRBG in 30 minutes
Zero to Dual_EC_DRBG in 30 minutesZero to Dual_EC_DRBG in 30 minutes
Zero to Dual_EC_DRBG in 30 minutesEntrust Datacard
 
Easing the Pains of Certificate Management
Easing the Pains of Certificate ManagementEasing the Pains of Certificate Management
Easing the Pains of Certificate ManagementEntrust Datacard
 
Entrust Solutions Portfolio
Entrust Solutions PortfolioEntrust Solutions Portfolio
Entrust Solutions PortfolioEntrust Datacard
 
Entrust Physical & Logical Access Solutions
Entrust Physical & Logical Access SolutionsEntrust Physical & Logical Access Solutions
Entrust Physical & Logical Access SolutionsEntrust Datacard
 
Entrust IdentityGuard Mobile
Entrust IdentityGuard MobileEntrust IdentityGuard Mobile
Entrust IdentityGuard MobileEntrust Datacard
 
Entrust Mobile Security Solutions
Entrust Mobile Security SolutionsEntrust Mobile Security Solutions
Entrust Mobile Security SolutionsEntrust Datacard
 
Entrust Enterprise Authentication
Entrust Enterprise AuthenticationEntrust Enterprise Authentication
Entrust Enterprise AuthenticationEntrust Datacard
 

More from Entrust Datacard (14)

INFOGRAPHIC: Switch to SHA-2 SSL Certificates
INFOGRAPHIC: Switch to SHA-2 SSL CertificatesINFOGRAPHIC: Switch to SHA-2 SSL Certificates
INFOGRAPHIC: Switch to SHA-2 SSL Certificates
 
Switch to SHA-2 SSL - A Step-by-Step Migration Guide
Switch to SHA-2 SSL - A Step-by-Step Migration GuideSwitch to SHA-2 SSL - A Step-by-Step Migration Guide
Switch to SHA-2 SSL - A Step-by-Step Migration Guide
 
INFOGRAPHIC: Securing the Internet of Things
INFOGRAPHIC: Securing the Internet of ThingsINFOGRAPHIC: Securing the Internet of Things
INFOGRAPHIC: Securing the Internet of Things
 
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
 
Defeating Man-in-the-Browser Malware
Defeating Man-in-the-Browser MalwareDefeating Man-in-the-Browser Malware
Defeating Man-in-the-Browser Malware
 
Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)
Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)
Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)
 
INFOGRAPHIC: Why Did Datacard Group Acquire Security Expert Entrust?
INFOGRAPHIC: Why Did Datacard Group Acquire Security Expert Entrust? INFOGRAPHIC: Why Did Datacard Group Acquire Security Expert Entrust?
INFOGRAPHIC: Why Did Datacard Group Acquire Security Expert Entrust?
 
Zero to Dual_EC_DRBG in 30 minutes
Zero to Dual_EC_DRBG in 30 minutesZero to Dual_EC_DRBG in 30 minutes
Zero to Dual_EC_DRBG in 30 minutes
 
Easing the Pains of Certificate Management
Easing the Pains of Certificate ManagementEasing the Pains of Certificate Management
Easing the Pains of Certificate Management
 
Entrust Solutions Portfolio
Entrust Solutions PortfolioEntrust Solutions Portfolio
Entrust Solutions Portfolio
 
Entrust Physical & Logical Access Solutions
Entrust Physical & Logical Access SolutionsEntrust Physical & Logical Access Solutions
Entrust Physical & Logical Access Solutions
 
Entrust IdentityGuard Mobile
Entrust IdentityGuard MobileEntrust IdentityGuard Mobile
Entrust IdentityGuard Mobile
 
Entrust Mobile Security Solutions
Entrust Mobile Security SolutionsEntrust Mobile Security Solutions
Entrust Mobile Security Solutions
 
Entrust Enterprise Authentication
Entrust Enterprise AuthenticationEntrust Enterprise Authentication
Entrust Enterprise Authentication
 

Recently uploaded

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 

Recently uploaded (20)

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 

Advanced Solutions for Critical Infrastructure Protection

  • 1. Advanced Solutions for Critical Infrastructure Protection Complying with the North American Electric Reliability Corporation Critical Infrastructure Protection standards Get this White Paper © Entrust Inc. All Rights Reserved. Entrust Inc. All Rights Reserved. 1 1
  • 2. Contents Introduction ............................................................................................. 3 NERC Critical Infrastructure Protection ............................................... 4 Multifactor Authentication for Physical & Logical Access Control....................................................................... 6 Proven Authentication Solutions for NERC CIP Compliance ...................................................................... 7 Compliance Summary .......................................................................... 12 Entrust — Simplifying NERC CIP Compliance ................................... 14 A Single Integrated Platform ................................................................ 15 Entrust & You ........................................................................................ 18 © Entrust Inc. All Rights Reserved. 2 2
  • 3. Introduction “ An attack on a utility — either through a cyberattack or physical entry to the facility — will have serious ramifications to citizens, causing severe economic damages and life-threatening situations. It is estimated that the destruction from a single wave In fact, recent evidence from the FBI indicates that terrorists are planning of cyberattacks on U.S. critical for such an attack. According to a news release by the U.S. Senate infrastructures could exceed Committee on Homeland Security & Governmental Affairs, “An Al Qaeda $700 billion — the equivalent video calling upon the ‘covert Mujahidin’ to commit ‘electronic jihad’ of 50 major hurricanes hitting demonstrates the rapidly increasing threat of cyber-attack and U.S. soil at once. ” underscores the pressing need for cybersecurity standards for the 1 nation’s most critical networks.” — U.S. Cyber Consequence Unit The committee went on to confirm that terrorist objectives targeting critical infrastructure. “This is the clearest evidence we’ve seen that Al Qaeda and other terrorist groups want to attack the cyber systems of our critical infrastructure,” Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman, ID-Conn., said. “Congress needs to act now to protect the American public from a possible devastating attack on our electric grid, water delivery systems, or financial networks, for example.” This is clear, undeniable evidence for the immediate and ongoing need for advanced security solutions that protect the critical infrastructure managed by both private and government entities. 1 “Senators say video urging electronic jihad underscores need for cybersecurity standards,” U.S. Senate Committee on Homeland Security & Governmental Affairs, May 22, 2012 © Entrust Inc. All Rights Reserved. 3 3
  • 4. NERC Critical Infrastructure Protection Critical Infrastructure In North America, the North American Electric Reliability Corporation Protection: A Global (NERC) created the Critical Infrastructure Protection standards that each Requirement organization must comply with or face fines of up to $1 million per day. While the policies for There are eight individual NERC CIP standards: protection vary around the world, the basic needs  CIP-002 Critical Cyber Assets remain the same: ensure  CIP-003 Security Management Controls only authorized, trusted  CIP-004 Personnel & Training  CIP-005 Electronic Security users are granted access to  CIP-006 Physical Security electronic and physical  CIP-007 Systems Security Management perimeters. We recommend  CIP-008 Incident Reporting & Response Planning a vendor that can take the  CIP-009 Recovery Plans best practices from the NERC CIP standard and apply them to a specific Compliance Definitions critical infrastructure as it makes sense. The compliance process starts with a facilities-wide assessment addressing the requirements outlined in NERC CIP-002 Critical Cyber Asset Identification. CIP-002 outlines definitions and a methodology to be used in defining Critical Assets (CA) and Critical Cyber Assets (CCA). NERC Standard CIP-002 requires that each facility develop a list of CCAs that are essential to the operation of its CA. The NERC CIP Definition for Critical Assets (CA):  “Facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the Bulk Electric System.” The NERC CIP Definition for Critical Cyber Assets (CCA):  “Cyber Assets essential to the reliable operation of Critical Assets.”  The Cyber Asset uses a routable protocol to communicate outside the Electronic Security Perimeter (typically TCP/IP). © Entrust Inc. All Rights Reserved. 4 4
  • 5. The NERC CIP Definition for Electronic Security Perimeter:  CIP-005 defines the Electronic Security Perimeter as the logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled. An access point, as defined by the NERC FAQ, is “any place where electronic traffic crosses the Electronic Security Perimeter.” The NERC CIP Definition for Physical Security Perimeter:  CIP-006 defines the Physical Security Perimeter as the physical, completely enclosed, border surrounding computer rooms, telecommunication rooms, operations centers and other locations in which Critical Cyber Asset are housed and for which access is controlled. “ London 2012 authorities got cyber-attack warning on eve of Games; Security services warned of possible threat against Olympic power supply days before opening ceremony. — The Guardian, August 2012 ” © Entrust Inc. All Rights Reserved. 5 5
  • 6. Multifactor Authentication for Physical & Logical Access Control The Critical Infrastructure Protection standards require that the network be segmented to prevent an attack on one network being spread to the next network, and that strong two-factor authentication be used to ensure only authorized individuals may have physical and logical access to the critical assets. Strong two-factor authentication is utilized for:  Remote access to the networks  Access to the Physical Security Perimeter  Access to the Electronic Security Perimeter  Access to specific Critical Assets Figure 1 A high-level view of secure enterprise and control networks working to protect critical assets. © Entrust Inc. All Rights Reserved. 6 6
  • 7. Proven Authentication Solutions for NERC CIP Compliance Not every authentication solution can help organizations properly comply with NERC CIP standards. Outlined below is how a capable authentication platform should align with the CIP requirements. CIP-004 Revoke Access to CCAs within 24 Hours for Personnel Terminated for Cause, and within 7 Days for Personnel who no Longer Require Access to CCAs When a smart credential is issued or revoked using a strong authentication solution, the Certificate Revocation List (CRL) is instantly updated to deny access to Windows, Macintosh or Unix systems employing smartcard login, or FIPS-201 (PIV) systems using the PKI authentication option. All other authenticators issued, such as OTPs, passwords or grid cards, are also denied any future authentications by sharing a common authentication platform and administration. These approaches are used for situations where the CCA is not smartcard-capable. The authentication platform should be integrated into the enterprise’s human resources system so any change to employee status is automatically acted on to avoid delays and mistakes. CIP-005 The authentication platform should meet the following requirements:  Provide for a range of authenticators, as not all applications support all authenticators  The cost of the strongest authenticator may be too expensive for less-critical systems  If an authenticator should be compromised by a future attack, the switch to the new authenticator needs to occur quickly  The platform should support grid cards and one-time passcodes (OTP), which meet the needs of remote access at a low cost © Entrust Inc. All Rights Reserved. 7 7
  • 8. With the introduction of CIP-007 version 5, the complexity of passwords standardizes on a range between15 to 25 characters, depending on the type of account. Coupled with the need for random characters and frequent password changes, the enterprise should consider the usage of smartcards. This would eliminate the need for passwords and costly password resets. Combining physical access, Microsoft Windows login access and remote access simplifies logistics, management and auditing for the enterprise. For the employee, it means just a single authenticator to carry and a simple PIN to remember. The authentication platform should allow for multiple authenticators for the following purposes.  Easy migration from one authenticator to another, such as one- time passcodes (OTP) to smartcards, at a pace the enterprise can support.  The enterprise applications may only support specific authenticators.  Allow the flexibility of using the best security for a low cost of a specific application. A capable security vendor will use the modern FIPS-201 smartcard standard that allows for interoperability with a wide range of third-party products also compliant to the standard, such as Microsoft Windows 7 and several physical access systems. This approach also ensures the solution is certified by the NIST so the organization is sure the implementation does not have poor quality, security and privacy. Smartcards, when utilized with a secure PIN entry device, is resistant to malware loaded onto the machine. A key-logger cannot steal the PIN to use in a future fraudulent authentication. (Any compromised machine, however, should be immediately removed from the network. In addition, the use of a layered security approach will help defend against attacks that defeat a single solution.) When the card (employee) is not present, access will be denied. Placing the FIPS-201 application on a smartphone allows the range before denying access to be extended up to 80 feet. This is achieved by using near-field communication (NFC) or Bluetooth found on modern smartphones. © Entrust Inc. All Rights Reserved. 8 8
  • 9. CIP-005 Only Authorized Machines Can Access the Electronic Security Perimeter A compliant authentication solution should be able to issue digital certificates to laptops, desktops, servers and mobile devices so that only authorized devices can connect to the network. CIP-006 Physical Access Controls The authentication solution should support physical security in depth by combining the card authentication with a PIN or biometric for high-impact cyber systems, while simultaneously allowing for quick access to low- impact cyber systems. Many of the existing physical access solutions have been compromised over the years, with easy-to-follow, low-cost instructions on the Web. Entrust suggests the migration to more secure physical access standards such as FIPS-201. The NIST FIPS-201 standard is designed specifically for this type of deployment with four types of authentication: 1. Card Holder Unique ID (CHUID) A numerical value representing the employee is digitally signed by the enterprise that issued the card, then stored on the card and transmitted to the reader when the card is energized by the reader. The digital signature prevents an attacker from making their own card from scratch — if they know a valid employee number — because the attacker does not possess the enterprise’s key to sign the CHUID. Any attempt to modify the CHUID will invalidate the signature when checked by the reader. © Entrust Inc. All Rights Reserved. 9 9
  • 10. 2. Card Authentication Key (CAK) The reader will send the card a random challenge. The card digitally signs the challenge with its CAK private key and returns the challenge to the reader. As the private key cannot be taken from the card, the card cannot be cloned. The key cannot be extracted as defined by the FIPS-201 standard and enforced by the chip hardware. The CAK private key is paired with a digital certificate that contains the identity. This certificate states the identity is an anonymous employee of the company. Since there is no privacy to protect, the PIN does not need to be entered. CAK should be used for fast access (no PIN) to a secure location where a specific person’s identity is not required. 3. PKI User This approach uses the same challenge-response process as CAK, but in this case the digital certificate has the employee name in it. As such, to protect privacy and to allow the employee to approve the authentication, the PIN must be entered before the challenge is signed and returned. This approach is used when high security is required, and the enterprise needs to know the specific employee identity. 4. Biometrics The FIPS-201 standard supports two types — IRIS and the more popular fingerprint. The physical access reader requests the previously stored fingerprint from the card. And because it contains private data, the employee must enter their PIN. The biometric is compared within the reader, and if they match the employee is allowed to enter. To prevent the threat of a fraudulent fingerprint, the fingerprint is digitally signed during issuance by the enterprise. The highest security is when the PKI user and the biometric are both required. © Entrust Inc. All Rights Reserved. 10 10
  • 11. CIP-007 Establish an Auditable Workflow for Credential Issuance A proper authentication solution will come with a workflow engine with multiple roles, allowing for independent groups with differing policy requirements and approvals. In the case of a smartcard, an employee can be enrolled by Role_A, the issuance be approved by the senior manager as Role_B, and then the smartcard printed and distributed by Role_C. This separation of duty prevents the issuance of fraudulent authenticators. The authentication solution should have the same workflow regardless of the authenticator type (e.g., a one-time passcode shares the same approvals as a smartcard). Proper workflow allows for the step to perform a background check to be easily added prior to authenticator issuance. To satisfy periodic audits, an advanced solution will issue reports on all issued authenticators, as well as those that are active, along with the archived approvals. No other authenticators will have access to the physical or logical system. The vendor of the authentication solution should proactively provide bulletins of any compromises of the technology put in place as the sophistication of attackers improves over time. This will support the annual NERC compliance audits while protecting assets from attack. © Entrust Inc. All Rights Reserved. 11 11
  • 12. Compliance Summary A capable security vendor should provide an integrated solution for both physical and logical access control, while also allowing for the easy migration from less-secure legacy systems to modern solutions — all without impacting the productivity and uptime of the entire system. The smartcard should simultaneously support both the legacy and modern systems. Figure 2: A cost-effective solution to meet the requirements of CIP-005, CIP-006 and CIP-007 offers a multifunction smartcard with a single platform for issuance, management and revocation. The platform also should allow for quick migration from a compromised authenticator. The solution should be tied into an HR system to control who is issued a credential and what they are authorized to access. © Entrust Inc. All Rights Reserved. 12 12
  • 13. Employees need access to enterprise systems, but not all are smartcard-capable. As such, utility companies require a platform that supports a wide range of authenticators — often with one employee using more than one authenticator. Implement a central location to issue all authenticators and set consistent policies to meet CIP standards. Historically, smartcards were cost-effective, but the logistics of card issuance proved to be complicated. Evolution in technology and critical security investment has made advanced smartcard solutions more realistic — and affordable. Look for a vendor that has the capability to quickly issue temporary credentials that do not negatively affect employee productivity or compromise security. For example, this is important for the situation where the employee has left their credential at home. “ Historically, smartcards were cost-effective, but the logistics of card issuance proved to be complicated. Evolution in technology and critical security investment has made advanced smartcard solutions more realistic — and affordable. ” © Entrust Inc. All Rights Reserved. 13 13
  • 14. Entrust — Simplifying NERC CIP Compliance Entrust's comprehensive management framework serves as an organization's single software-based security platform that bridges emerging technologies for strong mobility, cloud and smart credentialing offerings. By seamlessly integrating co-deployment measures, federation security, advanced APIs and self-service management tools, Entrust strengthens security, maximizes staff efficiency and reduces overall costs. Entrust's flagship authentication solution, Entrust IdentityGuard, continues to lead the industry as one of the most robust software authentication platforms, delivering an unmatched breadth of capabilities and flexibility to meet the most demanding security environments. The solution enables organizations to layer security — according to access requirements or the risk of a given transaction — across diverse users and applications. Entrust's authentication capabilities include smartcards and USB tokens, soft tokens, grid cards and eGrids, IP-geolocation, questions and answers, mobile smart credentials, out-of-band one-time passcode (delivered via voice, SMS or email), biometrics, and a range of one-time- passcode tokens. © Entrust Inc. All Rights Reserved. 14 14
  • 15. A Single Integrated Platform Compliance to NERC CIP calls for a truly integrated physical and logical solution that’s compatible with both legacy and modern systems. Entrust IdentityGuard may be deployed as an easy-to-use, fully integrated in-house solution, or as a managed service where card issuance is managed offsite and delivered to the utility organization as a service. Entrust IdentityGuard issuance-approval workflow, along with the related logs, will serve as evidence for CIP audits to prove compliance. Secure Remote Access Aligning with Entrust’s aforementioned suggestions for CIP compliance, Entrust IdentityGuard issues both one-time passcodes and smartcards for authentication. Entrust smartcards are FIPS 201-compliant, allowing for seamless interoperability with the most popular third-party products also compliant to the standard. Using an optional CodeBench ID-Sync module, all Entrust IdentityGuard physical access systems are instantly notified of card revocation, which stops any further access. Optionally, the Entrust IdentityGuard credential creation/revocation capability may be integrated with the corporate identity management solution through an easy-to-use Web services API. When a person joins or leaves the enterprise, all systems are instantly and automatically made aware, meeting the 24-hour CIP requirement, and removing the chance of human error. © Entrust Inc. All Rights Reserved. 15 15
  • 16. Smartcard Issuance & Interoperability Entrust IdentityGuard not only integrates with both card-issuance and physical access control, but Entrust tests a wide variety of physical access equipment to ensure expertise in what systems are more secure, and which systems are interoperable with each other. Unlike an OTP, the private key representing the employee is only stored on the Entrust IdentityGuard-issued smartcard and cannot be stolen off the device and used to create a duplicate or cloned identity card. It is protected by sophisticated hardware controls. Figure 3: Entrust IdentityGuard serves as a utility company’s comprehensive smartcard issuance and management solution for NERC CIP compliance. © Entrust Inc. All Rights Reserved. 16 16
  • 17. Entrust IdentityGuard also leverages near-field communication (NFC) or Bluetooth standards found on modern smartphones. This capability only requires each employee carry one device, enables remote issuance of a strong authenticator, and allows control over the distance an employee must be from a cyber-asset before being logged off. The Entrust solution makes compliance as simple as printing a card then distributing it to an employee. The smartcard is ready to use by simply inserting it into the computer. For more sensitive assets, the Entrust solution can require a biometric (in addition to the card itself) and a PIN. Authorizing Machines & Devices Entrust IdentityGuard issues digital certificates to laptops, desktops, servers, machines and mobile devices so that only authorized devices may connect to the network. Entrust IdentityGuard also possess an authentication API that may be integrated with cyber-asset systems. The API utilizes industry standards, Web services, SAML and Radius protocols. Figure 4: An overview outlining how Entrust IdentityGuard authenticates users while concurrently serving as a comprehensive card management solution. © Entrust Inc. All Rights Reserved. 17 17
  • 18. Entrust & You More than ever, Entrust understands your organization’s security pain Company Facts points. Whether it’s the protection of information, securing online Website: www.entrust.com customers, regulatory compliance or large-scale government projects, Employees: 359 Customers: 5,000 Entrust provides identity-based security solutions that are not only Offices: 10 Globally proven in real-world environments, but cost-effective in today’s uncertain economic climate. Headquarters Entrust secures governments, enterprises and financial institutions in Three Lincoln Centre more than 5,000 organizations spanning 85 countries. Entrust’s award- 5430 LBJ Freeway, Suite 1250 Dallas, Texas 75240 winning software authentication platforms manage today’s most secure identity credentials, addressing customer pain points for cloud and Sales mobile security, physical and logical access, citizen eID initiatives, certificate management and SSL. North America: 1-888-690-2424 EMEA: +44 (0) 118 953 3000 For more information about Entrust products and services, call Email: entrust@entrust.com 888-690-2424, email entrust@entrust.com or visit entrust.com. 24588/8-12 © Entrust Inc. All Rights Reserved. 18 18