The Federal Energy Regulatory Commission (FERC) will likely soon approve version 4 of the North American Electricity Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Cyber Security Standards. The new standards replace the traditional risk-based approach of identifying critical cyber assets with more prescriptive Bright Line criteria. How can those subject to the NERC CIPs comply with these new criteria and adopt them in a way that balances their business needs and risks? In addition, how does the adoption and spread of the smart grid impact business practices, privacy issues, threats, vulnerabilities and the need for security controls?
In this webcast, Paul Reymann, security and compliance expert and CEO of ReymannGroup, joins Jim Stanton, Senior Energy Consultant at ReymannGroup, to address those questions and specifically discuss:
How operational characteristics of each asset help determine the security and reliability controls required.
The potential risk of adopting a prescriptive controls model that is tied to the bright-line criteria.
The current struggles between FERC, NERC, and the industry around updating the standards.
Possible future scenarios and legal implications of a new regulatory structure that might improve the process.
The pros and cons of the evolution of the smart grid.
So tune in and learn how to prepare for the latest version of the NERC CIP standards, and discover what changes may be coming for the complex regulatory structure that surrounds it.
NERC CIP Cyber Security Standards V4 – Is it getting better or worse?
1. NERC CIP Cyber Security Standards V4: Is it getting better or worse?
Join the conversation: #CIPv4Webcast
2. NERC CIP Cyber Security Standards V4 – Is it getting better or worse?
3. We will cover:
• The New Prescriptive Bright-line Criteria
• Struggles between FERC, NERC, & Industry
• Practices for Security, Reliability, and Compliance
• Smart Grid Evolution Benefits & Challenges
• Visibility, Intelligence, and Automation are Key
4. Energy’s Inverted Security Model: One Big Network, Open to Cyber-Threats
6. CIP Version 4 Vetting Process
Industry Approval
• Majority vote of the Ballot Pool of Registered Ballot Body participants.
NERC Approval
• NERC Board of Trustees.
• Dissenting & minority positions highlighted with the drafting team’s and NERC staff’s comments.
FERC Approval
• Elect to approve as written;
• Approve conditionally; or
• Reject the standards.
FERC NOPR
• Opportunity for industry to file comments.
• Comments addressed in the Final Rule.
7. Potential FERC Timeline Scenario
• Day 0: NOPR published in the Federal Register.
• Day 30: Industry comments due.
• Day 120: Final Order published in the Federal Register.
• Day 150: Effective date.
• Plus 24 months per the NERC proposed implementation plan.
8. CIP Version 4 Bright-line Criteria
Bright-line Criteria
• Risk-based Assessment is Out.
• Prescriptive Criteria to Define Criticality of Assets is In.
Examples
• 1500 MW Generators.
• Transmission Facilities at 500 kV or Higher.
• Reliability Coordinator Control Centers.
Implementation Plan
• Required.
• Identify Compliance Milestones.
• Follow Specific Criteria.
9. Next Practices for Security, Reliability, & Compliance
• Identify All Assets
• Categorize All Assets with Prescriptive Bright-line Criteria
• Risk Assessment
• Prescriptive Controls: “What to do”
• Business Decision: “How to implement controls”
• Validate Security Controls
• Document All Steps & Corrective Actions
• Collect & Retain Data to Identify & Respond to Incidents
• Continuously Manage & Monitor Security
10. Smart Grid Evolution – Benefits & Challenges
Benefits:
• Consumer Participation
• Enables New Products, Services, & Markets
• Optimize Asset Utilization & Efficiency
• Provides Quality Power for Digital Economy
• Proactive Response to System Disturbances
• Accommodates all generation & storage options
Rethink:
• Business Practices
• Privacy Issues
• Threats & Vulnerabilities
• Security Controls
11. How do you get started?
Visibility, Intelligence, Automation
14. What Needs To Change?
15. Tripwire Solutions for NERC
Change auditing, configuration control, and log management for SCADA and other mission critical systems; monitor and review logs on a number of different platforms:
• AIX PowerPC 5.3 systems
• HP-UX (PA-RISC) v11 systems
• Red Hat Linux
• Solaris SPARC
• SuSE Linux systems
• Windows 2003 servers
• Win XP Desktops
• Windows 2003 and Active Directory domain controllers
• Windows Server 2000
16. Tripwire and Relevant CIPs
Critical Cyber Asset Identification
Security Management Controls
Electronic Security Perimeters
Systems Security Management
21. • Summarizes key points
• Describes the effect of CIP compliance vs. noncompliance
• Offers a Due Diligence Checklist
• Complimentary copy
22. Questions
Paul Reymann, (410) 956-7336, paul@reymanngroup.com
James Stanton, (410) 956-7334, jim@reymanngroup.com
Cindy Valladares, cvalladares@tripwire.com, Twitter: @cindyv
Because companies are still having so many problems, more prescriptive guidance and stronger compliance ensue.
Attacks are more real than ever; Stuxnet as an example. Industry is running as fast as possible to a “hardened shell” strategy. The blind side is not working – it’s the server and the data.
Two problems:
• The technical solution – harden from the inside out.
• Getting people to acknowledge this as a better way and begin to adopt this new approach.
Where are we? A battle between configurations and events + perimeter. David vs. Goliath.
• Security industry: events and perimeter.
• Emerging compliance mandates: configurations.
• Compliance: configurations.
• Verizon: configurations.
• SANS: configurations.
• Federal government: configurations and monitoring.
Organizations are getting a false sense of security, because they are investing in reactive controls but not getting the benefit of their investment. We are at an inflection point. Our focus is on hardening and defending the server. Standards can’t evolve fast enough, and no single compliance requirement will be enough.
Hardened shell – embrace and extend: embrace and extend the hard shell. The hard shell is necessary but not sufficient. Inside-out strategy.
• Leverage compliance to proactively get ahead of threats.
• Deliver context others cannot.
• Demonstrate the value of your compliance and security investment.
Simply Compliant. More Secure.
• Simplify IT compliance and security.
• Shorten the time to detect IT risk.
• Reduce our customers’ costs.
Tripwire VIA delivers intelligent threat control by providing:
• Visibility across your infrastructure to know what is happening at all times.
• Intelligence to know which changes or events are suspect and may put your infrastructure and data at risk of compromise.
• Automation to help you categorize high-risk changes and events, remediate certain conditions, and automate compliance requirements such as reporting.