Six Keys to Securing Critical Infrastructure and NERC Compliance



With the computer systems and networks of electric, natural gas, and water distribution systems now connected to the Internet, the nation’s critical infrastructure is more vulnerable to attack. A recent Wall Street Journal article stated that many utility IT environments have already been breached by spies, terrorists, and hostile countries, often leaving bits of code behind that could be used against critical infrastructure during times of hostility. The U.S. Cyber Consequence Unit declared that the cost of such an attack could be substantial: “It is estimated that the destruction from a single wave of cyber attacks on U.S. critical infrastructures could exceed $700 billion USD - the equivalent of 50 major hurricanes hitting U.S. soil at once.”

Vulnerability and exposure of utilities’ critical infrastructures originate in the Supervisory Control and Data Acquisition (SCADA) and Distribution Automation (DA) systems that communicate with and control devices on utility grids and distribution systems. Many of these systems have been in operation for years (sometimes for decades) and were not designed with security in mind. Regulatory bodies have recognized the many security issues facing critical infrastructure and have begun to establish and enforce requirements in an attempt to shore up potential exposures. One such regulation is NERC CIP, which includes eight reliability standards consisting of 160 requirements that electric and power companies must address. As of July 1, 2010, these companies must be “auditably compliant” or risk a fine of $1 million per day, per CIP violation.

In this roundtable discussion, we will highlight:
• The security challenges facing utilities today
• The six critical elements to achieving economical NERC CIP compliance
• How utilities can secure critical infrastructure in today’s networked environment

© Copyright 2008 Lumension Security
Open Compliance & Ethics Group, 06/28/10, (c) 2007 OCEG

    1. Six Keys to Securing Critical Infrastructure and NERC Compliance
    2. Today’s Agenda
       • Security and Compliance Challenges Related to Protecting Critical Infrastructure
       • Six Critical Elements to Achieve Economies in Securing Critical Infrastructure and Compliance
       • Panel Discussion and Q&A
    3. Today’s Speakers
       • Chris Merritt, Director of Solution Marketing, Lumension
       • Michael Rasmussen, Risk & Compliance Advisor, Corporate Integrity, LLC
       • Paul Henry, Security & Forensics Analyst (MCP+I, MCSE, CCSA, CCSE, CFSA, CFSO, CISSP-ISSAP, CISM, CISA, CIFI, CCE)
    4. Critical Infrastructure: Security and Compliance Demands
    5. Utilities Burdened by Critical Infrastructure Protection (CIP) Demands
       • Increasing pressure for accountability is bearing down from several angles, forcing utilities to rethink their approach to CIP.
       • An increasingly interconnected world means utilities must consider:
         - Emissions and global warming concerns,
         - Corporate social responsibility,
         - Capacity and future sustainability of power, and
         - Protection of critical infrastructure.
       • Supervisory Control and Data Acquisition (SCADA) and Distribution Automation (DA) systems have been in operation for years.
         - These systems were not designed with security in mind.
         - As utilities interconnect to the Internet and other systems, exposure grows exponentially.
    6. CIP & Compliance Mandates on Utilities
       • NERC established eight CIP reliability standards, containing 160+ requirements to protect the critical infrastructure of electric utilities.
         - Compliance includes regular management & monitoring, with preparedness audits.
         - As of July 1, 2010 these utilities face the next step in being auditably compliant.
       • Other related and often overlapping security requirements impact utilities (even those not facing NERC CIP compliance), such as:
         - FTC Red Flags Rule
         - Payment Card Industry Data Security Standard (PCI DSS)
         - State mandatory disclosure laws (for example, in Massachusetts and California)
         - Sarbanes-Oxley (SOX)
       • Achieving economies requires implementing an infrastructure for managing and monitoring compliance that crosses multiple mandates.
    7. A Grim View of the Current State… (chart; source: Open Compliance & Ethics Group)
    8. Critical Elements to Achieve Economies in CIP & Compliance
       • CIP requirements and other compliance mandates are not trivial. Utilities are burdened by:
         - Increased connectivity of critical infrastructure
         - Non-stop operations in a dynamic business environment
         - Standardized technology architecture
         - Shortage of resources
       • Best practices require that utilities approach compliance and the protection of critical infrastructure as related processes and controls.
       • An economical approach to NERC CIP and other mandates requires:
         - Centralized visibility across controls in IT systems and processes,
         - Automation of enforcement and monitoring,
         - Collaboration across IT roles and the business, and
         - Adoption of an integrated risk-based view of compliance.
    9. Big Picture of Compliance (diagram; source: Open Compliance & Ethics Group)
       • OBJECTIVES: strategic, operational, customer, process, and compliance objectives
       • BUSINESS MODEL: strategy, people, process, technology, and infrastructure in place to drive toward objectives
       • MANDATED BOUNDARY: boundary established by external forces, including laws, government regulation, and other mandates
       • VOLUNTARY BOUNDARY: boundary defined by management, including public commitments, organizational values, contractual obligations, and other voluntary policies
       • Surrounding the model: OPPORTUNITIES and OBSTACLES
    11. Efficient, Effective & Responsive CIP
    12. 6 Key Elements to Achieve Economies in CIP & Compliance
    13. 6 Keys to Economical CIP
    14. 1 - Agility
        • Utilities need a sustainable process and infrastructure for protecting critical infrastructure and related processes, including:
          - Full discovery of the utility’s IT environment, critical infrastructure, and technology assets, including:
            * Automatic assessment of the environment and the devices that connect to it, to maintain the asset inventory required for compliance.
            * Automated IT risk assessment that provides structure around the process of collecting scores and evidence for compliance controls, so utilities can demonstrate auditable compliance at any point in time.
            * Policy enforcement of software updates, security patches, and standardized configurations to maintain adequate protection of critical infrastructure.
            * Flexibility to handle the unique needs and requirements common in utilities and their IT environment.
            * The ability to track access to critical infrastructure cyber assets — who accessed it, when, and where.
    15. 2 - Consistency
        • Utilities need a consistent approach to security and compliance, achieved through streamlined workflows and process management capabilities that ensure:
          - Comprehensive inventory and management of regulated systems (such as critical infrastructure), to:
            * Deliver visibility of both physical and IT environments from one consolidated console.
            * Manage an IT asset repository covering all resource types: applications, databases, servers, networks, data centers, people, and processes across the utility.
          - Continuously monitored compliance and IT risk postures that establish a mandatory baseline policy all systems must meet.
          - Established policies based on best practices, with pre-configured checks and elements that can be added and modified based on specific security needs.
          - The ability to add, create, define, edit, and import/export security configurations and checklists.
          - Common controls for the various regulations and mandates that affect the utility, cross-referenced and normalized into a single control.
    16. 3 - Efficiency
        • Ensuring protection of critical infrastructure and compliance with mandates can be burdensome, requiring a process and solution to manage documentation, tasks, reporting, and monitoring of requirements. Operational efficiency can be achieved by:
          - Addressing multiple compliance reporting needs through a single solution.
          - Maximum policy flexibility with automated enforcement, saving IT staff time and effort.
          - Combining standard configuration checklists from vetted utility industry sources with a repository of software vulnerabilities that delivers the context needed to remediate errors properly.
          - Automatic risk profile analysis that saves time over manual risk analysis practices.
    17. 4 - Transparency
        • Compliance within utilities requires transparency in reporting across enterprise systems, IT networks, and extended business relationships. This includes:
          - Harmonizing compliance controls across a range of mandates (such as NERC CIP, PCI DSS, Red Flags Rule, and SOX).
          - Viewing IT risk holistically across multiple information systems, processes, and departments, by:
            * Collecting device, security, and configuration information to provide consolidated visibility for system owners.
            * Providing a global view of vulnerability status for all utility cyber assets, with an at-a-glance understanding of risk and system status.
          - Documenting changes and demonstrating progress toward audit and compliance requirements.
    18. 5 - Accountability
        • The utility is ultimately accountable for compliance and the security of critical infrastructure, even across extended business relationships, communications, and systems. Accountability requires:
          - Complete CIP status and visibility, which includes:
            * A complete view of overall compliance that drills down into specific assets, requirements, and organizational systems and processes.
            * Constant audit readiness through automated collection and centralization of security configuration and vulnerability assessment results.
            * Workflow-based surveys to ensure understanding, training, and assessment of CIP controls.
            * Stakeholder surveys to determine the business impact of a risk scenario that compromises the confidentiality, integrity, or availability of critical infrastructure.
            * Risk-based analysis of the IT posture that lets the organization drill down on suspicious behavior for further investigation.
            * Information-system and role-based reporting and administration.
          - Comprehensive reporting to organization management and authorities at a moment’s notice.
    19. 6 - Security
        • A primary concern for utilities today is protection of critical infrastructure. Security oversight aims to understand and model the various unauthorized or inadvertent CIP exposures, and their likelihoods and impacts. Specific security economies are achieved through:
          - Identification of controls that enhance CIP while meeting compliance requirements.
          - Security policy enforcement:
            * In-depth assessment of vulnerabilities, patch status, security configurations, installed software, and hardware inventory.
            * Vulnerability audits and remediation across software and endpoints.
            * Automated enforcement of malware protection, endpoint control, and security.
            * Timely response to issues and visibility across the organization’s information systems environment.
          - Continuous monitoring and enforcement of security — particularly when new people (access), information, processes, and technology assets are added.
    20. Utility Infrastructure Security & Compliance Platform Requirements
        • Utilities should implement processes and corresponding technologies that bring economies and efficiency to CIP, including:
          - Discovering, inventorying, and categorizing information systems
          - Monitoring vulnerability exposure and the state of CIP
          - Remediating and maintaining compliance with CIP requirements
          - Managing security configurations and critical infrastructure protection across all endpoints
          - Controlling removable device use and enforcing data encryption
          - Streamlining overlapping technical and procedural controls across CIP requirements
          - Maintaining trusted application use on critical infrastructure assets
          - Enforcing compliance with evolving requirements
          - Enabling reporting and monitoring of CIP
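Slides 15 and 17 describe writing each compliance check once as a normalized control and cross-referencing it to every mandate it satisfies, so that one evaluation pass yields a per-mandate status. The following is an added illustration, not code from the webinar or from Lumension: the mandate names come from slide 6, while the control identifiers, thresholds, requirement labels (placeholders, not real clause numbers) and the asset inventory are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Asset:
    name: str
    days_since_patch: int          # constructed: age of the oldest missing patch
    malware_protection: bool
    removable_media_blocked: bool


@dataclass
class Control:
    check: Callable[[Asset], bool]
    mandates: Dict[str, str]       # mandate -> requirement label (placeholders)


# Each technical check is written once, then mapped to every mandate it serves.
CONTROLS: Dict[str, Control] = {
    "patch-age-30d": Control(lambda a: a.days_since_patch <= 30,
                             {"NERC CIP": "<cip-patch-req>", "PCI DSS": "<pci-patch-req>"}),
    "malware-protection": Control(lambda a: a.malware_protection,
                                  {"NERC CIP": "<cip-malware-req>", "PCI DSS": "<pci-av-req>"}),
    "removable-media": Control(lambda a: a.removable_media_blocked,
                               {"NERC CIP": "<cip-media-req>", "SOX": "<sox-itgc-req>"}),
}

Finding = Tuple[str, str, str, bool]   # (asset, control id, requirement label, passed)


def evaluate(assets: List[Asset]) -> Dict[str, List[Finding]]:
    """Run every control once per asset and file the result under each mapped mandate."""
    report: Dict[str, List[Finding]] = {}
    for asset in assets:
        for ctrl_id, ctrl in CONTROLS.items():
            passed = ctrl.check(asset)
            for mandate, req in ctrl.mandates.items():
                report.setdefault(mandate, []).append((asset.name, ctrl_id, req, passed))
    return report


def failures(report: Dict[str, List[Finding]], mandate: str) -> List[Tuple[str, str]]:
    """(asset, requirement) pairs failing under one mandate; an empty list means compliant."""
    return [(a, r) for a, _, r, ok in report.get(mandate, []) if not ok]


# Constructed sample inventory; these are not real utility assets.
SAMPLE = [
    Asset("hmi-01", days_since_patch=12, malware_protection=True, removable_media_blocked=True),
    Asset("historian-02", days_since_patch=95, malware_protection=True, removable_media_blocked=False),
]

if __name__ == "__main__":
    rep = evaluate(SAMPLE)
    for mandate in sorted(rep):
        print(mandate, failures(rep, mandate) or "compliant")
```

The same failing patch on historian-02 surfaces once under NERC CIP and once under PCI DSS without a second check being written, which is the economy the slides are describing.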
    21. Panel Discussion and Q&A
    22. Today’s Speakers
        • Chris Merritt, Director of Solution Marketing, Lumension
        • Michael Rasmussen, Risk & Compliance Advisor, Corporate Integrity, LLC
        • Paul Henry, Security & Forensics Analyst (MCP+I, MCSE, CCSA, CCSE, CFSA, CFSO, CISSP-ISSAP, CISM, CISA, CIFI, CCE)
    23. Conclusion
    24. Resources and Tools
        • Whitepapers
          - 6 Critical Elements to Achieving Economical NERC CIP Compliance
          - Enterprise Security: Moving Beyond AV
          - Shift Happens: The Evolution of Application Whitelisting
          - and a host of other whitepapers
        • Other Resources
          - Podcasts, Videos, Webcasts
          - On-Demand Demos
          - eBooks
        • Premium Security Tools
          - Scanners
        • Product Software Evaluations
          - Virtual Environment
          - Full Software Download
    25. Global Headquarters
        • 8660 East Hartford Drive, Suite 300
        • Scottsdale, AZ 85255
        • 1.888.725.7828
        • [email_address]