NERC Critical Infrastructure Protection (CIP) and Security for Field Devices

  1. NERC Critical Infrastructure Protection (CIP) and Security for Field Devices – Compliance principles and requirements. Make the most of your energy (SM)
  2. Summary

     Executive Summary ....................................... p 1
     Introduction ............................................ p 2
     Understanding CIP objectives ............................ p 4
     Core Security Principles ................................ p 5
     NERC CIP technical control guidelines ................... p 6
     Finding your compliance solution ........................ p 10
     Conclusion .............................................. p 11
  3. Executive summary

     The North American Electric Reliability Corporation (NERC) maintains a set of Critical Infrastructure Protection (CIP) guidelines that address a broad range of critical cyber asset and cyber security issues. These guidelines describe the security-focused procedures that, in combination with compliant technology, enable secure electric grid operations. The CIP guidelines do not specify the technologies that must be deployed. Instead, they describe the technology design necessary to build an information management architecture that complies with security goals.

     These goals include the minimizing of administrative authorization needed for operational functions. Rights and privileges are to be assigned to a functional role, not a named individual. Audit trails of field data device and substation activity, similar to control room auditability, must be maintained to assure comprehensive confidence in data and controls.

     The six CIP guidelines summarized in the paper speak to the procedures and policies that are vital to critical cyber asset security – personnel authorizations; personnel training; security of the information management system’s electronic perimeter; security of the information management system’s physical assets; operational security; and incident reporting and response planning.

     The utility builds its CIP-compliant program with defined procedures addressing these guidelines, coupled with the hardware and software that enable full implementation of these procedures. Training of all personnel is necessary for effective and efficient compliance.

     White paper | 01
  4. Introduction

     In this paper, we target ‘the myth of compliance.’

     While the term ‘compliant’ most often refers to products – the software and devices deployed in daily field operations of the electric grid – we at Telvent see security compliance as a ‘process.’ Through our extensive experience working with critical infrastructure asset owners, vendors and regulatory agencies, we know full compliance is achieved only when compliant hardware and software is complemented by information management procedures reflecting strong security principles.

     Here, we discuss in general how consistent NERC Critical Infrastructure Protection (CIP) compliance reflects best security practices combining:
     • Core security principles
     • Technical controls defined by CIP guidelines
     • A strong level of discipline within the user organization and its vendor organizations
  6. Understanding CIP objectives

     What CIP does. CIP provides general security guidance toward achieving the minimal level of security required for safe and secure operations.

     What CIP does not do. CIP does not prescribe or specify the technologies to be deployed to meet secure operational goals. It defines objectives, not how the user must achieve them. With the responsibility of meeting secure operations objectives, the user also has the choice of which technology will best serve its needs in meeting those objectives.

     CIP covers both technical and operational compliance. It is the combination of compliant technology and security-focused procedures that enable CIP-compliant operations; see Figure 1.

     In this way, CIP challenges asset owners to consider security a ‘holistic’ issue that actively targets not only system design and installation but also daily processes. Compliant technology establishes a minimal level of authentication, authorization and auditability. The asset owner must actively build on that compliance foundation to realize a strong security culture within the organization.

     (Figure 1 diagram labels: Compliance-Capable Hardware; Secure Configuration; CIP Compliant Devices; CIP Compliant Processes; Training; CIP Compliant Operations.)

     Figure 1. Technology, in and of itself, does not impart CIP compliance. Rather, the user must build a program that assures its compliant technology is deployed and operated to create the level of security required to achieve compliance.
  7. Core Security Principles

     Let’s review the security principles that are fundamental in molding a CIP-compliant information management architecture:

     Principle of Least Privilege (PoLP). This principle describes the technology design – the design of applications and field devices – that allows operation with the minimum amount of administrative authorization. A granular-access approach to operational control limits authority to each employee’s functions; any control authorized beyond defined operational functions invites errors that could have inadvertent, far-reaching impact – and even invite malicious abuse.

     While many legacy systems might not accommodate highly granular access, newer technology is being designed to meet this criterion.

     Role-based Access Controls (RbAC). Rights and privileges associated with any network device are assigned to an administrative role or job duty, rather than to a named individual. This approach allows individuals to move in and out of roles within the organization without complicated re-definition of that person’s authorization, supporting continuous compliance and limiting authorization errors. It also supports the centralized management essential in an efficient, integrated network.

     Audit trails. While maintaining audit trail capability is familiar in the control room, CIP compliance extends this concept to operation of field devices. By maintaining an awareness of field data activity and changes at the device and substation level, the user can integrate that data into centralized control with confidence. The intent is to not only provide the means for documenting system management in the recent past but to also enable real-time assessment of whether the CIP controls in place are appropriate – doing their job and meeting compliance goals.

     Sidebar: Information management key for security – and more

     Reliable information management serves critical infrastructure security by –
     • Maintaining infrastructure availability – preventing acts, intentional or accidental, from interrupting operations
     • Preserving data integrity – to support the quality of operational decision-making as well as meet regulatory/auditing scrutiny

     The robust information management system also can enforce data confidentiality, allowing it to be used for:
     • Accounting purposes
     • Business-critical processes
     • Customer consumption

     With compliant information management architecture, the asset owner will:
     • Know and control who is allowed to access the system
     • Know and control what each individual is allowed to do on the system
     • Know and control what can be done by an individual based on where the individual is accessing the system
     • Know what each individual has done on the system
     • Prevent access to critical assets from any location where any of the above situations is not true
  8. NERC CIP technical control guidelines

     The NERC CIP document addresses a broad range of Critical Cyber Asset (CCA) and Cyber Security issues; here, we very briefly review six of the CIP guidelines that apply to operation of electric network field devices; also see Table 1. The full text of the NERC CIP standard can be found at http://www.nerc.com.

     CIP-003 Security Management Controls describes the development of a cyber security policy and documentation of that policy in a way that it can be updated and that all staff is aware of the policy. It discusses management of personnel who have access to the CCAs and identification of users with different privileges, roles and responsibilities.
     • The user will want to look for hardware that can be configured to allow a specific ID for each user and for addition and deletion of privileged users and for users with different levels of access. Hardware that documents not only access but also documents details of functions performed during the access is a big advantage; this downloadable User Log will provide an audit trail for CIP compliance.

     CIP-004 Personnel and Training identifies the personnel training and awareness recommended for supporting security-related operations and procedures. It cites CCA user identification lists that are reviewed periodically and can be modified to change both users and user privileges.
     • Devices that accept addition or deletion of users and/or privileges remotely allow updates quickly and keep functionalities accurately maintained.

     CIP-005 Electronic Security Perimeter(s) deals with identification and protection of ESP access points and communications. In some places, this CIP guideline uses vaguely worded phrases such as “where technically feasible”; this wording makes it difficult for the organization to fully understand requirements.

     While encryption is not identified specifically as a guideline for ESP access, CIP-005 does speak to:
     • Security of dial-up access – unclear if having a password and User Name to access constitutes ‘secure.’ Use of a ‘call back’ modem or a SCADA-controlled relay that is closed for access and opened when not needed provides adequate security.
       - An alternative to dial-up connection is the Ethernet strategy, providing the IT tunnel that eliminates a dial-up channel. Another plus: with employees equipped with cell phones, replacing dial-up access also eliminates any need for a phone line into the substation.

     Sidebar: About NERC

     The North American Electric Reliability Corporation (NERC) is an international regulatory authority established to evaluate reliability of the bulk power system in North America. NERC develops and enforces Reliability Standards; assesses adequacy annually via ten-year forecasts and winter and summer forecasts; monitors the bulk power system; and educates, trains, and certifies industry personnel. NERC is the electric reliability organization for North America, subject to oversight by the U.S. Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada. For more information, visit http://www.nerc.com
  9. (CIP-005, continued)

     • Access denied by default – access requires password, and password changeability
     • Enabling and disabling ports or functions deemed not needed – at the most basic level, a firewall capability serves this purpose
     • Appropriate-use banner – in our opinion, most likely a legal shield
     • Monitoring, logging and warnings for user access or attempted access – simple if the device has alarm generation and logging ability, most useful if alarm alert is in real time
       - Consider hardware that generates an alarm each time a user logs in to initiate automatic user validation by SCADA or other means. IP Tunnel capability eliminates dial-up access, and IP filter capability adds an additional layer of security.

     CIP-006 Physical Security discusses physical accessibility to equipment, including:
     • Mounting equipment in lockable enclosures
     • Remote control of locks
     • Access alarms indicating a door or gate is open
     • Card keys, video cameras, etc.
     • User logged in and failed login attempts
       - Devices that can integrate card keys and/or video initiation with access alarms enhance security of the physical perimeter.

     Table 1. Summary of CIP Issues
     (columns: Requirement | NERC CIP Standard | Compliant hardware capabilities)

     User Access | CIP-004, CIP-005, CIP-007
       • Individual user accounts/passwords
       • Privileges defined on a per-user basis
       • Strong passwords supported
       • Passwords hidden when entered

     Access Control | CIP-003, CIP-005, CIP-004
       • Passwords can be managed from central location
       • Multiple admin-type accounts can be configured
       • User Log, IP Filter list

     Electronic Security Perimeter | CIP-005, CIP-003, CIP-007
       • Elimination of dial-up access with use of IP tunnel
       • Appropriate banner usage
       • Electronic access logged; can be monitored and alarmed
       • Port data paths configurable
       • SSL / SSH LAN

     Logging of Access and Usage | CIP-003, CIP-004, CIP-007, CIP-008
       • Every access attempt logged
       • Resets logged
       • User changes logged
       • Time-tagged events logged

     Personnel termination/privilege changes | CIP-004, CIP-007
       • User accounts revocable by administrator
       • User accounts ‘downgradable’ to lower level of authority

     Security Software Management | CIP-007
       • All software upgrades available for real-time updates
       • Non-Windows-based OS

     Alerts and Notifications | CIP-005, CIP-007, CIP-008
       • Every access attempt logged
       • Access notification alarms available to SCADA
  10. CIP-007 Systems Security Management

     CIP-007 Systems Security Management deals with operating issues such as security patches, virus protection, vendor releases and event logging. References to device security reinforce CIP-005 concepts:
     • Ability to enable or disable unused or unneeded ports and services – or compensating factor that will mitigate risk, such as physical security
     • Security patches and firmware upgrades
     • Anti-virus and malware protection – driven by the operating system
       - Merely due to the widespread deployment of the Windows® operating system, the use of a non-Windows OS might reduce the possibility of targeted attack. Devices that operate on a non-Windows OS might be inherently immune to typical virus and malware threats and less likely to be targeted by hackers or persons intent on causing harm. In any case, user login monitors and alarms and use of discrete passwords minimize risk.
     • Individual, not shared, accounts – as mentioned in CIP-003 controls, privileges should be defined on a per-role basis
       - Logs and audit trails – login and failed login attempts generate mappable alarm indications
     • Any access requires valid, strong password
       - Devices that support centralized password management facilitate the requirement for password control.

     Sidebar: The Electronic Security Perimeter

     The majority of ‘surface area of the ESP’ involves field device hardware; see Figure 2. For this reason, the technical security controls defined by CIP focus on control of access and communication of field devices.

     (Figure 2 diagram labels, ordered by increasing Security Risk/Surface Area: Enterprise Infrastructure; Business Support; Control System; Comms; Data Gathering/Substations; Field Devices, with the ESP drawn around the field-device end.)

     Figure 2. Proper device configuration is a key step in CIP compliance.
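As an added illustration (not code from the paper or from Telvent/Schneider Electric), the following Python ties together the access-control and audit points made in the Core Security Principles sidebar (know and control who, what, and from where; know what each individual has done; deny access where any of these is not true) and the CIP-005/CIP-007 points above about logging every access attempt and raising failed-login alarms to SCADA. The roles, locations, user names and the device name RTU-7 are constructed sample values.

```python
"""Role/location-based authorization with a time-tagged audit trail and SCADA-style alarms."""
from datetime import datetime, timezone

# Privileges belong to roles, not named individuals (RbAC / least privilege).
ROLE_PRIVILEGES = {
    "view_only": {"read_status"},
    "operator": {"read_status", "operate_breaker"},
    "administrator": {"read_status", "operate_breaker", "manage_users"},
}
# What may be done from each access point; a location that is not listed is
# denied by default. Remote dial-up is read-only regardless of role.
LOCATION_PRIVILEGES = {
    "control_room": {"read_status", "operate_breaker", "manage_users"},
    "substation_lan": {"read_status", "operate_breaker"},
    "remote_dialup": {"read_status"},
}
# Constructed user-to-role assignment; a job change edits only this table.
USER_ROLES = {"alice": "administrator", "bob": "operator", "carol": "view_only"}


def authorize(user, action, location, device, audit, now=None):
    """Decide one request and append a time-tagged entry to `audit`; returns
    True if allowed. Every attempt, allowed or denied, is recorded."""
    now = now or datetime.now(timezone.utc)
    role = USER_ROLES.get(user)
    if role is None:
        reason = "unknown user"
    elif action not in ROLE_PRIVILEGES[role]:
        reason = f"action not granted to role {role}"
    elif action not in LOCATION_PRIVILEGES.get(location, set()):
        reason = f"action not permitted from {location}"
    else:
        reason = "ok"
    audit.append({"time": now.isoformat(), "device": device, "user": user,
                  "role": role, "location": location, "action": action,
                  "allowed": reason == "ok", "reason": reason})
    return reason == "ok"


def access_alarms(audit, repeat_threshold=3):
    """Derive the alarms a SCADA master would receive from the audit trail:
    one per denied attempt, plus a repeated-denial alarm once the same user
    has been refused `repeat_threshold` times on the same device."""
    alarms, denials = [], {}
    for e in audit:
        if e["allowed"]:
            continue
        key = (e["user"], e["device"])
        denials[key] = denials.get(key, 0) + 1
        alarms.append(f"{e['time']} {e['device']}: DENIED {e['action']} by "
                      f"{e['user']} from {e['location']} ({e['reason']})")
        if denials[key] == repeat_threshold:
            alarms.append(f"{e['time']} {e['device']}: REPEATED DENIALS for "
                          f"{e['user']} ({repeat_threshold}x)")
    return alarms


if __name__ == "__main__":
    log = []
    authorize("bob", "operate_breaker", "substation_lan", "RTU-7", log)  # allowed
    authorize("bob", "operate_breaker", "remote_dialup", "RTU-7", log)   # denied
    for line in access_alarms(log):
        print(line)
```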
  11. (CIP-007, continued)

     • Users can be assigned different levels of access based on need
       - View Only
       - Other levels/privileges
       - Administrator who can control access by other users
     • All passwords are stored, hidden or encrypted
     • Equipment should be wiped on disposal, either by memory erase or physically destroying the microchip if necessary
       - If a device fails, it might be difficult to effectively erase memory. Look for devices that have removable media.

     CIP-008 Incident Reporting and Response Planning relates to the managing and handling of reports and logs. While collecting and storing logs for historical reference is necessary, how that retention is done is determined by the hardware and the organization’s capabilities.
     • Remote electronic download of user logs, SOE log, system log and control log facilitates data documentation for reports and compliance audit trail, compared to collection via a physical tap.
  12. Finding your compliance solution

     CIP guidelines are drawn to identify the desired goal; it is up to the organization to institute the hardware, software and processes that best allow it to meet these goals.

     For example, the utility can determine where its physical and electronic security perimeters begin and end. Figure 3 shows a typical substation where the control house, in essence, is the physical security perimeter. Electronic security perimeters are effectively constructed around the devices such as router and dial-up control that are communication end points. Depending on the number and frequency of patches and updates that are anticipated to be needed for substation devices, the organization might consider segregating the router and substation controller, excluding the Substation Controller, from the electronic security perimeter. This might reduce point-to-point testing time and effort due to application of patches and upgrades.

     Bottom line: the organization is responsible for writing the procedures that make compliance to CIP guidelines efficient and effective.

     (Figure 3 diagram labels: SCADA Master; Phone; Wireless comms; Dial up; Router; Substation controller; DMS/HMI; Discrete I/Os; IEDs; Cap bank; legacy relays; LTCs; meters; Other smart devices/IEDs; RTU; Pole top/remote IEDs; Electronic security perimeter; Physical security perimeter.)

     Figure 3. The utility should keep the ESP as small as possible.
  13. Conclusion

     One requirement CIP guidelines don’t spell out is the need for adaptability and intra-organization cooperation. Security is an arms race, and the electric utility requires considerable cooperation and integration within the organization to stay agile enough to adapt to changing challenges and still meet compliance.

     Careful consideration of hardware and software choices will help the utility institute the continual modifications that are needed to meet the moving target of critical infrastructure protection. Flexible asset access controls are a must to mitigate changing risks. Above all, dedicated intra-organization communications and training that emphasize security make every employee part of the solution – and assure that security is a successful process.
  14. ©2012 Schneider Electric. All rights reserved. Schneider Electric USA, Inc., 4701 Royal Vista Circle, Fort Collins, CO 80528. Phone: 1-866-537-1091, +(34) 9-17-14-70-02. Fax: 1-970-223-5577. www.schneider-electric.com/us. June 2012
