NERC CIPv6’s deadline has come and gone and yet there are many organizations still struggling to stay compliant. While maintaining continuous compliance is a daunting task, compliance does not equal security. Assuring your environment is not compromised with a security breach that brings critical infrastructure down is a top priority. Over 295 incidents on Industrial Control Systems (ICS) were cited in 2015 (ICS-CERT) and most were in energy and manufacturing sectors.

1. Keep Your Guard: Stay Compliant
and Be Secure
September 14th, 2016

2. Presenters
Director, Product Management
IT Security and Risk Strategist
Twitter: @terlin
terlin@tripwire.com
Vice President, Services
Tim Erlin Karl Perman Bill Kearson
Director, Information Security

3. 3
Current State of Industry
Tripwire Research: http://www.tripwire.com/company/research
Could a cyberattack on operational technology in your organization cause physical damage?
* November, 2015, 150 IT professionals in energy, utilities and oil & gas

4. 4
Current State of Industry
Tripwire Research: http://www.tripwire.com/company/research
Does your organization have the ability to accurately track all the threats targeting your OT
networks?
* November, 2015, 150 IT professionals in energy, utilities and oil & gas

5. 5
Current State of Industry
Tripwire Research: http://www.tripwire.com/company/research
What compliance requirements are the biggest driver for your purchase of cyber
security products?
* November, 2015, 150 IT professionals in energy, utilities and oil & gas

6. Compliance Challenge: Baselines
• What does NERC CIP require:
– CIP-010 R1: Develop configuraLon baselines, authorize and document
changes to baselines (OS including firmware, soQware, ports, security
patches)
– CIP-010 R2: Monitor and invesLgate changes to baselines
• Tips for Achieving and Maintaining Compliance
– AutomaLon; reducing manual effort can dramaLcally reduce audit
burden.
– Define baseline process for your organizaLon
– Have a configuraLon change management system including change
authorizaLon process

7. Compliance Challenge: Logging
• What does NERC CIP require:
– CIP-007 R4: Log security events, generate alerts, retain and review logs
– CIP-006 R2.2: Logging of visitor access
– CIP-009 R1.5: Data preservaLon for determining cause of Cyber Security Incident
– CIP-005 R1.5: DetecLng malicious communicaLons
• Tips for Achieving and Maintaining Compliance
– NormalizaLon rules; choose a product that can normalize logs from systems in your
environment.
– Don’t pay for log storage; choose a tool that licenses by asset, not by events per
second or data stored.
– Implement a logging process including clearly defined roles and responsibiliLes

8. Compliance is Not Security

9. Security: Secure ConfiguraLons
• What gaps does CIP compliance leave open:
– Frequency of review; 35 days is not oQen enough!
– Use of configuraLon informaLon
– Remember offense as well as defense
• Tips for going beyond NERC CIP compliance to security
– Use a configuraLon baseline tool that can monitor in real Lme.
– Expand the baseline configuraLon items promulgated by CIP
– Fuse configuraLon data with threat intelligence

10. Security: Security Event
Management
• What gaps does CIP compliance leave open:
– Stateful correlaLon of events; 5 failed logins followed by
success
– Track events that mafer to your organizaLon in addiLon to CIP
requirements
• Tips for going beyond NERC CIP compliance to security
– Use a log management tool that can track state across events
– Use key performance indicators to measure effecLveness
– Event analysis correlated with threat intelligence

11. Conclusion
• CIP is only a baseline; go further for security
• Good CIP compliance may not protect you from all of
the current security threats
• A process driven approach should make compliance
less burdensome in the long run (defined and
repeatable processes)
• Automate where you can as manual processes are
fraught with resource constraints and errors

12. TRIPWIRE PROPRIETARY & CONFIDENTIAL. NOT FOR DISTRIBUTION. INTERNAL USE ONLY.
Questions