
NERC CIP Compliance 101 Workshop - Smart Grid Security East 2011


This is the slide deck from the NERC CIP Compliance Workshop at Smart Grid Security East 2011 (www.smartgridsecurityeast.com)



  2. NERC CIP Compliance Workshop
     - Introductions
     - NERC CIP Compliance
     - Automating NERC CIP Compliance
     - Grid Operator Perspectives
     - Review / Q&A
  3. Presenters
     - Gib Sorebo – Chief Security Engineer, SAIC
     - Mike Echols – Critical Infrastructure Protection Manager, Salt River Project
     - Jim Brenton – Regional Security Coordinator, ERCOT
     - Joshua Axelrod – Director of Professional Services, Alert Enterprise
     - Lior Frenkel – CEO, Waterfall Security Solutions
     - Steven Applegate – Cyber Security Threat and Vulnerability Program Manager, NERC
  4. Agenda
     - System Overview
     - Definition of a Critical Asset (CIP 002)
     - Systems as a Critical Asset
     - Applying NERC CIP to a System
     - Identifying Risks to the System
     - Managing Risks to the System beyond NERC CIP
  5. DOE Modern Grid Strategy (source: Department of Energy)
     - AMI = Advanced Metering Infrastructure
     - DR = Demand Response
     - ADO = Advanced Distribution Operations
     - ATO = Advanced Transmission Operations
     - AAM = Advanced Asset Management
  6. NERC CIP Overview
  7. NERC CIP Compliance
  8. Critical Assets
  9. Control & Backup Control Centers
     - Supervisory Control and Data Acquisition (SCADA)
       - Monitor and control
       - Automatic generation control
       - Real-time power system modeling
       - Real-time inter-utility data exchange
  10. Transmission Substations
     - Substations that provide bulk power
       - Connect the bulk electric system
       - Usually 230 kV and up (kV = kilovolt)
       - Management of bulk power
  11. Automatic Load Shedding
     - Automatic load shedding schemes
       - Common control area
       - Demand response
         - An increase in demand may require a utility to black out a certain area in order to keep the system from coming down.
  12. Special Protection System (SPS)
     - Remedial Action Scheme (RAS)
  13. System Restoration
     - Regional and local blackstart
     - Low generation capacity
     - Emergencies
  14. Generation Resources
     - Distributed Control Systems (DCS)
  15. Other Assets
     - Advanced Metering Infrastructure (AMI)
     - Distribution substations
     - Distribution SCADA
     - Renewable energy resources
  16. Critical Cyber Assets (CCA = Critical Cyber Asset)

     Cyber Asset Name    Essential   R3.1   R3.2   R3.3   Connectivity   CCA
     Cyber.Asset.Name    Yes         Yes    Yes    No     IP             Yes
     Cyber.Asset.Name    Yes         Yes    Yes    No     Disconnected   No
     Cyber.Asset.Name    Yes         No     No     Yes    Dial-up        Yes
     Cyber.Asset.Name    Yes         No     No     No     Serial         No
  17. CIP Standards Version 4 Update
     - CIP Standards updated in response to FERC Order 706
     - Federal Government concerns about sufficiency of the CA identification process of current CIP-002-3
     - CIP-002-4 Applicability
       - There have been no changes in CIP-002-4 "Responsible Entity" criteria
       - The following remain exempt from CIP Standards
         - Facilities regulated by the Canadian Nuclear Safety Commission
         - Cyber Assets associated with communication networks and data communication links
       - Nuclear plant cyber security remains under NRC
         - In nuclear plants, the systems, structures, and components that are regulated by the Nuclear Regulatory Commission will be exempt under 10 C.F.R. Section 73.54.
     - Conformance changes for other CIP standards (change Version 3 to Version 4): administrivia
  18. Review: CIP-002-3 CA Identification
     - Responsible Entity required to identify and document a Risk-Based Assessment Methodology (RBAM) to identify its CAs
     - Responsible Entity free to select any RBAM but had to consider the following:
       - Control centers and backup control centers
       - Transmission substations
       - Generation resources
       - Systems and facilities critical to system restoration
         - Blackstart generators
         - Transmission substations in the cranking path for initial restoration
       - Automatic load shedding capable of shedding 300 MW or more
       - Special Protection Systems
       - Any additional assets that support reliable operation of the BES that the Responsible Entity deems appropriate
  19. New CIP-002-4 CA Identification Criteria
     - The Risk-Based Assessment Methodology in Version 3 has been replaced by "Bright-Line Criteria" in CIP-002-4, Attachment 1
     - Old R1 and R2 now combined into new R1 for "Bright-Line Criteria"
     - Responsible Entity shall develop a list of CAs through application of the criteria in CIP-002-4 Attachment 1 – Critical Asset Criteria
     - Attachment 1 is the key to CA identification
  20. CIP-002-4/R2: Critical Cyber Asset Identification
     - Develop a list of associated Critical Cyber Assets essential to the operation of designated Critical Assets
     - New 15-minute adverse impact criterion for generator units
       - The only Cyber Assets that must be considered are those that could, within 15 minutes, adversely impact the reliable operation of the unit
  21. CIP-002-4 – Attachment 1: New Critical Asset Identification Criteria
     1. Generating units (including nuclear) with an aggregate highest rated net Real Power capability equal to or exceeding 1500 MW in a single Interconnection
     2. Reactive resources (excluding generation Facilities) that have an aggregate net Reactive Power nameplate rating of 1000 MVAR or greater
     3. Generation Facilities that the Planning Coordinator or Transmission Planner designates as necessary to avoid BES Adverse Reliability Impacts in the long-term plan
  22. CIP-002-4 – Attachment 1: New Critical Asset Identification Criteria (continued)
     4. Blackstart Resources identified in the Transmission Operator's restoration plan
     5. Cranking Paths from the Blackstart Resource to the first interconnection point, or up to the point on the Cranking Path where two or more path options exist
     6. Transmission Facilities operated at 500 kV or higher
     7. Transmission Facilities operated at 300 kV or higher or substations with interconnection to three or more other transmission stations
  23. CIP-002-4 – Attachment 1: New Critical Asset Identification Criteria (continued)
     8. Transmission Facilities that are identified by the Reliability Coordinator, Planning Authority or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs)
     9. Flexible AC Transmission Systems (FACTS) that are identified by the Reliability Coordinator, Planning Authority or Transmission Planner as critical to the derivation of IROLs
     10. Transmission Facilities that, if destroyed, degraded, misused, or otherwise rendered unavailable, would result in the loss of the assets identified by any Generator Owner as a CA through the application of Attachment 1 (Criterion 1 or 3 above)
  24. CIP-002-4 – Attachment 1: New Critical Asset Identification Criteria (continued)
     11. Transmission Facilities identified as essential to meeting Nuclear Plant Interface Requirements
     12. Special Protection Systems (SPS), Remedial Action Schemes (RAS) or automated switching systems that operate BES Elements that, if destroyed, degraded, misused or otherwise rendered unavailable, would cause one or more Interconnection Reliability Operating Limit (IROL) violations
     13. Automatic Load Shedding Facilities that perform load shedding, without human operator initiation, of 300 MW or more (Under Voltage Load Shedding (UVLS) or Under Frequency Load Shedding (UFLS))
  25. CIP-002-4 – Attachment 1: New Critical Asset Identification Criteria (continued)
     14. Reliability Coordinator control centers or backup control centers
     15. Generation control centers or backup control centers used to control generation at multiple plant locations, for any generation Facility or group of generation Facilities identified in Criteria 1, 3 or 4 above; generation control centers or backup control centers used to control generation equal to or exceeding 1500 MW in a single Interconnection
     16. Transmission Operator control centers or backup control centers used to control at least one asset identified in Criteria 2, 5, 6, 7, 8, 9, 10, 11 or 12 above
     17. Balancing Authority control centers or backup control centers used to control at least one asset identified in Criteria 1, 3, 4 or 13 above; Balancing Authority control centers or backup control centers used to control generation equal to or greater than an aggregate of 1500 MW in a single Interconnection
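The thresholds above and the cross-references from control centers back to the assets they control are easy to mis-apply by hand, so here is an added example (not NERC's text or the presenters' tooling) that screens a constructed asset inventory against the criteria as the slides list them, numbered 1 to 17 in slide order. It assumes the designation-type criteria (3, 4, 5, 8 to 12) arrive as flags set by the planner or Reliability Coordinator, aggregates criterion 1 per plant location as the standard's wording does, applies criterion 7 as the conjunction of both conditions, and leaves out the alternative 1500 MW test for criteria 15 and 17.

```python
"""Bright-line screening of a BES asset inventory against the CIP-002-4 Attachment 1
criteria quoted on the slides, numbered 1-17 in slide order. Added example, not NERC's
text or the presenters' tooling; the inventory at the bottom is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    kind: str                 # generation | reactive | transmission | load_shed | control_center
    interconnection: str = ""
    plant: str = ""           # generating units are aggregated per plant location
    net_mw: float = 0.0       # highest rated net Real Power capability
    net_mvar: float = 0.0     # net Reactive Power nameplate rating
    kv: float = 0.0           # operating voltage of a transmission Facility
    ties: int = 0             # other transmission stations this station interconnects with
    shed_mw: float = 0.0      # automatic (no operator) load shedding capability
    flags: set = field(default_factory=set)       # planner / RC designations
    role: str = ""            # control centers only: RC | GOP | TOP | BA
    controls: list = field(default_factory=list)  # control centers only: asset names

# Criteria that are a matter of designation rather than arithmetic.
FLAG_CRITERIA = {"planner_designated": 3, "blackstart": 4, "cranking_path": 5,
                 "irol_critical": 8, "facts_irol_critical": 9, "loss_takes_out_go_ca": 10,
                 "nuclear_interface": 11, "sps_ras_irol": 12}
# Criteria 15-17: a control center is pulled in by what it controls.
CONTROL_CENTER_RULES = {"GOP": (15, {1, 3, 4}),
                        "TOP": (16, {2, 5, 6, 7, 8, 9, 10, 11, 12}),
                        "BA": (17, {1, 3, 4, 13})}

def screen(assets):
    """Return {asset name: sorted list of the criterion numbers the asset meets}."""
    # Criterion 1 is an aggregate over a plant location within one Interconnection
    # (the standard's wording), so a plant of 2 x 800 MW units qualifies as a whole.
    gen_mw, mvar = defaultdict(float), defaultdict(float)
    for a in assets:
        if a.kind == "generation":
            gen_mw[(a.interconnection, a.plant)] += a.net_mw
        elif a.kind == "reactive":
            mvar[a.interconnection] += a.net_mvar

    result = {}
    for a in [x for x in assets if x.kind != "control_center"]:
        hits = {FLAG_CRITERIA[f] for f in a.flags if f in FLAG_CRITERIA}
        if a.kind == "generation" and gen_mw[(a.interconnection, a.plant)] >= 1500:
            hits.add(1)
        if a.kind == "reactive" and mvar[a.interconnection] >= 1000:
            hits.add(2)
        if a.kind == "transmission":
            if a.kv >= 500:
                hits.add(6)
            # The standard's criterion 1.7 requires both conditions together:
            # 300 kV or higher AND interconnection with three or more other stations.
            if a.kv >= 300 and a.ties >= 3:
                hits.add(7)
        if a.kind == "load_shed" and a.shed_mw >= 300:
            hits.add(13)
        result[a.name] = sorted(hits)

    # Second pass: control centers depend on the results of the assets they control.
    for a in [x for x in assets if x.kind == "control_center"]:
        hits = set()
        if a.role == "RC":
            hits.add(14)          # every RC control center, unconditionally
        elif a.role in CONTROL_CENTER_RULES:
            number, triggers = CONTROL_CENTER_RULES[a.role]
            if triggers & {c for n in a.controls for c in result.get(n, [])}:
                hits.add(number)
        result[a.name] = sorted(hits)
    return result

# Constructed sample inventory; names and ratings are invented.
SAMPLE = [
    Asset("Unit A1", "generation", "Eastern", plant="Plant A", net_mw=800),
    Asset("Unit A2", "generation", "Eastern", plant="Plant A", net_mw=800),
    Asset("Unit B1", "generation", "Eastern", plant="Plant B", net_mw=900),
    Asset("Peaker C", "generation", "Eastern", plant="Plant C", net_mw=40, flags={"blackstart"}),
    Asset("SVC North", "reactive", "Eastern", net_mvar=1200),
    Asset("Sub 500", "transmission", "Eastern", kv=500, ties=2),
    Asset("Sub 345", "transmission", "Eastern", kv=345, ties=4),
    Asset("UFLS East", "load_shed", "Eastern", shed_mw=350),
    Asset("TOP CC", "control_center", role="TOP", controls=["Sub 500", "Sub 345"]),
    Asset("BA CC", "control_center", role="BA", controls=["Unit B1"]),
]
```

Running `screen(SAMPLE)` shows the two 800 MW units qualifying together under criterion 1 while the single 900 MW unit does not, and the TOP control center being pulled in only because one of its substations met criterion 6 or 7.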
  26. Projected CIP-002-4 Time Lines
     - Approved by 80% industry vote (Dec 2010)
     - Approved by NERC Board of Trustees (Jan 24)
     - Submitted to FERC (Feb 2011, tentative)
     - Approval by FERC (3-6 months): July 2011?
     - Implementation date +24 months after FERC approval (July 2013? at the earliest)
     - Dates above affect Critical Assets newly identified under Version 4
       - CAs previously identified under CIP-002-3 must remain compliant per CIP-003-3 through CIP-009-3 until CIP-004-4 becomes effective: bookend documentation for audits of all CAs
  27. What's next for CIP Standards
  28. CIP 003 Security Policy (NERC = North American Electric Reliability Corporation; CIP = Critical Infrastructure Protection)
     - CIP 003.R1 Security Policy
       - You must develop a security policy which makes NERC CIP 002-009 required for your organization.
       - If your system does not meet the standards in CIP 002, then you do not have to apply the remainder of CIP.
       - Your organization's policy should address each requirement in the NERC CIP standards.
  29. CIP 003 Leadership
  30. CIP 003 Exceptions
     - Non-compliance issues
       - The exceptions process serves to address non-compliance issues.
     - Risk register
       - The exceptions process serves as a risk register.
     - Risk management
       - The senior manager accepts risk for not complying with standards.
  31. CIP 003 Information Protection
     - Information identification
     - Operational procedures
     - Lists as required in standard CIP-002-3
     - Network topology or similar diagrams for critical cyber assets
     - Floor plans of computing centers that contain critical cyber assets
     - Equipment layouts of critical cyber assets
     - Disaster recovery plans for critical assets
     - Incident response plans for critical assets, and
     - Security configuration information for critical cyber assets
     What, where, who: What information is critical? Where is the critical information located? Who owns the critical information?
  32. CIP 003 Change Control and Configuration Management (I&A = Identification and Authentication; DES = Data Encryption Standard; PKI = Public Key Infrastructure)
  33. CIP 003 Change Control and Configuration Management (continued)
     - What are the control mechanisms present within the meter?
       - How does the meter restrict access to data and functionality?
       - Does the meter log successful and unsuccessful access attempts to produce an audit trail?
       - Does the meter require user and system identification and authentication?
       - Does the meter implement strong authentication?
     Make a checklist. Do the same for databases, operating systems and network infrastructure devices. Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) and Center for Internet Security (CIS) benchmarks provide a starting point.
     Access:
       - The meter restricts access based on token
       - The meter only accepts inputs from collectors
     Audit:
       - The meter records when access is authorized
       - The meter records what functions are initiated on it
     Communication Protection:
       - The meter encrypts data commands issued on it
       - The meter uses DES encryption
     I&A:
       - The meter requires token-based authentication
       - The meter accepts tokens authorized by the PKI system
  34. CIP 004 Awareness and Training
     - Posters, emails, brochures
       - Socialize your cyber security policy
     - Provide general training on the major elements of NERC CIP.
     - Provide specialized training for your critical NERC CIP processes.
  35. CIP 004 Access Control
  36. CIP 005 Network Security
     Diagram labels: Network, Operating System, Databases, Applications (layered on each side); Access Points; Electronic Security Perimeters
  37. CIP 005 Network Security
  38. CIP 005 Network Security
  39. CIP 005 Network Security
     Ports and Services:
       - Open firewall ports and protocols
       - Point-to-point rules (no any any)
       - Deny by default
     System Security:
       - No default accounts
       - Strong passwords
     Password Security:
       - At least six-character passwords
       - Complex passwords
       - Password changes every 360 days
     Community String Security:
       - No public strings
       - Rename community strings
       - No default community strings
  40. CIP 006 Physical Security
  41. CIP 007 Systems Security Management
     - Create baseline configuration
  42. CIP 007 Systems Security
  43. CIP 007 Systems Security: patch management process
     1. Vendor releases security patch or update
     2. SME determines patch or update applicability (within 30 days of availability)
     3. SME creates plan (within the same 30 days) for future deployment
     4. SME downloads patch or update and deploys in test environment
     5. SME tests security controls and functionality according to test plan
     6. SME securely deploys and tests in production environment (or TFE)
  44. CIP 007 Systems Security (IDS = Intrusion Detection System; ICS = Industrial Control System)
  45. CIP 007 Systems Security
  46. CIP 007 Systems Security
  47. CIP 007 Systems Security
  48. CIP 007 Systems Security
     Ports and Services:
       - Open firewall ports and protocols
       - Point-to-point rules (no any any)
       - Deny by default
     System Security:
       - No default accounts
       - Strong passwords
     Password Security:
       - At least six-character passwords
       - Complex passwords
       - Password changes every 360 days
     Community String Security:
       - No public strings
       - Rename community strings
       - No default community strings
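The four columns on this slide (and on the identical CIP 005 slide earlier) translate directly into a device baseline audit. The example below is added for this page and is not the presenters' tooling; it runs over a constructed device record in a simple dict layout rather than any real vendor configuration syntax, and the list of default account names is likewise constructed.

```python
"""Baseline checks for the settings this slide lists: open ports and services, default
accounts, password length and age, SNMP community strings. Added example, not the
presenters' tooling; the device record is constructed and uses a simple dict layout,
not any real vendor configuration syntax."""
from datetime import date

MIN_PASSWORD_LEN = 6          # "At least six-character passwords"
MAX_PASSWORD_AGE = 360        # "Password changes every 360 days"
DEFAULT_COMMUNITIES = {"public", "private"}
DEFAULT_ACCOUNTS = {"admin", "guest", "root", "operator"}   # constructed list
TODAY = date(2011, 2, 1)      # constructed audit date

def audit(device, today=TODAY):
    """Return a list of (control area, finding) tuples for one device record."""
    findings = []

    # Ports and services: point-to-point permits only, deny by default at the end.
    rules = device.get("firewall", [])
    for r in rules:
        if r["action"] != "permit":
            continue
        if r["src"] == "any" and r["dst"] == "any":
            findings.append(("ports_services", f"rule {r['id']} permits any -> any"))
        elif "any" in (r["src"], r["dst"]):
            findings.append(("ports_services", f"rule {r['id']} is not point-to-point"))
    if not rules or rules[-1]["action"] != "deny":
        findings.append(("ports_services", "policy does not end with deny by default"))

    # System security: default accounts must be removed or disabled; stale passwords flagged.
    for acct in device.get("accounts", []):
        if acct["name"] in DEFAULT_ACCOUNTS and acct.get("enabled", True):
            findings.append(("system", f"default account '{acct['name']}' is enabled"))
        age = (today - acct["last_changed"]).days
        if age > MAX_PASSWORD_AGE:
            findings.append(("password", f"'{acct['name']}' password is {age} days old"))

    # Password security: the policy the device enforces must meet the slide's floor.
    policy = device.get("password_policy", {})
    if policy.get("min_length", 0) < MIN_PASSWORD_LEN:
        findings.append(("password", "minimum password length below 6"))
    if not policy.get("complexity", False):
        findings.append(("password", "password complexity not enforced"))
    if policy.get("max_age_days", 10**9) > MAX_PASSWORD_AGE:
        findings.append(("password", "maximum password age exceeds 360 days"))

    # Community string security: no public or default strings anywhere.
    for c in device.get("snmp_communities", []):
        if c.lower() in DEFAULT_COMMUNITIES:
            findings.append(("community", f"default community string '{c}' in use"))
    return findings

# Constructed sample device; every value below is invented for the example.
DEVICE = {
    "hostname": "rtu-gw-01",
    "firewall": [
        {"id": 10, "action": "permit", "src": "10.1.1.5/32", "dst": "10.2.2.7/32", "port": "tcp/502"},
        {"id": 20, "action": "permit", "src": "10.1.1.0/24", "dst": "any", "port": "udp/161"},
        {"id": 30, "action": "permit", "src": "any", "dst": "any", "port": "ip"},
    ],
    "accounts": [
        {"name": "admin", "enabled": True, "last_changed": date(2010, 1, 5)},
        {"name": "scada_ops", "enabled": True, "last_changed": date(2010, 12, 1)},
    ],
    "password_policy": {"min_length": 5, "complexity": True, "max_age_days": 365},
    "snmp_communities": ["public", "grid-ro-2011"],
}

if __name__ == "__main__":
    for area, text in audit(DEVICE):
        print(f"[{area}] {text}")
```

The sample device produces eight findings, one per row of the slide's table that it violates; a record that keeps point-to-point permits, ends in a deny, disables default accounts and renames its community strings produces none.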
  49. CIP 008 Incident Response
     - You must formally identify and declare an incident:
       - Develop an incident response form that demonstrates incident identification (this will help you document your problem to the Electricity Sector Information Sharing and Analysis Center).
       - Categorize the incident according to your incident response plan (red, yellow or green).
       - Ensure the plant manager is notified of the incident and its categorization.
  50. CIP 008 Incident Response
     - An incident response (CIP 008) practice needs to be developed and should include the four primary capabilities:
       - Identification
       - Containment
       - Eradication
       - Recovery
     - Incident response should use a decision tree in order to determine the scope of the incident.
  51. CIP 009 Recovery
  52. CIP 009 Recovery
  53. Challenges Created by New CIP Requirements
     - Certifications and background checks
     - ESP / Physical Security Perimeters
     - Terminated employee tracking
     - Enterprise-level access control
     - User access reviews
  54. NERC is complex. NERC CIP is more complex. To meet all requirements you need to interface with:
     - Applications: SAP, Oracle, HR, and business applications
     - GRC, IAM, change management, asset management
     - Directories, network security and IT systems
     - Physical Access Control Systems (PACS)
     - Control systems: EMS, DMS, HMI/SCADA
     - Facilities / building management
     - Video surveillance and other imaging sensors
     - Situational awareness and geo-spatial mapping
     - Incident management applications
  55. Streamline On-Boarding/Off-Boarding & Close Security Gaps
     Diagram labels: Enterprise compliance; Eliminate overlaps; Workplace efficiency; Simplify & automate onboarding & offboarding; Human resources; SCADA / network; Physical security; Governance, risk & compliance; Identity management; IT/ERP security; Assets; Contractors; Background checks; Certification; Internal control policies; Industry-specific risk library
  56. A New Generation of Solutions Bridges the Gap, Removes the Silos
  57. Active Policy Enforcement
  58. Situational Awareness
  59. Incident Response
  60. NERC CIP Security and Compliance Posture
  61. Compliance Solutions Tools: Features To Look For
     - KRI dashboard, risk scoring, qualitative risk (H, M, L)
     - Asset discovery, visualization and criticality rating
     - Situational awareness and geo-spatial mapping
     - Incident management module
     - User access reviews, role lifecycle management
     - Multiple simultaneous assessment projects
     - Common controls and risk repository
     - Rules engine to automate controls
     - Repository for documentation and evidence
     - Robust integration with HR, ERP, GRC, IAM, etc.
     - Physical security integration and control systems integration
     - Integrated with security automation tools (GCC)
     - Role-based dashboards – display tiles
  62. CIP 003 – 009 Takeaways
  63. Beyond NERC-CIP: Perimeter Protection Issues
     Diagram labels: Internet; Critical Network; Business Network; Critical Cyber Asset; Command and Control
  64. Network Threats
     Routine threats:
       - Malware propagates via VPN or open firewall ports
       - Shared passwords, "temporary" contractor access, access management issues
     Advanced threats:
       - Firewall zero-day attacks, take over firewall
       - Targeted emails – open attachments or visit compromised website
  65. Remote Control
     Routine threats:
       - Modern malware contacts command and control servers on the open internet
       - Usual remediation: forbid internet connections
     Advanced threats:
       - Peer-to-peer network between compromised machines
       - C&C server controls CCAs even when internet connections are forbidden
  66. Advanced Perimeter Protection: Unidirectional Communications
     Diagram labels: Critical Network; Business Network; Critical Cyber Asset; Enterprise Planning System; One-Way Communications Hardware
  67. Unidirectional Data Transfer
     Air gap:
       - No attack possible from less-trusted network
       - But: modern businesses rely on access to real-time data
     Unidirectional data transfer:
       - Transmits valuable real-time data to business systems
       - One-way hardware means data transfer back into the critical network is impossible
  68. Emulating Two-Way Protocols
     Diagram labels: Two-Way Protocol → Emulation Agent → One-Way Communications Hardware → Emulation Agent → Two-Way Protocol
  69. Emulating Two-Way Protocols
     Unidirectional Gateways:
       - One-way fiber-optic hardware
       - Proprietary high-speed, low-latency protocol
       - Sophisticated data integrity protections
     Software Agents:
       - Emulate a wide variety of two-way protocols
       - Run on conventional Windows hosts
       - Ease of use, ease of management
  70. Under the Hood
     Sending side: WF-packet preparation and sending (sequencing, redundancy, error correction); scheduler; 3rd-party API; SDK; connectors; management, control and configuration; MMI
     Receiving side: high-capacity and optimized receiving mechanism; scheduler; 3rd-party API; SDK; connectors; management, control and configuration; MMI
     Link: unidirectional fiber optics between the two Ethernet (ETH) interfaces
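The three sending-side functions the slide names (sequencing, redundancy, error correction) are what make a link with no return path usable, and the following added example shows why. It is not Waterfall's proprietary protocol: the framing, the CRC choice and the impairment model are all constructed for this page. A receiver can detect a gap from the sequence numbers, but it can only fill it from a redundant copy, never by asking the sender again.

```python
"""Toy model of the sending-side functions the 'Under the Hood' slide lists for a
unidirectional gateway: sequencing, redundancy and error detection, with nothing
flowing back. Added example, not Waterfall's protocol (which is proprietary); the
framing, CRC choice and impairment model are constructed."""
import struct
import zlib

HDR = struct.Struct("!IHH")   # sequence number, total chunks, payload length
CHUNK = 16                    # constructed payload size, kept small so losses are visible

def build_frames(data, copies=2):
    """Split data into sequenced, CRC-protected frames and send each `copies` times.
    Redundancy is the only recovery tool: the receiver can never ask for a resend."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)] or [b""]
    frames = []
    for seq, chunk in enumerate(chunks):
        body = HDR.pack(seq, len(chunks), len(chunk)) + chunk
        frames.extend([body + struct.pack("!I", zlib.crc32(body))] * copies)
    return frames

class Receiver:
    """Accepts frames in whatever order and condition they arrive."""
    def __init__(self):
        self.chunks, self.total, self.rejected = {}, None, 0

    def accept(self, frame):
        if len(frame) < HDR.size + 4:
            self.rejected += 1
            return
        body, crc = frame[:-4], struct.unpack("!I", frame[-4:])[0]
        if zlib.crc32(body) != crc:
            self.rejected += 1    # corrupted copy: discard it and rely on a duplicate
            return
        seq, total, n = HDR.unpack_from(body)
        self.total = total
        self.chunks.setdefault(seq, body[HDR.size:HDR.size + n])   # duplicates ignored

    def missing(self):
        """Gaps are visible from the sequence numbers, but can only be reported."""
        if self.total is None:
            return []
        return [s for s in range(self.total) if s not in self.chunks]

    def assemble(self):
        if self.total is None or self.missing():
            return None
        return b"".join(self.chunks[s] for s in range(self.total))

def impaired_link(frames, drop_first_copy=(), corrupt_second_copy=()):
    """Constructed impairment model: lose the first copy of some sequence numbers
    and flip a payload byte in the second copy of others."""
    seen, out = {}, []
    for f in frames:
        seq = HDR.unpack_from(f)[0]
        copy = seen[seq] = seen.get(seq, 0) + 1
        if copy == 1 and seq in drop_first_copy:
            continue
        if copy == 2 and seq in corrupt_second_copy:
            f = f[:HDR.size] + bytes([f[HDR.size] ^ 0xFF]) + f[HDR.size + 1:]
        out.append(f)
    return out

def transfer(data, copies, drop=(), corrupt=()):
    """One transfer; returns (reassembled bytes or None, missing seqs, rejected count)."""
    rx = Receiver()
    for f in impaired_link(build_frames(data, copies), drop, corrupt):
        rx.accept(f)
    return rx.assemble(), rx.missing(), rx.rejected

SAMPLE = b"Plant historian tags: T1=503.2 T2=61.9 T3=12.0"   # constructed, 46 bytes = 3 chunks

if __name__ == "__main__":
    print(transfer(SAMPLE, copies=2, drop={0, 2}, corrupt={1}))   # recovers
    print(transfer(SAMPLE, copies=1, drop={0, 2}))                # reports gaps 0 and 2
```

With two copies the same losses and the corrupted frame are absorbed; with one copy the receiver can name exactly which sequence numbers never arrived but has no way to get them.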
  71. Mature Product Lines: Broad Range of Features
     - High performance
     - High availability
     - High data integrity
     - Standard protocols, including: SFTP, Modbus, ICCP, OPC, DNP3, SNMP, Syslog
     - Server replication applications, including: OSI PI, Siemens SINAUT, GE iFix
     - Remote screen viewing
     - Secure manual uplink
  72. Application: Generation (photo courtesy of wikimedia.org)
     Diagram labels: Critical Network (Critical Cyber Assets, Plant Historian); Business Network (Enterprise Historian (Replica)); ICCP (to SO)
  73. Application: Generation
     Historian Replication:
       - Replica historian on the business network with real-time data only milliseconds old
       - End users interact with the replica as if it were the original
       - High load on the replica has no effect on the critical historian
     ICCP Communications:
       - ICCP consumers on-site and off-site
       - Interact with the one-way agent as if with the original – no reconfiguration required
  74. Application: Transmission (photo courtesy of: hydro station L'Ange-Gardien, QC)
     Diagram labels: Substation Network (Critical Cyber Assets); EMS Network (EMS); DNP3 on both sides of the one-way link
  75. Application: Transmission
     Historian Replication:
       - Replica data is only milliseconds old
       - End users interact with the replica as if it were the original
       - High load on the replica has no effect on the critical historian
     ICCP Communications:
       - ICCP consumers on-site and off-site interact with the one-way agent as if with the original
       - No reconfiguration required
  76. NERC-CIP: Specific Benefits (Copyright © 2011 Waterfall Security Solutions Ltd)
     CIP-003: Security Management Controls
       - Store protected information on unidirectionally protected networks
     CIP-005: Electronic Security Perimeters
       - Unidirectional Gateways are the only access points
       - No remote access attempts or logs to monitor
     CIP-007: Systems Security Management
       - No open ports or services
       - Simplified security test procedures
  77. NERC-CIP: Systemic Benefits
     Increased Security:
       - No attacks possible from less-critical networks
       - Device configuration errors cannot compromise critical networks
       - No exposed ports or services
       - No VPNs or remote access
     Reduced Program Documentation:
       - Simpler system security
       - Less documentation
     Reduced Audit and Assessment Costs:
       - Fewer logs to examine
  78. What CIP is Not
     - CIP: Compliance Is Painful
     - CIP: Congress-Initiated Problem
     - CIP: Can I Punt?
     - CIP: Cash Is Preferred
     - NERC's brainchild
  79. What if I'm Not Required To Comply?
  80. Am I at Risk? Have a look for yourself
     - Electromagnetic weaponry
       - http://www.sciencenews.org
     - Summary of challenges recognized by DOE
       - http://www.oe.energy.gov/DocumentsandMedia/roadmap.pdf
     - Worm scenario (IOActive-discovered vulnerability with auto-disconnect)
     - Scenario for DDoS with meter botnet
       - http://www.muniwireless.com/2010/09/24/smart-grid-security-alert-malicious-worm-attacking-industrial-sites/
       - http://www.theregister.co.uk/2009/06/12/smart_grid_security_risks/
     - Easter eggs already in existence
       - http://online.wsj.com/article/SB123914805204099085.html
     - Invasion of privacy through load signature analysis
       - http://voices.washingtonpost.com/securityfix/2009/11/experts_smart_grid_poses_priva.html
  81. How far should I go?
  82. How do I choose security controls?
     - Think like you would for any other business asset
       - Define constraints
       - Define the requirements
       - Create a weighted scale
       - Seek viable candidates
       - Compare empirically
       - Demo any and all contenders
       - Call references (and find your own)
       - Develop a maintenance plan
       - Identify risks with controls/vendors
       - Seek a limited pilot
  83. Where can I go for help?
  84. Culture of Compliance: What Does It Look Like? How Do I Get There?
