The document discusses NERC CIP guidelines for securing critical infrastructure devices in the electric grid. It provides an overview of the six main CIP guidelines regarding personnel authorization, training, security of the electronic perimeter, physical security, operations security, and incident reporting. The document emphasizes that compliance requires both compliant technologies and security-focused procedures. It also outlines key security principles like least privilege and role-based access controls. Overall, the summary provides a high-level view of the document's coverage of NERC CIP compliance objectives and guidelines.
70% of data center outages are directly attributable to human error according to the Uptime Institute's analysis of their "abnormal incident" reporting (AIR) database. This figure highlights the critical importance of having an effective operations and maintenance (O&M) program. This paper describes unique management principles and provides a comprehensive, high-level overview of the necessary program elements for operating a mission critical facility efficiently and reliably throughout its life cycle. Practical management tips and advice are also given.
ISO 27001 Training | ISMS Awareness Training (himalya sharma)
ISMS Awareness Training on ISO 27001 delivered by industry experts, customized for you and connected with relevance to your industry, products, services and processes.
LTS Secure Security Information and Event Management (SIEM), is a technology that provides real-time analysis of security alerts generated by network hardware and applications.
The security of information systems and business-critical information needs constant managing to ensure your operational continuity and data protection. ISO 27001 Information Security Management Systems certification allows you to stand out from the competition through strong information security measurement.
What the auditor needs to know about cloud computing (Moshe Ferber)
As more and more workloads move to the cloud, more practices need to be developed. ISACA and CSA launched the CCAK certification for auditors; in this presentation I will elaborate on the highlights of auditor knowledge in the cloud.
How to determine a proper scope selection based on ISO 27001? (PECB)
Meeting the Clause 4 (Context of the Organization) "generic" requirements of ISO 27001 in order to determine a proper Documented Scope statement that meets business requirements and gives value to products and/or services.
Main points covered:
• Interested Parties
• Interfaces & Dependencies
• Legal / Regulatory & Contractual Obligations (Risk of Non-Compliance)
• Documented Scope Statement (including locations within Scope)
Presenter:
Mr. David Anders has worked more than 20 years in the risk management field, managing a broad spectrum of consulting services and product solutions. David has worked in the consulting field for 16 years and is the founder / CEO of SecuraStar, LLC, a niche ISO 27001 consulting firm in the United States, and founder / CEO of ISMS Manager Software, LLC.
Link of the recorded session published on YouTube: https://youtu.be/hSaAvKgAC2c
In today's business environment, organizations have a responsibility to their employees, clients, and customers to ensure the confidentiality, integrity and availability of the critical data entrusted to them. Every network is vulnerable to some form of attack. However, it is not enough to simply confirm that a technical vulnerability exists and implement countermeasures; it is critical to repeatedly verify that the countermeasures are in place and working properly throughout the secured network. During this webinar, David Hammarberg, Principal, IT Director, and leader of McKonly & Asbury's Cybersecurity Practice, will be joined by Partner Michael Hoffner; together they will lead a discussion on a Cybersecurity Risk Management Program, including what it is and how it can prepare your organization for the future.
Active Directory in ICS: Lessons Learned From The Field (Digital Bond)
Donovan Tindall of Honeywell at the S4x15 Operations Technology Day (OTDay). A meaty, but practical technical session on how to use Active Directory to help manage and secure your ICS.
NERC CIP Version 5 and Beyond – Compliance and the Vendor's Role (EnergySec)
Presenter: Joseph Loomis, Southwest Research Institute (SwRI)
Asset Owners face challenges as they strive to implement the NERC-CIP V5 requirements. Meeting the requirements often requires documentation and technical knowledge of how an asset operates that only a Vendor can provide. Vendors, likewise, may be unclear about how the NERC-CIP requirements affect them, and are unsure about how to meet the technical requirements. In this presentation we detail the lessons learned from a recent project where SwRI worked with a Vendor to determine how the requirements apply to them and what the Vendor needs to have in place to help support an Asset Owner in an audit.
Structured NERC CIP Process Improvement Using Six Sigma (EnergySec)
Presented by: Chris Unton, Midwest ISO (MISO)
Abstract: MISO embarked on a structured, comprehensive process improvement program to make advances in cyber security risk reduction as well as CIP compliance. The program uses the Six Sigma framework to reduce process defects and gain efficiencies. The 13-month effort comprises process-level health checks; assignment of functional roles, responsibilities, and oversight; cross-functional process improvement events; and training/awareness curricula to lock in the improvements. As a result, MISO is not only strengthening its cyber security and compliance posture, but also positioning the company for a smoother adoption of controls-based audits when applicable. In this presentation, Mr. Unton will walk through the process and show how it has been instrumental in greatly enhancing MISO's security and compliance environment.
Security of the Electric Grid: It's more than just NERC CIP (EnergySec)
The availability of spectrum for utility communications networks, heightened consumer protection and privacy concerns, cloud computing and its application to the smart grid, supply chain security – these are just some of the policy and regulatory issues that could have a significant impact on utilities as they integrate millions of data points for more efficient control of the modernized grid. Attention has been focused on compliance with NERC-CIP mandates and passing audits, but what is their place in the broader security picture? Will other policy developments change the landscape of grid security?
Explore the Implicit Requirements of the NERC CIP RSAWs (EnergySec)
Regulated entities should consider the RSAW templates when preparing evidence of compliance with the NERC CIP Standards. There are a number of implicit requirements in CIP v5 which an entity needs to fulfill to be compliant, but which are not specifically identified in the actual requirements.
In this webinar, our experts will discuss such implicit requirements. Key learnings from this session:
- RSAW format
- Implicit requirements of CIP RSAWs
- Leveraging technology for RSAW management
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A... (EnergySec)
Presenters: Robert Landavazo, PNM Resources and Katherine Brocklehurst, Tripwire
With countless hours of work to go, PNM was far from ready for its audit coming in just 18 months. Confidence in its existing manual and incomplete security controls was at an all-time low, and it lacked the visibility into control center environments needed to quantify its status and progress towards compliance.
With Tripwire, PNM's preparation for the looming CIPv3 audit noticeably improved. With efficient reporting and automation, PNM is now positioned to hold itself accountable for CIP auditable compliance of more than 3,500 explicit and supporting control points, satisfying CIP-002-3, CIP-004-3, CIP-005-3, CIP-007-3 and CIP-009-3. In addition, enhanced visibility and better control gave PNM the ability to communicate meaningful and measurable initiatives to executive teams, resulting in increased support for its funding needs.
In this session, PNM – New Mexico’s largest electricity provider – will share a case study on its journey towards achieving continuous NERC CIP compliance despite a highly limited headcount, how it saved countless hours of labor-intensive manual effort, and the essential role that automation played in its success.
COBIT 5 IT Governance Model: an Introduction (aqel aqel)
This lecture provides quick and direct insight into information technology governance using the COBIT 5 framework. COBIT 5, the fifth edition of the framework, was released by the Information Systems Audit and Control Association (www.isaca.org) in 2012 to supersede version 4.1 (2007). It also incorporates ISACA's Val IT model, which addresses the financial perspective of IT, and the Risk IT framework.
The lecture was part of ISACA- Riyadh chapter activities in April 2015 under the sponsorship of Al-Fisal University.
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur (Alan Yau Ti Dun)
Like any information security process, there should be an adequate and reasonable level of assurance for cyber security, which completes the security perspective when combined with governance and management processes. Cyber security assurance requires a comprehensive set of controls that covers risk as well as management processes. These controls are supported by appropriate metrics and indicators for security goals and factual security risk. This session will share a cybersecurity self-assessment program for carrying out an audit or self-assessment review of cyber security controls and practices in a typical organisation. The assurance program leverages the COBIT 5 framework and COBIT 5 for Information Security as a baseline.
For an organization to function efficiently it is important to have security controls that ensure the protection of the confidentiality, integrity and availability of information and systems. Compliance is the process of ensuring that all systems in an organization meet a set of predefined rules.
In this article we address the need for compliance automation and how SecPod's Saner gives enterprises the ability to automate compliance while minimizing the time spent in a non-compliant state.
Mindtree's managed firewall service has been carefully designed to fit the diverse requirements of today's connected enterprises. From large scale global deployments to small and remote offices, Mindtree has a managed firewall service designed to align with each individual organization's security initiatives and budgetary requirements.
White Paper: Six-Step Competitive Device Evaluation (Ixia)
This paper presents a six-step methodology for conducting competitive product evaluations that provide advance insight into the performance, security, and stability of devices within production network and data center environments.
In January 2020, the Department of Defense released the initial version of Cybersecurity Maturity Model Certification (CMMC) standard. Certifications will begin for new and existing defense contractors this year. As you are preparing for the CMMC now by becoming NIST 800-171 compliant, it is critical to ensure you can continue bidding on RFPs. Any type of cybersecurity audit takes time and getting compliant to NIST 800-171 ahead of an audit is no different.
Whether your organization’s security and compliance are 80% of the way there, or you think your infrastructure needs a complete overhaul, get tips and insights to get you closer to compliance.
We Share:
- An overview of the compliance requirements,
- Tips for analyzing current cyber security measures and processes,
- How the Microsoft 365 Cloud helps ensure compliance
- Measures you can put in place to help you meet NIST 800-171 compliance
Performing One Audit Using Zero Trust Principles (ControlCase)
In this 45 minute webinar ControlCase, TAG Cyber & Evolve MGA cover the following:
- Introductions – ControlCase, Tag Cyber & Evolve MGA
- What has current cyber security research uncovered so far?
- What are Zero Trust Principles?
- How can Zero Trust Principles be implemented in remote working environments?
- Cyber insurance for modern day exposures
Similar to NERC Critical Infrastructure Protection (CIP) and Security for Field Devices
More Electric:
Our world is becoming More Electric. Almost everything we interact with today is either already electric or becoming electric. Think about it. From the time you start your day in the morning to the time you finish your day – your home, your car, your work, your devices, your entertainment – almost everything is electric. Imagine the energy needed to power this. Electricity consumption will increase by 80% in the next 25 years.
More Connected: Our lives are also becoming more connected. The Internet has already transformed the way we live, work and play. Now connected things are going to take this to a brand new level: 50 billion things connected in the next 5 years.
More Distributed: With such widespread electrification and connectivity, energy models need rethinking as well, which is why the generation of power needs to be closer to users. Distributed energy is rapidly evolving globally. This is positive energy – renewable. In 2014, renewables overtook fossil fuels in investment value, with $295bn invested in renewables compared to $289bn invested in fossil fuels. And it is getting cheaper to do this.
More Efficient: When our world is more electric, more connected and more distributed, new opportunities emerge and allows us to tap into even more efficiency – in industrial processes, in the energy value chain, in buildings, in transportation, in the global supply chain and even in the comfort and peace-of-mind of our homes.
With more than $18 billion in M&A activity in the first half of last year alone, the colocation industry is riding the bubble of rapid growth. Colocation data center providers are being evaluated by a wide range of investors, with varying experience and perspectives. Understanding the evaluation criteria is a critical competency for attracting the right type of investor and financial commitment for your colocation business and this is why we have invited today’s speaker to present.
Steve Wallage is Managing Director of BroadGroup Consulting. Steve brings 25 years of industry experience, holding senior roles at Gartner Group, IDC, CGI and IBM before joining BroadGroup 10 years ago. In his responsibilities at BroadGroup Steve has led many due diligence projects for investors evaluating colocation companies.
In this briefing we explore the Phaseo power supplies and transformers offer presentation and application samples.
For more details:
Industrial%20Automation%20and%20Control&parent-category-id=4500&parent-subcategory-id=4510
We’ve all been hearing about how robust the market for data center space is, but a presentation by an investment banker who has his finger on the pulse on the market day in and day out gave me a new appreciation for how great the opportunity really is.
Herb May is a partner and managing director with DH Capital, an investment bank founded 15 years ago in New York that is focused on the Internet infrastructure space. His company has been involved in close to 100 deals, representing almost $20 billion in value. Most of DH Capital’s work is as a mergers and acquisitions advisor, but raising capital is a growing percentage of its business. The point is, the company understands the financials behind data centers and colocation companies inside and out.
At Schneider Electric, in the IT Division, our core business has always been focused on delivering the highest level of availability to critical technologies, systems and processes. We’ve done this through our award winning, industry-leading and highest quality products and solutions, including UPS, Cooling, Rack Systems, DCIM and Services.
In this new digital era, we see a world that is always-on.
Always on to meet the needs of the highest notion of “access” to goods and services
Always on to be the solid, reliable foundation of digital transformation for businesses
Our mission is: To empower the digital transformation of our customers by ensuring their critical network, systems and processes are highly available and resilient.
In this briefing we explore the Magelis Basic HMI offer presentation and application samples.
For more details:
https://www.schneider-electric.com/en/product-range/61054-magelis#search
In this briefing, we explore the Zelio time relay offer presentation and application samples.
For more details:
http://www.schneider-electric.com/en/product-range/529-zelio-time?parent-category-id=2800&parent-subcategory-id=2810&filter=business-1-industrial-automation-and-control
Spacial, Thalassa, ClimaSys Universal enclosures Briefing (Schneider Electric)
Discover more about Universal Enclosures and how to select the one you need.
For more information:
http://www.schneider-electric.com/en/product-category/5800-enclosures-and-accessories/?filter=business-1-industrial-automation-and-control
Learn more about "what is a solid state relay", key features and targeted applications.
For more details:
http://www.schneider-electric.com/en/product-range/60278-zelio-relays?parent-category-id=2800&filter=business-1-Industrial%20Automation%20and%20Control
Learn more about what an HMI does and the main components and a look at a typical HMI.
Further details:
http://www.schneider-electric.com/en/product-category/2100-HMI%20(Terminals%20and%20Industrial%20PC)?filter=business-1-Industrial%20Automation%20and%20Control
Where will the next 80% improvement in data center performance come from? (Schneider Electric)
Rick Puskar, Head of Marketing for Schneider Electric's IT Division presents at the Gartner Symposium in Barcelona November 8th, 2017. In this presentation Rick discusses where the next 80% improvement in data center performance will come from with a focus on the speed, availability and reliability of data. Learn how a cloud-based data center infrastructure management as a service architecture like Schneider Electric's EcoStruxure IT can drive such aggressive goals around data center performance.
Learn how EcoStruxure is digitizing industry with IIoT to increase end-to-end operational efficiency with more dynamic control for better business results.
Learn more about our System Integrator Alliance Program - A global partnership transforming industry and infrastructure by helping them make the most of their processes, the most of their assets and the most of their energy.
EcoStruxure, IIoT-enabled architecture, delivering value in key segments. (Schneider Electric)
As presented during the Alliance 2017 event, learn how to deliver integrated solutions based on EcoStruxure, our IIoT-enabled architecture for Wastewater, Food and Beverage and Mining, Minerals and Metals.
A Practical Guide to Ensuring Business Continuity and High Performance in Hea... (Schneider Electric)
Within healthcare facilities, high availability of systems is a key influencer of revenue and patient safety and satisfaction. Three important critical success factors need to be addressed in order to achieve safety and availability goals. These include exceeding the facility’s level of regulatory compliance, a linking of business benefits to the maintenance of a safe and an “always on” power and ventilation environment, and a sensible approach to technology upgrades that includes new strategies for “selling” technological improvements to executives. This reference guide offers recommendations for identifying and addressing each of these issues.
Connected Services Study – Facility Managers Respond to IoT (Schneider Electric)
According to a new 2017 study commissioned by Schneider Electric, facility managers are increasingly looking to leverage the Internet of Things (IoT) by implementing new digital technologies like intelligent analytics to improve maintenance decisions and operations. Explore the full results on how facility managers are reacting to IoT when it comes to facility maintenance.
Learn more about cabling and accessories and the complete ranges available, featuring 3 types of cable to suit the environment. For more details: http://www.schneider-electric.com/en/product-subcategory/88035-cordset-and-connectors/?filter=business-1-industrial-automation-and-control&parent-category-id=4900
This briefing will look at the general purpose of Photoelectric sensors and Photoelectric fork and frame sensors. For more details: http://www.tesensors.com/global/en/product/photoelectric/xu/?filter=business-1-automation-and-control&parent-category-id=4900/
A world-class global brand offering a comprehensive line of Limit Switches complying with international standards: IEC, UL, CSA, CCC, GOST. For more details: http://www.tesensors.com/global/en/product/limit-switches/xc-standard/?cat_id=BU_AUT_520_L4&conf=sensors&el_typ=node&nod_id=0000000002&prev_nod_id=0000000001&scp_id=Z000
PHP Frameworks: I want to break free (IPC Berlin 2024) (Ralf Eggert)
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf (91mobiles)
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor... (Neo4j)
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... (DanBrown980551)
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices want to take full advantage of the features available on those devices, but many of those features trade security for convenience and capability. This best practices guide outlines steps users can take to better protect personal devices and information.
Essentials of Automations: The Art of Triggers and Actions in FME (Safe Software)
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
A tale of scale & speed: How the US Navy is enabling software delivery from l... (sonjaschweigert1)
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Summary

Executive Summary (p 1)
Introduction (p 2)
Understanding CIP objectives (p 4)
Core Security Principles (p 5)
NERC CIP technical control guidelines (p 6)
Finding your compliance solution (p 10)
Conclusion (p 11)
NERC Critical Infrastructure Protection (CIP) and Security for Field Devices
Executive summary
The North American Electric Reliability Corporation (NERC) maintains a set of
Critical Infrastructure Protection (CIP) guidelines that address a broad range of
critical cyber asset and cyber security issues. These guidelines describe the
security-focused procedures that, in combination with compliant technology,
enable secure electric grid operations. The CIP guidelines do not specify the
technologies that must be deployed. Instead, they describe the technology design
necessary to build an information management architecture that complies with
security goals.
These goals include the minimizing of administrative authorization needed for
operational functions. Rights and privileges are to be assigned to a functional role,
not a named individual. Audit trails of field data device and substation activity,
similar to control room auditability, must be maintained to assure comprehensive
confidence in data and controls.
The six CIP guidelines summarized in the paper speak to the procedures and
policies that are vital to critical cyber asset security – personnel authorizations;
personnel training; security of the information management system’s electronic
perimeter; security of the information management system’s physical assets;
operational security; and incident reporting and response planning.
The utility builds its CIP-compliant program with defined procedures addressing
these guidelines, coupled with the hardware and software that enable full
implementation of these procedures. Training of all personnel is necessary for
effective and efficient compliance.
White paper | 01
Introduction

In this paper, we target 'the myth of compliance.'

While the term 'compliant' most often refers to products – the software and devices deployed in daily field operations of the electric grid – we at Telvent see security compliance as a 'process.' Through our extensive experience working with critical infrastructure asset owners, vendors and regulatory agencies, we know full compliance is achieved only when compliant hardware and software are complemented by information management procedures reflecting strong security principles.

Here, we discuss in general how consistent NERC Critical Infrastructure Protection (CIP) compliance reflects best security practices combining:
• Core security principles
• Technical controls defined by CIP guidelines
• A strong level of discipline within the user organization and its vendor organizations
Understanding CIP objectives

What CIP does. CIP provides general security guidance toward achieving the minimal level of security required for safe and secure operations.

What CIP does not do. CIP does not prescribe or specify the technologies to be deployed to meet secure operational goals. It defines objectives, not how the user must achieve them. With the responsibility of meeting secure operations objectives, the user also has the choice of which technology will best serve its needs in meeting those objectives.

CIP covers both technical and operational compliance. It is the combination of compliant technology and security-focused procedures that enables CIP-compliant operations; see Figure 1.

In this way, CIP challenges asset owners to consider security a 'holistic' issue that actively targets not only system design and installation but also daily processes. Compliant technology establishes a minimal level of authentication, authorization and auditability. The asset owner must actively build on that compliance foundation to realize a strong security culture within the organization.

[Figure 1: compliance-capable hardware, given a secure configuration, yields CIP-compliant devices; these combine with CIP-compliant operations and CIP-compliant training processes.]
Figure 1. Technology, in and of itself, does not impart CIP compliance. Rather, the user must build a program that assures its compliant technology is deployed and operated to create the level of security required to achieve compliance.
Core Security Principles

Let's review the security principles that are fundamental in molding a CIP-compliant information management architecture:

Principle of Least Privilege (PoLP). This principle describes the technology design – the design of applications and field devices – that allows operation with the minimum amount of administrative authorization. A granular-access approach to operational control limits authority to each employee's functions; any control authorized beyond defined operational functions invites errors that could have inadvertent, far-reaching impact – and even invites malicious abuse. While many legacy systems might not accommodate highly granular access, newer technology is being designed to meet this criterion.

Role-based Access Control (RBAC). Rights and privileges associated with any network device are assigned to an administrative role or job duty, rather than to a named individual. This approach allows individuals to move in and out of roles within the organization without complicated re-definition of that person's authorization, supporting continuous compliance and limiting authorization errors. It also supports the centralized management essential in an efficient, integrated network.

Audit trails. While maintaining audit trail capability is familiar in the control room, CIP compliance extends this concept to operation of field devices. By maintaining an awareness of field data activity and changes at the device and substation level, the user can integrate that data into centralized control with confidence. The intent is not only to provide the means for documenting system management in the recent past but also to enable real-time assessment of whether the CIP controls in place are appropriate – doing their job and meeting compliance goals.

Information management: key for security – and more

Reliable information management serves critical infrastructure security by:
• Maintaining infrastructure availability – preventing acts, intentional or accidental, from interrupting operations
• Preserving data integrity – to support the quality of operational decision-making as well as meet regulatory/auditing scrutiny

The robust information management system also can enforce data confidentiality, allowing it to be used for:
• Accounting purposes
• Business-critical processes
• Customer consumption

With a compliant information management architecture, the asset owner will:
• Know and control who is allowed to access the system
• Know and control what each individual is allowed to do on the system
• Know and control what can be done by an individual based on where the individual is accessing the system
• Know what each individual has done on the system
• Prevent access to critical assets from any location where any of the above situations is not true
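The three principles above, least privilege, role-based assignment and an audit trail of every attempt, together with the "know and control who, what, and from where" list, can be shown working in a few dozen lines. The Python below is an added example written for this page; it is not Telvent code and not any vendor's device firmware. The role names, privilege strings, network ranges, account names and passwords are assumptions for illustration.

```python
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass
from datetime import datetime, timezone

# Privileges are attached to a functional role, never to a named person.
# Role and privilege names are assumptions for illustration.
ROLE_PRIVILEGES = {
    "viewer":   {"read_config", "read_events"},
    "operator": {"read_config", "read_events", "operate_breaker"},
    "engineer": {"read_config", "read_events", "write_config", "load_firmware"},
    "admin":    {"read_config", "read_events", "manage_users"},
}

# Where each role may be exercised from ("know and control ... based on where").
# A role absent from this map (viewer) may be used from any source. Assumed addresses.
ROLE_ALLOWED_NETWORKS = {
    "operator": [ipaddress.ip_network("10.10.0.0/24")],      # control-centre SCADA LAN
    "engineer": [ipaddress.ip_network("10.10.0.0/24"),
                 ipaddress.ip_network("10.20.5.0/24")],      # engineering workstation LAN
    "admin":    [ipaddress.ip_network("10.10.0.0/24")],
}


def _hash_password(password: str, salt: bytes) -> bytes:
    # The device keeps a salted PBKDF2 hash, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    user_id: str      # one account per individual, never shared
    role: str
    salt: bytes
    pw_hash: bytes
    enabled: bool = True


def make_account(user_id: str, role: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(user_id, role, salt, _hash_password(password, salt))


class FieldDevice:
    """Deny-by-default authorization and audit logging of a field device."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.audit_log: list[dict] = []

    def add_account(self, acct: Account) -> None:
        self.accounts[acct.user_id] = acct

    def set_role(self, user_id: str, role: str) -> None:
        # Moving a person to another role touches nothing about their credential.
        self.accounts[user_id].role = role

    def revoke(self, user_id: str) -> None:
        # Termination: disable rather than delete, so the audit trail keeps the name.
        self.accounts[user_id].enabled = False

    def _record(self, user_id, action, source_ip, allowed, reason) -> None:
        # Every attempt, allowed or denied, is time-tagged for later audit.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "user": user_id, "action": action, "source": source_ip,
            "result": "ALLOW" if allowed else "DENY", "reason": reason,
        })

    def authenticate(self, user_id: str, password: str) -> bool:
        acct = self.accounts.get(user_id)
        if acct is None or not acct.enabled:
            return False
        return hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash)

    def request(self, user_id: str, password: str, action: str, source_ip: str) -> bool:
        """Allow an action only when every check passes; otherwise deny and log why."""
        if not self.authenticate(user_id, password):
            self._record(user_id, action, source_ip, False, "authentication failed")
            return False
        role = self.accounts[user_id].role
        if action not in ROLE_PRIVILEGES.get(role, set()):
            self._record(user_id, action, source_ip, False, f"role {role} lacks {action}")
            return False
        allowed_nets = ROLE_ALLOWED_NETWORKS.get(role)
        if allowed_nets is not None:
            try:
                addr = ipaddress.ip_address(source_ip)
            except ValueError:
                addr = None                      # e.g. a dial-up port name: not an IP
            if addr is None or not any(addr in net for net in allowed_nets):
                self._record(user_id, action, source_ip, False, "source not permitted for role")
                return False
        self._record(user_id, action, source_ip, True, "ok")
        return True


if __name__ == "__main__":
    dev = FieldDevice()
    dev.add_account(make_account("jsmith", "operator", "corr3ct-horse"))
    print(dev.request("jsmith", "corr3ct-horse", "operate_breaker", "10.10.0.5"))   # True
    print(dev.request("jsmith", "corr3ct-horse", "operate_breaker", "192.168.1.5")) # False
    for entry in dev.audit_log:
        print(entry)
```

Two design points carry the paper's argument: `set_role` and `revoke` change a person's authority without touching their credential, which is what lets people move between jobs without re-issuing accounts, and `_record` writes a time-tagged entry for denied attempts as well as allowed ones, since a denied attempt from an unexpected source is exactly what the real-time assessment described above needs to see.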
NERC CIP technical control guidelines

The NERC CIP document addresses a broad range of Critical Cyber Asset (CCA) and Cyber Security issues; here, we very briefly review six of the CIP guidelines that apply to operation of electric network field devices; also see Table 1. The full text of the NERC CIP standard can be found at http://www.nerc.com.

CIP-003 Security Management Controls describes the development of a cyber security policy and documentation of that policy in a way that it can be updated and that all staff are aware of the policy. It discusses management of personnel who have access to the CCAs and identification of users with different privileges, roles and responsibilities.
• The user will want to look for hardware that can be configured to allow a specific ID for each user, and for addition and deletion of privileged users and of users with different levels of access. Hardware that documents not only access but also the details of functions performed during the access is a big advantage; this downloadable User Log will provide an audit trail for CIP compliance.

CIP-004 Personnel and Training identifies the personnel training and awareness recommended for supporting security-related operations and procedures. It cites CCA user identification lists that are reviewed periodically and can be modified to change both users and user privileges.
• Devices that accept addition or deletion of users and/or privileges remotely allow quick updates and keep functionality accurately maintained.

CIP-005 Electronic Security Perimeter(s) deals with identification and protection of ESP access points and communications. In some places, this CIP guideline uses vaguely worded phrases such as "where technically feasible"; this wording makes it difficult for the organization to fully understand requirements.

While encryption is not identified specifically as a guideline for ESP access, CIP-005 does speak to:
• Security of dial-up access – it is unclear whether a user name and password alone constitute 'secure' access. Use of a 'call back' modem, or a SCADA-controlled relay that closes the line for an authorized session and opens it when not needed, adds protection beyond the credential alone.
  - An alternative to a dial-up connection is the Ethernet strategy, providing an IP tunnel that eliminates the dial-up channel. Another plus: with employees equipped with cell phones, replacing dial-up access also eliminates any need for a phone line into the substation.
• Access denied by default – access requires a password, and the password must be changeable
• Enabling and disabling ports or functions deemed not needed – at the most basic level, a firewall capability serves this purpose
• Appropriate-use banner – in our opinion, most likely a legal shield
• Monitoring, logging and warnings for user access or attempted access – simple if the device has alarm generation and logging ability, most useful if the alarm alert is in real time
  - Consider hardware that generates an alarm each time a user logs in, to initiate automatic user validation by SCADA or other means. IP tunnel capability eliminates dial-up access, and IP filter capability adds an additional layer of security.

CIP-006 Physical Security discusses physical accessibility to equipment, including:
• Mounting equipment in lockable enclosures
• Remote control of locks
• Access alarms indicating a door or gate is open
• Card keys, video cameras, etc.
• Logging of user logins and failed login attempts
  - Devices that can integrate card keys and/or video initiation with access alarms enhance security of the physical perimeter.

About NERC

The North American Electric Reliability Corporation (NERC) is an international regulatory authority established to evaluate reliability of the bulk power system in North America. NERC develops and enforces Reliability Standards; assesses adequacy annually via ten-year forecasts and winter and summer forecasts; monitors the bulk power system; and educates, trains, and certifies industry personnel. NERC is the electric reliability organization for North America, subject to oversight by the U.S. Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada. For more information, visit http://www.nerc.com

Table 1. Summary of CIP issues
Each entry gives the requirement, the NERC CIP standard(s) it maps to, and the compliant hardware capabilities.

User Access (CIP-004, CIP-005, CIP-007):
• Individual user accounts/passwords
• Privileges defined on a per-user basis
• Strong passwords supported
• Passwords hidden when entered

Access Control (CIP-003, CIP-004, CIP-005):
• Passwords can be managed from a central location
• Multiple admin-type accounts can be configured
• User Log, IP Filter list

Electronic Security Perimeter (CIP-003, CIP-005, CIP-007):
• Elimination of dial-up access with use of IP tunnel
• Appropriate banner usage
• Electronic access logged; can be monitored and alarmed
• Port data paths configurable
• SSL / SSH on the LAN

Logging of Access and Usage (CIP-003, CIP-004, CIP-007, CIP-008):
• Every access attempt logged
• Resets logged
• User changes logged
• Time-tagged events logged

Personnel termination / privilege changes (CIP-004, CIP-007):
• User accounts revocable by administrator
• User accounts 'downgradable' to a lower level of authority

Security Software Management (CIP-007):
• All software upgrades available for real-time updates
• Non-Windows-based OS

Alerts and Notifications (CIP-005, CIP-007, CIP-008):
• Every access attempt logged
• Access notification alarms available to SCADA
CIP-007 Systems Security Management deals with operating issues such as security patches, virus protection, vendor releases and event logging. References to device security reinforce CIP-005 concepts:
• Ability to enable or disable unused or unneeded ports and services – or a compensating factor that will mitigate risk, such as physical security
• Security patches and firmware upgrades
• Anti-virus and malware protection – driven by the operating system
  - Because of the widespread deployment of the Windows® operating system, most commodity malware targets it, so a device running a non-Windows OS is less exposed to that threat and may be a less attractive target for opportunistic attackers. It is not inherently immune: any operating system needs its patches applied, and a targeted attacker works against whatever the device runs. In any case, user login monitors and alarms and the use of individual, distinct passwords reduce risk.
• Individual, not shared, accounts – as mentioned under CIP-003 controls, privileges should be defined on a per-role basis
• Logs and audit trails
  - Login and failed login attempts generate mappable alarm indications
• Any access requires a valid, strong password
  - Devices that support centralized password management facilitate the requirement for password control.
• Users can be assigned different levels of access based on need
  - View only
  - Other levels/privileges
  - Administrator, who can control access by other users
• Passwords are never stored or displayed in plaintext; on the device they should be kept as salted hashes or otherwise protected
• Equipment should be wiped on disposal, either by memory erase or by physically destroying the memory chip if necessary
  - If a device fails, it might be difficult to effectively erase memory. Look for devices that have removable media.

CIP-008 Incident Reporting and Response Planning relates to the managing and handling of reports and logs. While collecting and storing logs for historical reference is necessary, how that retention is done is determined by the hardware and the organization's capabilities.
• Remote electronic download of the user log, SOE (sequence of events) log, system log and control log facilitates documentation for reports and the compliance audit trail, compared with collection via a physical tap.

The Electronic Security Perimeter

The majority of the 'surface area of the ESP' involves field device hardware; see Figure 2. For this reason, the technical security controls defined by CIP focus on control of access to and communication with field devices.

[Figure 2: the security risk/surface area of the ESP, drawn across the layers field devices, data gathering/substations, communications, control system, business support and enterprise infrastructure.]
Figure 2. Proper device configuration is a key step in CIP compliance.
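CIP-007 and CIP-008 above call for every access attempt, reset and user change to be time-tagged and logged, and for a downloaded user log to feed incident reporting. As an added example, not part of the original paper and not any vendor's tool, the Python below runs a few alarm rules over a constructed user log: a burst of failed logins against one account, a successful login from a source outside the device's IP filter list, any event that changes the device's security state, and lines the parser cannot read. The log line format, the addresses, the thresholds and the event names are all assumptions; a real device's log would need only `LINE_RE` and `REVIEW_EVENTS` adapted.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format for a downloaded device user log (not a real vendor format).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<device>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+)"
    r"(?: result=(?P<result>\S+))?(?: detail=(?P<detail>.*))?$"
)

# IP filter list the device is expected to enforce (assumed addresses).
IP_FILTER = [ipaddress.ip_network("10.10.0.0/24"),
             ipaddress.ip_network("10.20.5.0/24")]
FAIL_THRESHOLD = 3                   # this many failed logins for one account ...
FAIL_WINDOW = timedelta(minutes=5)   # ... within this window raise an alarm
# Events that change the device's security state and always merit review.
REVIEW_EVENTS = {"USER_ADD", "USER_DEL", "PRIV_CHANGE", "FIRMWARE_LOAD", "RESET"}

# Constructed sample log: one account attacked by password guessing, then
# abused to add a user; a legitimate engineer session; one damaged line.
SAMPLE_LOG = """\
2024-06-06T12:00:01Z rtu-ss12 user=jsmith src=10.10.0.5 event=LOGIN result=OK
2024-06-06T12:00:40Z rtu-ss12 user=jsmith src=10.10.0.5 event=LOGOUT
2024-06-06T12:03:10Z rtu-ss12 user=admin src=198.51.100.7 event=LOGIN result=FAIL
2024-06-06T12:03:25Z rtu-ss12 user=admin src=198.51.100.7 event=LOGIN result=FAIL
2024-06-06T12:03:41Z rtu-ss12 user=admin src=198.51.100.7 event=LOGIN result=FAIL
2024-06-06T12:04:02Z rtu-ss12 user=admin src=198.51.100.7 event=LOGIN result=OK
2024-06-06T12:04:30Z rtu-ss12 user=admin src=198.51.100.7 event=USER_ADD detail=new user svc_tmp role=engineer
2024-06-06T13:15:00Z rtu-ss12 user=pnair src=10.20.5.31 event=LOGIN result=OK
2024-06-06T13:16:12Z rtu-ss12 user=pnair src=10.20.5.31 event=FIRMWARE_LOAD detail=v4.2.1
2024-06-06T13:20:00Z rtu-ss12 user=pnair src=10.20.5.31 event=RESET
garbage line from a damaged download
"""


def parse_line(line: str):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def source_listed(src: str) -> bool:
    """True only for a valid IP address inside the filter list."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:          # e.g. a dial-up port name: not an IP, so not listed
        return False
    return any(addr in net for net in IP_FILTER)


def analyze(lines):
    """Return a list of alarm dicts, one per condition found, in log order."""
    alarms = []
    recent_failures = defaultdict(deque)     # (device, user) -> failure timestamps

    def raise_alarm(rec, kind, detail):
        alarms.append({
            "ts": rec["ts"].isoformat() if rec else None,
            "device": rec["device"] if rec else None,
            "user": rec["user"] if rec else None,
            "kind": kind, "detail": detail,
        })

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            # A line that cannot be read is itself evidence worth an alarm.
            raise_alarm(None, "UNPARSED_LINE", line)
            continue
        if rec["event"] == "LOGIN" and rec["result"] == "FAIL":
            q = recent_failures[(rec["device"], rec["user"])]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > FAIL_WINDOW:   # drop failures outside the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                raise_alarm(rec, "LOGIN_FAILURE_BURST",
                            f"{len(q)} failures from {rec['src']} within {FAIL_WINDOW}")
                q.clear()                                  # alarm once per burst
        elif rec["event"] == "LOGIN" and rec["result"] == "OK":
            if not source_listed(rec["src"]):
                raise_alarm(rec, "LOGIN_FROM_UNLISTED_SOURCE",
                            f"source {rec['src']} not in IP filter list")
        if rec["event"] in REVIEW_EVENTS:
            raise_alarm(rec, "CHANGE_REQUIRES_REVIEW",
                        f"{rec['event']} {rec['detail'] or ''}".strip())
    return alarms


if __name__ == "__main__":
    for alarm in analyze(SAMPLE_LOG.splitlines()):
        print(alarm)
```

The same rules can run at the SCADA master as the device's log is downloaded, which is the real-time alarm path the paper prefers, or over an archived log during an incident review. Unparsed lines are reported rather than skipped so that a damaged or truncated download is noticed rather than silently shortening the audit trail.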
Finding your compliance solution

CIP guidelines are drawn to identify the desired goal; it is up to the organization to institute the hardware, software and processes that best allow it to meet these goals.

For example, the utility can determine where its physical and electronic security perimeters begin and end. Figure 3 shows a typical substation where the control house, in essence, is the physical security perimeter. Electronic security perimeters are effectively constructed around the devices, such as the router and dial-up control, that are communication end points. Depending on the number and frequency of patches and updates that are anticipated to be needed for substation devices, the organization might consider segregating the router and substation controller (or excluding the substation controller alone) from the electronic security perimeter. This might reduce the point-to-point testing time and effort that follows application of patches and upgrades.

Bottom line: the organization is responsible for writing the procedures that make compliance with CIP guidelines efficient and effective.

[Figure 3: a typical substation. The physical security perimeter encloses the control house: substation controller, DMS/HMI, RTU, discrete I/Os, legacy relay IEDs, capacitor bank IEDs, meters, LTCs and other smart devices/IEDs. The electronic security perimeter is drawn around the communication end points (router, dial-up and wireless comms) that link the substation to the SCADA master, the phone line and the pole-top/remote IEDs.]
Figure 3. The utility should keep the ESP as small as possible.
Conclusion
One requirement CIP guidelines don’t spell out is the need for adaptability and intra-
organization cooperation. Security is an arms race, and the electric utility requires
considerable cooperation and integration within the organization to stay agile enough
to adapt to changing challenges and still meet compliance.
Careful consideration of hardware and software choices will help the utility institute
the continual modifications that are needed to meet the moving target of critical
infrastructure protection. Flexible asset access controls are a must to mitigate
changing risks. Above all, dedicated intra-organization communications and training
that emphasize security make every employee part of the solution – and assure that
security is a successful process.