SlideShare a Scribd company logo
NERC Critical Infrastructure
Protection (CIP) and Security for
Field Devices
Compliance principles and requirements




Make the most of your energy        SM
Summary

Executive Summary . ................................................................................... p	 1

Introduction ................................................................................................. p 	2

Understanding CIP objectives ...................................................................... p 	4

Core Security Principles . ............................................................................. p 	5

NERC CIP technical control guidelines . ....................................................... p 	6

Finding your compliance solution.................................................................. p 	10

Conclusion................................................................................................... p 11
NERC Critical Infrastructure Protection (CIP) and Security for Field Devices




Executive summary

The North American Electric Reliability Corporation (NERC) maintains a set of
Critical Infrastructure Protection (CIP) guidelines that address a broad range of
critical cyber asset and cyber security issues. These guidelines describe the
security-focused procedures that, in combination with compliant technology,
enable secure electric grid operations. The CIP guidelines do not specify the
technologies that must be deployed. Instead, they describe the technology design
necessary to build an information management architecture that complies with
security goals.


These goals include the minimizing of administrative authorization needed for
operational functions. Rights and privileges are to be assigned to a functional role,
not a named individual. Audit trails of field data device and substation activity,
similar to control room auditability, must be maintained to assure comprehensive
confidence in data and controls.


The six CIP guidelines summarized in the paper speak to the procedures and
policies that are vital to critical cyber asset security – personnel authorizations;
personnel training; security of the information management system’s electronic
perimeter; security of the information management system’s physical assets;
operational security; and incident reporting and response planning.


The utility builds its CIP-compliant program with defined procedures addressing
these guidelines, coupled with the hardware and software that enable full
implementation of these procedures. Training of all personnel is necessary for
effective and efficient compliance.




                                                                                                                                                 White paper | 01
NERC Critical Infrastructure Protection (CIP) and Security for Field Devices




Introduction

In this paper, we target ‘the myth of compliance.’


While the term ‘compliant’ most often refers to products – the software and
devices deployed in daily field operations of the electric grid – we at Telvent see
security compliance as a ‘process.’ Through our extensive experience working
with critical infrastructure asset owners, vendors and regulatory agencies, we
know full compliance is achieved only when compliant hardware and software is
complemented by information management procedures reflecting strong security
principles.


Here, we discuss in general how consistent NERC Critical Infrastructure Protection
(CIP) compliance reflects best security practices combining:


• Core security principles


• Technical controls defined by CIP guidelines


•  strong level of discipline within the user organization and its vendor
  A
 organizations




                                                                                                                                           White paper | 02
NERC Critical Infrastructure
Protection (CIP) and Security
for Field Devices
NERC Critical Infrastructure Protection (CIP) and Security for Field Devices




Understanding CIP objectives

What CIP does. CIP provides general security                  CIP covers both technical and operational
guidance toward achieving the minimal level of                compliance. It is the combination of compliant
security required for safe and secure operations.             technology and security-focused procedures that
                                                              enable CIP-compliant operations; see Figure 1.
What CIP does not do. CIP does not prescribe or
specify the technologies to be deployed to meet               In this way, CIP challenges asset owners to
secure operational goals. It defines objectives,              consider security a ‘holistic’ issue that actively targets
not how the user must achieve them. With the                  not only system design and installation but also
responsibility of meeting secure operations objectives,       daily processes. Compliant technology establishes
the user also has the choice of which technology will         a minimal level of authentication, authorization and
best serve its needs in meeting those objectives.             audit ability. The asset owner must actively build
                                                              on that compliance foundation to realize a strong
                                                              security culture within the organization.




   Compliance-               Secure              CIP Compliant
 Capable Hardware         Configuration             Devices
                                                                         CIP Compliant
                                                                          Operations
                                                 CIP Compliant
      Training                                     Processes


Figure 1. Technology, in and of itself, does not impart CIP compliance. Rather, the user
must build a program that assures its compliant technology is deployed and operated to
create the level of security required to achieve compliance.




                                                                                                                                               White paper | 04
NERC Critical Infrastructure Protection (CIP) and Security for Field Devices




Core Security Principles

Let’s review the security principles that are
fundamental in molding a CIP-compliant information
                                                             Information management key for
management architecture:                                     security – and more

Principle of Least Privilege (PoLP). This principle          Reliable information management serves
describes the technology design – the design                 critical infrastructure security by –
of applications and field devices – that allows
                                                             •  aintaining infrastructure availability –
                                                               M
operation with the minimum amount of administrative
                                                               preventing acts, intentional or accidental,
authorization. A granular-access approach to                   from interrupting operations
operational control limits authority to each employee’s
functions; any control authorized beyond defined             •  reserving data integrity – to support the
                                                               P
operational functions invites errors that could have           quality of operational decision-making as well
inadvertent, far-reaching impact – and even invite             as meet regulatory/auditing scrutiny
malicious abuse.
                                                             The robust information management system
                                                             also can enforce data confidentiality, allowing it
While many legacy systems might not accommodate
                                                             to be used for:
highly granular access, newer technology is being
designed to meet this criterion.                             • Accounting purposes

Role-based Access Controls (RbAC). Rights and                • Business-critical processes
privileges associated with any network device are
assigned to an administrative role or job duty, rather       • Customer consumption
than to a named individual. This approach allows
individuals to move in and out of roles within the        With compliant information management architecture,
organization without complicated re-definition of         the asset owner will:
that person’s authorization, supporting continuous
compliance and limiting authorization errors. It also     • Know and control who is allowed to access the
supports the centralized management essential in an       system
efficient, integrated network.
                                                          • Know and control what each individual is allowed to
Audit trails. While maintaining audit trail capability    do on the system
is familiar in the control room, CIP compliance
extends this concept to operation of field devices.       • Know and control what can be done by an
By maintaining an awareness of field data activity        individual based on where the individual is accessing
and changes at the device and substation level, the       the system
user can integrate that data into centralized control
with confidence. The intent is to not only provide the    • Know what each individual has done on the system
means for documenting system management in the
recent past but to also enable real-time assessment       • Prevent access to critical assets from any location
of whether the CIP controls in place are appropriate –    where any of the above situations is not true
doing their job and meeting compliance goals.




                                                                                                                                           White paper | 05
NERC Critical Infrastructure Protection (CIP) and Security for Field Devices




NERC CIP technical control
guidelines
The NERC CIP document addresses a broad range
of Critical Cyber Asset (CCA) and Cyber Security
                                                             About NERC
issues; here, we very briefly review six of the CIP
guidelines that apply to operation of electric network       The North American Electric Reliability
                                                             Corporation (NERC) is an international
field devices; also see Table 1. The full text of the
                                                             regulatory authority established to evaluate
NERC CIP standard can be found at http://www.
                                                             reliability of the bulk power system in North
nerc.com.                                                    America. NERC develops and enforces
                                                             Reliability Standards; assesses adequacy
CIP-003 Security Management Controls describes               annually via ten-year forecasts and winter and
the development of a cyber security policy and               summer forecasts; monitors the bulk power
documentation of that policy in a way that it can            system; and educates, trains, and certifies
                                                             industry personnel. NERC is the electric
be updated and that all staff is aware of the policy.
                                                             reliability organization for North America,
It discusses management of personnel who have                subject to oversight by the U.S. Federal
access to the CCAs and identification of users with          Energy Regulatory Commission (FERC) and
different privileges, roles and responsibilities.            governmental authorities in Canada. For more
                                                             information, visit http://www.nerc.com
•  he user will want to look for hardware that can be
  T
  configured to allow a specific ID for each user and     CIP guideline uses vaguely worded phrases such
  for addition and deletion of privileged users and for   as “where technically feasible”; this wording makes
  users with different levels of access. Hardware that    it difficult for the organization to fully understand
  documents not only access but also documents            requirements.
  details of functions performed during the access is
  a big advantage; this downloadable User Log will        While encryption is not identified specifically as a
  provide an audit trail for CIP compliance.              guideline for ESP access, CIP-005 does speak to:

CIP-004 Personnel and Training identifies the             •  ecurity of dial-up access – unclear if having a
                                                            S
personnel training and awareness recommended                password and User Name to access constitutes
for supporting security-related operations and              ‘secure.’ Use of a ‘call back’ modem or a SCADA-
procedures. It cites CCA user identification lists that     controlled relay that is closed for access and
are reviewed periodically and can be modified to            opened when not needed provides adequate
change both users and user privileges.                      security.

•  evices that accept addition or deletion of users
  D                                                         -  n alternative to dial-up connection is the
                                                              A
  and/or privileges remotely allow updates quickly            Ethernet strategy, providing the IT tunnel that
  and keep functionalities accurately maintained.             eliminates a dial-up channel. Another plus: with
                                                              employees equipped with cell phones, replacing
CIP-005 Electronic Security Perimeter(s) deals                dial-up access also eliminates any need for a
with identification and protection of ESP access              phone line into the substation.
points and communications. In some places, this




                                                                                                                                          White paper | 06
NERC Critical Infrastructure Protection (CIP) and Security for Field Devices




•  ccess denied by default – access requires
  A                                                                                                    TABLE 1
 password, and password changeability
                                                                                      Summary of CIP Issues
•  nabling and disabling ports or functions deemed
  E                                                       Requirement                  NERC CIP          Compliant hardware capabilities
 not needed – at the most basic level, a firewall                                      Standard
 capability serves this purpose                           User Access                  CIP-004           • ndividual user accounts/
                                                                                                           I
                                                                                       CIP-005             passwords
                                                                                       CIP-007           •  rivileges defined on a per-
                                                                                                           P
•  ppropriate-use banner – in our opinion, most likely
  A
                                                                                                           user basis
 a legal shield                                                                                          • Strong passwords supported
                                                                                                         •  asswords hidden when
                                                                                                           P
•  onitoring, logging and warnings for user access or
  M                                                                                                        entered
 attempted access – simple if the device has alarm        Access Control               CIP-003           • 
                                                                                                           Passwords can be managed
 generation and logging ability, most useful if alarm                                  CIP-005             from central location
                                                                                       CIP-004           •  ultiple admin-type accounts
                                                                                                           M
 alert is in real time                                                                                     can be configured
                                                                                                         • User Log, IP Filter list
  -  onsider hardware that generates an alarm each
    C                                                     Electronic Security          CIP-005           •  limination of dial-up access
                                                                                                           E
   time a user logs in to initiate automatic user         Perimeter                    CIP-003             with use of IP tunnel
   validation by SCADA or other means. IP Tunnel                                       CIP-007           • Appropriate banner usage
                                                                                                         •  lectronic access logged; can
                                                                                                           E
   capability eliminates dial-up access, and IP filter
                                                                                                           be monitored and alarmed
   capability adds an additional layer of security.                                                      • Port data paths configurable
                                                                                                         • SSL / SSH LAN
CIP-006 Physical Security discusses physical              Logging of                   CIP-003           •   Every access attempt logged
accessibility to equipment, including:                    Access and Usage             CIP-004           •   Resets logged
                                                                                       CIP-007           •   User changes logged
                                                                                       CIP-008           •   Time-tagged events logged
• Mounting equipment in lockable enclosures
                                                          Personnel termination/       CIP-004           •  ser accounts revocable by
                                                                                                           U
                                                          privilege changes            CIP-007             administrator
• Remote control of locks                                                                                •  ser accounts ‘downgradable’
                                                                                                           U
                                                                                                           to lower level of authority
• Access alarms indicating a door or gate is open         Security Software            CIP-007           •  ll software upgrades available
                                                                                                           A
                                                          Management                                       for real-time updates
• Card keys, video cameras, etc.                                                                         • Non-Windows-based OS
                                                          Alerts and                   CIP-005           • Every access attempt logged
• User logged in and failed login attempts                Notifications                CIP-007           •  ccess notification alarms
                                                                                                           A
                                                                                       CIP-008             available to SCADA

  -  evices that can integrate card keys and/or video
    D
   initiation with access alarms enhance security of
   the physical perimeter.




                                                                                                                                       White paper | 07
NERC Critical Infrastructure Protection (CIP) and Security for Field Devices




CIP-007 Systems Security Management deals
with operating issues such as security patches,
                                                           The Electronic Security Perimeter
virus protection, vendor releases and event logging.
References to device security reinforce CIP-005            The majority of ‘surface area of the ESP’
                                                           involves field device hardware; see Figure 2.
concepts:
                                                           For this reason, the technical security controls
                                                           defined by CIP focus on control of access and
•  bility to enable or disable unused or unneeded
  A                                                        communication of field devices.
 ports and services – or compensating factor that
 will mitigate risk, such as physical security


• Security patches and firmware upgrades                                         ESP


•  nti-virus and malware protection – driven by the
  A
                                                                            Field Devices
 operating system


  -  erely due to the widespread deployment of
    M                                                                     Data Gathering/




                                                                                                           Security Risk/Surface Area
   the Windows® operating system, the use of a                             Substations

   non-Windows OS might reduce the possibility
   of targeted attack. Devices that operate on a                               Comms
   non-Windows OS might be inherently immune to
   typical virus and malware threats and less likely
   to be targeted by hackers or persons intent on
   causing harm. In any case, user login monitors
   and alarms and use of discrete passwords                                    Control
                                                                               System
   minimize risk.


• ndividual, not shared, accounts – as mentioned in
  I                                                                      Business Support
 CIP-003 controls, privileges should be defined on a
 per-role basis
                                                                    Enterprise Infrastructure
  - Logs and audit trails –


  -  ogin and failed login attempts generate mapable
    L                                                   Figure 2. Proper device configuration is a key step in CIP
   alarm indications                                    compliance.


• Any access requires valid, strong password


  -  evices that support centralized password
    D
   management facilitate the requirement for
   password control.




                                                                                                                                         White paper | 08
NERC Critical Infrastructure Protection (CIP) and Security for Field Devices




•  sers can be assigned different levels of access
  U
 based on need


  - View Only


  - Other levels/privileges


  -  dministrator who can control access by other
    A
    users


• All passwords are stored, hidden or encrypted


•  quipment should be wiped on disposal, either
  E
 by memory erase or physically destroying the
 microchip if necessary


  - f a device fails, it might be difficult to effectively
    I
    erase memory. Look for devices that have
    removable media.


CIP-008 Incident Reporting and Response
Planning relates to the managing and handling of
reports and logs. While collecting and storing logs for
historical reference is necessary, how that retention
is done is determined by the hardware and the
organization’s capabilities.


•  emote electronic download of user logs, SOE
  R
 log, system log and control log facilitates data
 documentation for reports and compliance audit
 trail, compared to collection via a physical tap.




                                                                                                                       White paper | 09
NERC Critical Infrastructure Protection (CIP) and Security for Field Devices




Finding your compliance solution

CIP guidelines are drawn to identify the desired goal;             of patches and updates that are anticipated to be
it is up to the organization to institute the hardware,            needed for substation devices, the organization
software and processes that best allow it to meet                  might consider segregating the router and substation
these goals.                                                       controller, excluding the Substation Controller,
                                                                   from the electronic security perimeter. This might
For example, the utility can determine where its                   reduce point-to-point testing time and effort due to
physical and electronic security perimeters begin                  application of patches and upgrades.
and end. Figure 3 shows a typical substation where
the control house, in essence, is the physical                     Bottom line: the organization is responsible for
security perimeter. Electronic security perimeters are             writing the procedures that make compliance to CIP
effectively constructed around the devices such as                 guidelines efficient and effective.
router and dial-up control that are communication
end points. Depending on the number and frequency




                                                                                                           Pole top/
                                                                                                         remote IEDs
                                                      SCADA                                                   Pole top/
                                 Phone
  Electronic security                                 Master                                                remote IEDs
                                                                                                                 Pole top/
  perimeter                                                                                                    remote IEDs
                                                                                                                     Pole top/
                                                                                                                   remote IEDs
                                                                            Wireless
                                 Dial up               Router
                                                                            comms




                                                     Substation
                                DMS/HMI
                                                     controller




                      Discrete I/Os
         IEDs                                               Cap               IEDs         Other smart
                         legacy            LTCs
        relays                                              bank             meters        devices/IEDs
                           RTU

                                      Physical security perimeter

Figure 3. The utility should keep the ESP as small as possible.




                                                                                                                                                   White paper | 10
NERC Critical Infrastructure Protection (CIP) and Security for Field Devices




Conclusion

One requirement CIP guidelines don’t spell out is the need for adaptability and intra-
organization cooperation. Security is an arms race, and the electric utility requires
considerable cooperation and integration within the organization to stay agile enough
to adapt to changing challenges and still meet compliance.


Careful consideration of hardware and software choices will help the utility institute
the continual modifications that are needed to meet the moving target of critical
infrastructure protection. Flexible asset access controls are a must to mitigate
changing risks. Above all, dedicated intra-organization communications and training
that emphasize security make every employee part of the solution – and assure that
security is a successful process.




                                                                                                                                            White paper | 11
©2012 Schneider Electric. All rights reserved.




Schneider Electric USA, Inc.
   4701 Royal Vista Circle
   Fort Collins, CO 80528
   Phone:  -866-537-1091
           1
   	      + (34) 9-17-14-70-02
   Fax: 1-970-223-5577
   www.schneider-electric.com/us
                                   June 2012

More Related Content

What's hot

Iso 27001 awareness
Iso 27001 awarenessIso 27001 awareness
Iso 27001 awareness
Ãsħâr Ãâlâm
 
ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3
Tanmay Shinde
 
What the auditor need to know about cloud computing
What the auditor need to know about cloud computingWhat the auditor need to know about cloud computing
What the auditor need to know about cloud computing
Moshe Ferber
 
Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012  building a security operations center (soc)Rothke rsa 2012  building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)
Ben Rothke
 
ISO 27001 Benefits
ISO 27001 BenefitsISO 27001 Benefits
ISO 27001 Benefits
Dejan Kosutic
 
TOGAF 9 - Security Architecture Ver1 0
TOGAF 9 -  Security Architecture Ver1 0TOGAF 9 -  Security Architecture Ver1 0
TOGAF 9 - Security Architecture Ver1 0
Maganathin Veeraragaloo
 
Nist.sp.800 61r2
Nist.sp.800 61r2Nist.sp.800 61r2
Nist.sp.800 61r2
Jesús Yustas Romo
 
How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?
PECB
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your Organization
McKonly & Asbury, LLP
 
Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentation
Midhun Nirmal
 
Overview of ISO 27001 ISMS
Overview of ISO 27001 ISMSOverview of ISO 27001 ISMS
Overview of ISO 27001 ISMS
Akhil Garg
 
ISO 27001 2013 isms final overview
ISO 27001 2013 isms final overviewISO 27001 2013 isms final overview
ISO 27001 2013 isms final overview
Naresh Rao
 
Behavior based safety how thinking safe leads to acting safe
Behavior based safety   how thinking safe leads to acting safeBehavior based safety   how thinking safe leads to acting safe
Behavior based safety how thinking safe leads to acting safeHNI Risk Services
 
Risk Assessment Workshop
Risk Assessment WorkshopRisk Assessment Workshop
Risk Assessment Workshop
Bozward0901
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLCTjylen Veselyj
 
Active Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The FieldActive Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The Field
Digital Bond
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
Shriya Rai
 
Introduction to Kaspersky Endpoint Security for Businesss
Introduction to Kaspersky Endpoint Security for BusinesssIntroduction to Kaspersky Endpoint Security for Businesss
Introduction to Kaspersky Endpoint Security for Businesss
Andrew Wong
 
What is business continuity planning-bcp
What is business continuity planning-bcpWhat is business continuity planning-bcp
What is business continuity planning-bcp
Adv Prashant Mali
 

What's hot (20)

Iso 27001 awareness
Iso 27001 awarenessIso 27001 awareness
Iso 27001 awareness
 
ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3
 
What the auditor need to know about cloud computing
What the auditor need to know about cloud computingWhat the auditor need to know about cloud computing
What the auditor need to know about cloud computing
 
Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012  building a security operations center (soc)Rothke rsa 2012  building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)
 
ISO 27001 Benefits
ISO 27001 BenefitsISO 27001 Benefits
ISO 27001 Benefits
 
TOGAF 9 - Security Architecture Ver1 0
TOGAF 9 -  Security Architecture Ver1 0TOGAF 9 -  Security Architecture Ver1 0
TOGAF 9 - Security Architecture Ver1 0
 
It Audit
It AuditIt Audit
It Audit
 
Nist.sp.800 61r2
Nist.sp.800 61r2Nist.sp.800 61r2
Nist.sp.800 61r2
 
How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your Organization
 
Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentation
 
Overview of ISO 27001 ISMS
Overview of ISO 27001 ISMSOverview of ISO 27001 ISMS
Overview of ISO 27001 ISMS
 
ISO 27001 2013 isms final overview
ISO 27001 2013 isms final overviewISO 27001 2013 isms final overview
ISO 27001 2013 isms final overview
 
Behavior based safety how thinking safe leads to acting safe
Behavior based safety   how thinking safe leads to acting safeBehavior based safety   how thinking safe leads to acting safe
Behavior based safety how thinking safe leads to acting safe
 
Risk Assessment Workshop
Risk Assessment WorkshopRisk Assessment Workshop
Risk Assessment Workshop
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLC
 
Active Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The FieldActive Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The Field
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
 
Introduction to Kaspersky Endpoint Security for Businesss
Introduction to Kaspersky Endpoint Security for BusinesssIntroduction to Kaspersky Endpoint Security for Businesss
Introduction to Kaspersky Endpoint Security for Businesss
 
What is business continuity planning-bcp
What is business continuity planning-bcpWhat is business continuity planning-bcp
What is business continuity planning-bcp
 

Viewers also liked

NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s RoleNERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
EnergySec
 
Structured NERC CIP Process Improvement Using Six Sigma
Structured NERC CIP Process Improvement Using Six SigmaStructured NERC CIP Process Improvement Using Six Sigma
Structured NERC CIP Process Improvement Using Six Sigma
EnergySec
 
Security of the Electric Grid: It's more than just NERC CIP
Security of the Electric Grid: It's more than just NERC CIPSecurity of the Electric Grid: It's more than just NERC CIP
Security of the Electric Grid: It's more than just NERC CIP
EnergySec
 
Explore the Implicit Requirements of the NERC CIP RSAWs
Explore the Implicit Requirements of the NERC CIP RSAWsExplore the Implicit Requirements of the NERC CIP RSAWs
Explore the Implicit Requirements of the NERC CIP RSAWs
EnergySec
 
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...
EnergySec
 
Annotated Version: EU Safer Internet Forum - Rethinking Responses to Young Pe...
Annotated Version: EU Safer Internet Forum - Rethinking Responses to Young Pe...Annotated Version: EU Safer Internet Forum - Rethinking Responses to Young Pe...
Annotated Version: EU Safer Internet Forum - Rethinking Responses to Young Pe...
Tim Davies
 
COBIT 5 IT Governance Model: an Introduction
COBIT 5 IT Governance Model: an IntroductionCOBIT 5 IT Governance Model: an Introduction
COBIT 5 IT Governance Model: an Introduction
aqel aqel
 

Viewers also liked (7)

NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s RoleNERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
 
Structured NERC CIP Process Improvement Using Six Sigma
Structured NERC CIP Process Improvement Using Six SigmaStructured NERC CIP Process Improvement Using Six Sigma
Structured NERC CIP Process Improvement Using Six Sigma
 
Security of the Electric Grid: It's more than just NERC CIP
Security of the Electric Grid: It's more than just NERC CIPSecurity of the Electric Grid: It's more than just NERC CIP
Security of the Electric Grid: It's more than just NERC CIP
 
Explore the Implicit Requirements of the NERC CIP RSAWs
Explore the Implicit Requirements of the NERC CIP RSAWsExplore the Implicit Requirements of the NERC CIP RSAWs
Explore the Implicit Requirements of the NERC CIP RSAWs
 
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...
 
Annotated Version: EU Safer Internet Forum - Rethinking Responses to Young Pe...
Annotated Version: EU Safer Internet Forum - Rethinking Responses to Young Pe...Annotated Version: EU Safer Internet Forum - Rethinking Responses to Young Pe...
Annotated Version: EU Safer Internet Forum - Rethinking Responses to Young Pe...
 
COBIT 5 IT Governance Model: an Introduction
COBIT 5 IT Governance Model: an IntroductionCOBIT 5 IT Governance Model: an Introduction
COBIT 5 IT Governance Model: an Introduction
 

Similar to NERC Critical Infrastructure Protection (CIP) and Security for Field Devices

White paper scada (2)
White paper scada (2)White paper scada (2)
White paper scada (2)
Ivan Carmona
 
Information Security and the SDLC
Information Security and the SDLCInformation Security and the SDLC
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance  at CloudSec 2015 Kuala LumpurCybersecurity Assurance  at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Alan Yau Ti Dun
 
Security in the cloud planning guide
Security in the cloud planning guideSecurity in the cloud planning guide
Security in the cloud planning guideYury Chemerkin
 
Standards based security for energy utilities
Standards based security for energy utilitiesStandards based security for energy utilities
Standards based security for energy utilities
Nirmal Thaliyil
 
Centralizing security on the mainframe
Centralizing security on the mainframeCentralizing security on the mainframe
Centralizing security on the mainframeArun Gopinath
 
Managing Compliance
Managing ComplianceManaging Compliance
Managing Compliance
SecPod Technologies
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting   itweb workshopSLVA - Security monitoring and reporting   itweb workshop
SLVA - Security monitoring and reporting itweb workshop
SLVA Information Security
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
YoisRoberthTapiadeLa
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
VictoriaChavesta
 
Managed firewall service.
Managed firewall service.Managed firewall service.
Managed firewall service.
Mindtree Ltd.
 
Zero trust model for cloud computing.pptx
Zero trust model for cloud computing.pptxZero trust model for cloud computing.pptx
Zero trust model for cloud computing.pptx
kkhhusshi
 
White Paper: Six-Step Competitive Device Evaluation
White Paper: Six-Step Competitive Device EvaluationWhite Paper: Six-Step Competitive Device Evaluation
White Paper: Six-Step Competitive Device Evaluation
Ixia
 
Webinar: Critical Steps For NIST Compliance
Webinar: Critical Steps For NIST ComplianceWebinar: Critical Steps For NIST Compliance
Webinar: Critical Steps For NIST Compliance
Withum
 
Controls in Audit.pptx
Controls in Audit.pptxControls in Audit.pptx
Controls in Audit.pptx
HardikKundra
 
Cyber_Management_Issues.pdf
Cyber_Management_Issues.pdfCyber_Management_Issues.pdf
Cyber_Management_Issues.pdf
AliAhmed675993
 
Enhancing-Server-Security-in-hardware-side-Dec-23-2023-2.pptx
Enhancing-Server-Security-in-hardware-side-Dec-23-2023-2.pptxEnhancing-Server-Security-in-hardware-side-Dec-23-2023-2.pptx
Enhancing-Server-Security-in-hardware-side-Dec-23-2023-2.pptx
erickxandergarin
 
Virtual security is no less real
Virtual security is no less realVirtual security is no less real
Virtual security is no less real
guest24ab95c
 
Performing One Audit Using Zero Trust Principles
Performing One Audit Using Zero Trust PrinciplesPerforming One Audit Using Zero Trust Principles
Performing One Audit Using Zero Trust Principles
ControlCase
 

Similar to NERC Critical Infrastructure Protection (CIP) and Security for Field Devices (20)

White paper scada (2)
White paper scada (2)White paper scada (2)
White paper scada (2)
 
Information Security and the SDLC
Information Security and the SDLCInformation Security and the SDLC
Information Security and the SDLC
 
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance  at CloudSec 2015 Kuala LumpurCybersecurity Assurance  at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
 
Security in the cloud planning guide
Security in the cloud planning guideSecurity in the cloud planning guide
Security in the cloud planning guide
 
Standards based security for energy utilities
Standards based security for energy utilitiesStandards based security for energy utilities
Standards based security for energy utilities
 
Centralizing security on the mainframe
Centralizing security on the mainframeCentralizing security on the mainframe
Centralizing security on the mainframe
 
Managing Compliance
Managing ComplianceManaging Compliance
Managing Compliance
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting   itweb workshopSLVA - Security monitoring and reporting   itweb workshop
SLVA - Security monitoring and reporting itweb workshop
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
 
Managed firewall service.
Managed firewall service.Managed firewall service.
Managed firewall service.
 
Zero trust model for cloud computing.pptx
Zero trust model for cloud computing.pptxZero trust model for cloud computing.pptx
Zero trust model for cloud computing.pptx
 
White Paper: Six-Step Competitive Device Evaluation
White Paper: Six-Step Competitive Device EvaluationWhite Paper: Six-Step Competitive Device Evaluation
White Paper: Six-Step Competitive Device Evaluation
 
Webinar: Critical Steps For NIST Compliance
Webinar: Critical Steps For NIST ComplianceWebinar: Critical Steps For NIST Compliance
Webinar: Critical Steps For NIST Compliance
 
Controls in Audit.pptx
Controls in Audit.pptxControls in Audit.pptx
Controls in Audit.pptx
 
Cyber_Management_Issues.pdf
Cyber_Management_Issues.pdfCyber_Management_Issues.pdf
Cyber_Management_Issues.pdf
 
Enhancing-Server-Security-in-hardware-side-Dec-23-2023-2.pptx
Enhancing-Server-Security-in-hardware-side-Dec-23-2023-2.pptxEnhancing-Server-Security-in-hardware-side-Dec-23-2023-2.pptx
Enhancing-Server-Security-in-hardware-side-Dec-23-2023-2.pptx
 
Virtual security is no less real
Virtual security is no less realVirtual security is no less real
Virtual security is no less real
 
CCSK.pptx
CCSK.pptxCCSK.pptx
CCSK.pptx
 
Performing One Audit Using Zero Trust Principles
Performing One Audit Using Zero Trust PrinciplesPerforming One Audit Using Zero Trust Principles
Performing One Audit Using Zero Trust Principles
 

More from Schneider Electric

Secure Power Design Considerations
Secure Power Design ConsiderationsSecure Power Design Considerations
Secure Power Design Considerations
Schneider Electric
 
Digital International Colo Club: Attracting Investors
Digital International Colo Club: Attracting InvestorsDigital International Colo Club: Attracting Investors
Digital International Colo Club: Attracting Investors
Schneider Electric
 
32 phaseo power supplies and transformers briefing
32 phaseo power supplies and transformers briefing 32 phaseo power supplies and transformers briefing
32 phaseo power supplies and transformers briefing
Schneider Electric
 
Key Industry Trends, M&A Valuation Trends
Key Industry Trends, M&A Valuation TrendsKey Industry Trends, M&A Valuation Trends
Key Industry Trends, M&A Valuation Trends
Schneider Electric
 
EcoStruxure™ for Cloud & Service Providers
 EcoStruxure™ for Cloud & Service Providers EcoStruxure™ for Cloud & Service Providers
EcoStruxure™ for Cloud & Service Providers
Schneider Electric
 
Magelis Basic HMI Briefing
Magelis Basic HMI Briefing Magelis Basic HMI Briefing
Magelis Basic HMI Briefing
Schneider Electric
 
Zelio Time Electronic Relay Briefing
Zelio Time Electronic Relay BriefingZelio Time Electronic Relay Briefing
Zelio Time Electronic Relay Briefing
Schneider Electric
 
Spacial, Thalassa, ClimaSys Universal enclosures Briefing
Spacial, Thalassa, ClimaSys Universal enclosures BriefingSpacial, Thalassa, ClimaSys Universal enclosures Briefing
Spacial, Thalassa, ClimaSys Universal enclosures Briefing
Schneider Electric
 
Relay Control Zelio SSR Briefing
Relay Control Zelio SSR BriefingRelay Control Zelio SSR Briefing
Relay Control Zelio SSR Briefing
Schneider Electric
 
Magelis HMI, iPC and software Briefing
Magelis HMI, iPC and software BriefingMagelis HMI, iPC and software Briefing
Magelis HMI, iPC and software Briefing
Schneider Electric
 
Where will the next 80% improvement in data center performance come from?
Where will the next 80% improvement in data center performance come from?Where will the next 80% improvement in data center performance come from?
Where will the next 80% improvement in data center performance come from?
Schneider Electric
 
EcoStruxure for Intuitive Industries
EcoStruxure for Intuitive IndustriesEcoStruxure for Intuitive Industries
EcoStruxure for Intuitive Industries
Schneider Electric
 
Systems Integrator Alliance Program 2017
Systems Integrator Alliance Program 2017Systems Integrator Alliance Program 2017
Systems Integrator Alliance Program 2017
Schneider Electric
 
EcoStruxure, IIoT-enabled architecture, delivering value in key segments.
EcoStruxure, IIoT-enabled architecture, delivering value in key segments.EcoStruxure, IIoT-enabled architecture, delivering value in key segments.
EcoStruxure, IIoT-enabled architecture, delivering value in key segments.
Schneider Electric
 
It's time to modernize your industrial controls with Modicon M580
It's time to modernize your industrial controls with Modicon M580It's time to modernize your industrial controls with Modicon M580
It's time to modernize your industrial controls with Modicon M580
Schneider Electric
 
A Practical Guide to Ensuring Business Continuity and High Performance in Hea...
A Practical Guide to Ensuring Business Continuity and High Performance in Hea...A Practical Guide to Ensuring Business Continuity and High Performance in Hea...
A Practical Guide to Ensuring Business Continuity and High Performance in Hea...
Schneider Electric
 
Connected Services Study – Facility Managers Respond to IoT
Connected Services Study – Facility Managers Respond to IoTConnected Services Study – Facility Managers Respond to IoT
Connected Services Study – Facility Managers Respond to IoT
Schneider Electric
 
Telemecanqiue Cabling and Accessories Briefing
Telemecanqiue Cabling and Accessories BriefingTelemecanqiue Cabling and Accessories Briefing
Telemecanqiue Cabling and Accessories Briefing
Schneider Electric
 
Telemecanique Photoelectric Sensors Briefing
Telemecanique Photoelectric Sensors BriefingTelemecanique Photoelectric Sensors Briefing
Telemecanique Photoelectric Sensors Briefing
Schneider Electric
 
Telemecanique Limit Switches Briefing
Telemecanique Limit Switches BriefingTelemecanique Limit Switches Briefing
Telemecanique Limit Switches Briefing
Schneider Electric
 

More from Schneider Electric (20)

Secure Power Design Considerations
Secure Power Design ConsiderationsSecure Power Design Considerations
Secure Power Design Considerations
 
Digital International Colo Club: Attracting Investors
Digital International Colo Club: Attracting InvestorsDigital International Colo Club: Attracting Investors
Digital International Colo Club: Attracting Investors
 
32 phaseo power supplies and transformers briefing
32 phaseo power supplies and transformers briefing 32 phaseo power supplies and transformers briefing
32 phaseo power supplies and transformers briefing
 
Key Industry Trends, M&A Valuation Trends
Key Industry Trends, M&A Valuation TrendsKey Industry Trends, M&A Valuation Trends
Key Industry Trends, M&A Valuation Trends
 
EcoStruxure™ for Cloud & Service Providers
 EcoStruxure™ for Cloud & Service Providers EcoStruxure™ for Cloud & Service Providers
EcoStruxure™ for Cloud & Service Providers
 
Magelis Basic HMI Briefing
Magelis Basic HMI Briefing Magelis Basic HMI Briefing
Magelis Basic HMI Briefing
 
Zelio Time Electronic Relay Briefing
Zelio Time Electronic Relay BriefingZelio Time Electronic Relay Briefing
Zelio Time Electronic Relay Briefing
 
Spacial, Thalassa, ClimaSys Universal enclosures Briefing
Spacial, Thalassa, ClimaSys Universal enclosures BriefingSpacial, Thalassa, ClimaSys Universal enclosures Briefing
Spacial, Thalassa, ClimaSys Universal enclosures Briefing
 
Relay Control Zelio SSR Briefing
Relay Control Zelio SSR BriefingRelay Control Zelio SSR Briefing
Relay Control Zelio SSR Briefing
 
Magelis HMI, iPC and software Briefing
Magelis HMI, iPC and software BriefingMagelis HMI, iPC and software Briefing
Magelis HMI, iPC and software Briefing
 
Where will the next 80% improvement in data center performance come from?
Where will the next 80% improvement in data center performance come from?Where will the next 80% improvement in data center performance come from?
Where will the next 80% improvement in data center performance come from?
 
EcoStruxure for Intuitive Industries
EcoStruxure for Intuitive IndustriesEcoStruxure for Intuitive Industries
EcoStruxure for Intuitive Industries
 
Systems Integrator Alliance Program 2017
Systems Integrator Alliance Program 2017Systems Integrator Alliance Program 2017
Systems Integrator Alliance Program 2017
 
EcoStruxure, IIoT-enabled architecture, delivering value in key segments.
EcoStruxure, IIoT-enabled architecture, delivering value in key segments.EcoStruxure, IIoT-enabled architecture, delivering value in key segments.
EcoStruxure, IIoT-enabled architecture, delivering value in key segments.
 
It's time to modernize your industrial controls with Modicon M580
It's time to modernize your industrial controls with Modicon M580It's time to modernize your industrial controls with Modicon M580
It's time to modernize your industrial controls with Modicon M580
 
A Practical Guide to Ensuring Business Continuity and High Performance in Hea...
A Practical Guide to Ensuring Business Continuity and High Performance in Hea...A Practical Guide to Ensuring Business Continuity and High Performance in Hea...
A Practical Guide to Ensuring Business Continuity and High Performance in Hea...
 
Connected Services Study – Facility Managers Respond to IoT
Connected Services Study – Facility Managers Respond to IoTConnected Services Study – Facility Managers Respond to IoT
Connected Services Study – Facility Managers Respond to IoT
 
Telemecanqiue Cabling and Accessories Briefing
Telemecanqiue Cabling and Accessories BriefingTelemecanqiue Cabling and Accessories Briefing
Telemecanqiue Cabling and Accessories Briefing
 
Telemecanique Photoelectric Sensors Briefing
Telemecanique Photoelectric Sensors BriefingTelemecanique Photoelectric Sensors Briefing
Telemecanique Photoelectric Sensors Briefing
 
Telemecanique Limit Switches Briefing
Telemecanique Limit Switches BriefingTelemecanique Limit Switches Briefing
Telemecanique Limit Switches Briefing
 

Recently uploaded

PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 

Recently uploaded (20)

PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 

NERC Critical Infrastructure Protection (CIP) and Security for Field Devices

  • 1. NERC Critical Infrastructure Protection (CIP) and Security for Field Devices Compliance principles and requirements Make the most of your energy SM
  • 2. Summary Executive Summary . ................................................................................... p 1 Introduction ................................................................................................. p 2 Understanding CIP objectives ...................................................................... p 4 Core Security Principles . ............................................................................. p 5 NERC CIP technical control guidelines . ....................................................... p 6 Finding your compliance solution.................................................................. p 10 Conclusion................................................................................................... p 11
  • 3. NERC Critical Infrastructure Protection (CIP) and Security for Field Devices Executive summary The North American Electric Reliability Corporation (NERC) maintains a set of Critical Infrastructure Protection (CIP) guidelines that address a broad range of critical cyber asset and cyber security issues. These guidelines describe the security-focused procedures that, in combination with compliant technology, enable secure electric grid operations. The CIP guidelines do not specify the technologies that must be deployed. Instead, they describe the technology design necessary to build an information management architecture that complies with security goals. These goals include the minimizing of administrative authorization needed for operational functions. Rights and privileges are to be assigned to a functional role, not a named individual. Audit trails of field data device and substation activity, similar to control room auditability, must be maintained to assure comprehensive confidence in data and controls. The six CIP guidelines summarized in the paper speak to the procedures and policies that are vital to critical cyber asset security – personnel authorizations; personnel training; security of the information management system’s electronic perimeter; security of the information management system’s physical assets; operational security; and incident reporting and response planning. The utility builds its CIP-compliant program with defined procedures addressing these guidelines, coupled with the hardware and software that enable full implementation of these procedures. Training of all personnel is necessary for effective and efficient compliance. White paper | 01
  • 4. NERC Critical Infrastructure Protection (CIP) and Security for Field Devices Introduction In this paper, we target ‘the myth of compliance.’ While the term ‘compliant’ most often refers to products – the software and devices deployed in daily field operations of the electric grid – we at Telvent see security compliance as a ‘process.’ Through our extensive experience working with critical infrastructure asset owners, vendors and regulatory agencies, we know full compliance is achieved only when compliant hardware and software is complemented by information management procedures reflecting strong security principles. Here, we discuss in general how consistent NERC Critical Infrastructure Protection (CIP) compliance reflects best security practices combining: • Core security principles • Technical controls defined by CIP guidelines • strong level of discipline within the user organization and its vendor A organizations White paper | 02
  • 5. NERC Critical Infrastructure Protection (CIP) and Security for Field Devices
  • 6. NERC Critical Infrastructure Protection (CIP) and Security for Field Devices Understanding CIP objectives What CIP does. CIP provides general security CIP covers both technical and operational guidance toward achieving the minimal level of compliance. It is the combination of compliant security required for safe and secure operations. technology and security-focused procedures that enable CIP-compliant operations; see Figure 1. What CIP does not do. CIP does not prescribe or specify the technologies to be deployed to meet In this way, CIP challenges asset owners to secure operational goals. It defines objectives, consider security a ‘holistic’ issue that actively targets not how the user must achieve them. With the not only system design and installation but also responsibility of meeting secure operations objectives, daily processes. Compliant technology establishes the user also has the choice of which technology will a minimal level of authentication, authorization and best serve its needs in meeting those objectives. audit ability. The asset owner must actively build on that compliance foundation to realize a strong security culture within the organization. Compliance- Secure CIP Compliant Capable Hardware Configuration Devices CIP Compliant Operations CIP Compliant Training Processes Figure 1. Technology, in and of itself, does not impart CIP compliance. Rather, the user must build a program that assures its compliant technology is deployed and operated to create the level of security required to achieve compliance. White paper | 04
  • 7. NERC Critical Infrastructure Protection (CIP) and Security for Field Devices Core Security Principles Let’s review the security principles that are fundamental in molding a CIP-compliant information Information management key for management architecture: security – and more Principle of Least Privilege (PoLP). This principle Reliable information management serves describes the technology design – the design critical infrastructure security by – of applications and field devices – that allows • aintaining infrastructure availability – M operation with the minimum amount of administrative preventing acts, intentional or accidental, authorization. A granular-access approach to from interrupting operations operational control limits authority to each employee’s functions; any control authorized beyond defined • reserving data integrity – to support the P operational functions invites errors that could have quality of operational decision-making as well inadvertent, far-reaching impact – and even invite as meet regulatory/auditing scrutiny malicious abuse. The robust information management system also can enforce data confidentiality, allowing it While many legacy systems might not accommodate to be used for: highly granular access, newer technology is being designed to meet this criterion. • Accounting purposes Role-based Access Controls (RbAC). Rights and • Business-critical processes privileges associated with any network device are assigned to an administrative role or job duty, rather • Customer consumption than to a named individual. This approach allows individuals to move in and out of roles within the With compliant information management architecture, organization without complicated re-definition of the asset owner will: that person’s authorization, supporting continuous compliance and limiting authorization errors. It also • Know and control who is allowed to access the supports the centralized management essential in an system efficient, integrated network. • Know and control what each individual is allowed to Audit trails. While maintaining audit trail capability do on the system is familiar in the control room, CIP compliance extends this concept to operation of field devices. • Know and control what can be done by an By maintaining an awareness of field data activity individual based on where the individual is accessing and changes at the device and substation level, the the system user can integrate that data into centralized control with confidence. The intent is to not only provide the • Know what each individual has done on the system means for documenting system management in the recent past but to also enable real-time assessment • Prevent access to critical assets from any location of whether the CIP controls in place are appropriate – where any of the above situations is not true doing their job and meeting compliance goals. White paper | 05
  • 8. NERC Critical Infrastructure Protection (CIP) and Security for Field Devices NERC CIP technical control guidelines The NERC CIP document addresses a broad range of Critical Cyber Asset (CCA) and Cyber Security About NERC issues; here, we very briefly review six of the CIP guidelines that apply to operation of electric network The North American Electric Reliability Corporation (NERC) is an international field devices; also see Table 1. The full text of the regulatory authority established to evaluate NERC CIP standard can be found at http://www. reliability of the bulk power system in North nerc.com. America. NERC develops and enforces Reliability Standards; assesses adequacy CIP-003 Security Management Controls describes annually via ten-year forecasts and winter and the development of a cyber security policy and summer forecasts; monitors the bulk power documentation of that policy in a way that it can system; and educates, trains, and certifies industry personnel. NERC is the electric be updated and that all staff is aware of the policy. reliability organization for North America, It discusses management of personnel who have subject to oversight by the U.S. Federal access to the CCAs and identification of users with Energy Regulatory Commission (FERC) and different privileges, roles and responsibilities. governmental authorities in Canada. For more information, visit http://www.nerc.com • he user will want to look for hardware that can be T configured to allow a specific ID for each user and CIP guideline uses vaguely worded phrases such for addition and deletion of privileged users and for as “where technically feasible”; this wording makes users with different levels of access. Hardware that it difficult for the organization to fully understand documents not only access but also documents requirements. details of functions performed during the access is a big advantage; this downloadable User Log will While encryption is not identified specifically as a provide an audit trail for CIP compliance. guideline for ESP access, CIP-005 does speak to: CIP-004 Personnel and Training identifies the • ecurity of dial-up access – unclear if having a S personnel training and awareness recommended password and User Name to access constitutes for supporting security-related operations and ‘secure.’ Use of a ‘call back’ modem or a SCADA- procedures. It cites CCA user identification lists that controlled relay that is closed for access and are reviewed periodically and can be modified to opened when not needed provides adequate change both users and user privileges. security. • evices that accept addition or deletion of users D - n alternative to dial-up connection is the A and/or privileges remotely allow updates quickly Ethernet strategy, providing the IT tunnel that and keep functionalities accurately maintained. eliminates a dial-up channel. Another plus: with employees equipped with cell phones, replacing CIP-005 Electronic Security Perimeter(s) deals dial-up access also eliminates any need for a with identification and protection of ESP access phone line into the substation. points and communications. In some places, this White paper | 06
  • 9. NERC Critical Infrastructure Protection (CIP) and Security for Field Devices • ccess denied by default – access requires A TABLE 1 password, and password changeability Summary of CIP Issues • nabling and disabling ports or functions deemed E Requirement NERC CIP Compliant hardware capabilities not needed – at the most basic level, a firewall Standard capability serves this purpose User Access CIP-004 • ndividual user accounts/ I CIP-005 passwords CIP-007 • rivileges defined on a per- P • ppropriate-use banner – in our opinion, most likely A user basis a legal shield • Strong passwords supported • asswords hidden when P • onitoring, logging and warnings for user access or M entered attempted access – simple if the device has alarm Access Control CIP-003 • Passwords can be managed generation and logging ability, most useful if alarm CIP-005 from central location CIP-004 • ultiple admin-type accounts M alert is in real time can be configured • User Log, IP Filter list - onsider hardware that generates an alarm each C Electronic Security CIP-005 • limination of dial-up access E time a user logs in to initiate automatic user Perimeter CIP-003 with use of IP tunnel validation by SCADA or other means. IP Tunnel CIP-007 • Appropriate banner usage • lectronic access logged; can E capability eliminates dial-up access, and IP filter be monitored and alarmed capability adds an additional layer of security. • Port data paths configurable • SSL / SSH LAN CIP-006 Physical Security discusses physical Logging of CIP-003 • Every access attempt logged accessibility to equipment, including: Access and Usage CIP-004 • Resets logged CIP-007 • User changes logged CIP-008 • Time-tagged events logged • Mounting equipment in lockable enclosures Personnel termination/ CIP-004 • ser accounts revocable by U privilege changes CIP-007 administrator • Remote control of locks • ser accounts ‘downgradable’ U to lower level of authority • Access alarms indicating a door or gate is open Security Software CIP-007 • ll software upgrades available A Management for real-time updates • Card keys, video cameras, etc. • Non-Windows-based OS Alerts and CIP-005 • Every access attempt logged • User logged in and failed login attempts Notifications CIP-007 • ccess notification alarms A CIP-008 available to SCADA - evices that can integrate card keys and/or video D initiation with access alarms enhance security of the physical perimeter. White paper | 07
  • 10. NERC Critical Infrastructure Protection (CIP) and Security for Field Devices CIP-007 Systems Security Management deals with operating issues such as security patches, The Electronic Security Perimeter virus protection, vendor releases and event logging. References to device security reinforce CIP-005 The majority of ‘surface area of the ESP’ involves field device hardware; see Figure 2. concepts: For this reason, the technical security controls defined by CIP focus on control of access and • bility to enable or disable unused or unneeded A communication of field devices. ports and services – or compensating factor that will mitigate risk, such as physical security • Security patches and firmware upgrades ESP • nti-virus and malware protection – driven by the A Field Devices operating system - erely due to the widespread deployment of M Data Gathering/ Security Risk/Surface Area the Windows® operating system, the use of a Substations non-Windows OS might reduce the possibility of targeted attack. Devices that operate on a Comms non-Windows OS might be inherently immune to typical virus and malware threats and less likely to be targeted by hackers or persons intent on causing harm. In any case, user login monitors and alarms and use of discrete passwords Control System minimize risk. • ndividual, not shared, accounts – as mentioned in I Business Support CIP-003 controls, privileges should be defined on a per-role basis Enterprise Infrastructure - Logs and audit trails – - ogin and failed login attempts generate mapable L Figure 2. Proper device configuration is a key step in CIP alarm indications compliance. • Any access requires valid, strong password - evices that support centralized password D management facilitate the requirement for password control. White paper | 08
  • 11. NERC Critical Infrastructure Protection (CIP) and Security for Field Devices • sers can be assigned different levels of access U based on need - View Only - Other levels/privileges - dministrator who can control access by other A users • All passwords are stored, hidden or encrypted • quipment should be wiped on disposal, either E by memory erase or physically destroying the microchip if necessary - f a device fails, it might be difficult to effectively I erase memory. Look for devices that have removable media. CIP-008 Incident Reporting and Response Planning relates to the managing and handling of reports and logs. While collecting and storing logs for historical reference is necessary, how that retention is done is determined by the hardware and the organization’s capabilities. • emote electronic download of user logs, SOE R log, system log and control log facilitates data documentation for reports and compliance audit trail, compared to collection via a physical tap. White paper | 09
  • 12. NERC Critical Infrastructure Protection (CIP) and Security for Field Devices Finding your compliance solution CIP guidelines are drawn to identify the desired goal; of patches and updates that are anticipated to be it is up to the organization to institute the hardware, needed for substation devices, the organization software and processes that best allow it to meet might consider segregating the router and substation these goals. controller, excluding the Substation Controller, from the electronic security perimeter. This might For example, the utility can determine where its reduce point-to-point testing time and effort due to physical and electronic security perimeters begin application of patches and upgrades. and end. Figure 3 shows a typical substation where the control house, in essence, is the physical Bottom line: the organization is responsible for security perimeter. Electronic security perimeters are writing the procedures that make compliance to CIP effectively constructed around the devices such as guidelines efficient and effective. router and dial-up control that are communication end points. Depending on the number and frequency Pole top/ remote IEDs SCADA Pole top/ Phone Electronic security Master remote IEDs Pole top/ perimeter remote IEDs Pole top/ remote IEDs Wireless Dial up Router comms Substation DMS/HMI controller Discrete I/Os IEDs Cap IEDs Other smart legacy LTCs relays bank meters devices/IEDs RTU Physical security perimeter Figure 3. The utility should keep the ESP as small as possible. White paper | 10
  • 13. NERC Critical Infrastructure Protection (CIP) and Security for Field Devices Conclusion One requirement CIP guidelines don’t spell out is the need for adaptability and intra- organization cooperation. Security is an arms race, and the electric utility requires considerable cooperation and integration within the organization to stay agile enough to adapt to changing challenges and still meet compliance. Careful consideration of hardware and software choices will help the utility institute the continual modifications that are needed to meet the moving target of critical infrastructure protection. Flexible asset access controls are a must to mitigate changing risks. Above all, dedicated intra-organization communications and training that emphasize security make every employee part of the solution – and assure that security is a successful process. White paper | 11
  • 14. ©2012 Schneider Electric. All rights reserved. Schneider Electric USA, Inc. 4701 Royal Vista Circle Fort Collins, CO 80528 Phone: -866-537-1091 1 + (34) 9-17-14-70-02 Fax: 1-970-223-5577 www.schneider-electric.com/us June 2012