![NERC CIP Compliance Workshop ,[object Object],[object Object],[object Object],[object Object],[object Object]](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to NERC CIP Compliance 101 Workshop - Smart Grid Security East 2011
Similar to NERC CIP Compliance 101 Workshop - Smart Grid Security East 2011 (20)
Recently uploaded
Recently uploaded (20)
NERC CIP Compliance 101 Workshop - Smart Grid Security East 2011
- 3. Presenters Gib Sorebo – Chief Security Engineer, SAIC Mike Echols – Critical Infrastructure Protection Manager, Salt River Project Jim Brenton – Regional Security Coordinator, ERCOT Joshua Axelrod – Director Of Professional Services, Alert Enterprise Lior Frenkel – CEO, Waterfall Security Solutions Steven Applegate – Cyber Security Threat and Vulnerability Program Manager, NERC
- 5. DOE Modern Grid Strategy AMI = Advanced Metering Infrastructure DR = Demand Response ADO = Advanced Distribution Operations ATO = Advanced Transmission Operations AAM = Advanced Asset Management Source: Department of Energy
- 16. Critical Cyber Assets CCA = Critical Cyber Asset Cyber Asset Name Essential R3.1 R3.2 R3.3 Connectivity CCA Cyber.Asset.Name Yes Yes Yes No IP Yes Cyber.Asset.Name Yes Yes Yes No Disconnected No Cyber.Asset.Name Yes No No Yes Dial-up Yes Cyber.Asset.Name Yes No No No Serial No
- 27. What’s next for CIP Standards
- 29. CIP 003 Leadership CIP = Critical Infrastructure Protection
- 32. CIP 003 Change Control and Configuration Management CIP = Critical Infrastructure Protection I&A = Identification and Authentication DES = Data Encryption Standard PKI = Public Key Infrastructure
- 35. CIP 004 Access Control
- 36. CIP 005 Network Security Network Applications Databases Operating System Network Operating System Databases Applications Access Points Electronic Security Perimeters CIP = Critical Infrastructure Protection
- 37. CIP 005 Network Security CIP = Critical Infrastructure Protection
- 38. CIP 005 Network Security CIP = Critical Infrastructure Protection
- 39. CIP = Critical Infrastructure Protection CIP 005 Network Security Ports and Services System Security Password Security Community String Security Open firewall ports and protocols No default accounts At least six-character passwords No public strings Point-to-point rules (no any any) Strong passwords Complex passwords Rename community strings Deny by default No default community strings Password changes every 360 days
- 40. CIP 006 Physical Security
- 42. CIP 007 Systems Security CIP = Critical Infrastructure Protection
- 43. CIP 007 Systems Security CIP = Critical Infrastructure Protection Vendor releases security patch or update SME determines patch or update applicability (within 30 days of availability) SME creates plan (within same 30 days) for future deployment SME downloads patch or update and deploys in test environment SME tests security controls and functionality according to test plan SME securely deploys and tests in production environment (or TFE)
- 44. CIP = Critical Infrastructure Protection IDS = Intrusion Detection System ICS = Industrial Control System CIP 007 Systems Security
- 45. CIP 007 Systems Security CIP = Critical Infrastructure Protection
- 46. CIP 007 Systems Security CIP = Critical Infrastructure Protection
- 47. CIP 007 Systems Security CIP = Critical Infrastructure Protection
- 48. CIP 007 Systems Security CIP = Critical Infrastructure Protection Ports and Services System Security Password Security Community String Security Open firewall ports and protocols No default accounts At least 6 character passwords No public strings Point-to-point rules (no any any) Strong passwords Complex passwords Rename community strings Deny by default No default community strings Password changes every 360 days
- 51. CIP 009 Recovery CIP = Critical Infrastructure Protection
- 52. CIP = Critical Infrastructure Protection CIP 009 Recovery
- 54. NERC is Complex. NERC CIP is more Complex.. To meet all requirements you need to interface with: Applications – SAP, Oracle, HR, and Business Applications GRC, IAM, Change Management, Asset Management Directories, Network Security and IT Systems Physical Access Control Systems (PACS) Control Systems: EMS, DMS, HMI/SCADA Facilities / Building Management Video surveillance and other imaging sensors Situational Awareness and Geo-Spatial Mapping Incident Management Applications
- 55. Streamline On-Boarding/Off-Boarding & Close Security Gaps Enterprise Compliance Eliminate Overlaps Workplace Efficiency Simplify & automate onboarding & offboarding Human resources SCADA/ Network Physical security Governance risk & compliance Identity management IT/ERP security Assets Contractors Background Checks Certification Internal Control Policies Industry Specific Risk Library
- 56. A New Generation of Solutions Bridges the Gap, Removes the Silos
- 60. NERC CIP Security and Compliance Posture
- 62. CIP 003 – 009 Takeaways CIP = Critical Infrastructure Protection
- 63. Beyond NERC-CIP: Perimeter Protection Issues Internet Critical Network Business Network Critical Cyber Asset Command And Control
- 66. Advanced Perimeter Protection Unidirectional Communications Critical Network Business Network Critical Cyber Asset Enterprise Planning System One-Way Communications Hardware
- 68. Emulating Two Way Protocols One-Way Communications Hardware Emulation Agent Two-Way Protocol Two-Way Protocol Emulation Agent
- 70. Under the Hood WF-Packet preparation and sending (Sequencing, Redundancy, Error correction) High capacity and optimized receiving mechanism. Scheduler 3 rd Party API SDK Connectors Management Control and Conf. MMI Connectors SDK 3 rd Party API Scheduler Management Control and Conf. MMI Unidirectional Fiber optics ETH ETH
- 72. Application: Generation Photo courtesy of wikimedia.org Critical Network Critical Cyber Assets Business Network Enterprise Historian (Replica) Plant Historian ICCP (to SO)
- 74. Application: Transmission Photo courtesy of: hydro station L'Ange-Gardien, QC Substation Network EMS Network Critical Cyber Assets DNP3 DNP3 EMS
- 79. What if I’m Not Required To Comply?
- 81. How far should I go?
- 83. Where can I go for help?
- 84. Culture of Compliance What Does It Look Like? How Do I Get There?
Editor's Notes
- Reliability Coordinator. Balancing Authority. Interchange Authority. Transmission Service Provider. Transmission Owner. Transmission Operator. Generator Owner. Generator Operator. Load Serving Entity. NERC. Regional Entity.
- You can drill down into the detail and identify which NERC CIP compliance requirement is being violated. You can remediate or mitigate risk right from the same screen
- Via the SCADA interface the application detects unauthorized disabling of 2-levels of protection by disabling protective relays at a generation facility. The application delivers a geo-spatial view delivering situational awareness. In this slide we can view that an alert has been received and the user can confirm and initiate the remedial action scripts workflow.
- The application is pre-integrated with video surveillance and door locks from the building control system which can be tagged in the display and clicked on to access live video to confirm the incident. If needed the remote responder can initiate a lock down of the premises or the particular access point while automatically dispatching first responders.
- Compliance Is Painful - not necessarily. There is help available. Much of it is common sense. Paradigm shift and this becomes ingrained in the culture of your organization. Congress-Initiated Problem – two issues with this acronym: 1) congress initiated an order, but it was a response to a horrible blackout and subsequent studies done evidencing lack of participation in volunteer compliance. 2) not a problem, but one viable solution or remedy Can I punt? (No, this is everyone’s issue. If you have CCAs it is obvious. If not, think about doomsday scenarios… scary stats about BES outage scenarios. Cash Is Preferred – The preferred reaction to CIP within NERC is compliance, and hence, a more reliable BES. Not fines for noncompliance. NERC’S Brainchild – the process of creating and maintaining standards is currently an ANSI-certified process, where industry
- Reduced risk of noncompliance isn’t the goal… Reduced risk is the goal.
- Credible Threats to the Smart Grid. Elaborate on each. Talk about definition of risk and what you can do with it.
- Get real security and compliance is easy to attain Give scenarios where “ compliant ” is far from sufficient Talk about NERC sufficiency reviews Show CIA-NR model (possibly to organize threats?) Bad guys don’ t care if you ’ re compliant Standards are a moving target
- This is an area where people tend to get “feature fever.” Jumping into controls can waste money, derail your security projects, create an unstainable environment and even degrade your security posture.
- Mention the non-compliance parts of NERC (like my team) Warn of consultants who are not properly vetted
- Permeates organization from the top down Pragmatic: performance reviews, bonuses, quantify, ratings Benefits: Financial Benefits (litigation, retrofit, etc.) Can hit any “moving target” like CIP, NIST… Better to bake in vs. retrofit