The document addresses the challenges and requirements for utilities in securing critical infrastructure and achieving NERC compliance amidst increasing demands for accountability and sustainability. It outlines six key elements—agility, consistency, efficiency, transparency, accountability, and security—that utilities need to implement for effective compliance management. The discussion emphasizes the need for integrated processes, automation, and a proactive approach to risk assessment and compliance monitoring.

1. Six Keys to Securing Critical Infrastructure and NERC Compliance

2. Today’s Agenda Healthcare IT Security & Compliance Issues Six Keys to Cost-Effective IT Security & Compliance Applying the Critical Elements Q&A and Conclusion Security and Compliance Challenges Related to Protecting Critical Infrastructure Six Critical Elements to Achieve Economies in Securing Critical Infrastructure and Compliance Panel Discussion and Q&A

3. Today’s Speakers Chris Merritt Director of Solution Marketing Lumension Michael Rasmussen Risk & Compliance Advisor Corporate Integrity, LLC Paul Henry Security & Forensics Analyst MCP+I, MCSE, CCSA, CCSE, CFSA, CFSO, CISSP,-ISSAP, CISM, CISA, CIFI, CCE

4. Critical Infrastructure: Security and Compliance Demands

5. Utilities Burdened by Critical Infrastructure Protection (CIP) Demands Increasing pressure for accountability bearing down from several angles, forcing them to rethink the approach to CIP. An increasingly interconnected world means utilities must consider Emissions and global warming concerns, Corporate social responsibility, Capacity and future sustainability of power, and Protection of critical infrastructure. Supervisory Control and Data Acquisition (SCADA) and Distribution Automation (DA) systems have been in operation for years. These systems were not designed with security in mind. As utilities interconnect to the Internet and other systems, exposure grows exponentially.

6. CIP & Compliance Mandates on Utilities NERC established eight CIP reliability standards, containing 160+ requirements to protect the critical infrastructure of electric utilities. Compliance includes regular management & monitoring, with preparedness audits. As of July 1, 2010 these utilities face the next step in being auditably compliant. Other related and often overlapping security requirements impact utilities (even for those not facing NERC CIP compliance), such as: FTC Red Flags Rule Payment Card Industry Data Security Standard (PCI DSS) State Mandatory Disclosure Laws (for example, in Massachusetts and California) Sarbanes-Oxley (SOX) Achieving economies requires implementation of an infrastructure for managing and monitoring compliance that crosses multiple mandates.

7. A Grim View of the Current State… Source: Open Compliance & Ethics Group

8. Critical Elements to Achieve Economies in CIP & Compliance CIP requirements and other compliance mandates are not trivial. Utilities are burdened because of: Increased connectivity of critical infrastructure Non-stop operations in a dynamic business environment Standardized technology architecture Shortage of resources Best practices require that utilities approach compliance and the protection of critical infrastructure as related processes and controls. Economical approach to NERC CIP and other mandates requires: Centralized visibility across controls in IT systems and processes, Automation of enforcement and monitoring, Collaboration across IT roles and the business, and Adoption of an integrated risk-based view of compliance.

9. Big Picture of Compliance OBJECTIVES strategic, operational, customer, process, compliance objectives BUSINESS MODEL strategy, people, process, technology and infrastructure in place to drive toward objectives MANDATED BOUNDARY boundary established by external forces including laws, government regulation and other mandates. VOLUNTARY BOUNDARY boundary defined by management including public commitments, organizational values, contractual obligations, and other voluntary policies. OPPORTUNITIES OPPORTUNITIES OPPORTUNITIES Source: Open Compliance & Ethics Group OBSTACLES

10. Components of Compliance & CIP Source: Open Compliance & Ethics Group INFORM & INTEGRATE DETECT & DISCERN ORGANIZE & OVERSEE ASSESS & ALIGN MONITOR & MEASURE PREVENT & PROMOTE RESPOND & RESOLVE

11. Efficient, Effective & Responsive CIP

12. 6 Key Elements to Achieve Economies in CIP & Compliance

13. 6 Keys to Economical CIP

14. 1 - Agility Utilities need a sustainable process and infrastructure for protection of critical infrastructure and related processes, including: Full discovery of the utility’s IT environment, critical infrastructure, and technology assets, including: Automatic assessment of the environment and devices that connect to it, to maintain the asset inventory required for compliance. Automated IT risk assessment that provides structure around the process of collecting scores and evidence for compliance controls, so utilities can demonstrate auditable compliance at any point in time. Policy enforcement of software updates, security patches, and standardized configurations to maintain adequate protection of critical infrastructure. Flexibility to handle the unique needs and requirements common in utilities and their IT environment. The ability to track access to critical infrastructure cyber assets — who accessed it, when, and where.

15. 2 - Consistency Utilities need a consistent approach to security and compliance, which can be achieved via streamlined workflows and process management capabilities that ensure: Comprehensive inventory and management of regulated systems (such as critical infrastructure), to: Deliver visibility of both physical and IT environments from one consolidated console. Manage an IT asset repository to include all resource types, including applications, databases, servers, networks, data centers, people, and processes across the utility. Continuously monitored compliance and IT risk postures to establish a mandatory baseline policy that all systems must meet. Established policies based on best practices, with pre-configured checks and elements that can be added and modified based on specific security needs. The ability to add, create, define, edit and import/export security configurations and checklists. Cross-referenced and normalized common controls for various regulations and mandates that impact the utility into a single control.

16. 3 - Efficiency Ensuring the protection of critical infrastructure and compliance with mandates can be burdensome, requiring a process and solution to manage documentation, tasks, reporting, and monitoring of requirements. Operational efficiency can be achieved by: Addressing multiple compliance reporting needs through a single solution. Maximum policy flexibility with automated enforcement, saving time and effort by IT staff. The combination of standard configuration checklists from vetted utility industry sources, with a repository of software vulnerabilities that deliver information with context to properly remediate errors. Automatic risk profile analysis that saves time over manual risk analysis practices.

17. 4 - Transparency Compliance within utilities requires transparency in reporting across enterprise systems, IT networks, and extended business relationships. This includes: Providing harmonization of compliance controls across a range of mandates (such as NERC CIP, PCI DSS, Red Flags Rule, and SOX). Viewing IT risk holistically across multiple information systems, processes, and departments, to: Collecting device, security and configuration information to provide consolidated visibility for system owners. Providing a global view of vulnerability status for all utility cyber assets with an at-a-glance understanding of risk and system status. Documenting changes and demonstrate progress toward audit and compliance requirements.

18. 5 - Accountability The utility is ultimately accountable for compliance and security of critical infrastructure, even across extended business relationships, communications, and systems. Accountability requires: Complete CIP status and visibility, which includes: A complete view of overall compliance that drills down into specific assets, requirements, and organization systems and processes. Constant audit readiness through automated collection and centralization of security configuration and vulnerability assessment results. Workflow-based surveys to ensure understanding, training, and assessment of CIP controls. Stakeholder surveys to determine the business impact of a risk scenario that compromises the confidentiality, integrity, or availability of critical infrastructure. Risk-based analysis of the IT posture that enables the organization to drill down on suspicious behavior for further investigation. Information system and role-based reporting and administration. Comprehensive reporting to organization management and authorities at a moment’s notice.

19. 6 - Security A primary concern for utilities today is protection of critical infrastructure. Security oversight aims to understand and model various unauthorized or inadvertent CIP exposure, and their likelihoods and impacts. Specific security economies are achieved through: Identification of controls that enhance CIP while meeting compliance requirements. Security policy enforcement: In-depth assessment of vulnerabilities, patch status, security configurations, installed software, and hardware inventory. Vulnerability audits and remediation across software and endpoints. Automated enforcement of malware protection, endpoint control and security. Timely response to issues and visibility across the organization’s information systems environment. Continuous monitoring and enforcement of security — particularly when new people (access), information, processes, and technology assets are added.

20. Utility Infrastructure Security & Compliance Platform Requirements Utilities should implement processes and corresponding technologies that bring economies and efficiency to CIP, including: Discovering, inventorying, and categorizing information systems Monitoring vulnerability exposure and the state of CIP Remediating and maintaining compliance to CIP requirements Managing security configurations and critical infrastructure protection across all endpoints Controlling removable device use and enforcing data encryption Streamlining overlapping technical and procedural controls across CIP requirements Maintaining trusted application use of critical infrastructure assets Enforcing compliance with evolving requirements Enabling reporting and monitoring of CIP

21. Panel Discussion and Q&A

22. Today’s Speakers Chris Merritt Director of Solution Marketing Lumension Michael Rasmussen Risk & Compliance Advisor Corporate Integrity, LLC Paul Henry Security & Forensics Analyst MCP+I, MCSE, CCSA, CCSE, CFSA, CFSO, CISSP,-ISSAP, CISM, CISA, CIFI, CCE

23. Conclusion

24. Resources and Tools Whitepapers 6 Critical Elements to Achieving Economical NERC CIP Compliance Enterprise Security: Moving Beyond AV Shift Happens: The Evolution of Application Whitelisting and a host of other whitepapers Other Resources Podcasts, Videos, Webcasts On-Demand Demos eBooks Premium Security Tools Scanners Product Software Evaluations Virtual Environment Full Software Download

25. Global Headquarters 8660 East Hartford Drive Suite 300 Scottsdale, AZ 85255 1.888.725.7828 [email_address] blog.lumension.com