Stephen Theodos, CISSP
Essential Power, LLC
• Founded in 2008
• Own and operate five generation facilities throughout the Northeast
• Our fleet is primarily peaking power, fueled predominantly by natural gas
• Just over 2,000 megawatts of total generation capacity
• Headquartered in Princeton, NJ
Essential Power, LLC ~ Proprietary & Confidential
• What did we start with?
• What hurdles did we face as our company developed and as enforcement dates loomed for CIP?
• How were we able to overcome these challenges?
• What are some potential hurdles coming up regarding future risk and CIP 5?
• Inherited our generation networks
• Lacked thoughtful design
• Used overlapping IP address subnets
• Lacked “intelligent hardware”
• Minimal security
• No logging
• No backup plan
• Retrofit security as much as possible onto the existing networks
• A complete redesign from scratch was not possible at the time
• Our time frame was incredibly short
• A new mindset: not just generating energy, but generating it securely
• Defense in depth
• Deter, Delay, Detect, Defend
• Perform our GAP analysis
• Secure all devices
• Manage and document all user accounts
• Create ESPs and PSPs (Electronic and Physical Security Perimeters)
• Enable logging on all devices
• Monitor these logs for any unexpected behavior
• Make sure we are meeting our CIP requirements
• CIP-005 and CIP-007 require review of log samples from Critical Cyber Assets and from Access Control and Monitoring devices, and require us to keep an auditable log of user activity
• We determined that a Security Information and Event Management (SIEM) system that collects and correlates system logs on a centralized server would be required
• A centralized SIEM would mean converging the existing segregated networks
• Network Address Translation was required because the site networks used overlapping address ranges
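When logs from sites that share the same private address range are brought to one SIEM through NAT, the collector sees the translated address, not the device's own, so the SIEM has to undo the translation before it can attach the event to the right asset; otherwise two hosts that are both 192.168.1.10 collapse into one. The following added example (not code from the deck or from Tripwire) shows one way to do that and then runs a simple failed-login correlation over the resolved events. The site names, the 1:1 NAT ranges, the asset inventory, the log lines and the alert threshold are all constructed for the example.

```python
"""Resolve NAT-translated syslog sources back to the originating site asset,
then correlate failed logins per asset (added example with constructed data)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical 1:1 NAT table: each site's overlapping 192.168.1.0/24 is
# presented to the central SIEM as a distinct, non-overlapping /24.
NAT_TABLE = {
    "site-a": (ipaddress.ip_network("10.1.1.0/24"), ipaddress.ip_network("192.168.1.0/24")),
    "site-b": (ipaddress.ip_network("10.2.1.0/24"), ipaddress.ip_network("192.168.1.0/24")),
}

# Constructed asset inventory keyed by (site, original address). This is the
# identity the SIEM must attach to an event so that two hosts that are both
# 192.168.1.10 at different sites are never merged.
ASSETS = {
    ("site-a", "192.168.1.10"): "site-a-hmi-01",
    ("site-b", "192.168.1.10"): "site-b-hmi-01",
    ("site-a", "192.168.1.1"): "site-a-fw",
}

def untranslate(translated: str):
    """Map a post-NAT source address back to (site, original address)."""
    addr = ipaddress.ip_address(translated)
    for site, (outside, inside) in NAT_TABLE.items():
        if addr in outside:
            # 1:1 NAT keeps the host part of the address; swap the network part back.
            host_bits = int(addr) - int(outside.network_address)
            return site, str(inside.network_address + host_bits)
    return None, translated  # source is not behind a known NAT

# Minimal "<iso-timestamp> <source-address> <message>" line format (constructed).
SYSLOG = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<msg>.*)$")

def parse(line: str):
    """Parse one line and resolve its source to an inventoried asset name."""
    m = SYSLOG.match(line)
    if not m:
        return None
    site, orig = untranslate(m["src"])
    asset = ASSETS.get((site, orig), f"unknown({site},{orig})")
    return {"ts": datetime.fromisoformat(m["ts"]), "site": site,
            "asset": asset, "msg": m["msg"]}

def failed_login_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {asset: count} for assets with >= threshold failed logins inside `window`."""
    per_asset = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and "authentication failure" in ev["msg"]:
            per_asset[ev["asset"]].append(ev["ts"])
    alerts = {}
    for asset, times in per_asset.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                alerts[asset] = j - i
                break
    return alerts

# Constructed sample: both sites' HMIs report from "192.168.1.10" behind NAT.
SAMPLE_LOGS = [
    "2014-03-01T10:00:00 10.1.1.10 sshd: authentication failure for user admin",
    "2014-03-01T10:01:00 10.2.1.10 sshd: authentication failure for user admin",
    "2014-03-01T10:02:00 10.1.1.10 sshd: authentication failure for user admin",
    "2014-03-01T10:03:30 10.2.1.10 sshd: authentication failure for user admin",
    "2014-03-01T10:04:00 10.1.1.10 sshd: authentication failure for user admin",
    "2014-03-01T10:20:00 10.1.1.1 fw: config saved by user operator",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        ev = parse(line)
        print(ev["ts"], ev["asset"], ev["msg"])
    print("alerts:", failed_login_bursts(SAMPLE_LOGS))
```

Only site A's HMI crosses the threshold; without the NAT reversal the five failures would have been attributed to a single "192.168.1.10" and the per-site picture lost. In practice the translation table would be read from the firewall configuration rather than hard-coded.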
Cyberthreat Gaps
Figure: The CyberThreat Kill Chain (Lockheed Martin). Axes: Level of Exposure vs. Chance of Detection. Phases: Recon; Weaponization & Delivery; Exploitation; C2 (Command & Control); Malicious Action (Exfiltration and Business Disruption).
Figure: Continuous Security Configuration Management vs. Periodic / Manual Assessment. Configuration changes occur constantly; with periodic or manual assessment a "MEGASCAN" is required to reassess.
• Understands changes in the environment
• The goal is security, not audit
• Lower costs, greater efficiency
• Continual risk reduction
• Measurable, sustainable security
• We reviewed three different SIEM vendors during our RFP / review process
• Ultimately chose Tripwire, due to a combination of factors
• At the time, they were one of the few vendors that had predetermined CIP rules
• Offered solid value for the overall cost compared to other competitors
• Their support team was willing and able to assist us throughout the deployment
• Interface was simple, intuitive, and provided exactly what we needed to see
• We opted for both Tripwire Log Center and Tripwire Enterprise
• CIP-005 R3.2: Alerting for Cyber Security Incidents for access control and monitoring devices
• CIP-005 R5.3: Retain and review electronic access logs for at least ninety calendar days for Access Control and Monitoring devices
• CIP-007 R6.2: Alerting for Cyber Security Incidents for critical cyber assets
• CIP-007 R6.3: Logs of system events related to cyber security for critical cyber assets
• CIP-007 R6.4: Retain logs of critical cyber assets for 90 days
• CIP-007 R6.5: Review logs for critical cyber assets at least every 90 days
• CIP-008 R3: Logs related to reportable incidents shall be kept for 3 years
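The requirements above reduce to a small table of retention and review intervals per class of log, and the practical failure modes are the quiet ones: a store whose retention was set shorter than required, a review that slipped past ninety days, or a source that silently stopped sending. The added example below (not Tripwire's or the deck's code) encodes the intervals from the slide and audits a constructed inventory of log stores against them; the store names, dates, the "as of" date and the two-day silence threshold are assumptions of the example, not CIP numbers.

```python
"""Audit log stores against the CIP retention and review intervals listed
above (added example; store inventory and dates are constructed)."""
from datetime import date

# Retention and review intervals per log class, in days, as stated in the
# requirements above. None means the slide gives no periodic review interval.
POLICY = {
    "access_control_monitoring": {"retain": 90, "review": 90},    # CIP-005 R5.3
    "critical_cyber_asset": {"retain": 90, "review": 90},         # CIP-007 R6.4 / R6.5
    "reportable_incident": {"retain": 3 * 365, "review": None},   # CIP-008 R3
}

# Days without a new record before a live store is flagged as having stopped
# receiving logs. Assumption of this example, not a CIP figure.
MAX_SILENCE_DAYS = 2

def audit_store(store: dict, as_of: date) -> list:
    """Return (store_name, finding) tuples for one log store."""
    rule = POLICY[store["log_class"]]
    findings = []
    if store["retention_days"] < rule["retain"]:
        findings.append((store["name"],
                         f"retention {store['retention_days']}d below required {rule['retain']}d"))
    # A live store that has gone quiet usually means a broken forwarder, and
    # nothing is being retained at all, whatever the configured interval says.
    if store.get("live", True) and (as_of - store["newest_record"]).days > MAX_SILENCE_DAYS:
        findings.append((store["name"],
                         f"no records since {store['newest_record']}; source may have stopped logging"))
    if rule["review"] is not None:
        last = store.get("last_review")
        if last is None or (as_of - last).days > rule["review"]:
            findings.append((store["name"],
                             f"review overdue (last review {last}, required every {rule['review']}d)"))
    return findings

def audit(stores, as_of: date) -> list:
    """Audit every store and concatenate the findings."""
    out = []
    for store in stores:
        out.extend(audit_store(store, as_of))
    return out

# Constructed inventory of log stores.
STORES = [
    {"name": "eap-firewall-logs", "log_class": "access_control_monitoring",
     "retention_days": 120, "newest_record": date(2014, 6, 1), "last_review": date(2014, 5, 15)},
    {"name": "hmi-syslog", "log_class": "critical_cyber_asset",
     "retention_days": 60, "newest_record": date(2014, 6, 1), "last_review": date(2014, 2, 1)},
    {"name": "plc-gateway-syslog", "log_class": "critical_cyber_asset",
     "retention_days": 90, "newest_record": date(2014, 5, 20), "last_review": date(2014, 5, 1)},
    {"name": "incident-2013-11-archive", "log_class": "reportable_incident", "live": False,
     "retention_days": 1095, "newest_record": date(2013, 11, 20), "last_review": None},
]
AS_OF = date(2014, 6, 2)

if __name__ == "__main__":
    for name, finding in audit(STORES, AS_OF):
        print(f"{name}: {finding}")
```

Run as written it reports three findings: the HMI store is both under-retained and overdue for review, and the PLC gateway has been silent for thirteen days. The firewall store and the incident archive pass.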
• CIP-003 R5 requires Responsible Entities to “document and implement a program for managing access to protected Critical Cyber Asset information.”
• CIP-003 R6 requires change control and configuration management processes to be established and documented
• CIP-007 R3 Security Patch Management: the file integrity monitoring reports unauthorized modifications or changes and provides documentation of authorized changes
• CIP-007 R5 Account Management requires technical and procedural controls that enforce access authentication and accountability for all user activity
• Easy-to-use GUI allows for easy modification of rules and alerts
• Daily and weekly traffic reports to set baseline traffic patterns and easily analyze any anomalies
• Daily change reports let us know immediately if and when any changes occur to the file system
• Instant notification of cyber security related events
• Advanced correlation of system logs, which saves many hours of log review
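The daily change report above, and the CIP-007 R3 point earlier that file integrity monitoring must report unauthorized changes while documenting authorized ones, both come down to the same mechanism: a hashed baseline of the file system, a fresh manifest, and a record of which differences went through change control. The added example below (not Tripwire Enterprise's code or the deck's) implements that split on a constructed temporary file tree; the file names, contents and the change ticket id "CHG-0001" are assumptions of the example.

```python
"""File integrity baseline and comparison that separates authorized from
unauthorized changes (added example; file tree and ticket id are constructed)."""
import hashlib
import os
import tempfile

def baseline(root: str) -> dict:
    """Hash every regular file under root, keyed by its relative path."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def compare(old: dict, new: dict, authorized: dict) -> dict:
    """Classify every difference between two manifests.

    `authorized` maps relative path -> change ticket id for changes that went
    through change control. Any other difference is reported as unauthorized.
    """
    report = {"authorized": [], "unauthorized": []}
    for path in sorted(set(old) | set(new)):
        if path not in new:
            kind = "removed"
        elif path not in old:
            kind = "added"
        elif old[path] != new[path]:
            kind = "modified"
        else:
            continue  # unchanged
        if path in authorized:
            report["authorized"].append((path, kind, authorized[path]))
        else:
            report["unauthorized"].append((path, kind))
    return report

def _write(root: str, rel: str, data: bytes) -> None:
    with open(os.path.join(root, rel), "wb") as fh:
        fh.write(data)

def demo() -> dict:
    """Build a constructed tree, baseline it, apply changes, and compare."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "config"))
        os.makedirs(os.path.join(root, "bin"))
        _write(root, "config/hmi.ini", b"alarm_threshold=100\n")
        _write(root, "bin/runtime", b"placeholder-binary\n")
        before = baseline(root)
        # Change covered by a (constructed) change ticket.
        _write(root, "config/hmi.ini", b"alarm_threshold=120\n")
        # Changes nobody documented: a modified binary and a new file.
        _write(root, "bin/runtime", b"placeholder-binary-patched\n")
        _write(root, "bin/unexpected.dll", b"unexpected\n")
        after = baseline(root)
        return compare(before, after, authorized={"config/hmi.ini": "CHG-0001"})

if __name__ == "__main__":
    report = demo()
    for path, kind, ticket in report["authorized"]:
        print(f"authorized   {kind:8} {path} ({ticket})")
    for path, kind in report["unauthorized"]:
        print(f"UNAUTHORIZED {kind:8} {path}")
```

The report pairs each authorized change with its ticket, which is the documentation CIP-007 R3 asks for, while the two undocumented differences are what a daily change report should surface. Where a baseline covers a whole host, the authorized map is typically derived from closed change tickets rather than typed by hand.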
• Practical and useful search criteria for audits and investigations
• The data is easily available for forensic analysis if necessary
• “The concern over cybersecurity risks to critical infrastructure, of which power generation is a significant element, is unlikely to wane in the foreseeable future.” – Steven Parker, President of EnergySec
• How are we preparing for CIP 5?
• Updating and cleaning up the current CIP document repository
• Verifying and updating documentation of all electronic devices as necessary
• Using a third party to perform a GAP analysis of where we may be lacking when it comes to CIPv5 preparation
• Scheduling mock audits internally
• Attempting to allocate resources accordingly
• Vendors have increased their support of CIP compliance initiatives
• SIEMs are smarter and more capable than in the past
• Newer technologies are constantly becoming available to make our lives easier
• Better “whitelist” capabilities
• Improved patch management
• Improved port scanning and confirmation
• Ability to tie in physical security logging and alerts
• Easier access to compliance reports and audit results
• Provide appropriate security controls to your SIEM
• Spend time tuning it! The system can only run as well as it is configured
• Don’t be afraid to contact the vendor directly for support
• Use it frequently! Hands-on is the best way to learn
Questions? Comments?

Essential Power Case Study: Protecting Critical Infrastructure From Cyber Attacks


Editor's Notes

  • #10 Version 3 -- As many of you know, manual log review is both cumbersome and generally extremely time consuming.
  • #11 Of course the ideal solution is to prevent breaches from occurring by employing good security controls. During the Recon phase detection is very difficult, but good security practices such as hardening security configurations and minimizing vulnerabilities will make you an unattractive target for attackers. (Can we include a quote from Jane XXX at the CSC?) The best opportunity for detection before a loss has occurred is during the Exploitation phase. Because the attacker has now successfully entered the network, most likely undetected, they are executing activities on the host systems and leaving digital fingerprints which can be detected by looking for changes to the host systems. Detection is also likely during the Malicious Action phase using various malware detection products; however, at this point detection comes after some level of loss or damage has occurred.