3. Presenters
Gib Sorebo – Chief Security Engineer, SAIC
Mike Echols – Critical Infrastructure Protection Manager, Salt River Project
Jim Brenton – Regional Security Coordinator, ERCOT
Joshua Axelrod – Director of Professional Services, Alert Enterprise
Lior Frenkel – CEO, Waterfall Security Solutions
Steven Applegate – Cyber Security Threat and Vulnerability Program Manager, NERC
5. DOE Modern Grid Strategy
AMI = Advanced Metering Infrastructure
DR = Demand Response
ADO = Advanced Distribution Operations
ATO = Advanced Transmission Operations
AAM = Advanced Asset Management
Source: Department of Energy
16. Critical Cyber Assets
CCA = Critical Cyber Asset. R3.1, R3.2 and R3.3 refer to the qualifying criteria of CIP 002 Requirement R3.

Cyber Asset Name    Essential   R3.1   R3.2   R3.3   Connectivity    CCA
Cyber.Asset.Name    Yes         Yes    Yes    No     IP              Yes
Cyber.Asset.Name    Yes         Yes    Yes    No     Disconnected    No
Cyber.Asset.Name    Yes         No     No     Yes    Dial-up         Yes
Cyber.Asset.Name    Yes         No     No     No     Serial          No
32. CIP 003 Change Control and Configuration Management
CIP = Critical Infrastructure Protection
I&A = Identification and Authentication
DES = Data Encryption Standard
PKI = Public Key Infrastructure
39. CIP 005 Network Security
Ports and Services:
- Open firewall ports and protocols
- Point-to-point rules (no any any)
- Deny by default
System Security:
- No default accounts
- Strong passwords
Password Security:
- At least six-character passwords
- Complex passwords
- Password changes every 360 days
Community String Security:
- No “public” strings
- Rename community strings
- No default community strings
42. CIP 007 Systems Security
43. CIP 007 Systems Security – patch and update workflow
1. Vendor releases a security patch or update.
2. SME determines patch or update applicability (within 30 days of availability).
3. SME creates a plan (within the same 30 days) for future deployment.
4. SME downloads the patch or update and deploys it in the test environment.
5. SME tests security controls and functionality according to the test plan.
6. SME securely deploys and tests in the production environment (or documents a TFE).
SME = Subject Matter Expert; TFE = Technical Feasibility Exception
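The six steps above become auditable only if each patch is tracked against the 30-day window. The following is an added example written for this page, not code from the presentation or any of the presenting organizations; the record fields, the patch identifiers and all dates are constructed, and "today" is fixed so the sample is reproducible.

```python
"""Added example: tracking patches through the CIP 007 workflow on slide 43 and
flagging records that miss the 30-day assessment/planning window. Record fields,
identifiers and dates are constructed for this illustration and are not from the
presentation."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ASSESSMENT_WINDOW_DAYS = 30   # applicability decision and deployment plan due within 30 days of release
AS_OF = date(2009, 6, 1)      # "today" for the constructed sample below


@dataclass
class PatchRecord:
    patch_id: str                       # hypothetical tracking identifier
    released: date                      # vendor made the patch or update available
    assessed: Optional[date] = None     # SME recorded the applicability decision
    applicable: Optional[bool] = None   # outcome of that decision
    planned: Optional[date] = None      # deployment plan documented
    tested: Optional[date] = None       # controls and functionality verified in the test environment
    deployed: Optional[date] = None     # deployed to production, or TFE approved on this date
    tfe: bool = False                   # Technical Feasibility Exception instead of installation


def assessment_deadline(rec):
    return rec.released + timedelta(days=ASSESSMENT_WINDOW_DAYS)


def evaluate(rec, today=AS_OF):
    """Return (stage, findings) for one record; findings are violations of the 30-day window
    or of the test-before-production order."""
    findings = []
    deadline = assessment_deadline(rec)

    def check_window(label, when):
        if when is None and today > deadline:
            findings.append(f"{rec.patch_id}: {label} overdue by {(today - deadline).days} days")
        elif when is not None and when > deadline:
            findings.append(f"{rec.patch_id}: {label} recorded {(when - deadline).days} days late")

    check_window("applicability assessment", rec.assessed)
    if rec.assessed is None:
        return "awaiting assessment", findings
    if rec.applicable is None:
        findings.append(f"{rec.patch_id}: assessment dated but no applicability decision recorded")
        return "awaiting assessment", findings
    if not rec.applicable:
        return "not applicable", findings           # no plan or deployment needed
    check_window("deployment plan", rec.planned)
    if rec.planned is None:
        return "awaiting plan", findings
    if rec.tested is None:
        return "awaiting test", findings
    if rec.deployed is None:
        return "awaiting deployment", findings
    if rec.deployed < rec.tested:
        findings.append(f"{rec.patch_id}: deployed to production before testing completed")
    return ("deployed (TFE)" if rec.tfe else "deployed"), findings


# Constructed sample records.
SAMPLE = [
    PatchRecord("P-1", date(2009, 4, 1), assessed=date(2009, 4, 10), applicable=True,
                planned=date(2009, 4, 10), tested=date(2009, 5, 5), deployed=date(2009, 5, 20)),
    PatchRecord("P-2", date(2009, 4, 1)),                                      # nobody has assessed it
    PatchRecord("P-3", date(2009, 3, 1), assessed=date(2009, 4, 15), applicable=False),
    PatchRecord("P-4", date(2009, 4, 1), assessed=date(2009, 4, 5), applicable=True,
                planned=date(2009, 4, 5), tested=date(2009, 5, 1), deployed=date(2009, 5, 1), tfe=True),
]


def report(records, today=AS_OF):
    return {rec.patch_id: evaluate(rec, today) for rec in records}


if __name__ == "__main__":
    for patch_id, (stage, findings) in report(SAMPLE).items():
        print(patch_id, stage, findings)
```

The 30-day clock runs from vendor availability, not from when the SME first noticed the patch, so records with no assessment date are the ones most likely to turn into findings at audit time.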
44. CIP 007 Systems Security
IDS = Intrusion Detection System
ICS = Industrial Control System
48. CIP 007 Systems Security
Ports and Services:
- Open firewall ports and protocols
- Point-to-point rules (no any any)
- Deny by default
System Security:
- No default accounts
- Strong passwords
Password Security:
- At least six-character passwords
- Complex passwords
- Password changes every 360 days
Community String Security:
- No “public” strings
- Rename community strings
- No default community strings
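Slides 39 and 48 list the same hardening items: point-to-point firewall rules with a final deny, no default accounts, six-character complex passwords rotated within 360 days, and no default SNMP community strings. These are all mechanically checkable. The block below is an added example written for this page, not code from the presentation; the firewall rule syntax, the list of default account names, the sample rules, community strings and account records are all constructed for the illustration, and the "as of" date is fixed so the results are reproducible.

```python
"""Added example: automated checks for the ports/services, account, password and
SNMP community-string items listed on the CIP 005 and CIP 007 slides. The rule
line syntax, account records and default-account list are constructed for this
illustration and are not from the presentation."""
import string
from datetime import date

MIN_PASSWORD_LENGTH = 6          # "at least six-character passwords"
MAX_PASSWORD_AGE_DAYS = 360      # "password changes every 360 days"
DEFAULT_COMMUNITY_STRINGS = {"public", "private"}                            # common vendor defaults
DEFAULT_ACCOUNTS = {"admin", "administrator", "guest", "root", "operator"}   # assumed list
DENY_ALL = "deny ip any any any"
AS_OF = date(2009, 6, 1)         # "today" for the constructed sample

# Constructed sample inputs. Rule syntax (assumed): "<action> <proto> <src> <dst> <port>".
FIREWALL_RULES = [
    "permit tcp 10.1.0.5 10.2.0.10 502",   # point-to-point, single port: acceptable
    "permit tcp any 10.2.0.10 23",         # 'any' source: not point-to-point
    "permit ip 10.1.0.7 any any",          # 'any' destination and 'any' port
]
SNMP_COMMUNITY_STRINGS = ["public", "plant-ro-7f3", "PRIVATE"]
ACCOUNTS = [  # (username, enabled, password, date of last password change)
    ("admin", True, "admin", date(2008, 1, 15)),
    ("jdoe", True, "Relay#2009", date(2009, 3, 1)),
    ("svc_hist", True, "Historian9!", date(2007, 12, 1)),
]


def check_firewall_rules(rules):
    """Flag permits that are not point-to-point and a missing terminal deny-by-default."""
    findings = []
    for n, rule in enumerate(rules, 1):
        fields = rule.split()
        if len(fields) != 5:
            findings.append(f"rule {n}: cannot parse {rule!r}")
            continue
        action, _proto, src, dst, port = fields
        if action == "permit" and "any" in (src, dst):
            findings.append(f"rule {n}: permit with 'any' endpoint is not point-to-point")
        if action == "permit" and port == "any":
            findings.append(f"rule {n}: permit without a specific port")
    if not rules or rules[-1].split() != DENY_ALL.split():
        findings.append("rule set does not end with an explicit deny-by-default")
    return findings


def check_community_strings(strings):
    """Return community strings that are still vendor defaults (case-insensitive)."""
    return [s for s in strings if s.lower() in DEFAULT_COMMUNITY_STRINGS]


def check_password(password, last_changed, today=AS_OF):
    """Length, alpha/numeric/special mix, and age against the slide's thresholds."""
    issues = []
    if len(password) < MIN_PASSWORD_LENGTH:
        issues.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    if not (has_alpha and has_digit and has_special):
        issues.append("lacks a mix of alpha, numeric and special characters")
    if (today - last_changed).days > MAX_PASSWORD_AGE_DAYS:
        issues.append(f"not changed in {MAX_PASSWORD_AGE_DAYS} days")
    return issues


def check_accounts(accounts, today=AS_OF):
    """Per-account findings: enabled default accounts plus password issues."""
    findings = {}
    for name, enabled, password, last_changed in accounts:
        issues = []
        if enabled and name.lower() in DEFAULT_ACCOUNTS:
            issues.append("default account is still enabled")
        issues.extend(check_password(password, last_changed, today))
        findings[name] = issues
    return findings


def run_all(today=AS_OF):
    return {
        "firewall": check_firewall_rules(FIREWALL_RULES),
        "community_strings": check_community_strings(SNMP_COMMUNITY_STRINGS),
        "accounts": check_accounts(ACCOUNTS, today),
    }


if __name__ == "__main__":
    for area, result in run_all().items():
        print(area, result)
```

In a real deployment the inputs would come from exported device configurations rather than inline lists; the point of the example is that each slide item maps to a concrete, repeatable test whose output is evidence rather than an assertion.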
54. NERC is complex. NERC CIP is more complex.
To meet all requirements you need to interface with:
- Applications – SAP, Oracle, HR, and business applications
- GRC, IAM, Change Management, Asset Management
- Directories, Network Security and IT Systems
- Physical Access Control Systems (PACS)
- Control Systems: EMS, DMS, HMI/SCADA
- Facilities / Building Management
- Video surveillance and other imaging sensors
- Situational Awareness and Geo-Spatial Mapping
- Incident Management Applications
55. Streamline On-Boarding/Off-Boarding & Close Security Gaps
Diagram labels: Enterprise Compliance; Eliminate Overlaps; Workplace Efficiency; Simplify & automate onboarding & offboarding; Human resources; SCADA/Network; Physical security; Governance, risk & compliance; Identity management; IT/ERP security; Assets; Contractors; Background Checks; Certification; Internal Control Policies; Industry Specific Risk Library
56. A New Generation of Solutions Bridges the Gap, Removes the Silos
63. Beyond NERC-CIP: Perimeter Protection Issues
Diagram labels: Internet; Critical Network; Business Network; Critical Cyber Asset; Command and Control
66. Advanced Perimeter Protection
Diagram labels: Unidirectional Communications; Critical Network; Business Network; Critical Cyber Asset; Enterprise Planning System; One-Way Communications Hardware
68. Emulating Two Way Protocols
Diagram: a two-way protocol terminates at an emulation agent on one side of the one-way communications hardware; a second emulation agent on the other side re-presents the same two-way protocol to its local peer, so neither endpoint sees the link as one-directional.
70. Under the Hood
Sending side: WF-Packet preparation and sending (sequencing, redundancy, error correction)
Receiving side: high-capacity and optimized receiving mechanism
Components on each side: Scheduler; 3rd Party API; SDK; Connectors; Management, Control and Configuration; MMI
Link: unidirectional fiber optics between the two Ethernet (ETH) interfaces
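The slide names sequencing, redundancy and error correction on the sending side for a reason: with no return path the receiver can never ask for a retransmission, so any loss must be repaired from redundancy that was sent ahead of time, and anything that cannot be repaired must be reported rather than requested. The block below is an added example written for this page; it is not Waterfall's code and does not reproduce the WF-Packet format, which the page does not describe. It assumes a minimal frame layout (sequence number, group number, frame kind, group size, payload length, fixed-size body, CRC32) and one XOR parity frame per group of four, which recovers exactly one lost or corrupted frame per group; the sample historian record is constructed.

```python
"""Added example: a minimal one-way transfer with sequencing, per-frame CRC32 and
XOR parity for loss recovery without a return channel. The frame layout, group
size and sample payload are constructed for this illustration; this is not the
WF-Packet format or any vendor's implementation."""
import struct
import zlib

CHUNK = 8                       # payload bytes per frame (small so the example is readable)
GROUP = 4                       # data frames protected by one XOR parity frame
DATA, PARITY = 0, 1
HDR = struct.Struct("!IIBBH")   # seq, group, kind, frames_in_group, payload_length

# Constructed sample: one historian point as it might cross the link.
SAMPLE = b"TAG=GEN1.MW,TS=1244000000,VAL=412.7;"


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _frame(seq, group, kind, count, length, body):
    head = HDR.pack(seq, group, kind, count, length) + body
    return head + struct.pack("!I", zlib.crc32(head))


def build_packets(payload):
    """Sender side: chunk, number, pad to CHUNK, add one XOR parity frame per group, CRC each frame."""
    chunks = [payload[i:i + CHUNK] for i in range(0, len(payload), CHUNK)]
    packets = []
    for g in range(0, len(chunks), GROUP):
        group, group_chunks = g // GROUP, chunks[g:g + GROUP]
        count = len(group_chunks)
        parity_body, parity_len = bytes(CHUNK), 0
        for i, chunk in enumerate(group_chunks):
            body = chunk.ljust(CHUNK, b"\0")
            packets.append(_frame(g + i, group, DATA, count, len(chunk), body))
            parity_body = _xor(parity_body, body)   # XOR of bodies ...
            parity_len ^= len(chunk)                # ... and of lengths, so both can be rebuilt
        packets.append(_frame(group, group, PARITY, count, parity_len, parity_body))
    return packets


def receive(packets):
    """Receiver side: drop frames failing CRC, regroup, rebuild one missing frame per group from
    parity, and report (never request) what could not be recovered."""
    report = {"corrupt": 0, "recovered": [], "lost": [], "missing_groups": []}
    groups = {}
    for pkt in packets:
        head, crc = pkt[:-4], pkt[-4:]
        if len(head) != HDR.size + CHUNK or struct.pack("!I", zlib.crc32(head)) != crc:
            report["corrupt"] += 1          # a corrupt frame is treated as lost
            continue
        seq, group, kind, count, length = HDR.unpack(head[:HDR.size])
        entry = groups.setdefault(group, {"count": count, "data": {}, "parity": None})
        if kind == DATA:
            entry["data"][seq] = (length, head[HDR.size:])
        else:
            entry["parity"] = (length, head[HDR.size:])
    if groups:   # a group with every frame lost leaves a gap in the group numbering
        report["missing_groups"] = [g for g in range(max(groups) + 1) if g not in groups]
    out = bytearray()
    for group in sorted(groups):
        entry = groups[group]
        expected = [group * GROUP + i for i in range(entry["count"])]
        missing = [s for s in expected if s not in entry["data"]]
        if len(missing) == 1 and entry["parity"]:
            length, body = entry["parity"]
            for s in expected:
                if s != missing[0]:
                    l, b = entry["data"][s]
                    length ^= l
                    body = _xor(body, b)
            entry["data"][missing[0]] = (length, body)
            report["recovered"].append(missing[0])
        elif missing:                        # two or more gone, or parity gone too: unrecoverable
            report["lost"].extend(missing)
        for s in expected:
            if s in entry["data"]:
                length, body = entry["data"][s]
                out += body[:length]
    return bytes(out), report


def simulate(payload, drop=(), flip=()):
    """Run the link, dropping the given data sequence numbers and flipping one body byte in others."""
    delivered = []
    for pkt in build_packets(payload):
        seq, _group, kind, _count, _length = HDR.unpack(pkt[:HDR.size])
        if kind == DATA and seq in drop:
            continue
        if kind == DATA and seq in flip:
            pkt = pkt[:HDR.size] + bytes([pkt[HDR.size] ^ 0xFF]) + pkt[HDR.size + 1:]
        delivered.append(pkt)
    return receive(delivered)


if __name__ == "__main__":
    print(simulate(SAMPLE, drop={2}))
    print(simulate(SAMPLE, drop={0, 3}))
```

The design choice to notice is the failure mode: when two frames of one group are lost, the receiver emits what it has and records the gap, because on a one-way link "retry" is not an option and the consumer (here, the replica historian) must be told the data is incomplete rather than silently given a shorter record.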
72. Application: Generation
Photo courtesy of wikimedia.org
Diagram labels: Critical Network; Critical Cyber Assets; Business Network; Enterprise Historian (Replica); Plant Historian; ICCP (to SO)
You can drill down into the detail and identify which NERC CIP compliance requirement is being violated. You can remediate or mitigate the risk right from the same screen.

Via the SCADA interface the application detects unauthorized disabling of two levels of protection, namely the disabling of protective relays at a generation facility. The application delivers a geo-spatial view for situational awareness. In this slide an alert has been received, and the user can confirm it and initiate the remedial action scripts workflow.

The application is pre-integrated with video surveillance and door locks from the building control system, which can be tagged in the display and clicked on to access live video to confirm the incident. If needed, the remote responder can initiate a lockdown of the premises or of the particular access point while automatically dispatching first responders.
Compliance Is Painful – not necessarily. There is help available. Much of it is common sense. Make the paradigm shift and this becomes ingrained in the culture of your organization.
Congress-Initiated Problem – two issues with this acronym: 1) Congress initiated an order, but it was a response to a horrible blackout and subsequent studies evidencing lack of participation in voluntary compliance. 2) Not a problem, but one viable solution or remedy.
Can I punt? – No, this is everyone’s issue. If you have CCAs it is obvious. If not, think about doomsday scenarios: scary stats about BES outage scenarios.
Cash Is Preferred – The preferred reaction to CIP within NERC is compliance, and hence a more reliable BES, not fines for noncompliance.
NERC’S Brainchild – the process of creating and maintaining standards is currently an ANSI-certified process, where industry
Reduced risk of noncompliance isn’t the goal… Reduced risk is the goal.
Credible Threats to the Smart Grid. Elaborate on each. Talk about definition of risk and what you can do with it.
Get real security, and compliance is easy to attain. Give scenarios where “compliant” is far from sufficient. Talk about NERC sufficiency reviews. Show the CIA-NR model (possibly to organize threats?). Bad guys don’t care if you’re compliant. Standards are a moving target.
This is an area where people tend to get “feature fever.” Jumping into controls can waste money, derail your security projects, create an unsustainable environment and even degrade your security posture.
Mention the non-compliance parts of NERC (like my team) Warn of consultants who are not properly vetted
Permeates the organization from the top down. Pragmatic: performance reviews, bonuses, quantify, ratings. Benefits: financial benefits (litigation, retrofit, etc.). Can hit any “moving target” like CIP, NIST… Better to bake in vs. retrofit.