This is the slide deck from the NERC CIP Compliance Workshop at Smart Grid Security East 2011 (www.smartgridsecurityeast.com)

3. Presenters Gib Sorebo – Chief Security Engineer, SAIC Mike Echols – Critical Infrastructure Protection Manager, Salt River Project Jim Brenton – Regional Security Coordinator, ERCOT Joshua Axelrod – Director Of Professional Services, Alert Enterprise Lior Frenkel – CEO, Waterfall Security Solutions Steven Applegate – Cyber Security Threat and Vulnerability Program Manager, NERC

5. DOE Modern Grid Strategy AMI = Advanced Metering Infrastructure DR = Demand Response ADO = Advanced Distribution Operations ATO = Advanced Transmission Operations AAM = Advanced Asset Management Source: Department of Energy

6. NERC CIP Overview

7. NERC CIP Compliance

8. Critical Assets

16. Critical Cyber Assets CCA = Critical Cyber Asset Cyber Asset Name Essential R3.1 R3.2 R3.3 Connectivity CCA Cyber.Asset.Name Yes Yes Yes No IP Yes Cyber.Asset.Name Yes Yes Yes No Disconnected No Cyber.Asset.Name Yes No No Yes Dial-up Yes Cyber.Asset.Name Yes No No No Serial No

27. What’s next for CIP Standards

29. CIP 003 Leadership CIP = Critical Infrastructure Protection

32. CIP 003 Change Control and Configuration Management CIP = Critical Infrastructure Protection I&A = Identification and Authentication DES = Data Encryption Standard PKI = Public Key Infrastructure

35. CIP 004 Access Control

36. CIP 005 Network Security Network Applications Databases Operating System Network Operating System Databases Applications Access Points Electronic Security Perimeters CIP = Critical Infrastructure Protection

37. CIP 005 Network Security CIP = Critical Infrastructure Protection

38. CIP 005 Network Security CIP = Critical Infrastructure Protection

39. CIP = Critical Infrastructure Protection CIP 005 Network Security Ports and Services System Security Password Security Community String Security Open firewall ports and protocols No default accounts At least six-character passwords No public strings Point-to-point rules (no any any) Strong passwords Complex passwords Rename community strings Deny by default No default community strings Password changes every 360 days

40. CIP 006 Physical Security

42. CIP 007 Systems Security CIP = Critical Infrastructure Protection

43. CIP 007 Systems Security CIP = Critical Infrastructure Protection Vendor releases security patch or update SME determines patch or update applicability (within 30 days of availability) SME creates plan (within same 30 days) for future deployment SME downloads patch or update and deploys in test environment SME tests security controls and functionality according to test plan SME securely deploys and tests in production environment (or TFE)

44. CIP = Critical Infrastructure Protection IDS = Intrusion Detection System ICS = Industrial Control System CIP 007 Systems Security

45. CIP 007 Systems Security CIP = Critical Infrastructure Protection

46. CIP 007 Systems Security CIP = Critical Infrastructure Protection

47. CIP 007 Systems Security CIP = Critical Infrastructure Protection

48. CIP 007 Systems Security CIP = Critical Infrastructure Protection Ports and Services System Security Password Security Community String Security Open firewall ports and protocols No default accounts At least 6 character passwords No public strings Point-to-point rules (no any any) Strong passwords Complex passwords Rename community strings Deny by default No default community strings Password changes every 360 days

51. CIP 009 Recovery CIP = Critical Infrastructure Protection

52. CIP = Critical Infrastructure Protection CIP 009 Recovery

54. NERC is Complex. NERC CIP is more Complex.. To meet all requirements you need to interface with: Applications – SAP, Oracle, HR, and Business Applications GRC, IAM, Change Management, Asset Management Directories, Network Security and IT Systems Physical Access Control Systems (PACS) Control Systems: EMS, DMS, HMI/SCADA Facilities / Building Management Video surveillance and other imaging sensors Situational Awareness and Geo-Spatial Mapping Incident Management Applications

55. Streamline On-Boarding/Off-Boarding & Close Security Gaps Enterprise Compliance Eliminate Overlaps Workplace Efficiency Simplify & automate onboarding & offboarding Human resources SCADA/ Network Physical security Governance risk & compliance Identity management IT/ERP security Assets Contractors Background Checks Certification Internal Control Policies Industry Specific Risk Library

56. A New Generation of Solutions Bridges the Gap, Removes the Silos

57. Active Policy Enforcement

58. Situational Awareness

59. Incident Response

60. NERC CIP Security and Compliance Posture

62. CIP 003 – 009 Takeaways CIP = Critical Infrastructure Protection

63. Beyond NERC-CIP: Perimeter Protection Issues Internet Critical Network Business Network Critical Cyber Asset Command And Control

66. Advanced Perimeter Protection Unidirectional Communications Critical Network Business Network Critical Cyber Asset Enterprise Planning System One-Way Communications Hardware

68. Emulating Two Way Protocols One-Way Communications Hardware Emulation Agent Two-Way Protocol Two-Way Protocol Emulation Agent

70. Under the Hood WF-Packet preparation and sending (Sequencing, Redundancy, Error correction) High capacity and optimized receiving mechanism. Scheduler 3 rd Party API SDK Connectors Management Control and Conf. MMI Connectors SDK 3 rd Party API Scheduler Management Control and Conf. MMI Unidirectional Fiber optics ETH ETH

72. Application: Generation Photo courtesy of wikimedia.org Critical Network Critical Cyber Assets Business Network Enterprise Historian (Replica) Plant Historian ICCP (to SO)

74. Application: Transmission Photo courtesy of: hydro station L'Ange-Gardien, QC Substation Network EMS Network Critical Cyber Assets DNP3 DNP3 EMS

79. What if I’m Not Required To Comply?

81. How far should I go?

83. Where can I go for help?

84. Culture of Compliance What Does It Look Like? How Do I Get There?