Cyber Security: A Program to Meet NERC CIP Requirements. May 17, 2010. Rick Dakin, Coalfire Systems CEO and Co-founder.

Agenda: the fastest 30 minutes in cyber security history
- Introductions
- The Threat
- NERC CIP Requirements
- CIP Program Rollout
- Cyber Security Program Strategy
- Questions

Coalfire Overview
- Clients include Fortune 100, retail, government, education, financial, healthcare, and utilities
- Offices in Denver, Seattle, NYC, Dallas and San Diego, with over 40 full-time IT auditors
- IT audit and compliance management: security, governance and compliance management; audits for GLBA, SOX, PCI, HIPAA, SAS 70 and NERC CIP
- Application security: PA-DSS certification, code audits, penetration testing, SDL development
- Solutions: policy development, data classification, control management, incident response, etc.
- Practice areas: risk and vulnerability assessment, e-discovery and forensic analysis

Regulatory Backdrop (timeline slide, 2000 to present): Computer Security Act, EU Data Protection, HIPAA, FDA 21 CFR Part 11, C6 (Canada), GLBA, COPPA, USA PATRIOT Act (2001), EC Data Privacy Directive, CLERP 9, CAN-SPAM Act, FISMA, Sarbanes-Oxley (SOX), CIPA (2002), Basel II, NERC CIP, HITECH, Payment Card Industry (PCI), California individual privacy law SB 1386, other state privacy laws.
The regulatory environment is a new challenge for IT professionals.

Why Protect Infrastructure?

Strategic Barriers

'Smart Grid' may be vulnerable to hackers
By Jeanne Meserve, CNN Homeland Security Correspondent (UPDATED: 08:44 PM EDT)

WASHINGTON (CNN) Is it really so smart to forge ahead with the high technology, digitally based electricity distribution and transmission system known as the "Smart Grid"? Tests have shown that a hacker can break into the system, and cyber security experts said a massive blackout could result. Until the United States eliminates the Smart Grid's vulnerabilities, some experts said, deployment should proceed slowly. "I think we are putting the cart before the horse here to get this stuff rolled out very fast," said Ed Skoudis, a co-founder of InGuardians, a network security research and consulting firm.

Trends: The Risk is Growing
- Cyber attacks are increasing
- The deployment of IP networks in critical infrastructure is growing
- Legacy systems deployed in critical systems only change every 5 to 12 years, and were never designed to be secure
- The workforce is aging and will require re-training to modify processes and controls
- Control vendors are late contributors to cyber security plans
- There are no industry standards for secure systems development for critical infrastructure

CIP Overview
The North American Electric Reliability Corporation (NERC) standards CIP-002 through CIP-009 provide a cyber security framework for the identification and protection of Critical Cyber Assets to support reliable operation of the Bulk Electric System. Effective December 2009, most operators must comply with the following requirements.

CIP Requirement | Controls
CIP-002 | Critical Cyber Asset Identification
CIP-003 | Security Management Controls
CIP-004 | Personnel Security and Training
CIP-005 | Electronic Security Perimeter
CIP-006 | Physical Security
CIP-007 | Systems Security Management
CIP-008 | Incident Reporting and Response Planning
CIP-009 | Recovery Plans for Critical Cyber Assets

CIP Updates
- Oversight of cyber security at U.S. commercial nuclear power plants will be divided between the NRC and NERC
- CIP version 2 takes force in April 2010 and increases strictness:
  - Removal of the terms "reasonable business judgment" and "acceptance of risk"
  - Training and personnel risk assessments must be performed before access is granted to authorized personnel
  - Delegations must be specifically documented with areas of responsibility and approved by the designated senior manager
  - Levels of Non-Compliance replaced with Violation Severity Levels and Violation Risk Factors
- Future CIP versions look to introduce more alignment with best-practice standards such as NIST

Slow Adoption

FERC: Bringing Down the Hammer
- Budget increase of over $17M to make reliability of the electric transmission grid, and enforcement of NERC standards, a priority in 2011
- Planning for an average of 100 violations each month in 2011
- Strong response to NERC Technical Feasibility Exception (TFE) rules, including a mandate that all mitigating controls be equivalent to the strict original control intent
- Severely limited any safe harbor absent exceptional circumstances
- May 4th, 2010: Michael Assante resigns as CSO of NERC

Growing the Grid
- The Energy Independence and Security Act of 2007 established the Smart Grid program, which mandates two-way flow of electricity and information with the end user
- The draft NIST IR-7628, Smart Grid Cyber Security Strategy and Requirements, addresses: bottom-up risk-based assessment; privacy concerns; vulnerability class analysis
- Takes the threat to the end user: what is the difference between shutting down the plant and conducting an energy denial-of-service attack against the consumer?

CIP Program Approach: Compliance Management Program (diagram slide, four phases)
1. Risk Assessment: asset inventory, risk assessment, control selection, gap analysis, remediation roadmap
2. Control Design: define system boundaries, control design, documentation, user testing, policies and plans
3. Deploy and Operate: guidelines, control deployment, control operation, operations monitoring and reporting, training
4. Measure and Report: program design, establish metrics, control testing, develop compliance portal, online support

21 Steps to Improve Cyber Security
1. Identify all connections to SCADA
2. Disconnect unnecessary connections
3. Strengthen the security of remaining connections
4. Harden SCADA networks
5. Do not rely on proprietary protocols
6. Implement the security features provided by vendors
7. Establish strong controls over media
8. Implement internal and external intrusion detection systems
9. Perform technical audits of SCADA devices and networks
10. Assess remote sites connected to the SCADA network (access controls)
11. Identify and evaluate possible attack scenarios
12. Clearly define cyber security roles and responsibilities
13. Document network architecture
14. Establish a risk management process
15. Establish a "defense-in-depth" security program
16. Clearly identify cyber security requirements
17. Establish configuration management processes
18. Conduct routine self-assessments
19. Establish a disaster recovery plan
20. Establish program accountability
21. Establish policies and provide training
Source: The President's Critical Infrastructure Protection Board

Segment SCADA Network

Top 5 Risk Mitigation Steps
1. Segment SCADA systems (diagram system boundaries)
2. Test segmentation of SCADA systems (do not rely on proprietary protocols)
3. Restrict remote access
4. Contact your system vendor for secure configuration and operations guides
5. Develop a good incident response plan
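The segmentation and remote-access items in the two lists above (identify all connections to SCADA, disconnect the unnecessary ones, strengthen the rest, test the segmentation, restrict remote access) all rest on the same ground truth: which observed connections actually cross the SCADA boundary, and which of those are approved. The following Python script is an added example, not code from the deck or from Coalfire. The ESP subnet, jump host, historian addresses, approved-access list and flow records are constructed for illustration. It classifies each flow relative to the Electronic Security Perimeter, flags boundary crossings that are not on the approved list, and separately flags crossings on ports whose protocol carries no authentication or encryption (telnet, FTP, Modbus/TCP, DNP3), which is the failure mode behind not relying on a protocol's obscurity for protection.

```python
"""Constructed example: audit observed flows against a SCADA Electronic
Security Perimeter (ESP). Not from the original deck; all subnets, hosts,
ports and flow records below are hypothetical."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Hypothetical ESP: the control-system subnet that must stay segmented.
ESP_NETWORKS = [ipaddress.ip_network("10.50.0.0/24")]

# Hypothetical approved electronic access points: (source host, destination
# host or network, destination port). Any other boundary crossing is a
# candidate for "disconnect" (step 2) or "strengthen" (step 3).
APPROVED_ACCESS = [
    ("10.50.0.20", "10.10.5.7", 5450),      # historian replication out of the ESP
    ("10.10.9.3", "10.50.0.0/24", 3389),    # operator RDP only via the jump host
]

# Ports whose protocols carry no authentication or encryption. Crossing the
# ESP on these is a finding even when the access point itself is approved.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 502: "modbus/tcp", 20000: "dnp3"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def in_esp(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ESP_NETWORKS)


def is_approved(flow: Flow) -> bool:
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for a_src, a_dst, a_port in APPROVED_ACCESS:
        if (flow.dport == a_port
                and src == ipaddress.ip_address(a_src)
                and dst in ipaddress.ip_network(a_dst, strict=False)):
            return True
    return False


def classify(flow: Flow) -> str:
    """internal: both ends inside the ESP; external: neither end inside;
    approved/unapproved: the flow crosses the ESP boundary."""
    src_in, dst_in = in_esp(flow.src), in_esp(flow.dst)
    if src_in and dst_in:
        return "internal"
    if not src_in and not dst_in:
        return "external"
    return "approved" if is_approved(flow) else "unapproved"


def audit(flows):
    """Return (per-verdict counts, list of (flow, reason) findings)."""
    counts = Counter()
    findings = []
    for f in flows:
        verdict = classify(f)
        counts[verdict] += 1
        if verdict == "unapproved":
            findings.append((f, "boundary crossing not on the approved access list"))
        if verdict in ("approved", "unapproved") and f.dport in CLEARTEXT_PORTS:
            findings.append((f, f"{CLEARTEXT_PORTS[f.dport]} crosses the ESP in cleartext"))
    return counts, findings


# Constructed flow records, as one might export from a firewall or NetFlow collector.
SAMPLE_FLOWS = [
    Flow("10.50.0.11", "10.50.0.12", 502),     # PLC polling inside the ESP
    Flow("10.10.9.3", "10.50.0.15", 3389),     # operator via jump host (approved)
    Flow("10.50.0.20", "10.10.5.7", 5450),     # historian replication (approved)
    Flow("10.10.42.8", "10.50.0.15", 3389),    # direct RDP from a corporate workstation
    Flow("192.0.2.77", "10.50.0.30", 502),     # Modbus from outside the enterprise
    Flow("10.10.42.8", "10.10.5.7", 443),      # corporate-only traffic, not our concern
    Flow("10.50.0.30", "10.10.3.3", 23),       # telnet out of the ESP
]

if __name__ == "__main__":
    counts, findings = audit(SAMPLE_FLOWS)
    print(dict(counts))
    for flow, reason in findings:
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
```

Run against a real flow export and the real approved-access list, the "unapproved" findings are the candidate list for step 2 (disconnect) and the cleartext findings for step 3 (strengthen); re-running it after each change is the "test segmentation" step, and a flow that reaches the ESP from outside without passing the jump host is exactly the remote access that step 3 of the top-5 list says to restrict.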

References
- Idaho National Labs: Vulnerabilities Report
- NIST SP
- NERC: Top 10 Vulnerabilities of Control Systems
- GAO Report on Continuing Security Weakness
- 21 Steps to Improve SCADA System Security

Thank You. Rick Dakin, ext. 7001. Questions?