Presentation is loading. Please wait.

Presentation is loading. Please wait.

NERC CIP Implementation – Lessons Learned and Path Forward

Published by서우 초 Modified over 6 years ago

Similar presentations

Presentation on theme: "NERC CIP Implementation – Lessons Learned and Path Forward"— Presentation transcript:

1 NERC CIP Implementation – Lessons Learned and Path Forward
Anfield Summit August 5-6, 2015 By Jeremy Anderson Manager, Sales Engineering NovaTech, LLC

2 NERC CIP Implementation – Lessons Learned and Path Forward
NERC CIP Version 5: Quick Overview The “Intermediate System” – Why Needed, and Design Suggestions Reliable Broadband-based Networking System – Not an Option The Importance of a Standards-based approach Manual, Semi-Automatic or Fully Automatic Design?

3 Current NERC CIP Documents
16-Sep-18 Current NERC CIP Documents CIP–002–3 — Cyber Security— Critical Cyber Asset Identification CIP–003–3 — Cyber Security — Security Management Controls  CIP–004–3 — Cyber Security — Personnel and Training  CIP–005–3 — Cyber Security — Electronic Security Perimeter(s)  CIP–006–3 — Cyber Security — Physical Security   CIP–007–3 — Cyber Security — Systems Security Management  CIP–008–3 — Cyber Security — Incident Reporting and Response Planning  CIP–009–3 — Cyber Security — Recovery Plans for Critical Cyber Assets

4 NERC CIP Documents “Version 5”
16-Sep-18 NERC CIP Documents “Version 5” CIP–002–5 — Cyber Security — BES Cyber System Categorization  CIP–003–5 — Cyber Security — Security Management Controls  CIP–004–5 — Cyber Security — Personnel and Training  CIP–005–5 — Cyber Security — Electronic Security Perimeter(s)  CIP–006–5 — Cyber Security — Physical Security of BES Cyber Systems  CIP–007–5 — Cyber Security — Systems Security Management  CIP–008–5 — Cyber Security — Incident Reporting and Response Planning  CIP–009–5 — Cyber Security — Recovery Plans for BES Cyber Systems  (new) CIP–010–1 — Cyber Security — Configuration Change Mgmt. and Vulnerability Assessments  (new) CIP–011–1 — Cyber Security — Information Protection (new) CIP–014–1 — Cyber Security — Physical Security

5 Version 5 Introduces New Definitions
Cyber Asset Programmable electronic devices, including the hardware, software, and data in those devices. BES Cyber Asset A Cyber Asset that if rendered unavailable, degraded, or misused would affect the reliable operation of the Bulk Electric System. BES Cyber System One or more BES Cyber Assets logically grouped to perform one or more reliability tasks. “Bulk Electric System” …generally 100kV or higher. September 16, 2018 Presentation title

6 Improved Definition of Criticality
V3/V4 V5 High Critical Medium Other Low Non-Critical Non-Critical

7 Version 5 Expands Definition of “Applicable Systems”
Electronic Access Control or Monitoring Systems (EACMS) – Applies to each Electronic Access Control or Monitoring System associated with a referenced high impact BES Cyber System or medium impact BES Cyber System. Examples may include, but are not limited to, firewalls, authentication servers, and log monitoring and alerting systems. Physical Access Control Systems (PACS) – Applies to each Physical Access Control System associated with a referenced high impact BES Cyber System or medium impact BES Cyber System with External Routable Connectivity. Protected Cyber Assets (PCA)– Applies to each Protected Cyber Asset associated with a referenced high impact BES Cyber System or medium impact BES Cyber System

8 Other Significant Changes V3/4 to V5
Must now use an “intermediate device” between User and Critical Asset The complete exemption of Cyber Assets from applicability to the NERC CIP standards based on communication characteristics no longer applies. Must remove/disable both unused “software ports” and unused “hardware points” Improved definition for patching Defines the source of the “patches” (also “hot fixes” and “updates”) Provides better definition of “release date” and “availability date” If installing the patch introduces more risk than the vulnerability represents, an alternate process is defined Does not mandate anti-virus software Requires security monitoring …and more. No longer can a large utility with hundreds of transmission substations claim they do not need to meet the CIP requirements because they unplugged.

9 The “Intermediate System” is stipulated in CIP-005-5
Mostly Control Centers Mostly Substations

10 What is Interactive Remote Access?
user-initiated access by a person employing a remote access client or other remote access technology using a routable protocol. Remote access originates from a Cyber Asset that is not an Intermediate System and not located within any of the Responsible Entity's Electronic Security Perimeter(s) or at a defined Electronic Access Point (EAP). Remote access may be initiated from: 1) Cyber Assets used or owned by the Responsible Entity, 2) Cyber Assets used or owned by employees, and 3) Cyber Assets used or owned by vendors, contractors, or consultants. Interactive remote access does not include system-to-system process communications.

11 Access Without Intermediate System
No Longer Permitted System User Broadband Connection Electronic Security Perimeter Critical Cyber Assets

12 Why Not? Intermediate system acts as a proxy. No need to have wide open rules in firewalls. Also protects from vulnerabilities on the host computer.

13 Access with Intermediate System
Networked Servers Server(s) for Connection Management and Password Management System User Restricts access to only authorized users Broadband Connection Electronic Security Perimeter Critical Cyber Assets A basic system could be a simple as a desktop PC that the users access via RDC. The intermediate system can do more!! It can manage user access to IEDs It can manage IED passwords. It can contain all the software that will need to be used in one location. This simplifies software management.

14 Summary of Intermediate System Functions
Networked Servers All users who interact with substation assets login to the system. System manages all user passwords and permission. System manages the details of all connections to substation assets. System manages passwords in the substation assets. System User Encrypted Broadband Connection Electronic Security Perimeter Critical Cyber Assets

15 Reliable Broadband-based Networking System – Not an Option
Broadband is the solution for… …securely transferring files (e.g. for NERC CIP-10) …efficiently accessing syslog events …implementing LDAP and Active Directory for remote, centralized authentication …simplifying access and management of substation assets Serial approaches are highly compromised for the above tasks and not a sustainable approach. 99.999% broadband uptime can be achieved

16 The Importance of a Standards-based Approach
The standards have been developed already, and they work: Secure Protocols: SSH, SSL, TLS, HTTPS, SFTP Security Event Access: Syslog System Management: SNMP Identity Management: Active Directory, LDAP, IPA No need for Utility-specific, homegrown or proprietary approaches

17 Manual, Semi-Automatic or Fully Automatic Design?
Not all IEDs were designed to support automatic access of configurations Only a few IEDs were designed to support automatic password changes Semi-automatic approach may be best Simpler can be better

18 Manual System Very time and paperwork intensive
Very easy to forget something

19 Example of Semi-Automatic System for Access Management
User logs on to Connection Manager server Connection Manager lists all relay assets. User selects relay. Encrypted connection established Password entered manually Networked Servers System User Broadband Connection Critical Cyber Assets Encrypted connection is automatic Password entry is manual Electronic Security Perimeter

20 Example of Semi Automatic Systems for Configuration Management
System User Networked Servers Substation appliance retrieves relay configuration files Substation appliance calculates checksum on all relay configuration files Substation appliance sends configurations/checksum to server System user compares configurations/checksum for relays to previous. Broadband Connection Critical Cyber Assets Electronic Security Perimeter

21 Contact Information Jeremy Anderson Manager, Sales Engineering NovaTech, LLC

Download ppt "NERC CIP Implementation – Lessons Learned and Path Forward"

Similar presentations

NERC Security Requirements – What Vendors Should Provide James W. Sample, CISSP, CISM Manager of Information Security California ISO.

NERC Security Requirements – What Vendors Should Provide James W. Sample, CISSP, CISM Manager of Information Security California ISO.
Darren T. Nielsen, M.Ad., CISA, CPP, PCI, PSP, CBRA, CBRM Senior Compliance Auditor, Cyber Security Salt Lake City, UT Office CIP-006 V3 to CIP-006 V5.

Darren T. Nielsen, M.Ad., CISA, CPP, PCI, PSP, CBRA, CBRM Senior Compliance Auditor, Cyber Security Salt Lake City, UT Office CIP-006 V3 to CIP-006 V5.
© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.

© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.
Project 2008-06 Cyber Security Order 706 January 10, 2012 Most of the material presented has been compiled from NERC webinars and drafting team meetings.

Project Cyber Security Order 706 January 10, 2012 Most of the material presented has been compiled from NERC webinars and drafting team meetings.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.

Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.
Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.

Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
1 Kyung Hee University Prof. Choong Seon HONG Network Control.

1 Kyung Hee University Prof. Choong Seon HONG Network Control.
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.
Entré NetMonitor Proactive IT monitoring, Management and support Think DIFFERENT about IT.

Entré NetMonitor Proactive IT monitoring, Management and support Think DIFFERENT about IT.
K E M A, I N C. NERC Cyber Security Standards and August 14 th Blackout Implications OSI PI User Group April 20, 2004 Joe Weiss

K E M A, I N C. NERC Cyber Security Standards and August 14 th Blackout Implications OSI PI User Group April 20, 2004 Joe Weiss
Lisa Wood, CISA, CBRM, CBRA Compliance Auditor, Cyber Security

Lisa Wood, CISA, CBRM, CBRA Compliance Auditor, Cyber Security
XA R7.8 Upgrade Process and Technical Overview Ruth Anne Pharr Sr. IT Consultant, CISTECH Inc.

XA R7.8 Upgrade Process and Technical Overview Ruth Anne Pharr Sr. IT Consultant, CISTECH Inc.
©Kwan Sai Kit, All Rights Reserved Windows Small Business Server 2003 Features.

©Kwan Sai Kit, All Rights Reserved Windows Small Business Server 2003 Features.
Federal Energy Regulatory Commission June 20091 Cyber Security and Reliability Standards Regis F. Binder Director, Division of Logistics & Security Federal.

Federal Energy Regulatory Commission June Cyber Security and Reliability Standards Regis F. Binder Director, Division of Logistics & Security Federal.

Similar presentations

Ads by Google