Date post: | 17-Dec-2015 |
Category: |
Documents |
Upload: | primrose-matthews |
View: | 214 times |
Download: | 0 times |
Cyber SecurityA Program to Meet NERC CIP Requirements
May 17, 2010
Rick DakinCoalfire systemsCEO and Co-founder
Agenda
The fastest 30 minutes in cyber security history• Introductions• The Threat• NERC CIP Requirements• CIP Program Rollout• Cyber Security Program Strategy• Questions
Coalfire Overview
3
Clients include Fortune 100, retail, government, education, financial, healthcare, and utilities
Offices in Denver, Seattle, NYC, Dallas and San Diego) with over 40 full-time IT auditors
Security, governance, compliance management, Audit – GLBA, SOX, PCI, HIPAA, SAS 70 & NERC CIP
Application security: PA-DSS certification, code audits, penetration testing, SDL development
Solutions: policy development, data classification, control management, incident response, etc.
Practice areas: risk and vulnerability assessment, e-discovery and forensic analysis
IT Audit and
Compliance Manageme
nt
4
Regulatory Backdrop
4
1970-1980
1980-1990
Computer Security Act of 1987
1990-2000
EU Data Protection HIPAA FDA 21CFR Part 11 C6-Canada GLBA
2000 to Present
COPPA USA Patriot Act 2001 EC Data Privacy Directive CLERP 9 CAN-SPAM Act FISMA Sarbanes Oxley (SOX) CIPA 2002 Basel II NERC CIP HITECH Payment Card Industry
(PCI) California Individual
Privacy SB1386
Other State Privacy Laws
Regulatory Environment is a New Challenge for IT Professionals
Strategic Barriers
'Smart Grid' may be vulnerable to hackersBy Jeanne Meserve CNN Homeland Security Correspondent UPDATED: 08:44 PM EDT 03.21.09 WASHINGTON (CNN)Is it really so smart to forge ahead with the high technology, digitally based electricity distribution and transmission system known as the "Smart Grid"? Tests have shown that a hacker can break into the system, and cyber security experts said a massive blackout could result.
Until the United States eliminates the Smart Grid's vulnerabilities, some experts said, deployment should proceed slowly.
"I think we are putting the cart before the horse here to get this stuff rolled out very fast," said Ed Skoudis, a co-founder of InGuardians, a network security research and consulting firm.
Trends – The Risk is Growing
• Cyber attacks are increasing• The deployment of IP networks in
critical infrastructure is growing• Legacy systems deployed in critical
systems only change every 5 – 12 years ….. and, were never designed to be secure
• The workforce is aging and will require re-training to modify processes and controls
• Control vendors are late contributors to cyber security plans. There are not industry standards for secure systems development for Critical Infrastructure
CIP Overview
The North American Reliability Corporation (NERC) Standards CIP-002 through CIP-009 provide a cyber security framework for the identification and protection of Critical Cyber Assets to support reliable operation of the Bulk Electric System. Effective December 2009, most operators must comply with the following requirements.
CIP Requirement
Controls
CIP 002 Cyber Asset Identification
CIP 003 Security Management Controls
CIP 004 Personnel Security and Training
CIP 005 Electronic Security Perimeter
CIP 006 Physical Security
CIP 007 Systems Security Management
CIP 008 Incident Reporting and Response Planning
CIP 009 Recovery Plans for Critical Cyber Assets
9
CIP Updates
Oversight of cyber security at U.S. commercial nuclear power plants will be divided between the NRC and the NERC
CIP version 2 takes force in April 2010 and increases “strictness”• Removal of the terms “reasonable business judgment” and
“acceptance of risk”• Training and Personnel Risk Assessments must be performed prior to
granting access to authorized personnel• Delegations must be specifically documented with areas of
responsibility and approved by the designated Senior Manager• Levels of Non-Compliance replaced with Violation Severity Levels and
Violation Risk Factors Future CIP versions look to introduce more alignment with
best practice standards such as NIST
11
FERC – Bringing down the Hammer
Budget increase of over $17M to make reliability of the electric transmission grid—and enforcement of NERC Standards—a priority in 2011
Planning for an average of 100 violations each month in 2011
Strong response to NERC Technical Feasibility Exception (TFE) rules including mandate that all mitigating controls are equivalent to strict original control intent
Severely limited any safe harbor absent exceptional circumstances
May 4th, 2010 – Michael Assante resigns as CSO of NERC
12
Growing the Grid
The Energy Independence and Security Act of 2007 established the Smart Grid program which mandates two-way flow of electricity and information with the end user
NIST IR-7628: Smart Grid Cyber Security Strategy and Requirements drafted addresses:• Bottom-up Risk Based Assessment• Privacy Concerns• Vulnerability Class Analysis
Takes the threat to the end user: what’s the difference between shutting down the plant or conducting an Energy Denial of Service Attack against the consumer?
Measure and Report Program Design Establish Metrics Control testing Develop Compliance
Portal Online Support
Deploy and Operate Guidelines Control deployment Control Operation Operations Monitoring
and Reporting Training
Control Design Define system boundaries Control Design Documentation User Testing Policies, Plans
Risk Assessment Asset Inventory Risk Assessment Control Selection Gap Analysis Remediation Roadmap
CIP Program Approach
Compliance Management Program
21 Steps to Improve Cyber Security
1. Identify all connections to SCADA
2. Disconnect unnecessary connections
3. Strengthen the security of remaining connections
4. Harden SCADA Networks
5. Do not rely of proprietary protocols
6. Implement the security features provided by vendors
7. Establish strong controls over media
8. Implement internal and external intrusion detection systems
9. Perform technical audits of SCADA devices and networks
10.Assess remote sites connected to the SCADA network – Access Controls
11. Identify and evaluate possible attack scenarios
12. Clearly define cyber security roles and responsibilities
13. Document network Architecture14. Establish a risk management
process15. Establish a “defense–in-depth”
security program16. Clearly identify cyber security
requirements17. Establish configuration
management processes18. Conduct routine self-assessments19. Establish a disaster recovery plan20. Establish program accountability21. Establish policies and provide
Training
Source: The President’s Critical Infrastructure Protection Board
Top 5 Risk Mitigation Steps
1. Segment SCADA systems (Diagram system boundaries)
2. Test Segmentation of SCADA Systems (Do not rely on proprietary protocols)
3. Restrict Remote Access
4. Contact your System Vendor for Secure Configurations and Operations Guides
5. Develop a good Incident Response Plan
References
Idaho National Labs – Vulnerabilities Reporthttp://www.controlsystemsroadmap.net/pdfs/INL_Common_Vulnerabilties.pdf
NIST SP 800-82http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf
NERC - Top 10 Vulnerabilities of Control Systemshttp://www.controlsystemsroadmap.net/pdfs/NERC_2007_Top_10.pdf
GAO Report on Continuing Security Weaknesshttp://www.controlsystemsroadmap.net/pdfs/GAO_2007_CS_Challenges_Remain.pdf
21 Steps to Improve SCADA System Securityhttp://www.controlsystemsroadmap.net/pdfs/21_steps_to_Improve_Cyber_Security_of_SCADA_Networks.pdf