Stop Chasing the Version: Compliance with CIPv5 through CIPv99
Dealing with the ever-changing landscape of CIP compliance
Sid Shaffer (MBA, CISA)
Energy Sector Lead, Commercial Cybersecurity & Compliance
Jason Iler (ITIL, CISA)
Principal Services Architect
Trey Kirkpatrick
Vice President, Energy & Utility Compliance Services
Thank You!
Cybersecurity & Compliance Advisory and Implementation Services
NERC Compliance Management Software Solutions
Security and compliance assessment, monitoring automation and threat intelligence technology for IT/OT environments
Agenda and Key Takeaways
About ICF
• 70+ offices worldwide
• 5,000 employees, 1,500+ IT professionals
• 2014 revenue of $1.3 billion
• Assisting clients with NERC and CIP compliance since 2006
• End-to-end technology, advisory, implementation, and assessment services
Overview of Shifting Landscape
Key Changes
• CIP v5
– New terms, changed terms, organization, groupings
– Cyber Asset Classification (High, Medium, Low)
• CIP v6 / v7
– More new terms, clarifications
– Changes for Low Impact, Transient Devices, Removable Media
• Beyond
– More uncertainty (Virtualization, NIST Cyber, ES-C2M2, DHS C³)
– Increased awareness = increased likelihood of change
Commonly Seen Compliance Program
Compliance Program Goal
What We Are Seeing
• Companies are re-aligning / upgrading existing programs with:
– Letter of the Law approaches
– Increased use of RAI and risk-based approaches
– Holistic approaches
• Compliance
– Know relevant regulations
– Understand specifics
– Represents the base
• Cyber
– Beyond scope of specific compliance
– Cyber risks to reliable delivery of energy
– Cyber risks to the organization
• Controls
– Identify
– Rationalize
– Ownership
– Map to risk
• Resiliency
– Not all risk will be addressed
– Organization incident & event response
Advantages of the Holistic Approach
• More compelling “Compliance Story”
• Greater consistency through regulatory changes
• Reduces risk
• Increases efficiency
• Closer alignment with regulatory direction
– Potentially decreases regulatory burden
How Holistic Approach Supports RAI (and more)
• Both based on internal control approaches
– Preventative, Detective, Corrective
• Ties directly to “Internal Controls Evaluation” (ICE)
• Generates audit-ready evidence
• Supports zero-fine paths:
– Find Fix Track (FFT) / Compliance Exception / Self Logging
Implementing the Strategy
• Prepare for change
• Create a cross-functional team
• Determine a solid baseline
– “Knowing yourself is the beginning of all wisdom.” - Aristotle
• Analyze risk
• Set your goals
• Implement controls & a controls-based program
– “Regurgitating the Requirement language does not constitute developing a program, process, or procedure.” - WECC
Example – Critical Data
• COMPLIANCE – CIP-011-1, HIPAA, DHS, etc.
• CYBER – Impact of sensitive information being exposed
• CONTROLS – Data Classification & Credentials (P), Access Alerting Mechanism (D), Event Driven SLA (C)
• RESILIENCY – Execution of what’s been stated in the SLA
Example – CIP-004-5 R4.1 (Access Management)
• COMPLIANCE – [A “need based” authorization process for Electronic Access, Physical Access, and Critical Information]*
• CYBER – Not just BES Cyber System components
• CONTROLS – Onboarding / Offboarding process (P), Log review of unauthorized access attempts (D), Access revocation & password change protocols (C)
• RESILIENCY – What happens when unauthorized use is detected?
* Paraphrased
Program Upgrade Considerations
• Upgrading the program is an opportunity to:
– Implement controls
– Automate
– Utilize tools to manage & report compliance, and to monitor & automate responses
• Establish CIP Policies & Procedures
– With Periodic Review & Approval
• Periodic/Scheduled Activities
– Collect Log files, Review Security Patches, Access Review, etc…
• Asset & Change Management
– BES Cyber Systems, Cyber Assets, Security Perimeters, Asset Groups
• Access Management
– Users, Access Roles
• Mitigation Plans
– EUEM Corrective Action Process
NERC CIP v5 and Beyond Standards
AssurX CIP Solution
• Data model entities: User, Access Role, Cyber Asset, Asset Group, Security Perimeter, System (relationship: Has Access To)
• AssurX CIP Change Request
• AssurX CIP Baseline
• AssurX CIP Access Change Request
Tripwire Has Been Providing NERC CIP Security and Compliance since the first CIP Requirements in 2007
The Goal: Identify secure configurations of all High and Medium Cyber Assets (“80% benchmarks”)
• Continuous security configuration management
• Understands changes – controls “drift”, continuously
• Monitors your attack surface
• Detects threats in real time and enables fast response
• Lower costs, greater efficiency
NERC Solution – Whitelist Profiling
“The Responsible Entity shall establish, document and implement a process to ensure that only those ports and services required for normal and emergency operations are enabled.”
• Document every port and active service on every BCA, with justification, confirm regularly, and be able to prove it
• Tripwire customized solution: “Whitelist Profiler” approach
– Capture the port/services list once in a .csv file, including asset tags and discrete names
– Tripwire agent downloads the file and applies it to its local system
– Use an element content report to document port/service state on every monitored host
– Use a custom policy test to monitor continuously, display on a dashboard and provide alerts
Example of Tripwire Solution Extensions
• Used for CIP-007 (Ports & Services), CIP-007 (Patch Levels) and CIP-003 (Access Privileges)
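The whitelist-profiler approach described above reduces to three steps: keep an approved ports/services list with justification, collect what is actually listening on each host, and compare the two so that drift raises an alert while everything else becomes evidence. The script below is an added example of that comparison and is not Tripwire's code; the CSV columns, the host names and the observed port lists are constructed assumptions standing in for the agent's real collection.

```python
"""Added example (not Tripwire's code): a whitelist-profiler style check
for CIP-007 ports and services. The approved list is a CSV carrying the
asset tag, host, discrete service name and justification; the observed
listening ports of each host are compared against it. Both the whitelist
and the observations below are constructed sample data."""
import csv
import io
from collections import namedtuple

Finding = namedtuple("Finding", "host port proto status detail")

# Constructed whitelist; in the slide's design each agent downloads this file.
WHITELIST_CSV = """asset_tag,host,proto,port,service,justification
Medium,ems-app-01,tcp,22,sshd,Administrative access from jump host
Medium,ems-app-01,tcp,443,ems-web,Operator HMI
Medium,ems-app-01,tcp,5432,postgres,Historian replication
High,rtu-01,tcp,102,iec61850-mms,Protection relay polling
"""

# Constructed observation, as an agent would collect it from the local host.
OBSERVED = {
    "ems-app-01": [("tcp", 22, "sshd"), ("tcp", 443, "ems-web"),
                   ("tcp", 8080, "tomcat"), ("udp", 161, "snmpd")],
    "rtu-01": [("tcp", 102, "iec61850-mms")],
}


def load_whitelist(text: str) -> dict:
    """Parse the CSV into {host: {(proto, port): row}}; reject malformed ports."""
    approved = {}
    for row in csv.DictReader(io.StringIO(text)):
        port = int(row["port"])
        if not 0 < port < 65536:
            raise ValueError(f"bad port in whitelist: {row}")
        approved.setdefault(row["host"], {})[(row["proto"].lower(), port)] = row
    return approved


def profile_host(host: str, observed: list, approved: dict) -> list:
    """One Finding per port: 'approved', 'unapproved' (drift) or 'missing'
    (approved but not listening, which is worth knowing at review time)."""
    allowed = approved.get(host, {})
    seen = set()
    findings = []
    for proto, port, svc in observed:
        key = (proto.lower(), port)
        seen.add(key)
        if key in allowed:
            findings.append(Finding(host, port, proto, "approved",
                                    allowed[key]["justification"]))
        else:
            findings.append(Finding(host, port, proto, "unapproved",
                                    f"{svc} listening without documented need"))
    for key, row in allowed.items():
        if key not in seen:
            findings.append(Finding(host, key[1], key[0], "missing",
                                    f"{row['service']} approved but not listening"))
    return findings


def drift(findings: list) -> list:
    """The subset that should raise a dashboard alert."""
    return [f for f in findings if f.status == "unapproved"]


def evidence_lines(findings: list) -> list:
    """Audit-ready evidence, one line per port, in the order found."""
    return [f"{f.host} {f.proto}/{f.port} {f.status}: {f.detail}" for f in findings]


if __name__ == "__main__":
    wl = load_whitelist(WHITELIST_CSV)
    for h, obs in OBSERVED.items():
        print("\n".join(evidence_lines(profile_host(h, obs, wl))))
```

Running the script prints the full per-host evidence; `drift` is what a continuous policy test would feed to alerting, while `evidence_lines` is the element-content-report equivalent an auditor can be shown.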
Tripwire NERC Solution Suite – Key Benefits
(Diagram labels: Tripwire Enterprise Server, File Systems)
• Collect current status & changes on all critical cyber assets
• Analyze security data and alert on suspicious events
• Generate reports and dashboards that document compliance
wide range of device and software inventory, and can be asset tagged for High/Medium/Low Impact Cyber Assets
Tips for Holistic Cyber Program Implementation
• Remember - Not a “Silver Bullet” to solve compliance
• Start with and document what you have
• Leverage a recognized framework (COSO, NIST, ISO27k)
• Institutionalize a corrective action process
• Identify accountable parties / communication paths
• Prevent atrophy with regular evaluation of the program
Pitfalls to Avoid
• Don’t try to ELIMINATE risk – Diminishing returns
– A company can spend a lot and never reach a 100% level of risk assurance
– Objective is to lower risk
• Don’t add controls for the sake of adding controls – More controls is not always better
– Tailor the controls to the risks and address the higher-risk items
• Don’t identify controls without control owners & performers identified
Questions to ask
• What are our greatest areas of risk?
• Does our company already have an internal controls program?
• Are our controls defined & documented anywhere?
• What basis / framework did we use for our controls?
• How often are our controls reviewed / tested?
• How much is enough? How much is too much?
• Do we consider resiliency?
Example of an End State
• Manage – Holistic corporate controls framework covers multiple areas of business risk (including NERC)
• Maintain – Ongoing operation of internal controls will ensure that compliance is maintained
• Improve – Reviewing & revising steps to ensure internal controls are effective will continuously improve the compliance efforts
– Corrective actions taken as a result of ongoing monitoring of the control environment will improve the overall risk profile
Join Us in Houston March 25-26 for a Free 1.5-Day Workshop
• FBI cybersecurity experts will brief us on the current attack landscape on energy Critical Infrastructure, and what you can do about it.
• Sam Visner, ICF’s Senior Vice President and General Manager, Cybersecurity, is former Chief of Signals Intelligence Programs at the NSA and adjunct professor at Georgetown University. Sam will discuss how “the sky is falling” thinking can give way to reasoned, useful, and appropriate investments in cybersecurity as a national imperative.
• You’ll receive in-depth practical “How Tos” to shorten your audit preparation, save time and costs, and build a “business as usual” culture for security
• Compliance Workshop (Limit 40 attendees), CE credit available
• URL: https://tripwirenercworkshop.eventbrite.com