Slide 1

Transcript Slide 1

Are you collecting the right data for the NERC auditors?

About Industrial Defender, Inc.

17-years of real-time process control/SCADA industry experience Over 100 Employees Proven Track Record with over 350 Customers Leader of complete “Risk Prevention Lifecycle” solution targeted at Critical Infrastructure Process Control/SCADA domain.

Designed Security Offering from production environment up to Enterprise vs. Enterprise down Acquired Teltone, Inc in June 2008 • Added secure remote authentication to Defense-in-Depth solution Headquartered in Foxborough, MA with offices in: • Metairie, LA - Calgary, AB Canada - London, United Kingdom - Bothell, WA Leader in Cyber Risk Protection™ and Global Threat Intelligence specifically for Electric Power, Water, Oil & Gas, Transportation & Chemical Industries

Industrial Defender Track-Record

Over 100 Vulnerability Assessments/Penetration Testing/Red Team Testing/Compliance Gap Analysis/Training Over 5,800 SEM/NIDS/HIDS Over 800 Remote Access/Authentication Over 3,000 Dial-Up Substation Solutions 170 Plants in 21-Countries; Over 350 Firewalls Configured, Managed & Monitored

Industry Leading Cyber Risk Protection Lifecycle™ Offering

Are you ready for your NERC CIP audit?

Spot audits are finding reportable issues Accurate documentation and data for a successful audit is a challenge Attestation is impossible if your not collecting the right information Auditors will not think it is funny if you just drop a big pile of documents on their laps Having all your CCA logs is not enough – you must demonstrate that you are “Bill, the NERC auditor is here to review your logs….” reviewing them

FERC Order 693

3. We require that NERC and Regional Entities

“base their compliance audit processes in the U.S. on professional auditing standards recognized in the U.S., such as Generally Accepted Accounting Standards, Generally Accepted Government Auditing Standards, and standards sanctioned by the Institute of Internal Auditors.”

“You must think like an auditor and know what an auditor knows to be successful in this process” 1 Baker and Tilly 1Introduction to Audit Principles and Techniques Carol Arneson and Russ Hissom Baker Tilly Virchow Krause September 1, 2009

Some Government updates

Five competing bills in House & Senate that address the need for further/tighter regulations Until Obama appoints a cyber czar it is unlikely new legislation will pass – Health Care and Climate control are top priority FERC is pushing to include every asset as CCA NERC CIP 3 – will look at CCA again from a BES reliability impact point of view Will likely look to make an example out of a big utility

Monitoring EMS security

Typical EMS System Diagram

Access control logging requirements

CIP-005 Electronic Security, Requirement 3 - Monitoring Electronic Access • • 24x7 Monitoring Alerting on unauthorized access – if feasible • Manual review of logs at least every 90 days CIP-005 Electronic Security, Requirement 5 - Access Log Retention • Retain logs for minimum of 90 days

Physical Security

CIP-006 Physical Security, Requirement 3 - Monitoring Physical Access • 24x7 Monitoring CIP-006 Physical Security, Requirement 4 - Logging Physical Access • Computerized logging, Video Logging or Manual Logging CIP-006 Physical Security, Requirement 5 - Access Log Retention • Retain logs for minimum of 90 days Physical security monitoring is typically outside of EMS operation group

Physical Security

• • • • • Physical access to critical cyber assets must be monitored 24 x 7 Monitoring consists of detecting access and creating alerts or alarms as appropriate. An I/O processor and/or communications processor within each physical security perimeter can be used to collect, record, and report all physical security activity. Each record should include the name of the device, name of the detected activity, and the time of activity with accuracy to the millisecond.

Physical access monitoring must be performed for access points into physical security perimeters and for specialized perimeters within physical security perimeters, which include, but are not limited to: Substation control house System administrator console location Engineering access console locations Storage location of mobile engineering access laptops Server rooms • • • • • Media and tape storage locations Data centers and modem pools locations Telecommunications closets Jurisdiction control handles Operational status control handle

Security Status monitoring

CIP-007 Systems Security Management, Requirement 6 Security Status Monitoring • •

Alert on cyber security events

Retain logs for minimum of 90 days CIP-008 Incident Reporting and Response Planning, Requirement 2 - Cyber Security Incident Documentation • Retain relevant documentation related to reportable incidents for 3 years

Logging

Collect all CCA logs and events to a central event collector Monitor: • • • • • • • Servers Applications, Databases Workstations, HMIs FEPs Gateways, RTUs, IEDs Routers, Switches Firewall, Access control, VPN Analyze logs looking for events of interest like: • • • • Unauthorized access Failed Logins System changes Root Users

System Security

Log monitoring is the key but… • It’s difficult to configure, manage and keep systems up to date • OPEX verses CAPEX Log monitoring is difficult • It’s boring • • • It’s hard to develop and maintain skills Many devices do not provide logs It’s a 24x7 job Consider outsourcing to MSSP

There are many ways to get the job done…

NERC CIP only provides requirements, it does not prescribe solutions, or specific recommendations…

No Silver bullets

Many open source & home grown security solutions Swatch Snare Syslog NG Splunk Shell Scripts Kiwi LogView4Net Flow tools Countless commercial solutions People who have built their own solutions now face the maintenance burden

Central Logging to a SEM

Ten reasons to invest in a SEM

Ability consolidate your logging in one place Have your logs in a separated environment for log integrity (i.e., they cannot be tampered with) Meet many compliance and audit objectives A quality SEM can correlate events from multiple device sources and provide alerts SEMs provide a better understanding of your security environment because it can accept events from various device sources.

Adds to the principal of “defense in depth” – it is another layer of defense Allows an administrator to monitor only the most important events and ignore the noise Automation of threat identification – via email, pager, or external ticketing system Reporting of logs and events across multiple device types Creates a history of log events for forensic reconstruction

Finding that event of interest is hard – if done manually

What events are interesting?

Just logging is not enough You either must manually review logs or automate Having a baseline of your system is key Look for anything that is not normal or not expected on the system Document your actions and activity Top Five from SANS • Attempts to gain access through existing accounts • • Failed file or resource access attempts Unauthorized changes to users, groups, and services • • Systems most vulnerable to attack Suspicious or unauthorized network traffic patterns

Example of setting up IDS alert priority for EMS

24 config classification: attempted-dos, Attempted Denial of Service Activity which should not ever be seen on control system network. Any alerts should be investigated at a high priority © 2009 Industrial Defender All rights reserved

Are you ready?

NERC CIP readiness • Will you be able to produce attestation for the auditors in the required time frame?

• How do you demonstrate that you’ve reviewed logs?

• How do you know you’ve collected the logs you need, and that none have been lost?

• How many people do you have administering NERC CIP?

• How long does it take you to prepare for an audit?

• How can you be sure you’ll pass the audit?

• Have you had a 3 rd party check your readiness?

• How do you expect to be affected by NERC CIP 3?

Ongoing system management • What happens if your internal NERC CIP resources leave/transfer?

• What are you doing for change management of the control system?

• What are you doing for patch management of the control system? • What are you doing for configuration management of the control system?

• What are you doing for asset management of the control system?

Timely access to information is vital…

Most of us would never wait 3 weeks to check our email, yet do we ever check our critical cyber asset logs?

Contact Information

Walter Sikora VP, Security Solutions Industrial Defender, Inc.

[email protected]

(office) +1.508.718.6706

(mobile) +1.508.369.5649

(fax) +1.508.718.6701

Thank You

www.industrialdefender.com

Slide 1

Transcript Slide 1

Are you collecting the right data for the NERC auditors?

About Industrial Defender, Inc.

Industrial Defender Track-Record

Are you ready for your NERC CIP audit?

FERC Order 693

Some Government updates

Monitoring EMS security

Typical EMS System Diagram

Access control logging requirements

Physical Security

Physical Security

Security Status monitoring

Logging

System Security

There are many ways to get the job done…

NERC CIP only provides requirements, it does not prescribe solutions, or specific recommendations…

No Silver bullets

Central Logging to a SEM

Ten reasons to invest in a SEM

Finding that event of interest is hard – if done manually

What events are interesting?

Example of setting up IDS alert priority for EMS

Are you ready?

Timely access to information is vital…

Contact Information

Walter Sikora VP, Security Solutions Industrial Defender, Inc.

[email protected]

(office) +1.508.718.6706

(mobile) +1.508.369.5649

(fax) +1.508.718.6701

Thank You

Directory