Transcript Slide 1
© 2009 Industrial Defender All rights reserved
Are you collecting the right data for the NERC auditors?
About Industrial Defender, Inc.
• 17 years of real-time process control/SCADA industry experience
• Over 100 employees
• Proven track record with over 350 customers
• Leader of a complete “Risk Prevention Lifecycle” solution targeted at the critical infrastructure process control/SCADA domain
• Security offering designed from the production environment up to the enterprise, rather than enterprise down
• Acquired Teltone, Inc. in June 2008, adding secure remote authentication to the Defense-in-Depth solution
• Headquartered in Foxborough, MA with offices in Metairie, LA; Calgary, AB, Canada; London, United Kingdom; Bothell, WA
• Leader in Cyber Risk Protection™ and Global Threat Intelligence specifically for the Electric Power, Water, Oil & Gas, Transportation and Chemical industries
• Passionate, focused and committed to the long-term strategy of being the global leader in SCADA/PCS cyber-risk protection
Industrial Defender Track-Record
• Over 100 vulnerability assessments / penetration tests / red team tests / compliance gap analyses / training engagements
• Over 5,800 SEM/NIDS/HIDS
• Over 800 remote access/authentication
• Over 3,000 dial-up substation solutions
• 170 plants in 21 countries; over 350 firewalls configured, managed and monitored
Industry Leading Cyber Risk Protection Lifecycle™ Offering
Electric Power Industry Customers
Are you ready for your NERC CIP audit?
• Spot audits are finding reportable issues
• Accurate documentation and data for a successful audit is a challenge
• Attestation is impossible if you’re not collecting the right information
• Auditors will not think it is funny if you just drop a big pile of documents in their laps
• Having all your CCA logs is not enough; you must demonstrate that you are reviewing them
(Cartoon caption: “Bill, the NERC auditor is here to review your logs….”)
FERC Order 693
3. We require that NERC and Regional Entities “base their compliance audit processes in the U.S. on professional auditing standards recognized in the U.S., such as Generally Accepted Accounting Standards, Generally Accepted Government Auditing Standards, and standards sanctioned by the Institute of Internal Auditors.”
“You must think like an auditor and know what an auditor knows to be successful in this process” [1]
[1] Carol Arneson and Russ Hissom, Introduction to Audit Principles and Techniques, Baker Tilly Virchow Krause, September 1, 2009
Some Government updates
• Five competing bills in the House and Senate address the need for further/tighter regulation
• Until Obama appoints a cyber czar it is unlikely new legislation will pass; health care and climate legislation are the top priority
• FERC is pushing to include every asset as a CCA
• NERC CIP version 3 will look at CCAs again from a BES reliability impact point of view
• Will likely look to make an example out of a big utility
Monitoring EMS security
Typical EMS System Diagram
Access control logging requirements
CIP-005 Electronic Security Perimeter(s), Requirement 3 - Monitoring Electronic Access
• 24x7 monitoring
• Alerting on attempted or actual unauthorized access, where technically feasible
• Where alerting is not feasible, manual review of access logs at least every 90 days
CIP-005 Electronic Security Perimeter(s), Requirement 5 - Access Log Retention
• Retain electronic access logs for a minimum of 90 days
Physical Security
CIP-006 Physical Security, Requirement 3 - Monitoring Physical Access
• 24x7 monitoring
CIP-006 Physical Security, Requirement 4 - Logging Physical Access
• Computerized logging, video logging or manual logging
CIP-006 Physical Security, Requirement 5 - Access Log Retention
• Retain logs for a minimum of 90 days
Physical security monitoring is typically outside of the EMS operations group
Physical Security
• Physical access to critical cyber assets must be monitored 24x7
• Monitoring consists of detecting access and creating alerts or alarms as appropriate
• An I/O processor and/or communications processor within each physical security perimeter can be used to collect, record, and report all physical security activity
• Each record should include the name of the device, the name of the detected activity, and the time of the activity with accuracy to the millisecond
• Physical access monitoring must be performed for access points into physical security perimeters and for specialized perimeters within physical security perimeters, which include, but are not limited to:
  • Substation control house
  • System administrator console location
  • Engineering access console locations
  • Storage location of mobile engineering access laptops
  • Server rooms
  • Media and tape storage locations
  • Data centers and modem pool locations
  • Telecommunications closets
  • Jurisdiction control handles
  • Operational status control handles
Security Status monitoring
CIP-007 Systems Security Management, Requirement 6 - Security Status Monitoring
• Alert on cyber security events
• Retain logs for a minimum of 90 days
CIP-008 Incident Reporting and Response Planning, Requirement 2 - Cyber Security Incident Documentation
• Retain relevant documentation related to reportable incidents for 3 years
Logging
Collect all CCA logs and events to a central event collector
Monitor:
• Servers
• Applications, databases
• Workstations, HMIs
• FEPs
• Gateways, RTUs, IEDs
• Routers, switches
• Firewalls, access control, VPN
Analyze logs looking for events of interest like:
• Unauthorized access
• Failed logins
• System changes
• Root users
System Security
Log monitoring is the key but…
• It’s difficult to configure, manage and keep systems up to date
• OPEX versus CAPEX
Log monitoring is difficult
• It’s boring
• It’s hard to develop and maintain skills
• Many devices do not provide logs
• It’s a 24x7 job
Consider outsourcing to an MSSP
There are many ways to get the job done…
NERC CIP only provides requirements, it does not prescribe solutions, or specific recommendations…
No Silver bullets
Many open source and home-grown security solutions:
• Swatch
• Snare
• Syslog-NG
• Splunk
• Shell scripts
• Kiwi
• LogView4Net
• Flow tools
Countless commercial solutions
People who have built their own solutions now face the maintenance burden
Central Logging to a SEM
Ten reasons to invest in a SEM
1. Ability to consolidate your logging in one place
2. Keep your logs in a separate environment for log integrity (i.e., an attacker on the monitored host cannot alter or delete what has already been forwarded)
3. Meet many compliance and audit objectives
4. A quality SEM can correlate events from multiple device sources and provide alerts
5. SEMs provide a better understanding of your security environment because they accept events from many kinds of devices
6. Adds to the principle of “defense in depth”; it is another layer of defense
7. Allows an administrator to monitor only the most important events and ignore the noise
8. Automation of threat notification via email, pager or an external ticketing system
9. Reporting of logs and events across multiple device types
10. Creates a history of log events for forensic reconstruction
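Reasons 2 and 10 above (logs the source host cannot tamper with, and a history that supports forensic reconstruction), together with the later “Are you ready?” questions about proving that none of the collected logs were lost and that someone actually reviewed them, come down to two properties of the collector: every stored event is bound to its predecessor by a hash, and every source’s sequence numbers are checked for gaps. The following Python sketch is an added example, not code from these slides or from Industrial Defender. It assumes each forwarding agent stamps its events with a per-source sequence number (an assumption; plain syslog carries none), and the `source`/`seq` field names, the review key and the sample events are all constructed.

```python
"""Tamper-evident, gap-detecting event store for a central log collector.
Added example; not code from the original slides or from Industrial
Defender.  Assumes each forwarding agent stamps its events with a
per-source sequence number (an assumption: plain syslog has none)."""
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64          # link hash of the (empty) chain head


def _digest(record):
    """SHA-256 over a canonical JSON encoding of the record."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


class Collector:
    """Append-only chain of events; lives on a host the CCAs cannot write to."""

    def __init__(self):
        self.chain = []         # entries: {"record": {...}, "hash": link hash}
        self.head = GENESIS     # hash of the last entry
        self.next_seq = {}      # source -> sequence number expected next
        self.gaps = []          # (source, first_missing, last_missing)
        self.replays = []       # (source, seq) seen out of order or twice

    def ingest(self, source, seq, message):
        expected = self.next_seq.get(source, seq)   # first event from a source sets the baseline
        if seq > expected:
            self.gaps.append((source, expected, seq - 1))   # events lost between agent and collector
        elif seq < expected:
            self.replays.append((source, seq))              # duplicate or replayed event
        self.next_seq[source] = max(expected, seq + 1)
        record = {"source": source, "seq": seq, "msg": message, "prev": self.head}
        entry = {"record": record, "hash": _digest(record)}
        self.chain.append(entry)
        self.head = entry["hash"]
        return self.head


def verify_chain(chain, expected_head=None):
    """Walk the chain; return (ok, index of first bad entry, or len(chain)).

    expected_head is the head hash recorded off-box (e.g. in the review
    record): a chain that was truncated still links correctly but ends
    at the wrong hash."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        rec = entry["record"]
        if rec["prev"] != prev or _digest(rec) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, len(chain)


def review_record(collector, reviewer, key):
    """Evidence that a human reviewed the chain: who, how far, and an HMAC
    over the head hash under a key (assumed) that is kept off the collector."""
    body = {"reviewer": reviewer, "entries": len(collector.chain), "head": collector.head,
            "gaps": collector.gaps, "replays": collector.replays}
    tag = hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def check_review(record, key):
    """Auditor-side check of a review record."""
    expected = hmac.new(key, json.dumps(record["body"], sort_keys=True).encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["tag"])


def run_demo():
    """Ingest constructed events, then show what tampering and loss look like."""
    c = Collector()
    events = [("ems-fep1", 1, "link up"), ("ems-fep1", 2, "poll ok"),
              ("ems-fep1", 3, "poll ok"), ("ems-fep1", 5, "config write"),   # seq 4 never arrived
              ("esp-fw1", 100, "deny 203.0.113.5 -> 10.10.0.20:22"),
              ("ems-fep1", 2, "poll ok")]                                     # replayed event
    for src, seq, msg in events:
        c.ingest(src, seq, msg)
    key = b"assumed-review-key"                      # assumption: held outside the collector
    rec = review_record(c, "W. Sikora", key)
    tampered = copy.deepcopy(c.chain)
    tampered[3]["record"]["msg"] = "poll ok"         # rewrite the config-write event
    truncated = c.chain[:-1]                         # drop the newest entry
    return {
        "gaps": c.gaps,
        "replays": c.replays,
        "intact": verify_chain(c.chain, rec["body"]["head"]),
        "tampered": verify_chain(tampered, rec["body"]["head"]),
        "truncated": verify_chain(truncated, rec["body"]["head"]),
        "review_ok": check_review(rec, key),
        "review_forged": check_review({"body": dict(rec["body"], entries=99), "tag": rec["tag"]}, key),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

An attacker who rewrites one stored event breaks that entry’s hash; one who also recomputes the hashes forward still cannot match the head recorded in the off-box review record, which is why that record (not the chain alone) is what you hand the auditor. The gap list is the answer to “how do you know none have been lost”: it is produced at ingest time, not reconstructed after the fact.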
Finding that event of interest is hard – if done manually
What events are interesting?
• Just logging is not enough
• You must either manually review logs or automate
• Having a baseline of your system is key
• Look for anything that is not normal or not expected on the system
• Document your actions and activity
Top five from SANS:
• Attempts to gain access through existing accounts
• Failed file or resource access attempts
• Unauthorized changes to users, groups, and services
• Systems most vulnerable to attack
• Suspicious or unauthorized network traffic patterns
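As an added example (not code from these slides or from Industrial Defender) tying the event categories on the “Logging” slide to the SANS list above: a small Python triage pass over constructed syslog lines from an EMS. The host names, the 10.10.0.0/24 Electronic Security Perimeter, the approved-root-user list and the failed-login threshold are all assumptions standing in for a site’s own baseline, which is the point of “having a baseline of your system is key”.

```python
"""Triage constructed control-system syslog lines for NERC CIP-style
events of interest.  Added example; not code from the original slides
or from Industrial Defender.  Baseline values below are assumptions."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed baseline: which sources may log in to CCAs and who may use root.
ESP_ALLOWED = [ip_network("10.10.0.0/24")]   # EMS LAN inside the ESP (assumption)
PRIVILEGED_OK = {"emsadmin"}                   # accounts approved for root (assumption)
FAILED_LOGIN_THRESHOLD = 5                     # failures per (host, user, source) before alerting

# Constructed sample events in syslog format (not from a real system).
SAMPLE_LOGS = """\
Mar 12 02:14:01 ems-scada1 sshd[4312]: Failed password for operator from 10.10.0.15 port 51322 ssh2
Mar 12 02:14:05 ems-scada1 sshd[4312]: Failed password for operator from 10.10.0.15 port 51322 ssh2
Mar 12 02:14:09 ems-scada1 sshd[4312]: Failed password for operator from 10.10.0.15 port 51322 ssh2
Mar 12 02:14:13 ems-scada1 sshd[4312]: Failed password for operator from 10.10.0.15 port 51322 ssh2
Mar 12 02:14:17 ems-scada1 sshd[4312]: Failed password for operator from 10.10.0.15 port 51322 ssh2
Mar 12 02:15:40 ems-scada1 sshd[4320]: Accepted password for emsadmin from 10.10.0.15 port 51400 ssh2
Mar 12 02:16:02 ems-scada1 su: (to root) emsadmin on pts/1
Mar 12 02:20:11 ems-fep1 sshd[2210]: Accepted publickey for vendor from 192.168.77.9 port 40022 ssh2
Mar 12 02:21:30 ems-fep1 su: (to root) vendor on pts/0
Mar 12 02:22:00 ems-fep1 useradd[2290]: new user: name=backdoor, UID=0, GID=0, home=/root, shell=/bin/sh
Mar 12 02:30:00 esp-fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.5/4444 dst ems:10.10.0.20/22 by access-group "outside_in"
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\S+?)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
SU_ROOT_RE = re.compile(r"\(to root\) (?P<user>\S+) on ")
USERADD_RE = re.compile(r"new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+)")
FW_DENY_RE = re.compile(r"Deny \w+ src \S+:(?P<src>[\d.]+)/\d+ dst \S+:(?P<dst>[\d.]+)/(?P<port>\d+)")


def inside_esp(src):
    """True if the source address belongs to an allowed network inside the ESP."""
    try:
        addr = ip_address(src)
    except ValueError:          # hostname or garbage: treat as outside the baseline
        return False
    return any(addr in net for net in ESP_ALLOWED)


def triage(log_text):
    """Return a list of alerts (dicts) for the events of interest in log_text."""
    alerts = []
    failed = Counter()
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:               # a line the collector cannot parse is itself worth a look
            alerts.append({"kind": "unparsed", "host": None, "detail": line})
            continue
        host, msg = m["host"], m["msg"]
        if (f := FAILED_RE.search(msg)):
            key = (host, f["user"], f["src"])
            failed[key] += 1
            if failed[key] == FAILED_LOGIN_THRESHOLD:     # alert once per burst
                alerts.append({"kind": "failed_logins", "host": host,
                               "detail": f"{failed[key]} failures for {f['user']} from {f['src']}"})
        elif (a := ACCEPTED_RE.search(msg)):
            if not inside_esp(a["src"]):                  # successful login from outside the ESP
                alerts.append({"kind": "unauthorized_access", "host": host,
                               "detail": f"{a['user']} logged in from {a['src']} (outside ESP)"})
        elif (s := SU_ROOT_RE.search(msg)):               # every root escalation is reviewed
            alerts.append({"kind": "root_user", "host": host,
                           "approved": s["user"] in PRIVILEGED_OK,
                           "detail": f"{s['user']} became root"})
        elif (u := USERADD_RE.search(msg)):               # account creation on a CCA is a system change
            alerts.append({"kind": "system_change", "host": host,
                           "detail": f"new account {u['name']} with UID {u['uid']}"})
        elif (d := FW_DENY_RE.search(msg)):               # blocked attempt at the ESP access point
            alerts.append({"kind": "esp_deny", "host": host,
                           "detail": f"{d['src']} -> {d['dst']}:{d['port']} denied"})
    return alerts


def summarize(alerts):
    """Count alerts by kind, e.g. for the 90-day review record."""
    return dict(Counter(a["kind"] for a in alerts))


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOGS):
        print(alert)
    print(summarize(triage(SAMPLE_LOGS)))
```

On the sample above this yields one failed-login burst, one login from outside the ESP (the vendor account), two root escalations of which only one is by an approved account, one new UID 0 account, and one firewall deny at the ESP. The unapproved root escalation followed by the UID 0 account on the same host is exactly the kind of pairing a SEM correlation rule should raise as a single incident rather than two lines in a report.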
Example of setting up IDS alert priority for EMS
config classification: attempted-dos, Attempted Denial of Service
Attempted denial-of-service activity should never be seen on a control system network, so any alert in this class should be investigated at high priority. In Snort the directive has the form “config classification: <name>,<description>,<priority>” with priority 1 the most urgent; the default classification.config assigns attempted-dos a priority of 2, so raising it to 1 on the EMS sensor puts these alerts at the top of the queue.
Are you ready?
NERC CIP readiness
• Will you be able to produce attestation for the auditors in the required time frame?
• How do you demonstrate that you’ve reviewed logs?
• How do you know you’ve collected the logs you need, and that none have been lost?
• How many people do you have administering NERC CIP?
• How long does it take you to prepare for an audit?
• How can you be sure you’ll pass the audit?
• Have you had a 3rd party check your readiness?
• How do you expect to be affected by NERC CIP version 3?
Ongoing system management
• What happens if your internal NERC CIP resources leave/transfer?
• What are you doing for change management of the control system?
• What are you doing for patch management of the control system?
• What are you doing for configuration management of the control system?
• What are you doing for asset management of the control system?
Timely access to information is vital…
Most of us would never wait 3 weeks to check our email, yet do we ever check our critical cyber asset logs?
Contact Information
Walter Sikora VP, Security Solutions Industrial Defender, Inc.
[email protected]
(office) +1.508.718.6706
(mobile) +1.508.369.5649
(fax) +1.508.718.6701
Thank You
www.industrialdefender.com