B-6 Establishing a Cyber Security Program to Meet ... - IEEE REPC


Cyber Security

A Program to Meet NERC CIP Requirements

May 17, 2010

Rick Dakin
Coalfire Systems
CEO and Co-founder


Agenda

The fastest 30 minutes in cyber security history


Introductions


The Threat


NERC CIP Requirements


CIP Program Rollout


Cyber Security Program Strategy


Questions


Coalfire Overview

Clients include Fortune 100, retail, government, education, financial, healthcare, and utilities

Offices in Denver, Seattle, NYC, Dallas and San Diego, with over 40 full-time IT auditors

Security, governance, compliance management, audit

GLBA, SOX, PCI, HIPAA, SAS 70 & NERC CIP

Application security: PA-DSS certification, code audits, penetration testing, SDL development

Solutions: policy development, data classification, control management, incident response, etc.

Practice areas: risk and vulnerability assessment, e-discovery and forensic analysis

IT Audit and Compliance Management

Regulatory Backdrop

1970-1980

1980-1990
  Computer Security Act of 1987

1990-2000
  EU Data Protection
  HIPAA
  FDA 21 CFR Part 11
  C-6 (Canada)
  GLBA

2000 to present
  COPPA
  USA Patriot Act 2001
  EC Data Privacy Directive
  CLERP 9
  CAN-SPAM Act
  FISMA
  Sarbanes-Oxley (SOX)
  CIPA 2002
  Basel II
  NERC CIP
  HITECH
  Payment Card Industry (PCI)
  California Individual Privacy SB1386
  Other State Privacy Laws

The regulatory environment is a new challenge for IT professionals

Why Protect Infrastructure?

Strategic Barriers

'Smart Grid' may be vulnerable to hackers

By Jeanne Meserve, CNN Homeland Security Correspondent

UPDATED: 08:44 PM EDT 03.21.09

WASHINGTON (CNN)

Is it really so smart to forge ahead with the high technology, digitally based electricity distribution and transmission system known as the "Smart Grid"? Tests have shown that a hacker can break into the system, and cyber security experts said a massive blackout could result.

Until the United States eliminates the Smart Grid's vulnerabilities, some experts said, deployment should proceed slowly.

"I think we are putting the cart before the horse here to get this stuff rolled out very fast," said Ed Skoudis, a co-founder of InGuardians, a network security research and consulting firm.


Trends

The Risk is Growing

Cyber attacks are increasing

The deployment of IP networks in critical infrastructure is growing

Legacy systems deployed in critical systems only change every 5 to 12 years ... and were never designed to be secure

The workforce is aging and will require re-training to modify processes and controls

Control vendors are late contributors to cyber security plans. There are no industry standards for secure systems development for critical infrastructure



CIP Overview

The North American Electric Reliability Corporation (NERC) Standards CIP-002 through CIP-009 provide a cyber security framework for the identification and protection of Critical Cyber Assets to support reliable operation of the Bulk Electric System. Effective December 2009, most operators must comply with the following requirements.

CIP Requirement   Controls
CIP-002           Critical Cyber Asset Identification
CIP-003           Security Management Controls
CIP-004           Personnel Security and Training
CIP-005           Electronic Security Perimeter
CIP-006           Physical Security
CIP-007           Systems Security Management
CIP-008           Incident Reporting and Response Planning
CIP-009           Recovery Plans for Critical Cyber Assets

CIP Updates

Oversight of cyber security at U.S. commercial nuclear power plants will be divided between the NRC and the NERC

CIP version 2 takes force in April 2010 and increases "strictness"

Removal of the terms "reasonable business judgment" and "acceptance of risk"

Training and Personnel Risk Assessments must be performed prior to granting access to authorized personnel

Delegations must be specifically documented with areas of responsibility and approved by the designated Senior Manager

Levels of Non-Compliance replaced with Violation Severity Levels and Violation Risk Factors

Future CIP versions look to introduce more alignment with best practice standards such as NIST




Slow Adoption

FERC: Bringing down the Hammer

Budget increase of over $17M to make reliability of the electric transmission grid and enforcement of NERC Standards a priority in 2011

Planning for an average of 100 violations each month in 2011

Strong response to NERC Technical Feasibility Exception (TFE) rules, including a mandate that all mitigating controls be equivalent to the strict original control intent

Severely limited any safe harbor absent exceptional circumstances

May 4th, 2010: Michael Assante resigns as CSO of NERC

Growing the Grid

The Energy Independence and Security Act of 2007 established the Smart Grid program, which mandates two-way flow of electricity and information with the end user

NISTIR 7628, Smart Grid Cyber Security Strategy and Requirements (draft), addresses:

  Bottom-up risk-based assessment
  Privacy concerns
  Vulnerability class analysis

Takes the threat to the end user: what's the difference between shutting down the plant and conducting an Energy Denial of Service attack against the consumer?


CIP Program Approach

Compliance Management Program (lifecycle phases)

Risk Assessment
  Asset inventory
  Risk assessment
  Control selection
  Gap analysis
  Remediation roadmap

Control Design
  Define system boundaries
  Control design
  Documentation
  User testing
  Policies, plans

Deploy and Operate
  Guidelines
  Control deployment
  Control operation
  Operations monitoring and reporting
  Training

Measure and Report
  Program design
  Establish metrics
  Control testing
  Develop compliance portal
  Online support

21 Steps to Improve Cyber Security

1. Identify all connections to SCADA networks
2. Disconnect unnecessary connections
3. Strengthen the security of remaining connections
4. Harden SCADA networks
5. Do not rely on proprietary protocols
6. Implement the security features provided by vendors
7. Establish strong controls over media
8. Implement internal and external intrusion detection systems
9. Perform technical audits of SCADA devices and networks
10. Assess remote sites connected to the SCADA network
11. Identify and evaluate possible attack scenarios
12. Clearly define cyber security roles and responsibilities
13. Document network architecture
14. Establish a risk management process
15. Establish a "defense-in-depth" security program
16. Clearly identify cyber security requirements
17. Establish configuration management processes
18. Conduct routine self-assessments
19. Establish a disaster recovery plan
20. Establish program accountability
21. Establish policies and provide training

Source: The President's Critical Infrastructure Protection Board

Segment SCADA Network

Top 5 Risk Mitigation Steps

1. Segment SCADA systems (diagram system boundaries)
2. Test segmentation of SCADA systems (do not rely on proprietary protocols)
3. Restrict remote access
4. Contact your system vendor for secure configuration and operations guides
5. Develop a good incident response plan
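The first three of the 21 steps (identify every connection to the SCADA network, disconnect the unnecessary ones, strengthen the rest) and the first three risk mitigation steps (segment, test the segmentation, restrict remote access) reduce to one auditable check: every flow that crosses the Electronic Security Perimeter must match a documented access point, and anything else is a finding. The Python script below is an added example and is not part of the presentation or of Coalfire's or NERC's material; the zone address ranges, the ESP access list, the control-protocol port table and the flow records are all constructed for illustration.

```python
"""Audit connection records against a documented Electronic Security
Perimeter (ESP) access list.

Added example only: not code from the presentation or from Coalfire/NERC.
Zones, address ranges, the access list, the port table and the flow
records below are all constructed for illustration."""
import ipaddress
from collections import namedtuple

# Assumed zone layout (hypothetical addresses).
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "dmz":       ipaddress.ip_network("10.20.0.0/24"),
    "scada":     ipaddress.ip_network("192.168.100.0/24"),  # inside the ESP
}

# Documented ESP access points (assumed): (src_zone, dst_zone, dst_port, proto).
# Under a default-deny perimeter these are the only crossings that may exist.
ESP_ACCESS_LIST = {
    ("dmz", "scada", 3389, "tcp"),   # jump host RDP into the HMI
    ("scada", "dmz", 514, "udp"),    # syslog out to the collector
}

# Well-known control-protocol ports, used only to label findings.
CONTROL_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 102: "ISO-TSAP (S7)",
                 44818: "EtherNet/IP"}

Flow = namedtuple("Flow", "src dst dport proto")

def zone_of(ip):
    """Map an address to a zone name; anything unlisted (e.g. Internet) is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def classify(flow):
    """Return (crosses_esp, documented, note) for one flow."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    crosses = (src_zone == "scada") != (dst_zone == "scada")
    if not crosses:
        return False, True, "does not cross the ESP"
    if (src_zone, dst_zone, flow.dport, flow.proto) in ESP_ACCESS_LIST:
        return True, True, "documented access point"
    if src_zone == "external":
        return True, False, f"undocumented remote access into ESP on {flow.dport}/{flow.proto}"
    label = CONTROL_PORTS.get(flow.dport, f"{flow.dport}/{flow.proto}")
    return True, False, f"undocumented {src_zone}->{dst_zone} {label}"

def audit(flows):
    """Return (flow, note) for every crossing that is not on the access list.
    Step 1 is the enumeration of crossings; each finding is a candidate for
    step 2 (disconnect) or step 3 (move behind a documented access point)."""
    return [(f, note) for f in flows
            for crosses, documented, note in [classify(f)]
            if crosses and not documented]

def crossings(flows):
    """All flows that cross the ESP, documented or not (the step-1 inventory)."""
    return [f for f in flows if classify(f)[0]]

# Constructed sample records; not captured from any real network.
SAMPLE_FLOWS = [
    Flow("10.20.0.5", "192.168.100.10", 3389, "tcp"),     # jump host -> HMI: documented
    Flow("192.168.100.10", "10.20.0.9", 514, "udp"),       # HMI -> syslog: documented
    Flow("10.10.4.22", "192.168.100.20", 502, "tcp"),      # desktop -> PLC: finding
    Flow("203.0.113.7", "192.168.100.10", 5900, "tcp"),    # Internet -> HMI VNC: finding
    Flow("192.168.100.20", "192.168.100.21", 502, "tcp"),  # PLC <-> PLC: inside ESP
    Flow("10.10.4.22", "10.10.4.23", 445, "tcp"),          # corporate SMB: outside ESP
]

if __name__ == "__main__":
    print(f"{len(crossings(SAMPLE_FLOWS))} flows cross the ESP")
    for f, note in audit(SAMPLE_FLOWS):
        print(f"FINDING {f.src} -> {f.dst}:{f.dport}/{f.proto}: {note}")
```

Run as-is it reports the two undocumented crossings (an engineering desktop talking Modbus straight to a PLC, and an external address reaching the HMI's VNC port). For a real assessment, replace SAMPLE_FLOWS with records exported from the perimeter firewall or a flow collector and ZONES/ESP_ACCESS_LIST with the documented ESP boundary; each finding is then either a CIP-005 documentation gap or a connection to disconnect, and re-running the script after the change is the segmentation test.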


References

Idaho National Labs: Vulnerabilities Report
http://www.controlsystemsroadmap.net/pdfs/INL_Common_Vulnerabilties.pdf

NIST SP 800-82
http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf

NERC: Top 10 Vulnerabilities of Control Systems
http://www.controlsystemsroadmap.net/pdfs/NERC_2007_Top_10.pdf

GAO Report on Continuing Security Weakness
http://www.controlsystemsroadmap.net/pdfs/GAO_2007_CS_Challenges_Remain.pdf

21 Steps to Improve SCADA System Security
http://www.controlsystemsroadmap.net/pdfs/21_steps_to_Improve_Cyber_Security_of_SCADA_Networks.pdf

Thank You

Rick Dakin
Rick.dakin@coalfiresystems.com
303.554.6333 ext 7001

Questions?