200 likes | 445 Views
Cyber Security A Program to Meet NERC CIP Requirements May 17, 2010 Rick Dakin Coalfire systems CEO and Co-founder . Agenda. The fastest 30 minutes in cyber security history Introductions The Threat NERC CIP Requirements CIP Program Rollout Cyber Security Program Strategy Questions.
E N D
Cyber Security A Program to Meet NERC CIP Requirements May 17, 2010 Rick Dakin Coalfire systems CEO and Co-founder
Agenda The fastest 30 minutes in cyber security history • Introductions • The Threat • NERC CIP Requirements • CIP Program Rollout • Cyber Security Program Strategy • Questions
Offices in Denver, Seattle, NYC, Dallas and San Diego) with over 40 full-time IT auditors Clients include Fortune 100, retail, government, education, financial, healthcare, and utilities Security, governance, compliance management, Audit – GLBA, SOX, PCI, HIPAA, SAS 70 & NERC CIP Practice areas: risk and vulnerability assessment, e-discovery and forensic analysis Solutions: policy development, data classification, control management, incident response, etc. Application security: PA-DSS certification, code audits, penetration testing, SDL development Coalfire Overview IT Audit and Compliance Management
Regulatory Backdrop Regulatory Environment is a New Challenge for IT Professionals 2000 to Present 1970-1980 • COPPA • USA Patriot Act 2001 • EC Data Privacy Directive • CLERP 9 • CAN-SPAM Act • FISMA • Sarbanes Oxley (SOX) • CIPA 2002 • Basel II • NERC CIP • HITECH • Payment Card Industry (PCI) • California Individual Privacy SB1386 • Other State Privacy Laws 1990-2000 1980-1990 • EU Data Protection • HIPAA • FDA 21CFR Part 11 • C6-Canada • GLBA • Computer Security Act of 1987 4
Strategic Barriers 'Smart Grid' may be vulnerable to hackersBy Jeanne Meserve CNN Homeland Security Correspondent UPDATED: 08:44 PM EDT 03.21.09 WASHINGTON (CNN) Is it really so smart to forge ahead with the high technology, digitally based electricity distribution and transmission system known as the "Smart Grid"? Tests have shown that a hacker can break into the system, and cyber security experts said a massive blackout could result.Until the United States eliminates the Smart Grid's vulnerabilities, some experts said, deployment should proceed slowly."I think we are putting the cart before the horse here to get this stuff rolled out very fast," said Ed Skoudis, a co-founder of InGuardians, a network security research and consulting firm.
Trends – The Risk is Growing • Cyber attacks are increasing • The deployment of IP networks in critical infrastructure is growing • Legacy systems deployed in critical systems only change every 5 – 12 years ….. and, were never designed to be secure • The workforce is aging and will require re-training to modify processes and controls • Control vendors are late contributors to cyber security plans. There are not industry standards for secure systems development for Critical Infrastructure
CIP Overview The North American Reliability Corporation (NERC) Standards CIP-002 through CIP-009 provide a cyber security framework for the identification and protection of Critical Cyber Assets to support reliable operation of the Bulk Electric System. Effective December 2009, most operators must comply with the following requirements.
CIP Updates • Oversight of cyber security at U.S. commercial nuclear power plants will be divided between the NRC and the NERC • CIP version 2 takes force in April 2010 and increases “strictness” • Removal of the terms “reasonable business judgment” and “acceptance of risk” • Training and Personnel Risk Assessments must be performed prior to granting access to authorized personnel • Delegations must be specifically documented with areas of responsibility and approved by the designated Senior Manager • Levels of Non-Compliance replaced with Violation Severity Levels and Violation Risk Factors • Future CIP versions look to introduce more alignment with best practice standards such as NIST 9
FERC – Bringing down the Hammer • Budget increase of over $17M to make reliability of the electric transmission grid—and enforcement of NERC Standards—a priority in 2011 • Planning for an average of 100 violations each month in 2011 • Strong response to NERC Technical Feasibility Exception (TFE) rules including mandate that all mitigating controls are equivalent to strict original control intent • Severely limited any safe harbor absent exceptional circumstances • May 4th, 2010 – Michael Assante resigns as CSO of NERC 11
Growing the Grid • The Energy Independence and Security Act of 2007 established the Smart Grid program which mandates two-way flow of electricity and information with the end user • NIST IR-7628: Smart Grid Cyber Security Strategy and Requirements drafted addresses: • Bottom-up Risk Based Assessment • Privacy Concerns • Vulnerability Class Analysis • Takes the threat to the end user: what’s the difference between shutting down the plant or conducting an Energy Denial of Service Attack against the consumer? 12
CIP Program Approach Risk Assessment • Asset Inventory • Risk Assessment • Control Selection • Gap Analysis • Remediation Roadmap Control Design • Define system boundaries • Control Design • Documentation • User Testing • Policies, Plans Risk Assessment Control Design Deploy and Operate Measure and Report Measure and Report • Program Design • Establish Metrics • Control testing • Develop Compliance Portal • Online Support Deploy and Operate • Guidelines • Control deployment • Control Operation • Operations Monitoring and Reporting • Training Compliance Management Program
21 Steps to Improve Cyber Security Source: The President’s Critical Infrastructure Protection Board
Top 5 Risk Mitigation Steps Segment SCADA systems (Diagram system boundaries) Test Segmentation of SCADA Systems (Do not rely on proprietary protocols) Restrict Remote Access Contact your System Vendor for Secure Configurations and Operations Guides Develop a good Incident Response Plan
References Idaho National Labs – Vulnerabilities Reporthttp://www.controlsystemsroadmap.net/pdfs/INL_Common_Vulnerabilties.pdf NIST SP 800-82http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf NERC - Top 10 Vulnerabilities of Control Systemshttp://www.controlsystemsroadmap.net/pdfs/NERC_2007_Top_10.pdf GAO Report on Continuing Security Weaknesshttp://www.controlsystemsroadmap.net/pdfs/GAO_2007_CS_Challenges_Remain.pdf 21 Steps to Improve SCADA System Securityhttp://www.controlsystemsroadmap.net/pdfs/21_steps_to_Improve_Cyber_Security_of_SCADA_Networks.pdf
Thank You Knowledge – Action = Negligence Questions? Rick Dakin Rick.dakin@coalfiresystems.com 303.554.6333 ext 7001