Are you collecting the right data for the NERC auditors?
About Industrial Defender, Inc.
• 17 years of real-time process control/SCADA industry experience
• Over 100 employees
• Proven track record with over 350 customers
• Leader of a complete “Risk Prevention Lifecycle” solution targeted at the Critical Infrastructure Process Control/SCADA domain
• Security offering designed from the production environment up to the Enterprise, rather than from the Enterprise down
• Acquired Teltone, Inc. in June 2008
  • Added secure remote authentication to the Defense-in-Depth solution
• Headquartered in Foxborough, MA, with offices in Metairie, LA; Calgary, AB, Canada; London, United Kingdom; Bothell, WA
• Leader in Cyber Risk Protection™ and Global Threat Intelligence specifically for the Electric Power, Water, Oil & Gas, Transportation and Chemical industries
Passionate, focused and committed to the long-term strategy of being the global leader in SCADA/PCS cyber-risk protection
Industrial Defender Track Record
• Over 100 vulnerability assessments / penetration tests / red team tests / compliance gap analyses / training engagements
• Over 5,800 SEM/NIDS/HIDS
• Over 800 remote access/authentication deployments
• Over 3,000 dial-up substation solutions
• 170 plants in 21 countries; over 350 firewalls configured, managed and monitored
• Industry-leading Cyber Risk Protection Lifecycle™ offering
Are you ready for your NERC CIP audit?
• Spot audits are finding reportable issues
• Producing accurate documentation and data for a successful audit is a challenge
• Attestation is impossible if you're not collecting the right information
• Auditors will not think it is funny if you just drop a big pile of documents in their laps
• Having all your CCA logs is not enough – you must demonstrate that you are reviewing them
“Bill, the NERC auditor is here to review your logs….”
FERC Order 693
• “You must think like an auditor and know what an auditor knows to be successful in this process”¹ (Baker Tilly)
• 3. We require that NERC and Regional Entities “base their compliance audit processes in the U.S. on professional auditing standards recognized in the U.S., such as Generally Accepted Accounting Standards, Generally Accepted Government Auditing Standards, and standards sanctioned by the Institute of Internal Auditors.”
¹ Introduction to Audit Principles and Techniques, Carol Arneson and Russ Hissom, Baker Tilly Virchow Krause, September 1, 2009
Some government updates
• Five competing bills in the House and Senate address the need for further/tighter regulations
• Until Obama appoints a cyber-czar it is unlikely new legislation will pass – Health Care and Climate control are the top priority
• FERC is pushing to include every asset as a CCA
• NERC CIP 3 will look at CCAs again from a BES reliability impact point of view
• Will likely look to make an example out of a big utility
Access control logging requirements
• CIP-005 Electronic Security, Requirement 3 – Monitoring Electronic Access
  • 24x7 monitoring
  • Alerting on unauthorized access – where technically feasible
  • Manual review of logs at least every 90 days
• CIP-005 Electronic Security, Requirement 5 – Access Log Retention
  • Retain logs for a minimum of 90 days
Physical Security
• CIP-006 Physical Security, Requirement 3 – Monitoring Physical Access
  • 24x7 monitoring
• CIP-006 Physical Security, Requirement 4 – Logging Physical Access
  • Computerized logging, video logging or manual logging
• CIP-006 Physical Security, Requirement 5 – Access Log Retention
  • Retain logs for a minimum of 90 days
Physical security monitoring is typically outside of the EMS operations group
Physical Security
• Physical access to critical cyber assets must be monitored 24x7
• Monitoring consists of detecting access and creating alerts or alarms as appropriate
• An I/O processor and/or communications processor within each physical security perimeter can be used to collect, record and report all physical security activity
• Each record should include the name of the device, the name of the detected activity, and the time of the activity with accuracy to the millisecond
• Physical access monitoring must be performed for access points into physical security perimeters and for specialized perimeters within physical security perimeters, which include, but are not limited to:
  • Substation control house
  • System administrator console location
  • Engineering access console locations
  • Storage location of mobile engineering access laptops
  • Server rooms
  • Media and tape storage locations
  • Data centers and modem pool locations
  • Telecommunications closets
  • Jurisdiction control handles
  • Operational status control handle
Security Status Monitoring
• CIP-007 Systems Security Management, Requirement 6 – Security Status Monitoring
  • Alert on cyber security events
  • Retain logs for a minimum of 90 days
• CIP-008 Incident Reporting and Response Planning, Requirement 2 – Cyber Security Incident Documentation
  • Retain relevant documentation related to reportable incidents for 3 years
Logging
• Collect all CCA logs and events to a central event collector
• Monitor:
  • Servers
  • Applications, databases
  • Workstations, HMIs
  • FEPs
  • Gateways, RTUs, IEDs
  • Routers, switches
  • Firewalls, access control, VPN
• Analyze logs looking for events of interest such as:
  • Unauthorized access
  • Failed logins
  • System changes
  • Root users
System Security
• Log monitoring is the key, but…
  • It's difficult to configure, manage and keep systems up to date
  • OPEX versus CAPEX
• Log monitoring is difficult
  • It's boring
  • It's hard to develop and maintain skills
  • Many devices do not provide logs
  • It's a 24x7 job
• Consider outsourcing to an MSSP
There are many ways to get the job done… NERC CIP only provides requirements, it does not prescribe solutions, or specific recommendations…
No silver bullets
• Many open source and home-grown security solutions:
  • Swatch
  • Snare
  • Syslog-NG
  • Splunk
  • Shell scripts
  • Kiwi
  • LogView4Net
  • Flow tools
• Countless commercial solutions
People who have built their own solutions now face the maintenance burden
Ten reasons to invest in a SEM
• Ability to consolidate your logging in one place
• Have your logs in a separate environment for log integrity (i.e., they cannot be tampered with)
• Meet many compliance and audit objectives
• A quality SEM can correlate events from multiple device sources and provide alerts
• SEMs provide a better understanding of your security environment because they accept events from various device sources
• Adds to the principle of “defense in depth” – it is another layer of defense
• Allows an administrator to monitor only the most important events and ignore the noise
• Automation of threat notification – via email, pager or external ticketing system
• Reporting of logs and events across multiple device types
• Creates a history of log events for forensic reconstruction
What events are interesting?
• Just logging is not enough
• You must either manually review logs or automate the review
• Having a baseline of your system is key
• Look for anything that is not normal or not expected on the system
• Document your actions and activity
• Top five from SANS:
  • Attempts to gain access through existing accounts
  • Failed file or resource access attempts
  • Unauthorized changes to users, groups and services
  • Systems most vulnerable to attack
  • Suspicious or unauthorized network traffic patterns
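The Logging and What-events-are-interesting slides describe bucketing CCA logs into failed logins, unauthorized access, system changes and root usage, and then documenting the review. The following is an added example, not part of the original deck or Industrial Defender's product: it runs those checks over a constructed syslog sample from a hypothetical EMS host and emits a review record with the next 90-day review date; the management subnet, host name and repeated-failure threshold are assumptions.

```python
import re
from collections import Counter
from datetime import date, timedelta
# Constructed sample syslog from a hypothetical EMS host "ems-srv01" (not real data).
SAMPLE_LOGS = """\
Sep 01 02:14:07 ems-srv01 sshd[4112]: Failed password for invalid user oracle from 10.10.20.7 port 51022 ssh2
Sep 01 02:14:09 ems-srv01 sshd[4112]: Failed password for invalid user oracle from 10.10.20.7 port 51024 ssh2
Sep 01 02:14:11 ems-srv01 sshd[4112]: Failed password for invalid user oracle from 10.10.20.7 port 51026 ssh2
Sep 01 08:05:44 ems-srv01 sshd[6003]: Accepted publickey for opsuser from 10.10.30.5 port 40110 ssh2
Sep 01 08:06:10 ems-srv01 sudo:  opsuser : TTY=pts/0 ; PWD=/home/opsuser ; USER=root ; COMMAND=/usr/sbin/useradd tempadm
Sep 01 08:06:12 ems-srv01 useradd[6020]: new user: name=tempadm, UID=1005, GID=1005, home=/home/tempadm, shell=/bin/bash
Sep 01 09:12:33 ems-srv01 sshd[6100]: Accepted password for root from 192.0.2.44 port 3390 ssh2
"""
ALLOWED_SOURCES = ("10.10.30.",)  # assumed operator management subnet for interactive logins
PATTERNS = {
    "failed_login": re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)"),
    "accepted_login": re.compile(r"Accepted \w+ for (\S+) from (\S+)"),
    "sudo_to_root": re.compile(r"sudo:\s+(\S+) .*USER=root ; COMMAND=(.*)"),
    "system_change": re.compile(r"(useradd|userdel|usermod|groupadd|groupmod)\["),
}
def analyze(log_text, allowed_sources=ALLOWED_SOURCES):
    """Bucket raw lines into the event classes the slides call out; unmatched lines are noise."""
    f = {"failed_logins": [], "unauthorized_access": [], "system_changes": [], "root_users": []}
    for line in log_text.splitlines():
        if m := PATTERNS["failed_login"].search(line):
            f["failed_logins"].append(m.groups())                     # (user, source)
        elif m := PATTERNS["accepted_login"].search(line):
            user, src = m.groups()
            if user == "root":
                f["root_users"].append((user, src))                   # direct root login
            if not src.startswith(allowed_sources):
                f["unauthorized_access"].append((user, src))          # login from outside mgmt net
        elif m := PATTERNS["sudo_to_root"].search(line):
            f["root_users"].append((m.group(1), m.group(2).strip()))  # (user, command run as root)
        elif PATTERNS["system_change"].search(line):
            f["system_changes"].append(line.split("]: ", 1)[1])       # account/group change detail
    return f

def repeated_failures(findings, threshold=3):
    """Sources with >= threshold failed logins: the 'attempts through existing accounts' signal."""
    counts = Counter(src for _user, src in findings["failed_logins"])
    return {src: n for src, n in counts.items() if n >= threshold}

def review_record(findings, reviewer, reviewed_on):
    """Audit evidence that the manual review happened, plus when the next 90-day review is due."""
    d = date.fromisoformat(reviewed_on)
    return {"reviewer": reviewer, "reviewed_on": d.isoformat(),
            "next_review_due": (d + timedelta(days=90)).isoformat(),
            "event_counts": {k: len(v) for k, v in findings.items()},
            "repeated_failure_sources": repeated_failures(findings)}
```

Storing each review record alongside the retained logs gives the auditor the evidence that the logs were actually looked at, not merely kept.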
Example of setting up IDS alert priority for an EMS – config classification: attempted-dos, Attempted Denial of Service. This activity should never be seen on a control system network, so any such alert should be investigated at high priority.
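As an added example that is not from the slides, this is what that tuning looks like in Snort's classification.config, assuming Snort's classification syntax in which priority 1 is the highest:

```conf
# Format: config classification: <shortname>,<description>,<priority>
# Snort's shipped default rates attempted DoS as medium priority (2):
config classification: attempted-dos,Attempted Denial of Service,2
# Tuned entry for an EMS/control network, where this class should never fire;
# replace the default line with this one (do not keep both) so every hit is worked first:
config classification: attempted-dos,Attempted Denial of Service,1
```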
Are you ready?
• NERC CIP readiness
  • Will you be able to produce attestation for the auditors in the required time frame?
  • How do you demonstrate that you've reviewed logs?
  • How do you know you've collected the logs you need, and that none have been lost?
  • How many people do you have administering NERC CIP?
  • How long does it take you to prepare for an audit?
  • How can you be sure you'll pass the audit?
  • Have you had a 3rd party check your readiness?
  • How do you expect to be affected by NERC CIP 3?
• Ongoing system management
  • What happens if your internal NERC CIP resources leave/transfer?
  • What are you doing for change management of the control system?
  • What are you doing for patch management of the control system?
  • What are you doing for configuration management of the control system?
  • What are you doing for asset management of the control system?
Timely access to information is vital… Most of us would never wait 3 weeks to check our email, yet do we ever check our critical cyber asset logs?
Contact Information
Thank You
Walter Sikora
VP, Security Solutions
Industrial Defender, Inc.
wsikora@industrialdefender.com
(office) +1.508.718.6706
(mobile) +1.508.369.5649
(fax) +1.508.718.6701