Nerc Cip

NERC CIP Considerations when Procuring and Implementing SCADA Systems
EMS Users Conference
September 18, 2012
2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.
Introductions
MarioMarchelli Director,EnergyManagement&ControlSystemsPracticeLead (832)5630897 mario.marchelli@thestructuregroup.com GilbertPerez Manager,EMCSPractice (786)8799544 Gilbert.perez@thestructuregroup.com
Agenda
BestpracticesforSCADAprocurement BestpracticesforSCADAimplementation BestpracticesforSCADAGoLive ProperstepsforretirementoflegacySCADA Conclusions
BestPracticesforSCADASystemProcurement
WorkwithyourvendorinordertodriveyourdesiredESPDesign
CIP005
Correctlycommunicatecorporatestandardsfor ElectronicSecurityPerimeters(ESPs)toyourvendor. SpecifythelocationoftheProductionAssets. SpecifythelocationoftheDevelopmentAssets. SpecifythelocationoftheTraining(DTS)Assets. Specifythelocationofthereadonlyserversand theremoteaccesstothem.

Reference:R1.ElectronicSecurityPerimeter
TighterSecuritywillcontinuetobeimposedontheindustry,planforthefuture today
CIP005
Requestthefollowingsecurityenhancements: SecuredDNP3. SecuredICCP. ServiceDMZwhichwillhousetheprintersand othernonessentialdevices.

Reference:R2.ElectronicAccessControls
CIP007R1isthemosthighlyviolatedofalltheCIPStandards.Requesttoolswhich willhelpyouachievecompliance
CIP007
Testing/QAenvironment SpecifythelocationoftheQAAssets. Vendorprovidedtoolsfortesting Vendorservicesfortesting

Reference:R1.TestProcedures
Hardeningofsystemsisamust,auditorslovetodwellonportsandservices.
CIP007
Documentationofyourbaselinesoftware,portsand services. Removinganynonessentialsoftware,portsandservices priortodeliveryoftheSCADAsystem.

Reference:R2.PortsandServices
Sharetheresponsibilityofkeepingyoursystemuptodatewithyourvendor.
CIP007
Testingandvalidationofthepatchesforsecurity controlsnotjustfunctionality.
Reference:R3.SecurityPatchManagement
SharedAccountsareheadache,placetheburdenonyourvendor
CIP007
Disableguestaccounts. Implementpasswordcomplexityandagerequirements. Limittheuseofadministratoraccounts. Implementtheprincipleofleastprivilege.

Reference:R5.AccountManagement
CIP007
Implementtheusageofcentralizedlogging. ImplementtheusageofHostBasedIntrusionDetection System(HIDS)/IntrusionDetectionSystem(IDS).

Reference:R6.SecurityStatusMonitoring
10
SharedAccountsareheadache,requesttoolsformanagingtheseaccountsonyour vendor.
CIP007
Implementloggingtoolswhichallowstrackingof genericusernames. Tracktheuserutilizingthegenericusername. Trackthedateandtimewhichthegeneric usernamewasutilized. Tracktheactionswhichweretaken.

Reference:R5.AccountManagement
11
DecidewhoperformsyourvulnerabilityassessmentpriorissuingtheRFP
CIP007
Whowillconducttheassessment? Vendor Inhouse Thirdparty Decide: Timingofassessment. Responsibleparty

Reference:R8.CyberVulnerabilityAssessment
12
OtherissuestoconsiderpriorissuingtheRFP
CIP007
Virtualization: CIPandNonCIP StorageAreaNetworks: CIPandNonCIP. IPconnections.

Reference:SystemDesign(CIP005andCIP007)
13
RequesttoolsandprocedurestoaddressDisasterRecoveryonaperCCAbasis
CIP009
Consideravendorprovidedbackupsolution.
Reference:R4.BackupandRestore
IncludeinyourRFPthatthevendormustrestorethe SCADAsystemfrombackupmediapriortogoingonline.
*PleasenotethatyoumustdocumentedthefullrestorationoftheSCADAin ordertoprovidebookendingevidence.
Reference:R5.TestingBackupMedia
14
Agenda
15
BestPracticesforSCADASystemImplementation
CIP002
HowtotestthenewSCADASystem: If controlling Testonesubstationatatime. AvoidSubstationsdeemedCriticalAssets Avoidtestingon500and300KVsites (CIPVersion4) Establishwelldocumentedtestprocedures.
16
DonotforgettoaddyournewcriticalCyberAssetstoyourCCAlist
CIP002
OnceanewSCADAsystemhastheabilitytocontrolthe BulkElectricalSystem,alloftheCriticalCyberAssets (CCAs)associatedwiththenewsystemneedtobe declaredandaddedtoyourexistingCCAlist.

Reference:R2.(V4) R3.(V3)CriticalCyberAssetIdentification CIP003
MakeyourcompanysCyberSecurityPolicyreadily availabletoallvendoremployeeswhowillworkonyour system.

Reference:R1.CyberSecurityPolicy
17
ImplementinganewESPisthebestpathtotake
CIP005
Ifpossible,establishanewESPforthenewSCADA system.Doingsowillallowyouto: Conducttestingpriortogoingonline. Establishwelldocumentedfirewallrules. Insurethatnonewvulnerabilitiesareintroduced tothecurrentproductionenvironment. Allowsfortheimplementationofnewernetwork equipmentwithminimalinterruptiontothe existingnetwork.

Reference:R2.ElectronicAccessControls
18
VulnerabilityTestinganddocumentationareamustpriortogoingonline..
CIP005
PriortothenewESPgoinglive,youmustperforma CyberVulnerabilityAssessment.
Verifythatthevendorhasprovideyoualistingoftheports andservices.Reference:R4.CyberVulnerabilityAssessment(CVA)
OncethenewESPisestablishedortheequipmenthas beenaddedtotheexistingESP,youmustupdatethe documentationtoreflectthemodificationofthe networkorcontrolswithinninetycalendardaysofthe changes. Reference:R5.2Documentation

19
BestPracticesforSCADASystemImplementation LetsnotforgetthoseTFEs
TechnicalFeasibilityExceptions
RequestthefollowingTechnicalFeasibility Documentation: ListofdevicesforwhichaTFEmustbetaken. Equipmentvendorlettersstatingthespecific requirementwhichcannotbemet. RoadmapforeliminatingalloftheseTFEs
Reference:CIP005andCIP007
20
Agenda
21
BestPracticesforSystemGoLive
ProperCIPPersonnelcredentialsforContractorsandVendorsisamust.
CIP004
RequirethevendortotraintheiremployeesperyourCIPprogram. Requirethevendortoproviderecordsofthetrainingresults. Contractuallanguagetoaddressliabilitiesfornoncompliance.

Reference:R2.Training
RequirethevendortoprovidePersonnelRiskAssessmentforthe following: ProjectPersonnel

Maintenanceandsupportpersonnel. HardwareOEMsupportpersonnel.
RequirethevendortoprovideyourecordsofthePRAresults.
Reference:R3.PersonnelRiskAssessment(PRA)
22
TestingofthemonitoringcapabilitiespriortogoingLIVEisessential.
CIP007
Verifythatloggingisbeingperformedforallofthefollowing securityevents: Failedaccessattempts. Successfulaccessattempts. Antivirusandantimalwarealerts.

*Developaplaninordertotestthatthesecurityeventslistedabovearebeing
properlyloggedoncethesystemgoeslive.
Reference:R6.SecurityStatusMonitoring
23
Utilizestrictsecuritycontrolswhenallowingremoteaccessoncethesystem isliveisamust
CIP005
RemoteAccess(VendorandEmployees) Twofactorauthenticationforvendoraccessthruthe firewall. SecuredVPNaccess. Loggingofallvendoraccess. Layeredsecurity,possiblyajumpserverwithtwofactor authentication.

24
Agenda
25
ProperStepsforretirementoflegacySCADAsystems
Followingthepropersequenceofeventsisessential.
CIP007
Whenredeployingmagneticmedia,overwritethe mediausingDoDStandard. Whendisposingofmedia,youmustphysicallydestroy suchmedia

*Pleasenotethatyoumustoverwriteordestroythediscardedmediawhile itstillresideswithinthePSP.
Youmustcreatedandmaintainedrecordsofdisposed and/orredeployedmedia.
Reference:R7.DisposalorRedeployment
26
ProperStepsforretirementoflegacySCADAsystems
CIP005
ElectronicSecurityPerimeter IfanewESPwascreated,retiretheoldESP.
RemovetheESPwheretheretiredequipmentresidedfromanydrawings.
CIP006
PhysicalSecurityPerimeter IfanewPSPwascreated,retiretheoldPSP.
RemovetheoldPSPfromthePhysicalSecurityPlan.
27
Agenda
28
Conclusions Becomepartnerswithyourselectedvendorinsharingthe CIPSecurityresponsibilities. SelectavendorwhichhasembracedCIPSecurityandhas acultureofexceedingtheCIPRequirements. DeveloptestplansforSecurityTestingcontrolsduringthe implementationofyournewSCADAsystem. Oncethesystemgoeslive,insurethatallofthevendor personnelworkingonyoursystemhavetheproperCIP credentials. Properdisposalofyourdiscardedsystemisessential.
29
KeyCyberSecurityConsiderations Questions?
30

Nerc Cip

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Nerc Cip

Uploaded by

Copyright:

Available Formats

NERC CIP Considerations when Procuring and Implementing SCADA Systems

EMS Users Conference

September 18, 2012

MarioMarchelli Director,EnergyManagement&ControlSystemsPracticeLead (832)5630897 mario.marchelli@thestructuregroup.com GilbertPerez Manager,EMCSPractice (786)8799544 Gilbert.perez@thestructuregroup.com

BestpracticesforSCADAprocurement BestpracticesforSCADAimplementation BestpracticesforSCADAGoLive ProperstepsforretirementoflegacySCADA Conclusions

Correctlycommunicatecorporatestandardsfor ElectronicSecurityPerimeters(ESPs)toyourvendor. SpecifythelocationoftheProductionAssets. SpecifythelocationoftheDevelopmentAssets. SpecifythelocationoftheTraining(DTS)Assets. Specifythelocationofthereadonlyserversand theremoteaccesstothem.

Requestthefollowingsecurityenhancements: SecuredDNP3. SecuredICCP. ServiceDMZwhichwillhousetheprintersand othernonessentialdevices.

Testing/QAenvironment SpecifythelocationoftheQAAssets. Vendorprovidedtoolsfortesting Vendorservicesfortesting

Documentationofyourbaselinesoftware,portsand services. Removinganynonessentialsoftware,portsandservices priortodeliveryoftheSCADAsystem.

Disableguestaccounts. Implementpasswordcomplexityandagerequirements. Limittheuseofadministratoraccounts. Implementtheprincipleofleastprivilege.

Implementtheusageofcentralizedlogging. ImplementtheusageofHostBasedIntrusionDetection System(HIDS)/IntrusionDetectionSystem(IDS).

Implementloggingtoolswhichallowstrackingof genericusernames. Tracktheuserutilizingthegenericusername. Trackthedateandtimewhichthegeneric usernamewasutilized. Tracktheactionswhichweretaken.

Whowillconducttheassessment? Vendor Inhouse Thirdparty Decide: Timingofassessment. Responsibleparty

Virtualization: CIPandNonCIP StorageAreaNetworks: CIPandNonCIP. IPconnections.

BestpracticesforSCADAprocurement BestpracticesforSCADAimplementation BestpracticesforSCADAGoLive ProperstepsforretirementoflegacySCADA Conclusions

HowtotestthenewSCADASystem: If controlling Testonesubstationatatime. AvoidSubstationsdeemedCriticalAssets Avoidtestingon500and300KVsites (CIPVersion4) Establishwelldocumentedtestprocedures.

OnceanewSCADAsystemhastheabilitytocontrolthe BulkElectricalSystem,alloftheCriticalCyberAssets (CCAs)associatedwiththenewsystemneedtobe declaredandaddedtoyourexistingCCAlist.

MakeyourcompanysCyberSecurityPolicyreadily availabletoallvendoremployeeswhowillworkonyour system.

OncethenewESPisestablishedortheequipmenthas beenaddedtotheexistingESP,youmustupdatethe documentationtoreflectthemodificationofthe networkorcontrolswithinninetycalendardaysofthe changes. Reference:R5.2Documentation

BestpracticesforSCADAprocurement BestpracticesforSCADAimplementation BestpracticesforSCADAGoLive ProperstepsforretirementoflegacySCADA Conclusions

RequirethevendortotraintheiremployeesperyourCIPprogram. Requirethevendortoproviderecordsofthetrainingresults. Contractuallanguagetoaddressliabilitiesfornoncompliance.

RequirethevendortoprovidePersonnelRiskAssessmentforthe following: ProjectPersonnel

Verifythatloggingisbeingperformedforallofthefollowing securityevents: Failedaccessattempts. Successfulaccessattempts. Antivirusandantimalwarealerts.

RemoteAccess(VendorandEmployees) Twofactorauthenticationforvendoraccessthruthe firewall. SecuredVPNaccess. Loggingofallvendoraccess. Layeredsecurity,possiblyajumpserverwithtwofactor authentication.

BestpracticesforSCADAprocurement BestpracticesforSCADAimplementation BestpracticesforSCADAGoLive ProperstepsforretirementoflegacySCADA Conclusions

Whenredeployingmagneticmedia,overwritethe mediausingDoDStandard. Whendisposingofmedia,youmustphysicallydestroy suchmedia

BestpracticesforSCADAprocurement BestpracticesforSCADAimplementation BestpracticesforSCADAGoLive ProperstepsforretirementoflegacySCADA Conclusions

You might also like