A Tactical Approach to Continuous Compliance Walt Sikora, Vice President Security Solutions EMMOS 2013

A Tactical Approach to Continuous Compliance - EMMOSemmos.org/prevconf/2013/6.A Tactical Approach to Continuous... · A Tactical Approach to Continuous Compliance ... o Emerson DeltaV



9/24/2013 2

Abstract

NERC has moved quickly to address shortcomings and lack of clarity in previous versions of CIP standards. While this was a positive move, overall, it also presents some unique challenges for Asset Owners.

This presentation will briefly cover changes and challenges presented with NERC CIPv5 adoption and deliver tactical steps that Asset Owners can take to fulfill requirements and achieve continuous compliance when addressing CIP-010-5 “Cyber Security – Configuration Management and Vulnerability Assessment”.


Industrial Defender at a Glance

Industrial Defender ranked #1 two years in a row by independent analysts

• Security and compliance since 2002

• Exclusively focused on OT

• Pioneering automation systems management: security, compliance and change management for ICS

• Turnkey technology and service solution

• Multiple applications, one platform

• Vendor agnostic

• Purpose built

10,000+ technology deployments

400+ customers

25+ countries


NERC CIP v4 v. NERC CIP v5

Version 4 | Version 5
42 requirements; 113 parts | 37 requirements; 148 parts
No contextual information | Includes background, rationale, and guidelines and Technical Basis
Measures on high level requirement only | Measures for each requirement, including parts
14 requirements with Technical Feasibility Exception (TFE) triggering language | 12 requirements with TFE triggering language
Undefined periodic terms | Clear periodic requirements: initial requirements in Implementation Plan
Many binary Violation Severity Levels (VSLs) | More gradated VSLs

Source: http://www.nerc.com/docs/standards/sar/Webinar_Slides-Project_2008-06-April_10,_2012.pdf


Implications of the Changes

Change | Implication
Fewer requirements, more parts | More clarity, more coverage
Increased context, background, rationale | More clarity
Measures for each requirement and part | More clarity, more examples
Less potential for TFEs | More mitigation, workarounds, or additional solution(s)
Clearly defined periodic terms | More clarity, less room for periodic errors
More gradated VSLs | More flexibility

“Entities are not required to self-report deficiencies if they are identifying, assessing and correcting them”


High, Medium, and Low Impact

• CIP-002-5 Attachment 1

– Impact Rating Criteria

– Rates BES Cyber Systems by:

• High Impact Rating (H)

• Medium Impact Rating (M)

• Low Impact Rating (L)

– Criteria listed for each rating level

– Rating level will determine which requirements/sub-requirements a BES Cyber System owner will have to meet

– Rating level(s) are associated with each requirement


Strategic Goals for complying with CIP-010-5

• High-level strategy

– Continuous compliance

– Reduce overhead

– Improved resource allocation

• How do you get there?

– Are you there yet?


What we now know…

• Automation Systems becoming more complex

o Mix of legacy and next generation architectures

o Heterogeneous Systems

o Exponential Increase in intelligent devices

o Unclear responsibility/ownership

• Need for increased security

• Lots of technologies that can help

• Remember: No silver bullets!

• Managing change introduces additional business process requirements and labor allocation

• Fewer Resources / increasing skill set gaps

Balancing Operational Requirements with Security, Compliance, Change Management requirements

Priorities & Objectives

• Maintain Reliability & Performance standards

• Ensure profitability

• Report on activities


Change Management

Question:

Do you anticipate growth in intelligent devices over the next 3-5 years?

How will you manage: Patching? Firmware Updates? Configurations? User Access?

[Diagram labels: Hardened networking devices; Servers: PCS, SCADA, …; HMI Stations; Firewalls; Workstations; IEDs, Sensors, Controllers; PLCs]


Quick Review of CIP-010-5 – Configuration Management

• R1 – Configuration Change Management

– R1.1 – Baseline configuration for:

• OS

• Commercial or Open-source Application(s)

• Custom software

• Logical network accessible ports

• Security Patches

– R1.2 – Authorize and document changes that deviate from the existing baseline configuration

– R1.3 – For deviations, update baselines and documentation required by CIP-007 and CIP-005 as necessary within 30 calendar days

– R1.4 – For changes that deviate

• R1.4.1 – Determine potentially impacted cyber security controls prior to change

• R1.4.2 – After change, verify controls are not adversely affected

• R1.4.3 – Document results of verification


ABB Siemens* Emerson*

Do you have more than one control system to worry about?

*Some vendors may supply security solutions for only their system


How many tools do you need to manage your EMS?

What Industrial Defender’s ASM Covers

[Diagram: functions grouped under Ticketing Management, Change Management, Event Management, Patch Management, User Management, Asset Management, Network Management and IED Configuration Management. Labels shown: Change Ticketing; Source Code; Development; Email/Web Events; DPI; Root Cause Analysis; Patch Application; Ticketing workflows; Ticketing approvals; Access Management; GIS; Maintenance; Work Orders; Network Visualization; Operational; Algorithms; Configuration; Change Initiation; Pre-Post change; Config/Policy Exceptions; Change Documentation; ICS Collectors; Logic Rules; Event Correlation; Documentation; Tasks; Patch Monitoring; Patch Baseline; Patch Exception; User Baselines; User Activity; Reporting; Device inventory; Configuration Backups; Security logging; Change monitoring]


The current approach to security, compliance and change management typically takes at least 10 screens.

[Screens shown: Cryptzone SE46, Tripwire, McAfee, WizNucleus, Lumension, Trigeo SEM, eEye Retina, Industrial Defender, SonicWall]


With the Automation Systems Manager organizations can:

• Secure vulnerabilities from malicious attacks and human error.

• Implement regulatory compliance measures and efficiently process reporting requirements from a centralized dashboard.

• Manage change across a growing, heterogeneous and complex automation environment.


Automation Systems Management Architecture

[Diagram labels: Automation Systems Manager (ASM) Application Capabilities: Configuration Change Management, Policy Management, Reporting, Event Management, Asset Management; DCS, SCADA, PLC, RTU, PCS, Controllers]


Software Applications essential to Security, Compliance and Change Management

• Asset Management: A single unified view of all assets within the automation system’s environment. Enables onboarding and decommissioning of assets, reports device status, information access and state information.

• Event Management: Brings visibility to control system and networks by providing event log data. Receives and consolidates events from multiple security sources, centralizes operations and reduces expenses.

• Configuration Change Management: Enables operators to track and audit device settings, software, firewall rules and user accounts and view and baseline the system configurations, ports & services, and software.

• Policy Management: Enables operators to communicate new policies, track acceptance and manage conformance.

• Reporting: A comprehensive suite of standard configurable reports to meet regulatory requirements and simplify adherence to internal requirements. Enables users to define, generate and automate reports as needed.


Configuration Management – 2 Approaches

Passive

Always watching

Never changing production

“Oh, we see a change. Is it ok? Click ‘Yes’ or ‘No’”

Baseline gets updated after the fact if ‘Yes’

Production asset gets manually reverted if ‘No’

Active

Always watching

Never changing production

“Oh, we see a change. Revert that change back to the approved configuration automatically.”

No permanent changes to production until approved configuration change

Baseline gets updated to enable change
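
The passive approach above, applied to the R1.1 baseline categories and the R1.3 30-calendar-day window, as an added example that is not part of the presentation or of any Industrial Defender product. The category keys, function names and asset data are constructed for illustration.

```python
from datetime import date, timedelta

# Baseline categories listed under R1.1 in the slides (key names are hypothetical).
CATEGORIES = ("os", "applications", "custom_software", "ports", "patches")
UPDATE_WINDOW = timedelta(days=30)  # R1.3: update the baseline within 30 calendar days

def as_set(value):
    """Treat scalar fields (e.g. OS version) and lists uniformly as sets."""
    return {value} if isinstance(value, str) else set(value)

def diff_baseline(baseline, observed):
    """Return {category: (added, removed)} for every category that deviates."""
    deviations = {}
    for cat in CATEGORIES:
        base, seen = as_set(baseline.get(cat, ())), as_set(observed.get(cat, ()))
        if base != seen:
            deviations[cat] = (sorted(seen - base), sorted(base - seen))
    return deviations

def review(baseline, observed, approved, change_date, today):
    """Passive approach: the tool never touches production.
    Approved deviations are folded into the baseline after the fact;
    rejected ones are returned so the asset can be reverted manually."""
    new_baseline, to_revert, updated = dict(baseline), {}, False
    for cat, delta in diff_baseline(baseline, observed).items():
        if cat in approved:
            new_baseline[cat], updated = observed[cat], True
        else:
            to_revert[cat] = delta
    # Flag a baseline update that lands outside the 30-day window.
    overdue = updated and (today - change_date) > UPDATE_WINDOW
    return new_baseline, to_revert, overdue

# Constructed sample data for a hypothetical HMI station.
BASELINE = {"os": "Windows 7", "applications": ["HistorianClient 4.2"],
            "custom_software": [], "ports": [135, 445, 3389],
            "patches": ["PATCH-001"]}
OBSERVED = {"os": "Windows 7", "applications": ["HistorianClient 4.2"],
            "custom_software": [], "ports": [135, 445, 3389, 5900],
            "patches": ["PATCH-001", "PATCH-002"]}

if __name__ == "__main__":
    new, revert, late = review(BASELINE, OBSERVED, approved={"patches"},
                               change_date=date(2013, 9, 1), today=date(2013, 9, 24))
    print("updated patch baseline:", new["patches"])
    print("manual revert needed:", revert)
    print("baseline update overdue:", late)
```

The same `diff_baseline` output is what an R1.4.3 verification record would be built from: one entry per deviating category, with what was added and what was removed.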


Situational awareness


Central asset information


Which ports are used?


Device ports and services configuration details


Software inventory


Patches installed


Cyber Asset Details


Security Event Monitoring


Compliance reporting


Experience across many automation environments

• Security performance monitoring

o ABB 800xA, Symphony/Harmony, Infi90, Network Manager, FACTS, SYS600C and MicroSCADA

o Automsoft RAPID Historian

o Emerson DeltaV and Emerson Ovation

o Emerson/Westinghouse WDPF

o GE XA/21

o GE PowerOn Fusion

o Foxboro I/A Series

o Honeywell Experion

o Itron OpenWay System

o Rockwell RSView

o Schneider/Telvent Oasys, Citect Momentum, Quantum

o Siemens PCS7

o Yokogawa Centum CS 3000

• Operating systems

o Windows 7

o Win 2k, 2k3, 2k8 R2, XP, WinNT

o HP-UX PA-RISC & Itanium

o Linux

o DEC Tru-64

o Sun Solaris

o IBM AIX

• Industrial rules

o DNP3

o Modbus

o ICCP

o IEC 61850

o TCP/IP


It’s a program, not a project

Supervise™ Services

• Event Monitoring

• Configuration Baseline Monitoring

• Move, Add, Change Management

Sustain™ Services

• Firmware/Patch Updates

• Performance/Alert Tuning

• Re-Baselining Software, Patches, Ports & Services

Survive™ Services

• Backup

• Restoration

• Disaster Recovery

[Diagram labels: Automation Systems Manager (ASM) Application Capabilities: Configuration Change Management, Policy Management, Reporting, Event Management, Asset Management; Automation Systems End-Points (Optional Agent): Clients, Servers, Perimeter Devices, Network Devices]


Industrial Defender: Your Solution for Automation Systems Management

Challenges

• Rapidly changing technologies

• Evolving security threats, both internal & external

• Lack of expertise

Choosing Solutions

• Purpose built for control systems

• Eliminate manual work

• Report on activities

• Compatible with all your systems

Meet the Challenges

Deeply integrated with a number of EMS vendors to ensure performance & reliability

Tackle increasing security, compliance and change management challenges despite resource constraints.

Simplify and scale with a complete turnkey solution:

Address resource and expertise challenges with a single view, vendor agnostic platform.

Enable IT and OT to work together via a purpose built solution.

Reduce overall TCO with a unified approach.

Sustain your automation environment as a program – not a project!


Web: www.industrialdefender.com

Blog: blog.industrialdefender.com

Twitter: @i_defender