The Road to CIP Compliance

Stephen Theodos, CISSP, Essential Power, LLC

Essential Power Case Study: Protecting Critical Infrastructure From Cyber Attacks


DESCRIPTION

In May 2014, the US Department of Homeland Security and its Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued a report confirming several recent attacks on public utilities from the first quarter of 2014. DHS confirmed that a sophisticated threat actor gained unauthorized access to an unnamed public utility’s control system network. Incidents of this type have not been as widely publicized as recent retail breaches, but many believe that far more incidents occur within the Energy Sector than are reported in the press. Lack of enforced and implemented policy and compliance, poor capability for early detection of threat indicators, and lack of visibility and automation may all contribute to failures in rapidly detecting attacks and breaches. Essential Power™ (formerly known as North American Energy Alliance) is a wholesale power generator and marketer providing electric energy, located in the Northeastern United States. Essential Power will share a case study of its own journey towards achieving NERC CIP compliance within a very short five-month timeline, and how they did it.


Page 1: Essential Power Case Study: Protecting Critical Infrastructure From Cyber Attacks

Essential Power, LLC

The Road to CIP Compliance

Stephen Theodos, CISSP

Page 2

Essential Power, LLC ~ Proprietary & Confidential

About Essential Power

Founded in 2008

Own and operate five generation facilities throughout the Northeast

Our fleet is primarily peaking power fueled predominantly by natural gas

Just over 2,000 megawatts of total generation capacity

Headquartered in Princeton, NJ

Page 3

Discussion Overview

What did we start with?

What hurdles did we face as our company developed and as enforcement dates loomed for CIP?

How were we able to overcome these challenges?

What are some potential hurdles coming up regarding future risk and CIP 5?

Page 4

Bears, Beets, ……

Page 5

The beginning…

Inherited our generation networks

Lacked thoughtful design

Used overlapping IP address subnets

Lacked “intelligent hardware”

Minimal Security

No Logging

No backup plan

Page 6

Action Plan

Retrofit security as much as possible onto the existing networks

A complete redesign from scratch was not possible at the time

Our time frame was incredibly short

A new mindset: not just generating energy, but generating it securely

Defense in Depth: Deter, Delay, Detect, Defend

Page 7

… More Actions

Perform our GAP analysis

Secure all devices

Manage and document all user accounts

Create ESPs and PSPs

Enable logging on all devices

Monitor these logs for any unexpected behavior

Make sure we are meeting our CIP requirements

Page 8

ESP Illustration

Page 9

Benefits of a SIEM

CIP-005 and CIP-007 require review of log samples from Critical Cyber Assets and from Access Control and Monitoring devices, and require us to keep an auditable log of user activity

It was determined that a Security Information and Event Management (SIEM) system that collects and correlates system logs on a centralized server would be required

A centralized SIEM would mean convergence of the existing segregated networks

Network Address Translation was required because the plant networks used overlapping IP address subnets

Page 10

Opportunities to Detect Cyberthreat Gaps

The Cyber Threat Kill Chain (Lockheed Martin)

[Figure: the kill chain stages plotted against Level of Exposure and Chance of Detection. Stages, left to right: Recon; Weaponization & Delivery; Exploitation; C2 (Command & Control); Malicious Action (Exfiltration and Business Disruption). Annotation: Most Efficient Points to Detect.]

Page 11

Security Configuration Management

Working Together to Enforce Security Policies, Detect Anomalies, and Integrate with Ops

[Figure: Secure Server & Network Configurations plotted against Time. Labels: Manual Assessment; Periodic Assessment (MEGASCAN required to reassess); Configuration Changes Occur Constantly; Continuous Security Configuration Mgmt.]

Continuous Security Configuration Mgmt:

Understands changes in the environment

The goal is security, not audit

Lower costs, greater efficiency

Continual risk reduction

Measurable, sustainable security

The goal: an enterprise-wide policy for secure configuration standards (“80% of CIS Benchmarks”)

Page 12

Choosing a SIEM

We reviewed three different SIEM vendors during our RFP / review process

Ultimately chose Tripwire, due to a combination of factors

At the time, they were one of the few vendors that had predetermined CIP rules

Offered solid value for the overall cost compared to other competitors

Their support team was willing and able to assist us throughout the deployment

Interface was simple, intuitive, and provided exactly what we needed to see

We opted for both Tripwire Log Center and Tripwire Enterprise

Page 13

NERC CIP Requirements that Tripwire Log Center meets

CIP-005 R3.2 Alerting for Cyber Security Incidents for Access Control and Monitoring devices

CIP-005 R5.3 Retain and review electronic access logs for at least ninety calendar days for Access Control and Monitoring devices

CIP-007 R6.2 Alerting for Cyber Security Incidents for Critical Cyber Assets

CIP-007 R6.3 Logs of system events related to cyber security for Critical Cyber Assets

CIP-007 R6.4 Retain logs of Critical Cyber Assets for 90 days

CIP-007 R6.5 Review logs of Critical Cyber Assets at least every 90 days

CIP-008 R3 Logs related to reportable incidents shall be kept for 3 years
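As an added example (not Essential Power's or Tripwire's code), the following is a minimal log review of the kind these requirements call for: it flags the events a SIEM would alert on (a burst of failed logins on a Critical Cyber Asset, a configuration change on an access control device) and checks that the retained logs cover the 90-day window. The hostnames, IPs, line format and alert thresholds are assumptions, and the log lines are constructed.

```python
"""Added example (not Essential Power's or Tripwire's code): a minimal log
review of the kind CIP-005 R5.3 and CIP-007 R6 call for, over constructed
syslog-style lines. Hostnames, IPs, line format and thresholds are assumed."""
from collections import deque
from datetime import datetime, timedelta

RETENTION_DAYS = 90                  # CIP-005 R5.3 / CIP-007 R6.4 window
FAIL_THRESHOLD = 3                   # assumed: failed logins per user/host...
FAIL_WINDOW = timedelta(seconds=60)  # ...within this window raise an alert

# Constructed sample lines: "<ISO timestamp> <host> <event> key=value ..."
SAMPLE_LOGS = """\
2014-05-01T02:00:10 plant-a-hmi01 AUTH_FAIL user=operator src=10.1.1.50
2014-05-01T02:00:14 plant-a-hmi01 AUTH_FAIL user=operator src=10.1.1.50
2014-05-01T02:00:19 plant-a-hmi01 AUTH_FAIL user=operator src=10.1.1.50
2014-05-01T02:01:02 plant-a-hmi01 AUTH_OK user=operator src=10.1.1.50
2014-05-01T03:15:00 plant-b-fw01 CONFIG_CHANGE user=admin object=acl-esp-in
2014-05-02T09:00:00 plant-b-fw01 AUTH_OK user=admin src=192.0.2.7
"""

def parse(text):
    """Yield (timestamp, host, event, fields) for each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            ts, host, event, *kv = line.split()
            yield datetime.fromisoformat(ts), host, event, dict(p.split("=", 1) for p in kv)

def find_alerts(text):
    """Alerts on every configuration change and on FAIL_THRESHOLD failed
    logins for the same (host, user) inside FAIL_WINDOW; a burst alerts once."""
    alerts, recent = [], {}
    for ts, host, event, f in parse(text):
        if event == "CONFIG_CHANGE":
            alerts.append(f"{host}: config change by {f.get('user')} to {f.get('object')}")
        elif event == "AUTH_FAIL":
            q = recent.setdefault((host, f.get("user")), deque())
            q.append(ts)
            while ts - q[0] > FAIL_WINDOW:       # drop failures outside the window
                q.popleft()
            if len(q) == FAIL_THRESHOLD:
                alerts.append(f"{host}: {FAIL_THRESHOLD} failed logins for "
                              f"{f.get('user')} within {FAIL_WINDOW.seconds}s")
    return alerts

def retention_covers(text, now):
    """True if retained logs reach back at least RETENTION_DAYS before `now`."""
    now = datetime.fromisoformat(now) if isinstance(now, str) else now
    earliest = min(ts for ts, *_ in parse(text))
    return now - earliest >= timedelta(days=RETENTION_DAYS)
```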

Page 14

NERC CIP Requirements that Tripwire Enterprise meets

CIP-003 R5 requires Responsible Entities to “document and implement a program for managing access to protected Critical Cyber Asset information.”

CIP-003 R6 requires change control and configuration management processes to be established and documented

CIP-007 R3 Security Patch Management. The file integrity monitoring reports unauthorized modifications or changes and provides documentation of authorized changes

CIP-007 R5 Account Management requires technical and procedural controls that enforce access authentication and accountability for all user activity
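As an added example (not Tripwire Enterprise's code), the following shows the file-integrity baseline and change report the slides describe for CIP-003 R6 and CIP-007 R3: every change is judged against a documented change record, so the report separates authorized changes from undocumented ones. The paths, file contents and change record are constructed assumptions.

```python
"""Added example (not Tripwire Enterprise's code): a file-integrity baseline
and change report of the kind the slides describe for CIP-003 R6 / CIP-007 R3.
Changes are judged against a constructed change record, so the report shows
which modifications were authorized and which were not. Paths, file contents
and the change record are constructed assumptions."""
import hashlib

def fingerprint(files):
    """Baseline: map each path to the SHA-256 of its content (bytes)."""
    return {p: hashlib.sha256(c).hexdigest() for p, c in files.items()}

def change_report(baseline, current, authorized):
    """Compare two fingerprints. `authorized` maps path -> hash expected after
    the documented change (None = documented removal). A change is
    unauthorized when it is absent from the record or yields another hash."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    unauthorized = [p for p in added + modified if authorized.get(p) != current[p]]
    unauthorized += [p for p in removed
                     if p not in authorized or authorized[p] is not None]
    return {"added": added, "removed": removed, "modified": modified,
            "unauthorized": sorted(unauthorized)}

# Constructed baseline of an HMI host, taken when it was commissioned.
BASELINE_FILES = {
    "C:/hmi/app.exe": b"hmi build 1",
    "C:/hmi/config.ini": b"poll_seconds=5\n",
    "C:/hmi/legacy.dll": b"obsolete helper",
}
# Constructed state after a patch window. The change record authorizes only
# the app.exe patch and the legacy.dll removal; the other edits are undocumented.
CURRENT_FILES = {
    "C:/hmi/app.exe": b"hmi build 2",
    "C:/hmi/config.ini": b"poll_seconds=5\nallow_remote=1\n",
    "C:/hmi/helper.exe": b"unexpected binary",
}
AUTHORIZED_CHANGES = {
    "C:/hmi/app.exe": hashlib.sha256(b"hmi build 2").hexdigest(),
    "C:/hmi/legacy.dll": None,
}

def daily_change_report():
    """The report an operator would review each morning for the HMI host."""
    return change_report(fingerprint(BASELINE_FILES),
                         fingerprint(CURRENT_FILES), AUTHORIZED_CHANGES)

if __name__ == "__main__":
    for kind, paths in daily_change_report().items():
        print(f"{kind}: {paths}")
```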

Page 15

Security Benefits Provided

Easy to use GUI allows for easy modification of rules and alerts

Daily and weekly traffic reports to set baseline traffic patterns and easily analyze any anomalies

Daily change reports let us know immediately if and when any changes occur to the file system

Page 16

Alerting and Notification

Instant notification of cyber security related events

Advanced correlation of system logs, which saves many hours of log review

Page 17

Auditing And Forensic Data

Practical and useful search criteria for audits and investigations

The data is easily available for forensic analysis if necessary

Page 18

Future Risks

“The concern over cybersecurity risks to critical infrastructure, of which power generation is a significant element, is unlikely to wane in the foreseeable future.” – Steven Parker, President of EnergySec

Page 19

Moving Forward

How are we preparing for CIP 5?

Updating and cleaning up current CIP document repository

Verifying and updating documentation of all electronic devices as necessary

Using a third party to perform a gap analysis of where we may be lacking in CIPv5 preparation

Scheduling mock audits internally

Attempting to allocate resources accordingly

Page 20

Newer and Smarter Defenses

Vendors have increased their support of CIP compliance initiatives

SIEMs are smarter and more capable than in the past

Newer technologies constantly available to make our lives easier

Better “whitelist” capabilities

Improved patch management

Improved port scanning and confirmation

Ability to tie in physical security logging and alerts

Easier access to compliance reports and audit results

Page 21

Page 22

Thoughts on Deployments of SIEM

Provide appropriate security controls to your SIEM

Spend time tuning it! The system can only run as well as it is configured

Don’t be afraid to contact the vendor directly for support

Use it frequently! Hands on is the best way to learn

Page 23

Q&A

Questions? Comments?

Page 24