automating for nerc cip-007-5-r1

Download Automating for NERC CIP-007-5-R1

Post on 15-Jul-2015

236 views

Category:

Technology

0 download

Embed Size (px)

TRANSCRIPT

TITLE SLIDE

AUTOMATING FOR NERC CIP-007-5-R1Robert Held, GCIHSenior Systems EngineerTripwireMarc C. Child, CISSPInformation Security Program Manager, Great River Energy

Robert Held with Marc ChildApril 16, 2015 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.4/17/20151

#CIP 007-5-R1Requirement 1:Where technically feasible, enable only logical network accessible ports that have been determined to be needed by the Responsible Entity, including port ranges or services where needed to handle dynamic ports. If a device has no provision for disabling or restricting logical ports on the device then those ports that are open are deemed needed.

#Evidence ExamplesDocumentation of the need for all enabled ports on all applicable Cyber Assets and Electronic Access Points, individually or by group.Listings of the listening ports on the Cyber Assets, individually or by group, from either the device configuration files, command output (such as netstat), or network scans of open ports.Configuration files of host-based firewalls or other device level mechanisms that only allow needed ports and deny all others. #NERC CIPv3 Top Audit Violations (18 months)SEPTEMBER 2011 MARCH 2013Perimeter#Horror stories from the compliance audit findings - Passwords 4 years old & default, passwords changed once in 2+ years, admin passwords still set to default, peoples accounts not closed after they left employment, employees and contractors remained untrained on security policies after 90 days, lax physical security, nearly 800 reliability incidents (where service was interrupted) for which the cause was undetermined 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.4/17/20155Typical ComplianceCollect netstat output from operating systemsRun port scans for network devicesDump data into network shareManual review and documentation matchingProduce spreadsheet of ports and documentationRepeat quarterly#Why Whats Done Today Doesnt WorkManual data gathering processIncomplete dataLarge time sink for staffManual review of data is error proneLong time gaps between compliance efforts result in rollercoaster of compliance#

#Additional Whitelist Capable DataServicesUsers with password ageGroups membershipsSoftwareSharesPersistent routes#

#Compliance Dashboards

#Manual Compliance ProcessesCompliance PreparednessCompliance Audit DeadlinePeriodic Self CertAudit Deadline#Tripwire Automated ComplianceCompliance PreparednessTimeCompliance Audit Deadline

PeriodicSelf CertAudit Deadline#Continuous Compliance with TripwireAudit evidence is always readyCustomer specific justifications for usageDay to day work only involves rare exceptionsRole based asset onboardingExcellent coverage for CIP 10Audit proven CIP 3 and CIP 5 audits#GRE & TripwireWebinar: Automating for NERC CIP-007-516-Apr-2015Marc A. ChildGreat River EnergySecurity Program ManagerTakeawaysWhy GRE chose to use TripwireUse cases for:Corporate SystemsNERC Assets Types of alertsFile-monitoringOS monitoringWhitelisting

Background2007Audit issue: Developer access to Production app2009Board member: Well, over at our cooperative2010Purchased 10-license starter packFocus on financial system2011CIP-007-3 R2 violationCorporate Systems

File-system Rules

COCR*

* Command Output Capture RuleOperating System

NERC AssetsWindows Servers and WorkstationsLinux RHEL 5/6Cisco ASACisco (2800/2960/3800/Nexus)OtherVMWare ESXCisco ACSNERC: Windows

Alerts

Alerts

Alerts

Whitelists

Whitelists

Services.CSVWhitelistsports.CSV

Whitelists - evidence

NERC Policies

Questions?

Wonder if they bought all that?THANK YOUrheld@tripwire.com, mchild@grenergy.com tripwire.com | @TripwireInc

View more >