Upload File

automating for nerc cip-007-5-r1

of 33 /33

Author: tripwire

Post on 15-Jul-2015

238 views

Category:

Technology


0 download

Report

Tags:

Embed Size (px)

TRANSCRIPT

TITLE SLIDE

AUTOMATING FOR NERC CIP-007-5-R1Robert Held, GCIHSenior Systems EngineerTripwireMarc C. Child, CISSPInformation Security Program Manager, Great River Energy

Robert Held with Marc ChildApril 16, 2015 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.4/17/20151

#CIP 007-5-R1Requirement 1:Where technically feasible, enable only logical network accessible ports that have been determined to be needed by the Responsible Entity, including port ranges or services where needed to handle dynamic ports. If a device has no provision for disabling or restricting logical ports on the device then those ports that are open are deemed needed.

#Evidence ExamplesDocumentation of the need for all enabled ports on all applicable Cyber Assets and Electronic Access Points, individually or by group.Listings of the listening ports on the Cyber Assets, individually or by group, from either the device configuration files, command output (such as netstat), or network scans of open ports.Configuration files of host-based firewalls or other device level mechanisms that only allow needed ports and deny all others. #NERC CIPv3 Top Audit Violations (18 months)SEPTEMBER 2011 MARCH 2013Perimeter#Horror stories from the compliance audit findings - Passwords 4 years old & default, passwords changed once in 2+ years, admin passwords still set to default, peoples accounts not closed after they left employment, employees and contractors remained untrained on security policies after 90 days, lax physical security, nearly 800 reliability incidents (where service was interrupted) for which the cause was undetermined 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.4/17/20155Typical ComplianceCollect netstat output from operating systemsRun port scans for network devicesDump data into network shareManual review and documentation matchingProduce spreadsheet of ports and documentationRepeat quarterly#Why Whats Done Today Doesnt WorkManual data gathering processIncomplete dataLarge time sink for staffManual review of data is error proneLong time gaps between compliance efforts result in rollercoaster of compliance#

#Additional Whitelist Capable DataServicesUsers with password ageGroups membershipsSoftwareSharesPersistent routes#

#Compliance Dashboards

#Manual Compliance ProcessesCompliance PreparednessCompliance Audit DeadlinePeriodic Self CertAudit Deadline#Tripwire Automated ComplianceCompliance PreparednessTimeCompliance Audit Deadline

PeriodicSelf CertAudit Deadline#Continuous Compliance with TripwireAudit evidence is always readyCustomer specific justifications for usageDay to day work only involves rare exceptionsRole based asset onboardingExcellent coverage for CIP 10Audit proven CIP 3 and CIP 5 audits#GRE & TripwireWebinar: Automating for NERC CIP-007-516-Apr-2015Marc A. ChildGreat River EnergySecurity Program ManagerTakeawaysWhy GRE chose to use TripwireUse cases for:Corporate SystemsNERC Assets Types of alertsFile-monitoringOS monitoringWhitelisting

Background2007Audit issue: Developer access to Production app2009Board member: Well, over at our cooperative2010Purchased 10-license starter packFocus on financial system2011CIP-007-3 R2 violationCorporate Systems

File-system Rules

COCR*

* Command Output Capture RuleOperating System

NERC AssetsWindows Servers and WorkstationsLinux RHEL 5/6Cisco ASACisco (2800/2960/3800/Nexus)OtherVMWare ESXCisco ACSNERC: Windows

Alerts

Alerts

Alerts

Whitelists

Whitelists

Services.CSVWhitelistsports.CSV

Whitelists - evidence

NERC Policies

Questions?

Wonder if they bought all that?THANK [email protected], [email protected] tripwire.com | @TripwireInc


Recommended Guidelines for NERC CIP … Measurement...PNNL-26874 Prepared for the U.S. Department of Energy Under Contract DE-AC05-76RL01830 Recommended Guidelines for NERC CIP Compliance
NERC CIP -1, -2 and -3: A Comparison - NERC CIP Version 6 ... · PDF fileNERC CIP Standards Comparison: -1 to -2 Standard v1 Req Number v1 Requirement Did the requirement change? v2
Update in NERC CIP Activities September 4, 2014
NERC CIP Version 5 Compliance | Simpli˜ed...NERC Compliance CIP & 693 Solution NERC CIP Version 5 Compliance | Simpli˜ed.Meeting NERC CIP v5 Head On The CIP version 5 standards represent
Explore the Implicit Requirements of the NERC CIP RSAWs
NERC CIP Vulnerability Assessment Report - SAINT · PDF fileNERC CIP Vulnerability Assessment Report Report Generated: December 14, 2015 1 Background NERC introduced its Critical Infrastructure
NERC CIP Version 6 - emmos.orgemmos.org/prevconf/2017/9. NERC CIP6 - Ron Koziy.pdf · NERC CIP Version 6 - Robert Koziy Director – Cyber Security Compliance Open Systems International
Cisco NERC CIP v5 Compliance · PDF fileCisco NERC CIP v5 Compliance Solutions ... Although NERC CIP does not yet address virtualization, Cisco has developed virtual security
NERC CIP Course Catalog - CMMC Training for Federal
CIP-006-5 — Cyber Security — Physical Security of BES - NERC
CIP-014 - Home - FRCC Home & CIP-006 Threat Vulnerability ... (reference NERC CIP-014, page 9) NERC Visit •NERC SRP and NERC Physical Security Group representative and FRCC team
Top 10 NERC CIP Transition Challenges
NERC CIP Compliance Program Design, Implementation · PDF fileNERC CIP Compliance Program Design, Implementation & Controls, and Metrics & ... Ms. Rayo is a NERC CIP Compliance Program
Structured NERC CIP Process Improvement Using Six Sigma
NERC CIP Compliance Application - Midwest Reliability Organization
Meeting NERC CIP Access Control Standards - CyberLock · PDF fileObjective If you are involved in the physical security requirements needed for NERC CIP compliance this webinar is
109745672 NERC CIP Compliance Matrix ROS ... - Siemens · PDF fileWarranty and Liability NERC CIP Compliance Matrix of RUGGEDCOM ROS Operating System Entry-ID: 109745672, 1.0, 03/2017
NERC CIP V5 Standards Position Unidirectional Security ... · PDF fileinfrastructures. The NERC CIP V5 standards are designed specifically to enhance the reliability of the Bulk Electric
Comment Report - NERC 201602 Modifications to CIP... · Comment Report Project Name: 2016-02 Modifications to CIP Standards | Virtualization Updates for CIP-004, CIP-005, CIP-006,
NERC CIPC Chair Report Highlights... · NERC presented draft RSAWs for CIP -002, CIP -007, and CIP -009 to the ... Part 2.5 – Cyber Security Incident response plan(s) Part 2.6 –
NERC CIP Services & Solutions - Honeywell Process · PDF fileFEATURES & BENEFITS • Expertise in the interpretation and application of the NERC CIP Reliability Standards • Largest
NERC CIP Information Protection - StarChapter...NERC CIP Information Protection 1 Eric Ruskamp Manager, Regulatory Compliance September 13, 2017 Agenda NERC History NERC Compliance
ABB NERC CIP · PDF file · 2015-05-25abb nerc cip v5 special interest group low asset discussion and future cip versions & compliance activity november 5, 2014
Rapid7 NERC-CIP Compliance Guide
NERC CIP · 2 days ago · SANS ICS | sans.org/ ics Critical Infrastructure Protection CIP Best Of
WhitePaper_MPLS and NERC CIP Compliance BellLab
NERC CIP v6 Continuous Compliance with Tufin Orchestration ... · Tufin Orchestration Suite enables NERC CIP V6 compliance by providing enterprises responsible for BES networks with
Virtualization and NERC-CIP - UTC
NERC CIP Compliance
NERC CIP Version 5 Compliance | Simpli˜ed · PDF fileNERC Compliance CIP & 693 Solution NERC CIP Version 5 Compliance | Simpli˜ed. Meeting NERC CIP v5 Head On The CIP version 5 standards
Software Supply Chain Risks and Mitigations for NERC CIP
VMware Product Applicability Guide for NERC CIP v5
Successful NERC CIP Compliance - Robert Hoopes, PPL Corporation
nerc cip u - Broadcom Inc. › ... › ESM › NERC › nerc_cip_win.pdfBaseline Policy Manual for NERC CIP(Windows) The software that is described in this document is furnished under
NERC CIP Vulnerability Assessment Report - SAINT · PDF file · 2016-10-27NERC CIP Vulnerability Assessment Report Report Generated: November 14, 2011 1.0 Background NERC introduced