The United States Department of Homeland Security has written the National Infrastructure Protection Plan (NIPP) in accordance with Homeland Security Presidential Directive 7 (HSPD-7). This includes identifying Critical Infrastructure and Key Resources (CI/KR).
The Critical Infrastructure is the managed network of electronic security systems and devices providing security functions and services in accordance with a risk assessment strategy as defined by the Presidential Decision Directive 63 (PDD-63) and Executive Order 13328.
These CI/KRs include: Energy; Chemical; Banking and Finance; Drinking Water and Water Treatment Systems; Dams; Postal and Shipping; Agriculture and Food; Defense Systems; Public Health and Healthcare; National Monuments; Transportation Systems; Commercial Facilities; and Commercial Nuclear Reactors, Materials and Waste.
Although each of these critical infrastructures is vastly different, they all have one thing in common. They are all dependent on control systems used to monitor and control their vital processes.
Several of these critical infrastructure sectors have issued standards or guidelines for configuring and managing the security of Industrial Automation and Control Systems. These include the energy sector, which has issued the Critical Infrastructure Protection (CIP) standards through the North American Electric Reliability Corporation (NERC). These standards are referred to as NERC-CIP and provide auditable standards and practices that owner-operators must have in place to protect power generation and distribution systems.
~ GAO-04-354 Cyber security of Control Systems
Mission: To advance the physical and cyber security of critical infrastructures in North America by establishing and maintaining a framework of valuable interactions between and among ISACs and government. DHS recommends that each of the 18 critical infrastructure sectors maintain an ISAC as an information-sharing hub.
NERC doubles as the Electricity Sector Information Sharing and Analysis Center (ES-ISAC). In this role, NERC develops best practices for security guidelines, identifies common areas for improvement, and helps develop audit readiness for compliance guidelines.
NERC is overseen by the Federal Energy Regulatory Commission (FERC). FERC has approved a set of sector-wide cyber security reliability standards drafted by NERC, covering issues including asset identification, controls, training, incident reporting, and recovery. While the standards carry heavy fines for noncompliance, they illustrate the speed of regulation relative to cyber threats: the standards took three years to draft and will not be fully enforceable until December 2010.
The NERC CIP (Critical Infrastructure Protection) standards comprise eight specific standards, each of which is mandatory for electric power and utility companies and must be completed within very specific timeframes over a predefined multi-year implementation schedule. Those eight standards are:
The purpose of the NERC CIP standards is to ensure that all of the affected electric utilities, which are responsible for the consistent and continued reliability of the US electrical grid, are properly protecting their critical cyber assets.
NERC, like many compliance standards, requires Incident Response Planning and rapid response to events. NitroSecurity's performance advantages enable utility companies to drastically reduce response times through faster analysis of larger sets of relevant security information.
As the migration to IP-based systems continues to grow, it permeates areas such as industrial control systems that formerly used proprietary network technologies. Besides being proprietary, these systems were also not connected to the outside world. The transition to IP-based networking brings risks such as opportunities for interconnection of formerly isolated networks with non-industrial control system networks. The US Government Accountability Office (GAO) has described a dramatic new escalation in security risks to industrial control systems, citing four areas of concern:
As shown in the diagram below, these control system networks have become interconnected with typical network topologies as well as accessible via the internet. This contributes to the risk of cyber attacks in these control system networks.
CIP-002 requires the identification and documentation of Critical Assets and Critical Cyber Assets. These assets are identified using a risk-based analysis. The Critical Assets include Distributed Control Systems (DCS), SCADA systems, HMI systems, transmission substations, PLCs and related assets identified as critical to the operation and delivery of the Bulk Electric System. The cyber assets that provide the data and information driving the decisions made in the control room are the Critical Cyber Assets. Because of today's complex control room environment, many systems are involved in supporting control room activities. NitroView DBM detects data assets, notifying where certain types of data reside, and logging activity. NitroView ESM is able to perform a discovery of physical device assets, such as hosts, routers, etc.
CIP-003 applies to personnel and the role of managers in terms of security and compliance responsibilities.
The Responsible Entity shall document and implement a program for managing access to protected Critical Cyber Asset information. CIP-003 R5.1 states that the Responsible Entity shall maintain a list of designated personnel who are responsible for authorizing logical or physical access to protected information.
NitroView ESM can help here through the use of role-based authenticated access, which controls which devices and data managed by NitroView ESM are made available at the user or organizational level. This extends to CIP-003 R4 and R5, which dictate the protection of information and control over information access. When dealing with data assets, NitroView DBM can also help by alerting the "Responsible Entity" to information access outside of established roles and policies.
CIP-004 requires that personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets, including contractors and service vendors, have an appropriate level of personnel risk assessment, training, and security awareness. While personnel and training requirements are mostly outside the influence of any security appliance, CIP-004 R4 requires "a list of all personnel granted access to critical cyber assets, including the specific electronic and physical access rights to the security perimeter(s)," retained for a period of 7 years. A log management facility such as NitroView ELM, when used in conjunction with a SIEM or Database Monitor that logs user and access information, can provide this list.
CIP-005 requires the identification and location of critical cyber assets: NitroView DBM can detect critical information by looking for specific types of data within databases. NitroView ESM includes asset management, and can discover the entire network, mapping all devices to determine specific location within the network. The remainder of CIP-005 involves monitoring and access control, which can be provided through direct monitoring and access control via NitroGuard IPS or NitroView DBM, or indirectly through the collection and analysis of router logs and relevant ACLs.
CIP-005 also includes a requirement (R4) for vulnerability assessment. NitroView ESM is able to map results from a VA scan to events concerning critical cyber assets.
CIP-006 states that the Responsible Entity shall create and maintain a physical security plan, approved by a senior manager or delegate(s). CIP-006 R1.2 includes processes to identify all access points through each Physical Security Perimeter and measures to control entry at those access points. CIP-006 R4 covers logging of physical access, including electronic logs produced by these systems.
Many physical security systems include network-based activity notification. If this is done via syslog, NitroView ESM can collect this information for analysis along with other security event data.
CIP-007 R3 states that the responsible entity shall establish and document a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all Cyber Assets within the Electronic Security Perimeter(s).
NitroView ESM uses active fingerprinting of detected hosts and servers to provide information such as OS type, OS patch level, ports / services information and other asset information. For critical cyber assets such as database servers, NitroView DBM can provide even more information about the system, and activity within that system.
CIP-008 covers incident record-keeping and reporting. This requirement mandates the documentation and archival of Cyber Security Incidents, including the ability of the reporting entity or auditor to investigate reports up to 3 years old. Cyber Security Incidents must be investigated, so a ticketing control process should be implemented.
NitroView is able to produce and distribute NERC reports based primarily on CIP-007. NitroView ESM also supports incident response by offering a system capable of maintaining the required three years of collected data in a form that allows for real-time analysis. This supports R1, which states that incident handling must comply with the requirements of the NIPC's IAW (Indications, Analysis and Warnings) Standard Operating Procedure (SOP). NitroView is able to distribute NERC reports in accordance with IAW information sharing requirements.
Control systems are computer-based systems that are used by many infrastructures and industries to monitor and control sensitive processes and physical functions. Typically, control systems collect sensor measurements and operational data from the field, process and display this information, and relay control commands to local or remote equipment. There are two primary types of control systems. Distributed Control Systems (DCS) typically are used within a single processing or generating plant or over a small geographic area. Supervisory Control and Data Acquisition (SCADA) systems typically are used for large, geographically dispersed distribution operations.
Supervisory Control and Data Acquisition systems are large-scale, industrial control and measurement systems that consist of a central host, one or more remote units, a communications network, and specialized software. In the past SCADA data was limited to the SCADA system's consoles (HMI).
NitroSecurity supports SCADA rules within the NitroView product in accordance with IEC 870-6, IEC 60870-6 and IEEE Std C37.1. Integration of SCADA support within the NitroView application allows our customers to leverage their investment in the SCADA infrastructure to improve control system and security management.
NitroSecurity SCADA variables include:
The NitroView user can edit these variables to identify the SCADA server IP and description and inherit the SCADA rules (included in the default policy when deployed). SCADA rules within the system identify events such as a 'Cold restart from an unauthorized user', a SCADA control system application that has been 'stopped', and an unauthorized read request to a PLC. PLCs (programmable logic controllers) are the control hubs for a wide variety of SCADA systems and processes. The unauthorized read request rule detects an attempt by an unauthorized client to read data from the PLC. Another SCADA rule within NitroView, 'unauthorized association request', detects an attempt by an attacker to initiate an association request with other SCADA system devices. Many other SCADA rules are included in NitroView.
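To show concretely the kind of check these rules perform, here is an added Python example (not NitroSecurity's code) that applies a deny-by-default allowlist policy to constructed SCADA event records: a read request against a PLC from a client not authorized for it, an association request from a source not on the device's peer list, a cold restart by a user outside the operator group, and a stopped control application each raise an alert. The log format, field names, device names and policy values are all assumptions made for the example.

```python
# Assumed policy (constructed for this example): clients allowed to read each
# PLC, peers allowed to associate with each device, and the operator accounts
# allowed to issue a cold restart. Anything not listed is denied by default.
POLICY = {
    "read_clients": {"plc-01": {"10.1.1.10", "10.1.1.11"}, "plc-02": {"10.1.1.10"}},
    "assoc_peers": {"rtu-07": {"10.1.1.10"}},
    "restart_users": {"op_jones", "op_smith"},
}

def parse_event(line):
    """Parse one constructed 'key=value ...' SCADA event line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())

def evaluate(event, policy=POLICY):
    """Return (rule name, actor, target) if the event violates policy, else None."""
    kind, src, dst = event.get("event"), event.get("src", "?"), event.get("dst", "?")
    if kind == "read_request":
        if src not in policy["read_clients"].get(dst, set()):
            return ("unauthorized PLC read request", src, dst)
    elif kind == "assoc_request":
        if src not in policy["assoc_peers"].get(dst, set()):
            return ("unauthorized association request", src, dst)
    elif kind == "cold_restart":
        user = event.get("user", "?")
        if user not in policy["restart_users"]:
            return ("cold restart from unauthorized user", user, dst)
    elif kind == "app_stopped":
        # Any stop of a control application is reported; whether it was
        # planned is for the operator to confirm against change records.
        return ("SCADA control application stopped", src, dst)
    return None

def run(lines):
    """Evaluate every line and keep only the alerts, in log order."""
    return [a for a in (evaluate(parse_event(l)) for l in lines) if a]

# Constructed sample events: line 1 is authorized, the rest each trip one rule.
SAMPLE_LOG = [
    "ts=1 event=read_request src=10.1.1.10 dst=plc-01",
    "ts=2 event=read_request src=10.9.9.9 dst=plc-01",
    "ts=3 event=assoc_request src=10.9.9.9 dst=rtu-07",
    "ts=4 event=cold_restart src=10.1.1.11 dst=plc-02 user=guest",
    "ts=5 event=app_stopped src=10.1.1.10 dst=hmi-01",
]

if __name__ == "__main__":
    for rule, actor, target in run(SAMPLE_LOG):
        print(f"ALERT: {rule} (actor={actor}, target={target})")
```

A read against a PLC that is absent from the policy entirely is also flagged, since the lookup falls through to an empty allowlist.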
Critical infrastructures that rely on SCADA systems and processes recommend that security applications support FIPS 140-2 cryptographic module certification. NitroSecurity has FIPS 140-2 Level 2 certification and adheres to other standards such as IEEE C37.

The new North American Electric Reliability Corp. (NERC) Critical Infrastructure Protection (CIP) standards, which have been given the force of law by the Federal Energy Regulatory Commission (FERC), are extensive and are backed by audits that can be enforced with fines of up to $1 million per day for utilities found out of compliance.
Since this expanse of regulation is new in the utility industry, many utilities are at a loss for how to deal with the new requirements. Many are struggling to establish a direction or are taking a "wait and see" attitude until there is more clarity around the still-evolving regulations. Many companies that serve the industry are stepping up to supply solutions.
NitroSecurity is well positioned to take the lead in serving entities that must adhere to NERC compliance by quickly and accurately delivering security-relevant information to those responsible for ensuring that their critical infrastructures are secure.