"... the ability to reduce the time to true incident identification to a number that is measured in seconds, versus minutes, hours or even longer"
— Rocky DeStefano, CEO, Decurity
NERC cyber security standard


NEW! Watch the SANS Webcast on Critical Infrastructure Security

NEW! New Whitepapers —

Control System Security - Threat Detection & Management in the Critical Infrastructure

Securing a Smarter Grid - Power Utility Security

Meeting NERC-CIP Compliance

North American Electric Reliability Corporation (NERC) Cyber Security Standard

The North American Electric Reliability Corporation, or NERC, is a not-for-profit organization whose mission is to "ensure the reliability of the bulk power system in North America." This is accomplished in part by the development and enforcement of reliability standards. NERC is a self-regulatory organization, subject to oversight by the U.S. Federal Energy Regulatory Commission and governmental authorities in Canada.

The NERC Critical Infrastructure Protection (CIP) standards consist of several individual standards, many of which directly or indirectly require adequate information security monitoring and reporting. Of note are:


CIP-002

Critical Asset Information

At a minimum, most organizations will have a control center and a backup control center that qualify as Critical Assets. The cyber assets that provide the data and information driving the decisions made in the control room are Critical Cyber Assets. Because of today's complex control room environment, many systems are involved in supporting control room activities. NitroView DBM detects data assets, reporting where certain types of data reside and logging activity against them. NitroView ESM is able to discover physical device assets such as hosts, routers and other network devices.


CIP-003

Security Management

CIP-003 applies to personnel and the role of managers in terms of security and compliance responsibilities. NitroView ESM can help here through role-based authenticated access, which controls which devices and data managed by NitroView ESM are made available at the user or organizational level. This extends to CIP-003 R4 and R5, which dictate the protection of information and control over information access. When dealing with data assets, NitroView DBM can also help by alerting the "Responsible Entity" to information access that falls outside established roles and policies.


CIP-004

Personnel & Training

While personnel and training requirements are mostly outside the influence of any security appliance, CIP-004 R4 requires "a list of all personnel granted access to critical cyber assets, including the specific electronic and physical access rights to the security perimeter(s)," for a period of 7 years. A log management facility such as NitroView ELM, used in conjunction with a SIEM (NitroView ESM) or database monitor (NitroView DBM) that logs user and access information, can provide this list.


CIP-005

Electronic Security Perimeters

CIP-005 requires that critical cyber assets be identified and their location within the network be known: NitroView DBM can detect critical information by looking for specific types of data within databases, and NitroView ESM includes asset management that can discover the entire network, mapping all devices to determine their specific location within it. The remainder of CIP-005 involves monitoring and access control, which can be provided directly by NitroGuard IPS or NitroView DBM, or indirectly through the collection and analysis of router logs and the relevant ACLs.

CIP-005 also includes a requirement (R4) for vulnerability assessment. NitroView ESM is able to map results from a VA scan to events concerning critical cyber assets.


CIP-006

Physical Security

Many physical security systems include network-based activity notification. If this is done via syslog, NitroView ESM can collect this information for analysis along with other security event data.
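The two requirements above, CIP-004 R4 (a list of personnel with their electronic and physical access rights) and CIP-006 (physical access events arriving over syslog), can be served by one piece of detection logic: parse successful logins to critical cyber assets and GRANTED badge events for the identified perimeters, then aggregate them per person. The block below is an added example written for this page, not NitroView code; the log formats, host names, door names and users are constructed for illustration.

```python
"""Constructed example: derive a CIP-004 R4 style access list from two log feeds.

Feeds (both constructed, formats assumed for this example):
  - electronic access: sshd syslog lines from critical cyber assets
  - physical access: badge-reader events a PACS forwards over syslog
The result maps each person to the hosts and doors they actually accessed.
"""
import re
from collections import defaultdict

# Constructed sample syslog lines.
ELECTRONIC_LOG = """\
Mar 03 08:12:01 ems-hist01 sshd[2211]: Accepted publickey for jdoe from 10.1.5.20 port 51022 ssh2
Mar 03 08:15:44 ems-hist01 sshd[2230]: Failed password for root from 10.1.5.99 port 40011 ssh2
Mar 03 09:02:10 scada-hmi02 sshd[118]: Accepted password for msmith from 10.1.5.21 port 50233 ssh2
Mar 03 09:30:00 ems-hist01 sshd[2301]: Accepted publickey for jdoe from 10.1.5.20 port 51100 ssh2
"""

PHYSICAL_LOG = """\
Mar 03 07:58:12 pacs01 badge: GRANTED card=10442 user=jdoe door=CTRL-ROOM-A
Mar 03 08:01:33 pacs01 badge: DENIED card=20999 user=tlee door=CTRL-ROOM-A
Mar 03 08:55:09 pacs01 badge: GRANTED card=10877 user=msmith door=BACKUP-CC
"""

# Constructed inventory: hosts inside the electronic perimeter (CIP-002 output)
# and doors that form the physical perimeter (CIP-006 scope).
CRITICAL_CYBER_ASSETS = {"ems-hist01", "scada-hmi02"}
PHYSICAL_PERIMETERS = {"CTRL-ROOM-A", "BACKUP-CC"}

ELECTRONIC_RE = re.compile(
    r"^\w{3} \d\d \d\d:\d\d:\d\d (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)"
)
PHYSICAL_RE = re.compile(
    r"^\w{3} \d\d \d\d:\d\d:\d\d \S+ badge: (?P<result>GRANTED|DENIED) "
    r"card=\d+ user=(?P<user>\S+) door=(?P<door>\S+)"
)


def build_access_list(electronic_log, physical_log):
    """Return {user: {"electronic": set(hosts), "physical": set(doors)}}.

    Only successful access to hosts and doors inside the declared perimeters
    is recorded. Failed logins and denied badges are deliberately left out:
    they belong to CIP-007 R6 status monitoring, not to the access list.
    """
    access = defaultdict(lambda: {"electronic": set(), "physical": set()})
    for line in electronic_log.splitlines():
        m = ELECTRONIC_RE.match(line)
        if m and m.group("host") in CRITICAL_CYBER_ASSETS:
            access[m.group("user")]["electronic"].add(m.group("host"))
    for line in physical_log.splitlines():
        m = PHYSICAL_RE.match(line)
        if (m and m.group("result") == "GRANTED"
                and m.group("door") in PHYSICAL_PERIMETERS):
            access[m.group("user")]["physical"].add(m.group("door"))
    return dict(access)


if __name__ == "__main__":
    for user, rights in sorted(build_access_list(ELECTRONIC_LOG, PHYSICAL_LOG).items()):
        print(user, sorted(rights["electronic"]), sorted(rights["physical"]))
```

Because the list is built only from events inside the declared perimeters, a host or door missing from the inventory silently drops out of the report; keep the CIP-002 asset list and the perimeter list under the same change control as the log sources.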


CIP-007

Systems Security Management

R3 (security patch management) -- NitroView ESM uses active fingerprinting of detected hosts and servers to provide OS type, OS patch level, open ports and services, and other asset information. For critical cyber assets such as database servers, NitroView DBM can provide even more information about the system and the activity within it.

R4 (malicious software protection) -- NitroGuard IPS provides direct protection against viruses, trojans, and other forms of malware.

R6 (security status monitoring) -- NitroView ESM provides central monitoring, reporting, analysis, and even the management of protective devices and policies such as NitroGuard IPS and NitroView DBM.

R8 (cyber vulnerability assessment) -- NitroView ESM accepts data from most VA scanners, and indicates which critical assets are susceptible to observed activity.
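CIP-005 R4 and CIP-007 R8 both come down to the same SIEM operation: take the scanner's findings, take the critical cyber asset inventory, and flag only those observed events that reach a port on a critical asset where the scan reported an open finding. The block below is an added example of that correlation, written for this page and not NitroView code; the asset inventory, scan findings and IDS events are constructed, and the finding ids are placeholders rather than real scanner plugin ids.

```python
"""Constructed example: correlate VA scan findings with observed events
against critical cyber assets (CIP-005 R4 / CIP-007 R8). Not NitroView code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    proto: str
    finding_id: str   # placeholder ids below, not real scanner plugin ids


@dataclass(frozen=True)
class Event:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    signature: str


# Constructed CIP-002 inventory: IP -> critical cyber asset name.
CRITICAL_ASSETS = {"10.1.5.10": "ems-hist01", "10.1.5.11": "scada-hmi02"}

# Constructed VA scan results. The last one is on a non-critical host.
SCAN = [
    Finding("10.1.5.10", 1433, "tcp", "CHECK-0001"),
    Finding("10.1.5.11", 445, "tcp", "CHECK-0002"),
    Finding("10.1.9.50", 445, "tcp", "CHECK-0002"),
]

# Constructed IDS/firewall events from one scanning source.
EVENTS = [
    Event("08:12:01", "10.1.7.4", "10.1.5.10", 1433, "tcp", "probe-sql"),
    Event("08:12:05", "10.1.7.4", "10.1.5.10", 22, "tcp", "probe-ssh"),
    Event("08:13:00", "10.1.7.4", "10.1.9.50", 445, "tcp", "probe-smb"),
    Event("08:14:20", "10.1.7.4", "10.1.5.11", 445, "tcp", "probe-smb"),
]


def index_findings(scan):
    """Map (host, port, proto) -> set of finding ids for constant-time lookup."""
    idx = {}
    for f in scan:
        idx.setdefault((f.host, f.port, f.proto), set()).add(f.finding_id)
    return idx


def correlate(events, scan, critical_assets):
    """Return [(event, asset_name, finding_ids)] for events that reach an open
    finding on a critical cyber asset.

    Events to non-critical hosts, or to ports on a critical asset with no
    finding, are not returned; they stay in the ordinary event stream.
    """
    idx = index_findings(scan)
    hits = []
    for ev in events:
        name = critical_assets.get(ev.dst)
        if name is None:
            continue
        ids = idx.get((ev.dst, ev.dport, ev.proto))
        if ids:
            hits.append((ev, name, sorted(ids)))
    return hits


if __name__ == "__main__":
    for ev, name, ids in correlate(EVENTS, SCAN, CRITICAL_ASSETS):
        print(f"{ev.ts} {ev.src} -> {name}:{ev.dport}/{ev.proto} "
              f"{ev.signature} susceptible via {', '.join(ids)}")
```

The scan index is keyed on protocol as well as port so that a UDP finding is not matched by a TCP event on the same port number; a scan that omits the protocol needs to be normalized before it is indexed, or every such finding matches both.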


CIP-008

Incident Reporting & Response Planning

NitroView is able to produce and distribute NERC reports based primarily on CIP-007. NitroView ESM also supports incident response by maintaining the required three years of collected data in a form that allows real-time analysis. This supports R1, which requires that incident reporting comply with the NIPC's IAW (Indications, Analysis and Warnings) Standard Operating Procedure (SOP). NitroView is able to distribute NERC reports in accordance with the IAW information sharing requirements.