How to Integrate NERC CIP Requirements in an

advertisement
How to Integrate NERC CIP Requirements in an
Ongoing Automation and Integration Project
Jacques Benoit, Cooper Power Systems Inc.
jacques.benoit@cybectec.com
Robert O’Reilly, Cooper Power Systems Inc.
robert.oreilly@cybectec.com
Outline
ƒ
ƒ
ƒ
ƒ
ƒ
Introduction
NERC CIP calendar
The challenges
The project
Implementing NERC CIP requirements
NERC CIP calendar
ƒ Depends on Responsible Entity
ƒ Typically –
•
•
•
•
End of 2nd Qtr 2007 – Begin work
End of 2nd Qtr 2008 – Substantially compliant
End of 2nd Qtr 2009 – Compliant
End of 2nd Qtr 2010 – Auditably compliant
Challenges to project engineer
ƒ Organizational – it is a cross-departmental effort
ƒ Minimize impact on current projects
• Deadlines
• Do more with same budget
ƒ Evaluate impact on previous projects
ƒ Define strategy for future projects
To begin – Reduce the scope of the project
ƒ These standards can be considered to be
outside the project scope –
•
•
•
•
CIP-001 Sabotage Reporting
CIP-007 Physical Security (partially)
CIP-008 Incident Reporting and Response Planning
CIP-009 Recovery Plans for Critical Cyber Assets
Complying with NERC
ƒ From the beginning –
• Address NERC committee’s concerns
• Plan for auditability
• Plan to perform audit during FAT
ƒ Security is a strong as the weakest link – NERC
defines only minimum security!
The substation modernization project
ƒ
ƒ
ƒ
ƒ
ƒ
15-years old
New equipment
Legacy equipment
Operation must not be interrupted
CIP compliance is now mandatory
A Typical Legacy Substation
The project goals
ƒ Provide SCADA with access to operational data
produced by the IEDs
ƒ Provide other control centers with access to data
ƒ Provide remote access to the IEDs –
• To retrieve event (non-operational) data
• To retrieve/change device settings
Proposed substation architecture
Evaluating the architecture
ƒ IT provides a network infrastructure that performs as an
electronic perimeter –
• Firewall blocks unused ports
• Router ensures the authenticity of both ends
• VPN ensures secure data exchange between substation LAN
and control center LAN
ƒ The solution provides real-time data to SCADA in a
substantially NERC CIP compliant manner
Shortcomings
ƒ Remote access for maintenance and event retrieval is not
authenticated, monitored and logged – as required by
NERC CIP
ƒ There is no provision for data distribution –
• Devices do not support simultaneous client connections
ƒ Protocol issues are exported to the client systems
An alternative substation architecture
FRAD/WAN Access Point
Gateway
From Serial
Devices
832
009
714
To Gateway
832
009
714
Power
metering
To Gateway
Power
metering
Transformer
Data & Alarming
Transformer
Data & Alarming
RTU/PLC
To Gateway
To Gateway
To Gateway
Overcurrent
Overcurrent
Overcurrent
To Gateway
Bus coupler
Bus protection
Overload
Overload
Overload
Overcurrent Relay
Advanced protection relay with:
- Frequency
- Voltage
- Fault indication
Differential
Reclosure
832
009
714
Metering
To Gateway
Reclosure
832
009
714
Distance
Metering
Distance
Transformer
Data & Alarming
832
009
714
To Gateway
To Gateway
Metering
Using a substation gateway
ƒ The use of a gateway device can now be considered an
industry best practice –
•
•
•
•
Concentrates device data and reduces bandwidth utilization
Supports protocol conversion locally
Supports connections to multiple control centers
Acts as a serial port switch to provide access to device
maintenance ports
• Provides additional services – modem support, automation
functions, time synchronization, security, etc.
The gateway as an electronic perimeter
ƒ Modern gateway devices also perform as an
electronic perimeter –
•
•
•
•
Local and/or global authentication
Firewall
VPN
Logging and monitoring
ƒ The gateway can thus be used to implement
secure remote connections for maintenance and
engineering
Securing remote device access
SCADA / EMS / OMS
PROTECTION
`
ENGINEERING
`
`
WAN
GATEWAY
RTU
PROTECTION
RELAY
The gateway device
connects to a corporate
server for centralized
authentication
The gateway device can
provide local authentication,
access logging and
monitoring services
MONITORING
DEVICE
An alternative method to secure engineering and
maintenance access
`
`
`
WAN
GATEWAY
An enterprise-level
application provides
authentication, access
logging, and monitoring
services
Some issues
ƒ IT and process networks are designed with
fundamentally different requirements
• Network availability
> For data communications
> For authentication
• Operational procedures
> Account lockout
> Access permissions
Project Review
ƒ Asset identification
ƒ Critical cyber asset identification
ƒ Access requirements
•
•
•
•
Users
Groups
Devices
Tasks to perform
Asset identification
ƒ For each device in the substation –
•
•
•
•
•
•
•
ID
Location
Type
Manufacturer
Model
Serial Number
Manager
Access requirements
ƒ Establish permissions per user, per device –
•
•
•
•
•
•
•
•
•
Security management
System management
Read configuration
Modify configuration
Run diagnostics
Passthrough
Monitor
Operate
Modem access
Help from Other Groups
ƒ Management and operations
• Define access control
ƒ Human resources
• Personnel risk assessment
ƒ IT
• Deploy authentication servers and remote access
servers
• Implement access policies
• Implement two-factor authentication
Change Control
Identify, control and document all entity or
vendor related changes to hardware and
software components
ƒ Part of the standard project documentation
process
ƒ If required, commercial and open source
solutions are available for managing document
and file change history
Security Patches and Malware
“Updates are available”
ƒ Solutions based on popular operating systems need more
frequent security updates
ƒ Standard transmission vectors should be blocked – remap
ports if possible
ƒ Enterprise-wide solutions are available and already
managed by IT
• System availability issues
• Documentation, testing and history required
Security Status Monitoring
Implement automated tools or organizational process
controls to monitor system events that are related to cyber
security.
ƒ Intrusion detection systems
ƒ Protocol firewalls
ƒ Data points to report gateway operational and security
status
ƒ Standard reporting and logging solutions SNMP, SYSLOG,
etc.
Testing
ƒ
ƒ
ƒ
ƒ
Final engineering phase
Prepare framework with vendors and integrators
Change default settings and passwords
Check ports and services – IT can provide
automated solutions, NESSUS, CS2SAT
(Control System Cyber Security SelfAssessment Tool), etc.
Conclusion
ƒ NERC CIP compliance is an interdepartmental
effort
ƒ Technology is but a limited part of the effort
ƒ Most of the required reports are natural
extensions of the engineering process
ƒ Compliance will result in a more reliable
infrastructure
References
ƒ
National Institute of Standards and Technology
•
•
•
•
•
•
•
•
•
SP800-12 An Introduction to Computer Security: The NIST Handbook for Security
SP800-26 Rev.1 Guide for information Security Assessment and System Reporting
Form
SP800-80 Guide for Developing Performance Metrics for Information Security
SP800-82 Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial
Control Systems Security
SP800-83 Guide to Malware Incident Prevention and Handling
SP800-92 Guide to Computer Security Log Management
SP800-95 Guide to Secure Web Services
P800-100 Information Security Handbook: A Guide for Managers
NISTR 6885-2004 Automated Security Self-Evaluation tool user Manual
References
ƒ
North American Electric Reliability Corporation
Critical Infrastructure Protection
http://www.nerc.com/~filez/standards/Cyber-Security-Permanent.html
• CIP-001
Sabotage Reporting
• CIP-002
Critical Cyber Assets
• CIP-003
Security Management Controls
• CIP-004
Personnel & Training
• CIP-005
Electronic Security
• CIP-006
Physical Security
• CIP-007
Systems Security Management
• CIP-008
Incident Reporting and Response Planning
• CIP-009
Recovery Plans
References
ƒ CYBERSECURITY for SCADA Systems, by William T.
Shaw, PhD, CISP, PennWell 2006
ƒ ANSI/ISA-TR99.00.02-2004 “Integrating Electronic
Security into the Manufacturing and Control Systems
Environment”
ƒ AGA Report #12 “Cryptographic Protection of SCADA
Communications –General Recommendations.
ƒ Control System Cyber Security Self-Assessment tool,
http://www.us-cert.gov/control_systems/pdf/CS2SAT.pdf
Download