Lessons Learned For NERC CIPv5 Compliance & Configuration Change Management

Mark Prince, Entergy
Tim Erlin, Tripwire
Karl Perman, EnergySec

Logistics

• Panelist discussion followed by questions and answers
• All lines other than panelists will be muted
• Questions via chat function
• Audio and slides will be posted within 72 hours

It’s Interactive

Please submit your questions through the control panel to get answers LIVE from our panelists.

Introductions

Mark Prince
Manager OT Fossil

Tim Erlin
Director, IT Security and Risk Strategist
@terlin

Karl Perman
VP, Member Services
@EnergySec

NERC CIP V5 Pain Points

• Asset Identification and Categorization
• Change Approval Process
• Configuration Management
• Compliance Management
• Baseline Configuration
• Patching
• Malware Prevention and Detection
• Access Management
• Information Protection
• Evidence of Compliance
• Many manual processes

© 2015 Energy Sector Security Consortium, Inc.

General Change Management Process

• Develop baseline configurations
• Authorize and document changes to baselines
• Update baselines within 30 days
• Verify security controls
• Pre-change Testing
  – High Impact BCS
• Configuration Monitoring
  – High Impact BCS, EACMS, and PCA

Configuration Change Management Pain Points

• Number and variety of devices
• Every time, every change
  – No exceptional circumstances exemption
• Identify security controls affected by the change
  – CIP-005 and CIP-007
• High Impact needs to have “Double Test”
  – Once before change, once after change
• Automated system vs. manual process

Evidence

• What needs to be maintained
• Maintain Documentation
• Storage
• Automated work flows or manual processes

How did you come into this CIPv5 project?

What was your vendor selection process for CIPv5 compliance technologies?

What’s the architecture of the environment you’re addressing?

Entergy Fossil Generation

Lessons Learned

1. Data diodes and centralized reporting are not mutually exclusive.
2. Your budget cycle does not match your audit cycle.
3. Consistency creates efficiency.

Tripwire’s NERC Solution Suite

Tripwire helps meet 20 of 32 CIP requirements

Tripwire’s NERC CIP Solution

70% of the Top Electrical Utilities in the U.S. use Tripwire

NERC Alliance Network

Beyond Compliance to Cybersecurity

Securing Critical Infrastructure

Critical Infrastructure is Evolving… to a more connected energy supply

Tripwire Can Help

New connections bring new challenges and new threats

Q & A
