Cyber Security A Program to Meet NERC CIP Requirements May 17, 2010 Rick Dakin Coalfire systems CEO and Co-founder

Cyber Security: A Program to Meet NERC CIP Requirements

May 17, 2010

Rick Dakin, Coalfire Systems, CEO and Co-founder

Agenda

The fastest 30 minutes in cyber security history
• Introductions
• The Threat
• NERC CIP Requirements
• CIP Program Rollout
• Cyber Security Program Strategy
• Questions

Coalfire Overview


Clients include Fortune 100, retail, government, education, financial, healthcare, and utilities

Offices in Denver, Seattle, NYC, Dallas and San Diego, with over 40 full-time IT auditors

Security, governance, compliance management, Audit – GLBA, SOX, PCI, HIPAA, SAS 70 & NERC CIP

Application security: PA-DSS certification, code audits, penetration testing, SDL development

Solutions: policy development, data classification, control management, incident response, etc.

Practice areas: risk and vulnerability assessment, e-discovery and forensic analysis

IT Audit and Compliance Management


Regulatory Backdrop


1970-1980

1980-1990: Computer Security Act of 1987

1990-2000: EU Data Protection, HIPAA, FDA 21 CFR Part 11, C6-Canada, GLBA

2000 to Present: COPPA, USA Patriot Act 2001, EC Data Privacy Directive, CLERP 9, CAN-SPAM Act, FISMA, Sarbanes Oxley (SOX), CIPA 2002, Basel II, NERC CIP, HITECH, Payment Card Industry (PCI), California Individual Privacy SB1386, Other State Privacy Laws

Regulatory Environment is a New Challenge for IT Professionals

Why Protect Infrastructure?


Strategic Barriers

'Smart Grid' may be vulnerable to hackers
By Jeanne Meserve, CNN Homeland Security Correspondent. UPDATED: 08:44 PM EDT 03.21.09

WASHINGTON (CNN) Is it really so smart to forge ahead with the high technology, digitally based electricity distribution and transmission system known as the "Smart Grid"? Tests have shown that a hacker can break into the system, and cyber security experts said a massive blackout could result.

Until the United States eliminates the Smart Grid's vulnerabilities, some experts said, deployment should proceed slowly.

"I think we are putting the cart before the horse here to get this stuff rolled out very fast," said Ed Skoudis, a co-founder of InGuardians, a network security research and consulting firm.

Trends – The Risk is Growing

• Cyber attacks are increasing
• The deployment of IP networks in critical infrastructure is growing
• Legacy systems deployed in critical systems only change every 5 – 12 years ... and were never designed to be secure
• The workforce is aging and will require re-training to modify processes and controls
• Control vendors are late contributors to cyber security plans. There are no industry standards for secure systems development for Critical Infrastructure

CIP Overview

The North American Reliability Corporation (NERC) Standards CIP-002 through CIP-009 provide a cyber security framework for the identification and protection of Critical Cyber Assets to support reliable operation of the Bulk Electric System. Effective December 2009, most operators must comply with the following requirements.

CIP Requirement   Controls
CIP 002           Cyber Asset Identification
CIP 003           Security Management Controls
CIP 004           Personnel Security and Training
CIP 005           Electronic Security Perimeter
CIP 006           Physical Security
CIP 007           Systems Security Management
CIP 008           Incident Reporting and Response Planning
CIP 009           Recovery Plans for Critical Cyber Assets


CIP Updates

Oversight of cyber security at U.S. commercial nuclear power plants will be divided between the NRC and the NERC

CIP version 2 takes force in April 2010 and increases “strictness”
• Removal of the terms “reasonable business judgment” and “acceptance of risk”
• Training and Personnel Risk Assessments must be performed prior to granting access to authorized personnel
• Delegations must be specifically documented with areas of responsibility and approved by the designated Senior Manager
• Levels of Non-Compliance replaced with Violation Severity Levels and Violation Risk Factors

Future CIP versions look to introduce more alignment with best practice standards such as NIST

Slow Adoption


FERC – Bringing down the Hammer

Budget increase of over $17M to make reliability of the electric transmission grid—and enforcement of NERC Standards—a priority in 2011

Planning for an average of 100 violations each month in 2011

Strong response to NERC Technical Feasibility Exception (TFE) rules including mandate that all mitigating controls are equivalent to strict original control intent

Severely limited any safe harbor absent exceptional circumstances

May 4th, 2010 – Michael Assante resigns as CSO of NERC


Growing the Grid

The Energy Independence and Security Act of 2007 established the Smart Grid program which mandates two-way flow of electricity and information with the end user

NIST IR-7628, Smart Grid Cyber Security Strategy and Requirements, has been drafted and addresses:
• Bottom-up Risk Based Assessment
• Privacy Concerns
• Vulnerability Class Analysis

Takes the threat to the end user: what’s the difference between shutting down the plant or conducting an Energy Denial of Service Attack against the consumer?

CIP Program Approach

Compliance Management Program

Risk Assessment: Asset Inventory, Risk Assessment, Control Selection, Gap Analysis, Remediation Roadmap

Control Design: Define system boundaries, Control Design Documentation, User Testing, Policies, Plans

Deploy and Operate: Guidelines, Control deployment, Control Operation, Operations Monitoring and Reporting, Training

Measure and Report: Program Design, Establish Metrics, Control testing, Develop Compliance Portal, Online Support

21 Steps to Improve Cyber Security

1. Identify all connections to SCADA
2. Disconnect unnecessary connections
3. Strengthen the security of remaining connections
4. Harden SCADA Networks
5. Do not rely on proprietary protocols
6. Implement the security features provided by vendors
7. Establish strong controls over media
8. Implement internal and external intrusion detection systems
9. Perform technical audits of SCADA devices and networks
10. Assess remote sites connected to the SCADA network – Access Controls
11. Identify and evaluate possible attack scenarios
12. Clearly define cyber security roles and responsibilities
13. Document network architecture
14. Establish a risk management process
15. Establish a “defense-in-depth” security program
16. Clearly identify cyber security requirements
17. Establish configuration management processes
18. Conduct routine self-assessments
19. Establish a disaster recovery plan
20. Establish program accountability
21. Establish policies and provide training

Source: The President’s Critical Infrastructure Protection Board

Segment SCADA Network

Top 5 Risk Mitigation Steps

1. Segment SCADA systems (Diagram system boundaries)

2. Test Segmentation of SCADA Systems (Do not rely on proprietary protocols)

3. Restrict Remote Access

4. Contact your System Vendor for Secure Configurations and Operations Guides

5. Develop a good Incident Response Plan
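The first three of the 21 steps (identify every connection to SCADA, disconnect the unnecessary ones, strengthen the rest) and the first three risk mitigation steps above (segment, test the segmentation, restrict remote access) all reduce to one recurring check: compare what actually crosses the control-network boundary with what the segmentation design says should cross it. The script below is an added example, not from the deck or from Coalfire; it audits constructed firewall flow records against an assumed three-zone layout (SCADA, DMZ, corporate) and an assumed allow-list of inter-zone conversations. The zones, addresses, ports, record format and policy are all assumptions for illustration.

```python
# Added example (not from the deck): audit constructed firewall flow records
# against a simple SCADA segmentation policy. Zones, addresses, ports, the
# record format and the policy are assumptions made for illustration.
import ipaddress
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "src dst proto dport action")

# Assumed zone layout: control (SCADA) network, a DMZ for the historian, corporate LAN.
ZONES = {
    "scada": ipaddress.ip_network("10.10.0.0/16"),
    "dmz":   ipaddress.ip_network("10.20.0.0/24"),
    "corp":  ipaddress.ip_network("10.30.0.0/16"),
}

# Assumed allow-list of inter-zone conversations: (src_zone, dst_zone, proto, dport).
# Anything else that touches the SCADA zone is reported.
POLICY = {
    ("dmz", "scada", "tcp", 502),      # historian in the DMZ polls Modbus/TCP devices
    ("scada", "scada", "tcp", 502),    # intra-zone Modbus/TCP
    ("scada", "scada", "tcp", 20000),  # intra-zone DNP3
}


def zone_of(ip):
    """Map an address to its zone name; anything outside the known ranges is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_flow(line):
    """Parse one key=value flow record (constructed format); the first token is a timestamp."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return Flow(fields["src"], fields["dst"], fields["proto"], int(fields["dport"]), fields["action"])


def inventory(lines):
    """Step 1: every distinct conversation that enters or leaves the SCADA zone."""
    seen = set()
    for line in filter(str.strip, lines):
        f = parse_flow(line)
        sz, dz = zone_of(f.src), zone_of(f.dst)
        if "scada" in (sz, dz):
            seen.add((sz, dz, f.proto, f.dport))
    return sorted(seen)


def audit(lines):
    """Steps 2-3: classify each SCADA-zone flow that is not in the segmentation policy."""
    findings = []
    for line in filter(str.strip, lines):
        f = parse_flow(line)
        sz, dz = zone_of(f.src), zone_of(f.dst)
        if "scada" not in (sz, dz):
            continue                      # does not touch the control zone
        if (sz, dz, f.proto, f.dport) in POLICY:
            continue                      # expected conversation
        # A permitted flow outside the policy is a segmentation gap (a rule to remove or
        # tighten); a denied one shows the perimeter working but is still worth tracking.
        verdict = "GAP" if f.action == "allow" else "DENIED"
        findings.append({"verdict": verdict, "src_zone": sz, "dst_zone": dz, "flow": f})
    return findings


def summary(findings):
    """Count findings by verdict, for a one-line report."""
    return Counter(x["verdict"] for x in findings)


# Constructed sample records (not real traffic).
SAMPLE_LOG = """
2010-05-17T10:01:02 src=10.30.4.7 dst=10.10.1.5 proto=tcp dport=3389 action=allow
2010-05-17T10:01:05 src=10.20.0.9 dst=10.10.1.5 proto=tcp dport=502 action=allow
2010-05-17T10:01:09 src=203.0.113.5 dst=10.10.1.7 proto=tcp dport=22 action=deny
2010-05-17T10:01:12 src=10.10.1.5 dst=10.30.2.2 proto=tcp dport=445 action=allow
2010-05-17T10:01:15 src=10.30.4.7 dst=10.20.0.9 proto=tcp dport=443 action=allow
2010-05-17T10:01:20 src=10.10.1.6 dst=10.10.1.5 proto=tcp dport=20000 action=allow
""".splitlines()

if __name__ == "__main__":
    for conv in inventory(SAMPLE_LOG):
        print("seen:", conv)
    for x in audit(SAMPLE_LOG):
        print(x["verdict"], x["src_zone"], "->", x["dst_zone"], x["flow"].proto, x["flow"].dport)
    print(dict(summary(audit(SAMPLE_LOG))))
```

On the sample records the inventory lists five conversations touching the control zone, and the audit flags two permitted flows that the policy does not cover (corporate-to-SCADA remote desktop, and SCADA-to-corporate file sharing) plus one denied attempt from outside. The GAP findings are the rules to remove or tighten; the DENIED ones are what an intrusion detection system at the perimeter should be alerting on.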

References

Idaho National Labs – Vulnerabilities Report
http://www.controlsystemsroadmap.net/pdfs/INL_Common_Vulnerabilties.pdf

NIST SP 800-82
http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf

NERC - Top 10 Vulnerabilities of Control Systems
http://www.controlsystemsroadmap.net/pdfs/NERC_2007_Top_10.pdf

GAO Report on Continuing Security Weakness
http://www.controlsystemsroadmap.net/pdfs/GAO_2007_CS_Challenges_Remain.pdf

21 Steps to Improve SCADA System Security
http://www.controlsystemsroadmap.net/pdfs/21_steps_to_Improve_Cyber_Security_of_SCADA_Networks.pdf

Thank You


Knowledge – Action = Negligence

Rick Dakin

[email protected] ext 7001

Questions?