Cyber Security: A Program to Meet NERC CIP Requirements (PowerPoint presentation), May 17, 2010. Rick Dakin, Coalfire Systems, CEO and Co-founder
Cyber Security

A Program to Meet NERC CIP Requirements

May 17, 2010

Rick Dakin

Coalfire systems

CEO and Co-founder


Agenda

The fastest 30 minutes in cyber security history

  • Introductions
  • The Threat
  • NERC CIP Requirements
  • CIP Program Rollout
  • Cyber Security Program Strategy
  • Questions
Coalfire Overview

IT Audit and Compliance Management

  • Offices in Denver, Seattle, NYC, Dallas and San Diego, with over 40 full-time IT auditors
  • Clients include Fortune 100, retail, government, education, financial, healthcare, and utilities
  • Security, governance, compliance management, audit – GLBA, SOX, PCI, HIPAA, SAS 70 & NERC CIP
  • Practice areas: risk and vulnerability assessment, e-discovery and forensic analysis
  • Solutions: policy development, data classification, control management, incident response, etc.
  • Application security: PA-DSS certification, code audits, penetration testing, SDL development

Regulatory Backdrop

Regulatory Environment is a New Challenge for IT Professionals

2000 to Present:

  • COPPA
  • USA Patriot Act 2001
  • EC Data Privacy Directive
  • CLERP 9
  • CAN-SPAM Act
  • FISMA
  • Sarbanes Oxley (SOX)
  • CIPA 2002
  • Basel II
  • NERC CIP
  • HITECH
  • Payment Card Industry (PCI)
  • California Individual Privacy SB1386
  • Other State Privacy Laws

1970 to 2000:

  • EU Data Protection
  • HIPAA
  • FDA 21CFR Part 11
  • C6-Canada
  • GLBA
  • Computer Security Act of 1987

Strategic Barriers

'Smart Grid' may be vulnerable to hackers

By Jeanne Meserve, CNN Homeland Security Correspondent

UPDATED: 08:44 PM EDT 03.21.09

WASHINGTON (CNN)

Is it really so smart to forge ahead with the high technology, digitally based electricity distribution and transmission system known as the "Smart Grid"? Tests have shown that a hacker can break into the system, and cyber security experts said a massive blackout could result. Until the United States eliminates the Smart Grid's vulnerabilities, some experts said, deployment should proceed slowly. "I think we are putting the cart before the horse here to get this stuff rolled out very fast," said Ed Skoudis, a co-founder of InGuardians, a network security research and consulting firm.

Trends – The Risk is Growing
  • Cyber attacks are increasing
  • The deployment of IP networks in critical infrastructure is growing
  • Legacy systems deployed in critical systems only change every 5–12 years, and were never designed to be secure
  • The workforce is aging and will require re-training to modify processes and controls
  • Control vendors are late contributors to cyber security plans. There are no industry standards for secure systems development for Critical Infrastructure

CIP Overview

The North American Electric Reliability Corporation (NERC) Standards CIP-002 through CIP-009 provide a cyber security framework for the identification and protection of Critical Cyber Assets to support reliable operation of the Bulk Electric System. Effective December 2009, most operators must comply with the following requirements.


CIP Updates

  • Oversight of cyber security at U.S. commercial nuclear power plants will be divided between the NRC and the NERC
  • CIP version 2 takes force in April 2010 and increases “strictness”
    • Removal of the terms “reasonable business judgment” and “acceptance of risk”
    • Training and Personnel Risk Assessments must be performed prior to granting access to authorized personnel
    • Delegations must be specifically documented with areas of responsibility and approved by the designated Senior Manager
    • Levels of Non-Compliance replaced with Violation Severity Levels and Violation Risk Factors
  • Future CIP versions look to introduce more alignment with best practice standards such as NIST



FERC – Bringing down the Hammer

  • Budget increase of over $17M to make reliability of the electric transmission grid—and enforcement of NERC Standards—a priority in 2011
  • Planning for an average of 100 violations each month in 2011
  • Strong response to NERC Technical Feasibility Exception (TFE) rules including mandate that all mitigating controls are equivalent to strict original control intent
  • Severely limited any safe harbor absent exceptional circumstances
  • May 4th, 2010 – Michael Assante resigns as CSO of NERC



Growing the Grid

  • The Energy Independence and Security Act of 2007 established the Smart Grid program which mandates two-way flow of electricity and information with the end user
  • NIST IR-7628, Smart Grid Cyber Security Strategy and Requirements (draft), addresses:
    • Bottom-up Risk Based Assessment
    • Privacy Concerns
    • Vulnerability Class Analysis
  • Takes the threat to the end user: what’s the difference between shutting down the plant or conducting an Energy Denial of Service Attack against the consumer?


CIP Program Approach

Compliance Management Program: a cycle of four phases, Risk Assessment, Control Design, Deploy and Operate, and Measure and Report.

Risk Assessment

  • Asset Inventory
  • Risk Assessment
  • Control Selection
  • Gap Analysis
  • Remediation Roadmap

Control Design

  • Define system boundaries
  • Control Design
  • Documentation
  • User Testing
  • Policies, Plans

Deploy and Operate

  • Guidelines
  • Control deployment
  • Control Operation
  • Operations Monitoring and Reporting
  • Training

Measure and Report

  • Program Design
  • Establish Metrics
  • Control testing
  • Develop Compliance Portal
  • Online Support

21 Steps to Improve Cyber Security

Source: The President’s Critical Infrastructure Protection Board

Top 5 Risk Mitigation Steps

  • Segment SCADA systems (diagram system boundaries)
  • Test segmentation of SCADA systems (do not rely on proprietary protocols)
  • Restrict remote access
  • Contact your system vendor for secure configuration and operations guides
  • Develop a good incident response plan
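As an added example (not from the deck), a small policy audit in Python that applies the first three steps to a zone-based firewall ruleset: it flags allow rules that cross into the SCADA zone from anywhere other than an approved access host, that come straight from the Internet, or that permit every service, the case where "segmentation" is really just reliance on nobody knowing the proprietary protocol. The rule format, zone names and jump-host address are constructed assumptions, not any vendor's syntax.

```python
"""Audit a zone-based firewall ruleset for SCADA segmentation gaps (constructed example)."""
from dataclasses import dataclass

SCADA_ZONE = "SCADA"
# Assumption: only this hardened remote-access (jump) host may open sessions into SCADA.
APPROVED_ACCESS_HOSTS = {"10.1.1.5"}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    src: str          # host address or "any"
    dst_zone: str
    dst: str
    service: str      # e.g. "tcp/502" (Modbus/TCP), "tcp/3389" (RDP), or "any"
    action: str       # "allow" or "deny"


def audit(rules):
    """Return (rule index, reason) for every allow rule that weakens the SCADA boundary."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow" or r.dst_zone != SCADA_ZONE or r.src_zone == SCADA_ZONE:
            continue  # deny rules and intra-zone traffic do not cross the boundary
        if r.src_zone == "INTERNET":
            findings.append((i, "direct path from the Internet into SCADA"))
        elif r.src == "any" or r.src not in APPROVED_ACCESS_HOSTS:
            findings.append((i, "remote access not restricted to the approved access host"))
        if r.service == "any":
            # Allowing every service means the boundary depends on protocol obscurity, not a control.
            findings.append((i, "all services permitted; a proprietary protocol is not a control"))
    return findings


# Constructed ruleset for a corporate (CORP) / control-system (SCADA) boundary.
SAMPLE_RULES = [
    Rule("CORP", "10.1.1.5", "SCADA", "10.10.0.20", "tcp/3389", "allow"),   # jump host RDP: ok
    Rule("CORP", "any", "SCADA", "any", "any", "allow"),                    # flat network: bad
    Rule("CORP", "10.1.1.9", "SCADA", "10.10.0.20", "tcp/502", "allow"),    # analyst workstation: bad
    Rule("INTERNET", "any", "SCADA", "10.10.0.30", "tcp/20000", "allow"),   # vendor DNP3 from Internet: bad
    Rule("SCADA", "any", "SCADA", "any", "any", "allow"),                   # intra-zone: not assessed
    Rule("any", "any", "SCADA", "any", "any", "deny"),                      # default deny
]

if __name__ == "__main__":
    for idx, reason in audit(SAMPLE_RULES):
        print(f"rule {idx}: {reason}")
```

Run against a real export, each finding maps directly to a boundary diagram entry that needs either a documented justification or a tighter rule.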

References

  • Idaho National Labs – Vulnerabilities Report: http://www.controlsystemsroadmap.net/pdfs/INL_Common_Vulnerabilties.pdf
  • NIST SP 800-82: http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf
  • NERC – Top 10 Vulnerabilities of Control Systems: http://www.controlsystemsroadmap.net/pdfs/NERC_2007_Top_10.pdf
  • GAO Report on Continuing Security Weakness: http://www.controlsystemsroadmap.net/pdfs/GAO_2007_CS_Challenges_Remain.pdf
  • 21 Steps to Improve SCADA System Security: http://www.controlsystemsroadmap.net/pdfs/21_steps_to_Improve_Cyber_Security_of_SCADA_Networks.pdf

Thank You

Knowledge – Action = Negligence

Questions?

Rick Dakin

Rick.dakin@coalfiresystems.com

303.554.6333 ext 7001