INVENTORY AND CLASSIFICATION / CIP-002 R1 AND ATTACHMENT 1
PURPOSE
Identify and categorize Bulk Electric System Cyber Systems and their associated BES Cyber Assets for the application of cyber security requirements commensurate with the adverse impact that loss, compromise, or misuse of those BES Cyber Systems could have on the reliable operation of the BES. Identification and categorization of BES Cyber Systems support appropriate protection against compromises that could lead to misoperation or instability in the BES.
TENABLE.OT
Automatic discovery and mapping of ALL OT devices in your network
A cardinal principle of cyber security states that “You can’t secure what you don’t know exists.” To secure your control systems, as well as to comply with NERC CIP, the first thing you need to do is identify what you have. Tenable.ot automatically discovers and maps all OT devices (even dormant) and keeps an up-to-date inventory of these assets. This includes the operator and engineering workstations, the controllers (PLCs, RTUs and DCS controllers), and other devices.
Tenable.ot categorizes assets according to their manufacturer and device model and collects highly granular information including the firmware versions and serial numbers of the devices.
The asset inventory is continuously and automatically updated when a change is made to a device, or when any device is added to or removed from the OT network. This eliminates the need for complex and error-laden manual processes.
If your plant is rated Medium impact under CIP versions 5 and 6 and you are starting your asset identification process or doing your periodic review (CIP-002 R2 requires one at least once every 15 calendar months), your first step will be to comply with CIP-002 R1. To do that, you need to identify all of your devices that meet the NERC definition of Cyber Asset (i.e. “programmable electronic device”). Tenable.ot helps you build a complete inventory of candidate Cyber Assets, from which you can identify your BES Cyber Assets and group them into BES Cyber Systems.
If your plant is Low impact, you aren’t required to produce a discrete list of your BES Cyber Systems, although doing so is recommended as a security best practice. In any case, you will need at least an idea of the types of BES Cyber Systems you have (PLCs, protection relays, etc.) and their approximate numbers. You will also need to know which networks they are connected to, and have a network diagram showing this information (although not necessarily showing each BES Cyber System).
SECURITY MANAGEMENT CONTROLS / CIP-003
PURPOSE
Specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
TENABLE.OT
Real-time alerts that enforce security management policies
Tenable.ot alerts in real-time on any unauthorized access to the OT environment and enables the enforcement of security management policies.
In addition, it fully audits all OT activities, including controller engineering activities like logic updates, configuration changes and firmware uploads/downloads. Tenable.ot tracks the source of the activity, the exact commands used, the devices impacted and the specific impact to these devices, as well as the date and time of each activity. This comprehensive audit trail enables grid owners and operators to establish responsibility and accountability. It also helps in the prevention of malicious or erroneous activities that could lead to misoperation or instability of the plant.
Data Sheet / Tenable.ot NERC-CIP / 090922
ACCESS MANAGEMENT AND ACCESS CONTROLS / CIP-004 R4 AND R5
PURPOSE
Minimize the risk against compromise that could lead to misoperation or instability in the BES from individuals accessing BES Cyber Systems by requiring an appropriate level of personnel risk assessment, training, and security awareness in support of protecting BES Cyber Systems.
TENABLE.OT
Real-time alerts of unauthorized access or changes to the controller
Whether or not your grid/electrical facility has to comply with the access management and access revocation requirements of CIP-004, it is vital that you be notified when a non-authorized person accesses controllers, and when a suspicious change is made to controller logic. Tenable.ot’s patented technology helps you address both issues.
Most controllers, such as PLCs, have little or no inherent access control; anyone who can reach the device on the network can typically read or change anything on it. Tenable.ot allows you to set policies defining who can access the controller and what they can do when they access it. If someone who isn’t authorized does gain network access, you will be alerted in real-time. In the same way, if an authorized person does something that your policy doesn’t permit them to do, such as change controller logic, you will also receive a real-time alert.
Tenable.ot regularly queries each controller and downloads its configuration. It compares this with the previous day’s copy, notes any changes, and alerts you with details of those changes. This allows you to catch suspicious changes and investigate or reverse them. Purely passive anomaly detection solutions, which only see what crosses the network, can’t do this.
REMOTE ACCESS MANAGEMENT / CIP-005 R2
PURPOSE
Manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
TENABLE.OT
Real-time alerts on remote interactive or machine-to-machine access to controllers
Tenable.ot identifies and logs any remote access to assets in the OT infrastructure. Furthermore, Tenable.ot alerts in real-time if the access is new, unauthorized or both, and provides detailed information on the connection. This functionality enables security staff to detect perimeter breaches and ensure system safety. It applies to both interactive and “machine-to-machine” remote access.
While you may already be familiar with the controls on Interactive Remote Access in CIP-005 R2.1-R2.3, you may not know that CIP-005-6 R2.4 and R2.5 (approved by FERC in 2018 alongside CIP-013, the supply chain risk management standard, and in effect since July 2020) require entities to have methods to determine active vendor remote access sessions, both Interactive Remote Access and system-to-system remote access, and to disable them. Tenable.ot is unique in its ability to provide you with real-time alerts on any remote interactive or machine-to-machine access to controllers.
PHYSICAL SECURITY OF BES CYBER SYSTEMS / CIP-006
PURPOSE
Manage physical access to BES Cyber Systems by specifying a physical security plan in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
TENABLE.OT
Identification of changes made to controllers by direct physical access
Tenable.ot uniquely identifies changes made to controllers by direct physical access, because it queries the controller itself rather than relying only on network traffic. This means that even if an employee or integrator connected to the device using a serial cable or a USB device, Tenable.ot will identify any changes and raise an alert. Thus, Tenable.ot enables threat mitigation by making sure security staff are aware of the access and its impact on the device.
SYSTEM SECURITY MANAGEMENT / CIP-007
PURPOSE
Manage system security by specifying select technical, operational, and procedural requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
TENABLE.OT
Rule-based detections of anomalies
Tenable.ot detects the presence of an anomaly, such as a malicious actor or the deployment of malicious code. Detection is rule-based, so each power generation owner or operator can customize network policies according to its internal policies or to future versions of the NERC CIP standards. Because the rules are deterministic, every alert can be traced to the specific policy that fired, and false positives are removed by tuning that policy rather than by retraining an opaque statistical baseline.
R1.1 – Ports and Services – Enabling only necessary logical ports
Tenable.ot constantly monitors and alerts on open but unneeded ports on critical devices. In addition, it monitors network traffic and alerts on connections that use ports outside the list of necessary ports.
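The port allowlist check described above, as an added example that is not Tenable.ot code: a per-device list of necessary ports is compared both against the ports an active query found open on the device and against observed connections parsed from Zeek conn.log-style records. The device addresses, allowlists, scan result and every log record below are constructed for illustration.

```python
"""CIP-007 R1.1 style ports-and-services check: each device has an
allowlist of necessary listening ports; anything else found open, or any
observed connection to a port off the list, is reported.

Added example, not Tenable.ot code. Device addresses, allowlists, the
open-port scan result and the Zeek conn.log-style records are constructed.
"""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # originator address
    dst: str    # responder (device) address
    dport: int  # responder port, i.e. the service on the device
    proto: str  # "tcp" or "udp"


# Constructed allowlist: (proto, port) pairs each device needs to listen on.
NECESSARY_PORTS: dict[str, set[tuple[str, int]]] = {
    "10.0.1.10": {("tcp", 102), ("tcp", 502)},      # PLC: S7comm, Modbus/TCP
    "10.0.1.20": {("tcp", 20000), ("udp", 20000)},  # RTU: DNP3
}


def parse_conn_log(text: str) -> list[Flow]:
    """Parse the first seven tab-separated columns of a Zeek conn.log line:
    ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto. Lines starting
    with '#' (Zeek headers) and blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        cols = line.split("\t")
        flows.append(Flow(src=cols[2], dst=cols[4], dport=int(cols[5]), proto=cols[6]))
    return flows


def unneeded_open_ports(device: str, open_ports: set[tuple[str, int]]) -> set[tuple[str, int]]:
    """Ports found open on the device (e.g. by an active query) that are not on its allowlist."""
    return open_ports - NECESSARY_PORTS.get(device, set())


def offending_flows(flows: list[Flow]) -> Counter:
    """Count connections to a monitored device on a port outside its allowlist,
    keyed by (device, proto, port). Destinations absent from the allowlist
    table are skipped: an unknown device is an inventory finding, not a port
    finding."""
    hits: Counter = Counter()
    for f in flows:
        allowed = NECESSARY_PORTS.get(f.dst)
        if allowed is not None and (f.proto, f.dport) not in allowed:
            hits[(f.dst, f.proto, f.dport)] += 1
    return hits


# Constructed sample: an engineering workstation talking Modbus to the PLC
# (fine), the same host hitting the PLC's web server (not necessary), a
# laptop probing telnet on the RTU twice, DNP3 to the RTU (fine), and a
# connection to a device that is not in the allowlist table (skipped).
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1662624000.1\tC1\t10.0.2.5\t49152\t10.0.1.10\t502\ttcp
1662624001.2\tC2\t10.0.2.5\t49153\t10.0.1.10\t80\ttcp
1662624002.3\tC3\t10.0.2.9\t49154\t10.0.1.20\t23\ttcp
1662624003.4\tC4\t10.0.2.9\t49155\t10.0.1.20\t23\ttcp
1662624004.5\tC5\t10.0.2.5\t49156\t10.0.1.20\t20000\tudp
1662624005.6\tC6\t10.0.2.5\t49157\t10.0.1.99\t80\ttcp
"""


def demo() -> tuple[set[tuple[str, int]], Counter]:
    # Constructed result of an active port query against the PLC.
    plc_open = {("tcp", 102), ("tcp", 502), ("tcp", 80)}
    return unneeded_open_ports("10.0.1.10", plc_open), offending_flows(parse_conn_log(SAMPLE_CONN_LOG))


if __name__ == "__main__":
    unneeded, hits = demo()
    print("unneeded open ports on 10.0.1.10:", sorted(unneeded))
    for (dev, proto, port), n in sorted(hits.items()):
        print(f"{dev} {proto}/{port}: {n} connection(s) outside necessary ports")
```

Only the responder port is checked, since the originator port is ephemeral. Two checks are kept separate on purpose: a port that is open but never used will only ever show up in the active query, and a port that is used but not open on the device (a scan that was refused) will only ever show up in the traffic.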
R3 – Malicious Code Prevention
Tenable.ot identifies malicious code activity on the network, including malware propagation, abnormal communications, network attacks on controllers and direct attacks from connected compromised laptops. Real-time alerts enable security staff to mitigate threats before they lead to misoperation or instability.
R4 – Security Event Monitoring
R4.1: Log events at the BES Cyber System level
Tenable.ot identifies and logs all unauthorized electronic use or actions on controllers in real-time, enabling staff to respond immediately to cyber security incidents and/or forensic activity after the fact.
R4.2: Generate alerts for security events
Tenable.ot raises alerts in real-time for security events on controllers, enabling staff to respond immediately to cyber security incidents. For example, if an unauthorized person logs in to a controller over the network, or takes an action – like downloading code or upgrading firmware – that they are not allowed to take, you will receive an immediate alert.
Note: Tenable.ot integrates with industry-leading SIEM solutions, NGFWs and other IT based security solutions to streamline security event management across IT and OT environments.
INCIDENT REPORTING AND RESPONSE PLANNING / CIP-008
PURPOSE
Mitigate the risk to the reliable operation of the BES as the result of a cyber security incident by specifying incident response requirements.
TENABLE.OT
Real-time alerts and audit trails to enable security staff to identify, investigate and respond to cyber security incidents
Tenable.ot can aid incident response for OT networks in three important ways:
1. Real-time alerts on detected threats, anomalies and unauthorized activities on OT devices. These can then be investigated to determine whether they constitute a cyber security incident.
2. To help make this determination, Tenable.ot provides a comprehensive audit trail of activities and changes to control devices.
3. Should the organization decide that a forensic investigation is required, the audit trail provides invaluable visibility into OT activities and changes.
Together, these capabilities enable security staff to identify, investigate and respond to cyber security incidents.
RECOVERY PLANS FOR BES CYBER SYSTEMS / CIP-009
PURPOSE
Recover reliability functions performed by BES Cyber Systems by specifying recovery plan requirements in support of the continued stability, operability, and reliability of the BES.
TENABLE.OT
Configuration Control for reliable and quick recovery
Tenable.ot provides a comprehensive audit trail of changes to all devices in the OT infrastructure, thereby supporting recovery planning, implementation and testing.
CIP-009 R1 – Recovery Plan Specifications: processes for the backup and storage of information
Tenable.ot regularly captures a baseline of each controller’s configuration and activity using its patented active querying feature. By querying the devices directly, Tenable.ot finds properties and changes that passive network monitoring alone cannot see, such as changes made over a serial connection. Tenable.ot keeps historical snapshots of device baselines, so security staff can use them when a controller has to be restored to a previously known good state, and to confirm afterwards that the restored controller matches that state.
CONFIGURATION CHANGE MANAGEMENT AND VULNERABILITY ASSESSMENTS / CIP-010
PURPOSE
Prevent and detect unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise that could lead to misoperation or instability in the BES.
TENABLE.OT
Real-time alerts to meet configuration monitoring requirements and vulnerability notifications that apply to your devices
Tenable.ot’s unique technology provides a comprehensive audit trail of all OT control devices, including changes made to the controller’s logic, whether done over the network or by physically connecting to the device. Real-time alerts enable utilities to meet configuration monitoring requirements.
In addition, Tenable.ot maintains a continuously updated list of the software and firmware versions installed on your controllers and compares it regularly against a list of known vulnerabilities (NVD data). Tenable.ot notifies you whenever a new vulnerability appears that applies to a software or firmware version installed on one of your devices. Tenable.ot also integrates with Tenable.sc and Tenable.io, so OT vulnerability and security data appear alongside IT findings in a single view from which cyber exposure and risk incidents can be managed.
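The firmware-to-vulnerability matching described above, as an added example that is neither Tenable.ot code nor NVD data: each asset carries (vendor, product, version), each advisory carries an affected version range, and versions are compared numerically. ExampleVendor, PLC-X, OtherVendor, RTU-Y and the ADV-000n identifiers are constructed placeholders, not real products or advisories.

```python
"""Match inventoried firmware versions against advisories with affected
version ranges. Inputs are (vendor, product, version) per asset and
(vendor, product, introduced, fixed) per advisory; output is the list of
advisory ids that apply to each asset.

Added example, not Tenable.ot code and not NVD data. Vendor, product and
advisory identifiers are constructed placeholders.
"""
from __future__ import annotations
from dataclasses import dataclass
import re


def parse_version(v: str) -> tuple[int, ...]:
    """'V2.10.1' -> (2, 10, 1). Versions must be compared numerically: as
    strings '2.9' sorts after '2.10', which would report a device patched to
    2.10 as still affected by a 'fixed in 2.10' advisory."""
    parts = re.findall(r"\d+", v)
    if not parts:
        raise ValueError(f"no numeric components in version {v!r}")
    return tuple(int(p) for p in parts)


@dataclass(frozen=True)
class Advisory:
    id: str
    vendor: str
    product: str
    introduced: str     # first affected version, inclusive
    fixed: str | None   # first fixed version, exclusive; None means no fix yet

    def affects(self, vendor: str, product: str, version: str) -> bool:
        if (vendor, product) != (self.vendor, self.product):
            return False
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        return self.fixed is None or v < parse_version(self.fixed)


@dataclass(frozen=True)
class Asset:
    name: str
    vendor: str
    product: str
    firmware: str


def match(assets: list[Asset], advisories: list[Advisory]) -> dict[str, list[str]]:
    """Asset name -> sorted ids of the advisories that apply to its installed firmware."""
    return {
        a.name: sorted(adv.id for adv in advisories if adv.affects(a.vendor, a.product, a.firmware))
        for a in assets
    }


# Constructed inventory and advisory list.
ASSETS = [
    Asset("PLC-01", "ExampleVendor", "PLC-X", "V2.9"),    # vulnerable to both PLC-X advisories
    Asset("PLC-02", "ExampleVendor", "PLC-X", "V2.10"),   # patched for ADV-0001, still hit by ADV-0002
    Asset("RTU-07", "OtherVendor", "RTU-Y", "4.1.2"),     # exactly the fixed version: not affected
]
ADVISORIES = [
    Advisory("ADV-0001", "ExampleVendor", "PLC-X", introduced="1.0", fixed="2.10"),
    Advisory("ADV-0002", "ExampleVendor", "PLC-X", introduced="2.0", fixed=None),
    Advisory("ADV-0003", "OtherVendor", "RTU-Y", introduced="4.0", fixed="4.1.2"),
]


if __name__ == "__main__":
    for name, ids in match(ASSETS, ADVISORIES).items():
        print(name, ids or "no known advisories")
```

A real feed also needs product matching that tolerates the vendor's own naming (CPE-style identifiers rather than free-text product names) and version strings with letters or build suffixes; those are out of scope here, but the numeric comparison is the part to verify first whenever a notification looks wrong.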
CIP-010 R1 – Configuration Change Management
Develop a baseline configuration
Tenable.ot automatically establishes a baseline of each controller configuration and continuously monitors for configuration changes. All changes are reported to you, and security staff members are alerted if any unauthorized change is made through the network. Besides providing useful information to you, this capability will provide valuable evidence at audit, showing that all configuration changes to controllers were noted and accounted for.
CIP-010 R2 – Configuration Monitoring
Monitor at least once every 35 calendar days for changes to the baseline configuration
Tenable.ot automatically identifies and alerts on changes to controller baseline configurations, eliminating the need for manual monitoring and reporting. This is not only more effective and more accurate; it also lets staff respond quickly to unauthorized changes.
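Baseline comparison as described in the CIP-004 section above (download the controller configuration, diff it against the previous copy, alert on the differences) and in CIP-010 R1 and R2, as an added example that is not Tenable.ot code: a per-device baseline, a diff that yields one record per changed attribute, an explicit step to adopt an authorised change as the new baseline, and a check for devices not compared within the 35-calendar-day window. Device names, snapshot attributes, dates and the placeholder logic hashes are constructed.

```python
"""Baseline configuration change detection in the CIP-010 R1/R2 sense:
keep a per-device baseline, compare each new snapshot against it, emit one
change record per differing attribute, and report devices not checked
within the 35-calendar-day monitoring window.

Added example, not Tenable.ot code. Device names, snapshot attributes and
dates are constructed; the logic hash values are placeholder strings.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib
import json


@dataclass(frozen=True)
class Snapshot:
    device: str
    taken: date
    config: dict   # attribute -> value, e.g. firmware, logic hash, open ports


@dataclass(frozen=True)
class Change:
    device: str
    taken: date
    attribute: str
    old: object
    new: object


def fingerprint(config: dict) -> str:
    """SHA-256 over a canonical JSON encoding, so attribute order and
    representation details never produce spurious change reports."""
    canon = json.dumps(config, sort_keys=True, default=str).encode()
    return hashlib.sha256(canon).hexdigest()


class BaselineStore:
    MAX_INTERVAL = timedelta(days=35)   # CIP-010 R2.1 monitoring interval

    def __init__(self) -> None:
        self._baseline: dict[str, Snapshot] = {}
        self._last_checked: dict[str, date] = {}

    def compare(self, snap: Snapshot) -> list[Change]:
        """Diff snap against the device's baseline. The first snapshot seen
        for a device becomes its baseline and yields no changes."""
        self._last_checked[snap.device] = snap.taken
        base = self._baseline.get(snap.device)
        if base is None:
            self._baseline[snap.device] = snap
            return []
        if fingerprint(base.config) == fingerprint(snap.config):
            return []
        return [
            Change(snap.device, snap.taken, attr, base.config.get(attr), snap.config.get(attr))
            for attr in sorted(set(base.config) | set(snap.config))
            if base.config.get(attr) != snap.config.get(attr)
        ]

    def accept(self, snap: Snapshot) -> None:
        """Adopt snap as the new baseline once the change is authorised and
        documented (CIP-010 R1.3: update the baseline within 30 calendar days).
        Until then every comparison keeps reporting the deviation."""
        self._baseline[snap.device] = snap

    def overdue(self, today: date) -> list[str]:
        """Devices whose last comparison is older than the monitoring window."""
        return sorted(d for d, last in self._last_checked.items() if today - last > self.MAX_INTERVAL)


def demo() -> tuple[list[Change], list[Change], list[str]]:
    """Constructed scenario: two identical daily snapshots of PLC-01, then a
    third with new logic and an extra open port; RTU-07 is seen once and then
    not checked again for more than 35 days."""
    store = BaselineStore()
    same = {"firmware": "V2.9", "logic_sha256": "logic-v1", "open_ports": [102, 502]}
    day1 = Snapshot("PLC-01", date(2022, 9, 1), dict(same))
    day2 = Snapshot("PLC-01", date(2022, 9, 2), dict(same))
    day3 = Snapshot("PLC-01", date(2022, 9, 3),
                    {"firmware": "V2.9", "logic_sha256": "logic-v2", "open_ports": [80, 102, 502]})
    rtu = Snapshot("RTU-07", date(2022, 9, 1), {"firmware": "4.1.2", "logic_sha256": "rtu-v1"})

    for snap in (day1, rtu, day2):
        assert store.compare(snap) == [], "no deviation expected yet"
    detected = store.compare(day3)        # two change records
    store.accept(day3)                    # change reviewed and authorised
    after_accept = store.compare(day3)    # baseline updated, nothing to report
    return detected, after_accept, store.overdue(date(2022, 10, 7))


if __name__ == "__main__":
    detected, after_accept, late = demo()
    for c in detected:
        print(f"{c.device} {c.taken}: {c.attribute} changed from {c.old!r} to {c.new!r}")
    print("after accept:", after_accept, "| overdue devices:", late)
```

The separate accept step is what turns a diff tool into change management: an unauthorised change keeps being reported on every comparison until someone records it as approved and re-baselines, which is also the audit evidence CIP-010 R1 asks for.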
CIP-010-2 Table R3 – Vulnerability Assessments
At least once every 15 calendar months, conduct a paper or active vulnerability assessment
Tenable.ot combines passive network monitoring with active querying of the devices to provide an in-depth device vulnerability assessment: the asset inventory, the firmware version currently installed on each device and its associated CVEs, the device’s open ports, and an accurate, up-to-date risk score that does not depend on “last seen traffic.”
If a purely “passive” vulnerability assessment is required, Tenable.ot gathers the information from network traffic alone (“last seen traffic”), which still provides detailed information but may miss changes made over a serial cable connection.
Document the results of the testing
Tenable.ot provides a detailed vulnerability assessment report, eliminating the need to compose manual and often inaccurate or outdated controller reports.
ABOUT TENABLE
Tenable®️ is the Cyber Exposure company. Approximately 40,000 organizations around the globe rely on Tenable to understand and reduce cyber risk. As the creator of Nessus®️, Tenable extended its expertise in vulnerabilities to deliver the world’s first platform to see and secure any digital asset on any computing platform. Tenable customers include approximately 60 percent of the Fortune 500, approximately 40 percent of the Global 2000, and large government agencies. Learn more at tenable.com.
Data Sheet / Tenable.ot NERC-CIP / 090922 COPYRIGHT 2022 TENABLE, INC. ALL RIGHTS RESERVED. TENABLE, TENABLE.IO, NESSUS, ALSID, INDEGY, LUMIN, ASSURE, AND LOG CORRELATION ENGINE ARE REGISTERED TRADEMARKS OF TENABLE, INC. OR ITS AFFILIATES. TENABLE.SC, TENABLE.OT, TENABLE.AD, EXPOSURE.AI, AND THE CYBER EXPOSURE COMPANY ARE TRADEMARKS OF TENABLE, INC. OR ITS AFFILIATES. ALL OTHER PRODUCTS OR SERVICES ARE TRADEMARKS OF THEIR RESPECTIVE OWNERS.