NERC CIP Standards and ICS Security Compliance


Cyber security for industrial control systems (ICS) is one of the most important challenges facing the North American power industry. Recent incidents, such as CrashOverride and TRISIS, underscore the increasing threat of electronic and computer-based attacks on critical infrastructure. CrashOverride was an attack on a Ukrainian electric utility that involved the Industroyer malware, and TRISIS was the incident at a Middle Eastern oil and gas refinery in which malware was used to attack a Triconex Safety Instrumented System. In addition, manufacturing and critical infrastructure (including nuclear plants) have been repeatedly targeted by phishing and other attacks. Clearly, power is in the crosshairs.

Beyond having to ensure your organization’s security against the latest threat, it is also essential to be aware of and follow the NERC CIP standards. Since CIP version 5 came into effect in 2016, with its classification of assets as High, Medium or Low impact, most generating stations have been classified as Low impact. Currently, the only cyber security requirement that applies to “Lows” is a method to control “external routable connectivity” (in most cases, a firewall). Nonetheless, the Federal Energy Regulatory Commission (FERC) has begun taking steps toward stricter cyber security controls for grid and power providers.

Tenable.ot™ has unique capabilities to help electric power generators secure their facilities and achieve compliance with both current and anticipated NERC CIP regulations.

Keeping the Lights On

Located at the heart of automated ICS networks in power plants, the industrial controllers (e.g., PLCs, RTUs, and DCS controllers) are responsible for process automation, safety and control. Any unauthorized access or changes to these mission-critical devices, whether malicious or unintentional, can put industrial and critical infrastructure at risk, and lead to misoperation or instability in the Bulk Electric System (BES).

Tenable.ot offers comprehensive security tools and reports for IT security personnel and OT engineers. It provides unmatched visibility into converged IT/OT segments and ICS activity, and delivers crystal-clear situational awareness across both IT and OT based assets, in a single pane of glass. The table below describes ten important ways that Tenable.ot can help with both security and CIP compliance.

DATA SHEET

How Tenable.ot Supports NERC CIP

CYBER ASSET INVENTORY AND CLASSIFICATION / CIP-002 R1 AND ATTACHMENT 1

PURPOSE

Identify and categorize Bulk Electric System Cyber Systems and their associated BES Cyber Assets for the application of cyber security requirements commensurate with the adverse impact that loss, compromise, or misuse of those BES Cyber Systems could have on the reliable operation of the BES. Identification and categorization of BES Cyber Systems support appropriate protection against compromises that could lead to misoperation or instability in the BES.

TENABLE.OT

Automatic discovery and mapping of ALL OT devices in your network

A cardinal principle of cyber security states that “You can’t secure what you don’t know exists.” To secure your control systems, as well as to comply with NERC CIP, the first thing you need to do is identify what you have. Tenable.ot automatically discovers and maps all OT devices (even dormant) and keeps an up-to-date inventory of these assets. This includes the operator and engineering workstations, the controllers (PLCs, RTUs and DCS controllers), and other devices.

Tenable.ot categorizes assets according to their manufacturer and device model and collects highly granular information including the firmware versions and serial numbers of the devices.

The asset inventory is continuously and automatically updated when a change is made to a device, or when any device is added to or removed from the OT network. This eliminates the need for complex and error-laden manual processes.

If your plant is rated Medium impact under CIP versions 5 and 6 and you are starting your asset identification process or doing your annual review, your first step will be to comply with CIP-002 R1. To do that, you need to identify all of your devices that meet the NERC definition of Cyber Asset (i.e. “programmable electronic device”). Tenable.ot helps you inventory a complete list of potential cyber assets from which you can identify your BES Cyber Systems.

If your plant is Low impact, you aren’t required to identify your BES Cyber Systems, although it is recommended to do so as a security best practice. In any case, you will need to at least have an idea of the types of BES Cyber Systems you have (PLCs, protection relays, etc.) and their approximate numbers. You will also need to know to which networks they are connected, and have a network diagram showing this information (although not necessarily showing each BES Cyber System).

SECURITY MANAGEMENT CONTROLS / CIP-003

PURPOSE

Specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.

TENABLE.OT

Real-time alerts that enforce security management policies

Tenable.ot alerts in real-time on any unauthorized access activities to the OT environment as well as enabling the enforcement of security management policies.

In addition, it fully audits all OT activities, including controller engineering activities like logic updates, configuration changes and firmware uploads/downloads. Tenable.ot tracks the source of the activity, the exact commands used, the devices impacted and the specific impact to these devices, as well as the date and time of each activity. This comprehensive audit trail enables grid owners and operators to establish responsibility and accountability. It also helps in the prevention of malicious or erroneous activities that could lead to misoperation or instability of the plant.

Data Sheet / Tenable.ot NERC-CIP / 090922

ACCESS MANAGEMENT AND ACCESS CONTROLS / CIP-004 R4 AND R5

PURPOSE

Minimize the risk against compromise that could lead to misoperation or instability in the BES from individuals accessing BES Cyber Systems by requiring an appropriate level of personnel risk assessment, training, and security awareness in support of protecting BES Cyber Systems.

TENABLE.OT

Real-time alerts of unauthorized access or changes to the controller

Whether or not your grid/electrical facility has to comply with the access management and access revocation requirements of CIP-004, it is vital that you be notified when a non-authorized person accesses controllers, and when a suspicious change is made to controller logic. Tenable.ot leverages its patented technology to help you address both of these issues.

Controllers, such as PLCs, don’t have inherent access control capability; anyone who can gain access to the device can do anything they want on it. Tenable.ot allows you to set policies defining who can access the controller and what they can do when they access it. If someone who isn’t authorized does gain network access, you will be alerted in real-time. In the same way, if an authorized person does something that your policy doesn’t permit them to do, such as change controller logic, you will also receive a real-time alert.

Tenable.ot regularly scans each controller and downloads its configuration file. It compares this with the previous day’s file, notes any changes, and alerts you with information on those changes. This allows you to catch suspicious changes and investigate or reverse them. Conventional anomaly detection solutions can’t do this.

REMOTE ACCESS MANAGEMENT / CIP-005 R2

PURPOSE

Manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.

TENABLE.OT

Real-time alerts on remote interactive or machine-to-machine access to controllers

Tenable.ot identifies and logs any remote access to assets in the OT infrastructure. Furthermore, Tenable.ot alerts in real-time if the access is new, unauthorized or both – and provides detailed information on the connection. This functionality enables security staff to detect perimeter breaches and ensure system safety. It applies to both interactive and “machine-to-machine” remote access.

While you may already be familiar with the controls on interactive remote access in CIP-005 R2.1-R2.3, you may not know that CIP-005 R2.4 (which came into effect in 2019 together with CIP-013, the new supply chain security standard) will require NERC entities to be able to identify and monitor active machine-to-machine remote access sessions, as well as interactive ones. Tenable.ot is unique in its ability to alert you in real-time on any remote interactive or machine-to-machine access to controllers.

PHYSICAL SECURITY OF BES CYBER SYSTEMS / CIP-006

PURPOSE

Manage physical access to BES Cyber Systems by specifying a physical security plan in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.

TENABLE.OT

Identification of changes made to controllers by direct physical access

Tenable.ot uniquely identifies changes made to controllers by direct physical access. This means that even if an employee or integrator connected to the device using a serial cable or a USB device, Tenable.ot will identify any changes and raise an alert. Thus, Tenable.ot enables threat mitigation by making sure security staff is aware of the access and its impact on the device.


SYSTEM SECURITY MANAGEMENT / CIP-007

PURPOSE

Manage system security by specifying select technical, operational, and procedural requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.

TENABLE.OT

Rule-based detections of anomalies

Tenable.ot detects the presence of an anomaly, such as a malicious actor or the deployment of malicious code. It is rule-based, so each power generation owner or operator can customize network policies, according to its internal policies or to future versions of NERC CIP standards. This approach is deterministic and hence has no false positives.

R1.1 – Ports and Services – Enabling only necessary logical ports

Tenable.ot monitors constantly and alerts on open and unneeded ports on critical devices. In addition, the system monitors the network traffic and alerts on network connections that are using ports that are outside the list of necessary ports.
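The two detections described above, remote access crossing the Electronic Security Perimeter (CIP-005 R2, including the machine-to-machine sessions R2.4 calls out) and connections on ports outside a device's necessary-ports list (CIP-007 R1.1), written out as one added example; this is not Tenable.ot's code or part of the data sheet, and the ESP subnet, device addresses, port lists and flow records are constructed assumptions.

```python
# Added example (not Tenable.ot's code). Constructed flow records are checked for
# (1) remote access crossing into the ESP from outside: logged, and alerted as
#     NEW when the (src, dst, port) triple is not in the known-session baseline,
#     labelled interactive or machine-to-machine (CIP-005 R2.4); and
# (2) connections to an in-scope device on a port that is not on its
#     necessary-ports list (CIP-007 R1.1). All addresses/ports are constructed.
import ipaddress
from collections import namedtuple

ESP = ipaddress.ip_network("10.20.0.0/24")    # inside the perimeter (assumed)
INTERACTIVE_PORTS = {22, 23, 3389, 5900}      # shells / remote desktop

# Necessary logical ports per in-scope device, keyed by IP (constructed).
NECESSARY_PORTS = {
    "10.20.0.10": {502, 44818},     # PLC: Modbus/TCP, EtherNet/IP
    "10.20.0.20": {20000, 2404},    # RTU: DNP3, IEC 60870-5-104
}

Flow = namedtuple("Flow", "src dst dport")

def classify_remote(flow, known_sessions):
    """Return None if the flow does not enter the ESP from outside; otherwise
    (is_new, kind) with kind 'interactive' or 'machine-to-machine'."""
    src_in = ipaddress.ip_address(flow.src) in ESP
    dst_in = ipaddress.ip_address(flow.dst) in ESP
    if src_in or not dst_in:
        return None
    kind = "interactive" if flow.dport in INTERACTIVE_PORTS else "machine-to-machine"
    return (tuple(flow) not in known_sessions, kind)

def audit(flows, known_sessions):
    """Return alert strings for new remote access and for unneeded ports."""
    alerts = []
    for f in flows:
        remote = classify_remote(f, known_sessions)
        if remote and remote[0]:
            alerts.append(f"NEW {remote[1]} remote access {f.src}->{f.dst}:{f.dport}")
        if f.dst in NECESSARY_PORTS and f.dport not in NECESSARY_PORTS[f.dst]:
            alerts.append(f"UNNEEDED PORT {f.src}->{f.dst}:{f.dport}")
    return alerts

if __name__ == "__main__":
    baseline = {("10.30.0.5", "10.20.0.20", 20000)}   # known SCADA master -> RTU poll
    sample = [
        Flow("10.30.0.5", "10.20.0.20", 20000),   # known machine-to-machine: no alert
        Flow("10.30.0.9", "10.20.0.10", 44818),   # unknown host polling the PLC: NEW
        Flow("10.30.0.9", "10.20.0.10", 23),      # telnet into the PLC: NEW + unneeded port
        Flow("10.20.0.10", "10.20.0.20", 2404),   # stays inside the ESP: no alert
    ]
    for line in audit(sample, baseline):
        print(line)
```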

R3 – Malicious Code Prevention

Tenable.ot identifies malicious code activities on the network, including malware propagation, abnormal communications, network attacks on controllers and direct attacks via connected compromised laptops. Real-time alerts enable security staff to mitigate threats before they lead to misoperation or instability.

R4 – Security Event Monitoring

R4.1: Log events at the BES Cyber System level

Tenable.ot identifies and logs all unauthorized electronic use or actions on controllers in real-time, enabling staff to respond immediately to cyber security incidents and/or forensic activity after the fact.

R4.2: Generate alerts for security events

Tenable.ot raises alerts in real-time for security events on controllers, enabling staff to respond immediately to cyber security incidents. For example, if an unauthorized person logs in to a controller over the network, or takes an action – like downloading code or upgrading firmware – that they are not allowed to take, you will receive an immediate alert.

Note: Tenable.ot integrates with industry-leading SIEM solutions, NGFWs and other IT based security solutions to streamline security event management across IT and OT environments.

INCIDENT REPORTING AND RESPONSE PLANNING / CIP-008

PURPOSE

Mitigate the risk to the reliable operation of the BES as the result of a cyber security incident by specifying incident response requirements.

TENABLE.OT

Real-time alerts and audit trails to enable security staff to identify, investigate and respond to cyber security incidents

Tenable.ot can aid incident response for OT networks in three important ways:

1. Real-time alerts on detected threats, anomalies and unauthorized activities on OT devices. These can then be investigated to determine whether they constitute a cyber security incident.

2. To help make this determination, Tenable.ot provides a comprehensive audit trail of activities and changes to control devices.

3. Should the organization decide that a forensic investigation is required, the audit trail provides invaluable visibility into OT activities and changes.

Together, these capabilities enable security staff to identify, investigate and respond to cyber security incidents.

RECOVERY PLANS FOR BES CYBER SYSTEMS / CIP-009

PURPOSE

Recover reliability functions performed by BES Cyber Systems by specifying recovery plan requirements in support of the continued stability, operability, and reliability of the BES.

TENABLE.OT

Configuration Control for reliable and quick recovery

Tenable.ot provides a comprehensive audit trail of changes to all devices in the OT infrastructure, thereby supporting recovery planning, implementation and testing.

CIP-009 R1 – Recovery Plan Specifications: processes for the backup and storage of information

Tenable.ot regularly captures a baseline of each controller’s configuration and activity using its patented active querying feature. By actively gathering detailed information about the devices, Tenable.ot finds properties and changes that can’t be identified over the network. Tenable.ot keeps historical snapshots of device baselines, enabling security staff to use the information for backup and recovery in case the controller needs to be restored to a previously known good state.


CONFIGURATION CHANGE MANAGEMENT AND VULNERABILITY ASSESSMENTS / CIP-010

PURPOSE

Prevent and detect unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise that could lead to misoperation or instability in the BES.

TENABLE.OT

Real-time alerts to meet configuration monitoring requirements and vulnerability notifications that apply to your devices

Tenable.ot’s unique technology provides a comprehensive audit trail of all OT control devices, including changes made to the controller’s logic, whether done over the network or by physically connecting to the device. Real-time alerts enable utilities to meet configuration monitoring requirements.

In addition, Tenable.ot maintains a continuously updated list of the version numbers of all software and firmware installed on your controllers, and compares this regularly against a list of known vulnerabilities (NVD data). Tenable.ot notifies you whenever a new vulnerability appears that applies to a software or firmware version installed on one of your devices. Additionally, Tenable.ot is fully integrated with Tenable.sc and Tenable.io to provide a stream of vulnerability and security data in a single pane of glass view, and response to all cyber exposure and risk incidents.

CIP-010 R1 – Configuration Change Management

Develop a baseline configuration

Tenable.ot automatically establishes a baseline of each controller configuration and continuously monitors for configuration changes. All changes are reported to you, and security staff members are alerted if any unauthorized change is made through the network. Besides providing useful information to you, this capability will provide valuable evidence at audit, showing that all configuration changes to controllers were noted and accounted for.

CIP-010 R2 – Configuration Monitoring

Monitor at least once every 35 calendar days for changes to the baseline configuration

Tenable.ot automatically identifies and alerts on changes to baseline configurations of controllers, eliminating the need for manual monitoring and reporting. This is not only more effective and more accurate; it enables staff to respond quickly to unauthorized changes.
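The baseline-and-compare mechanism behind CIP-010 R1/R2 (and the daily configuration comparison described under CIP-004), as an added example that is not Tenable.ot's code or part of the data sheet: the snapshot layout, device name, change tickets and dates are constructed assumptions, and the 35-day window is the R2 interval quoted above.

```python
# Added example (not Tenable.ot's code): the baseline-and-compare mechanism
# described for CIP-010 R1/R2 and for the daily configuration comparison under
# CIP-004. A controller's configuration snapshot is flattened to (path, value)
# pairs and diffed against its baseline, each change is reconciled against
# authorized-change records, and the age of the last comparison is checked
# against the 35-calendar-day window. All snapshots/records are constructed.
from datetime import date

MONITOR_WINDOW_DAYS = 35   # CIP-010 R2 monitoring interval

def flatten(cfg, prefix=""):
    """Flatten nested dicts into {'a.b': value} so every field can be diffed."""
    out = {}
    for key, val in cfg.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(val, dict):
            out.update(flatten(val, path))
        else:
            out[path] = val
    return out

def diff_configs(baseline, current):
    """Return sorted (path, old, new) tuples; old/new is None when added/removed."""
    b, c = flatten(baseline), flatten(current)
    return sorted((p, b.get(p), c.get(p)) for p in set(b) | set(c) if b.get(p) != c.get(p))

def reconcile(device, changes, authorized, when):
    """Label each change 'authorized' if a record covers device+path on `when`,
    else 'UNAUTHORIZED' (the case that should raise a real-time alert)."""
    labelled = []
    for path, old, new in changes:
        ok = any(a["device"] == device and a["path"] == path
                 and a["start"] <= when <= a["end"] for a in authorized)
        labelled.append(("authorized" if ok else "UNAUTHORIZED", path, old, new))
    return labelled

def monitoring_overdue(last_compared, today):
    """True when the baseline has not been compared within the 35-day window."""
    return (today - last_compared).days > MONITOR_WINDOW_DAYS

if __name__ == "__main__":
    baseline = {"firmware": "2.4.1", "logic_hash": "constructed-a",
                "settings": {"cpu_mode": "run", "password_required": True}}
    current = {"firmware": "2.4.3", "logic_hash": "constructed-b",
               "settings": {"cpu_mode": "run", "password_required": False}}
    # One change ticket covers the firmware upgrade; the logic and setting changes do not.
    tickets = [{"device": "plc-unit1", "path": "firmware",
                "start": date(2022, 9, 1), "end": date(2022, 9, 10)}]
    for row in reconcile("plc-unit1", diff_configs(baseline, current), tickets, date(2022, 9, 9)):
        print(row)
    print("monitoring overdue:", monitoring_overdue(date(2022, 7, 20), date(2022, 9, 9)))
```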

CIP-010-2 Table R3 – Vulnerability Assessments

At least once every 15 calendar months, conduct a paper or active vulnerability assessment

Tenable.ot combines passive network activity monitoring with active querying to provide the most in-depth device vulnerability assessment. For example, it provides the asset inventory and information on current device firmware versions and their associated CVEs. It also identifies open ports and calculates an accurate, up-to-date risk score that is not based on “last seen traffic.”

If a purely “passive” vulnerability assessment is required, Tenable.ot gathers the information from the network traffic (“last seen traffic”), which provides detailed information, yet may miss changes made via serial cable connections.

Document the results of the testing

Tenable.ot provides a detailed vulnerability assessment report, eliminating the need to compose manual and often inaccurate or outdated controller reports.

ABOUT TENABLE

Tenable® is the Cyber Exposure company. Approximately 40,000 organizations around the globe rely on Tenable to understand and reduce cyber risk. As the creator of Nessus®, Tenable extended its expertise in vulnerabilities to deliver the world’s first platform to see and secure any digital asset on any computing platform. Tenable customers include approximately 60 percent of the Fortune 500, approximately 40 percent of the Global 2000, and large government agencies. Learn more at tenable.com.

COPYRIGHT 2022 TENABLE, INC. ALL RIGHTS RESERVED. TENABLE, TENABLE.IO, NESSUS, ALSID, INDEGY, LUMIN, ASSURE, AND LOG CORRELATION ENGINE ARE REGISTERED TRADEMARKS OF TENABLE, INC. OR ITS AFFILIATES. TENABLE.SC, TENABLE.OT, TENABLE.AD, EXPOSURE.AI, AND THE CYBER EXPOSURE COMPANY ARE TRADEMARKS OF TENABLE, INC. OR ITS AFFILIATES. ALL OTHER PRODUCTS OR SERVICES ARE TRADEMARKS OF THEIR RESPECTIVE OWNERS.
