How to Integrate NERC CIP Requirements in an Ongoing Automation and Integration Project Jacques Benoit, Cooper Power Systems Inc. [email protected] Robert O’Reilly, Cooper Power Systems Inc. [email protected] Outline Introduction NERC CIP calendar The challenges The project Implementing NERC CIP requirements NERC CIP calendar Depends on Responsible Entity Typically – • • • • End of 2nd Qtr 2007 – Begin work End of 2nd Qtr 2008 – Substantially compliant End of 2nd Qtr 2009 – Compliant End of 2nd Qtr 2010 – Auditably compliant Challenges to project engineer Organizational – it is a cross-departmental effort Minimize impact on current projects • Deadlines • Do more with same budget Evaluate impact on previous projects Define strategy for future projects To begin – Reduce the scope of the project These standards can be considered to be outside the project scope – • • • • CIP-001 Sabotage Reporting CIP-007 Physical Security (partially) CIP-008 Incident Reporting and Response Planning CIP-009 Recovery Plans for Critical Cyber Assets Complying with NERC From the beginning – • Address NERC committee’s concerns • Plan for auditability • Plan to perform audit during FAT Security is a strong as the weakest link – NERC defines only minimum security! The substation modernization project 15-years old New equipment Legacy equipment Operation must not be interrupted CIP compliance is now mandatory A Typical Legacy Substation The project goals Provide SCADA with access to operational data produced by the IEDs Provide other control centers with access to data Provide remote access to the IEDs – • To retrieve event (non-operational) data • To retrieve/change device settings Proposed substation architecture Evaluating the architecture IT provides a network infrastructure that performs as an electronic perimeter – • Firewall blocks unused ports • Router ensures the authenticity of both ends • VPN ensures secure data exchange between substation LAN and control center LAN The solution provides real-time data to SCADA in a substantially NERC CIP compliant manner Shortcomings Remote access for maintenance and event retrieval is not authenticated, monitored and logged – as required by NERC CIP There is no provision for data distribution – • Devices do not support simultaneous client connections Protocol issues are exported to the client systems An alternative substation architecture FRAD/WAN Access Point Gateway From Serial Devices 832 009 714 To Gateway 832 009 714 Power metering To Gateway Power metering Transformer Data & Alarming Transformer Data & Alarming RTU/PLC To Gateway To Gateway To Gateway Overcurrent Overcurrent Overcurrent To Gateway Bus coupler Bus protection Overload Overload Overload Overcurrent Relay Advanced protection relay with: - Frequency - Voltage - Fault indication Differential Reclosure 832 009 714 Metering To Gateway Reclosure 832 009 714 Distance Metering Distance Transformer Data & Alarming 832 009 714 To Gateway To Gateway Metering Using a substation gateway The use of a gateway device can now be considered an industry best practice – • • • • Concentrates device data and reduces bandwidth utilization Supports protocol conversion locally Supports connections to multiple control centers Acts as a serial port switch to provide access to device maintenance ports • Provides additional services – modem support, automation functions, time synchronization, security, etc. The gateway as an electronic perimeter Modern gateway devices also perform as an electronic perimeter – • • • • Local and/or global authentication Firewall VPN Logging and monitoring The gateway can thus be used to implement secure remote connections for maintenance and engineering Securing remote device access SCADA / EMS / OMS PROTECTION ` ENGINEERING ` ` WAN GATEWAY RTU PROTECTION RELAY The gateway device connects to a corporate server for centralized authentication The gateway device can provide local authentication, access logging and monitoring services MONITORING DEVICE An alternative method to secure engineering and maintenance access ` ` ` WAN GATEWAY An enterprise-level application provides authentication, access logging, and monitoring services Some issues IT and process networks are designed with fundamentally different requirements • Network availability > For data communications > For authentication • Operational procedures > Account lockout > Access permissions Project Review Asset identification Critical cyber asset identification Access requirements • • • • Users Groups Devices Tasks to perform Asset identification For each device in the substation – • • • • • • • ID Location Type Manufacturer Model Serial Number Manager Access requirements Establish permissions per user, per device – • • • • • • • • • Security management System management Read configuration Modify configuration Run diagnostics Passthrough Monitor Operate Modem access Help from Other Groups Management and operations • Define access control Human resources • Personnel risk assessment IT • Deploy authentication servers and remote access servers • Implement access policies • Implement two-factor authentication Change Control Identify, control and document all entity or vendor related changes to hardware and software components Part of the standard project documentation process If required, commercial and open source solutions are available for managing document and file change history Security Patches and Malware “Updates are available” Solutions based on popular operating systems need more frequent security updates Standard transmission vectors should be blocked – remap ports if possible Enterprise-wide solutions are available and already managed by IT • System availability issues • Documentation, testing and history required Security Status Monitoring Implement automated tools or organizational process controls to monitor system events that are related to cyber security. Intrusion detection systems Protocol firewalls Data points to report gateway operational and security status Standard reporting and logging solutions SNMP, SYSLOG, etc. Testing Final engineering phase Prepare framework with vendors and integrators Change default settings and passwords Check ports and services – IT can provide automated solutions, NESSUS, CS2SAT (Control System Cyber Security SelfAssessment Tool), etc. Conclusion NERC CIP compliance is an interdepartmental effort Technology is but a limited part of the effort Most of the required reports are natural extensions of the engineering process Compliance will result in a more reliable infrastructure References National Institute of Standards and Technology • • • • • • • • • SP800-12 An Introduction to Computer Security: The NIST Handbook for Security SP800-26 Rev.1 Guide for information Security Assessment and System Reporting Form SP800-80 Guide for Developing Performance Metrics for Information Security SP800-82 Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security SP800-83 Guide to Malware Incident Prevention and Handling SP800-92 Guide to Computer Security Log Management SP800-95 Guide to Secure Web Services P800-100 Information Security Handbook: A Guide for Managers NISTR 6885-2004 Automated Security Self-Evaluation tool user Manual References North American Electric Reliability Corporation Critical Infrastructure Protection http://www.nerc.com/~filez/standards/Cyber-Security-Permanent.html • CIP-001 Sabotage Reporting • CIP-002 Critical Cyber Assets • CIP-003 Security Management Controls • CIP-004 Personnel & Training • CIP-005 Electronic Security • CIP-006 Physical Security • CIP-007 Systems Security Management • CIP-008 Incident Reporting and Response Planning • CIP-009 Recovery Plans References CYBERSECURITY for SCADA Systems, by William T. Shaw, PhD, CISP, PennWell 2006 ANSI/ISA-TR99.00.02-2004 “Integrating Electronic Security into the Manufacturing and Control Systems Environment” AGA Report #12 “Cryptographic Protection of SCADA Communications –General Recommendations. Control System Cyber Security Self-Assessment tool, http://www.us-cert.gov/control_systems/pdf/CS2SAT.pdf