CIP & Your HMI: A Simplified Solution


CIP & YOUR HMI: A SIMPLIFIED SOLUTION

Author: Gary Overstreet - Vice President
FoxGuard Solutions
2285 Prospect Dr. NE, Christiansburg, VA 24073
877.446.4732
foxguardsolutions.com

INTRODUCTION

The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP), under the direction of the Federal Energy Regulatory Commission (FERC), has created compliance standards for the Bulk Electric System (BES). Entities operating within the BES must adhere to these standards. These standards are in place to ensure that our electrical generation, transmission, and distribution can continue uninterrupted, especially as it would relate to interruptions caused by cyber events.

Penalties for not adhering to these standards can be significant. In February of 2016, NERC issued a full notice of penalty regarding an Unidentified Registered Entity, FERC Docket No. NP16- 000. The penalty amount was 1.7M [1]. In October of 2016, NERC issued a full notice of penalty regarding an Unidentified Registered Entity, FERC Docket No. NP17- -000 in the amount of 1.25M [2]. The stakes are very high relative to being NERC CIP compliant.

The industry is now about 10 years into the NERC CIP standards. The utilities within the BES have been working hard to understand the requirements and to put in place the necessary processes, controls, and documentation to be compliant. They have instituted the necessary processes to ensure that their assets are protected and their contribution to the grid is as safe as it can be. But the NERC CIP standards have been a moving target over the years. So utilities have put different processes in place, but as the standards progress, compliance may not be to the level it should. Those entities who, for whatever reason, are not presently compliant face the possibility of much higher fines now and negative perception within the industry.

There are certainly different ways to increase the level of security compliance. One way is to perform this work internally. This can be expensive due to the need to hire many people, set up new equipment for testing and validation, and build new internal processes, all to create the proper environment for the successful execution of the cyber security program. Another option, or modification to the first option, would be to create a high level structure that manages this process but puts a large amount of the burden of compliance on those that supply the assets to the utilities. This is certainly a decentralized approach but puts much of the resource burden elsewhere to ensure that execution occurs and in a timely manner. This paper will focus on this latter alternative.

Utilities have a daunting task. They are often faced with the need to ensure security compliance against an extremely large fleet of assets. To do that requires increases in personnel but also requires the knowledge and wherewithal to understand the standards, comply with the standards, and then document said compliance. This could lead to focus in one critical area while leaving other areas that fall under the standard unattended. Having a supplier take on the burden of doing everything possible to increase the security posture of the systems before they arrive at the customer location allows the end customer a bit more peace of mind that certain elements have been reviewed and addressed.

So let’s look at one of the standards and the compliance requirements as taken from NERC.

CYBER SECURITY — SYSTEMS SECURITY MANAGEMENT [3]

CIP-007-6

Purpose: To manage system security by specifying select technical, operational, and procedural requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the Bulk Electric System Standard (BES).

REQUIREMENTS

- Ports and Services — where technically feasible, enable only logical network accessible ports that have been determined to be needed by the Responsible Entity, including port ranges or services where needed to handle dynamic ports. If a device has no provision for disabling or restricting logical ports on the device then those ports that are open are deemed needed. Protect against the use of unnecessary physical input/output ports used for network connectivity, console commands, or Removable Media.

- Security Patch Management — a patch management process for tracking, evaluating, and installing cyber security patches for applicable Cyber Assets is required. The tracking portion shall include the identification of a source or sources that the Responsible Entity tracks for the release of cyber security patches for applicable Cyber Assets that are updateable and for which a patching source exists.

- Malicious Code Prevention — Deploy method(s) to deter, detect, or prevent malicious code. Mitigate the threat of detected malicious code. For those methods identified above that use signatures or patterns, have a process for the update of the signatures or patterns. The process must address testing and installing the signatures or patterns.

- Security Event Monitoring — Log events at the BES Cyber System level (per BES Cyber System capability) or at the Cyber Asset level (per Cyber Asset capability) for identification of, and after-the-fact investigations of, Cyber Security Incidents that includes, as a minimum, each of the following types of events:
  - Detected successful login attempts
  - Detected failed access attempts and failed login attempts
  - Detected malicious code

  Generate alerts for security events that the Responsible Entity determines necessitates an alert, that includes, as a minimum, each of the following types of events (per Cyber Asset or BES Cyber System capability):
  - Detected malicious code
  - Detected failure of event logging

- System Access Control – Have a method(s) to enforce authentication of interactive user access, where technically feasible. Identify and inventory all known enabled default or other generic account types, either by system, by groups of systems, by location, or by system type(s). Identify individuals who have authorized access to shared accounts. Change known default passwords, per Cyber Asset capability. For password-only authentication for interactive user access, either technically or procedurally enforce password parameters for length and complexity as stated in the CIP-007-6 standard. Where technically feasible, for password-only authentication for interactive user access, either technically or procedurally enforce password changes or an obligation to change the password at least once every 15 calendar months. Where technically feasible, either:
  - Limit the number of unsuccessful authentication attempts, or
  - Generate alerts after a threshold of unsuccessful authentication attempts.

REMOVING THE BURDEN

What if the vendors who supplied the computing equipment, networking equipment, and any other equipment deemed “programmable assets” performed much of the work described in the standards outlined above before that equipment arrived at the site? If that burden was taken away from the utility personnel and they could focus more on maintenance of security and compliance, wouldn’t that be an efficiency and cost savings win?

The idea conceived and proposed in this paper is to create an environment where the suppliers have internal controls relative to cyber security and, through the adherence to those controls, would provide products that have been carefully and securely created, assembled, documented, and shipped.

In the control room of a power plant or within a substation, there are computers that perform controls, SCADA, or gateway functionality. Those computer systems could be one of the first places to implement the supplier controls discussed above. Firms are out there right now who have implemented the necessary security controls into their supply chain and fulfillment processes. Here are some of the examples of what that means and the outcome for the utility. As you can see, many of these items reflect back on the requirements set forth in NERC CIP-007.

The supplier facility would be secured using physical and software controls. Only those who have the proper clearance and security privileges would be allowed access to the equipment and information required to assemble the product. A unique set of manufacturing steps would be applied during the assembly process for NERC CIP compliance, and those steps would include:

- Software
  - The operating system and critical applications would be updated with the latest verified and tested security patches.
  - A system audit would be conducted for all users, installed applications, security patches, and ports and services.
  - A vulnerability assessment would be performed using a third party application such as Nessus.
  - Final manufacturing checks would be performed, including:
    - A full system scan using up to date and trusted anti-virus software
    - System diagnostics, final review for errors, and associated documentation
    - Full system backup
    - Set up of a unique password for each system
    - Documentation of the final system shutdown

- Hardware – To promote awareness of unauthorized access or misuse of certain physical ports, such as USB or Ethernet, install port blockers, attach warning labels, and lock chassis with a combination lock, to prevent access to internal components.

- Documentation:
  - Manufacturing steps that are critical to NERC CIP standards would be documented in two formats, electronic and hard copy.
  - Hard copies would be placed in a unique binder for each system. This documentation would become a baseline for the utility to prepare for NERC CIP audits and for the ongoing maintenance of their compliance program.
    - Custom cover page per platform
    - Manufacturing quality signoff
    - Hardware diagnostics report
    - System overview
    - List of users and groups
    - List of installed software
    - List of installed updates
    - List of open ports
    - List of service configuration
    - Vulnerability Report
    - Any additional information that might be specific to this implementation
    - Training and User Guide (per individual project requirements)

- Packaging – tamper proof branded and serialized labels would be used to ensure the proper chain of custody.
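
The baseline use described above, as an added example (not FoxGuard's code): a later audit of the same HMI is compared with the delivered lists, and a port inside a documented dynamic range is not flagged. The dictionary layout, account names, update ids, ports and the list-to-requirement mapping are constructed assumptions.

```python
# Added example: compare a later audit of an HMI against the supplier baseline.
# Data layout and all values are constructed; the paper defines no file format.
BASELINE = {
    "users": ["Administrator", "hmi_operator"],
    "software": ["HMI Runtime 4.2", "AV Agent 11.0"],
    "updates": ["KB0000001", "KB0000002"],
    # Ports deemed needed, including a range for dynamic ports.
    "open_ports": ["tcp/443", "tcp/44818", "tcp/49152-49200"],
}
CURRENT = {
    "users": ["Administrator", "hmi_operator", "vendor_temp"],
    "software": ["HMI Runtime 4.2", "AV Agent 11.0"],
    "updates": ["KB0000001"],
    "open_ports": ["tcp/443", "tcp/44818", "tcp/49160", "tcp/3389"],
}
# Assumed mapping from each list to the requirement area it is reviewed under.
AREA = {"users": "System Access Control", "updates": "Security Patch Management",
        "software": "Security Patch Management", "open_ports": "Ports and Services"}

def port_allowed(port, allowed):
    """True if 'proto/number' equals an allowed port or falls inside a range."""
    proto, number = port.split("/")
    for entry in allowed:
        a_proto, a_spec = entry.split("/")
        low, _, high = a_spec.partition("-")
        if proto == a_proto and int(low) <= int(number) <= int(high or low):
            return True
    return False

def drift(baseline, current):
    """Return sorted (area, list, change, item) tuples for every deviation."""
    findings = []
    for name, area in AREA.items():
        base, cur = baseline.get(name, []), current.get(name, [])
        if name == "open_ports":
            added = [p for p in cur if not port_allowed(p, base)]
            # A baseline range need not be fully open, so only single
            # baseline ports are reported when they are no longer listening.
            removed = [p for p in base if "-" not in p and p not in cur]
        else:
            added = [i for i in cur if i not in base]
            removed = [i for i in base if i not in cur]
        findings += [(area, name, "added", i) for i in added]
        findings += [(area, name, "removed", i) for i in removed]
    return sorted(findings)

if __name__ == "__main__":
    for finding in drift(BASELINE, CURRENT):
        print(" | ".join(finding))
```

Each finding is a prompt for review against the named requirement area, for example deciding whether a newly open port is needed or whether a missing update was rolled back.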

This type of process could be a windfall to a utility. For these “programmable assets” that fall within the NERC CIP Compliance requirements, a huge step would be taken by having all of this done before reaching the individual power plant or substation site. Once the equipment reached the utility, the customer could be confident that the proper security controls had been used. The burden of doing this work and generating this documentation would be pushed back to the supply chain, allowing the utility to concentrate on providing good, safe, and secure electricity. Moving some responsibilities to the supply chain will certainly not be a cure-all, but it would help.

We at FoxGuard Solutions are experienced in the delivery of computing and cyber security solutions. We understand the need for these capabilities and have worked hard to create this type of infrastructure in our facilities. The ability to do this is inherent in our processes. We welcome the opportunity to consult with any utility customer who would like to explore these ideas more fully.

ABOUT FOXGUARD SOLUTIONS

FoxGuard Solutions is a Virginia based and ISO certified operational technology company that delivers reliable, secure, and configurable solutions to solve technology and compliance challenges faced by critical infrastructure entities. With over three decades of experience, our team focuses on delivering customized Cyber Security, Compliance, and Industrial Computing solutions.

FoxGuard has 35 years of experience in developing turnkey computing solutions for mission-critical applications designed to fit a customer’s intended use, expected life-cycle and desired price point. FoxGuard has experience in providing cyber security solutions, including patch and update management services, asset analysis and monthly patch reporting, security services, hardware/software solutions and field services. By leveraging our experience and expertise, we support asset owners in mitigating cyber security risks and addressing related regulatory compliance

mp/CE/Enforcement%20Actions%20DL/PUBLIC CIP FinalFiled NOC-2463 FullNOP Settlement pdf

Contact FoxGuard: requestinfo@foxguardsolutions.com
FoxGuard Solutions
@FoxGuardInc
