Lessons Learned For NERC CIPv5 Compliance & Configuration Change Management
Mark Prince, Entergy
Tim Erlin, Tripwire
Karl Perman, EnergySec
Logistics
• Panelist discussion followed by questions and answers
• All lines other than panelists will be muted
• Questions via chat function
• Audio and slides will be posted within 72 hours
It’s Interactive
Please submit your questions through the control panel to get answers LIVE from our panelists.
Introductions
Mark Prince, Manager OT Fossil
Tim Erlin, Director, IT Security and Risk Strategist, @terlin
Karl Perman, VP, Member Services, @EnergySec
NERC CIP V5 Pain Points
• Asset Identification and Categorization
• Change Approval Process
• Configuration Management
• Compliance Management
• Baseline Configuration
• Patching
• Malware Prevention and Detection
• Access Management
• Information Protection
• Evidence of Compliance
• Many manual processes
© 2015 Energy Sector Security Consortium, Inc.
General Change Management Process
• Develop baseline configurations
• Authorize and document changes to baselines
• Update baselines within 30 days
• Verify security controls
• Pre-change Testing
  – High Impact BCS
• Configuration Monitoring
  – High Impact BCS, EACMS, and PCA
Configuration Change Management Pain Points
• Number and variety of devices
• Every time, every change
  – No exceptional circumstances exemption
• Identify security controls affected by the change
  – CIP-005 and CIP-007
• High Impact needs to have “Double Test”
  – Once before change, once after change
• Automated system vs. manual process
Evidence
• What needs to be maintained
• Maintain Documentation
• Storage
• Automated work flows or manual processes
How did you come into this CIPv5 project?
What was your vendor selection process for CIPv5 compliance technologies?
What’s the architecture of the environment you’re addressing?
Entergy Fossil Generation
Lessons Learned
1. Data diodes and centralized reporting are not mutually exclusive.
2. Your budget cycle does not match your audit cycle.
3. Consistency creates efficiency.
Tripwire’s NERC Solution Suite
Tripwire helps meet 20 of 32 CIP requirements
Tripwire’s NERC CIP Solution
70% of the Top Electrical Utilities in the U.S. use Tripwire
NERC Alliance Network
Beyond Compliance to Cybersecurity
Securing Critical Infrastructure
Critical Infrastructure is Evolving… to a more connected energy supply
Tripwire Can Help
New connections bring new challenges and new threats
Q & A