In May 2014 the US Department of Homeland Security and its Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, issued a report confirming several recent attacks on public utilities from the first quarter of 2014. DHS confirmed that a sophisticated threat actor gained unauthorized access to an unnamed public utility’s control system network.
Incidents of this type haven’t been as widely publicized as recent retail breaches, but many believe that far more incidents occur within the Energy Sector than are reported in the press. Lack of enforced and implemented policy and compliance, poor capability for early detection of threat indicators, and lack of visibility and automation may all contribute to the failure to rapidly detect attacks and breaches.
Essential Power™ (formerly known as North American Energy Alliance) is a wholesale power generator and marketer providing electric energy, located in the Northeastern United States. Essential Power will share a case study on its own journey towards achieving NERC CIP compliance within a very short five-month timeline, and how they did it.
2. Founded in 2008
Own and operate five generation facilities throughout the Northeast
Our fleet is primarily peaking power fueled predominantly by natural gas
Just over 2,000 megawatts of total generation capacity
Headquartered in Princeton, NJ
Essential Power, LLC ~ Proprietary & Confidential
3. What did we start with?
What hurdles did we face as our company developed and as enforcement dates loomed for CIP?
How were we able to overcome these challenges?
What are some potential hurdles coming up regarding future risk and CIP 5?
5. Inherited our generation networks
Lacked thoughtful design
Used overlapping IP address subnets
Lacked “intelligent hardware”
Minimal Security
No Logging
No backup plan
6. Retrofit security as much as possible to existing networks
A complete redesign from scratch was not possible at the time
Our time frame was incredibly short
A new mindset: not just generating energy, but generating it securely
Defense In Depth
Deter, Delay, Detect, Defend
7. Perform our GAP analysis
Secure all devices
Manage and document all user accounts
Create ESPs and PSPs
Enable logging on all devices
Monitor these logs for any unexpected behavior
Make sure we are meeting our CIP requirements
9. CIP-005 and CIP-007 require review of log samples from Critical Cyber Assets and Access Control and Monitoring devices, and require us to have an auditable log of user activity
It was determined that a Security Information and Event Management (SIEM) system, collecting and correlating system logs on a centralized server, would be required
A centralized SIEM would mean convergence of the existing segregated networks
Network Address Translation was required due to the overlapping networks
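The overlap problem on this slide is worth seeing concretely: if two plants both use 192.168.1.0/24, a centralized SIEM receives identical source addresses from different sites and cannot attribute an event to a host. The following is an added example, not Essential Power's design or a Tripwire feature; the site inventory and the 10.200.0.0/16 shadow pool are constructed. It finds the colliding subnets, assigns each colliding site a unique shadow subnet of the same size (a 1:1 "netmap" style translation that preserves host bits), and leaves non-colliding sites untouched.

```python
"""Plan 1:1 NAT for inherited plant networks whose subnets overlap.

Added example, not Essential Power's design or a Tripwire feature. The
site inventory and the shadow pool are constructed; the point is that a
centralized SIEM needs every source address to be unique, so colliding
sites are mapped onto distinct shadow subnets with host bits preserved.
"""
import ipaddress

# Constructed inventory: three plants reuse the same private range.
SITES = {
    "plant-a": ipaddress.ip_network("192.168.1.0/24"),
    "plant-b": ipaddress.ip_network("192.168.1.0/24"),
    "plant-c": ipaddress.ip_network("192.168.1.0/24"),
    "plant-d": ipaddress.ip_network("10.5.0.0/16"),   # no collision
}

# Assumed free range that the SIEM side will see after translation.
SHADOW_POOL = ipaddress.ip_network("10.200.0.0/16")


def overlapping_sites(sites):
    """Sorted pairs of site names whose subnets overlap."""
    names = sorted(sites)
    return [(a, b)
            for i, a in enumerate(names)
            for b in names[i + 1:]
            if sites[a].overlaps(sites[b])]


def plan_netmap(sites, pool):
    """Give every site involved in an overlap its own shadow subnet of the
    same prefix length, carved from `pool`; other sites keep their
    real addresses (identity mapping)."""
    collide = set()
    for a, b in overlapping_sites(sites):
        collide.update((a, b))
    free = [pool]          # unallocated pieces of the pool
    plan = {}
    for name in sorted(sites):
        real = sites[name]
        if name not in collide:
            plan[name] = real
            continue
        carved = None
        for blk in sorted(free):                 # lowest address first
            if blk.prefixlen <= real.prefixlen:  # big enough to hold it
                carved = next(blk.subnets(new_prefix=real.prefixlen))
                free.remove(blk)
                free.extend(blk.address_exclude(carved))
                break
        if carved is None:
            raise ValueError(f"shadow pool exhausted at {name}")
        plan[name] = carved
    return plan


def translate(plan, sites, site, host):
    """Shadow address for `host` at `site`, keeping the host bits."""
    real, shadow = sites[site], plan[site]
    addr = ipaddress.ip_address(host)
    if addr not in real:
        raise ValueError(f"{host} is not in {site}'s subnet {real}")
    offset = int(addr) - int(real.network_address)
    return str(shadow.network_address + offset)


if __name__ == "__main__":
    plan = plan_netmap(SITES, SHADOW_POOL)
    for site, shadow in plan.items():
        print(f"{site}: {SITES[site]} -> {shadow}")
    print(translate(plan, SITES, "plant-b", "192.168.1.10"))
```

The SIEM then sees plant-b's 192.168.1.10 as 10.200.1.10, and the plan table is the piece of documentation an auditor will ask for when a log entry has to be traced back to a physical device.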
10. Cyberthreat Gaps
[Figure: The Cyberthreat Kill Chain (Lockheed Martin), plotting level of exposure against chance of detection across the phases Recon, Weaponization & Delivery, Exploitation, C2 (Command & Control), and Malicious Action (Exfiltration and Business Disruption)]
11. [Figure: periodic, manual assessment, where a megascan is required to reassess, contrasted with Continuous Security Configuration Management]
Understands Changes in the Environment
The Goal is Security, not Audit
Lower Costs, Greater Efficiency
Continual Risk Reduction
Measurable, Sustainable Security
Configuration Changes Occur Constantly
12. We reviewed three different SIEM vendors during our RFP / review process
Ultimately chose Tripwire, due to a combination of factors
At the time, they were one of the few vendors that had predetermined CIP rules
Offered solid value for the overall cost compared to other competitors
Their support team was willing and able to assist us throughout the deployment
Interface was simple, intuitive, and provided exactly what we needed to see
We opted for both Tripwire Log Center and Tripwire Enterprise
13. CIP-005 R3.2. Alerting for Cyber Security Incidents for access control and monitoring devices
CIP-005 R5.3. Retain and review electronic access logs for at least ninety calendar days for Access Control and Monitoring devices
CIP-007 R6.2 Alerting for Cyber Security Incidents for critical cyber assets
CIP-007 R6.3 Logs of system events related to cyber security for critical cyber assets
CIP-007 R6.4 Retain logs of critical cyber assets for 90 days
CIP-007 R6.5 Review logs for critical cyber assets at least every 90 days
CIP-008 R3 Logs related to reportable incidents shall be kept for 3 years
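Two of these requirements interact in a way that is easy to get wrong in practice: a log file that would normally age out after 90 days must be held for 3 years once it relates to a reportable incident, and "retained for 90 days" also means the archive must actually have no gaps in the last 90 days for each source. The following is an added example, not Essential Power's procedure or a Tripwire feature; the archive index, source names and incident tag format are constructed, and "3 years" is assumed to be evaluated as 1095 days. It lists what may be purged today and which sources have a coverage gap inside the review window.

```python
"""Retention check for the two log-retention windows the slide lists.

Added example; it is not Essential Power's procedure or a Tripwire feature.
The archive index, source names and incident tag format are constructed.
Assumption: "3 years" is evaluated as 1095 days; logs carrying an
incident tag inherit the longer window even though their source would
otherwise fall under the 90-day rule.
"""
from collections import defaultdict
from datetime import date, timedelta

GENERAL_DAYS = 90          # CIP-005 R5.3 / CIP-007 R6.4
INCIDENT_DAYS = 3 * 365    # CIP-008 R3 (assumed 1095 days)

# Constructed archive index: (source, first event, last event, tags).
# Each entry is one archived log file covering a date range.
ARCHIVE = [
    ("esp-firewall", date(2014, 1, 1), date(2014, 1, 31), set()),
    ("esp-firewall", date(2014, 2, 1), date(2014, 2, 28), set()),
    ("esp-firewall", date(2014, 3, 1), date(2014, 3, 31), set()),
    ("esp-firewall", date(2014, 4, 1), date(2014, 4, 30), set()),
    ("esp-firewall", date(2014, 5, 1), date(2014, 5, 31), set()),
    ("plant-hmi", date(2014, 2, 1), date(2014, 2, 28), {"incident:INC-2014-01"}),
    ("plant-hmi", date(2014, 4, 1), date(2014, 4, 30), set()),
    ("plant-hmi", date(2014, 5, 1), date(2014, 5, 31), set()),
]
TODAY = date(2014, 6, 1)


def retention_days(tags):
    """Longest window that applies: incident-tagged logs keep 3 years."""
    if any(t.startswith("incident:") for t in tags):
        return INCIDENT_DAYS
    return GENERAL_DAYS


def purge_candidates(archive, today):
    """Files whose newest event is already past its retention window.

    Returns 'source:first-event-date' strings in archive order."""
    out = []
    for src, first, last, tags in archive:
        if last + timedelta(days=retention_days(tags)) < today:
            out.append(f"{src}:{first.isoformat()}")
    return out


def coverage_gaps(archive, today, days=GENERAL_DAYS):
    """Per source, the date ranges inside the last `days` days (up to
    yesterday) for which no archived file exists. An empty dict means the
    review window is fully covered."""
    window_start = today - timedelta(days=days)
    window_end = today - timedelta(days=1)
    by_source = defaultdict(list)
    for src, first, last, _ in archive:
        by_source[src].append((first, last))
    gaps = {}
    for src, ranges in sorted(by_source.items()):
        cursor = window_start
        found = []
        for first, last in sorted(ranges):
            if last < cursor:
                continue                     # entirely before the window
            if first > cursor:               # uncovered days before this file
                found.append((cursor.isoformat(),
                              min(first - timedelta(days=1), window_end).isoformat()))
            cursor = max(cursor, last + timedelta(days=1))
            if cursor > window_end:
                break
        if cursor <= window_end:             # nothing covers the tail
            found.append((cursor.isoformat(), window_end.isoformat()))
        if found:
            gaps[src] = found
    return gaps


if __name__ == "__main__":
    print("purge:", purge_candidates(ARCHIVE, TODAY))
    print("gaps:", coverage_gaps(ARCHIVE, TODAY))
```

With the constructed data, the two January and February firewall files are purgeable, the February HMI file is held because of its incident tag, and the HMI source shows a gap for March, which is exactly the kind of finding an auditor would raise.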
14. CIP-003 R5 requires Responsible Entities to “document and implement a program for managing access to protected Critical Cyber Asset information.”
CIP-003 R6 requires change control and configuration management processes to be established and documented
CIP-007 R3 Security Patch Management. The file integrity monitoring reports unauthorized modifications or changes and provides documentation of authorized changes
CIP-007 R5 Account Management requires technical and procedural controls that enforce access authentication and accountability for all user activity
15. Easy-to-use GUI allows for easy modification of rules and alerts
Daily and weekly traffic reports to set baseline traffic patterns and easily analyze any anomalies
Daily change reports let us know immediately if and when any changes occur to the file system
16. Instant notification of cyber security related events
Advanced correlation of system logs, which saves many hours of log review
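The "correlation" this slide credits with saving review time is the difference between alerting on one log line and alerting on a pattern across several. The following is an added example, not Tripwire Log Center's rule engine; the syslog lines, host names and addresses are constructed, and the year is assumed because classic syslog timestamps carry none. It shows both kinds of rule: a single-event alert on account creation (the CIP-007 R5 accountability concern) and a windowed correlation that flags repeated authentication failures for the same host, user and source, and raises severity if a success follows them.

```python
"""Stateful correlation over syslog-style authentication events.

Added example, not Tripwire Log Center's rule engine. The log lines,
host names and addresses are constructed; the year is assumed because
classic syslog timestamps carry none.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

ASSUMED_YEAR = 2014

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w-]+)\[\d+\]: (?P<msg>.*)$")
AUTH_RE = re.compile(
    r"^(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+")
USERADD_RE = re.compile(r"^new user: name=(?P<user>[^,]+),")

# Constructed sample: five failures then a success for one account, an
# account creation, a benign single typo, and a failure burst with no success.
SAMPLE_LOG = [
    "Jan 12 03:14:01 hmi-01 sshd[2211]: Failed password for operator from 10.200.1.44 port 51022 ssh2",
    "Jan 12 03:14:03 hmi-01 sshd[2212]: Failed password for operator from 10.200.1.44 port 51023 ssh2",
    "Jan 12 03:14:05 hmi-01 sshd[2213]: Failed password for operator from 10.200.1.44 port 51024 ssh2",
    "Jan 12 03:14:08 hmi-01 sshd[2214]: Failed password for operator from 10.200.1.44 port 51025 ssh2",
    "Jan 12 03:14:11 hmi-01 sshd[2215]: Failed password for operator from 10.200.1.44 port 51026 ssh2",
    "Jan 12 03:14:20 hmi-01 sshd[2219]: Accepted password for operator from 10.200.1.44 port 51030 ssh2",
    "Jan 12 03:15:02 hmi-01 useradd[2230]: new user: name=svc_maint, UID=1007, GID=1007, home=/home/svc_maint, shell=/bin/bash",
    "Jan 12 06:00:10 eng-ws sshd[880]: Failed password for engineer from 10.200.2.15 port 40011 ssh2",
    "Jan 12 06:00:25 eng-ws sshd[881]: Accepted password for engineer from 10.200.2.15 port 40012 ssh2",
    "Jan 12 07:30:00 hmi-01 sshd[2300]: Failed password for invalid user admin from 10.200.3.9 port 33001 ssh2",
    "Jan 12 07:30:02 hmi-01 sshd[2301]: Failed password for invalid user admin from 10.200.3.9 port 33002 ssh2",
    "Jan 12 07:30:04 hmi-01 sshd[2302]: Failed password for invalid user admin from 10.200.3.9 port 33003 ssh2",
    "Jan 12 07:30:06 hmi-01 sshd[2303]: Failed password for invalid user admin from 10.200.3.9 port 33004 ssh2",
    "Jan 12 07:30:08 hmi-01 sshd[2304]: Failed password for invalid user admin from 10.200.3.9 port 33005 ssh2",
    "Jan 12 07:30:10 hmi-01 sshd[2305]: Failed password for invalid user admin from 10.200.3.9 port 33006 ssh2",
    "Jan 12 07:31:00 hmi-01 kernel: eth0: link up",   # no pid: ignored by the parser
]


def parse(line):
    """Split a syslog line into timestamp, host, program and message."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"]}


class Correlator:
    def __init__(self, threshold=5, window=300):
        self.threshold = threshold      # failures needed to call it brute force
        self.window = window            # seconds of failure history kept per key
        self.failures = defaultdict(deque)
        self.flagged = set()            # keys already reported, to avoid repeats
        self.alerts = []

    def _alert(self, rule, severity, ev, **fields):
        self.alerts.append({"rule": rule, "severity": severity, "host": ev["host"],
                            "ts": ev["ts"].isoformat(), **fields})

    def feed(self, line):
        ev = parse(line)
        if ev is None:
            return
        if ev["prog"] == "sshd" and (m := AUTH_RE.match(ev["msg"])):
            self._auth(ev, m)
        elif ev["prog"] == "useradd" and (m := USERADD_RE.match(ev["msg"])):
            self._alert("account.created", "medium", ev, user=m["user"])

    def _auth(self, ev, m):
        key = (ev["host"], m["user"], m["src"])
        q, now = self.failures[key], ev["ts"]
        while q and (now - q[0]).total_seconds() > self.window:
            q.popleft()                 # forget failures outside the window
        if m["result"] == "Failed":
            q.append(now)
            if len(q) >= self.threshold and key not in self.flagged:
                self.flagged.add(key)
                self._alert("auth.bruteforce", "medium", ev,
                            user=m["user"], src=m["src"], failures=len(q))
            return
        if len(q) >= self.threshold:    # success right after a failure burst
            self._alert("auth.bruteforce_success", "high", ev,
                        user=m["user"], src=m["src"], failures=len(q))
        q.clear()
        self.flagged.discard(key)


def run(lines):
    c = Correlator()
    for line in lines:
        c.feed(line)
    return c.alerts


if __name__ == "__main__":
    for a in run(SAMPLE_LOG):
        print(a)
```

The single typo on eng-ws produces nothing, which is the point of correlating rather than alerting on every failed login; the operator account on hmi-01 produces a medium alert at the fifth failure and a high one when the login then succeeds.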
17. Practical and useful search criteria for audits and investigations
The data is easily available for forensic analysis if necessary
18. “The concern over cybersecurity risks to critical infrastructure, of which power generation is a significant element, is unlikely to wane in the foreseeable future.” – Steven Parker, President of EnergySec
19. How are we preparing for CIP 5?
Updating and cleaning up current CIP document repository
Verifying and updating documentation of all electronic devices as necessary
Using a 3rd party to perform a GAP analysis of where we may be lacking when it comes to CIPv5 preparation
Scheduling mock audits internally
Attempting to allocate resources accordingly
20. Vendors have increased their support of CIP compliance initiatives
SIEMs are smarter and more capable than in the past
Newer technologies constantly available to make our lives easier
Better “whitelist” capabilities
Improved patch management
Improved port scanning and confirmation
Ability to tie in physical security logging and alerts
Easier access to compliance reports and audit results
22. Provide appropriate security controls to your SIEM
Spend time tuning it! The system can only run as well as it is configured
Don’t be afraid to contact the vendor directly for support
Use it frequently! Hands on is the best way to learn
Version 3 -- As many of you know, manual log review is both cumbersome and generally extremely time consuming.
Of course the ideal solution is to prevent breaches from occurring by employing good security controls.
During the Recon phase detection is very difficult, but having good security practices such as hardening security configurations and minimizing vulnerabilities will make you an unattractive target for attackers. (Can we include a quote from Jane XXX at the CSC?)
The best opportunity for detection before a loss has occurred is during the Exploitation phase. Because the attacker has now successfully entered the network, most likely undetected, they are now executing activities on the host systems and are leaving digital fingerprints which can be detected by looking for changes to the host systems.
Detection is also likely during the Malicious Action phase using various malware detection products; however, at this point detection comes after some level of loss or damage has occurred.
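The "digital fingerprints" these notes describe, and the daily change reports and authorized-change documentation on the earlier slides (CIP-007 R3, slide 15), come down to one technique: a hashed baseline of the host's files, a fresh snapshot later, and a diff. The following is an added example, not Tripwire Enterprise's implementation; the directory tree, its contents and the one "authorized" path are constructed in a temporary directory. It separates changes approved through change control from unauthorized ones, and it deliberately ignores modification times so that an edit which restores the old timestamp is still reported.

```python
"""File-integrity baseline and change report for a host.

Added example; it is not Tripwire Enterprise's implementation but shows
the technique the slides rely on: hash every file into a baseline, take
a fresh snapshot later, and report added, removed and modified paths,
separating changes covered by a change ticket from unauthorized ones.
The directory tree, file contents and the 'authorized' path are
constructed inside a temporary directory.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_record(path):
    """Mode, size and SHA-256 (or symlink target). mtime is deliberately
    left out: an edit that restores the old timestamp still changes the
    hash, so it is still reported."""
    st = path.lstat()
    rec = {"mode": stat.filemode(st.st_mode), "size": st.st_size}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    return rec


def snapshot(root):
    """Relative path -> record for every non-directory entry under root."""
    root = Path(root)
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_dir() and not p.is_symlink():
            continue
        out[p.relative_to(root).as_posix()] = file_record(p)
    return out


def diff(baseline, current, authorized=()):
    """Compare snapshots. Paths in `authorized` (approved by change
    control) are listed separately so the report documents them instead
    of raising them as unauthorized changes."""
    report = {"added": [], "removed": [], "modified": [], "authorized": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            kind = "added"
        elif rel not in current:
            kind = "removed"
        elif baseline[rel] != current[rel]:
            kind = "modified"
        else:
            continue
        if rel in authorized:
            report["authorized"].append((kind, rel))
        else:
            report[kind].append(rel)
    return report


def demo():
    """Constructed host tree: baseline, then four changes, then the report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "hmi.conf").write_text("poll_interval=5\n")
        (root / "etc" / "users.allow").write_text("allow=operator\n")
        (root / "etc" / "motd").write_text("Authorized use only\n")
        (root / "bin" / "hmi-agent").write_bytes(b"\x7fELF\x02\x01\x01")
        baseline = snapshot(root)

        # Approved change (has a ticket): tuning the poll interval.
        (root / "etc" / "hmi.conf").write_text("poll_interval=1\n")
        # Unauthorized same-length edit with the old mtime put back.
        target = root / "etc" / "users.allow"
        st = target.stat()
        target.write_text("allow=svcmaint\n")
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))
        # Unauthorized new binary and a deleted file.
        (root / "bin" / "helper").write_bytes(b"\x7fELF\x02\x01\x01\x00")
        (root / "etc" / "motd").unlink()

        current = snapshot(root)
        return diff(baseline, current, authorized={"etc/hmi.conf"})


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real deployment the baseline is stored off-host and refreshed only when a change ticket closes, so the "authorized" list is the change record and everything else in the report is a finding to investigate.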