Comprehensive Mitigation

Transcription

1 Comprehensive Mitigation Jenny Anderson Compliance Engineer - CIP janderson.re@spp.org July 25, 2013

2 Goals and Benefits of Mitigation Mitigation should lessen the risk of unintended consequences and reduce vulnerabilities that may pose risk to the BES, with ultimate goal of improving system reliability Reduce Risk Improve Security Increase Reliability 2

3 Submitting Comprehensive Mitigation Plans Saves time and resources Speeds up mitigation and violation processing Could reduce the penalty amount Allows you to tell your story 3

4 The Life of a Mitigation Plan VIOLATION MITIGATION COMPLETION Identified Status Reported Evidence Provided Validated Changes Implemented Completed Scoped Changes Planned Verified 4

5 Section 1 MITIGATION PLANNING 5

6 Mitigation Planning Review documentation Violation Description Audit Report, Self-Report, etc. Evidence Identified Standard and Requirement Compliance Application Reports Request For Information/responses Determine scope VIOLATION Identified Validated Scoped 6

7 Violation Summary Cause Identification Method Duration Scope Standard Requirement Included requirement(s) 7

8 Summary Examples LACKING Patch management program was not followed. GOOD Several patches were not assessed for applicability within 30 days. BETTER It was identified that 12 of 27 patches released between April 1 and April 30, 2011 were not assessed for applicability within the 30 days prescribed in CIP R3. 8

9 Summary Examples BEST The SPP RE audit team found at the February 2012 CIP audit that 12 of 27 patches released between April 1 and April 30, 2011 were not assessed for applicability within the 30 days prescribed in CIP R3, R3.1. 9

10 Violation Summary A gold star violation summary contains Standard and Requirement(s) violated Specific violation Method of identification Scope and duration 10

11 Relevant Information Root Cause Additional Information 11

12 Relevant Information Examples LACKING Patches were assessed. GOOD The missed patches were assessed 38 days after availability. BETTER These patches were not assessed in the required 30 days because the patch management program that alerts IT staff when a patch is available had become unresponsive. This was found and fixed, and the missed patches were assessed 38 days after availability. 12

13 Relevant Information BEST The patch management application alerts IT staff when a patch is available. However, the patch management application had become unresponsive and no alerts of available patches were received by IT staff. This was discovered by IT staff when they became suspicious of the lack of alerts, and the patch management program was immediately restarted. The missed patches were assessed 38 days after release. 13

14 Plan Details and Additional Information Tasks or actions taken or to be completed 14

15 Plan Detail Examples LACKING Patches were assessed. GOOD The patch management program was restarted, and the missing patches were assessed. BETTER The patch management program was restarted, and the missed patches were assessed 38 days after availability and have been applied. 15

16 Plan Details BEST Immediately upon realizing the patch management application had failed, IT staff restarted the application on April 9, 2012 and inventoried those patches that were not assessed/applied. The 12 missed patches were assessed the same day; 38 days after their availability. These patches were subsequently installed. We now verify daily that the patch management server is operating properly. 16

17 Additional Information Examples LACKING GOOD Staff are taking measures to improve the patch management program. BETTER IT Staff will ensure patch management program is running. 17

18 Additional Information BEST The patch management server will be added to the automated health check system. Until then, IT staff will manually verify the patch management program is functioning. 18

19 Summary: Plan Details and Additional Information PLAN DETAILS Corrective action(s) Mitigating action(s) taken Actions to be taken ADDITIONAL INFO Any compensating measure(s) Other actions taken or planned Able to be supported by evidence 19

20 Activities and Timeline Future milestones Supported by evidence 20

21 Milestones Should be: Measurable Not to exceed 90 day interval(s) Future dated any completed activity should be documented in the plan details section Stepped activity, i.e. 1 st, 2 nd, 3 rd Able to be supported by evidence Remember! Don t list previouslycompleted activities 21

22 Milestones LACKING Single comprehensive milestone Already complete Are not relevant Cannot be supported by evidence BETTER Future activity Multiple Specific Stepped Able to be supported by evidence 22

23 Milestone Examples GOOD Add patch management server to automated health check system BETTER Acquire additional license Configure Test Place into production Run in parallel to ensure works correctly Drop manual process 23

24 Milestones Gold star milestones Are appropriate to the violation Corrective or mitigating action Consider evidence 24

25 Proposed Completion Date When all activities in the mitigation plan were or will be completed The final milestone proposed completion date The proposed and actual completion dates should be consistent 25

26 Reliability Risk and Prevention Risk Potential Impact to: - Self - BES Prevention - Immediate - Future 26

27 Risk Statement Examples LACKING There is no risk. GOOD There is minimal risk because we are small and patches are rarely released that have a serious impact. BETTER There is minimal risk to the BES because the patches released were not all urgent, and because the systems for which patches were released were protected by other means. 27

28 Risk Statement BEST There was minimal risk to the BES because none of the vulnerabilities for which the patches were released were being actively exploited. The vulnerabilities addressed by the security patches were mitigated by existing defense in-depth compensating measures including highly restrictive firewall rules, limited physical access, and security hardening of the vulnerable Cyber Assets including active, up-to-date anti-malware, system enforced prohibition of removable media, and limited user rights. 28

29 Risk Statement A gold star risk statement Actual AND potential risk to the BES Considers what ifs Compensating measures 29

30 Prevention Statement Examples LACKING Completion of the plan will minimize or prevent further occurrences. GOOD The 30 day patch assessment requirement will not be missed. BETTER By eliminating the risk of missing the 30 day patch assessment, patches will be assessed per the requirement and applied with the intended urgency. 30

31 Prevention Statement BEST By performing a daily status check of the patch management server and ultimately adding the server to the automated health check process, failures of this server will be promptly identified and remediated. The risk of missing the 30 day patch assessment will be eliminated and patches will be assessed per the requirement and applied with the intended urgency. 31

32 Prevention Statement A gold star prevention statement tells how the entity will prevent further or similar violations and addresses Root cause Future considerations Compensating measures 32

33 Section 1 COMPLETING MITIGATION 33

34 Demonstrating Completion Evidence should Be submitted for all plan details/milestones Be specific to the activity Provide context and a supportable end date Sufficient, appropriate, and adequate SHOW YOUR WORK 34

35 Evidence Submission webcdms For evidence that does not contain sensitive CIP-related information EFT Server CIP-protected or sensitive information Requires access Is secured with PGP encryption 35

36 Determining What to Submit 1. Violation Summary and Relevant Information 2. Plan Details and Additional Information 3. Activities and Timeline (Milestones) 4. Risk and Prevention Statements 36

37 Examples of Evidence SUMMARY The SPP RE audit team found at the February 2012 CIP audit that 12 of 27 patches released between April 1 and April 30, 2011 were not assessed for applicability within the 30 days prescribed in CIP R3, R3.1. EVIDENCE Patch inventory 37

38 Examples of Evidence RELEVANT INFO patch management application alerts IT staff when a patch is available patch management application had become unresponsive and no alerts of available patches were received... discovered by IT patch management program was immediately restarted missed patches were assessed 38 days after release. EVIDENCE Change record of the application restart Patch assessments 38

39 Examples of Evidence PLAN DETAILS IT staff restarted the application on April 9, 2012, inventoried those patches that were not assessed days after their availability subsequently installed. We now verify daily that the patch management server is operating properly. EVIDENCE Change record of the application restart Patch inventory and assessments Patch install records Verification check 39

40 Examples of Evidence MILESTONES Acquire additional license Configure Test Place into production Run in parallel to ensure works correctly Drop manual process EVIDENCE Purchase order/receipt Configuration screen captures Testing records Change records 40

41 Examples of Evidence RISK STATEMENT minimal risk none of the vulnerabilities were actively exploited were mitigated by restrictive firewall rules, limited physical access, anti-malware, system enforced prohibition of removable media, and limited user rights. EVIDENCE Patch alerts Applicable firewall rule sets Physical access controls, access list Screen captures of AV, disabled ports User list, PRAs 41

42 Examples of Evidence PREVENTION daily check of patch management server adding automated health check, failures remediated risk of missing patch assessment eliminated patches assessed per requirement applied with the intended urgency. EVIDENCE Daily check-out Automated configuration Postimplementation patch notification/ assessment 42

43 Evidence Gold star evidence Is specific to activities in the mitigation plan Is sufficient, appropriate, and adequate Supports completion date(s) 43

44 Certification of Completion Submit only when mitigation plan is complete AND has been reviewed to determine that it Meets the Standard and Requirement Provides sufficient evidence supporting date of completion of milestones and plan Was completed in advance of or on the proposed completion date 44

45 Submitting Comprehensive MPs Saves time and resources Speeds up mitigation and violation processing Could reduce the penalty amount Allows you to tell your story 45

46 46

47 SPP RE Training Videos: vimeopro.com/sppre/basics Audits: Top 10 Ways to Prepare CIP Audit: What to Expect CIP-005: Electronic Security Perimeter CIP R3 CIP-006: Physical Security CIP-007 Compliance CIP-007: R1 System Configuration CIP-007 R3 and R4 Compliance Education at My Company Internal Compliance Programs Q&A Event Analysis-Entity Perspective Evidence Submission Firewalls: 13 Ways to Break Through Hashing: How To Human Performance - Entity Perspective Human Performance -NERC Mitigation Plans: Milestones, Completion, and Evidence Mock 693 Audit Self-Reporting: When and How TFE Expectations and Issues Training Employees on Compliance 47

48 Jenny Anderson Compliance Enforcement Analyst