White Paper. The North American Electric Reliability Corporation Standards for Critical Infrastructure Protection

White Paper The North American Electric Reliability Corporation Standards for Critical Infrastructure Protection February, 2017

Introduction

The North American Electric Reliability Corporation (NERC) maintains standards for Critical Infrastructure Protection (CIP) covering security requirements, with a main goal of improving the security of all North American power systems. In this white paper you will learn how to meet compliance with the NERC standards for CIP using SecureAuth IdP's unique strong authentication capabilities, including adaptive (risk-based) authentication.

Preventing the Misuse of Stolen Credentials

Table of Contents

What is NERC CIP?
What is SCADA?
The SecureAuth Authentication System
Adaptive & Contextual Authentication
Additional Adaptive Authentication with Real-time Threat Analysis
SecureAuth Authentication's NERC CIP Compliance Checklist
Summary

What is NERC CIP?

The North American Electric Reliability Corporation (NERC) maintains the various cybersecurity standards for Critical Infrastructure Protection (CIP). Consisting of 9 standards and 45 requirements covering security requirements ranging from perimeter protection, cyber asset controls, end-to-end accountability and reliability, training, security management and disaster recovery, the CIP program's main goal is to improve the security of all North American power systems.

Under NERC CIP, organizations are required to identify critical assets and to regularly perform risk analysis of said assets. Defining policies for monitoring and changing the configuration of assets, as well as policies governing access to those assets, is a requirement. In addition, NERC CIP requires the use of firewalls to block vulnerable ports and the implementation of cyber-attack monitoring. Further, organizations are required to enforce controls protecting access to critical cyber assets, must deploy systems for monitoring security events, and must have comprehensive contingency plans.

With CIP version 3, only general BES (bulk electric systems) facilities were required to comply with these standards, yet as Version 5 comes into place April 2016, and version 6 in 2017, all tiered classifications for BES facilities are required to comply.

What is SCADA?

Supervisory control and data acquisition (SCADA) is a system operating with coded signals over communication channels so as to provide control of remote equipment (typically one communication channel per remote station). The control system typically is connected to various data tools gathering and analyzing activity records. SCADA is a type of industrial control system (ICS) consisting of Remote Terminal Units (RTUs)/Programmable logic controllers (PLCs), or the brains of the various processes, and the Human Machine Interface (HMI), which is usually linked to a database.

But SCADA systems historically distinguish themselves from other ICS systems by the sheer number of large-scale processes, which can include multiple sites across various distances encompassing industrial, infrastructure, and facility-based processes. While most believe SCADA is safe, in actuality SCADA systems today are networked, meaning that unauthorized access, even via a simple command prompt, to the main HMI or to any of the networked units could potentially compromise the whole environment.

The SecureAuth Authentication System

SecureAuth solves the problems of cyber security controls, monitoring, adaptive enforcement and authentication. The end result is a multifactor, adaptive solution that:

+ Requires Limited or no Software
+ Requires No Hard Tokens to Carry
+ Enables Geo-Location via IP and/or Country controls
+ Enables Geo-Velocity controls (Historical analysis of authentication access and geo-location)
+ Allows IP white-listing/black-listing controls
+ Checks the reputation of the IP address of the user's machine against the SecureAuth Threat Service, a combination of multiple industry leading sources of threat intelligence and threat information.
+ Behavioral Biometrics: unique keystroke dynamics on varying devices
+ Multiple phone number related fraud checks including preventing attackers from spamming and guessing one-time passcodes, blocking recently ported phone numbers, blocking global carrier networks, and blocking certain classes of phones (e.g. virtual, mobile, landline, toll-free, etc.)
+ Works from Any Browser on Any Site (Home, Office, Internet Café, etc.)
+ Fractions of the cost of Tokens

The result is a more secure interface that meets government compliance, offers an easy-to-use user experience, and limits any disruptions of processes without breaking the IT budget.

Adaptive (risk-based) Authentication

Utilizing various workflow options and integration points, SecureAuth provides adaptive and multi-factor authentication in one solution. For example, in Use Case A, an engineer onsite needs to log into one of the SCADA units, and as their IP address shows they are onsite in HQ, authentication could potentially be allowed with user name and password. Then there is Use Case B: a staff member needs to connect to the same SCADA unit but they are on the other side of the country connecting remotely. Because the staff member is logging in from a new location, we can require a multi-factor authentication method before proceeding.

Group membership along with IP/location can easily be utilized in defining the adaptive authentication a user experiences and the security controls applied when accessing SCADA and/or NERC CIP'ed systems. Let's say the engineer from Use Case A has rights to all the SCADA units and the staff member from Use Case B does not. The staff member happens to be asked to look into one of the PLCs. They don't have access, but they do know the engineer from Use Case A, so they ask to borrow their credentials to log in. With SecureAuth's geo-velocity solution, the staff member trying to utilize the engineer's credentials to authenticate will be subject to Allow, Deny, Step-up, Step-down, or Redirect options, meaning that the systems can detect IP address changes and adaptively address authentication.
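The Use Case A and Use Case B decisions and the geo-velocity check described above, sketched as an added example (this is not SecureAuth's code or configuration). The on-site network range, the speed and distance thresholds, the sample coordinates, the choice to deny on impossible travel, and the names Login, distance_km and decide are all assumptions made for illustration.

```python
import ipaddress
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy values for illustration (not SecureAuth settings).
ONSITE_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # hypothetical HQ range
MAX_SPEED_KMH = 900.0   # faster than this between two logins is implausible
MIN_KM = 50.0           # ignore small moves caused by IP geolocation error

@dataclass
class Login:
    user: str
    ip: str
    lat: float
    lon: float
    when: datetime

def distance_km(a: Login, b: Login) -> float:
    """Great-circle (haversine) distance between two login locations."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dphi, dlmb = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def decide(attempt: Login, last_ok: Optional[Login]) -> str:
    """Return 'allow' (password only), 'step-up' (require MFA) or 'deny'."""
    onsite = any(ipaddress.ip_address(attempt.ip) in n for n in ONSITE_NETS)
    if last_ok is not None:
        hours = (attempt.when - last_ok.when).total_seconds() / 3600
        km = distance_km(last_ok, attempt)
        # Geo-velocity: one set of credentials cannot travel this fast,
        # so a borrowed or stolen login is the likely explanation.
        if km > MIN_KM and (hours <= 0 or km / hours > MAX_SPEED_KMH):
            return "deny"
    # Use Case A (on-site) gets password only; Use Case B (remote) gets MFA.
    return "allow" if onsite else "step-up"

if __name__ == "__main__":
    # Constructed sample data: engineer at HQ, then the same account
    # used 30 minutes later from the other side of the country.
    t0 = datetime(2017, 2, 15, 9, 0, tzinfo=timezone.utc)
    hq = Login("engineer", "10.20.5.7", 33.7, -117.8, t0)
    shared = Login("engineer", "203.0.113.10", 40.7, -74.0, t0 + timedelta(minutes=30))
    print(decide(hq, None), decide(shared, hq))
```
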

Additional Adaptive Authentication with SecureAuth Threat Service

The SecureAuth Threat Service provides highly enriched and actionable threat intelligence that enhances SecureAuth IdP's adaptive authentication. We combine threat intelligence and threat information from leading industry sources and open source providers that are continually updated in real time. With the ability to analyze the IP address of where the user is authenticating from, and all other layers of risk via adaptive authentication, SecureAuth can help detect and protect against cyber-threats before harm can be done. We help identify and stop bad actors who attempt to log in externally, as well as bad actors who are inside and moving laterally in your network even if they have valid credentials. We can easily integrate with your existing infrastructure in hours, not weeks or months, and we maintain a smooth user experience by requiring multi-factor authentication only when risk factors are present.

SecureAuth Authentication's NERC CIP Compliance Checklist*

NERC CIP Requirements | SecureAuth Authentication Feature | Benefit
CIP-003-3 R5 & D1.4 (Security Management Controls) | Access control flexibility with auditing | Sustainable access security controls with SIEM auditing
CIP-005-3a R2.4 (Electronic Security Perimeter(s)) | Access controls with Risk Analysis | Risk Analysis at the perimeter along with SIEM integration and reporting
CIP-007-3a R5.3 & R6 (Systems Security Management) | 20+ Authentication Methods with system logging & SIEM options | Security controls ranging from x.509v3 to RADIUS to SAML with logging

Future-Proofing:

NERC CIP Requirements | SecureAuth Authentication Feature | Benefit
CIP-005-5 R2-Part 2.3 | Access controls with Risk Analysis | Advanced Risk Analysis at the perimeter along with SIEM integration, dashboards and reporting
CIP-007-5 R4-Part 4.1, 4.3, R5-Part 5.1, 5.5, 5.6 | 25+ Authentication Methods along with Identity Management Options | By specifying security system requirements, the multitude of authentication options limit any compromise
CIP-011-1 Part 1.2 (Information Protection) | SecureAuth Adaptive Strong Authentication with SecureAuth Threat Service | Preventing unauthorized access and secure information handling

*NOTE: All of the SecureAuth features and benefits listed above also are available for SCADA environments

Summary

SecureAuth provides deployable and scalable solutions to meet the security requirements of both today and tomorrow, along with the granularity needed for ever-changing regulations, processes, and controls. SCADA operators and organizations under CIP encounter various cyber-attacks and cyberterrorism, and as this grows, the security processes and controls necessary can potentially become cumbersome to the point of disrupting critical systems. Solutions that provide external and internal security controls while not limiting or disrupting any systems, processes, and controls are what is truly needed in today's world. SecureAuth IdP delivers a solution to these Centralized Systems and Organizations.

ABOUT SECUREAUTH

SecureAuth is the leader in adaptive access control solutions, empowering organizations to determine identities with confidence and preventing the misuse of stolen credentials. SecureAuth provides strong identity security while minimizing disruptions to the end-user. SecureAuth has been providing SSO and MFA solutions for over a decade. For the latest insights on adaptive access control, follow the SecureAuth blog, follow @SecureAuth on Twitter and on LinkedIn, or Contact Us to get started today.

8845 Irvine Center Drive Irvine, CA 92618 p: 1-949-777-6959 f: 1-949-743-5833 secureauth.com 2016 SecureAuth Corporation. All Rights Reserved. www.secureauth.com WP-NERC CIP-021517