Project CIP Modifications

Similar documents
Project CIP Modifications

Project CIP Modifications

Critical Infrastructure Protection (CIP) Version 5 Revisions. Standard Drafting Team Update Industry Webinar September 19, 2014

Project Modifications to CIP Standards

Project CIP Modifications. Webinar on Revisions in Response to LERC Directive August 16, 2016

NERC-Led Technical Conferences

Modifications to TOP and IRO Standards

Industry Webinar. Project Modifications to CIP-008 Cyber Security Incident Reporting. November 16, 2018

Project Modifications to BAL Frequency Response and Frequency Bias Setting. Industry Webinar December 18, 2018

Industry Webinar. Project Single Points of Failure. August 23, 2018

Project Modifications to CIP Standards. Technical Conference April 19, 2016 Atlanta, GA

Virtualization Security & Audit. John Tannahill, CA, CISM, CGEIT, CRISC

Supply Chain Cybersecurity Risk Management Standards. Technical Conference November 10, 2016

Unofficial Comment Form Project Modifications to CIP Standards Virtualization in the CIP Environment

Breakfast. 7:00 a.m. 8:00 a.m.

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Better Practices to Provide Reasonable Assurance of Compliance with the CIP Standards, Part 2

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

Interactive Remote Access FERC Remote Access Study Compliance Workshop October 27, Eric Weston Compliance Auditor Cyber Security.

Purpose. ERO Enterprise-Endorsed Implementation Guidance

Unofficial Comment Form Project Modifications to CIP Standards Requirements for Transient Cyber Assets CIP-003-7(i)

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015

CIP V5 Updates Midwest Energy Association Electrical Operations Conference

CIP Technical Workshop

STRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview

Standard Development Timeline

CS 356 Operating System Security. Fall 2013

Industrial Defender ASM. for Automation Systems Management

2015 Risk Element: Extreme Physical Events

IPM Secure Hardening Guidelines

Survey Results: Virtual Insecurity

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

CIP Cyber Security Electronic Security Perimeter(s)

Physical Security Reliability Standard Implementation

ДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Cyber Security Requirements for Electronic Safety and Security

Lesson Learned CIP Version 5 Transition Program CIP : Communications and Networking Cyber Assets Version: October 6, 2015

Standard CIP 005 2a Cyber Security Electronic Security Perimeter(s)

Cloud Customer Architecture for Securing Workloads on Cloud Services

Standard CIP 005 4a Cyber Security Electronic Security Perimeter(s)

Standards Authorization Request Form

Education Network Security

Network Virtualization Business Case

Frequently Asked Questions November 25, 2014 CIP Version 5 Standards

The threat landscape is constantly

CIP-014. JEA Compliance Approach. FRCC Fall Compliance Workshop Presenter Daniel Mishra

Why the cloud matters?

Designing Secure Remote Access Solutions for Substations

CIP 005 R2: Electronic Access Controls

Virtualization and Future Technologies. Project Standards Drafting Team: The Case for Change

NERC CIP Information Protection

Securing your Virtualized Datacenter. Charu Chaubal Senior Architect, Technical Marketing 6 November, 2008

Parallels EMEA Partner Roadshow Parallels Virtualization Portfolio how can I get my piece of the virtualization cake?

Building a More Secure Cloud Architecture

ISACA Arizona May 2016 Chapter Meeting

Cyber Threats? How to Stop?

TEL2813/IS2820 Security Management

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

i-pcgrid WORKSHOP 2016 INTERACTIVE REMOTE ACCESS

Cyber security for digital substations. IEC Europe Conference 2017

Disturbance Monitoring Standard Drafting Team August 7, p.m. 5 p.m. August 8, a.m. 5 p.m. August 9, a.m. noon

Dell EMC Ready System for VDI on VxRail

Functional. Safety and. Cyber Security. Pete Brown Safety & Security Officer PI-UK

Security Management Models And Practices Feb 5, 2008

Dynamic Datacenter Security Solidex, November 2009

Securing the Grid and Your Critical Utility Functions. April 24, 2017

Cloud Operations for Oracle Cloud Machine ORACLE WHITE PAPER MARCH 2017

T12: Virtualization: IT Audit and Security Perspectives Jason Chan, VMware

SYSTEMS ASSET MANAGEMENT POLICY

CIP Standards Update. SANS Process Control & SCADA Security Summit March 29, Michael Assante Patrick C Miller

Summary of FERC Order No. 791

Welcome to the webinar! We will start within a few minutes

2011 North American SCADA & Process Control Summit March 1, 2011 Orlando, Fl

Implementation Plan. Project CIP Version 5 Revisions. January 23, 2015

Cyber Security Program

CIP Cyber Security Configuration Management and Vulnerability Assessments

DRAFT Voice Communications in a CIP Environment Critical Infrastructure Protection Committee Implementation Recommendation May 22, 2017

IBM Europe, Middle East, and Africa Services Announcement ZS , dated October 6, 2009

Implementation Plan. Project CIP Version 5 Revisions 1. January 23, 2015

Industrial Cyber Security. ICS SHIELD Top-down security for multi-vendor OT assets

Dell EMC Ready Architectures for VDI

Industrial Security - Protecting productivity. Industrial Security in Pharmaanlagen

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION ) )

Cyber Security Defense-In-depth RICH KINAS ORLANDO UTILITIES COMMISSION COMPLIANCE SPRING WORKSHOP MAY 9-10, 2017

Ensuring Your Plant is Secure Tim Johnson, Cyber Security Consultant

You knew the job was dangerous when you took it! Defending against CS malware

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Transforming Security Part 2: From the Device to the Data Center

Implementing Cyber-Security Standards

Reinvent Your 2013 Security Management Strategy

Use Case Brief BUILDING A PRIVATE CLOUD PROVIDING PUBLIC CLOUD FUNCTIONALITY WITHIN THE SAFETY OF YOUR ORGANIZATION

CIP Cyber Security Configuration Change Management and Vulnerability AssessmentsManagement

TRAINING WEEK COURSE OUTLINE May RADISSON HOTEL TRINIDAD Port of Spain, Trinidad, W.I.

Changing face of endpoint security

Lindström Tomas Cyber security from ABB System 800xA PA-SE-XA

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

The Evolution of Data Center Security, Risk and Compliance

Transcription:

Project 2016-02 CIP Modifications Webinar on Standard Drafting Team Considerations for the Use of Virtualization in the CIP Environment April 18, 2017

Administrative Items NERC Antitrust Guidelines It is NERC s policy and practice to obey the antitrust laws and to avoid all conduct that unreasonably restrains competition. This policy requires the avoidance of any conduct that violates, or that might appear to violate, the antitrust laws. Among other things, the antitrust laws forbid any agreement between or among competitors regarding prices, availability of service, product design, terms of sale, division of markets, allocation of customers or any other activity that unreasonably restrains competition. Notice of Open Meeting Participants are reminded that this webinar is public. Notice of the webinar was posted on the NERC website and the access number was widely distributed. Speakers on the call should keep in mind that the listening audience may include members of the press and representatives of various governmental authorities, in addition to the expected participation by industry stakeholders. 2

Agenda Opening Remarks and Introduction of Presenters Administrative Items Antitrust and Disclaimers Webinar Format Standard Drafting Team Hypervisors What is multi-tenancy? Questions and Answers 3

CIP Standard Drafting Team 4

Virtualization Webinar Summary 1. Hypervisors Template Considerations Why VM guest need to be treated as CyberAsset Security Patches address ongoing Hypervisor Vulnerabilities 2. What is multi-tenancy? Define Multi-tenancy, Tenants, Overlay, and Underlay Building a multi-tenant environment Introduce ESZ Concept 5

Hypervisor Templates VDI Use Cases 6

Hypervisor Templates VDI Use Cases 7

Hypervisor Templates VDI Use Cases 8

Hypervisor Templates VDI Use Cases 9

Hypervisor Templates VDI Use Cases 10

HV Templates Dormant Images 11

HV Templates Dormant Images 12

HV Templates Dormant Images 13

HV Templates Dormant Images 14

CIP Considerations for the Gold Images 15

Considerations for Templates in CIP-010 Baseline Templates Could be created for Database Servers, Webservers, etc Contains no specific application settings but is up to date with security patches and baselined software packages for rapid deployment CIP-010 Part 1.1 requires the development of a baseline configuration individually or by group, demonstration of compliance for the VMs could be achieved by using the baseline configuration of the Master Image, all baseline configuration elements being identical to the master image for all instances created. 16

VM s as Software on Cyber Assets 17

VM s as Software on Assets: Ports/Services 18

VM s as Software on Assets: Ports/Services 19

VM s treated as CA s: Ports/Services 20

VM s treated as Software on bare-metal HV: Malware Prevention 21

VM s treated as Software on bare-metal HV: Malware Prevention 22

VM s treated as Software on bare-metal HV: Malware Prevention 23

VM s treated as Software on bare-metal HV: Malware Prevention 24

VM s treated as Software on bare-metal HV: Malware Prevention 25

VM s treated as Software on bare-metal HV: Malware Prevention 26

VM s treated as Software on Hosted HV: Malware Prevention 27

Hypervisor : Bare-Metal and Hosted Considerations Hypervisors and VM s should be treated as discrete cyber assets It is difficult to keep proper redundancy strategies in place with hypervisors when treating VM s as software on the CA Bare-metal hypervisors have strong separation using an independent resource scheduler that prevents malware from accessing the backplane. Hosted platforms do not have this separation and require additional steps to maintain security such as management plane isolation Malware detection considerations need to be applied direction to all operating systems involved. Applying them at the hypervisor is not sufficient to ensure security 28

Hypervisor Threats Because the hypervisor ensures the separation of guests, it needs to be patched regularly: Security patches address ongoing Hypervisor vulnerabilities such as VM escape attacks Hypervisor is a Cyber Asset; afforded same controls including physical security NIST bare-metal hypervisors have a smaller attack surface (SP800-125 chapter 2) o Reduced devices drivers o Management Plane Separation 29

Virtualization Webinar Summary 1. Hypervisors Template Considerations Why VM guest need to be treated as PCA's Security Patches address ongoing Hypervisor Vulnerabilities 2. What is multi-tenancy? Define Multi-tenancy, Tenants, Overlay, and Underlay Building a multi-tenant environment Introduce ESZ Concept 30

Multi-Tenancy Definitions Multi-Tenancy - an environment where a shared infrastructure serves multiple tenants. Tenants discrete groups of applications, functions, or environments that share a common resource with specific privileges or security levels that consume resources from the shared infrastructure. The instances (Tenants) are logically isolated but physically interconnected. Underlay Network A network that supports Overlay Networks. It does not trust the overlay network. Overlay Network A network utilized by Tenant. It is unaware that the underlay network exists. Centralized Management System - A centralized system for administration or configuration of BES Cyber Systems, including but not limited to systems management, network management, storage management or patch management 31

Multi-Tenancy: Management and Data Plane Isolation 32

Multi-Tenancy: Basic Physical Devices 33

Multi-Tenancy: Centralized Management Systems 34

Multi-Tenancy : Adding Tenant Networks 35

Multi-Tenancy : Adding Tenant Networks 36

Multi-Tenancy : Add Some Storage 37

Multi-Tenancy : Add some VM s 38

Multi-Tenancy : Add a Firewall 39

Multi-Tenancy: Considerations Multi-Tenancy Considerations VM Infrastructures are designed to support Multi-Tenancy from the ground up and should be considered to be Multi-Tenant environments even if there is only one Tenant Tenant Systems should not have access to the management plane (Logical Isolation at a minimum, Physical is best) Underlay hardware assumes the highest level of security because it required for all Tenants to perform their functions Tenants Transit the Underlay, but have no means of accessing it 40

ESZ Concept The SDT is considering the creation of a construct called an Electronic Security Zone to describe controls used to separate Tenants with logical isolation This concept would be used to separate the management plane from the data plane The concept can be used to create other ESZ s within an ESP (Such as to isolate outbound communication, or to split a storage array) Devices that support multi-tenancy need to use the management ESZ to communicate with their Centralized Management System(CMS) Not limited to networking concepts, can be used to model any type of logical control 41

ESZ Example: Management Plane Isolation 42

ESZ Example: DMZ Seperation 43

ESZ Example: DMZ Seperation 44

ESZ Example: DMZ Seperation 45

ESZ Example: ESZ vs ESP 46

ESP and ESZ Interaction? 47

ESZ Considerations The SDT is considering the creation of a construct called an Electronic Security Zone to describe controls used to separate Tenants with logical isolation This concept would be used to separate the management plane from the data plane The concept can be used to create other ESZ s within an ESP (Such as to isolate outbound communication, or to split a storage array) Devices that support multi-tenancy need to use the management ESZ to communicate with their Centralized Management System(CMS) Not limited to networking concepts, can be used to model any type of logical control 48

49

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback