North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) Version 5 CIP Cyber Security Standards
With NERC CIP Version 5 now enforced, many more electric companies will have to implement NERC CIP measures for the first time and will be going to the market now to look for automated solutions to help. For those that have been subject to the standard for years already, now is a good time to review solutions implemented at the time and re-evaluate the market for easier to use and less expensive alternatives that are now available.
Demonstrating compliance can be a costly and time-consuming exercise, but NNT can help:
- Out of the Box reports provided to address CIP Standards and prove Requirements are being met, such as the need to first develop, then report drift from, an authorized baseline configuration for all devices, including Operating system or firmware, all application software and patches installed and any logical network accessible ports
- NNT solutions can help address all CIP Standards, meeting requirements of CIP-002,CIP-003,CIP-004,CIP-005, CIP-006,CIP-007,CIP-008,CIP-009,CIP-010 and CIP-011
- CIS Certified Hardened Build Checklists provided as standard (Note: In June 2012, the Idaho National Laboratory, home of the National SCADA Test Bed, of the U.S. Department of Energy, completed a very favorable analysis of how the CIS Critical Controls applied in the electric sector as a first step in assessing the applicability of the controls to specific industrial sectors)
- Configuration Management and Change/Breach detection provided for all devices and platforms
NNT Change Tracker Enterprise is the Number 1 Alternative to Tripwire®, providing an easier to use and less expensive solution that provides a perfect solution to the majority of NERC CIP controls.
NERC CIP VERSION 5 BACKGROUNDER - SHOW MORE +
The Critical Infrastructure Protection initiative of the North America Electric Reliability Corporation has helped protect Bulk Electric Systems and keep the lights on since its initial introduction in 2008.
Cyber Security threats to BES generating facilities are now more widespread and with the growing sophistication of malware, APTs, ransomware and social-engineered Spear Phishing attacks, the need for robust operation of all security best practices is critical.
Identity and Access Management, Configuration Hardening, vulnerability management, file integrity monitoring, firewalling, anti-virus, audit trail monitoring, change and configuration management and disaster recovery along with physical security and documented processes and procedures are all mandated. Core security best practices mandate the development of authorized baseline configurations for devices, against which any drift from this baseline can be reported. Approved changes must be authorized with a business justification documented. The key intent of this approach is to regularly review and question the configuration of all devices in order to ensure vulnerabilities are removed and the attack surface of all devices minimized.
Change Tracker Gen 7 has been designed from the ground up to automatically operate these key security controls, recording configuration baselines for all devices then continuously monitoring and reporting any drift. Built-in Intelligent Change Control allows approval of changes recorded for all devices, whether in advance of changes being made or as a post-implementation review process.
NERC CIP VERSION 5 TRACK OPEN PORTS - SHOW MORE +
Networked SCADA and ICS systems, and in particular field devices, IEDs, Sensors, Controllers and Relays are all potentially vulnerable to tampering and a cyber attack. Access to these devices must therefore be carefully restricted and as such, monitoring of all open network ports is an essential dimension of NERC CIP compliance.
Change Tracker Gen 7 is equipped with a distributed network port scanning capability specifically developed to address the exact requirements of the NERC standard. Having the option to distribute scanning vantage points is important to both minimize network traffic but more critically to preserve internal firewalling robustness. Full port scans can be operated without compromise and without any need to make any special allowances in firewalling rules.
Port ranges are simply dialed in for scanning, with any exceptions made for 'whitelisted' ports/ranges. Naturally any rules covering ports included/exlcuded for scanning will be accompanied with explanatory notes in a clear audit trail. An Open Ports Baseline can be saved and labeled at any point and used to report any changes from previous points in time, or to expose differences between similar devices. When authorized changes to the Open Ports Baseline are made, the report is updated and of course, with a fully descriptive audit trail record.
Figure 1: NNT Change Tracker Gen 7 Networked Port Scanner for NERC CIP Compliance
How NNT Interacts with the NERC CIP Compliance Standard
CIP-002-3: Cyber Security — Critical Cyber Asset Identification:
|NERC CIP Version 5||Requirement||NNT Solution|
Cyber Security — Critical Cyber Asset Identification:
Automated Network Discovery is provided to identify any Cyber Assets using a routable protocol. Any devices discovered will then be more deeply interrogated to establish other identification attributes. For Change Tracker Gen 7, a full System Information and Configuration Audit can then be automated.
CIP-003-5: Cyber Security — Security Management Controls:
Cyber Security — Security Management Controls:
Pre-built Hardened Build-Standard documentation, with continuous automated auditing for compliance is provided and these can be adopted then tailored by the "Responsible Entities."
CIP-004-3: Cyber Security — Personnel & Training:
Cyber Security — Personnel & Training:
All User and System activity will be tracked to and audit trails provided to ensure access is in-line with authorized privilege. Any new accounts or increased privilege will also be reported for review and approval.
When access privilege is revoked this will also be audited and reported for review.
CIP-005-5: Cyber Security — Electronic Security Perimeter(s):
Cyber Security — Electronic Security Perimeter(s):
Use NNT Change Tracker to apply a configuration baseline – NNT are a Certified Vendor for CIS Benchmark Checklists and an Official OVAL Adopter, ensuring the most secure and effective configuration settings are used for firewalls.
Apply File Integrity Monitoring to firewall rules and other security configuration settings for tight change management, plus collect logs from firewalls to detect security incidents in advance of any breach
CIP-006-3c: Cyber Security — Physical Security of Critical Cyber Asset (s):
Cyber Security — Physical Security of Critical Cyber Asset (s):
Physical access controls can be audited using automated audit trails and correlation rules. Configuration assessment and change control is automated using Change Tracker
Note: Any systems used to operate physical access controls will also need configuration hardening, change control and breach detection/anti-tampering measures to be enforced for the cyber elements
CIP-007-3: Cyber Security — Systems Security Management:
Cyber Security — Systems Security Management:
Built-in reports identify all open ports and whether the use of these is approved. Any other open ports will be highlighted for mitigation. Similarly all services and daemons can be audited and validated for compliance with the approved hardened build standard.
NNT are a Certified Vendor for CIS Benchmark hardening checklists, providing a full assessment of all configuration settings and identifying any vulnerabilities. NNT also provide real-time breach detection, vital for detection of any Stuxnet-style APT attacks
CIP-008-3: Cyber Security — Incident Reporting and Response Planning:
Cyber Security — Incident Reporting and Response Planning:
In the first instance, any incident is alerted and reviewed automatically against expected, planned changes using NNT Closed-Loop Intelligent Change Control. Any Unplanned Changes are reported as potential security incidents and an investigation and review process is provided within Change Tracker, augmented with log data from Log Tracker
By providing forensic-detailed audit trails of all system and user activity, security incident investigation is straightforward (all audit trails are retained for a 12 month period in line with NERC CIP Version 5 requirements
CIP-009-3: Cyber Security — Recovery Plans for Critical Cyber Assets:
Cyber Security - Recovery Plans for Critical Cyber Assets:
Configuration settings are recorded after every change that is made. Change Tracker built-in workflow requires all changes to be assigned to a Planned Change with documentation providing a full audit trail to be used when restoring systems to an earlier state.
Compliance Reports provide a long-form version of the Initial Configured Baseline for all system. A full backup with incremental change history is provided for any text-based config file including firewall appliances and other network devices.
CIP-010-3: Cyber Security — Configuration Change Management and Vulnerability Assessments:
Cyber Security - Configuration Change Management and Vulnerability Assessments:
Change Tracker provides a comprehensive solution to address CIP-10-3. Initial vulnerability assessments are performed using Certified CIS Benchmark hardening checklists and these can be tailored to match exactly the required hardened build standard for BES Cyber Systems. Any other source of automated compliance content such as OVAL or SCAP can also be used. This encompasses CIP-005 and CIP-007 Requirements
Once systems are in a hardened compliant state, all changes are tracked and assessed automatically against Approved Planned Changes. Any changes identified as 'Known Approved' are reconciled with the Planned Change documentation.
Changes that 'deviate from the existing baseline' can be reviewed and retrospectively assigned to a Planned Change with rationale documentation. The Planned Change can then be applied to all change history for other BES Systems, effectively updating the baseline configuration automatically.
CIP-011-1: Cyber Security — Information Protection:
Cyber Security - Information Protection:
Secure configuration standards can be assessed and records produced using NNT Change Tracker for BES Cyber System Information, including storage, transit, and use.
Figure 2: Example NNT Change Tracker Gen 7 reports for NERC CIP Compliance
NERC CIP 5 REQUIREMENTS: FREQUENTLY ASKED QUESTIONS - SHOW MORE +
- Does NNT Change Tracker develop a baseline configuration, individually or by group, which includes the following items:
1.1 Operating system(s) (including version) or firmware where no independent operating system exists;
1.1.2. Any commercially available or open‐source application software (including version) intentionally installed;
1.1.3. Any custom software installed;
1.1.4. Any logical network accessible ports; and
1.1.5. Any security patches applied?
Yes, this is a standard application for Change Tracker – all platforms are supported, including Windows, Linux, Unix, Database Systems and firewalls/network appliances. Crucially for NERC CIP requirements, Change Tracker can also baseline other transmission/SCADA components such as relays, transceivers etc.
Standard reports for all requirements to provide auditors with exactly what they require.
- Does NNT Change Tracker authorize and document changes that deviate from the existing baseline configuration?
Yes, Change Tracker has an intelligent change control system to recognize changes that deviate from the initial baseline, by alerting the user via the dashboard or email. Once a change has been reviewed, at the most basic level, it can be simply acknowledged with details of the reason for the change appended. There is an advanced option to create an Intelligent Planned Change – see next response.
- For a change that deviates from the existing baseline configuration, does NNT Change Tracker update the baseline configuration as necessary within 30 calendar days of completing the change?
When using Change Tracker's Intelligent Planned Change function, changes only need to be reviewed once only for just one representative device. An Intelligent Planned Change is Change Tracker's unique way of learning about regular or repeated changes, like Windows Updates, that you want to be automatically approved when detected for other devices/on future occasions. In other words, the baseline is automatically updated and monitored for all devices in real-time. This cuts out all the 'change noise' to promote focus on suspicious activity events.
- For a change that deviates from the existing baseline configuration, does NNT Change Tracker enable the following:
1.4.1. Prior to the change, determine required cyber security controls in CIP‐005 and CIP‐007 that could be impacted by the change;
1.4.2. Following the change, verify that required cyber security controls determined in 1.4.1 are not adversely affected; and
1.4.3. Document the results of the verification?
Yes, Closed Loop Intelligent Change Control (CLICCS) allows you to set up multiple rules for changes that may be accepted and also combines NERC compliance monitoring with all associated changes. So any change that deviates from an otherwise compliant state will be notified and all checks and relevant information provided to ensure changes are managed properly with no adverse impact on the current CIP environment.
- Where technically feasible, for each change that deviates from the existing baseline configuration, does NNT Change Tracker:
1.5.1. Prior to implementing any change in the production environment, test the changes in a test environment or test the changes in a production environment where the test is performed in a manner that minimizes adverse effects, that models the baseline configuration to ensure that required cyber security controls in CIP‐005 and CIP‐007 are not adversely affected; and
1.5.2. Document the results of the testing and, if a test environment was used, the differences between the test environment and the production environment, including a description of the measures used to account for any differences in operation between the test and production environments?
Yes, Change Tracker has the ability to perform baseline testing within in a test environment. When patches or changes are applied to the baseline it can be tested in a test environment before changing the production environment so that way you know what can be expected. Change Tracker will also 'learn' what the resulting changes on any device are for a change and then automatically match any future similar changes to the same Planned Change ID.
- Does NNT Change Tracker monitor at least once every 35 calendar days for changes to the baseline configuration (as described in Requirement R1, Part 1.1). Document and investigate detected unauthorized changes?
Change Tracker will typically monitor continuously and report changes in real-time, but a scheduled poll interval can also be used where agentless tracking is preferred.
- Does NNT Change Tracker create and monitor baseline configurations for the following:
7.1.1 Operating System (Linux and Windows, network firmware)
7.1.2 Security Patches (Linux and Windows)
7.1.3 Ports (Linux and Windows)
7.1.4 GE application software (can you customize the directories you want to monitor-example $EXECDIR, $LIBDIR and can you select specific files you want to monitor like the GE jars or cparm.dat/back, opchar.dat/bak)
7.1.5 Custom software (ex: tech support scripts, dynamic ratings custom file)
7.1.6 Third-party software / applications
7.1.7 Firewalls, switches, and routers
7.1.8 VMware servers and appliance like NTP servers?
Yes, Change Tracker is delivered with a wide-range of pre-packed templates that will build and track an appropriate baseline for all devices, including all the elements/attributes specified above. Custom templates can also be created where additional file paths, registry keys, config files etc. are required, perfect for the GE requirements highlighted. Note that Change Tracker can even execute command line queries on devices where deeper information is needed for the baseline.
- Does NNT Change Tracker check ports against host based firewalls?
Yes any attribute can be audited against a compliance checklist, for example, CIS Benchmark (NNT are a Certified Vendor for CIS Benchmarks Checklists) or a customized checklist can be used. Any deviation from the required settings will be reported. In addition a baseline of ports can be recorded and then any drift from the initial baseline tracked and reported. Changes can either then be added to the baseline or exceptions made via an Intelligent Planned Change.
- Does NNT Change Tracker generate baselines based on some logical grouping of devices, such as all Windows or all Linux?
Yes Change Tracker is predominantly Group-oriented. As Devices are added to the system, a Discovery report is run to understand the type and configuration of the device and any discovered parameters, including IP address, name, config setting etc. can be used to automatically assign the Device to a Group. Once assigned to a Group, monitoring templates and report schedules are inherited from the Group setting automatically.
You can set groups based on a number of your internal parameters, whether they be, the geographical location of the device or the device brand, make or model. With the templates you can apply the same template to a grouping of devices.
- Does NNT Change Tracker log changes to the baseline?
Yes, any change event is logged and alerted – as changes are detected, these are automatically assessed against all Intelligent Planned Change rules and in doing so, the change is then processed as either a Planned or Unplanned change.
- Does NNT Change Tracker provide a notification or alert when a new baseline has not been generated even after a configurable number of days of a change in the baseline?
Yes, full audit trail of all system events is generated including comms events, baseline exceptions (i.e. missing folder/reg key)
- Does NNT Change Tracker monitor specific configuration changes to the Windows registry?
Yes, any key/subkey or value monitoring spec can be defined using wildcards/regex in order to precisely track just the information required and minimize unwanted/non-useful change noise.
- Does NNT Change Tracker include a change management control process?
Yes, as covered previously, Closed-Loop Intelligent Change Control means that changes can be planned, documented and defined in advance, or post-change.
- Does NNT Change Tracker capture, parse, categorize, and timestamp configuration parameters for Windows Desktop, and Windows Server Operating Systems?
Yes – key strength of Change Tracker. Other legacy FIM solutions require complicated rules and actions to be defined, usually with regex parsing specifications where Change Tracker uses built-in point and click setup for tracking with pre-defined match rules/filters. This makes Change Tracker the easiest to use and maintain FIM solution available.
- Does NNT Change Tracker capture, organize, and timestamp the hardware profile, including the installed firmware and network characteristics (NICs, ports, protocols, services, etc.) of any machine in the GMS environment?
Yes, key function of Change Tracker to capture a baseline configuration image, then track all changes going forwards.
- Does NNT Change Tracker have the capability to perform automated notification for information system configurations that are not compliant with baseline configuration? Does notification occur in real time?
Yes, Change Tracker uses real time FIM. An automated notification will be provided with the simple dashboard and via E-mail/syslog when the baseline is deviated from.
- In regards to the components of NNT Change Tracker itself, does NNT Change Tracker enforce access restrictions, roles and also provide ability to access auditing access?
Yes, Change Tracker is role based access control allowing user to be assigned certain roles and to certain groups that they would have direct contact with.
- Does NNT Change Tracker have the capability to provide notification of information system baseline configuration changes and OS level logs in syslog or other format compatible with McAfee SIEM?
Yes, Change Tracker is compatible with all leading SIEM solutions such as McAfee, QRadar, ArcSight and NNT Log Tracker.
- Does NNT Change Tracker require an agent?
Change Tracker offers a full choice of Agent-based or Agentless monitoring for all platforms including Windows, Linux, Unix, Database system, Firewall/Network Appliance or other devices such as Relays, transceivers/other transmission/SCADA component.
- Briefly summarize how Change Tracker would be used to deliver NERC CIP compliance?
All devices within the Management Network (EMS), generating/transmission networks and SCADA environments are monitored continuously. Each device is immediately assessed for compliance with a Hardened Build Standard, typically derived from CIS Benchmark or NIST 800-53 secure configuration guidance (but any SCAP/OVAL template can be used), or a custom report derived where needed.
This initial report ensures that key NERC CIP requirements are being met and flags any areas of non-compliance. Requirement 010 calls for a baseline of software, patches, firmware version, open ports, running services and other secure configuration attributes to be understood and justified. The compliance report will be scheduled to be re-run periodically to identify any configuration drift in a summarized format. The report not only identifies where action is required, but details the remediation work in terms of commands to use, areas of Group Policy to apply etc.
Configuration data is also baselined for each device and from this baseline any changes made subsequently will be recorded and assessed against documented Planned Changes. Any changes that do not match any specified Planned Change will be raised as Unplanned and should be investigated and remediated, or approved, documented and added to the Approved Baseline. In this way, security is always maintained by minimizing vulnerabilities while the ability to detect breach activity maximized, for example, a complete system integrity image is recorded for all files and settings for each device. In this way, a Trojan infiltration will be detected in real-time, along with any new software being installed, ports being opened, services started, user accounts being changed – in fact any change that weakens security will be notified immediately.
By operating Change Tracker in this way, the full intent and spirit of NERC CIP requirements can be met in a productive, straightforward manner, while always having the full and detailed audit trails and reports available for an external auditor to review
Register for a free trial and automate your systems now.
NERC CIP Case Studies
With the increased regulatory pressures associated to PCI DSS and NERC CIP compliance, NNT Change Tracker has become an invaluable addition to both our processes and systems that allow us to maintain our compliance without adversely affecting our workload
Chris Murphy, Head of IT, Guadalupe Valley Electric Co-Op, Texas