1 of 15

NERC CIP-003-9: What Now? Response Requirements (Part 3)

NERC CIP-003-9

Keon McEwen | Ben Stirling | Sean Thompson | Joe Baxter

2 of 15

Webinar Information

  • Enter your question(s) in the GoToWebinar “Questions” section anytime throughout the presentation.
  • A PDF copy of this webinar’s presentation will be available in the “Handouts” section of the GoToWebinar panel.
  • Today’s webinar is being recorded and will become available at: www.abs-group.com/webinars
  • Please allow 1-2 business days for the webinar recording to be posted.

3 of 15

Quick Recap NERC CIP-003-9


The New Requirements and How to Comply – Part 1

    • Discussed the new NERC CIP-003-9 requirements and the implementation of the new Section 6, "Vendor Electronic Remote Access Security Controls": what does Section 6 mean for low impact generation?

What You Should Do vs What You Must Do – Part 2

    • Discussed the preparation and performance elements required to meet the CIP-003-9 Standard Requirements: what are the minimum requirements versus best practice?

4 of 15

NERC CIP-003-9 – What can Make Your Program Successful


Ensure Plant Personnel from Management to I&C and Operations Understand the Requirements

Compliance has a Good Understanding of Each Site

Drive to Consistency

    • Vigilance: like safety, security and compliance are everyone's job
    • Ensure changes are reported
    • Report any failures – self-reporting is not a bad thing
    • Remove “tribal” knowledge boundaries across the relevant organizations
    • Know the vendors involved and how they operate
    • Know key personnel at each site from management to operations and maintenance
    • When possible, visit each site and take pictures
    • Start with each site and then develop their best practices
    • Combine the best of breed from across your fleet
    • Ensure that documentation is consistently formatted between sites: same terms, same controls

5 of 15

Understand the Difference

Securing generation and complying with NERC CIP is not a simple task (don’t expect this to be a quick or easy journey).

The combination requires an intimate understanding of the specific generation process and the unique cyber and physical footprint of each site.

  • A security program can be compliant
  • A compliance program does NOT ensure security

Only with the two objectives in mind can you achieve both.

6 of 15

6.1 Vendor Electronic Remote Access (VERA)

6.1 One or more method(s) for determining vendor electronic remote access;

Evidence required:

  • Document ALL network paths that CAN or could be used by vendors for remote access
  • Develop and document methods to authorize vendor remote access
  • Develop and document methods to monitor vendor remote access
  • Develop and document methods to alert and record vendor remote access

7 of 15

6.1 Vendor Electronic Remote Access (VERA)

  • Who is connected?
  • What can they do?
  • When do they connect?
  • Where can they go?
  • How do I know?
  • What can I do?

[Diagram labels: Internet, VERA, Your Site, LIBCS]

8 of 15

6.1 Vendor Electronic Remote Access (VERA)

9 of 15

6.2 Method(s) for Disabling Vendor Remote Access

6.2 One or more method(s) for disabling vendor electronic remote access;

Evidence required:

  • Develop and document methods for disabling vendor remote access
  • Develop and document methods for disabling inbound and/or outbound communication
  • Develop and document methods for removing physical layer connectivity (break-glass approach)

10 of 15

6.3 Detecting Known or Suspected Malicious Communications

6.3 One or more method(s) for detecting known or suspected inbound and outbound malicious communications for vendor electronic remote access

Evidence required:

  • Document use of anti-malware technologies (where they are installed and how they are updated)
  • Document use of Intrusion Detection/Prevention Systems (IDS/IPS)
  • Document use of automated and/or manual log review
  • Document use of automated and/or manual alerting

11 of 15

Why Consistency Matters for Security and Audits


Inconsistency

Security: Two Analysts = Two Outcomes

    • Process matters
    • Ensuring correct decisions
    • Consequences: reporting, risk and response

Compliance: Significance of Contradiction

    • Additional RFIs
    • Areas of concern
    • Effects on audit schedule

12 of 15

What Consistency Looks Like (and How We can Help)


Compliance and Response to RFI

Reduced Burden for Plant Personnel

Concise Responses to RFIs and Reduced RFI Follow-Up

Documentation and Preparation

Consistent Recording of Security and Compliance Actions for IR Activities

Technical Documentation: Validation and Packaging

Security and Monitoring

Reliable Logging and Analysis

Effective Threat Detection and Incident Response (IR)

13 of 15

Questions

  • Enter your question(s) in the GoToWebinar “Questions” section at this time.
  • A PDF copy of this webinar’s presentation is available in the “Handouts” section of the GoToWebinar panel.
  • Today’s webinar is being recorded and will become available at: www.abs-group.com/webinars
  • Please allow 1-2 business days for the webinar recording to be posted.

14 of 15

Thank You

Keon McEwen, ISOC Director, Industrial Cybersecurity
kmcewen@abs-group.com

15 of 15