Meeting NERC CIP Access Control Standards Presented on February 12, 2014

Mar 11, 2018
Page 1: Meeting NERC CIP Access Control Standards - CyberLock · PDF fileObjective If you are involved in the physical security requirements needed for NERC CIP compliance this webinar is

Meeting NERC CIP Access Control Standards

Presented on February 12, 2014

Page 2:

Presented By: CyberLock

•  The leading supplier of key-centric access control systems
•  Based in Corvallis, Oregon

•  James T. McGowan
•  Technology & security industry veteran
•  Vice President of Sales & Marketing

www.cyberlock.com

Page 3:

Objective

If you are involved in the physical security requirements needed for NERC CIP compliance, this webinar is for you.

www.cyberlock.com 3

Page 4:

NERC

•  North American Electric Reliability Corporation
•  Originally a voluntary industry organization
•  Focused on developing reliability standards
•  Empowered with the Energy Policy Act of 2005
  –  Became Electric Reliability Organization (ERO)
  –  Able to enforce standards and penalize non-compliance

Mission: “Ensure the reliability of the North American bulk power system”

Page 5:

NERC CIP

•  Critical Infrastructure Protection
•  Originally 8 specific reliability standards
•  Intended to protect BES* against “cyber attacks”
•  Approved January 18, 2008

*BES = Bulk Electric System

Page 6:

www.nerc.com

Page 7:

NERC CIP

www.nerc.com/pa/CI/Pages/default.aspx

Critical Infrastructure

Page 8:

CIP Standards

Page 9:

NERC CIP Standards

Original Eight:
•  CIP-002-1 (BES Cyber System Categorization)
•  CIP-003-1 (Security Management Controls)
•  CIP-004-1 (Personnel & Training)
•  CIP-005-1 (Electronic Security Perimeters)
•  CIP-006-1 (Physical Security of BES Cyber Assets)
•  CIP-007-1 (System Security Management)
•  CIP-008-1 (Incident Reporting and Response Planning)
•  CIP-009-1 (Recovery Plans for BES Cyber Systems)

Recent Additions:
•  CIP-010-1 (Configuration Change Management & Vulnerability Assessments)
•  CIP-011-1 (Information Protection)

Page 10:

Sounds Easy to Follow?

These are standards in motion:

•  8 = Number Subject to Enforcement
•  10 = Number Subject to Future Enforcement
•  3 = Number Pending Regulatory Filing
•  50 = Number Inactive

Page 11:

Why Comply?

•  Helps protect the North American BES
•  Critical Infrastructure cyber attacks are increasing
•  Over 200 incidents reported between Oct ’12 and May ’13*
•  53% Energy related

*Source = ICS-CERT Monitor April/May/June 2013

Page 12:

Why Comply?

•  Avoid fines

Possible fine, per day, for each day a violation continues.

*Source = Sanction Guidelines of the NERC, Appendix 4B, December 20, 2012

Page 13:

CIP-003-3

•  Title: Cyber Security — Security Management Controls
•  Number: CIP-003-3
•  Purpose: Standard CIP-003-3 requires that Responsible Entities have minimum security management controls in place to protect Critical Cyber Assets.
•  Key Points:
  –  …implement a program for managing access to protected Critical Cyber Asset information…

NOTE: Subject to Enforcement

Page 14:

CIP-005-5

•  Title: Cyber Security — Electronic Security Perimeter(s)
•  Number: CIP-005-5
•  Purpose: To manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
•  Key Points:
  –  …access control model that denies access by default, such that explicit access permissions must be specified….
  –  …entity shall review or otherwise assess access logs for attempts at or actual unauthorized accesses at least every ninety calendar days….

NOTE: Subject to Enforcement

Page 15:

CIP-006-3c

•  Title: Cyber Security — Physical Security of Critical Cyber Assets
•  Number: CIP-006-3c
•  Purpose: Standard CIP-006-3 is intended to ensure the implementation of a physical security program for the protection of Critical Cyber Assets.
•  Key Points:
  –  …shall document and implement the operational and procedural controls to manage physical access at all access points to the Physical Security Perimeter(s) twenty-four hours a day, seven days a week….
  –  …shall document and implement the technical and procedural controls for monitoring physical access at all access points to the Physical Security Perimeter(s) twenty-four hours a day, seven days a week….

NOTE: Subject to Enforcement

Page 16:

CIP-006-5

•  Title: Cyber Security — Physical Security of BES Cyber Systems
•  Number: CIP-006-5
•  Purpose: To manage physical access to BES Cyber Systems by specifying a physical security plan in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
•  Key Points:
  –  …Utilize at least one physical access control to allow unescorted physical access into each applicable Physical Security Perimeter to only those individuals who have authorized unescorted physical access.
  –  …Where technically feasible, utilize two or more different physical access controls (this does not require two completely independent physical access control systems) to collectively allow unescorted physical access into Physical Security Perimeters to only those individuals who have authorized unescorted physical access.

NOTE: Subject to Future Enforcement (7/1/15)

Page 17:

Summary of the Solution

Cost effective, practical solution that:

•  Manages access to protected critical cyber assets
•  Denies access by default
•  Records physical access attempts
•  Manages physical access to facility perimeter(s)
•  Controls access for only authorized personnel
•  Provides a secondary physical access control solution

Page 18:

Access Control Options

•  Mechanical Solution: Master Key System
•  Lock-Centric Solution: Key Card System
•  Key-Centric Solution: Electronic Locks & Smart Keys

Page 19:

What is Key-Centric?

•  Electronic access control to locks without power:
  •  Intelligent cylinders that replace mechanical cylinders
  •  Smart keys that hold permissions, store usage information, and energize the lock
  •  Access control management software that drives the system

Page 20:

Key-Centric In Action

1. Schedules & permissions are set in software
2. Key holders upload schedules and permissions via downloaders
3. Key holders access locks
4. Key holders download access activity via downloaders
5. Audit trails uploaded into software

Updating permissions and downloading audit trails occur simultaneously.
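As an added illustration that is not part of the original deck and not CyberLock's own software, the five-step flow above modelled in Python: the key carries a schedule and explicit per-lock permissions, any lock not listed on the key is denied by default (the CIP-005-5 point quoted earlier), every touch is logged on the key, and a downloader docking moves the audit trail into the management software, where a ninety-day review of denied attempts is run. The lock ids, holder name and schedule window are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Constructed model of the five steps: permissions live on the key, the unpowered lock
# opens only for an explicitly permitted key, and every touch is logged on the key.

@dataclass
class Window:
    weekdays: set      # 0 = Monday ... 6 = Sunday
    start_hour: int
    end_hour: int      # exclusive

    def allows(self, at):
        return at.weekday() in self.weekdays and self.start_hour <= at.hour < self.end_hour

@dataclass
class SmartKey:
    holder: str
    permissions: dict = field(default_factory=dict)  # lock_id -> Window
    audit: list = field(default_factory=list)         # (time, lock_id, holder, granted)

    def touch(self, lock_id, at):
        # Deny by default: a lock not explicitly listed on the key never opens.
        window = self.permissions.get(lock_id)
        granted = window is not None and window.allows(at)
        self.audit.append((at, lock_id, self.holder, granted))  # every touch recorded
        return granted

class ManagementSoftware:
    def __init__(self):
        self.audit_trail = []

    def downloader_sync(self, key, permissions):
        # Steps 2 and 4/5 happen in one docking: audit trail off the key, permissions on.
        self.audit_trail.extend(key.audit)
        key.audit.clear()
        key.permissions = dict(permissions)

    def review_unauthorized(self, now, days=90):
        # CIP-005-5 style review: denied touches within the last `days` calendar days.
        since = now - timedelta(days=days)
        return [e for e in self.audit_trail if not e[3] and e[0] >= since]

def demo():
    sw, key = ManagementSoftware(), SmartKey("j.smith")        # constructed holder
    sw.downloader_sync(key, {"cab-07": Window({0, 1, 2, 3, 4}, 8, 18)})  # steps 1-2
    results = [key.touch("cab-07", datetime(2014, 2, 12, 9, 30)),   # Wed, in window
               key.touch("cab-07", datetime(2014, 2, 15, 9, 30)),   # Saturday: denied
               key.touch("gate-01", datetime(2014, 2, 12, 9, 31))]  # never permitted
    sw.downloader_sync(key, key.permissions)                        # steps 4-5
    return results, len(sw.review_unauthorized(datetime(2014, 3, 1))), len(key.audit)
```

The two denied touches are what the ninety-day review surfaces; the granted one stays in the trail as evidence that the access point was opened by an authorized key.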

Page 21:

Practical Applications:

Manage access to protected critical cyber assets: Install key-centric cam locks on cabinets

Deny access by default: Key-centric locks can only be opened by authorized users

Page 22:

Practical Applications:

Manage physical access to facility perimeter(s): Install key-centric padlocks on perimeter fences

Control access for only authorized personnel: Set permissions in management software

Page 23:

Electronic Locks

Install locks

•  Fit into existing hardware
•  No power/wiring needed
•  Install anywhere
•  Highly secure
•  No pick-able keyway
•  CIP-006: “…manage physical access to all access points…”

Page 24:

Programmable Keys

Program and distribute keys

•  Key has user information
  •  Schedules
  •  Permissions
•  Remembers every touch
•  Battery energizes lock
•  CIP-005: “…access control model that denies access by default, such that explicit access permissions must be specified…”

Page 25:

Downloading Stations

Download/upload information

•  Install in convenient locations
  •  Employee entrances
  •  Break rooms
•  Interface with software
  •  Download audit trails
  •  Upload new system info
•  CIP-006
  •  Predefined electronic access rights uploaded to key
  •  Log access activity to physical security

Page 26:

Management Software

Manage System

•  Hierarchy of Administrators
•  Browser-based access
•  Intuitive GUI
•  CIP-006: “…electronic access where the access rights are …predefined in a computer database…”

Page 27:

Which System? The Leader in Key-Centric Access Control: CyberLock

•  Field Proven
  –  Introduced in 2000
  –  1 Million + CyberLock cylinders deployed
•  Flexible
  –  300+ Lock Designs
  –  Multiple Key & Downloading Options
•  Feature-rich software
  –  Stable, Linux-based
  –  Access via off-the-shelf browsers
•  Expansion options
  –  Lock-Centric capabilities
  –  3rd party integration

Fulfills NERC CIP Access Control Requirements

Page 28:

Summary

Meet NERC CIP Access Control Standards with CyberLock:

•  Proven
•  Affordable
•  Practical
•  Scalable
•  Supports compliance:
  •  CIP-003-3
  •  CIP-005-5
  •  CIP-006-3c
  •  CIP-006-5

Page 29:

For More Information

www.cyberlock.com

[email protected]

541-738-5500