Six Keys to Securing Critical Infrastructure and NERC Compliance

May 20, 2015


Lumension

With the computer systems and networks of electric, natural gas, and water distribution systems now connected to the Internet, the nation’s critical infrastructure is more vulnerable to attack. A recent Wall Street Journal article stated that many utility IT environments have already been breached by spies, terrorists, and hostile countries, often leaving bits of code behind that could be used against critical infrastructure during times of hostility. The U.S. Cyber Consequence Unit declared that the cost of such an attack could be substantial: “It is estimated that the destruction from a single wave of cyber attacks on U.S. critical infrastructures could exceed $700 billion USD - the equivalent of 50 major hurricanes hitting U.S. soil at once.”

Vulnerability and exposure of utilities’ critical infrastructures originate from the Supervisory Control and Data Acquisition (SCADA) and Distribution Automation (DA) systems that communicate with and control devices on utility grids and distribution systems. Many of these systems have been in operation for years (sometimes for decades), and were not designed with security in mind. Regulatory bodies have recognized the many security issues facing critical infrastructure and have begun to establish and enforce requirements in an attempt to shore up potential exposures. One such regulation is NERC CIP, which includes eight reliability standards consisting of 160 requirements for electric and power companies to address. As of July 1, 2010, these companies must be “auditably compliant” or else they risk getting slapped with a penalty of $1 million per day, per CIP violation.

In this roundtable discussion, we will highlight:
• The security challenges facing utilities today
• The six critical elements to achieving economical NERC CIP compliance
• How utilities can secure critical infrastructure in today’s networked environment
Transcript
Page 1: Six Keys to Securing Critical Infrastructure and NERC Compliance


Today’s Agenda

Healthcare IT Security & Compliance Issues

Six Keys to Cost-Effective IT Security & Compliance

Applying the Critical Elements

Q&A and Conclusion

• Security and Compliance Challenges Related to Protecting Critical Infrastructure

• Six Critical Elements to Achieve Economies in Securing Critical Infrastructure and Compliance

• Panel Discussion and Q&A


Today’s Speakers

Chris Merritt, Director of Solution Marketing, Lumension

Michael Rasmussen, Risk & Compliance Advisor, Corporate Integrity, LLC

Paul Henry, Security & Forensics Analyst, MCP+I, MCSE, CCSA, CCSE, CFSA, CFSO, CISSP-ISSAP, CISM, CISA, CIFI, CCE


Critical Infrastructure: Security and Compliance Demands


Slide 5© 2010, Corporate Integrity, LLC www.Corp-Integrity.com

Utilities Burdened by Critical Infrastructure Protection (CIP) Demands

• Increasing pressure for accountability bearing down from several angles, forcing them to rethink the approach to CIP.

• An increasingly interconnected world means utilities must consider:

– Emissions and global warming concerns,

– Corporate social responsibility,

– Capacity and future sustainability of power, and

– Protection of critical infrastructure.

• Supervisory Control and Data Acquisition (SCADA) and Distribution Automation (DA) systems have been in operation for years.

– These systems were not designed with security in mind.

– As utilities interconnect to the Internet and other systems, exposure grows exponentially.


CIP & Compliance Mandates on Utilities

• NERC established eight CIP reliability standards, containing 160+ requirements to protect the critical infrastructure of electric utilities.

– Compliance includes regular management & monitoring, with preparedness audits.

– As of July 1, 2010 these utilities face the next step in being auditably compliant.

• Other related and often overlapping security requirements impact utilities (even for those not facing NERC CIP compliance), such as:

– FTC Red Flags Rule

– Payment Card Industry Data Security Standard (PCI DSS)

– State Mandatory Disclosure Laws (for example, in Massachusetts and California)

– Sarbanes-Oxley (SOX)

• Achieving economies requires implementation of an infrastructure for managing and monitoring compliance that crosses multiple mandates.


A Grim View of the Current State…

Source: Open Compliance & Ethics Group


Critical Elements to Achieve Economies in CIP & Compliance

• CIP requirements and other compliance mandates are not trivial. Utilities are burdened because of:

– Increased connectivity of critical infrastructure

– Non-stop operations in a dynamic business environment

– Standardized technology architecture

– Shortage of resources

• Best practices require that utilities approach compliance and the protection of critical infrastructure as related processes and controls.

• Economical approach to NERC CIP and other mandates requires:

– Centralized visibility across controls in IT systems and processes,

– Automation of enforcement and monitoring,

– Collaboration across IT roles and the business, and

– Adoption of an integrated risk-based view of compliance.


Big Picture of Compliance

OBJECTIVES: strategic, operational, customer, process, compliance objectives

BUSINESS MODEL: strategy, people, process, technology and infrastructure in place to drive toward objectives

MANDATED BOUNDARY: boundary established by external forces including laws, government regulation and other mandates.

VOLUNTARY BOUNDARY: boundary defined by management including public commitments, organizational values, contractual obligations, and other voluntary policies.

[Figure labels: OPPORTUNITIES, OBSTACLES]

Source: Open Compliance & Ethics Group


Components of Compliance & CIP

INFORM & INTEGRATE

DETECT & DISCERN

ORGANIZE & OVERSEE

ASSESS & ALIGN

MONITOR & MEASURE

PREVENT & PROMOTE

RESPOND & RESOLVE

Source: Open Compliance & Ethics Group


Efficient, Effective & Responsive CIP


6 Key Elements to Achieve Economies in CIP & Compliance


6 Keys to Economical CIP


1 - Agility

• Utilities need a sustainable process and infrastructure for protection of critical infrastructure and related processes, including:

– Full discovery of the utility’s IT environment, critical infrastructure, and technology assets, including:

• Automatic assessment of the environment and devices that connect to it, to maintain the asset inventory required for compliance.

• Automated IT risk assessment that provides structure around the process of collecting scores and evidence for compliance controls, so utilities can demonstrate auditable compliance at any point in time.

• Policy enforcement of software updates, security patches, and standardized configurations to maintain adequate protection of critical infrastructure.

• Flexibility to handle the unique needs and requirements common in utilities and their IT environment.

• The ability to track access to critical infrastructure cyber assets — who accessed it, when, and where.


2 - Consistency

• Utilities need a consistent approach to security and compliance, which can be achieved via streamlined workflows and process management capabilities that ensure:

– Comprehensive inventory and management of regulated systems (such as critical infrastructure), to:

• Deliver visibility of both physical and IT environments from one consolidated console.

• Manage an IT asset repository to include all resource types, including applications, databases, servers, networks, data centers, people, and processes across the utility.

– Continuously monitored compliance and IT risk postures to establish a mandatory baseline policy that all systems must meet.

– Established policies based on best practices, with pre-configured checks and elements that can be added and modified based on specific security needs.

– The ability to add, create, define, edit and import/export security configurations and checklists.

– Cross-referenced and normalized common controls for various regulations and mandates that impact the utility into a single control.


3 - Efficiency

• Ensuring the protection of critical infrastructure and compliance with mandates can be burdensome, requiring a process and solution to manage documentation, tasks, reporting, and monitoring of requirements. Operational efficiency can be achieved by:

– Addressing multiple compliance reporting needs through a single solution.

– Maximum policy flexibility with automated enforcement, saving time and effort by IT staff.

– The combination of standard configuration checklists from vetted utility industry sources, with a repository of software vulnerabilities that deliver information with context to properly remediate errors.

– Automatic risk profile analysis that saves time over manual risk analysis practices.


4 - Transparency

• Compliance within utilities requires transparency in reporting across enterprise systems, IT networks, and extended business relationships. This includes:

– Providing harmonization of compliance controls across a range of mandates (such as NERC CIP, PCI DSS, Red Flags Rule, and SOX).

– Viewing IT risk holistically across multiple information systems, processes, and departments, to:

• Collect device, security, and configuration information to provide consolidated visibility for system owners.

• Provide a global view of vulnerability status for all utility cyber assets with an at-a-glance understanding of risk and system status.

– Documenting changes and demonstrating progress toward audit and compliance requirements.


5 - Accountability

• The utility is ultimately accountable for compliance and security of critical infrastructure, even across extended business relationships, communications, and systems. Accountability requires:

– Complete CIP status and visibility, which includes:

• A complete view of overall compliance that drills down into specific assets, requirements, and organization systems and processes.

• Constant audit readiness through automated collection and centralization of security configuration and vulnerability assessment results.

• Workflow-based surveys to ensure understanding, training, and assessment of CIP controls.

• Stakeholder surveys to determine the business impact of a risk scenario that compromises the confidentiality, integrity, or availability of critical infrastructure.

• Risk-based analysis of the IT posture that enables the organization to drill down on suspicious behavior for further investigation.

• Information system and role-based reporting and administration.

– Comprehensive reporting to organization management and authorities at a moment’s notice.


6 - Security

• A primary concern for utilities today is protection of critical infrastructure. Security oversight aims to understand and model various unauthorized or inadvertent CIP exposures, along with their likelihoods and impacts. Specific security economies are achieved through:

– Identification of controls that enhance CIP while meeting compliance requirements.

– Security policy enforcement:

• In-depth assessment of vulnerabilities, patch status, security configurations, installed software, and hardware inventory.

• Vulnerability audits and remediation across software and endpoints.

• Automated enforcement of malware protection, endpoint control and security.

• Timely response to issues and visibility across the organization’s information systems environment.

– Continuous monitoring and enforcement of security — particularly when new people (access), information, processes, and technology assets are added.


Utility Infrastructure Security & Compliance Platform Requirements

• Utilities should implement processes and corresponding technologies that bring economies and efficiency to CIP, including:

– Discovering, inventorying, and categorizing information systems

– Monitoring vulnerability exposure and the state of CIP

– Remediating and maintaining compliance to CIP requirements

– Managing security configurations and critical infrastructure protection across all endpoints

– Controlling removable device use and enforcing data encryption

– Streamlining overlapping technical and procedural controls across CIP requirements

– Maintaining trusted application use of critical infrastructure assets

– Enforcing compliance with evolving requirements

– Enabling reporting and monitoring of CIP


Panel Discussion and Q&A


Conclusion


Resources and Tools

• Whitepapers

» 6 Critical Elements to Achieving Economical NERC CIP Compliance

» Enterprise Security: Moving Beyond AV

» Shift Happens: The Evolution of Application Whitelisting

» and a host of other whitepapers

• Other Resources

» Podcasts, Videos, Webcasts

» On-Demand Demos

» eBooks

• Premium Security Tools

» Scanners

• Product Software Evaluations

» Virtual Environment

» Full Software Download


Global Headquarters

8660 East Hartford Drive

Suite 300

Scottsdale, AZ 85255

1.888.725.7828

[email protected]

blog.lumension.com