0% found this document useful (0 votes)

239 views30 pages

Nerc Cip

Security Considerations When Procuring and Implementing SCADA Systems

Uploaded by

Cedric Niamké

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

239 views30 pages

Nerc Cip

Security Considerations When Procuring and Implementing SCADA Systems

Uploaded by

Cedric Niamké

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 30

NERC CIP Considerations when Procuring and Implementing SCADA Systems

EMS Users Conference

September 18, 2012

2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.

Introductions

MarioMarchelli Director,EnergyManagement&ControlSystemsPracticeLead (832)5630897 [email protected] GilbertPerez Manager,EMCSPractice (786)8799544 [email protected]

2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.

Agenda

BestpracticesforSCADAprocurement BestpracticesforSCADAimplementation BestpracticesforSCADAGoLive ProperstepsforretirementoflegacySCADA Conclusions

2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.

BestPracticesforSCADASystemProcurement
WorkwithyourvendorinordertodriveyourdesiredESPDesign
CIP005

Correctlycommunicatecorporatestandardsfor ElectronicSecurityPerimeters(ESPs)toyourvendor. SpecifythelocationoftheProductionAssets. SpecifythelocationoftheDevelopmentAssets. SpecifythelocationoftheTraining(DTS)Assets. Specifythelocationofthereadonlyserversand theremoteaccesstothem.

Reference:R1.ElectronicSecurityPerimeter

2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.

BestPracticesforSCADASystemProcurement
TighterSecuritywillcontinuetobeimposedontheindustry,planforthefuture today
CIP005

Requestthefollowingsecurityenhancements: SecuredDNP3. SecuredICCP. ServiceDMZwhichwillhousetheprintersand othernonessentialdevices.

Reference:R2.ElectronicAccessControls

2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.

BestPracticesforSCADASystemProcurement
CIP007R1isthemosthighlyviolatedofalltheCIPStandards.Requesttoolswhich willhelpyouachievecompliance
CIP007

Testing/QAenvironment SpecifythelocationoftheQAAssets. Vendorprovidedtoolsfortesting Vendorservicesfortesting

Reference:R1.TestProcedures
2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.

BestPracticesforSCADASystemProcurement
Hardeningofsystemsisamust,auditorslovetodwellonportsandservices.
CIP007

Documentationofyourbaselinesoftware,portsand services. Removinganynonessentialsoftware,portsandservices priortodeliveryoftheSCADAsystem.

Reference:R2.PortsandServices

2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.

BestPracticesforSCADASystemProcurement
Sharetheresponsibilityofkeepingyoursystemuptodatewithyourvendor.
CIP007

Testingandvalidationofthepatchesforsecurity controlsnotjustfunctionality.
Reference:R3.SecurityPatchManagement

2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.

BestPracticesforSCADASystemProcurement
SharedAccountsareheadache,placetheburdenonyourvendor
CIP007

Disableguestaccounts. Implementpasswordcomplexityandagerequirements. Limittheuseofadministratoraccounts. Implementtheprincipleofleastprivilege.

Reference:R5.AccountManagement

2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.

BestPracticesforSCADASystemProcurement

CIP007

Implementtheusageofcentralizedlogging. ImplementtheusageofHostBasedIntrusionDetection System(HIDS)/IntrusionDetectionSystem(IDS).

Reference:R6.SecurityStatusMonitoring

2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.

BestPracticesforSCADASystemProcurement
SharedAccountsareheadache,requesttoolsformanagingtheseaccountsonyour vendor.
CIP007

Implementloggingtoolswhichallowstrackingof genericusernames. Tracktheuserutilizingthegenericusername. Trackthedateandtimewhichthegeneric usernamewasutilized. Tracktheactionswhichweretaken.

Reference:R5.AccountManagement

2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.

BestPracticesforSCADASystemProcurement
DecidewhoperformsyourvulnerabilityassessmentpriorissuingtheRFP
CIP007

Whowillconducttheassessment? Vendor Inhouse Thirdparty Decide: Timingofassessment. Responsibleparty

Reference:R8.CyberVulnerabilityAssessment

2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.

BestPracticesforSCADASystemProcurement
OtherissuestoconsiderpriorissuingtheRFP
CIP007

Virtualization: CIPandNonCIP StorageAreaNetworks: CIPandNonCIP. IPconnections.

Reference:SystemDesign(CIP005andCIP007)

2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.

BestPracticesforSCADASystemProcurement
RequesttoolsandprocedurestoaddressDisasterRecoveryonaperCCAbasis
CIP009

Consideravendorprovidedbackupsolution.
Reference:R4.BackupandRestore

IncludeinyourRFPthatthevendormustrestorethe SCADAsystemfrombackupmediapriortogoingonline.
*PleasenotethatyoumustdocumentedthefullrestorationoftheSCADAin ordertoprovidebookendingevidence.
Reference:R5.TestingBackupMedia

2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.

Agenda

BestpracticesforSCADAprocurement BestpracticesforSCADAimplementation BestpracticesforSCADAGoLive ProperstepsforretirementoflegacySCADA Conclusions

2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.

BestPracticesforSCADASystemImplementation
CIP002

HowtotestthenewSCADASystem: If controlling Testonesubstationatatime. AvoidSubstationsdeemedCriticalAssets Avoidtestingon500and300KVsites (CIPVersion4) Establishwelldocumentedtestprocedures.

2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.

BestPracticesforSCADASystemImplementation
DonotforgettoaddyournewcriticalCyberAssetstoyourCCAlist
CIP002

OnceanewSCADAsystemhastheabilitytocontrolthe BulkElectricalSystem,alloftheCriticalCyberAssets (CCAs)associatedwiththenewsystemneedtobe declaredandaddedtoyourexistingCCAlist.

Reference:R2.(V4) R3.(V3)CriticalCyberAssetIdentification CIP003

MakeyourcompanysCyberSecurityPolicyreadily availabletoallvendoremployeeswhowillworkonyour system.

Reference:R1.CyberSecurityPolicy
2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.

BestPracticesforSCADASystemImplementation
ImplementinganewESPisthebestpathtotake
CIP005

Ifpossible,establishanewESPforthenewSCADA system.Doingsowillallowyouto: Conducttestingpriortogoingonline. Establishwelldocumentedfirewallrules. Insurethatnonewvulnerabilitiesareintroduced tothecurrentproductionenvironment. Allowsfortheimplementationofnewernetwork equipmentwithminimalinterruptiontothe existingnetwork.

Reference:R2.ElectronicAccessControls
2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.

BestPracticesforSCADASystemImplementation
VulnerabilityTestinganddocumentationareamustpriortogoingonline..
CIP005

PriortothenewESPgoinglive,youmustperforma CyberVulnerabilityAssessment.
Verifythatthevendorhasprovideyoualistingoftheports andservices.Reference:R4.CyberVulnerabilityAssessment(CVA)

OncethenewESPisestablishedortheequipmenthas beenaddedtotheexistingESP,youmustupdatethe documentationtoreflectthemodificationofthe networkorcontrolswithinninetycalendardaysofthe changes. Reference:R5.2Documentation

2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.

BestPracticesforSCADASystemImplementation LetsnotforgetthoseTFEs

TechnicalFeasibilityExceptions
RequestthefollowingTechnicalFeasibility Documentation: ListofdevicesforwhichaTFEmustbetaken. Equipmentvendorlettersstatingthespecific requirementwhichcannotbemet. RoadmapforeliminatingalloftheseTFEs
Reference:CIP005andCIP007

2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.

Agenda

BestpracticesforSCADAprocurement BestpracticesforSCADAimplementation BestpracticesforSCADAGoLive ProperstepsforretirementoflegacySCADA Conclusions

2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.

BestPracticesforSystemGoLive
ProperCIPPersonnelcredentialsforContractorsandVendorsisamust.
CIP004

RequirethevendortotraintheiremployeesperyourCIPprogram. Requirethevendortoproviderecordsofthetrainingresults. Contractuallanguagetoaddressliabilitiesfornoncompliance.

Reference:R2.Training

RequirethevendortoprovidePersonnelRiskAssessmentforthe following: ProjectPersonnel

Maintenanceandsupportpersonnel. HardwareOEMsupportpersonnel.

RequirethevendortoprovideyourecordsofthePRAresults.
Reference:R3.PersonnelRiskAssessment(PRA)
2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.

BestPracticesforSystemGoLive
TestingofthemonitoringcapabilitiespriortogoingLIVEisessential.
CIP007

Verifythatloggingisbeingperformedforallofthefollowing securityevents: Failedaccessattempts. Successfulaccessattempts. Antivirusandantimalwarealerts.

*Developaplaninordertotestthatthesecurityeventslistedabovearebeing
properlyloggedoncethesystemgoeslive.
Reference:R6.SecurityStatusMonitoring
2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.

BestPracticesforSystemGoLive
Utilizestrictsecuritycontrolswhenallowingremoteaccessoncethesystem isliveisamust
CIP005

RemoteAccess(VendorandEmployees) Twofactorauthenticationforvendoraccessthruthe firewall. SecuredVPNaccess. Loggingofallvendoraccess. Layeredsecurity,possiblyajumpserverwithtwofactor authentication.

2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.

Agenda

BestpracticesforSCADAprocurement BestpracticesforSCADAimplementation BestpracticesforSCADAGoLive ProperstepsforretirementoflegacySCADA Conclusions

2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.

ProperStepsforretirementoflegacySCADAsystems
Followingthepropersequenceofeventsisessential.
CIP007

Whenredeployingmagneticmedia,overwritethe mediausingDoDStandard. Whendisposingofmedia,youmustphysicallydestroy suchmedia

*Pleasenotethatyoumustoverwriteordestroythediscardedmediawhile itstillresideswithinthePSP.

Youmustcreatedandmaintainedrecordsofdisposed and/orredeployedmedia.
Reference:R7.DisposalorRedeployment
2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.

ProperStepsforretirementoflegacySCADAsystems

CIP005

ElectronicSecurityPerimeter IfanewESPwascreated,retiretheoldESP.
RemovetheESPwheretheretiredequipmentresidedfromanydrawings.

CIP006

PhysicalSecurityPerimeter IfanewPSPwascreated,retiretheoldPSP.
RemovetheoldPSPfromthePhysicalSecurityPlan.

2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.

Agenda

BestpracticesforSCADAprocurement BestpracticesforSCADAimplementation BestpracticesforSCADAGoLive ProperstepsforretirementoflegacySCADA Conclusions

2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.

Conclusions Becomepartnerswithyourselectedvendorinsharingthe CIPSecurityresponsibilities. SelectavendorwhichhasembracedCIPSecurityandhas acultureofexceedingtheCIPRequirements. DeveloptestplansforSecurityTestingcontrolsduringthe implementationofyournewSCADAsystem. Oncethesystemgoeslive,insurethatallofthevendor personnelworkingonyoursystemhavetheproperCIP credentials. Properdisposalofyourdiscardedsystemisessential.
2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.

KeyCyberSecurityConsiderations Questions?

2012Copyright.ConfidentialandproprietarytoTheStructureGroup,LLC.

Active Directory IT Audit Checklist 1711870611
No ratings yet
Active Directory IT Audit Checklist 1711870611
5 pages
OSY Unit Wise QBank
100% (4)
OSY Unit Wise QBank
6 pages
Modular Antennas For MINI-LINK
100% (1)
Modular Antennas For MINI-LINK
13 pages
Servo Gun v2.8 (Eng) Obara
No ratings yet
Servo Gun v2.8 (Eng) Obara
63 pages
Security Information and Event Management (SIEM)
No ratings yet
Security Information and Event Management (SIEM)
16 pages
Tripwire CCM Policies and Platform Support 2015Q4 Datasheet
100% (1)
Tripwire CCM Policies and Platform Support 2015Q4 Datasheet
12 pages
NIST CSF Auditor Checklist: Function Category Identify (Id)
No ratings yet
NIST CSF Auditor Checklist: Function Category Identify (Id)
21 pages
Sample Assessment Questions
No ratings yet
Sample Assessment Questions
31 pages
Differentiating Between Access Control Terms
No ratings yet
Differentiating Between Access Control Terms
12 pages
DORA - DORA Implementation Checklist
100% (1)
DORA - DORA Implementation Checklist
7 pages
IS.000 Enterprise Information Security Policy
No ratings yet
IS.000 Enterprise Information Security Policy
8 pages
Security Guidance For Critical Areas of Focus in Cloud Computing v5 Release Presentation
No ratings yet
Security Guidance For Critical Areas of Focus in Cloud Computing v5 Release Presentation
51 pages
2015 UW-Madison Cybersecurity Strategic Plan Final Jul-01-2015
No ratings yet
2015 UW-Madison Cybersecurity Strategic Plan Final Jul-01-2015
47 pages
NIST Presentation
No ratings yet
NIST Presentation
42 pages
Two Factor Authentication
No ratings yet
Two Factor Authentication
45 pages
1-CS-Overview - CS Solutions For EPAS
No ratings yet
1-CS-Overview - CS Solutions For EPAS
91 pages
OSI Security
No ratings yet
OSI Security
50 pages
Ebook Data Protection Disaster Recovery Enterprise Cloud
No ratings yet
Ebook Data Protection Disaster Recovery Enterprise Cloud
40 pages
CIS Controls v8 Mapping To UK NCSC Cyber Assessment Framework v3.1 - 8-16-2022
No ratings yet
CIS Controls v8 Mapping To UK NCSC Cyber Assessment Framework v3.1 - 8-16-2022
115 pages
Spotting The Adversary With Windows Event Log Monitoring
No ratings yet
Spotting The Adversary With Windows Event Log Monitoring
54 pages
Bsi Cybersecurity Examining The Vulnerabilities of Iacs
No ratings yet
Bsi Cybersecurity Examining The Vulnerabilities of Iacs
9 pages
Security Audit Tools Free/Paid
100% (1)
Security Audit Tools Free/Paid
7 pages
Project Proposal - Lighting
100% (1)
Project Proposal - Lighting
9 pages
User Evidencecollection CC Evidence Collection Checklist v2-2021-11!23!02!35!16
No ratings yet
User Evidencecollection CC Evidence Collection Checklist v2-2021-11!23!02!35!16
71 pages
Achieving Ot Network Visibility Detective Controls Nerc Cip World 40360
No ratings yet
Achieving Ot Network Visibility Detective Controls Nerc Cip World 40360
24 pages
Domain 3 Questions
No ratings yet
Domain 3 Questions
16 pages
Incident Response in The Cloud: Dave Shackleford
No ratings yet
Incident Response in The Cloud: Dave Shackleford
36 pages
Report Experts Guide To PAM Success - (P8-P21-Ex-P20)
No ratings yet
Report Experts Guide To PAM Success - (P8-P21-Ex-P20)
34 pages
CIS Controls Measures and Metrics V7
No ratings yet
CIS Controls Measures and Metrics V7
55 pages
Passing Unix Linux Audit With Power Broker
100% (2)
Passing Unix Linux Audit With Power Broker
11 pages
SOW Security
100% (2)
SOW Security
3 pages
NIST SP 800-88r1
No ratings yet
NIST SP 800-88r1
64 pages
Domain 6 Questions
No ratings yet
Domain 6 Questions
6 pages
Domain 8 Questions
No ratings yet
Domain 8 Questions
8 pages
Information Security
No ratings yet
Information Security
138 pages
LTE Huawei
100% (7)
LTE Huawei
34 pages
Cissp Final Notes Cb#1
No ratings yet
Cissp Final Notes Cb#1
23 pages
SCADA Countermeasures
No ratings yet
SCADA Countermeasures
7 pages
Eurotherm 601 VFD Manual
No ratings yet
Eurotherm 601 VFD Manual
30 pages
76 - Holton - Construction 10 Aug 2022
No ratings yet
76 - Holton - Construction 10 Aug 2022
27 pages
Firewall Administration Audit Work Program
No ratings yet
Firewall Administration Audit Work Program
6 pages
Control Control Requirements: Statement of Applicability
No ratings yet
Control Control Requirements: Statement of Applicability
3 pages
It Service Continuity Management Itscm
No ratings yet
It Service Continuity Management Itscm
4 pages
Enabling Protection Against Data Exfiltration by Implementing Iso 27001:2022 Update
No ratings yet
Enabling Protection Against Data Exfiltration by Implementing Iso 27001:2022 Update
17 pages
Scada Basics - Ncs Tib 04-1
No ratings yet
Scada Basics - Ncs Tib 04-1
76 pages
CISSP Domain 2 Asset Security Detailed
No ratings yet
CISSP Domain 2 Asset Security Detailed
32 pages
Building Cybersecurity Into ICS Acceptance Testing
No ratings yet
Building Cybersecurity Into ICS Acceptance Testing
3 pages
Cybersecurity and Cyber Resilience Framework (CSCRF) For SEBI Regulated Entities (REs)
No ratings yet
Cybersecurity and Cyber Resilience Framework (CSCRF) For SEBI Regulated Entities (REs)
205 pages
Key Cyber Resiliency Terms and Concepts
No ratings yet
Key Cyber Resiliency Terms and Concepts
3 pages
Power Theft
No ratings yet
Power Theft
16 pages
Production Control Group Copy The Source Program To Production Libraries
No ratings yet
Production Control Group Copy The Source Program To Production Libraries
7 pages
A Physical Security Guide To Nerc Cip Compliance
No ratings yet
A Physical Security Guide To Nerc Cip Compliance
25 pages
STANDARD Asset Classification Template en
No ratings yet
STANDARD Asset Classification Template en
12 pages
Cybersecurity 101: Cyber Risks
No ratings yet
Cybersecurity 101: Cyber Risks
2 pages
Kiwiqa Services: Web Application Vapt Report
No ratings yet
Kiwiqa Services: Web Application Vapt Report
25 pages
Thesis Pentest-Methods Public
No ratings yet
Thesis Pentest-Methods Public
71 pages
Siem Brochure
No ratings yet
Siem Brochure
2 pages
Data Security Solution-Rev10.3
No ratings yet
Data Security Solution-Rev10.3
23 pages
Securing Web Portals
No ratings yet
Securing Web Portals
12 pages
Talakunchi - Scoping Questionnaires (Combined)
No ratings yet
Talakunchi - Scoping Questionnaires (Combined)
7 pages
Isms Certification Readiness Recheck Questionnaire
No ratings yet
Isms Certification Readiness Recheck Questionnaire
19 pages
Isc2 Cissp 1 13 1 Threat Modeling Concepts and Methodologies
No ratings yet
Isc2 Cissp 1 13 1 Threat Modeling Concepts and Methodologies
2 pages
Fisma Assignement (Template)
No ratings yet
Fisma Assignement (Template)
3 pages
CISO Mindmap 2022 No Headings
No ratings yet
CISO Mindmap 2022 No Headings
1 page
PD78F9116B, 78F9116B (A) : Mos Integrated Circuits
No ratings yet
PD78F9116B, 78F9116B (A) : Mos Integrated Circuits
56 pages
Phet Electricity Lab Student
No ratings yet
Phet Electricity Lab Student
12 pages
CPRT CSF 2 0 0 11-13-2024
No ratings yet
CPRT CSF 2 0 0 11-13-2024
17 pages
CAIQ Lite
No ratings yet
CAIQ Lite
12 pages
Ivy - Installation and Programming Manual - A5-WEB
No ratings yet
Ivy - Installation and Programming Manual - A5-WEB
32 pages
The Importance of Proper Planning For Telecom Procurement: Case Study
No ratings yet
The Importance of Proper Planning For Telecom Procurement: Case Study
8 pages
Mikrotik Transparent Traffic Shaper
No ratings yet
Mikrotik Transparent Traffic Shaper
9 pages
Indicator 11.7.1 Training Module Public Space
No ratings yet
Indicator 11.7.1 Training Module Public Space
39 pages
VERITY Brochure
No ratings yet
VERITY Brochure
6 pages
2001 Bookmatter RapidManufacturing
No ratings yet
2001 Bookmatter RapidManufacturing
11 pages
Lab 1 Effects of Sampling and Aliasing in Discrete Time Sinusoids
No ratings yet
Lab 1 Effects of Sampling and Aliasing in Discrete Time Sinusoids
5 pages
Section - 5 - Part B-31 Access Management Functional Requirements
No ratings yet
Section - 5 - Part B-31 Access Management Functional Requirements
3 pages
05 - Navigating The LGU System (Report Period and User Accounts)
No ratings yet
05 - Navigating The LGU System (Report Period and User Accounts)
14 pages
Qbittorrent: Download All The Essential Programs For Your Windows PC Completely Free!
No ratings yet
Qbittorrent: Download All The Essential Programs For Your Windows PC Completely Free!
2 pages
Vijaymentor - Vijaymentor - Whoami
No ratings yet
Vijaymentor - Vijaymentor - Whoami
11 pages
PR - ETCS Bangkok's Red Line PDF
100% (1)
PR - ETCS Bangkok's Red Line PDF
3 pages
Kinco VFD Software V2.5-20180226
No ratings yet
Kinco VFD Software V2.5-20180226
11 pages
BH 214
No ratings yet
BH 214
4 pages
Unix Kernel Update 2
No ratings yet
Unix Kernel Update 2
4 pages
Operating Manual: Continuous Band Sealer (Horizontal Orientation) Model No: FR-900S
No ratings yet
Operating Manual: Continuous Band Sealer (Horizontal Orientation) Model No: FR-900S
5 pages
Undertaking - Declaration For Online PI 2022 Common For All
No ratings yet
Undertaking - Declaration For Online PI 2022 Common For All
1 page
Ata Chapters 100 Memorize
No ratings yet
Ata Chapters 100 Memorize
3 pages
Assembly Language Final Term Paper Solutions
No ratings yet
Assembly Language Final Term Paper Solutions
7 pages
Scad A 1
No ratings yet
Scad A 1
76 pages
Dharmendra Sigh: Career Objective
No ratings yet
Dharmendra Sigh: Career Objective
2 pages
Rubber-Tyred Gantry Simulator Training Pack: Overview
No ratings yet
Rubber-Tyred Gantry Simulator Training Pack: Overview
2 pages

Nerc Cip

Uploaded by

Nerc Cip

Uploaded by

NERC CIP Considerations when Procuring and Implementing SCADA Systems

EMS Users Conference

September 18, 2012

MarioMarchelli Director,EnergyManagement&ControlSystemsPracticeLead (832)5630897 [email protected] GilbertPerez Manager,EMCSPractice (786)8799544 [email protected]

BestpracticesforSCADAprocurement BestpracticesforSCADAimplementation BestpracticesforSCADAGoLive ProperstepsforretirementoflegacySCADA Conclusions

Correctlycommunicatecorporatestandardsfor ElectronicSecurityPerimeters(ESPs)toyourvendor. SpecifythelocationoftheProductionAssets. SpecifythelocationoftheDevelopmentAssets. SpecifythelocationoftheTraining(DTS)Assets. Specifythelocationofthereadonlyserversand theremoteaccesstothem.

Requestthefollowingsecurityenhancements: SecuredDNP3. SecuredICCP. ServiceDMZwhichwillhousetheprintersand othernonessentialdevices.

Testing/QAenvironment SpecifythelocationoftheQAAssets. Vendorprovidedtoolsfortesting Vendorservicesfortesting

Documentationofyourbaselinesoftware,portsand services. Removinganynonessentialsoftware,portsandservices priortodeliveryoftheSCADAsystem.

Disableguestaccounts. Implementpasswordcomplexityandagerequirements. Limittheuseofadministratoraccounts. Implementtheprincipleofleastprivilege.

Implementtheusageofcentralizedlogging. ImplementtheusageofHostBasedIntrusionDetection System(HIDS)/IntrusionDetectionSystem(IDS).

Implementloggingtoolswhichallowstrackingof genericusernames. Tracktheuserutilizingthegenericusername. Trackthedateandtimewhichthegeneric usernamewasutilized. Tracktheactionswhichweretaken.

Whowillconducttheassessment? Vendor Inhouse Thirdparty Decide: Timingofassessment. Responsibleparty

Virtualization: CIPandNonCIP StorageAreaNetworks: CIPandNonCIP. IPconnections.

BestpracticesforSCADAprocurement BestpracticesforSCADAimplementation BestpracticesforSCADAGoLive ProperstepsforretirementoflegacySCADA Conclusions

HowtotestthenewSCADASystem: If controlling Testonesubstationatatime. AvoidSubstationsdeemedCriticalAssets Avoidtestingon500and300KVsites (CIPVersion4) Establishwelldocumentedtestprocedures.

OnceanewSCADAsystemhastheabilitytocontrolthe BulkElectricalSystem,alloftheCriticalCyberAssets (CCAs)associatedwiththenewsystemneedtobe declaredandaddedtoyourexistingCCAlist.

MakeyourcompanysCyberSecurityPolicyreadily availabletoallvendoremployeeswhowillworkonyour system.

OncethenewESPisestablishedortheequipmenthas beenaddedtotheexistingESP,youmustupdatethe documentationtoreflectthemodificationofthe networkorcontrolswithinninetycalendardaysofthe changes. Reference:R5.2Documentation

BestpracticesforSCADAprocurement BestpracticesforSCADAimplementation BestpracticesforSCADAGoLive ProperstepsforretirementoflegacySCADA Conclusions

RequirethevendortotraintheiremployeesperyourCIPprogram. Requirethevendortoproviderecordsofthetrainingresults. Contractuallanguagetoaddressliabilitiesfornoncompliance.

RequirethevendortoprovidePersonnelRiskAssessmentforthe following: ProjectPersonnel

Verifythatloggingisbeingperformedforallofthefollowing securityevents: Failedaccessattempts. Successfulaccessattempts. Antivirusandantimalwarealerts.

RemoteAccess(VendorandEmployees) Twofactorauthenticationforvendoraccessthruthe firewall. SecuredVPNaccess. Loggingofallvendoraccess. Layeredsecurity,possiblyajumpserverwithtwofactor authentication.

BestpracticesforSCADAprocurement BestpracticesforSCADAimplementation BestpracticesforSCADAGoLive ProperstepsforretirementoflegacySCADA Conclusions

Whenredeployingmagneticmedia,overwritethe mediausingDoDStandard. Whendisposingofmedia,youmustphysicallydestroy suchmedia

BestpracticesforSCADAprocurement BestpracticesforSCADAimplementation BestpracticesforSCADAGoLive ProperstepsforretirementoflegacySCADA Conclusions

You might also like