
NERC CIP-007 v. 5 Patch Management: Factors for Success


Academic year: 2021


(1)

Cyber Security | Compliance | Industrial Computing

NERC CIP-007 v. 5 Patch Management: Factors for Success

A Presentation By: EnergySec, FoxGuard Solutions, NRG

(2)

It’s Interactive

Please submit your questions through the control panel to get answers LIVE from our panelists.

(3)

It’s Hip to Chat

EnergySec is hosting an online chat to accompany this webinar which is open to all registered EnergySec Community participants.

To join the chat as a guest, visit: https://hipchat.energysec.org/gEUq1qmNi

If you have a HipChat account already, join us in the room.

Note: Registered users have access to the chat history, file attachments, and links.

(4)

Agenda

• Introductions
• CIP-007-5 Requirements
• Need
• Challenges
• Understanding Patch and Update Management
• Customer Insight
• Q&A

(5)

Meet Your Panelists

Larry Snow

Karl Perman, VP, Services, EnergySec

Monta Elkins, Security Architect, FoxGuard Solutions

(6)

CIP-007-5 - SECURITY PATCH MANAGEMENT

(7)

CIP-007-5 Part 2.1

• High Impact BES Cyber Systems and their associated: EACMS, PACS, PCA
• Medium Impact BES Cyber Systems and their associated: EACMS, PACS, PCA
• A patch management process for tracking, evaluating, and installing cyber security patches for applicable Cyber Assets. The tracking portion shall include the identification of a source or sources that the Responsible Entity tracks for the release of cyber security patches for applicable Cyber Assets that are updateable and for which a

(8)

CIP-007-5 Part 2.2

• High Impact BES Cyber Systems and their associated: EACMS, PACS, PCA
• Medium Impact BES Cyber Systems and their associated: EACMS, PACS, PCA
• At least once every 35 calendar days, evaluate security patches for applicability that have been released since the last evaluation from the

(9)

CIP-007-5 Part 2.3

• High Impact BES Cyber Systems and their associated: EACMS, PACS, PCA
• Medium Impact BES Cyber Systems and their associated: EACMS, PACS, PCA
• For applicable patches identified in Part 2.2, within 35 calendar days of the evaluation completion, take one of the following actions:
  - Apply the applicable patches; or
  - Create a dated mitigation plan; or
  - Revise an existing mitigation plan.
• Mitigation plans shall include the Responsible Entity’s planned actions to mitigate the vulnerabilities addressed by each security patch and a timeframe to complete these mitigations.

(10)

CIP-007-5 Part 2.4

• High Impact BES Cyber Systems and their associated: EACMS, PACS, PCA
• Medium Impact BES Cyber Systems and their associated: EACMS, PACS, PCA
• For each mitigation plan created or revised in Part 2.3, implement the plan within the timeframe specified in the plan, unless a revision to the plan or an extension to the timeframe specified in Part 2.3 is approved by the CIP Senior Manager or delegate.

(11)

Why the need for a patch management program?

• Know, track, and mitigate the known software vulnerabilities associated with BES Cyber Assets.
• Intention is to be aware of in a timely manner and manage all known vulnerabilities not

(12)

Challenges

• What is a cyber security patch?
• Who can be a source?
• When does the assessment timeframe clock start?

(13)

Understanding

(14)

Monta Elkins is the Security Architect for FoxGuard Solutions, the nation’s leading ICS patch provider.

A security researcher and consultant, he was formerly Security Architect for Rackspace, and the first ISO for Radford University. He has been a speaker at DEFCON, Homeland Security’s ICSJWG (Industrial Control Systems Joint Working Group), EnergySec's Security Summit, VASCAN, GE Digital Energy's Annual Software Summit, Educause Security Professionals Conference, Toshiba's Industrial Control Systems Conference and other security conferences.

Monta is the author and instructor of the “Defense against the Dark Arts” hands-on hacker tools and techniques classes. He also teaches rapid prototyping and Arduino classes with Let's Code Blacksburg.

(15)

WHAT IS A PATCH?

• Feature Enhancements And / Or Security Patches
• Focus Is On The Security Patches, As These Address

[Diagram: PATCH, with the labels UPDATE, UPGRADE, FIRMWARE ENHANCEMENT, SERVICE BULLETIN]

(16)

SOURCE? WHY WE CARE

• The Source Of A Patch May Be:
  - Product/Software Vendor
  - SCADA Vendor
  - Aggregated Resource Of Patches From A Variety Of Vendors

(17)

Current Patching Challenges

• NERC CIP-007-5
• Wide Variety Of Sources
• LARGE Documentation Effort
• Patching Restrictions (Warranty Issues)
• Timing Constraints
• Lots Of Specialized Equipment

(18)

DEVICES & APPLICATIONS SUPPORTED

[Diagram: SUPPORTED ASSETS, grouped as OPERATING SYSTEMS, 3RD PARTY APPLICATIONS, NETWORK DEVICES, FIELD DEVICES]

(19)

STAGES OF PATCH MANAGEMENT

1. ASSET IDENTIFICATION & BASELINE
2. AVAILABILITY
3. APPLICABILITY
4. ACQUISITION
5. VALIDATION

(20)

BENEFITS OF AGGREGATOR

• Patch Security Information
  - Is This A Security Related Patch
  - Are There Related CERT Notices, CVEs
• Allow Multiple Customer Accounts With Access Control To Support Large Organizations (e.g.)
  - Compliance Manager Role
  - Implementation Engineer Role
• Compliance Support Documentation
  - e.g. CIP Requires Documenting Patch Sources For Cyber Assets And Evaluating Available Patches Every 35 Days
• Positive Notification

(21)

PATCH & UPDATE MANAGEMENT PROGRAM

Co-operative Agreement with the Department of Energy

• Patch & Update Data Aggregator, Web Portal Service
• Patch & Update Authentication / Hashing
• Validation Techniques & Methodologies
• Scanning & Patch Deployment Engine

(22)

Larry Snow has been in the power generation business for 32 years. He has spent many years as a Controls Engineer.

Larry has also been involved in NERC-CIP since 2008 and is currently the NERC-CIP Manager for NRG East & Midwest Regions.

Larry Snow, NERC-CIP Manager, NRG East & Midwest Regions

(23)

• The Patching “Burden”
• How Did We Reduce This Burden?
• How We Saved Time And Effort

(24)

GROUP DISCUSSION

Points To Remember

• Comprehensive Patch Management Solutions
• Over 10 Years Of Patching Expertise In The Energy Industry
• Long History Of Program Management
• Our Company Is Designed To Be An Extension Of Yours
• The

Question & Answers Session

(25)

CONTACT INFORMATION

HEADQUARTERS: 2285 Prospect Drive, Christiansburg VA 24073
WEBSITE: www.foxguardsolutions.com
TELEPHONE: 877.446.4732
EMAIL: [email protected]
LINKEDIN: www.linkedin.com/company/717871
TWITTER: twitter.com/FoxGuardInc
