North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) Version 5 CIP Cyber Security Standards
NERC CIP Version 5 is now fully enforced, and many more electric companies are implementing NERC CIP measures and looking to the market for automated solutions to help. For those that have been subject to the standard for years already, now is a good time to review the solutions implemented at the time and re-evaluate the simpler and less expensive alternatives that have since become available.
Demonstrating compliance can be a costly and time-consuming exercise, but NNT can help: NNT Change Tracker Enterprise Gen7 R2 is the Number 1 Alternative to Tripwire®, an easier to use and less expensive solution that addresses the majority of NERC CIP controls.
- Out-of-the-box reports are provided to address the CIP Standards and prove that requirements are being met, such as CIP-010-3: the need to first develop, then report drift from, an authorized baseline configuration for all devices, covering the operating system or firmware, all application software and patches installed, and any logical network accessible ports
- NNT SecureOps™ solutions can help address all CIP Standards, meeting the requirements of CIP-002, CIP-003, CIP-004, CIP-005, CIP-006, CIP-007, CIP-008, CIP-009, CIP-010 and CIP-011
- CIS Certified Hardened Build Checklists provided as standard (Note: In June 2012, the U.S. Department of Energy's Idaho National Laboratory, home of the National SCADA Test Bed, completed a very favorable analysis of how the CIS Controls apply in the electric sector, as a first step in assessing the applicability of the controls to specific industrial sectors)
- Configuration Management and Change/Breach Detection provided for all devices and platforms
And, by adopting a full NNT SecureOps™ strategy, incorporating NNT Vulnerability Tracker and NNT Log Tracker working in parallel with Change Tracker, you can deliver an automated and cost-effective solution to full NERC CIP compliance covering the Version 5 CIP Cyber Security Standards.
NERC CIP VERSION 5 BACKGROUNDER
- The Critical Infrastructure Protection initiative of the North American Electric Reliability Corporation has helped protect Bulk Electric Systems and keep the lights on since its initial introduction in 2008.
- The increased proliferation of network-accessible Operational Technology (OT) and Industrial Control Systems (ICS) presents a much larger and more vulnerable attack surface than ever before.
- Identity and Access Management, Configuration Hardening, Vulnerability Management, File Integrity Monitoring, Firewalling, Anti-Virus, Audit Trail Monitoring, Change and Configuration Management and Disaster Recovery along with Physical Security and documented processes and procedures are all mandated. Core security best practices mandate the development of authorized baseline configurations for devices, against which any drift from this baseline can be reported. Approved changes must be authorized with a business justification documented. The key intent of this approach is to regularly review and question the configuration of all devices in order to ensure vulnerabilities are removed and the attack surface of all devices minimized.
- Cyber security threats to BES generating facilities are now more widespread, and with the growing sophistication of malware, APTs, ransomware and socially engineered spear-phishing attacks, the robust operation of all security best practices is critical.
- Change Tracker Gen 7 has been designed from the ground up to automatically operate these key security controls, recording configuration baselines for all devices then continuously monitoring and reporting any drift. Built-in Intelligent Change Control allows approval of changes recorded for all devices, whether in advance of changes being made or as a post-implementation review process.
NERC CIP VERSION 5 TRACK OPEN PORTS
- Networked SCADA, ICS and Intelligent Electronic Devices (IEDs), such as PLCs, sensors, controllers and relays, are all potentially vulnerable to tampering and cyber attack. Access to these devices must therefore be carefully restricted, and monitoring of all open network ports is an essential dimension of NERC CIP compliance.
- Change Tracker Gen 7 R2 is equipped with a distributed network port scanning capability developed specifically to address the requirements of the NERC standard. The option to distribute scanning vantage points is important both to minimize network traffic and, more critically, to preserve the robustness of internal firewalling: full port scans can be run without compromise and without any need to make special allowances in firewall rules.
- Port ranges are simply dialed in for scanning, with exceptions made for 'whitelisted' ports/ranges. Any rules covering ports included in or excluded from scanning are accompanied by explanatory notes in a clear audit trail. An Open Ports Baseline can be saved and labeled at any point and used to report any changes from previous points in time, or to expose differences between similar devices. When authorized changes to the Open Ports Baseline are made, the report is updated, again with a fully descriptive audit trail record.
CIP-002-3: Cyber Security — Critical Cyber Asset Identification:
CIP-002-3 R1, R2, R3

| Purpose | NNT solution | Products needed (CT = Change Tracker, VT = Vulnerability Tracker, LT = Log Tracker) |
|---|---|---|
| NERC Standards CIP-002-3 through CIP-009-3 provide a cyber security framework for the identification and protection of Critical Cyber Assets to support reliable operation of the Bulk Electric System. Standard CIP-002-3 requires the identification and documentation of the Critical Cyber Assets associated with the Critical Assets that support the reliable operation of the Bulk Electric System. These Critical Assets are to be identified through the application of a risk-based assessment. | Automated Network Discovery is provided by NNT Vulnerability Tracker to identify any Cyber Assets using a routable protocol. Any devices discovered are then interrogated more deeply to establish other identification attributes, and active Network Vulnerability Tests are run to simulate attacker activity and expose any exploitable vulnerabilities. | |
CIP-003-5: Cyber Security — Security Management Controls:
CIP-003-5 R1, R2, R3 and R4

| Purpose | NNT solution | Products needed (CT / VT / LT) |
|---|---|---|
| To specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES Cyber Systems against compromise that could lead to misoperation or instability in the BES. Each Responsible Entity shall implement one or more documented cyber security policies that collectively address topics including monitoring and logging; strategies for system hardening; password policies covering length, complexity, enforcement and prevention of brute-force attempts; and recognition of Cyber Security Incidents. | The NNT SecureOps solution set is designed to automate key security controls with real-time alerts and scheduled summary reports, giving a simple overview of what you need to know: true management by exception. | |
CIP-004-3: Cyber Security — Personnel & Training:
CIP-004-3 R4

| Purpose | NNT solution | Products needed (CT / VT / LT) |
|---|---|---|
| Standard CIP-004-3 requires that personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets, including contractors and service vendors, have an appropriate level of personnel risk assessment, training, and security awareness. Standard CIP-004-3 should be read as part of the group of standards CIP-002-3 through CIP-009-3. | All user and system activity is tracked and audit trails are provided to ensure access is in line with authorized privilege. Any new accounts or increases in privilege are also reported for review and approval. | |
CIP-005-5: Cyber Security — Electronic Security Perimeter(s):
CIP-005-5 R1, R2

| Purpose | NNT solution | Products needed (CT / VT / LT) |
|---|---|---|
| To manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES. | Use NNT Change Tracker to apply a secure and hardened configuration baseline. NNT are a Certified Vendor for CIS Benchmark Checklists and an Official OVAL Adopter, ensuring the most secure and effective configuration settings are used for firewalls and all other perimeter devices. Any changes are validated as approved, planned and accurately implemented, and any other drift from the secure baseline is reported in line with CIP-010-3. | |
CIP-006-3c: Cyber Security — Physical Security of Critical Cyber Asset(s):
CIP-006-3c R1, R2

| Purpose | NNT solution | Products needed (CT / VT / LT) |
|---|---|---|
| Standard CIP-006-3 is intended to ensure the implementation of a physical security program for the protection of Critical Cyber Assets. The Responsible Entity shall maintain a physical security plan and implement the technical and procedural controls for monitoring physical access at all access points. | Physical access controls can be audited using automated audit trails and correlation rules. Configuration assessment and change control is automated using Change Tracker. Note: any systems used to operate physical access controls will also need configuration hardening, change control and breach detection/anti-tampering measures enforced for their cyber elements. | |
CIP-007-3: Cyber Security — Systems Security Management:
CIP-007-3 R1, R2, R3, R4, R5

| Purpose | NNT solution | Products needed (CT / VT / LT) |
|---|---|---|
| Standard CIP-007-3 requires Responsible Entities to define methods, processes, and procedures for securing systems within the Electronic Security Perimeter(s). The Entity shall ensure that new Cyber Assets and significant changes to existing Cyber Assets do not adversely affect existing cyber security controls. Changes include implementation of security patches, cumulative service packs, vendor releases, and version upgrades of operating systems, applications, database platforms, or other third-party software or firmware. | With Change Tracker monitoring in place, all changes are reported, then analyzed and validated. Changes are assessed for risk based on knowledge within the system drawn from a range of trusted sources, such as your ITSM system's planned change details, previously observed change patterns and file reputation whitelists like NNT F.A.S.T. Cloud. In addition, network and device changes can be actively tested using NNT Vulnerability Tracker to probe for exploitable vulnerabilities. Finally, because new attack methods are always being derived by cyber criminals, NNT also provide real-time breach detection, vital for the detection of any Stuxnet-style APT attacks. | |
CIP-008-3: Cyber Security — Incident Reporting and Response Planning:
CIP-008-3 R1, R2

| Purpose | NNT solution | Products needed (CT / VT / LT) |
|---|---|---|
| Standard CIP-008-3 ensures the identification, classification, response, and reporting of Cyber Security Incidents related to Critical Cyber Assets. Standard CIP-008-3 should be read as part of the group of standards CIP-002-3 through CIP-009-3. | Anomalous behaviors are detected via both change detection and log analysis. Changes are reviewed automatically against expected, planned and previously approved change patterns using NNT Closed-Loop Intelligent Change Control and NNT F.A.S.T. Cloud. Any Unplanned Changes are reported as potential security incidents, and an investigation and review process is provided within Change Tracker. In addition, all system and user activity is baselined and analyzed using automated log correlation algorithms to identify unusual and suspicious behaviors. Audit trails are securely archived in line with NERC requirements for retrospective analysis and investigation. | |
CIP-009-3: Cyber Security — Recovery Plans for Critical Cyber Assets:
CIP-009-3 R4

| Purpose | NNT solution | Products needed (CT / VT / LT) |
|---|---|---|
| Standard CIP-009-3 ensures that recovery plan(s) are put in place for Critical Cyber Assets and that these plans follow established business continuity and disaster recovery techniques and practices. | Configuration settings are recorded after every change that is made. Change Tracker's built-in workflow requires all changes to be assigned to a Planned Change with documentation, providing a full audit trail to be used when restoring systems to an earlier state. Compliance Reports provide a long-form version of the Initial Configured Baseline for all systems. A full backup with incremental change history is provided for any text-based config file, including firewalls, ICS, OT and any other IED. | |
CIP-010-3: Cyber Security — Configuration Change Management and Vulnerability Assessments:
CIP-010-3 R1, R2, R3, R4

| Purpose | NNT solution | Products needed (CT / VT / LT) |
|---|---|---|
| To prevent and detect unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise that could lead to misoperation or instability in the Bulk Electric System (BES). The key requirements are to develop a baseline configuration (Part 1.1, beginning with 1.1.1, the operating system or firmware version where no independent operating system exists), to authorize and document changes that deviate from the existing baseline configuration, and, for a change that deviates from the existing baseline configuration, to update the baseline configuration as necessary within 30 calendar days of completing the change. | Change Tracker provides a comprehensive solution to address CIP-010-3. Initial vulnerability assessments are performed using Certified CIS Benchmark hardening checklists, which can be tailored to match exactly the required hardened build standard for BES Cyber Systems; any other source of automated compliance content, such as OVAL or SCAP, can also be used. This encompasses CIP-005 and CIP-007 requirements. NNT Vulnerability Tracker then identifies any missing patches and further remediation work necessary to maximize security. Once systems are in a hardened, compliant state, all changes are tracked and assessed automatically against Approved Planned Changes. Changes identified as 'Known Approved' are reconciled with the Planned Change documentation, and changes that 'deviate from the existing baseline' can be reviewed and retrospectively assigned to a Planned Change with rationale documentation. The Configuration Baseline can then be updated and used to assess other similar systems to ensure all are using a consistent secure build. Part 1.5 of CIP-010-3 also specifies "Prior to implementing any change in the production environment, test the changes in a test environment… Document the results of the testing and the differences between the test environment and the production environment". This part of the process is also automated within Change Tracker: all changes experienced by the test system are reported and captured, and can then be used to build a Change Manifest that automatically validates the consistency of the changes when they are made in Production. Finally, NNT Vulnerability Tracker can be used to verify, through regular automated follow-up scans, that no security vulnerabilities have been introduced by the changes. | |
CIP-011-1: Cyber Security — Information Protection:
CIP-011-1 R1

| Purpose | NNT solution | Products needed (CT / VT / LT) |
|---|---|---|
| To prevent unauthorized access to BES Cyber System Information by specifying information protection requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES. Required best practices are to identify information that meets the definition of BES Cyber System Information, then define procedure(s) for protecting and securely handling BES Cyber System Information, including storage, transit, use and disposal. | Secure configuration standards can be assessed and records produced using NNT Change Tracker for the systems holding BES Cyber System Information, covering storage, transit, and use. | |
NERC CIP 5 REQUIREMENTS: FREQUENTLY ASKED QUESTIONS
- Does NNT Change Tracker develop a baseline configuration, individually or by group, which includes the following items:
1.1.1. Operating system(s) (including version) or firmware where no independent operating system exists;
1.1.2. Any commercially available or open-source application software (including version) intentionally installed;
1.1.3. Any custom software installed;
1.1.4. Any logical network accessible ports; and
1.1.5. Any security patches applied?
Yes, this is a standard application for Change Tracker: all platforms are supported, including Windows, Linux, Unix, database systems and firewalls/network appliances. Crucially for NERC CIP requirements, Change Tracker can also baseline other transmission/SCADA components such as relays and transceivers.
Standard reports are provided for all requirements, giving auditors exactly what they require.
- Does NNT Change Tracker authorize and document changes that deviate from the existing baseline configuration?
Yes, Change Tracker has an intelligent change control system that recognizes changes deviating from the initial baseline and alerts the user via the dashboard or email. Once a change has been reviewed, at the most basic level it can simply be acknowledged with the reason for the change appended. There is an advanced option to create an Intelligent Planned Change; see the next response.
- For a change that deviates from the existing baseline configuration, does NNT Change Tracker update the baseline configuration as necessary within 30 calendar days of completing the change?
When using Change Tracker's Intelligent Planned Change function, changes need to be reviewed only once, for just one representative device. An Intelligent Planned Change is Change Tracker's way of learning about regular or repeated changes, like Windows Updates, that you want to be approved automatically when detected on other devices or on future occasions. In other words, the baseline is automatically updated and monitored for all devices in real time. This cuts out the 'change noise' and keeps the focus on suspicious activity.
- For a change that deviates from the existing baseline configuration, does NNT Change Tracker enable the following:
1.4.1. Prior to the change, determine required cybersecurity controls in CIP‐005 and CIP‐007 that could be impacted by the change;
1.4.2. Following the change, verify that required cybersecurity controls determined in 1.4.1 are not adversely affected; and
1.4.3. Document the results of the verification?
Yes, Closed Loop Intelligent Change Control (CLICCS) allows you to set up multiple rules for changes that may be accepted, and ties NERC compliance monitoring to all associated changes. Any change that deviates from an otherwise compliant state is therefore notified, with all checks and relevant information provided to ensure the change is managed properly with no adverse impact on the current CIP environment.
- Where technically feasible, for each change that deviates from the existing baseline configuration, does NNT Change Tracker:
1.5.1. Prior to implementing any change in the production environment, test the changes in a test environment or test the changes in a production environment where the test is performed in a manner that minimizes adverse effects, that models the baseline configuration to ensure that required cyber security controls in CIP‐005 and CIP‐007 are not adversely affected; and
1.5.2. Document the results of the testing and, if a test environment was used, the differences between the test environment and the production environment, including a description of the measures used to account for any differences in operation between the test and production environments?
Yes, Change Tracker can baseline and test changes within a test environment. When patches or changes are applied to the baseline, they can be tested in the test environment before the production environment is changed, so the expected results are known in advance. Change Tracker also 'learns' the changes that result on a device from a given change and then automatically matches any future similar changes to the same Planned Change ID.
- Does NNT Change Tracker monitor at least once every 35 calendar days for changes to the baseline configuration (as described in Requirement R1, Part 1.1), and document and investigate detected unauthorized changes?
Change Tracker typically monitors continuously and reports changes in real time, but a scheduled poll interval can also be used where agentless tracking is preferred.
- Does NNT Change Tracker create and monitor baseline configurations for the following:
7.1.1 Operating System (Linux and Windows, network firmware)
7.1.2 Security Patches (Linux and Windows)
7.1.3 Ports (Linux and Windows)
7.1.4 GE application software (can you customize the directories you want to monitor-example $EXECDIR, $LIBDIR and can you select specific files you want to monitor like the GE jars or cparm.dat/back, opchar.dat/bak)
7.1.5 Custom software (ex: tech support scripts, dynamic ratings custom file)
7.1.6 Third-party software / applications
7.1.7 Firewalls, switches, and routers
7.1.8 VMware servers and appliance like NTP servers?
Yes, Change Tracker is delivered with a wide range of pre-packaged templates that build and track an appropriate baseline for all devices, including all the elements/attributes specified above. Custom templates can also be created where additional file paths, registry keys, config files etc. are required, ideal for the GE requirements highlighted. Note that Change Tracker can also execute command-line queries on devices where deeper information is needed for the baseline.
- Does NNT Change Tracker check ports against host-based firewalls?
Yes, any attribute can be audited against a compliance checklist, for example a CIS Benchmark (NNT are a Certified Vendor for CIS Benchmark Checklists) or a customized checklist. Any deviation from the required settings is reported. In addition, a baseline of ports can be recorded and any drift from that initial baseline tracked and reported. Changes can then either be added to the baseline or handled as exceptions via an Intelligent Planned Change.
- Does NNT Change Tracker generate baselines based on some logical grouping of devices, such as all Windows or all Linux?
Yes, Change Tracker is predominantly group-oriented. As devices are added to the system, a Discovery report is run to understand the type and configuration of the device, and any discovered parameters, including IP address, name and configuration settings, can be used to assign the device to a Group automatically. Once assigned to a Group, monitoring templates and report schedules are inherited from the Group settings automatically.
Groups can be based on any of your internal parameters, such as the geographical location of the device or its brand, make or model, and the same template can then be applied to the whole grouping of devices.
- Does NNT Change Tracker log changes to the baseline?
Yes, any change event is logged and alerted – as changes are detected, these are automatically assessed against all Intelligent Planned Change rules and in doing so, the change is then processed as either a Planned or Unplanned change.
- Does NNT Change Tracker provide a notification or alert when a new baseline has not been generated even after a configurable number of days of a change in the baseline?
Yes, a full audit trail of all system events is generated, including communications events and baseline exceptions (e.g. a missing folder or registry key).
- Does NNT Change Tracker monitor specific configuration changes to the Windows registry?
Yes, any key/subkey or value monitoring spec can be defined using wildcards/regex in order to precisely track just the information required and minimize unwanted/non-useful change noise.
- Does NNT Change Tracker include a change management control process?
Yes, as covered previously, Closed-Loop Intelligent Change Control means that changes can be planned, documented and defined in advance, or post-change.
- Does NNT Change Tracker capture, parse, categorize, and timestamp configuration parameters for Windows Desktop, and Windows Server Operating Systems?
Yes, this is a key strength of Change Tracker. Other legacy FIM solutions require complicated rules and actions to be defined, usually with regex parsing specifications, whereas Change Tracker uses built-in point-and-click setup for tracking with pre-defined match rules/filters. This makes Change Tracker the easiest FIM solution to use and maintain.
- Does NNT Change Tracker capture, organize, and timestamp the hardware profile, including the installed firmware and network characteristics (NICs, ports, protocols, services, etc.) of any machine in the GMS environment?
Yes, a key function of Change Tracker is to capture a baseline configuration image and then track all changes going forward.
- Does NNT Change Tracker have the capability to perform automated notification for information system configurations that are not compliant with baseline configuration? Does notification occur in real time?
Yes, Change Tracker uses real-time FIM. An automated notification is provided in the dashboard and via e-mail/syslog whenever the baseline is deviated from.
- With regard to the components of NNT Change Tracker itself, does Change Tracker enforce access restrictions and roles, and provide auditing of access?
Yes, Change Tracker uses role-based access control, allowing users to be assigned specific roles and restricted to the device groups they are responsible for.
- Does NNT Change Tracker have the capability to provide notification of information system baseline configuration changes and OS level logs in syslog or other format compatible with McAfee SIEM?
Yes, Change Tracker is compatible with all leading SIEM solutions such as McAfee, QRadar, ArcSight and NNT Log Tracker.
- Does NNT Change Tracker require an agent?
Change Tracker offers a full choice of Agent-based or Agentless monitoring for all platforms including Windows, Linux, Unix, Database system, Firewall/Network Appliance or other devices such as Relays, transceivers/other transmission/SCADA component.
- Briefly summarize how Change Tracker would be used to deliver NERC CIP compliance?
All devices within the Energy Management System (EMS) network, generating/transmission networks and SCADA environments are monitored continuously. Each device is immediately assessed for compliance with a Hardened Build Standard, typically derived from CIS Benchmark or NIST SP 800-53 secure configuration guidance (any SCAP/OVAL template can be used), or from a custom report where needed.
This initial report confirms that key NERC CIP requirements are being met and flags any areas of non-compliance. CIP-010 calls for a baseline of software, patches, firmware version, open ports, running services and other secure configuration attributes to be understood and justified. The compliance report is scheduled to re-run periodically to identify any configuration drift in a summarized format. The report not only identifies where action is required, but details the remediation work in terms of commands to use, areas of Group Policy to apply and so on.
Configuration data is also baselined for each device, and any changes made subsequently are recorded and assessed against documented Planned Changes. Any change that does not match a specified Planned Change is raised as Unplanned and should be investigated and remediated, or approved, documented and added to the Approved Baseline. In this way security is maintained by minimizing vulnerabilities while the ability to detect breach activity is maximized: a complete system integrity image is recorded for all files and settings on each device, so a Trojan infiltration is detected in real time, along with any new software being installed, ports being opened, services started or user accounts being changed; in fact, any change that weakens security is notified immediately.
By operating Change Tracker in this way, the full intent and spirit of the NERC CIP requirements can be met in a productive, straightforward manner, while full and detailed audit trails and reports are always available for an external auditor to review.
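The baseline-and-drift procedure described in the open-ports section, the CIP-010-3 entry and the FAQ above (record the five Part 1.1 items, report any deviation, reconcile each deviation against a documented Planned Change, honour whitelisted exceptions such as scanner-excluded ports, and track the 30-day baseline-update and 35-day monitoring windows) can be written out as a short script. The following is an added illustration and is not NNT code, nor a description of how Change Tracker is implemented internally; the record layout, the function names, the device name, the patch and change identifiers and all sample values are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# The five baseline items of CIP-010 R1 Part 1.1. Each is held as a set of
# strings so that drift is a plain set difference.
PART_1_1_ITEMS = ("os_or_firmware", "commercial_software", "custom_software",
                  "network_ports", "security_patches")


@dataclass
class Baseline:
    device: str
    approved_on: date
    items: dict  # item name -> set of values recorded at approval time


@dataclass
class PlannedChange:
    """A documented, authorized change (Part 1.2) and the drift it should produce."""
    change_id: str
    justification: str
    completed_on: date
    expect_added: dict = field(default_factory=dict)    # item -> values that should appear
    expect_removed: dict = field(default_factory=dict)  # item -> values that should disappear


def diff_baseline(baseline, observed, allowlist=None):
    """Return {item: (added, removed)} for every Part 1.1 item that drifted.
    `allowlist` maps an item to values never reported (the whitelisted ports/ranges)."""
    allowlist = allowlist or {}
    drift = {}
    for item in PART_1_1_ITEMS:
        ignore = frozenset(allowlist.get(item, ()))
        before = frozenset(baseline.items.get(item, ())) - ignore
        after = frozenset(observed.get(item, ())) - ignore
        added, removed = after - before, before - after
        if added or removed:
            drift[item] = (added, removed)
    return drift


def reconcile(drift, planned_changes):
    """Match each drifted value to a Planned Change; anything unmatched is Unplanned (Part 2.1)."""
    planned, unplanned = [], []
    for item, (added, removed) in drift.items():
        for sign, values, attr in (("+", added, "expect_added"), ("-", removed, "expect_removed")):
            for value in sorted(values):
                match = next((p for p in planned_changes
                              if value in getattr(p, attr).get(item, ())), None)
                if match is None:
                    unplanned.append((item, sign, value))
                else:
                    planned.append((item, sign, value, match.change_id))
    return planned, unplanned


def deadlines(change_completed_on, last_monitored_on, today):
    """Part 1.3: update the baseline within 30 calendar days of completing a change.
    Part 2.1: check for drift at least once every 35 calendar days."""
    update_due = change_completed_on + timedelta(days=30)
    monitor_due = last_monitored_on + timedelta(days=35)
    return {"baseline_update_due": update_due, "baseline_update_overdue": today > update_due,
            "next_monitor_due": monitor_due, "monitoring_overdue": today > monitor_due}


def run_example():
    """Constructed data: one HMI host, one approved patch, two unexplained changes."""
    baseline = Baseline(
        device="hmi-example-01",  # hypothetical device name
        approved_on=date(2023, 1, 10),
        items={"os_or_firmware": {"Windows Server 2019 10.0.17763"},
               "commercial_software": {"HMI Runtime 8.1", "PDF Reader 11.0"},
               "custom_software": {"ratings-export.ps1"},
               "network_ports": {"tcp/135", "tcp/445", "tcp/3389"},
               "security_patches": {"PATCH-2023-01"}})  # constructed patch IDs
    observed = {  # what a collector reported today; constructed values
        "os_or_firmware": {"Windows Server 2019 10.0.17763"},
        "commercial_software": {"HMI Runtime 8.1", "PDF Reader 11.0"},
        "custom_software": {"ratings-export.ps1", "support-tunnel.ps1"},
        "network_ports": {"tcp/135", "tcp/445", "tcp/3389", "tcp/4444", "udp/123"},
        "security_patches": {"PATCH-2023-01", "PATCH-2023-02"}}
    patch = PlannedChange("CHG-0042", "February cumulative update", date(2023, 2, 15),
                          expect_added={"security_patches": {"PATCH-2023-02"}})
    # udp/123 (NTP) is a justified exception, so it is whitelisted rather than reported.
    drift = diff_baseline(baseline, observed, allowlist={"network_ports": {"udp/123"}})
    planned, unplanned = reconcile(drift, [patch])
    due = deadlines(patch.completed_on, last_monitored_on=date(2023, 1, 12), today=date(2023, 3, 20))
    return planned, unplanned, due


if __name__ == "__main__":
    planned, unplanned, due = run_example()
    print("planned:", planned)
    print("unplanned:", unplanned)   # the new script and the new listener need a justification
    print("deadlines:", due)
```

The new `support-tunnel.ps1` script and the new `tcp/4444` listener are reported as Unplanned because no Planned Change expected them, while the patch is reconciled to CHG-0042; the whitelisted NTP port never appears. Because the patch was completed on 15 February and the baseline has not been re-approved by 20 March, the 30-day update window is also flagged as overdue, as is the 35-day monitoring interval.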
Register for a free trial and automate your systems now.

CASE STUDY
Learn about NNT Change Tracker for Industrial Control Systems (ICS) and Operational Technology (OT)
- GVEC Relies on NNT Change Tracker for NERC CIP Compliance
- NNT Change Tracker Gen7 R2 for Industrial Control Systems (ICS) and Operational Technology (OT)
- All NERC CIP Case Studies
With the increased regulatory pressures associated with PCI DSS and NERC CIP compliance, NNT Change Tracker has become an invaluable addition to both our processes and systems, allowing us to maintain our compliance without adversely affecting our workload
Chris Murphy, Head of IT, Guadalupe Valley Electric Co-Op, Texas
