NERC CIP FAQ
- Frequently asked questions about Change Tracker and NERC CIP version 5 requirements
- Does NNT Change Tracker develop a baseline configuration, individually or by group, which includes the following items:
1.1.1. Operating system(s) (including version) or firmware where no independent operating system exists;
1.1.2. Any commercially available or open‐source application software (including version) intentionally installed;
1.1.3. Any custom software installed;
1.1.4. Any logical network accessible ports; and
1.1.5. Any security patches applied?
Yes, this is a standard application for Change Tracker – all platforms are supported, including Windows, Linux, Unix, database systems and firewalls/network appliances. Crucially for NERC CIP requirements, Change Tracker can also baseline other transmission/SCADA components such as relays, transceivers etc.
Standard reports are provided for all requirements, giving auditors exactly what they require.
- Does NNT Change Tracker authorize and document changes that deviate from the existing baseline configuration?
Yes, Change Tracker has an intelligent change control system that recognizes changes deviating from the initial baseline and alerts the user via the dashboard or email. Once a change has been reviewed, at the most basic level it can simply be acknowledged, with details of the reason for the change appended. There is an advanced option to create an Intelligent Planned Change – see the next response.
- For a change that deviates from the existing baseline configuration, does NNT Change Tracker update the baseline configuration as necessary within 30 calendar days of completing the change?
When using Change Tracker’s Intelligent Planned Change function, changes need to be reviewed only once, on a single representative device. An Intelligent Planned Change is Change Tracker’s way of learning about regular or repeated changes, such as Windows Updates, that you want to be automatically approved when detected on other devices or on future occasions. In other words, the baseline is automatically updated and monitored for all devices in real time. This cuts out the ‘change noise’ so that attention can be focused on suspicious activity events.
- For a change that deviates from the existing baseline configuration, does NNT Change Tracker enable the following:
1.4.1. Prior to the change, determine required cyber security controls in CIP‐005 and CIP‐007 that could be impacted by the change;
1.4.2. Following the change, verify that required cyber security controls determined in 1.4.1 are not adversely affected; and
1.4.3. Document the results of the verification?
Yes, Closed Loop Intelligent Change Control (CLICCS) allows you to set up multiple rules for changes that may be accepted, and also combines NERC compliance monitoring with all associated changes. Any change that deviates from an otherwise compliant state is therefore notified, with all checks and relevant information provided, to ensure changes are managed properly with no adverse impact on the current CIP environment.
- Where technically feasible, for each change that deviates from the existing baseline configuration, does NNT Change Tracker:
1.5.1. Prior to implementing any change in the production environment, test the changes in a test environment or test the changes in a production environment where the test is performed in a manner that minimizes adverse effects, that models the baseline configuration to ensure that required cyber security controls in CIP‐005 and CIP‐007 are not adversely affected; and
1.5.2. Document the results of the testing and, if a test environment was used, the differences between the test environment and the production environment, including a description of the measures used to account for any differences in operation between the test and production environments?
Yes, Change Tracker has the ability to perform baseline testing within a test environment. When patches or changes are applied to the baseline, they can be tested in a test environment before the production environment is changed, so you know what to expect. Change Tracker will also ‘learn’ what the resulting changes on any device are for a given change and then automatically match any future similar changes to the same Planned Change ID.
- Does NNT Change Tracker monitor for changes to the baseline configuration (as described in Requirement R1, Part 1.1) at least once every 35 calendar days, and document and investigate detected unauthorized changes?
Change Tracker will typically monitor continuously and report changes in real-time, but a scheduled poll interval can also be used where agentless tracking is preferred.
- Does NNT Change Tracker create and monitor baseline configurations for the following:
7.1.1 Operating System (Linux and Windows, network firmware)
7.1.2 Security Patches (Linux and Windows)
7.1.3 Ports (Linux and Windows)
7.1.4 GE application software (can you customize the directories you want to monitor, e.g. $EXECDIR, $LIBDIR, and can you select specific files you want to monitor, like the GE jars or cparm.dat/back, opchar.dat/bak)
7.1.5 Custom software (ex: tech support scripts, dynamic ratings custom file)
7.1.6 Third-party software / applications
7.1.7 Firewalls, switches, and routers
7.1.8 VMware servers and appliances like NTP servers?
Yes, Change Tracker is delivered with a wide range of pre-packaged templates that will build and track an appropriate baseline for all devices, including all the elements/attributes specified above. Custom templates can also be created where additional file paths, registry keys, config files etc. are required, which suits the GE requirements highlighted. Note that Change Tracker can even execute command line queries on devices where deeper information is needed for the baseline.
- Does NNT Change Tracker check ports against host based firewalls?
Yes, any attribute can be audited against a compliance checklist, for example a CIS Benchmark (NNT are a Certified Vendor for CIS Benchmark checklists), or a customized checklist can be used. Any deviation from the required settings will be reported. In addition, a baseline of ports can be recorded and any drift from the initial baseline tracked and reported. Changes can then either be added to the baseline or exceptions made via an Intelligent Planned Change.
- Does NNT Change Tracker generate baselines based on some logical grouping of devices, such as all Windows or all Linux?
Yes, Change Tracker is predominantly group-oriented. As devices are added to the system, a Discovery report is run to understand the type and configuration of the device, and any discovered parameters, including IP address, name, config settings etc., can be used to automatically assign the device to a Group. Once assigned to a Group, monitoring templates and report schedules are inherited automatically from the Group settings.
You can define groups based on any of your internal parameters, whether the geographical location of the device or the device brand, make or model. With templates you can apply the same template to a grouping of devices.
- Does NNT Change Tracker log changes to the baseline?
Yes, any change event is logged and alerted on. As changes are detected they are automatically assessed against all Intelligent Planned Change rules, and the change is then processed as either a Planned or an Unplanned change.
- Does NNT Change Tracker provide a notification or alert when a new baseline has not been generated within a configurable number of days after a change to the baseline?
Yes, a full audit trail of all system events is generated, including communications events and baseline exceptions (e.g. a missing folder or registry key).
- Does NNT Change Tracker monitor specific configuration changes to the Windows registry?
Yes, any key/subkey or value monitoring spec can be defined using wildcards/regex in order to precisely track just the information required and minimize unwanted/non-useful change noise.
- Does NNT Change Tracker include a change management control process?
Yes, as covered previously, Closed-Loop Intelligent Change Control means that changes can be planned, documented and defined in advance, or post-change.
- Does NNT Change Tracker capture, parse, categorize, and timestamp configuration parameters for Windows Desktop, and Windows Server Operating Systems?
Yes, this is a key strength of Change Tracker. Other legacy FIM solutions require complicated rules and actions to be defined, usually with regex parsing specifications, whereas Change Tracker uses built-in point-and-click setup for tracking with pre-defined match rules/filters. This makes Change Tracker the easiest FIM solution available to use and maintain.
- Does NNT Change Tracker capture, organize, and timestamp the hardware profile, including the installed firmware and network characteristics (NICs, ports, protocols, services, etc.) of any machine in the GMS environment?
Yes, it is a key function of Change Tracker to capture a baseline configuration image and then track all changes going forward.
- Does NNT Change Tracker have the capability to perform automated notification for information system configurations that are not compliant with baseline configuration? Does notification occur in real time?
Yes, Change Tracker uses real-time FIM. An automated notification is provided on the dashboard and via e-mail/syslog when the baseline is deviated from.
- With regard to the components of NNT Change Tracker itself, does NNT Change Tracker enforce access restrictions and roles, and also provide auditing of access?
Yes, Change Tracker uses role-based access control, allowing users to be assigned specific roles and restricted to the groups of devices they are responsible for.
- Does NNT Change Tracker have the capability to provide notification of information system baseline configuration changes and OS level logs in syslog or other format compatible with McAfee SIEM?
Yes, Change Tracker is compatible with all leading SIEM solutions such as McAfee, QRadar, ArcSight and NNT Log Tracker.
- Does NNT Change Tracker require an agent?
Change Tracker offers a full choice of agent-based or agentless monitoring for all platforms, including Windows, Linux, Unix, database systems, firewall/network appliances and other devices such as relays, transceivers and other transmission/SCADA components.
- Briefly summarize how Change Tracker would be used to deliver NERC CIP compliance?
All devices within the Management Network (EMS), generating/transmission networks and SCADA environments are monitored continuously. Each device is immediately assessed for compliance with a Hardened Build Standard, typically derived from CIS Benchmark or NIST 800-53 secure configuration guidance (but any SCAP/OVAL template can be used), or a custom report derived where needed.
This initial report ensures that key NERC CIP requirements are being met and flags any areas of non-compliance. Requirement CIP-010 calls for a baseline of software, patches, firmware version, open ports, running services and other secure configuration attributes to be understood and justified. The compliance report is scheduled to be re-run periodically to identify any configuration drift in a summarized format. The report not only identifies where action is required, but details the remediation work in terms of commands to use, areas of Group Policy to apply etc.
Configuration data is also baselined for each device, and from this baseline any subsequent changes are recorded and assessed against documented Planned Changes. Any change that does not match a specified Planned Change is raised as Unplanned and should be investigated and remediated, or approved, documented and added to the Approved Baseline. In this way security is maintained by minimizing vulnerabilities, while the ability to detect breach activity is maximized: a complete system integrity image is recorded for all files and settings on each device, so a Trojan infiltration is detected in real time, along with any new software being installed, ports being opened, services started or user accounts being changed – in fact any change that weakens security is notified immediately.
By operating Change Tracker in this way, the full intent and spirit of the NERC CIP requirements can be met in a productive, straightforward manner, while the full and detailed audit trails and reports are always available for an external auditor to review.
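The baseline, drift and Planned Change workflow described in the answers above, as an added example in Python; this is not NNT's or Change Tracker's own code, and the device snapshots, patch identifiers and Planned Change ID are constructed placeholders. It shows a change reviewed once on one device being learned as a rule that then auto-classifies the same change on other devices, while any delta the rule does not explain is raised as Unplanned.

```python
# Added example (not NNT's code): baseline drift detection with planned-change
# matching, as a CIP-010 style baseline tracker performs it.
# A snapshot is {category: {item: value}}; categories follow CIP-010 R1 Part 1.1.

def diff(baseline, current):
    """Return the set of (category, item, old, new) deltas; None means absent."""
    deltas = set()
    for cat in baseline.keys() | current.keys():
        old, new = baseline.get(cat, {}), current.get(cat, {})
        for item in old.keys() | new.keys():
            if old.get(item) != new.get(item):
                deltas.add((cat, item, old.get(item), new.get(item)))
    return deltas

def learn_planned_change(change_id, baseline, current):
    """Record the deltas of a change reviewed on one device as a reusable rule."""
    return {"id": change_id, "deltas": diff(baseline, current)}

def classify(baseline, current, planned_changes):
    """Classify drift: 'planned' if one rule explains every delta, else 'unplanned'
    together with the deltas no rule explains (what an operator must investigate)."""
    deltas = diff(baseline, current)
    if not deltas:
        return "unchanged", None, set()
    for rule in planned_changes:
        if deltas <= rule["deltas"]:
            return "planned", rule["id"], set()
    explained = set().union(*(r["deltas"] for r in planned_changes))
    return "unplanned", None, deltas - explained

def snapshot_copy(snapshot):
    """Deep-enough copy so a device's drift does not modify the stored baseline."""
    return {cat: dict(items) for cat, items in snapshot.items()}

# Constructed sample data; patch IDs and the Planned Change ID are placeholders.
BASELINE = {
    "os": {"version": "Windows Server 2016 14393"},
    "patches": {"KB-EXAMPLE-001": "installed"},
    "ports": {"tcp/22": "open"},
    "software": {"ems-client": "4.2"},
}
# Device 1: a patch roll-out reviewed by an operator and learned as a rule.
PATCHED = snapshot_copy(BASELINE)
PATCHED["patches"]["KB-EXAMPLE-002"] = "installed"
PLANNED = [learn_planned_change("PC-0001 monthly patch", BASELINE, PATCHED)]
# Device 2: the same patch, matched automatically. Device 3: patch plus a new listener.
DEVICE2 = snapshot_copy(PATCHED)
DEVICE3 = snapshot_copy(PATCHED)
DEVICE3["ports"]["tcp/23"] = "open"
```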