Tripwire NERC Solution Suite
AUTOMATE AND SIMPLIFY COMPLIANCE
The North American Electric Reliability Corporation (NERC) maintains comprehensive reliability standards that define requirements for planning and operating the bulk electric system. Among these are eight Critical Infrastructure Protection (CIP) Cyber Security Standards, which specify a minimum set of controls and processes for power generation and transmission companies to follow to ensure the security of the North American power grid. .
The Tripwire NERC Solution Suite provides a comprehensive solution for NERC CIP compliance by offering a combination of standard products, NERC-specific extensions and industry-experienced consultants.
NERC Solution Suite Architecture
Tripwire enables registered entities to achieve and maintain NERC CIP compliance by:
- Continuous Monitoring continuously collect detailed status information on all your critical cyber assets and immediately detect any changes
- Automated Assessment - automatically aggregate and analyze your security data and alert on suspicious events or modifications that impact your compliance status
- Audit-ready Evidence - quickly generate reports and dashboards that fully document, by CIP requirement, your compliance with security controls and processes
Tripwire Coverage of NERC CIP Requirements
With the NERC Solution Suite, Tripwire can help power companies automate 24 of the 43 requirements contained in the NERC CIP standards. Click below to see how Tripwire addresses some of the toughest technical controls within each specific CIP requirement.
|CIP 002 R2: Critical Cyber Asset Identification||Tripwire Log Center combined with professional services use of Tripwire discovery tools can help identify and track the critical cyber assets that are in scope.|
|CIP 003 R4: Information Protection||
Tripwire products can generate evidence for audit of CCA, and identify files used for evidence of compliance, monitoring them for change and retention.
|CIP 003 R5: Access Control||
Tripwire Enterprise and Tripwire Log Center are used to verify account and access control settings on systems and networks via logs and configuration changes. For R5.2, Tripwire Enterprise can identify local user accounts and compare current state against a customer-specific approved user list, alerting when there is a variance on individual CCAs.
|CIP 003 R6. Change Control and Configuration Management||
Tripwire Enterprise’s standard functionality is a change control and configuration management system. It can be used to baseline configurations and then used to show variance, including specific file content changes. Additionally, Tripwire Enterprise can be used to create hash fingerprints of audit records and for verification that the records themselves haven’t been tampered with.
|CIP 004 R4: Access||
For R4.1, tailored change audit rules can validate that Access Lists have not been tampered with or modified and verify that the list is updated in a timely fashion (7 days). For R4.2, standard monitoring access logs come out of the box with Tripwire Log Center; access controls are monitored by Tripwire Enterprise, and tailored rules can be created to search for access control logs that match lists of former employees to validate that access and activity by the former employees has been terminated.
|CIPP 005 R2: Electronic Access Controls||
Tripwire Enterprise validates and monitors security settings and related configurations to ensure that appropriate controls are in place (such as “deny by default”) and that explicit permission settings (R2.1), explicit controls for services and ports (R2.2), monitoring of dial-up services and features (R2.3), strong authentication for external interactive users (R2.4) and appropriate banners or other access control notifications are in place (R2.6).
|CIP 005 R3. Monitoring Electronic Access||
Tripwire Log Center can detect and alert when a CCA stops logging activity, thus alerting on violation of the twenty-four hours a day, seven days a week requirement. For R3.2, Tripwire Enterprise validates and monitors security settings and configurations to ensure that logs and access to logs is controlled.
|CIP 005 R4: Cyber Vulnerability Assessment||
For R4.2, Tripwire Enterprise can monitor ports and services and can be used to compare against a tailored set of customer-specific approved services, alerting when monitoring proves variance. For R4.3, standard change audit tests can be used to check default settings on network devices (e.g. default SNMP community strings).
|CIP 005 R5: Documentation Review and Maintenance||
Tripwire Enterprise baseline and compliance reports provide evidence of current configuration states. These can be scheduled to run to meet requirements. For R5.3, Tripwire Log Center can manage logs and ensure retention for the required time periods.
|CIP 006 R1: Physical Security Plan||
For R1.3, Tripwire Log Center can facilitate monitoring of physical access and other environmental monitoring systems through automated collection and analysis of their device logs. For R1.6, logs can be monitored specifi- cally for visitor information, including correlation rules to verify that login is followed by logout in a expected timeframe.
|CIP 006 R4: Physical Access Controls||
Tripwire Log Center can detect and alert when a CCA stops logging activity, thus providing alerting on continuous 24x7 basis.
|CIP 006 R5: Monitoring Physical Access||
Tripwire Log Center can facilitate monitoring of physical access and other environmental monitoring systems by analyzing the logs collected for R1.3, utilizing custom correlation rules to alert on unauthorized access attempts.
|CIP 006 R6: Logging Physical Access||
Tripwire Log Center can provide evidence of 24x7 physical access monitoring using data collection, normalization and retention features
|CIP 006 R7: Access Log Retention||
Log retention for the required periods can be assured through Tripwire Log Center’s log management and archiving capabilities.
|CIP 007 R1: Test Procedures||
Tripwire Enterprise can baseline and test new systems, assets and components, supporting change control practices and assisting in identifying non-compliant systems within the ESP. For R1.2, Tripwire Enterprise baseline comparisons prove that the test configuration is consistent with production, thereby increasing confidence in the results of the test.
|CIP 007 R2:Ports and Services||
Tripwire Enterprise can monitor ports and services and compare current state against a tailored set of customer- specific approved port and services, alerting when monitoring detects a variance. For R2.1, this same process will ensure that only those ports and services required for normal and emergency operations are enabled. For R2.2, this same process will check that all other ports and services are disabled, and provide an alert upon variance.
|CIP 007 R3: Security Patch Management||
Tripwire Enterprise can identify software versions and installed patches and compare current state against a tailored set of customer-specific approved software versions and patches, alerting when there is a variance on specific CCAs.
|CIP 007 R4: Malicious Software Prevention||
Tripwire Enterprise can scan for anti-virus and malware products installed through tailored change auditing rules. Logs can be monitored to find specific malware events and allow the Tripwire operator to examine the device for incident information. For R4.1, Tripwire Enterprise checks for security settings and configurations to validate anti- virus and malware prevention is enabled and updated appropriately.
|CIP 007 R5: Account Management||
Tripwire Log Center and Tripwire Enterprise can scan logs for account management activity and configuration settings for changes to account privilege, respectively, alerting as appropriate. For 5.1, Tripwire Products can use this data to document the process and procedures, which supports reporting cycle requirements and appropriate access privileges. For 5.2, the same capabilities can be used to document appropriate disabling of accounts. For R5.3, Tripwire Enterprise can verify configuration settings for passwords and other security settings to meet and maintain compliance requirements.
|CIP 007 R6: Security Status Monitoring||
Tripwire Enterprise change auditing and log monitoring features meet this requirement. For R6.1, it supports technical and procedural processes to validate and monitor security events on cyber assets. For R6.2, Tripwire Log Center can be configured to alert on a variety of events based on simple or complex rules tailored to the organization need and risk level. For R6.3 and R6.4, its log consolidation and retention features allow an organi- zation to maintain logs independent of the system or application capabilities.
|CIP 007 R8: Cyber Vulnerability Assessment||
For R8.2, Tripwire Enterprise can be used to monitor ports and services and can be used to compare against a tailored set of customer specific approved services, alerting upon variance. For R8.3, Tripwire Log Center can review logs and system behavior for changes to default accounts.
|CIP 008 R1: Cyber Security Incident Response Plan||
For R1.1, event types can be classified and tailored using custom correlation rules to help with incident identification and escalation. Tripwire VIA integration allows for comprehensive alerting on events of interest. For R1.3, Tripwire product reports on logs, events, configurations and change detection can be used to create IOC reports that may be included with an ISAC response document.
|CIP 009 R2: Exercises||
Tripwire Enterprise baselines and configuration settings can be used for validation of a successful restoration exercise.
|CIP 009 R4: Backup and Restore||
Tripwire Enterprise can aid in the restoration of CCAs or any baselined asset by ensuring that the most recent configuration state of each CCA is captured and retained on an ongoing basis, making the restoration process much easier to verify.