Electric industry asset owners in North America are subject to mandatory cybersecurity regulations developed by the North American Electric Reliability Corporation (NERC). The regulations, known as the NERC CIP standards, carry the force of law in the United States, based on their approval by the Federal Energy Regulatory Commission (FERC), and in Canada, based on provincial authorities. In addition, many countries in Latin America are adopting the NERC CIP standards on a voluntary basis, with possible future government mandates.
These standards impose a wide range of technical and procedural requirements on industry asset owners (commonly known as Registered Entities). To meet the requirements, Registered Entities typically deploy a variety of technical security controls that directly address the requirements, or indirectly support compliance with the requirements. Also, some requirements may be imposed on security technology used within NERC CIP regulated environments. This paper describes how Tripwire’s fully integrated platform supports entities’ compliance efforts while helping to improve the cybersecurity and operational reliability of power generation and transmission systems. We will map NERC CIP requirements to specific functionality provided by Tripwire® Industrial Visibility and provide answers to the most common questions asked by utilities regarding NERC CIP compatibility.
Electronic Security Perimeters
NERC standard CIP-005 specifies requirements for Electronic Security Perimeters (ESPs), secure networks containing Cyber Assets that are in scope for CIP requirements. Tripwire Industrial Visibility assists with the design and verification of these networks by identifying and mapping all assets communicating on control networks (Field Bus / Serial & IP Networks). This information is used to construct network diagrams identifying all external routable communication paths and access points and even the ability to identify Remote Interactive Access. This standard also requires monitoring of inbound and outbound access to the ESPs for the purpose of detecting malicious activity. Tripwire Industrial Visibility is well suited to meet this requirement via its unique combination of signatures, purpose built OT behavioral models, and proprietary anomaly detection capabilities. This can immediately detect and provide actionable information on malicious activities. Most importantly, Tripwire Industrial Visibility can identify potentially malicious communications within OT protocols that may not be understood by traditional security tools, filling a potential gap in compliance.
System Security Management
CIP-007 establishes several requirements related to system management. Tripwire Industrial Visibility can assist with many of these.
Ports and Services
CIP-007 R1 requires entities to disable unnecessary “logical network accessible ports”. Tripwire Industrial Visibility monitors network communications and identifies ports on which devices are communicating. This can be used to supplement other solutions (such as Tripwire IP360™ and the Tripwire State Analyzer app) to identify ports for this requirement, or as an additional control to identify misconfigured devices or potential security incidents.
Patch Management
CIP-007 R2 establishes requirements for the management of security related patches. Tripwire Industrial Visibility can assist with this process by identifying specific hardware and firmware versions for devices on networks it monitors. This can supplement other solutions (such as Tripwire IP360™ and the Tripwire State Analyzer app) to provide an inventory that can be used to establish and track patch sources. This inventory can also be used when evaluating specific patches for applicability to determine which specific devices may require the patch.
Malicious Code Prevention
CIP-007 R3 requires entities to implement controls that deter, detect, or prevent malicious code on their in scope systems. For devices that do not have commercially available anti-malware software available, the standard allows for network based detection. Tripwire Industrial Visibility is a perfect solution for these situations. Tripwire has documented a full hardening procedure as part of the system deployment process (refer to the Tripwire Industrial Visibility Administration Guide for more details). Additionally, Tripwire Industrial Visibility’s security fabric can monitor all network traffic within a protected network. With its advanced deep packet inspection (DPI) capabilities, built specifically for ICS networks and protocols, and its advanced machine learning algorithms, Tripwire Industrial Visibility automatically generates rules for detected legitimate baseline activities and alerts on any changes or anomalies. These features provide a robust capability to detect malware activity occurring on the network.
Password Guessing Attacks
CIP-007 R5 requires entities to limit the number of unsuccessful login attempts allowed. The standard permits alerting to be used to meet this requirement. Tripwire Industrial Visibility’s monitoring process can detect unsuccessful login attempts for some types of logins passively throughout the ICS network.
Security Event Monitoring
CIP-007 R4 requires entities to log system events related to cyber security. Many ICS devices have limited logging capabilities, but this can be addressed through Tripwire Industrial Visibility’s ability to identify security related events through its inspection of ICS network traffic. If a Cyber Asset is not capable of logging an event type, it can identify the event through its deep packet inspection capability. This includes Cyber Asset communication connections, user login/ logouts, baseline network configuration, firmware changes, types of commands and registers used, and the values of the responses.
Events identified by Tripwire Industrial Visibility for monitored assets can be reviewed as needed via management reports. It can also be configured to capture and store network traffic to support after the fact investigations of security incidents. Tripwire industrial Visibility provides real time, actionable alerts on known and unknown threats, suspicious activity, and changes that pose a risk, so organizations can protect their resources against threats on the OT network.
Configuration Change Management and Monitoring
CIP-010 R1 requires entities to document baseline configurations for in scope assets. This includes operating system or firmware, installed software and patches, and open ports. Tripwire Industrial Visibility can identify and document these baseline configurations for vendor agnostic landscape devices, including, but not limited to, SEL relays and GE remote terminal units (RTUs), using both passive monitoring and active detection, and can act as a supplement to Tripwire Enterprise and the Tripwire State Analyzer app.
Tripwire Industrial Visibility documents the configuration baseline of most assets on the ICS network. Historical data is stored for each individual asset, allowing organizations to review and report on changes that deviate from the authorized baseline. Reports can be executed on the assets to verify accepted changes. These reports can be routed to designated approval authorities, and the documentation then placed in the organization’s change control database. These functions support answers to auditor evidence requests during NERC CIP audits. CIP-010 R2 requires monitoring of baseline configurations and investigation of any detected, unauthorized changes, Tripwire Industrial Visibility provides alerts when it detects that an asset has deviated from its collected baseline. If unauthorized components are connected to the ICS Network or unauthorized communications take place on the ICS network, it creates alerts for designated officials.
Vulnerability Assessments
CIP-010 R3 requires entities to perform vulnerability assessments. Through passive and active monitoring and detection techniques, Tripwire Industrial Visibility obtains detailed knowledge of the configuration of networks, the devices on those networks, and the communications between those devices. This provides a rich set of information from which to conduct vulnerability assessments. This passive assessment capability rounds out a best practices approach that combines active and agent based vulnerability assessment by Tripwire IP360, tailored to robustness of the monitored assets.
Tripwire Industrial Visibility has several capabilities to support vulnerability assessments:
- Tripwire Industrial Visibility generates numerous “insights” from its analysis of network traffic. These are prioritized and made available via a number of standard reports. These insights identify potential vulnerabilities or weak spots in system design or defenses such as unpatched vulnerabilities, insecure protocols, and external communications.
- Tripwire Industrial Visibility can also generate a summarized Risk Assessment Report which provides a quick and easy overview of system security.
- With deep insights into the ICS environment, Tripwire Industrial Visibility enables users to proactively identify and fix configuration and other network hygiene issues that can leave your network vulnerable to attacks. Leveraging proprietary intelligence, the system continuously monitors the network for new known vulnerabilities—providing precise CVE matching down to the firmware versions for industrial devices.
Using precise asset inventory and sanitized CVE database, Tripwire Industrial Visibility can present “actual” conclusive vulnerabilities. Some solutions either fail to collect the full asset context (e.g. model and firmware) or fail to thoroughly sanitize their CVE databases. This in turn increases alert fatigue and results in precious time and money spent chasing false alarms.
NERC CIP Compatibility
Although the NERC CIP standards are designed to protect devices used directly in the real time operation of the Bulk Electric System, certain other devices deployed in such an environment can be in scope for some requirements. For example, devices used for electronic access control or monitoring, remote access, or simply installed onto a protected network that contains other in scope devices. All of Tripwire’s solutions are designed to be compatible with the NERC CIP standards. This means that capabilities exist that allow entities to easily comply with the requirements, and that Tripwire provides the information that entities need to document and apply these capabilities. The following sections outline these areas.
Ports and Services
Tripwire Industrial Visibility makes compliance with CIP-007 R1 easy. By default, it requires only port 22 (SSH) and port 443 (HTTPS) to be open and accessible via the network.
Security Patch Management
As a fully supported, turnkey system, Tripwire Industrial Visibility simplifies compliance with the patch management requirements of CIP-007 R2. Tripwire provides all necessary patches, including security patches, for its software and the underlying operating system platform. These cover system functionality and operating system security. Patches for Red Hat Linux or CentOS are tested by Tripwire in house prior to release to customers. Updates are provided in standard RPM Package Manager format, providing ease of installation, tracking and security.
Malicious Code Prevention
Tripwire Industrial Visibility easily supports compliance with CIP-007 R3 malicious code prevention requirements. As permitted by the standard, malicious code risks are addressed via security hardening of the solution. Tripwire encrypts and signs all software updates and new software versions prior to being sent to customers. This provides strong security and supports the new supply chain requirements in CIP-010 R1, Part 1.6 and CIP-013 requirements to verify software integrity and authenticity effective July 1, 2020.
Security Event Monitoring
Tripwire Industrial Visibility provides strong logging features and integration with Tripwire Log Center™, making it easy to meet the requirements of CIP- 007 R4. Tripwire Industrial Visibility provides broad and robust logging capabilities, including support for the ubiquitous syslog protocol, allowing easy integration with Tripwire Log Center. Tripwire Industrial Visibility , as a primary function, can generate numerous security relevant log events and alerts that exceed the requirements of the CIP standards and fully supports the underlying objective of detecting cybersecurity incidents. Its log message format is well-documented.
Tripwire Industrial Visibility has robust alerting capabilities. Alerts can be generated for a wide range of security relevant events detected are monitored networks. These alerts can be sent directly via email or can be forwarded to Tripwire Log Center for centralized alerting and response. Tripwire Industrial Visibility can alert when a monitoring interface goes down, supporting the requirement to alert on loss of logging under CIP-007 R4.2.2.
Tripwire Industrial Visibility is capable of retaining logs for the required 90 day interval, and by default, Tripwire Log Center compresses and encrypts all local log files then retains them for a user defined time period.
Log review requirements can be met in two ways. By taking advantage of Tripwire Log Center, log review can be performed in a consolidated view by a Registered Entity’s analyst team. Additionally, Tripwire Industrial Visibility can generate reports that highlight specific events relevant to the operational environment. This allows operational technology staff to easily review security events.
Account Management
Tripwire Industrial Visibility is well positioned to meet the requirements of CIP-007 R5, which contains several account management and password related items:
User Authentication—Tripwire Industrial Visibility contains a built-in capability to authenticate users against an internal user database. It is also capable of integrating with Microsoft Active Directory to support centralized administration of user accounts, user authentication, and authorization permissions.
Default Accounts—Tripwire Industrial Visibility’s platform has four default accounts. A built-in administrator account (admin) exists. During the initial setup phase, Tripwire Industrial Visibility will prompt and allow this account to be renamed and a new password to be set. Tripwire Industrial Visibility’s database and web front end have three built-in accounts: a root database account, a system database account, and a web front end account. The passwords for these accounts can be easily changed by an administrator during system setup.
Password Controls—Tripwire Industrial Visibility enables strong password controls. For deployments that leverage Active Directory, password controls are automatically provided based on the entities’ configuration. For built-in accounts within the Tripwire Industrial Visibility system, strong controls are supported. Administrators are able to set a password expiration (in days) to ensure passwords are changed at regular intervals. Administrators can also expire all passwords with the push of a single button, requiring all passwords in the system to be changed. Tripwire Industrial Visibility leverages the Linux Pluggable Authentication Modules (PAM) system to enforce password requirements. The available hardening guide includes steps to require CIP compliant password length, complexity, and change intervals.
Account Lockouts—Tripwire Industrial Visibility supports controls to deter password guessing attacks. For deployments that leverage Active Directory, account lockout settings are automatically provided based on the entities’ configuration. Additionally, Active Directory logging can support alerting for multiple failed login attempts. For built-in accounts within the Tripwire Industrial Visibility system, administrators can configure accounts to lock after a configurable number of failed logins using Linux PAM settings. Failed login attempts are logged, supporting the alternative alerting approach to this requirement.
Backup and Recovery
CIP-009 requires entities to develop recovery plans for all systems in-scope for NERC CIP. Tripwire Industrial Visibility easily supports these plans with preconfigured backup and restore scripts that make recovery a snap. All information needed to restore an installed instance is easily saved to a single file which can then be archived to an entity preferred backup media. Restoration is a one step process. Simply run the provided restoration script against the previously backed up file and the system is restored. Additionally, Tripwire Industrial Visibility supports virtualized environments, making recovery even easier.
Change Management
Tripwire Industrial Visibility’s software installation leverages the RPM system, the standard for ease, security, and manageability of software on Linux systems. Tripwire provides all required packages, which run on hardened, minimized Red Hat or CentOS platforms, making change management easy.
Conclusion
Many electric utilities are seeking to strengthen cybersecurity in their ICS environments, which are susceptible to today’s sophisticated attacks. Many of these environments are subject to the mandatory NERC CIP standards, making it critical that deployed solutions are compatible with and support compliance with the CIP requirements. An important part of this effort is the implementation of innovative solutions that improve cyber resiliency without creating compliance risks. When considering a solution, seek one that provides both strong security features and full support for regulatory mandates.