Tripwire NERC Solution Suite

Automate and Simplify Compliance

The Tripwire NERC Solution Suite provides a comprehensive solution for NERC CIP compliance by offering a tailored combination of standard products, which includes Tripwire IP360 (vulnerability management), Tripwire Enterprise (security configuration management), Tripwire Log Center (intelligent event logging), NERC-specific extensions and industry-experienced consultants.

NERC Solution Suite Architecture

Tripwire enables registered entities to achieve and maintain NERC CIP compliance by:

  • Asset Discovery - Tripwire can scan your network and auto-discover the assets you have. This saves hours of manual effort and increases trust in the identification of systems and software in your environment
  • Continuous Monitoring - Continuously collect detailed status information on all your critical cyber assets and immediately detect any changes
  • Automated Assessment - Automatically aggregate and analyze your security data and alert on suspicious events or modifications that impact your compliance status
  • Audit-ready Evidence - Quickly generate reports and dashboards that fully document, by CIP requirement, your compliance with security controls and processes

Tripwire Coverage of NERC CIP Requirements

With the NERC Solution Suite, Tripwire can help power companies automate 20 of the 32 requirements contained in the NERC CIPv6 standards. Tripwire gets you ready for v5 or v6 today, and will help prepare you for whatever revisions may come. The sections below show how Tripwire addresses some of the toughest technical controls within each specific CIP requirement.

CIP-002-5: Cyber Security — BES Cyber System Identification and Categorization

CIP-002 R1: BES Cyber System Identification

Tripwire IP360 combined with professional services use of Tripwire discovery tools can help identify and track the critical cyber assets that are in scope. Tripwire IP360 can discover all assets in assigned IP scope using TCP and UDP protocols. Discovery of all assets allows for further classification and integration.

CIP-003-5: Cyber Security — Security Management Controls

CIP-003 R2: Cyber Security Policy for Low Systems
  R2.3 Tripwire validates and monitors security settings and related configurations to ensure that monitoring of dial-up services and features has been implemented.
  R2.4 Tripwire reports can provide excellent forensic details to assist in the investigation/analysis of an incident or in the preparation/evaluation of an IOC report.

CIP-004-5 Cyber Security — Training & Personnel Security

CIP-004 R4: Access Management Program
  Tripwire Enterprise and Log Center are used to verify account and access control settings on systems and networks via logs and configuration changes.
  R4.3 Tripwire’s FIM whitelist profiler extension can verify that only approved accounts exist on systems, as codified in an authorized user whitelist.
CIP-004 R5: Access Revocation Program
  R5.4 Standard monitoring of access logs comes out of the box with Tripwire Log Center; access controls are monitored by Tripwire Enterprise (TE), and tailored rules can be created to search access control logs for entries that match lists of former employees, validating that access and activity by those employees has stopped. Tripwire’s FIM whitelist profiler extension can also verify that only approved accounts exist on systems, as codified in an authorized user whitelist.
  R5.5 Tripwire can help ensure that shared accounts have suitable controls, and that passwords have been changed according to stated policies.
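The two checks described for CIP-004 (an authorized-account whitelist compared against what actually exists on a host, and access logs searched against a list of former employees) reduce to a small amount of logic. The following is an added example written for this page, not Tripwire product code; the whitelist, the `/etc/passwd`-style listing, the former-employee list and the sshd log lines are all constructed, and the hostnames and usernames are hypothetical.

```python
import re
from datetime import date

# Constructed authorized-user whitelist for one monitored host (hypothetical names).
AUTHORIZED_ACCOUNTS = {"root", "scada_svc", "jdoe", "asmith"}

# Constructed /etc/passwd-style listing as collected from that host.
OBSERVED_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
scada_svc:x:1001:1001::/opt/scada:/usr/sbin/nologin
jdoe:x:1002:1002::/home/jdoe:/bin/bash
tmpadmin:x:1004:1004::/home/tmpadmin:/bin/bash
"""

# Constructed list of former employees: username -> date by which access should have been revoked.
FORMER_EMPLOYEES = {"bwong": date(2016, 3, 1)}

# Constructed sshd log lines; ISO timestamps are used so the year is unambiguous.
ACCESS_LOG = [
    "2016-02-27T17:40:11 rtu-gateway-01 sshd[3988]: Accepted publickey for bwong from 10.10.5.7 port 50212 ssh2",
    "2016-03-02T08:15:02 rtu-gateway-01 sshd[4121]: Accepted password for bwong from 10.10.5.7 port 51022 ssh2",
    "2016-03-02T08:16:30 rtu-gateway-01 sshd[4130]: Failed password for jdoe from 10.10.5.9 port 51030 ssh2",
    "2016-03-03T12:01:44 rtu-gateway-01 sshd[4202]: Accepted password for jdoe from 10.10.5.9 port 51101 ssh2",
]

SSHD_AUTH = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2})T\S+ (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def account_variance(passwd_text, authorized):
    """Compare the accounts present on a host with the authorized whitelist.

    Returns the accounts that exist without approval ('unauthorized') and the
    approved accounts that are absent ('missing'). Both are worth reporting;
    the first is the finding that matters for an access-management review.
    """
    observed = {line.split(":", 1)[0] for line in passwd_text.splitlines() if line.strip()}
    return {"unauthorized": observed - set(authorized), "missing": set(authorized) - observed}


def former_employee_activity(log_lines, former):
    """Return (date, host, user, source, result) for every authentication event
    by a former employee on or after that person's revocation date.

    Failed attempts are kept as well as successes: an account that still exists
    but happens to reject a password is not the same thing as revoked access.
    """
    hits = []
    for line in log_lines:
        m = SSHD_AUTH.match(line)
        if not m:
            continue
        user = m.group("user")
        if user not in former:
            continue
        event_date = date.fromisoformat(m.group("ts"))
        if event_date >= former[user]:
            hits.append((m.group("ts"), m.group("host"), user, m.group("src"), m.group("result")))
    return hits


if __name__ == "__main__":
    print(account_variance(OBSERVED_PASSWD, AUTHORIZED_ACCOUNTS))
    for hit in former_employee_activity(ACCESS_LOG, FORMER_EMPLOYEES):
        print("former-employee access:", hit)
```

The account check is a plain set difference, which is why a whitelist only works when the list is kept current: an approved account that was removed from the host shows up as "missing" and an account nobody approved shows up as "unauthorized". The log check ignores events before the revocation date on purpose, so a review covering the whole retention window does not flag legitimate pre-departure activity.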

CIP-005-5 Cyber Security — Electronic Security Perimeter(s)

CIP-005 R1: Electronic Security Perimeter
  R1.1 Tripwire IP360 combined with professional services use of Tripwire discovery tools can help identify and track the cyber assets that are in scope.
CIP-005 R2: Interactive Remote Access Management
  Tripwire Change Auditing and Configuration Assessment/reporting will track settings associated with authenticated access control for remote use.
  R2.2 Tripwire validates and monitors security settings and configurations made to ensure strong authentication by external interactive users.

CIP-006-5 Cyber Security — Physical Security of BES Cyber Systems

CIP-006 R1: Physical Security Plan
  R1.4 Tripwire can facilitate monitoring of physical access and other environmental monitoring systems through automated collection and analysis of these device logs by Tripwire Log Center.
  R1.5 Tripwire can facilitate monitoring of physical access and other environmental monitoring systems by analyzing the logs collected, utilizing custom correlation rules to alert on unauthorized access attempts.
  R1.6 Tripwire can facilitate monitoring of physical access and other environmental monitoring systems through automated collection and analysis of these device logs by Tripwire Log Center.
  R1.7 Tripwire can facilitate monitoring of physical access and other environmental monitoring systems by analyzing the logs collected, utilizing custom correlation rules to alert on unauthorized access attempts.
CIP-006 R2: Visitor Control Program
  R2.3 Log retention for the required periods can be assured through Tripwire’s log management and archiving capabilities.

CIP-007-5 Cyber Security — Systems Security Management

CIP-007 R1: Ports and Services
  Tripwire’s FIM whitelist profiler extension can monitor ports and services and compare current state against a tailored set of customer-specific approved ports and services, alerting when monitoring detects a variance.
  R1.1 Tripwire’s FIM whitelist profiler extension can monitor ports and services and compare current state against a tailored set of customer-specific approved ports and services, alerting when monitoring detects a variance.
  R1.2 Tripwire can detect whether removable media has been connected to a monitored system, providing timely alerting on potential violations.
CIP-007 R2: Security Patch Management
  Tripwire’s FIM whitelist profiler extension can identify software versions and installed patches and compare current state against a tailored set of customer-specific approved software versions and patches, alerting when there is a variance on specific BCAs.
  R2.2 IP360’s vulnerability assessment capabilities can identify any necessary patches that should be installed on a broad range of BCA systems based on vendor recommendations. The vulnerability database is typically updated every week.
  R2.3 Tripwire detects when patches are implemented and records this information for later review and analysis.
CIP-007 R3: Malicious Code Prevention
  Tripwire can detect installed anti-virus and anti-malware products through tailored change auditing rules. Logs can be watched for specific malware events, allowing the Tripwire operator to examine the device for incident information.
  R3.1 Tripwire’s FIM monitoring can detect the introduction of unapproved/unauthorized files on a given system.
  R3.3 Tripwire checks security settings and configurations to validate that anti-virus and malware prevention is enabled and updated appropriately.
CIP-007 R4: Security Event Monitoring
  Tripwire can scan logs for account management activity and configuration settings for changes to account privilege, alerting as appropriate.
  R4.1 Tripwire Log Center rules can capture successful and unsuccessful logins for all monitored hosts, and provide alerting as desired.
  R4.2 Tripwire Log Center rules can detect and alert when a BCA stops logging activity, thus providing alerting on a continuous 24x7 basis.
  R4.3 Log retention for the required periods can be assured through Tripwire’s log management and archiving capabilities.
  R4.4 Log retention for the required periods can be assured through Tripwire’s log management and archiving capabilities.
CIP-007 R5: System Access Controls
  Tripwire can scan logs for account management activity and configuration settings for changes to account privilege, alerting as appropriate.
  R5.1 Tripwire can scan logs for account management activity and configuration settings to ensure authentication is enforced, alerting as appropriate.
  R5.2 Tripwire’s FIM whitelist profiler extension can verify that only approved accounts exist on systems, as codified in an authorized user whitelist.
  R5.4 Tripwire can ensure that default accounts are disabled and/or passwords are changed where required, and activity logging can provide alerting on inappropriate use of such accounts.
  R5.5 Tripwire can verify configuration settings for passwords and other security settings to meet and maintain compliance requirements.
  R5.6 Tripwire can verify configuration settings for passwords and other security settings to meet and maintain compliance requirements.
  R5.7 Tripwire can verify configuration settings for passwords and other security settings to meet and maintain compliance requirements, and provide alerting when success/failure thresholds are exceeded.
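Two of the CIP-007 log-monitoring rules above are concrete enough to show as code: detecting that a BES Cyber Asset has stopped sending logs (R4.2) and alerting when a failed-login threshold is exceeded (R4.1 and R5.7). The following is an added example written for this page, not Tripwire Log Center rule logic; the monitored host list, the log lines and the thresholds are constructed and the hostnames are hypothetical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed set of BES Cyber Assets that are expected to send logs continuously.
MONITORED_HOSTS = {"rtu-gateway-01", "hmi-02", "historian-01"}

# Constructed syslog-style lines with ISO timestamps (constructed hosts and addresses).
LOG_LINES = [
    "2016-03-02T08:00:05 rtu-gateway-01 cron[900]: (root) CMD (/usr/local/bin/healthcheck)",
    "2016-03-02T08:00:09 hmi-02 sshd[511]: Failed password for operator from 10.10.5.20 port 40001 ssh2",
    "2016-03-02T08:00:21 hmi-02 sshd[512]: Failed password for operator from 10.10.5.20 port 40002 ssh2",
    "2016-03-02T08:00:33 hmi-02 sshd[513]: Failed password for operator from 10.10.5.20 port 40003 ssh2",
    "2016-03-02T08:00:47 hmi-02 sshd[514]: Failed password for operator from 10.10.5.20 port 40004 ssh2",
    "2016-03-02T08:00:59 hmi-02 sshd[515]: Failed password for operator from 10.10.5.20 port 40005 ssh2",
    "2016-03-02T08:05:00 rtu-gateway-01 cron[901]: (root) CMD (/usr/local/bin/healthcheck)",
    "2016-03-02T08:10:00 rtu-gateway-01 cron[902]: (root) CMD (/usr/local/bin/healthcheck)",
    "2016-03-02T08:12:00 hmi-02 sshd[530]: Accepted password for operator from 10.10.5.21 port 40100 ssh2",
]

LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
FAILED = re.compile(r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def parse(lines):
    """Turn raw lines into (timestamp, host, message) tuples; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group("ts")), m.group("host"), m.group("msg")))
    return events


def silent_hosts(events, monitored, now, max_gap):
    """Monitored hosts whose most recent event is older than max_gap relative to `now`.

    A host that has never logged at all is also reported: an asset that was
    added to the monitored set but never shipped a line is the most common
    way 'continuous' logging quietly fails.
    """
    last_seen = {}
    for ts, host, _ in events:
        if host in monitored and (host not in last_seen or ts > last_seen[host]):
            last_seen[host] = ts
    return sorted(h for h in monitored if h not in last_seen or now - last_seen[h] > max_gap)


def failed_login_bursts(events, threshold, window):
    """Report (host, user, first_failure, count) the first time a (host, user)
    pair accumulates `threshold` failed logins inside a sliding `window`.

    One deque per pair holds only timestamps still inside the window, so the
    count is exact and memory stays bounded by the window, not the log size.
    Each pair alerts once so a long brute-force run does not flood the operator.
    """
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, host, msg in events:
        m = FAILED.search(msg)
        if not m:
            continue
        key = (host, m.group("user"))
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((host, m.group("user"), q[0], len(q)))
    return alerts


if __name__ == "__main__":
    evs = parse(LOG_LINES)
    now = datetime(2016, 3, 2, 8, 15, 0)  # constructed "current time" for the check
    print("silent hosts:", silent_hosts(evs, MONITORED_HOSTS, now, timedelta(minutes=10)))
    print("failed-login bursts:", failed_login_bursts(evs, threshold=5, window=timedelta(minutes=1)))
```

The gap detector needs an explicit list of hosts that should be logging; deriving the list from the logs themselves would never notice an asset that has gone completely quiet. The threshold rule keys on the host and user pair rather than the source address, which is the right unit for the password-policy controls in R5.7; a source-address version of the same deque is a one-line change.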

CIP-008-5 Cyber Security — Incident Reporting and Response Planning

CIP-008 R1: Cyber Security Incident Response Plan
  R1.2 Tripwire reporting on logs, events, configuration and change detection would help to create IOC reports that could be part of an ISAC response document.

CIP-009-5 Cyber Security — Recovery Plans for BES Cyber Systems

CIP-009 R1: Recovery Plan Specifications
  R1.3 Tripwire products can be customized to create baselines of product and device configurations. These may be called for and used in recovery steps taken after incidents of system attack or failure.
  R1.4 Tripwire products can be customized to create baselines of product and device configurations. These may be called for and used in recovery steps taken after incidents of system attack or failure.
  R1.5 Tripwire products can be used to collect and aggregate logs and event information from a variety of sources. This information can be stored and later used in recovery steps taken after incidents of system attack or failure.
CIP-009 R2: Recovery Plan Implementation and Testing
  Tripwire products can be customized to create baselines of product and device configurations. These may be called for and used in recovery steps taken after incidents of system attack or failure.
  R2.2 Tripwire products can be used to collect baselines, logs and event information from a variety of sources. This information can be stored and later used in recovery steps taken after incidents of system attack or failure.

CIP-010-1 Cyber Security — Configuration Change Management and Vulnerability Assessments

CIP-010 R1: Configuration Change Management
  Tripwire Configuration Assessment Policy and Change Audit features can address the creation of a baseline configuration of computer systems and alert and report on change, supporting the process of formal change control and testing.
  R1.1 Tripwire Configuration Assessment Policy and Change Audit features can address the creation of a baseline configuration of computer systems and alert and report on change, supporting the process of formal change control and testing.
  R1.2 Tripwire supports the tracking and authorization of changes to system baselines and configurations, following the process defined by NIST for POA&M reporting.
  R1.3 Tripwire supports the tracking and authorization of changes to system baselines and configurations, following the process defined by NIST for POA&M reporting.
  R1.4 Tripwire reports on the deployed, configured and operational status of security controls. This reporting will support this requirement.
  R1.5 Tripwire baseline comparison operations can verify that a given test environment accurately reflects the production systems.
CIP-010 R2: Configuration Monitoring
  Tripwire’s core functionality offers exceptional change detection and investigation capabilities.
  R2.1 Tripwire Enterprise’s core functionality offers exceptional change detection and investigation capabilities.
CIP-010 R3: Vulnerability Assessments
  Tripwire IP360 offers excellent vulnerability assessment and reporting across a broad variety of asset types.
  R3.1 Tripwire IP360 offers excellent vulnerability assessment and reporting across a broad variety of asset types.
  R3.2 Tripwire IP360 offers excellent vulnerability assessment and reporting across a broad variety of asset types. Controls exist to minimize the potential for adverse effects during a scan.
  R3.3 Tripwire IP360 offers excellent vulnerability assessment and reporting across a broad variety of asset types. Controls exist to minimize the potential for adverse effects during a scan. Tripwire Enterprise can be used to ensure the test environment is equivalent to the target BCA.
  R3.4 SIH reporting can offer very capable analysis and mitigation reports, which can be tailored based on the mitigation tools available.
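The baseline-and-compare operation that underlies CIP-010 R1 (configuration baseline with change alerting), R1.5 and R3.3 (confirming a test environment matches production) and R2 (change detection) is worth seeing in its simplest form. The following is an added example written for this page, not Tripwire Enterprise code; it baselines a constructed configuration tree in a temporary directory, applies three constructed changes and reports them. The file names and contents are hypothetical, and a real baseline would cover far more attributes (owner, ACLs, timestamps) than the digest and permission bits tracked here.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {posix relative path: (sha256 hex digest, permission bits)} for
    every regular file under root. Sorting keeps output deterministic."""
    root = Path(root)
    result = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        mode = oct(path.stat().st_mode & 0o777)
        result[path.relative_to(root).as_posix()] = (digest, mode)
    return result


def compare(baseline, current):
    """Classify differences between a baseline snapshot and a later one.

    The same function serves two purposes on this page: change detection on
    one host over time, and equivalence checking between two hosts (pass a
    test-system snapshot as `baseline` and the production snapshot as
    `current`; an empty result means the two trees match).
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a constructed config tree, baseline it, change it, and diff it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "ssh_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts.allow").write_text("sshd: 10.10.5.0/24\n")
        baseline = snapshot(root)

        # Constructed changes: a setting weakened, an allow-list removed, a startup file added.
        (root / "etc" / "ssh_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "hosts.allow").unlink()
        (root / "etc" / "rc.local").write_text("/opt/unknown/agent &\n")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Storing the baseline separately from the monitored host is the part that makes this useful for recovery and audit: the comparison is only trustworthy if the baseline itself cannot be rewritten by whatever changed the files.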

CIP-011-1 Cyber Security — Information Protection

CIP-011 R1: Information Protection
  Tripwire can be used to 1) generate evidence for audit of BCA file system access controls, and 2) identify files used as evidence of compliance, monitoring them for change and retention according to requirements and reporting on them for auditors and compliance officials.
  R1.2 Tripwire’s Change Auditing feature can be custom configured to assess whether an application or operating system is configured for secure data transmission, storage or event logging, itself logging when these settings are changed or suppressed. This feature can support the appropriate management of BES information protection.

Added to which, the Tripwire team and people from reseller PointGroup have an enormous amount of product expertise. They really know what they are talking about, and that inspires trust.


Nearly all executive branch state agencies are up and being continuously monitored by IP360, generating metrics that are enterprise-wide.

Chris Buse, CISO, State of Minnesota's Office of Enterprise Technology