Are you an organization that operates a Bulk Power System (BPS) in the United States? If so, you understand the need to comply with the Critical Infrastructure Protection (CIP) standards. Developed by the North American Electric Reliability Corporation (NERC), CIP is a set of requirements through which in-scope entities can protect themselves against digital attacks, thereby strengthening the reliability of the U.S. electric grid overall.
The issue is that it is becoming more and more challenging to ensure policy compliance with NERC CIP. As noted in another blog post for the State of Security, the NERC CIP standards are continually changing, making it difficult for organizations to stay current with what they need to do. Simultaneously, many in-scope entities continue to pursue their own digital transformations. Such a dynamic journey makes it difficult for organizations to keep their documentation current when it comes time for an audit.
It also complicates the task of manually monitoring an increasingly vast IT environment and of updating their security policies accordingly. This leaves in-scope entities with several questions. “How can I validate that my systems are configured according to my security policy?” “Can I automate that process?” “Can I provide justification for my established policy?” “Can I easily manage my policy, especially as it applies to assets and groups of assets?”
Introducing Tripwire State Analyzer
Fortunately, there’s an answer to all those questions in Tripwire State Analyzer (TSA).
A “policy hardening” product used in conjunction with Tripwire Enterprise (TE), TSA defines a set of required records or allowed system settings for the seven services of Network Ports, Local Users, Local Groups, Services, Installed Software, Local Shares, and Persistent Routes. When a system is examined, the product generates a comprehensive report of the seven services regarding authorized and unauthorized settings along with justification information. This helps to increase automation and efficiency by reducing the time needed to provide audit documentation and minimizing the opportunities for human error.
Some readers might think that this description sounds a lot like the Whitelist Profiler (WLP). Just as a refresher, WLP is a command-line product that manages records in a comma-separated value (CSV) format per each TE console. But it’s not the same as TSA. Indeed, TSA is a completely new product with a modern UI, database, multi-TE console capability, and a robust API. It’s a massive improvement in usability and added functionality that builds upon the prior value offered by WLP and is the intended replacement to serve these needs.
TSA leverages the rich configuration information gathered by TE and port data from IP360 or nmap to automate the validation of detected system configurations as well as generate the attestations, or reports, that identify the security policy control element or record, what is allowed, what is unauthorized, and configuration changes. These reports are very comprehensive and widely recognized as a “complete” answer to many audits that exhibit customers being in control of their security program. As such, TSA provides the granularity and control via allowlisting to increase audit preparation efficiency for security policies like NERC CIP.
Here’s a look at how TSA can help to address the requirements contained in NERC CIPv6:
- CIP-007 R1: Ports and Services — The app can monitor ports and services and compare current state against a tailored set of customer-specific approved port and services, alerting when monitoring detects a variance.
- CIP-007 R2: Security Patch Management — The app can identify software versions and installed patches and compare current state against a tailored set of Patch Management customer-specific approved software versions and patches, alerting when there is a variance on specific BCAs.
- CIP-007 R5.2: System Access Controls — The app can verify only approved accounts exist on systems, as codified in an authorized user allowlist.
- CIP-004: Access Management & Access Revocation Programs — The app can verify that only approved accounts exist on systems, as codified in an authorized user allowlist.
Personal Reflections on TSA
I am so proud of the Tripwire team for creating a UI and database that modernizes, expands, and vastly improves the customer experience and functionality of TSA. The Tripwire team isn’t done, either. Looking ahead, we’re looking to iterate or improve the product much faster. (We’ve also engaged in an Early Access Program with select customers to gain immediate feedback.) This has helped us to plan several expanded capability roadmap versions. Along the way, we’ll see TSA’s use expand to other security policies and different business applications. Stay tuned.