- CIP-005-6 – Cyber Security – Electronic Security Perimeter(s)
- R2 Part 2.4 – This new requirement part introduces the need to have at least one method for determining active vendor remote access sessions. Tripwire solutions that help satisfy this requirement include Tripwire Log Center to log access and alerts on vendor remote sessions as well as monitor activity, Tripwire Enterprise to track all change performed by vendor accounts during their remote access sessions, and Tripwire Industrial Visibility to alert on configuration change to control network assets, remote access, and RDP sessions. Lastly, we have a remote access solution called ProSoft Connect from our sister company ProSoft Technology.
- R2 Part 2.5 – This new requirement part includes an ability to disable active vendor remote access. I think a great feature of Prosoft Connect is the new patent-pending Virtual Lockout-Tagout capability.
- Key Takeaways – The scope of this remote access is not just applicable to interactive remote access but also to system-to-system remote access. If you’ve studied CIP-005-5 R2, you know that system-to-system remote communication is, of course, exempt to the multi-factor authentication requirement. Therefore, this component could be easy to overlook, but it is an essential capability in case of a system breach.
- CIP-010-3 – Cyber Security – Configuration Change Management and Vulnerability Assessments
- R1 Part 1.6 – This new section requires that the Responsible Entity verify the identity of the software source as well as verify the integrity of the software obtained from the source prior to a change that can cause a baseline modification of certain components (CIP-010 R1.1.1 Operating System or Firmware, R1.1.2 intentionally installed software, and R1.1.5 security patch installation). Tripwire Enterprise can be used to verify the integrity of the software obtained via several methods, such as by verifying the hash of downloaded software and validating the files that are modified as part of the software or patch deployment. An extension to Tripwire Enterprise called Dynamic Software Reconciliation can help facilitate the automation of validating deployed software components.
- Key Takeaways – The requirement leaves out the trigger for baseline change of custom software and logical network accessible ports, so there's no need to perform this requirement for changes that fit that criteria. Verification of the identity of the software source can be tricky, as there is a lot that is out of your control on the internet. (I’m thinking of domain hijacking, fake websites, and phishing email campaigns.) Verification of the integrity of the software obtained from the source is a much simpler task (through the use of hash verification), but it relies heavily on the due diligence performed on the verification of the software source.
- CIP-013-1 – Cyber Security – Supply Chain Risk Management
- Rather than rehash the details on this requirement here, I thought I’d just link to another blog post on the topic here, called “So You Want to Achieve NERC CIP-013-1 Compliance…”
- Implement the new Tripwire Enterprise Ransomware Protection Rules. Details can be found here.
- Brush up on your policies and procedures that cover the CIP Exceptional Circumstances. You know, just in case. Here’s a quick refresher on the subject from the NERC Glossary of terms:
A situation that involves or threatens to involve one or more of the following, or similar, conditions that impact safety or BES reliability: risk of injury or death; a natural disaster; civil unrest; an imminent or existing hardware, software, or equipment failure; a Cyber Security Incident requiring emergency assistance; a response by emergency services; the enactment of a mutual assistance agreement; or an impediment of large scale workforce availability.
- Check out the Tripwire Private Energy Group on the Tripwire Forums. Email us here if you’d like to request access (must be a Tripwire electric utility customer).
- Check out Travis Smith’s series on the MITRE ATT&CK Framework and follow that up with a short read on the new Industrial Control Systems MITRE ATT&CK Framework.
- Exercise your CIP-008 Incident Response Plan. What better time is there to do so than when there’s not an actual incident? Don’t forget to take credit for your exercise by documenting the 15 month test requirement identified in CIP-008- R2.1.
- Lastly, make sure your backups are working, and test a restore. Also, like the item above, don’t forget to take credit for CIP-009-5 requirement 2.1 to test recovery plans at least once every 15 calendar months.