In case you have not heard the long-anticipated news, on November 21st of 2013 the Federal Energy Regulatory Commission (FERC) approved the next version of the Critical Infrastructure Protection (CIP) standards. When version 5 of the CIP standards takes effect, it will replace version 3 and skip version 4 altogether.
The CIP standards define, roughly speaking, what every company that helps supply or manage electricity for the North American grid has to do to protect its computer systems. The v5 news is a big deal because companies must show compliance with the standards set by FERC or risk hefty fines.
Additionally, showing compliance with many of the standards is notoriously difficult. Imagine having to inventory all open ports and services, and provide documentation of why each one is allowed – that’s just one requirement.
Before addressing what’s new, it is worth mentioning what stays the same. The bulk of the security-related controls that companies were already spending time on are essentially the same: documenting open ports and services, demonstrating log review, accounting for all local user accounts, security perimeter controls, and so on.
These and other controls that are familiar from CIP version 3 are still in version 5. (Check out requirements CIP-005 and 007 if you have not seen the controls before, starting on pp. 316 and 388 respectively, of this linked PDF from NERC.)
So what is new in CIP v5 and how does it relate to Tripwire?
Because the technical controls mentioned above stay the same in v5, the nuts and bolts of the Tripwire solution for addressing the requirements from version 3 of the CIP standards can stay the same as part of the migration to v5. There “just” needs to be a focus on extending those controls to additional assets as needed and making sure data collection, reporting and improvement processes are in place.
I do not mean to downplay the effort needed for migrating to v5, but at least in the areas where Tripwire is already helping with v3, a company using Tripwire will have a significant head start over one without automation or foundational infrastructure for generating auditable data.
At a high level, the new version of CIP is intended to help companies be more security-conscious instead of focusing on merely being compliant, possibly at the expense of being secure.
Part of that new security-oriented stance in the standard is applying a risk-based approach. All assets will be categorized as low, medium or high impact. Another change is a modification in language that emphasizes improvement instead of getting hung up on specific deficiencies.
This is a constructive move which treats IT security more as an ongoing process instead of a state of perfection to be achieved and maintained. That is the hope at least. See the comment by the Anfield Group for a play-by-play on interpreting the Standards.
Two new standards, CIP-010 and 11 (pp. 546 and 580 respectively from the NERC PDF), were added as well. Of these, section 10 has requirements most related to problems solved by Tripwire:
Change and configuration management are of course what Tripwire Enterprise was designed for and has done for years. For vulnerability assessment, IP360 has been addressing that for years as well.
From the perspective of companies regulated by NERC, yes, there are some very impactful changes in the new CIP version. For areas that Tripwire helps with and that are already part of the assessment process, however, the changes will most likely be incremental, not revolutionary.