There’s a saying in the cybersecurity community which states that just because you are compliant doesn’t mean that you are secure. Over the years, many images have been used to illustrate the point. One memorable image is that of a nude bicyclist wearing a helmet. By all standards, that is the epitome of “compliant, but not secure”.
Many organizations have shifted the focus away from merely achieving compliance, to being both compliant and secure. Security is often more difficult to achieve than compliance, so the higher standard of security often fills in all the compliance details as well. This mindset is highlighted in organizations that are part of critical infrastructure, where adherence to very strict rules go far beyond compliance.
Electrical companies are tasked with the burden of providing uninterrupted power across the nation. In an effort to assist in this goal, the North American Electrical Reliability Corporation (NERC), was founded as an advisory body, making recommendations to increase the fidelity of the North American power grid. Over time, NERC took on a more regulatory role, creating the Critical Infrastructure Protection (CIP) standards, which govern the operation of electrical companies. One important aspect of the CIP standards is security.
When it comes to security, one of the most deceptively simple protective measures is to apply security patches to all the systems in the environment. Even in a small organization, this can be a challenge, as number of devices, coupled with the number of patches can quickly overwhelm even the most diligent security practitioner. When it comes to an electrical company, not only do the systems exceed hundreds, or thousands of patchable components, but the patches themselves can be just as numerous—this creates millions of patch/server combinations that must be measured every month, all requiring specific audit justification to be documented.
Tripwire and FoxGuard Solutions
To add to the specificity of guaranteeing electrical reliability, all patches must be approved before being deployed in an electrical company. The requirement of constant up-time, coupled with the need for security sounds unmanageable, however, there are methods to simplify this process. One way that patching is made more manageable in electrical companies is through a patch control system, such as that offered by FoxGuard Solutions, which helps to validate and advise which patches are critical or confirmed to be necessary each month.
FoxGuard can process the inventory of an electrical organization to discover and prioritize the available patches for all of the assets. FoxGuard also has the ability to determine if a patch is known to cause problems and will remove it from the list.
Tripwire has partnered with FoxGuard to integrate their systems with the Tripwire State Analyzer (TSA) software released last year. TSA already helped to by showing the users what the operating state is of the servers in an environment. Leveraging FoxGuard’s data into TSA allows this process to become more efficient as the operational needs change over time for electrical operators and other industries.
When it comes to NERC, an audit baseline is the intended operational state of their servers. Auditors require an organization to not only to be compliant, but to prove that compliance and whenever it deviates against the baseline. Part of that proof includes showing that the operational state is also secure. It's not just good enough to modify the configuration to make the server theoretically secure. An electrical organization must prove that it's actually secure as it is operating by monitoring open ports, installed software, users, and other critical data points.
Another part of security as it works in tandem with compliance is through the ability to prove that the approved patches were actually installed. Without a tool such as TSA it can be a very tedious job to examine all that detail, and TSA helps make this process more efficient. TSA allows the users to quickly compare all of the installed software on thousands of machines against the defined baseline state to identify any deviations. The integration with FoxGuard further aids this time savings by taking the hundreds (or thousands) of monthly updates to the baseline and builds a workflow into TSA allowing for effortless updates to the Allowlist (which represents the baseline).
Future releases of TSA are planned, and integrations with other patch control systems are anticipated, making patch management more workable for all industries. This can help organizations fulfill compliance, while achieving new heights of security.
