Navigating Cybersecurity with NERC CIP as the North Star

4 years ago Michael Betti

Working in the electric utility sector of critical infrastructure gives a person a unique perspective on how many pieces of the puzzle must fit together to provide uninterrupted service to a broad population. My personal experience as a software engineer in the electrical industry introduced me to the nuances that the average person doesn’t consider when they flip on a light switch. When I moved into the cybersecurity space, an entirely new realm was opened up.

The shifting sands of cybersecurity, along with regulation, are sowing the seeds of vast change, not only in the electrical sector but in all utilities. However, when seeking direction in protecting the utility sector, the most mature model is the one presented by the North American Electric Reliability Corporation (NERC), specifically its Critical Infrastructure Protection (CIP) guidance. NERC CIP is the most mature of the utility control models and has just surpassed its 20th birthday.

Part of what makes NERC CIP relevant to critical industry verticals as a whole is that it was developed out of the attention brought about by the large East Coast power outage of 2003. There was a realization that malware lurking on systems, giving command and control capability to an outside entity, was a major risk to our infrastructure and safety, and that something had to be done to address that risk. Recent events in water management, food production and pipeline security have shone a bright light on making these sectors more secure as well. What better way to create new guidance than to borrow what works from an existing source?

Why More Guidance for Critical Infrastructure was Created

The need for more guidance in other sectors hit a tipping point in the last year. Both supply chain attacks and trade wars led to new protective responses, including the Pipeline System Security Directive, the Rail and Airport Operators Security Directive, and the Water/Wastewater 100-day plan. These are all aimed at making the security of these critical systems more comprehensive.

Yet it is still early days for these new protective mechanisms. For example, the Pipeline System Security Directive is still voluntary. Also, the Transportation Safety Administration (TSA), which authored the directive, has gone so far as to recommend that pipeline management consider NERC CIP as the framework to follow. Likewise, TSA is looking to institute fines for violations, mimicking NERC CIP but to a lesser extent. This is a very aggressive approach, as it moves compliance from voluntary to compulsory.

The questions that arise from all this are not unlike the questions that surround other regulations. That is, is the guidance aimed at Information Technology (IT), Operational Technology (OT), or both, and is the guidance attempting to achieve security or compliance? Additionally, each of the above critical infrastructure verticals falls under the jurisdiction of a different Sector Risk Management Agency (DOE, EPA, TSA, etc.) and not centrally under CISA. This balkanized jurisdictional structure magnifies the complications of added expense due to redundancy, timeliness of implementation, and consistency of the cybersecurity policies, procedures and compliance needed to protect all critical infrastructure. Tactically, there are also the typical questions about audit and enforcement, such as how it will be done and who will be the gatekeepers. After twenty years of NERC CIP, the rapid emergence of these new directives can be viewed as revolutionary, but also very necessary. It has been shown over and over that companies do not provide satisfactory levels of system security without regulations that have teeth.

Predictions and Recommendations

Some organizations in critical infrastructure have been practicing security that goes beyond the recommended requirements, and they started on this path prior to the new directives. Some did so because it was economical to do the same monitoring in Gas/SCADA and Water/Wastewater that they do in their NERC CIP environments; others because the cost of insuring against breaches is starting to have an effect. Many of the attacks of recent years, such as ransomware and intellectual property theft, are not going away, as they are too profitable for criminals to resist and are becoming too costly for utilities to ignore.

The best recommendation is to start with asset tracking. Only after an accurate accounting of an organization’s assets can other steps be taken to protect any sector, including vulnerability assessment, network segmentation, change management, and log management. Most important among these is configuration measurement and change detection. You can’t tell whether something has changed without an accurate starting measurement (a baseline).
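To make the baseline-then-detect idea concrete, here is an added example (not code from the original post or from Tripwire) of minimal configuration-baseline and change-detection logic over a constructed sample inventory: the baseline stores SHA-256 digests of tracked files, and a later scan is diffed against it to report added, removed and modified files. The file paths and contents are constructed for illustration; `scan_directory` is a hypothetical helper for building the same structure from a real directory.

```python
import hashlib
import json
import os

# Constructed sample inventory (not real hosts): path -> content at baseline time.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/hosts.allow": b"sshd: 10.0.0.0/8\n",
    "/opt/scada/hmi.conf": b"poll_interval=5\nalarm_log=/var/log/hmi.log\n",
}

# Constructed sample of the same assets as observed on a later scan:
# one file was edited, one disappeared, and an unexpected file appeared.
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/opt/scada/hmi.conf": b"poll_interval=5\nalarm_log=/var/log/hmi.log\n",
    "/opt/scada/plugins/update.dll": b"MZ\x90\x00",
}


def fingerprint(files):
    """Reduce each tracked file to a SHA-256 digest; the baseline keeps digests, not contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def scan_directory(root):
    """Hypothetical helper: collect real files under `root` into the same path -> bytes form."""
    collected = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                collected[full] = fh.read()
    return collected


def detect_changes(baseline, current):
    """Diff two fingerprint maps; each reported entry needs a change ticket or an investigation."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


if __name__ == "__main__":
    baseline = fingerprint(BASELINE_FILES)  # the "accurate starting measurement"
    with open("baseline.json", "w") as fh:  # persist it so later scans compare against it
        json.dump(baseline, fh, indent=2, sort_keys=True)
    print(json.dumps(detect_changes(baseline, fingerprint(CURRENT_FILES)), indent=2))
```

Running the block reports the edited sshd_config as modified, hosts.allow as removed and the new DLL as added, which is exactly the list a change-management reviewer has to reconcile.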

If your organization is newly examining which guidance and framework works best, there are many to choose from, including those offered by the National Institute of Standards and Technology (NIST 800-53), the Center for Internet Security (CIS Controls), and the International Electrotechnical Commission (IEC 62443). Perhaps you may want to jump directly into NERC CIP to evaluate whether that is the most appropriate course of action. Each framework is subtly different, but all follow the basic controls above. Either way, there are enough resources to get started down the right path. Likewise, don’t hesitate. Even if you begin down the path of a certain framework and regulations change, forcing you to follow a different framework, many of the principles are the same and you can quickly pivot and continue your cybersecurity journey.

It is understandable that these are big decisions to consider, but when we reflect upon how all industries have transitioned from an air-gapped or even non-IP environment, to a connected environment, it becomes clear that action must be taken.

Of course, Tripwire has tools that can help you achieve better security. Products such as Tripwire Enterprise (TE) provide file integrity monitoring (FIM) and security configuration management (SCM) for your IT devices. On top of these critical controls, TE contains a vast policy library, including all those discussed above, to detect, measure, report and remediate policy violations. Specific and critical to NERC CIP compliance, allowlisting is managed through Tripwire State Analyzer in tandem with TE. Vulnerability Management (VM) is provided by IP360, and all of these can be offered as a managed service through Tripwire’s Expert Operations (ExOps). For OT, or the ICS environment, Tripwire has two passive OT asset discovery, inventory and vulnerability tools: Tripwire Industrial Visibility (TIV) and Tripwire Industrial Sentinel (TIS). Additionally, Log Management (LM) is provided via the integrated Tripwire Log Center product, and a managed service is also available for TIV.

What makes Tripwire unique in protecting critical infrastructure is that the solutions can protect both IT and OT assets. Typically, asset management, change detection and cybersecurity policy enforcement are done separately for IT and OT. Through our numerous integrations, you have the ability to manage both from TE.

The industry is abuzz with “closing the gap between IT and OT”. Tripwire is already there and the gap is closed.

The post “Navigating Cybersecurity with NERC CIP as the North Star” appeared first on Tripwire.

Source: Tripwire – Michael Betti
