Demonstrate Compliance with NERC Cyber Security Standards
NERC Compliance Defined
Energy providers face increasing pressure to secure their operations from cyber security threats. Several high-profile breaches, constant virus and worm threats, and the summer 2003 electrical blackout have resulted in increased scrutiny. Further, in response to Presidential Decision Directive (PDD) 63 on Critical Infrastructure Protection, the federal government has demanded that the energy industry develop standards of practice to ensure the security of the nation's energy infrastructure. In August 2003, the North American Electric Reliability Council (NERC) approved the Cyber Security Standards for electric power providers. Like other security regulations such as HIPAA, Sarbanes-Oxley, and GLBA, NERC mandates the goals for information security, but not how to achieve them.
In July 2005 the Standards Drafting Team released the updated Cyber Security Standards. At the heart of these controls is an infrastructure with extensive logging and auditing mechanisms capable of storing and protecting massive volumes of log data throughout an entire enterprise network.
Protecting Energy Companies – Identifying and Preventing Cyber Threats
Given the criticality of the nation’s energy infrastructure, NERC calls on energy companies to develop comprehensive security strategies. These strategies must cover protection of critical cyber assets, ongoing monitoring to detect security threats, and comprehensive incident response to contain security breaches. However, most organizations focus their security efforts at the perimeter – preventing outsiders from getting inside. The IT research firm Gartner Group reports that “over 70% of unauthorized accesses to information systems are committed by employees” (www.csoonline.com/analyst/report400.html).
Cyber threats, especially insider threats, are difficult to detect when the existing security infrastructure focuses on protecting the perimeter. Insiders are not denied access by firewalls: they have valid usernames and passwords, and their activity does not trigger IDS alerts. The key to detecting abuse early is instituting a comprehensive, consistent and frequent review of information system activity – quite simply, the data contained in log files. These log files contain the records of all IT activity. By analyzing this data, organizations can identify, investigate and respond to security incidents. The NERC Cyber Security Standards specifically recognize the threat from insiders and mandate that energy companies review internal log records to identify suspicious behavior. (See the table below for more detail.)
Every workstation, email system, database, router, firewall, and server can produce thousands (even millions) of records daily. In aggregate, an agency can easily accumulate hundreds of millions of log records to review every day. Given the sheer volume of data and the breadth of different sources, log analysis presents a daunting challenge.
SenSage, the most flexible and cost-effective solution for NERC
SenSage provides energy companies with enterprise log management capabilities needed to secure their information systems and comply with NERC regulations. By automating the collection, archival, and analysis of log records from all systems – SenSage gives organizations much better visibility into IT activity, helping to identify and respond to security threats (including insider abuse) and comply with the NERC regulations.
SenSage was developed specifically to solve the challenges of enterprise-wide log management. Based on the patent-pending Scalable Log Server, this innovative solution scales to support virtually unlimited volumes of event logs, storing months or even years of records in an efficient and compressed format. The product’s unique compression technology facilitates queries under compression, producing rapid search results. SenSage’s web-based Analyzer provides an easy-to-use interface for viewing, creating and running reports, and performing comprehensive investigations. SenSage works seamlessly with all common platforms and legacy systems to produce the exhaustive and unified audit trails recommended by NERC.
IT AUDITING & LOGGING CONTROLS
The following table summarizes the auditing and logging requirements in the NERC Cyber Security Standards. For more information, see: http://www.nerc.com/~filez/standards/Cyber-Security-Permanent.html
Key Definitions
Critical Assets: Those facilities, systems, and equipment which, if destroyed, damaged, degraded, or otherwise rendered unavailable, would have a significant impact on the ability to serve large quantities of customers for an extended period of time, would have a detrimental impact on the reliability or operability of the Bulk Electric System, or would cause significant risk to public health and safety.
Cyber Assets: Those programmable electronic devices and communication networks including hardware, software, and data.
Critical Cyber Assets: Those Cyber Assets essential to the reliable operation of Critical Assets.
Electronic Security Perimeter: The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.
NERC Requirement
CIP-005-1 Electronic Security
This standard requires the identification and protection of the Electronic Security Perimeter(s) inside which all Critical Cyber Assets reside, as well as all access points on the perimeter.
Requirements Addressed by SenSage
R3. Monitoring Electronic Access Control — The Responsible Entity shall implement and document the controls for logging authorized access, detecting unauthorized access (intrusions), and attempts at unauthorized access at access points to the Electronic Security Perimeter(s) twenty-four hours a day, seven days a week.
R3.3. At least every ninety calendar days, the Responsible Entity shall review access logs for unauthorized access or attempts.
M3. Documentation of controls implemented to log and monitor access to the Electronic Security Perimeter(s), as well as logs and business records verifying that these controls have been implemented.
M3.3. Business records documenting the review of access logs to determine unauthorized access or attempts.
1.3. Data Retention
1.3.1 The Responsible Entity shall keep records (for example, access logs, firewall logs, intrusion detection logs) for a minimum of ninety calendar days.
1.3.2 The Responsible Entity shall keep other documents and records required by this standard from the previous full calendar year.
1.3.3 The compliance monitor shall keep audit records for three years.