The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A Case Study
Download as PPT, PDF1 like1,292 views
The document outlines PNM Resources' journey to achieve compliance with NERC CIP version 5, detailing their struggles with previous compliance standards and the steps taken to improve their systems and processes. Key points include enhancing automation, maintaining updated security controls, and preparing for audits, ultimately leading to effective compliance management for over 3,500 control points. The case study emphasizes the importance of integrating technology for continuous monitoring and addressing cybersecurity risks across the organization.
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A Case Study
- 1. September 25, 2015 The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A Case Study ROBERT LANDAVAZO, NERC SECURITY COMPLIANCE ADMIN
- 2. SLIDE 2 | September 25, 2015 ABOUT ME ROBERT LANDAVAZO
- 3. SLIDE 3 | September 25, 2015 OVERVIEW OF OUR CASE STUDY THE PMN JOURNEY TO NERC CIP V5 • PNM Background • Organization & functional responsibility • The state of compliance 2012 • Re-implementing forgotten solutions • Compliance over time • Current environment • A look at the future, a transtion • Lessons Learned
- 4. SLIDE 4 | September 25, 2015 ABOUT PNM RESOURCES PNM RESOURCES – PNM AND TNMP • Functional Registrations » PNM = BA, DP, GO, GOP, LSE, PA, PSE, RP, TO, TOP, TP, TSP » TNMP = DP, LSE, TO, TOP , TP • Subject to Regional Entity(s) = WECC for PNM & TRE for TNMP • Generation Capability = 3000+ MW; 8 Plants (PNM only) • Peak Load = 2600 MW (PNM Only) • Miles of BES Transmission = 15000+ miles at various BES voltages (PNM and TNMP) • Control Centers = 2 in PNM and 2 for TNMP • Approximate Electric Customers Served = 750,000
- 5. SLIDE 5 | September 25, 2015 OBJECTIVE - FUNCTIONAL ALIGNMENT Streamline support functions of key systems • Operations systems strategy • Control Systems design • Security/Network Architecture • Control System Security Standards • Enterprise Security and Architecture Standards • Evaluation of emerging technologies • Project Support • Energy Management Systems • Generation Management Systems • Plant Control Systems/ Distributed Controls Systems Applications support • Historian Systems • DOC/OMS Systems Support • Network/communication configuration maintenance • Network Diagnostics/ Performance Management • CIP Compliance Process/ Procedure Development • OT Security Operations (security event management/ incident response/forensics) • Disaster Recovery/Business Continuity • Security Configuration Management
- 6. SLIDE 6 | September 25, 2015 OT STRATEGIC BENEFITS Support across PNMR “operations” business areas • Mitigating cyber security risks consistently across the enterprise • Aligning support, compliance, and cyber security skills • Integrating cyber security risk and compliance decision making into 3RD party contracts and services procurement • Better positioned to support/integrate emerging OT technology and Smart Grid initiatives • Architecture and systems standardization • Mitigating cyber security risks consistently across the enterprise • Aligning support, compliance, and cyber security skills • Integrating cyber security risk and compliance decision making into 3RD party contracts and services procurement • Better positioned to support/integrate emerging OT technology and Smart Grid initiatives • Architecture and systems standardization
- 7. SLIDE 7 | September 25, 2015 THE STATE OF COMPLIANCE IN 2012 CIP V3 COMPLIANCE WASN’T EASY AND WASN’T SUSTAINABLE • Inadequate state of compliance • Support tools were shelfware • Smart team working the hard way • Manual controls • Support system sprawl across Business Units and Companies • Frequent identification of potential violations • Looming WECC audit in 2014
- 8. 8 Changeinsystems,processes,oroperations Time CIPv3 Audit The Fate of CIPv3 Compliance A Model • Business changes affect compliance • Massive effort to achieve audit-readiness • No reason to expect pattern to change
- 9. 9 A Different Model for Maintaining ComplianceChangeinsystems,processes,oroperations Time Compliance Audit Deadline or Security Event Quarterly Audit Review or Security Assessment Continuous Security and Compliance Lowers Cost Increases Efficiency Increases Security Reduces Risk
- 10. SLIDE 10 | September 25, 2015 BRINGING THE TOOLS BACK TO LIFE TRANSITIONING TO AUTOMATION Our Systems’ State: •Systems patched but content not updated and maintained – going through the motions but no care & feeding •Multiple tools untouched for years •Incorrectly configured or missing configs •More failed jobs than successful ones •Poor documentation •Non existent monitoring for health and uptime •Newly discovered issues bring to light more PVs
- 11. 11
- 12. SLIDE 12 | September 25, 2015 THE RESULTS ARE WHAT COUNTS CURRENT STATE OF COMPLIANCE AT PNM 90 Day Aggregate NERC CIP Compliance 1.5 Year Aggregate NERC CIP Compliance
- 13. SLIDE 13 | September 25, 2015 COMPLIANCE TODAY TRANSITION TO V5 V3 Achieved in 2 years 3,500 control points CIP-002-3 CIP-004-3 CIP-005-3 CIP-007-3 CIP-009-3 V5 Working towards 5,000+ control points by Q1 2016 CIP-002-5 CIP-004-6 CIP-005-5 CIP-007-6 CIP-009-6 CIP-010-2 Use the NERC Transition Guidance!
- 14. SLIDE 14 | September 25, 2015 WHAT’S NEXT? THE FUTURE STATE OF COMPLIANCE • “No new people” • Need more tools!
- 15. SLIDE 15 | September 25, 2015 STREAMLINING COMPLIANCE “IT TAKES A VILLAGE” Automated Workflow for Asset & Change Management (CIP-002, CIP-010) •Delivers time savings Automated Workflow for Identity Management ( CIP-004, CIP-007 ) •Ensures user account accuracy VIM Software White List (Future) (CIP-007 R2) •Minimizing risks •Reducing workload Substation IED Management (CIP-007, CIP-010) • Ensures continuous monitor & control
- 16. SLIDE 16 | September 25, 2015 ARCHITECTURE INTEGRATED MONITOR & CONTROL Tripwire EnterpriseTripwire Log Center IP 360 Secunia VIM Eaton/Cooper Yukon IMS Sigmaflow AlertEnterprise! IDM HI & MI Control CentersMI Substations Passive Compliance Monitoring Active Compliance Monitoring
- 17. SLIDE 17 | September 25, 2015 PATHWAY TO CIP V5 Requirement Key Ask Technology Support Patch Management 35 days or viable mitigation plan Secunia VIM, Tripwire citede within mitigation plan Malicious Code Prevention “deter, detect & prevent” McAfee/Intel Security, Cisco NGFW, and Tripwire Security Event Logging Log events – identify & after the fact investigation Tripwire Log Center & Yukon IMS Ports & Services Logical network access ports Adding physical in-out ports Tripwire Enterprise, physical port locks, tamper tape and signage System Access Control Verify authentication methods Tripwire Enterprise and IP360 LEVERAGING TECHNOLOGY
- 18. SLIDE 18 | September 25, 2015 ICS-CERT RECENT INCIDENTS ENERGY INDUSTRY CONTINUES TREND
- 19. SLIDE 19 | September 25, 2015 TAKE-AWAYS BEST PRACTICES Get the right people working on the right things – OT Org Recognize shortcomings and identify tools to rectify Leverage technology to automate continuous monitoring Ensure that your tools integrate to some degree – single pane of glass The foundation of security is built on compliance – it isn’t enough on its own
- 20. SLIDE 20 | September 25, 2015 QUESTIONS & CONTACT INFO Robert Landavazo NERC Security Compliance Administrator PNM Resources robert.landavazo@pnmresources.com
- 21. SLIDE 21 | September 25, 2015 ENERGYSEC SESSION DESCRIPTION The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A Case Study Presenters: Robert Landavazo, PNM Resources and Katherine Brocklehurst, Tripwire With countless hours of work to go, PNM was far from ready for its coming audit in just 18 months. Confidence levels in its existing manual, and incomplete security controls, were at an all-time low; and the visibility into control center environments for quantifying its status and progress towards compliance was immeasurable. With Tripwire, PNM’s preparation of the looming CIPv3 audit noticeably improved. With efficient reporting and automation, PNM’s now positioned to hold itself accountable for CIP auditable compliance of more than 3,500 explicit and supporting control points, satisfying CIP-002-3, CIP-004-3, CIP-005-3, CIP-007-3 and CIP- 009-3. In addition, enhanced visibility and better control gave PNM the ability to effectively communicate meaningful and measurable initiatives to executive teams – resulting in increased support for their funding needs. In this session, PNM – New Mexico’s largest electricity provider – will share a case study on its journey towards achieving continuous NERC CIP compliance despite a highly limited headcount, how it saved countless hours of labor-intensive manual effort, and the essential role that automation played in its success.
Editor's Notes
- #3: WILL ROBERT SPEAK TO HOW LONG HE HAS BEEN AT PNM? SHOULD DO OR LIST HERE
- #4: This agenda could be more compelling leaning toward telling a story sort of like this – (it your talk track might actually fit this outline but can’t tell from the bullets – and maybe we tune it up together in our call tomorrow (?) - Business challenges, Compliance Challenges Choices (what solutions were at hand, who got to decide, what were the criteria?) Solution (decided on final solution for what reasons, then what happened….best practices –what worked what did not Business Results, Compliance Results What’s Next for PNM?
- #5: Call out 2 certifications Show of hands who do this?
- #6: This is what is your organization structure—next slide speaks to the why behind this organizational structure Segmented away from IT
- #7: I would put the bottom bullet as second or third to show how the arch and systems stds help align the three groups and even assist in stronger mitigation efforts.
- #8: Add some business implications – if there are any points of color – (like we had a new CIO and the pressure was high, last time we had fines, this time no can….IT and OT were (and have been) somewhat at odds, nothing new there but our leadership was demanding we solve for this together as a team, or whatever. Documentation challenges alone were killing us, or whateveretc etc Again, maybe your talk track is just fine…. Add examples in speaking notes
- #9: ANYTHING NEW? Refit Place Before PNM results KEY MESSAGE – How does the rest of your business manage, track, trend, improve, etc as relates to change? ANSWER: Really large intervals, a lot of change in the meantime, and a lot of work to get back to the desired state Examples: When the help desk tickets get generated – do you expect all of them to be resolved instantly? No, time will pass as they process those tickets. So does your organization get this? Would they understand and agree that change happens, is monitored, and relates to the people, process, and technology in use?
- #10: KEY MESSAGES: Continuously managing the state of security and compliance, you maintain a higher consistency, and can lower costs, increase efficiencies (Orange box) Alternatively, as it relates to both security and compliance, knowing when change happens in real time, continuous monitoring, and automation and integrations all work together to achieve higher levels of continuously secure and compliant systems. Ultimately this lowers cost and increases efficiency. This would be a good thing for most organizations, right?
- #11: I’ll just be interested to hear you talk this through – be sure to think what the implications were for your business, and what was at risk in this condition Speaking notes: frame this with timing was tight , we had tools, we were confident they would do the job…but Why shelved? Lack of expertise Many organizations in a similar situation.
- #12: Prefer to replace with real PNM diagram
- #13: I’ll add ours Highlights of actual PNM results….images coming NEED ROBERT
- #15: We have an integration with SigmaFlow – would be nice to share a detail or two Our TLC Log product can integrate with your physical security systems – card swipes or key fobs, even biometrics – whatever system you’re using – and can even integrate back up to TE ? Dynamic Software Reconciliation (DSR), Whitelist Profiler? (Tripwire Apps [5] Robert – as with in the beginning, as you look forward to leading the compliance/security front for PNM and CIPv5, what are the business drivers you’re also working to fulfill for YOUR bosses and their interests. What are your business goals above and beyond these tools? Speaker notes: call out actual usage scenarios—best practices points
- #16: Secunia VIM for identification & evaluation of security patches Tripwire IP360 for discovery and vulnerability scanning SigmaFlow for compliance workflow management and governance Alert Enterprise for identity management Eaton/Cooper Yukon IMS for substation IED Management
- #18: Aligning tools to v5
- #19: The foundation of security is built on compliance – it isn’t enough on its own