Simplify Your Transition to and Compliance with NERC CIP Version 5

Tufin Orchestration Suite™ helps covered entities meet explicit network security management requirements for BES Cyber Systems

www.tufin.com

Executive Summary

Over 50 million people in large swaths of the Midwestern and Northeastern sections of the United States as well as the Canadian province of Ontario experienced one of the largest electricity blackouts in the countries' history in August 2003. In response to the outage, the North American Electric Reliability Corporation (NERC) developed the Urgent Action 1200 standards, followed by the Critical Infrastructure Protection (CIP) standards that are designed to prevent future outages in the electrical grid traversing the United States, Canada and portions of Mexico. Many of the companies that operate North America's Bulk Electric System (BES) are compelled to comply with the standards. In the U.S., the Federal Energy Regulatory Commission (FERC) oversees compliance with the standards, often through Regional Authorities.

Currently, BES entities must comply with NERC CIP Version 3 (V3) Standards, although mandatory compliance is being superseded by NERC CIP Version 5 (V5). Covered entities have until April 1, 2016 to adopt or transition to V5. This new version of the standards bolsters requirements to categorize and protect important Cyber Assets, which have become a target for cyber terrorism. A recent analysis of U.S. federal energy records by USA TODAY found that some part of the nation's power grid is struck by a cyber or physical attack about once every four days.1 This makes strict adherence to NERC CIP a critical step in protecting North America's power grid.

Under NERC CIP V5, covered entities are required to identify and categorize critical Cyber Assets and to regularly perform a risk analysis of those assets. Entities must implement a policy and process for monitoring and changing the configuration of critical assets, and for documenting the changes as an audit trail. Further, entities must establish and control an electronic security perimeter (ESP) that creates a secure zone for Cyber Assets connected to a network, and must utilize secure remote access management. Network ports and services must be tightly controlled to guard against cyber attacks and other security incidents.

These are sophisticated requirements that demand automation tools to achieve the objectives. Tufin Orchestration Suite addresses these particular needs and helps covered entities meet the challenges of transitioning from NERC CIP V3 to V5 and complying with the new standards. This white paper outlines the specific aspects of NERC CIP V5 that Tufin can address to protect BES network Cyber Systems.

About NERC CIP V5

NERC is committed to protecting the Bulk Power System against cyber security compromises that could lead to misoperation, instability or outages. On November 22, 2013, FERC approved Version 5 of the Critical Infrastructure Protection Cyber Security Standards (CIP V5), which represent significant progress in mitigating cyber risks to the power grid.

1 Steve Reilly, USA TODAY, "Bracing For A Big Power Grid Attack: 'One Is Too Many'," March 24, 2015


The standards cover cyber security as well as some aspects of physical security. Those standards that are subject to enforcement under CIP V5 include:

CIP-002-5.1 Cyber Security — BES Cyber System Categorization

CIP-003-5 Cyber Security — Security Management Controls

CIP-004-5.1 Cyber Security — Personnel & Training

CIP-005-5 Cyber Security — Electronic Security Perimeter(s)

CIP-006-5 Cyber Security — Physical Security of BES Cyber Systems

CIP-007-5 Cyber Security — System Security Management

CIP-008-5 Cyber Security — Incident Reporting and Response Planning

CIP-009-5 Cyber Security — Recovery Plans for BES Cyber Systems

CIP-010-1 Cyber Security — Configuration Change Management and Vulnerability Assessments

CIP-011-1 Cyber Security — Information Protection

CIP-014-1 Physical Security

Note: The hyperlinks above go to PDF files delivered by NERC.

Electric generating facilities have a complex infrastructure that consists of traditional industrial controls as well as computer networking systems that utilize the common Internet Protocol (IP). These systems are generally separate but may have select interface points. For the purpose of this white paper, we are discussing the requirements of the IP / BES network side of the infrastructure.

Major Changes in NERC CIP V5 over V3

Two of the major changes in CIP V5 over V3 are the breadth of the covered entities which now must adhere to the standards, and what assets are included in the regulation. For example, in CIP V3, only those generation facilities determined to be Critical Assets by their owner/operators are required to comply with the standards. As a result, many assets have been excluded from regulation and a broad swath of generation facilities were basically exempt from compliance obligations under the CIP V3 standards. By comparison, CIP V5 uses a tiered classification system that brings all Bulk Electric System generating facilities into scope for at least some of the regulations. Consequently, many organizations will be adopting the NERC CIP standards for the first time, while others will be transitioning from V3 to V5 and broadening the scope of their compliance efforts.

What is a Cyber Asset?

NERC CIP V5 uses a new approach to identifying Cyber Assets that qualify for protection under the standards. First of all, NERC defines "BES Cyber Assets" as "those Cyber Assets that, if rendered unavailable, degraded, or misused, would adversely impact the reliable operation of the BES within 15 minutes of the activation or exercise of the compromise." Furthermore, Cyber Assets now will be grouped into "Cyber Systems" which may be comprised of many individual assets. The purpose of this grouping is to facilitate security policies and processes that can be applied to the system as a whole; for example, monitoring for malware across a specific subnet. Cyber Systems are to be assigned a High, Medium or Low Impact Rating based on the characteristics of the facility they support.

A fundamental component of each version of the CIP Reliability Standards is the identification of Cyber Assets that responsible entities must protect under the CIP Reliability Standards. The NERC Glossary defines Cyber Assets as "programmable electronic devices, including the hardware, software, and data in those devices." A programmable electronic device is a device that has a microprocessor and field-updateable firmware, software, or logic. "Field Updateable" would include devices that have a management port, web interface, or any external interface that would allow the introduction of a firmware, software, or logic update by a customer or field-service technician. Examples of Cyber Assets are servers, workstations, routers, switches, firewalls, distributed control system (DCS) controllers, programmable logic controllers, and other devices involved in the operation of a generating station.

CIP V5 has a new regulation pertaining to systems change management. Covered entities are required to develop and deploy rigorous and structured change management practices. For example, organizations must establish a policy for every network change, and every change made must be logged so there is recorded evidence of what was done.

The Challenges of Adopting or Transitioning to CIP V5

Where Cyber Assets on the IP network are concerned, there are several challenges in adopting or transitioning to the new standards. They broadly fall into the areas of grouping assets and enforcement of the standards.

One of the main challenges is to identify and assess the Cyber Assets. NERC CIP V5 encourages grouping the assets together, typically by a common function or by a common Local Area Network. Grouping assets allows them to have common policies and a single point of security enforcement. Thus, a covered entity has several needs:

• Collect and maintain a precise inventory of the assets
• Know where the assets are (i.e., on which subnets of the overall network)
• Understand what business applications the security devices must communicate with (and thus what policies should be developed and enforced)

Many organizations attempt to track this complex information on a spreadsheet, but a manual method can't keep up with the numerous devices and their configurations and policy changes. Automation is an absolute must in order to attain and then maintain compliance with NERC CIP V5.

Policy enforcement across the entire network is another challenge. The NERC CIP V5 standards refer to "electronic security perimeters" for certain Cyber Assets. Basically this is network segmentation, with strict policies set up to protect the designated "NERC zones" that must be isolated from other segments, such as those subnets that allow communication with external networks or with the Internet in general. Covered entities have the following needs pertaining to policy enforcement:

• Document all of the network segments, including what assets are in each
• Set and enforce policies that determine what cross network segment communication is allowed and what is absolutely prohibited
• Understand what happens when changes to devices or policies are made...before they are made (i.e., will a change violate the NERC CIP V5 or other policy?)
• Get authorization for all configuration and policy changes
• Document all changes

Where changes are concerned, NERC CIP V5 requires that they be authorized, analyzed for risk, and well documented. The documentation must include why the change was requested, who made the request, and who approved it.

Again, policy enforcement requires automation to speed up processes, increase accuracy, reduce risk and ensure continuous compliance.
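The segmentation matrix, pre-change check and documented authorization described above, as an added example in plain Python (not Tufin code and not the Unified Security Policy API): the zone names, services and people are constructed, and the matrix stands in for an entity's own documented ESP policy, with the "Jump-Host" zone playing the Intermediate System role.

```python
"""Zone-matrix policy check with an authorized, documented change request.

Added illustration in plain Python: not Tufin code and not the Unified Security
Policy API. Everything unlisted in the matrix is denied by default (CIP-005 R1.3),
a pre-change check stops a request that would breach the matrix, and the change
record carries requester, approver and reason. All names are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed segmentation matrix: (source zone, destination zone) -> permitted
# services. A pair that is absent, or maps to an empty set, permits nothing.
ZONE_MATRIX = {
    ("Corporate", "ESP-High"): set(),                  # no direct path into the ESP
    ("Corporate", "Jump-Host"): {"tcp/22"},            # SSH to the intermediate system only
    ("Jump-Host", "ESP-High"): {"tcp/22", "tcp/443"},  # through the EAP (CIP-005 R2.1)
    ("ESP-High", "Historian"): {"tcp/5450"},           # constructed historian service
    ("Internet", "ESP-High"): set(),
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    service: str   # "proto/port", e.g. "tcp/22"
    action: str    # "accept" or "drop"

def violations(rule: Rule) -> list:
    """Return the matrix violations a rule would introduce ([] means compliant)."""
    if rule.action != "accept" or rule.src_zone == rule.dst_zone:
        return []   # drop rules and intra-zone rules never widen cross-zone access
    allowed = ZONE_MATRIX.get((rule.src_zone, rule.dst_zone))
    if allowed is None:
        return [f"no policy defined for {rule.src_zone} -> {rule.dst_zone}; denied by default"]
    if rule.service not in allowed:
        return [f"{rule.service} not permitted {rule.src_zone} -> {rule.dst_zone}"]
    return []

@dataclass
class ChangeRequest:
    rule: Rule
    requester: str
    reason: str                      # why the access is needed
    approver: Optional[str] = None
    status: str = "pending"          # pending -> approved, or rejected

AUDIT_LOG = []   # every step is recorded: who, what, why and the check outcome

def _audit(event: str, req: ChangeRequest, detail: str = "") -> None:
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(), "event": event,
        "rule": req.rule, "requester": req.requester, "approver": req.approver,
        "reason": req.reason, "detail": detail,
    })

def submit(req: ChangeRequest) -> ChangeRequest:
    """Pre-change risk check: a request that would breach the matrix is rejected
    and logged before anyone is asked to approve it."""
    found = violations(req.rule)
    if found:
        req.status = "rejected"
        _audit("rejected", req, "; ".join(found))
    else:
        _audit("submitted", req)
    return req

def approve(req: ChangeRequest, approver: str) -> ChangeRequest:
    """Record approval only for a pending request with a stated reason and an
    approver other than the requester; only then may the change be pushed."""
    if req.status != "pending":
        raise ValueError(f"cannot approve a request in state {req.status!r}")
    if not req.reason.strip():
        raise ValueError("a reason for granting access is required")
    if approver == req.requester:
        raise ValueError("requester may not approve their own change")
    req.approver, req.status = approver, "approved"
    _audit("approved", req)
    return req
```

The audit entries are what an auditor would ask for: each one ties a rule to the person who requested it, the person who approved it, the stated reason, and the outcome of the pre-change check.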

Considerations for

For organizations adopting private or public cloud technologies, there is nothing in the NERC CIP V5 regulations that precludes the use of cloud computing, as long as the CIP Cyber Security Standards can be met while utilizing cloud-based resources. In fact, the cloud can be a cost-effective, flexible part of a utility's computing ecosystem, just as it is for many other businesses and industries worldwide. A main consideration for NERC CIP V5 compliance is that the tools that are used to inventory and document Cyber Assets/Cyber Systems and to enforce required policies be able to work in both the physical environment of the data center and the virtualized environment of the cloud.

The Tufin Orchestration Suite Solution

Tufin Orchestration Suite meets these important needs for network security, automation and continuous compliance across physical, virtual and hybrid environments. The Suite provides visibility into all of the applications on the network and their relationships to each other and to the network security devices. The Tufin solution then builds and maintains a dynamic model of the network topology, including all network segments, regardless of whether they are local to the covered entity's data center, in the cloud or in a hybrid environment. The Suite's Unified Security Policy (USP) provides the ability to centrally manage all of the organizational security policies via a single interface, through a single pane of glass management system. An analytics engine thoroughly explores the possibilities of risk and ensures that all future changes in the network are aligned with the centralized policies, and any new violations that might be introduced to the network are alerted on. What's more, all asset inventory and change management information is fully documented. In short, the Tufin solution facilitates the grouping of Cyber Assets as well as the security policy enforcement process across the entire IP network environment.

The Suite is composed of several components that interact with each other as well as with the network infrastructure and the business applications to analyze the risk of changes and then send the changes throughout the infrastructure once approved. Tufin Orchestration Suite also supports application programming interfaces (APIs) to communicate with other important elements of the computing environment, such as an IT service management system. The architecture of the Suite’s components is illustrated in Figure 1.

Figure 1: Tufin Orchestration Suite Solution enables Security Policy Orchestration for NERC CIP V5 Compliance

Briefly, here's a description of what each of these components does.

• The Business Application & Services component allows a covered entity to model its business applications and services, defining the network resources they require in order to work. This layer is able to identify and inventory a covered entity's Cyber Assets and make note of which applications the security devices must communicate with.

• The Security & Compliance component holds the covered entity's Unified Security Policy for the IP network. The Unified Security Policy (described in more detail below) defines the desired (or required) security policies that must be enforced in the organization. These include segmentation policies, best practices policies, regulatory compliance policies, and any other security policies the organization wants to comply with internally. The explicit NERC CIP policies can be defined at this layer of the solution.

• The Network & Security Automation component enables change automation in the network. This component performs the actual security automation activities, while checking with the Security & Compliance component to ensure that these automated changes are not breaking or violating the desired security and NERC CIP compliance policies.

• The Network Abstraction component hides the network complexities from the other components. It maps and holds the network topology and interacts with the different networking and security technologies running in the network.

• The RESTful APIs component enables full programmability to any of the suite's components, allowing easy integration with other enterprise systems and technologies.

It's important to note that all of these components operate across cloud-based as well as internal applications and systems.

One of the most important elements of the Tufin solution is the Unified Security Policy. The Unified Security Policy provides the ability to centrally manage all of the organizational security policies in a single place. The Unified Security Policy automates the complicated process of managing policies, the complex rule bases and a constant influx of change requests for multi-vendor/multi-technology networks. The Unified Security Policy controls the actual versus desired network segmentation, highlighting policy violations before a change is made on the network so as not to break compliance or expose the network to unnecessary risk. It ensures that all future changes in the network are aligned with the centralized policies and any new violations introduced to the network are alerted on.

The Unified Security Policy gives a simple visual representation of the network segmentation across a multi-vendor array of firewalls, routers and other devices existing across an organization's network. The represented zones can be on a physical, virtual or hybrid network. Figure 2 shows the user interface of the Unified Security Policy, demonstrating the NERC matrix with restricted services. The colored blocks represent the communication permissions between different segments, or zones, of the overall network. It's possible to tell with a glance what services, if any, are permitted between segments.

Figure 2: The Unified Security Policy matrix provides a single pane of glass for managing BES network security NERC CIP V5 policies as well as other policies


How the Tufin Solution Helps Entities Meet NERC CIP V5 Requirements

Tufin Orchestration Suite provides the toolbox for a smooth and simple migration and management for transitioning to and complying with NERC CIP V5 network security requirements. The solution components shown above in Figure 1 work together to shorten the time to go through the migration process, manage the newly documented Cyber Assets, manage the NERC CIP policies a covered entity puts in place, and help the organization enforce the requirements whenever a network change is needed.

Tufin's solution helps organizations address specific NERC CIP V5 requirements, as described below.

CIP-002-5 – Cyber Security – BES Cyber System Categorization

Part R1 Requirements2

Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: [Violation Risk Factor: High][Time Horizon: Operations Planning]

1.1 Identify each of the high impact BES Cyber Systems according to Attachment 1, Section 1, if any, at each asset;

1.2 Identify each of the medium impact BES Cyber Systems according to Attachment 1, Section 2, if any, at each asset; and

1.3 Identify each asset that contains a low impact BES Cyber System according to Attachment 1, Section 3, if any (a discrete list of low impact BES Cyber Systems is not required).

Note: For the impact rating criteria for the specifications above, view Attachment 1 (beginning on page 14) of CIP‐002‐5.1 — Cyber Security — BES Cyber System Categorization.

How Tufin's Solution Meets Requirements for CIP-002-5 Cyber Security – BES Cyber System Categorization

Regardless of the "Impact Rating" of the assets – High, Medium or Low – Tufin's solution maps the network topology and can identify all devices and applications and their current connectivity. It also maps application connectivity dependencies end-to-end across the network, as shown in Figure 3.

2 Cyber Security — BES Cyber System Categorization, P. 6


Figure 3: Tufin maps application connectivity dependencies across the network

This mapping process helps to create the asset groupings so that policies can be applied and maintained according to the respective groups. The groupings are visually represented in a Unified Security Policy matrix, making it easy to identify any violations of the NERC CIP (or other) policies that must be observed. And, when there is a new access request, even before the change is applied, Tufin can perform risk analysis to check the access to see if it will create a policy violation. This whole process is logged so that if a security incident were to occur, the log would be available to investigate the reason for the incident.

In addition, Tufin can help remediate an existing application within a network segment whose connections violate the new NERC CIP V5 requirements. Tufin can help reengineer the existing application and, based on the new requirement, build up the proper connections as needed.

CIP-005-5 – Cyber Security – Electronic Security Perimeter

Table R1 Requirements3

1.1 All applicable Cyber Assets connected to a network via a routable protocol shall reside within a defined electronic security perimeter (ESP).

1.2 All External Routable Connectivity must be through an identified Electronic Access Point (EAP).

1.3 Require inbound and outbound access permissions, including the reason for granting access, and deny all other access by default.

3 Cyber Security — Electronic Security Perimeter(s), P. 7-10


1.5 Have one or more methods for detecting known or suspected malicious communications for both inbound and outbound communications.

2.1 Utilize an Intermediate System such that the Cyber Asset initiating Interactive Remote Access does not directly access an applicable Cyber Asset.

How Tufin's Solution Meets Requirements for CIP-005-5 – Cyber Security – Electronic Security Perimeter

The requirements outlined above mostly pertain to the network environment. The Tufin Unified Security Policy covers these requirements in various ways. First of all, there is visibility of the network segmentation via the Unified Security Policy matrix. It shows if there are any policy violations that breach the defined electronic security perimeter around regulated Cyber Assets and provides real-time alerts on such violations. Tufin also provides rule documentation and change management tracking.

An example of an on-screen display of rule violations is shown in Figure 4.

Figure 4: Dashboard showing violations of NERC CIP V5 Compliance

CIP-007-5 – Cyber Security — System Security Management

Table R1 Requirements4

1.1 Where technically feasible, enable only logical network accessible ports that have been determined to be needed by the Responsible Entity, including port ranges or services where needed to handle dynamic ports. If a device has no provision for disabling or restricting logical ports on the device then those ports that are open are deemed needed.

4 Cyber Security — System Security Management, P. 7


How Tufin's Solution Meets Requirements for CIP-007-5 – Cyber Security — System Security Management

Again, this requirement pertains to management of the firewall environment of the network. As specified above, the Tufin Unified Security Policy provides a range of capabilities to detect and visually represent the connections going through all firewalls in the network, and to manage the policies and alert on violations of rules. Tufin can perform risk analysis on proposed changes to firewall rules to ensure that the changes don't result in the violation of NERC CIP or other regulations.

CIP-010-1 – Cyber Security — Configuration Change Management and Vulnerability Assessments

Table R1 Requirements5

1.2 Authorize and document changes that deviate from the existing baseline configuration.

1.3 For a change that deviates from the existing baseline configuration, update the baseline configuration as necessary within 30 calendar days of completing the change.

1.4 For a change that deviates from the existing baseline configuration:

1.4.1. Prior to the change, determine required cyber security controls in CIP-005 and CIP-007 that could be impacted by the change;

1.4.2. Following the change, verify that required cyber security controls determined in 1.4.1 are not adversely affected; and

1.4.3. Document the results of the verification.

2.1 Monitor at least once every 35 calendar days for changes to the baseline configuration (as described in Requirement R1, Part 1.1). Document and investigate detected unauthorized changes.

How Tufin's Solution Meets Requirements for CIP-010-1 – Cyber Security — Configuration Change Management and Vulnerability Assessments

These requirements generally pertain to device configuration change management—a specialty of Tufin Orchestration Suite. Tufin has built-in workflow process automation to support gathering approval for a requested change and conducting a pre-change risk assessment to determine whether making the change will cause a violation of policy, as shown in Figure 5.

5 Cyber Security — Configuration Change Management and Vulnerability Assessments, P. 6-8, 10


Figure 5: The Tufin automated workflow process can look ahead for policy violations before a change is executed

Post-change, the risk position is validated once again. The Unified Security Policy matrix, as well as a dashboard and various reports, always provide clear visibility into the covered entity's current security posture. Tufin provides real-time monitoring of the security configuration and real-time alerts on violations that might occur. Additionally, every action pertaining to security configuration and change management is fully logged and held for an audit trail, as shown in Figure 6.

Figure 6: Tufin keeps an accurate audit trail to document all policy changes
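The baseline monitoring that CIP-010-1 Parts 1.3 and 2.1 above call for, as an added example in plain Python (not Tufin code): a device's current rule base is compared with its recorded baseline plus the documented, authorized changes, and anything else is reported as unauthorized drift. The device name, baseline rules, dates and change ticket are constructed sample data.

```python
"""Baseline drift check for CIP-010-1 R1.3 / R2.1 (added example, not Tufin code).

Expected rules = recorded baseline + authorized, documented changes. A rule that is
present but not expected (or expected but missing) is unauthorized drift to be
documented and investigated. The check also flags a monitoring gap longer than
35 days and authorized changes not folded into the baseline within 30 days.
Device, rules, dates and ticket numbers below are constructed.
"""
from datetime import date

MONITOR_INTERVAL_DAYS = 35   # CIP-010 R2.1: look for baseline changes at least every 35 days
BASELINE_UPDATE_DAYS = 30    # CIP-010 R1.3: fold a completed change into the baseline within 30 days

# Constructed baseline for one ESP firewall. Rules are (src zone, dst zone, service, action).
BASELINE = {
    "device": "fw-esp-01",
    "recorded": "2015-01-05",
    "rules": {
        ("Corporate", "Jump-Host", "tcp/22", "accept"),
        ("Jump-Host", "ESP-High", "tcp/22", "accept"),
        ("any", "any", "any", "drop"),
    },
}

# Constructed record of authorized, documented changes made since the baseline was recorded.
AUTHORIZED_CHANGES = [
    {"ticket": "CHG-0042", "approver": "carol", "completed": "2015-01-20",
     "add": ("ESP-High", "Historian", "tcp/5450", "accept")},
]


def _days_between(earlier: str, later: str) -> int:
    """Calendar days from one ISO date string to another (negative if reversed)."""
    return (date.fromisoformat(later) - date.fromisoformat(earlier)).days


def check_drift(current_rules, today: str, last_monitored: str,
                baseline=BASELINE, changes=AUTHORIZED_CHANGES) -> dict:
    """Report unauthorized drift plus overdue monitoring or baseline updates."""
    expected = set(baseline["rules"])
    for chg in changes:                   # replay the documented, approved changes
        if "add" in chg:
            expected.add(chg["add"])
        if "remove" in chg:
            expected.discard(chg["remove"])
    current = set(current_rules)
    # Authorized changes completed after the baseline was recorded, and more than
    # 30 days ago, mean the baseline itself is overdue for an update (R1.3).
    stale = [chg["ticket"] for chg in changes
             if _days_between(baseline["recorded"], chg["completed"]) > 0
             and _days_between(chg["completed"], today) > BASELINE_UPDATE_DAYS]
    return {
        "unauthorized_added": sorted(current - expected),      # investigate and document
        "unauthorized_removed": sorted(expected - current),
        "monitoring_overdue": _days_between(last_monitored, today) > MONITOR_INTERVAL_DAYS,
        "baseline_update_overdue": stale,
    }
```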


Centralized Management of the Entire Environment

Tufin Orchestration Suite provides a centralized management system with a single pane of glass to manage and control security across hybrid cloud and physical networks. The dashboard, as shown in Figure 7, provides an overview of the current network status. Built-in pivot tables deliver multiple views of the network, and drill-down details are available behind every data point.

Figure 7: Tufin provides unified security management and control from a single pane of glass

Conclusion

Tufin is able to help organizations meet the challenges associated with network configuration and change management that are part of the requirements of NERC CIP V5. The Tufin solution performs the critical task of identifying Cyber Assets, their existing application connections and device configurations. This aids in grouping assets so that policies can be consistently evaluated, applied and monitored.

Tufin helps organizations focus on NERC CIP V5 compliance and evidence of compliance for audits. Every network change is documented in an audit trail. There is a risk assessment before every change is made. The workflow process requires business approval for changes before they can be made. And, there is validation of completion of the entire process.

The automated workflow process helps an organization reduce its need for education and training, manual work, and the tedious work of capturing evidence of what is happening.


In summary, Tufin Orchestration Suite is an essential tool for organizations that need to transition to or adopt and demonstrate compliance with NERC CIP V5.

About Tufin

As the market leader of award-winning Security Policy Orchestration solutions, Tufin provides enterprises with the ability to streamline the management of network security policies across complex, heterogeneous environments. With more than 1,500 customers, Tufin automatically designs, provisions, analyzes and audits end-to-end network security configuration changes – from the application layer down to the network layer – accurately and securely. It assures business continuity with a tight security posture, rapid service delivery and regulatory compliance across physical/on-premise, private, public and hybrid cloud environments. Industries served include finance, telecom, energy and utilities, healthcare, retail, education, government, manufacturing, transportation and auditors. Tufin partners with leading vendors including BMC, Blue Coat, Cisco, F5 Networks, Intel Security, OpenStack, VMware and more, and is known for technological innovation and dedicated customer service.

Copyright © 2015 Tufin

Tufin, Unified Security Policy, Tufin Orchestration Suite and the Tufin logo are trademarks of Tufin. All other product names mentioned herein are trademarks or registered trademarks of their respective owners.
