
The North American Electric Reliability Corporation (NERC) has published, under its Critical Infrastructure Protection (CIP) program, a security standard that is mandatory for every SCADA system that manages infrastructure within the electrical system. It closely resembles the ISO27002 control objectives. Look for the Critical Infrastructure Protection item on the NERC website. Let's have a look at the detail of each document:

The Cyber Asset is dial-up accessible.

Cyber Security - Security Management Controls
Its purpose is to create and maintain a Cyber Security Policy, to define the leadership of a senior manager who leads and manages the implementation of the CIP standards, to control exceptions to the policy, and to define and implement access control measures, change control, configuration management and information protection methodologies.

Cyber Security - Personnel and Training
It requires that personnel with authorized cyber access or authorized unescorted physical access to the Critical Cyber Assets identified in CIP002-4a, including contractors and service vendors, have an appropriate level of personnel risk assessment, training, and security awareness, as defined by the company's risk assessment model and in compliance with its Information Security Management System.

Cyber Security - Electronic Security Perimeter
It requires the identification and protection of the Electronic Security Perimeter inside which all Critical Cyber Assets reside. This means placing controls such as firewalls with specific support for the SCADA protocols in use, application whitelisting and IPS, among many others. None of those controls may alter or interfere with the protocol flow between the SCADA entities in place.
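To make concrete what "a firewall with specific support for the SCADA protocol" means at the perimeter, here is an added example (not code from the diary or from NERC) of a protocol-aware allow/deny decision for Modbus/TCP: it parses the MBAP header and function code and checks the source, destination and function code against an allow-list policy. The host addresses, the policy table and the sample frames are constructed assumptions for illustration; a real deployment would derive the policy from the asset inventory.

```python
"""
Added example (not part of the original diary): a minimal, protocol-aware
filter decision for Modbus/TCP traffic crossing an Electronic Security
Perimeter. Addresses, policy and sample frames are constructed.
"""
import struct

# Modbus function codes that change process state (writes).
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}

# Constructed policy: (source host, destination PLC) -> permitted function
# codes. Any pair or function code not listed is denied.
POLICY = {
    ("10.1.1.10", "10.2.2.5"): {1, 2, 3, 4},          # HMI: read-only
    ("10.1.1.20", "10.2.2.5"): {1, 2, 3, 4, 6, 16},   # engineering workstation: may write
}


def parse_mbap(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header plus the function code of a Modbus/TCP frame."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}; Modbus/TCP uses 0")
    # The length field counts unit id + PDU, so it must match the bytes that follow.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {"transaction_id": tid, "unit_id": unit_id, "function_code": frame[7]}


def decide(src: str, dst: str, frame: bytes) -> tuple:
    """Return ("allow" | "deny", reason) for one frame crossing the ESP."""
    try:
        hdr = parse_mbap(frame)
    except ValueError as exc:
        return "deny", f"malformed: {exc}"
    allowed = POLICY.get((src, dst))
    if allowed is None:
        return "deny", f"no policy for {src} -> {dst}"
    fc = hdr["function_code"]
    if fc not in allowed:
        kind = "write" if fc in WRITE_FUNCTION_CODES else "read/other"
        return "deny", f"function code {fc} ({kind}) not permitted for {src}"
    return "allow", f"function code {fc} permitted"


def build_frame(tid: int, unit_id: int, function_code: int, payload: bytes) -> bytes:
    """Constructed helper: assemble a Modbus/TCP frame for the samples below."""
    pdu = bytes([function_code]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


if __name__ == "__main__":
    # Constructed sample traffic: HMI read, HMI write, workstation write, unknown host.
    samples = [
        ("10.1.1.10", "10.2.2.5", build_frame(1, 1, 3, b"\x00\x00\x00\x0a")),
        ("10.1.1.10", "10.2.2.5", build_frame(2, 1, 6, b"\x00\x01\x00\xff")),
        ("10.1.1.20", "10.2.2.5", build_frame(3, 1, 6, b"\x00\x01\x00\xff")),
        ("10.9.9.9", "10.2.2.5", build_frame(4, 1, 3, b"\x00\x00\x00\x0a")),
    ]
    for src, dst, frame in samples:
        verdict, reason = decide(src, dst, frame)
        print(f"{src} -> {dst}: {verdict} ({reason})")
```

The point of the example is the denial path: a read-only HMI that suddenly issues a write function code is rejected without the filter rewriting or delaying the frames it does permit, which is the "must not alter the protocol flow" requirement of the passage.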

Cyber Security - Physical Security of Critical Cyber Assets
This standard is intended to ensure the implementation of a physical security program for the protection of Critical Cyber Assets. This includes physical controls such as special locks, walls and biometrics, together with a monitoring system that checks all those controls for anomalies.

Cyber Security - Systems Security Management
It requires Responsible Entities to define methods, processes, and procedures for securing the systems determined to be Critical Cyber Assets inside the Electronic Security Perimeter, such as test procedures, a security baseline for ports and services, security patch management, malicious software prevention, account management and security status monitoring.
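One of the controls named above, the security baseline for ports and services, is easy to show as a check: compare what a host is actually listening on against the approved baseline and report deviations in both directions. The following is an added example, not code from the diary or from NERC; the baseline entries and the `ss -tuln` output it parses are constructed for illustration.

```python
"""
Added example (not part of the original diary): compare the listening ports
observed on a host against an approved ports-and-services baseline.
The baseline and the `ss -tuln` sample are constructed.
"""
import re

# Constructed baseline for one PLC gateway: (protocol, port) -> justification.
BASELINE = {
    ("tcp", 502): "Modbus/TCP to PLCs",
    ("tcp", 22): "SSH for administration from the jump host",
    ("udp", 123): "NTP time sync",
}

# Constructed sample of `ss -tuln` output as collected from the host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:123       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:502       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:23        0.0.0.0:*
tcp   LISTEN 0      5          127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
"""

# Matches one data line: proto, state, queues, then local address:port.
LINE_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def parse_listeners(ss_output: str) -> set:
    """Extract (proto, local address, port) triples from `ss -tuln` text."""
    listeners = set()
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.add((m.group(1), m.group(2), int(m.group(3))))
    return listeners


def check_baseline(listeners: set, baseline: dict) -> tuple:
    """Return (unexpected, missing) as sorted lists of (proto, port).

    unexpected: listening but not in the baseline (needs justification or removal).
    missing: in the baseline but not listening (a required service may be down).
    """
    observed = {(proto, port) for proto, _addr, port in listeners}
    unexpected = sorted(observed - set(baseline))
    missing = sorted(set(baseline) - observed)
    return unexpected, missing


def report(ss_output: str, baseline: dict) -> str:
    """Render a short human-readable deviation report."""
    listeners = parse_listeners(ss_output)
    unexpected, missing = check_baseline(listeners, baseline)
    lines = []
    for proto, port in unexpected:
        addrs = sorted(a for p, a, pt in listeners if (p, pt) == (proto, port))
        lines.append(f"UNEXPECTED {proto}/{port} bound on {', '.join(addrs)}")
    for proto, port in missing:
        lines.append(f"MISSING    {proto}/{port} ({baseline[(proto, port)]})")
    return "\n".join(lines) if lines else "host matches baseline"


if __name__ == "__main__":
    print(report(SAMPLE_SS_OUTPUT, BASELINE))
```

Run on the constructed sample, the report flags tcp/23 (telnet, bound on all interfaces) and tcp/631 (bound only on loopback) as unexpected; the loopback-only listener is still reported, because a baseline that silently ignores local services tends to hide the ones that become remotely reachable after a configuration change.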

Cyber Security - Incident Reporting and Response Planning
It ensures the identification, classification, response, and reporting of Cyber Security Incidents related to Critical Cyber Assets. For more details on incident response, check the NIST Computer Incident Response guide.

Cyber Security - Recovery plans for Critical Cyber Assets
It ensures that recovery plans are put in place for Critical Cyber Assets and that these plans follow established business continuity and disaster recovery techniques and practices.

The implementation of the NERC CIP standards needs to be built from the Information Security Management System directives, and both need to agree on how the controls are implemented.

Manuel Humberto Santander Peláez

SANS Internet Storm Center - Handler

e-mail: msantand at isc dot sans dot org
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.