The North American Electric Reliability Corporation (NERC) has published, under its Critical Infrastructure Protection (CIP) program, a security standard that is mandatory for every SCADA system managing infrastructure within the electrical system. It closely resembles the ISO 27002 control objectives. Look for the Critical Infrastructure Protection item on the NERC website. Let's have a look inside the detail of each document:
Among the CIP-002 criteria that make a Cyber Asset a Critical Cyber Asset: the Cyber Asset is dial-up accessible.
Cyber Security - Security Management Controls
Its purpose is to create and maintain a Cyber Security Policy, designate a senior manager to lead and manage the implementation of the CIP standards, control exceptions to the policy, and define and implement access control measures, change control, configuration management and information protection methodologies.
Cyber Security - Personnel and Training
It requires that personnel having authorized cyber access or authorized unescorted physical access to the Critical Cyber Assets identified under CIP002-4a, including contractors and service vendors, have an appropriate level of personnel risk assessment, training, and security awareness, as defined by the risk assessment model inside the company and in compliance with the Information Security Management System.
Cyber Security - Electronic Security Perimeter
It requires the identification and protection of the Electronic Security Perimeter inside which all Critical Cyber Assets reside. This means placing controls such as firewalls with specific support for the SCADA protocols in use, application whitelisting and IPS, among many others. None of those controls may induce or modify the protocol flow between the SCADA entities in place.
Cyber Security - Physical Security of Critical Cyber Assets
This standard is intended to ensure the implementation of a physical security program for the protection of Critical Cyber Assets. This includes physical controls such as special locks, walls and biometrics, and a monitoring system that checks all those controls for anomalies.
Cyber Security - Systems Security Management
It requires Responsible Entities to define methods, processes, and procedures for securing the systems determined to be Critical Cyber Assets inside the Electronic Security Perimeter: test procedures, a security baseline for ports and services, security patch management, malicious software prevention, account management and security status monitoring.
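As an added illustration of the ports-and-services baseline mentioned above (example code written for this summary, not part of the diary or of NERC material), the following script parses a constructed `ss -ltnp`-style listener list from a Critical Cyber Asset and reports every deviation from an allowed baseline; the asset, process names and ports are hypothetical.

```python
"""Ports-and-services baseline check for one Critical Cyber Asset (hypothetical)."""
import re

# Baseline for the asset: the only TCP listeners allowed inside the ESP.
# Constructed sample values, not taken from any real deployment.
BASELINE = {
    ("tcp", 502): "modbus-gw",          # Modbus/TCP gateway process
    ("tcp", 20000): "dnp3-outstation",  # DNP3 outstation process
    ("tcp", 22): "sshd",                # maintenance access
}

# Constructed sample of `ss -ltnp` output (Linux) used as the observed state.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:502         0.0.0.0:*     users:(("modbus-gw",pid=1201,fd=5))
LISTEN 0      128    0.0.0.0:23          0.0.0.0:*     users:(("telnetd",pid=1333,fd=4))
"""

# Matches a LISTEN line and captures the local port and the owning process name.
LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)"')

def parse_listeners(ss_output: str, proto: str = "tcp") -> dict:
    """Return {(proto, port): process} for every LISTEN line in the output."""
    found = {}
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            found[(proto, int(m.group(1)))] = m.group(2)
    return found

def check_baseline(observed: dict, baseline: dict) -> dict:
    """Compare observed listeners with the baseline and classify each deviation."""
    unexpected = {k: v for k, v in observed.items() if k not in baseline}
    missing = {k: v for k, v in baseline.items() if k not in observed}
    wrong_process = {k: (baseline[k], v) for k, v in observed.items()
                     if k in baseline and baseline[k] != v}
    return {"unexpected": unexpected, "missing": missing,
            "wrong_process": wrong_process,
            "compliant": not (unexpected or missing or wrong_process)}

if __name__ == "__main__":
    result = check_baseline(parse_listeners(SAMPLE_SS_OUTPUT), BASELINE)
    for kind in ("unexpected", "missing", "wrong_process"):
        for key, val in result[kind].items():
            print(f"{kind}: {key[0]}/{key[1]} -> {val}")
    print("compliant" if result["compliant"] else "DEVIATION from baseline")
```

In the sample, the telnet listener on port 23 is reported as unexpected and the absent DNP3 service as missing, which is the kind of finding the security status monitoring requirement is meant to surface.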
Cyber Security - Incident Reporting and Response Planning
It ensures the identification, classification, response, and reporting of Cyber Security Incidents related to Critical Cyber Assets. For more details on incident response, check NIST Computer Incident Response guide.
Cyber Security - Recovery plans for Critical Cyber Assets
It ensures that recovery plans are put in place for Critical Cyber Assets and that these plans follow established business continuity and disaster recovery techniques and practices.
The implementation of the NERC CIP standards needs to be built from the Information Security Management System directives, and both need to agree on the way controls are implemented.
Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
e-mail: msantand at isc dot sans dot org
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.