
Posted on 11-Jun-2020


Page 1

BATTLE-TESTED CYBERSECURITY

SOLUTION BRIEF

CyberX.io

HIGHLIGHTS

HOW CYBERX STREAMLINES NERC CIP COMPLIANCE

CyberX’s agentless IoT/OT security platform helps utility companies keep the bulk electric system (BES) secure and reliable. Some of the world’s largest and most complex energy utilities depend on CyberX to safeguard their control centers and substations, including 3 of the top 10 US energy utilities.

Electric utilities that own or operate BES assets in North America must comply with the NERC CIP (Critical Infrastructure Protection) standards. With industry-leading asset discovery, risk and vulnerability management, and threat monitoring, CyberX streamlines NERC CIP compliance and provides built-in automation in place of manual methods that are complex, time-consuming, and prone to human error.

Furthermore, CyberX also offers customizable dashboards that enable you to demonstrate compliance with CIP standards for auditors.

This document outlines how CyberX supports each of the CIP standards.

CyberX provides built-in automation that streamlines NERC CIP compliance across CIP standards CIP-002 through CIP-011.

CYBERX SUPPORTS NERC CIP COMPLIANCE FOR STANDARDS CIP-002 THROUGH CIP-011:

• CIP-002: Automatically inventories all OT devices and discovers asset details.

• CIP-003: Facilitates implementation & documentation of security policies.

• CIP-004: Provides vulnerability assessments, continuous monitoring, and threat modeling.

• CIP-005: Automatically maps device communications.

• CIP-006: Verifies that physical security devices are isolated from BES Cyber Systems and detects malware on them.

• CIP-007: Detects IoT/OT vulnerabilities and threats.

• CIP-008: Automates IR processes and integrates with SOC solutions.

• CIP-009: Verifies that backups are occurring, integrates with ticketing systems, and provides detailed event logs.

• CIP-010: Provides automated vulnerability assessments.

• CIP-011: Identifies unauthorized retrieval of asset information.

ABOVE: CyberX offers customizable dashboards to demonstrate compliance for CIP-002 through CIP-011.

Page 2

CIP-002: BES CYBER SYSTEM IDENTIFICATION & CATEGORIZATION

• Creates an accurate inventory of all systems and devices in the OT network (pictured on right, within customizable CIP-002 dashboard).

• Classifies devices by type, which helps asset owners group them into BES Cyber Systems and assign the high, medium, or low impact rating. (The rating itself follows from the BES facility the system supports, per the CIP-002 Attachment 1 criteria, not from the device type.)

• Creates a network map with an inventory of all subnets and connections between them, which informs potential scope of devices (pictured on right).

• Immediately identifies when new devices have been added to the network.

• Enables creation of audit reports and dashboards that fully document your compliance.

CIP-003: SECURITY MANAGEMENT CONTROLS

• Facilitates implementation and documentation of cybersecurity policies for High/Medium and Low Impact BES Cyber Systems, including policies regarding:

  • Electronic Security Perimeters (ESPs), including Interactive Remote Access.

  • Physical security via monitoring devices such as CCTV cameras.

  • System security management.

  • Incident reporting and response planning.

  • Configuration change management and vulnerability assessments.

  • Information protection.

CIP-004: TRAINING AND PERSONNEL SECURITY

• Supports Security Awareness via vulnerability assessment reports highlighting areas that need to be addressed, prioritized by risk.

• Supports Security Awareness via automated ICS threat modeling and attack vector visualization showing the most likely paths of targeted attacks on critical assets.

• Supports Access Management Program via continuous monitoring to immediately identify unauthorized access.

• Supports Access Management Program via continuous asset inventory to immediately identify open ports and weak authentication that can be used for unauthorized access.

How CyberX Supports CIP Standards:

ABOVE: CyberX’s CIP-002 dashboard depicts a filterable & searchable inventory of all assets, subnets, connections, and unauthorized devices.

BELOW: CyberX automatically generates a network map of all assets and the connections between them.

Page 3

CIP-005: ELECTRONIC SECURITY PERIMETER

• Automated creation of network map (pictured on pg 2) verifies that all cyber assets connected to a network via a routable protocol reside within a defined ESP.

• For systems with External Routable Connectivity, the platform documents that connectivity occurs via an identified Electronic Access Point (EAP).

• For systems with Interactive Remote Access (e.g., VPN access), the platform documents that:

  • access is only provided via an Intermediate System (e.g., a remote access server);

  • only specific protocols are allowed from computers and networks that are not company-owned;

  • only encrypted ports are accessible on the Intermediate System;

  • ports and services not required for the operation of applications are disabled.

• Immediate alerts when unauthorized remote access is identified.
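The CIP-005 checks listed above can be expressed as rules over passively observed flows. The following is an added example written for this page, not CyberX code; the ESP subnet, asset list, Intermediate System address, EAP permit rules and flow records are all constructed for illustration. It flags BES Cyber Assets that sit outside any defined ESP (R1 Part 1.1), boundary-crossing traffic that matches no documented EAP permit (R1 Part 1.3), interactive sessions that reach an asset inside the ESP without passing through the Intermediate System (R2 Part 2.1), and unencrypted sessions terminating at the Intermediate System (R2 Part 2.2).

```python
"""CIP-005 Electronic Security Perimeter checks over passively observed flows (added example)."""
import ipaddress
from dataclasses import dataclass

# Constructed inventory (illustrative addresses, not real telemetry).
ESPS = {"control-center-esp": ["10.10.0.0/24"]}             # ESP name -> routable subnets inside it
BES_CYBER_ASSETS = ["10.10.0.5", "10.10.0.9", "10.20.0.3"]  # 10.20.0.3 sits on a subnet no ESP covers
INTERMEDIATE_SYSTEMS = {"172.16.5.10"}                      # jump host in a DMZ outside the ESP
INTERACTIVE_PORTS = {22, 23, 3389, 5900}   # SSH, Telnet, RDP, VNC: treated as Interactive Remote Access
ENCRYPTED_PORTS = {22, 443, 3389}          # assumed encrypted when terminating at the Intermediate System
# EAP permits (R1 Part 1.3): direction, remote network, protocol, destination port, documented reason
PERMITS = [
    ("inbound", "172.16.5.10/32", "tcp", 3389, "IRA from Intermediate System to HMI"),
    ("outbound", "192.168.10.50/32", "tcp", 1433, "historian replication to corporate database"),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int


# Constructed flow records, as a passive sensor might report them.
OBSERVED_FLOWS = [
    Flow("192.168.4.20", "172.16.5.10", "tcp", 443),    # user -> jump host over TLS
    Flow("172.16.5.10", "10.10.0.5", "tcp", 3389),      # jump host -> HMI: the permitted IRA path
    Flow("192.168.4.21", "10.10.0.5", "tcp", 3389),     # direct RDP from corporate into the ESP
    Flow("192.168.4.22", "172.16.5.10", "tcp", 23),     # cleartext telnet to the jump host
    Flow("10.10.0.7", "8.8.8.8", "udp", 53),            # DNS leaving the ESP with no permit
    Flow("10.10.0.5", "10.10.0.9", "tcp", 502),         # Modbus/TCP entirely inside the ESP
    Flow("10.10.0.9", "192.168.10.50", "tcp", 1433),    # historian replication, covered by a permit
]

_ESP_NETS = {name: [ipaddress.ip_network(c) for c in cidrs] for name, cidrs in ESPS.items()}


def esp_of(ip):
    """Return the name of the ESP containing ip, or None if it is outside every ESP."""
    addr = ipaddress.ip_address(ip)
    for name, nets in _ESP_NETS.items():
        if any(addr in net for net in nets):
            return name
    return None


def check_assets_in_esp(assets):
    """R1 Part 1.1: every routable BES Cyber Asset must reside inside a defined ESP."""
    return [("CIP-005 R1.1", f"{ip} is not inside any defined ESP")
            for ip in assets if esp_of(ip) is None]


def _permitted(flow, direction):
    """True if the boundary-crossing flow matches a documented EAP permit rule."""
    remote = ipaddress.ip_address(flow.src if direction == "inbound" else flow.dst)
    return any(d == direction and remote in ipaddress.ip_network(net)
               and proto == flow.proto and port == flow.dst_port
               for d, net, proto, port, _reason in PERMITS)


def check_flows(flows):
    """Evaluate flows against CIP-005 R1.3, R2.1 and R2.2; return (requirement, detail) findings."""
    findings = []
    for f in flows:
        src_in, dst_in = esp_of(f.src), esp_of(f.dst)
        if f.dst in INTERMEDIATE_SYSTEMS and src_in is None:
            # External leg of Interactive Remote Access terminating at the Intermediate System (R2.2)
            if f.dst_port not in ENCRYPTED_PORTS:
                findings.append(("CIP-005 R2.2",
                                 f"unencrypted remote access {f.src} -> {f.dst}:{f.dst_port}"))
            continue
        if (src_in is None) == (dst_in is None):
            continue  # both endpoints inside an ESP, or both outside: not a boundary flow
        direction = "inbound" if dst_in else "outbound"
        if direction == "inbound" and f.dst_port in INTERACTIVE_PORTS and f.src not in INTERMEDIATE_SYSTEMS:
            # Interactive session reaching a BES Cyber Asset without the Intermediate System (R2.1)
            findings.append(("CIP-005 R2.1",
                             f"interactive access {f.src} -> {f.dst}:{f.dst_port} bypasses the Intermediate System"))
            continue
        if not _permitted(f, direction):
            findings.append(("CIP-005 R1.3",
                             f"{direction} {f.proto}/{f.dst_port} {f.src} -> {f.dst} matches no EAP permit"))
    return findings


if __name__ == "__main__":
    for requirement, detail in check_assets_in_esp(BES_CYBER_ASSETS) + check_flows(OBSERVED_FLOWS):
        print(f"{requirement}: {detail}")
```

Run directly, it prints one R1.1 finding for the RTU on the uncovered subnet, an R2.1 finding for the direct RDP session, an R2.2 finding for the telnet session to the jump host, and an R1.3 finding for the outbound DNS. One limitation worth keeping in mind: flow records show which endpoints talked, not the path the packets took, so this check cannot prove that traffic traversed the EAP (R1 Part 1.2); it treats every boundary flow not covered by a documented permit as suspect instead. The permit list should be exported from the real EAP rule set, with the documented reason kept next to each rule as the requirement expects.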

CIP-006: PHYSICAL SECURITY OF BES CYBER SYSTEMS

• Verifies that physical security devices, such as Physical Access Control Systems (PACS), are isolated from BES Cyber Systems.

• Detects malware compromising physical security devices.

CIP-007: SYSTEM SECURITY MANAGEMENT

• Verifies that only authorized logical ports are enabled.

• Tracks status and processes related to security patch management.

• Generates risk-based recommendations for mitigating vulnerabilities addressed by each security patch.

• Supports development and implementation of compensating controls to be used when assets cannot be patched, such as continuous monitoring.

• Supports development and implementation of least privilege network access and network segmentation rules to minimize ability of malicious code to deploy and propagate.

• Identifies presence of anti-virus programs to protect against malicious code at the endpoint level.

• Generates alerts and event logs to support Security Event Monitoring, with a self-learning system that does not require rules or signatures. (Contextual alert pictured on left.)

• Identifies weak authentication used for System Access Control.

• Mitigates the threat of detected malicious code by enabling responders to perform investigations efficiently – via an alert timeline dashboard and intuitive data mining interface – in order to implement an effective containment strategy that minimizes disruption.

• Generates alerts after a threshold of unsuccessful authentication attempts.

• Detects other potential indicators of malicious activity such as: network scanning; configuration changes to controllers; issuing of risky commands to controllers (such as “PLC STOP”).

• Detects known malware such as TRITON, BlackEnergy, Havex, WannaCry, NotPetya, etc.

• Integrates with standard firewalls to immediately block sources of malicious traffic and prevent its propagation.

ABOVE: CyberX’s CIP-005 dashboard depicts unauthorized devices and connections.

BELOW: CyberX contextual alert, which includes event details, relevant asset information, mitigation recommendations, and the ability to drill directly down to the relevant PCAP.

Page 4

CIP-008: INCIDENT REPORTING AND RESPONSE PLANNING

• Implements automated process for identifying, classifying, and responding to Cyber Security Incidents. For example, in the CyberX platform, incidents are classified according to both severity level (Critical, Major, etc.) and type of alert (Anomaly, Malware, Baseline Deviation, Protocol Violation, Operational).

• Integrates with standard SIEMs such as IBM QRadar for coordinating centralized incident response (pictured above).

• Supports PCAP replay function for testing incident response procedures.

• Optional onsite incident response and remote malware analysis services, delivered by ICS cyber experts with expertise defending against the most sophisticated nation-state threats.

CIP-009: RECOVERY PLANS FOR BES CYBER SYSTEMS

• Verifies that backups are occurring on a regular basis.

• Event Log and detailed alerts are used to document events during a recovery plan test or actual recovery, for documenting lessons learned and updating recovery plans.

• Integrates with standard ticketing and orchestration systems to streamline recovery procedures.

CIP-010: CONFIGURATION CHANGE MANAGEMENT AND VULNERABILITY ASSESSMENTS

• Asset management to develop baseline configurations, including operating system and firmware revision level, logical network accessible ports, applications and services, and applied security patches.

• Continuous monitoring with real-time alerting to identify configuration changes.

• Continuous and automated vulnerability assessments (via non-intrusive passive monitoring) to identify critical vulnerabilities such as unauthorized Internet or subnet connections, weak firewall rules, weak authentication, unpatched devices, open ports, known malware.

• Continuous monitoring to alert on unauthorized devices such as laptops belonging to third-parties.

• Automated ICS threat modeling (attack vectors) to simulate the effect of certain changes to ensure that CIP-005 and CIP-007 controls are not adversely affected.
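The CIP-010 bullets above describe a recorded baseline and a monitor for deviations from it. As an added example written for this page (not CyberX code), the following compares a baseline against a later snapshot element by element, following the five elements CIP-010 R1 Part 1.1 defines (operating system or firmware, commercially available or open-source application software, custom software, logical network accessible ports, and applied security patches), and includes a check of the 35-day monitoring interval that R2 Part 2.1 sets for high impact BES Cyber Systems. The asset names, versions, ports and patch identifiers are constructed for illustration.

```python
"""CIP-010 baseline configuration and change detection (added example)."""
from datetime import date

# Baseline elements in the order CIP-010 R1 Part 1.1 lists them (1.1.1 through 1.1.5).
BASELINE_FIELDS = ("os_firmware", "commercial_software", "custom_software", "open_ports", "patches")

# Constructed baseline for one HMI and one PLC; versions and KB numbers are illustrative.
BASELINE = {
    "hmi-01": {
        "os_firmware": "Windows Server 2016 14393.3686",
        "commercial_software": {"ScadaView": "7.2.1", "AcmeAV": "12.4"},
        "custom_software": {"alarm-forwarder": "1.3"},
        "open_ports": {"tcp/3389", "tcp/445", "tcp/102"},
        "patches": {"KB4550929", "KB4550994"},
    },
    "plc-07": {
        "os_firmware": "S7-1500 V2.8.1",
        "commercial_software": {},
        "custom_software": {},
        "open_ports": {"tcp/102"},
        "patches": set(),
    },
}

# Constructed snapshot taken later: a remote-support tool and its listening port appeared
# on the HMI, one patch is no longer present, and the PLC firmware was downgraded.
OBSERVED = {
    "hmi-01": {
        "os_firmware": "Windows Server 2016 14393.3686",
        "commercial_software": {"ScadaView": "7.2.1", "AcmeAV": "12.4", "TeamViewer": "15.5"},
        "custom_software": {"alarm-forwarder": "1.3"},
        "open_ports": {"tcp/3389", "tcp/445", "tcp/102", "tcp/5938"},
        "patches": {"KB4550929"},
    },
    "plc-07": {
        "os_firmware": "S7-1500 V2.6.0",
        "commercial_software": {},
        "custom_software": {},
        "open_ports": {"tcp/102"},
        "patches": set(),
    },
}


def diff_baseline(baseline, observed):
    """Return (asset, element, change) tuples for every deviation of observed from baseline."""
    deviations = []
    for asset in sorted(set(baseline) | set(observed)):
        if asset not in baseline:
            deviations.append((asset, "asset", "observed but has no baseline"))
            continue
        if asset not in observed:
            deviations.append((asset, "asset", "in baseline but not observed"))
            continue
        base, now = baseline[asset], observed[asset]
        for field in BASELINE_FIELDS:
            before, after = base[field], now[field]
            if isinstance(before, dict):  # software inventories: name -> version
                for name in sorted(set(before) | set(after)):
                    if name not in before:
                        deviations.append((asset, field, f"added {name} {after[name]}"))
                    elif name not in after:
                        deviations.append((asset, field, f"removed {name} {before[name]}"))
                    elif before[name] != after[name]:
                        deviations.append((asset, field, f"{name} {before[name]} -> {after[name]}"))
            elif isinstance(before, set):  # listening ports and applied patches
                for item in sorted(after - before):
                    deviations.append((asset, field, f"added {item}"))
                for item in sorted(before - after):
                    deviations.append((asset, field, f"removed {item}"))
            elif before != after:  # scalar: operating system / firmware string
                deviations.append((asset, field, f"{before} -> {after}"))
    return deviations


def monitoring_overdue(last_check_iso, today_iso, max_days=35):
    """R2 Part 2.1: a high impact system's baseline must be checked at least once every 35 days."""
    last_check = date.fromisoformat(last_check_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_check).days > max_days


if __name__ == "__main__":
    for asset, element, change in diff_baseline(BASELINE, OBSERVED):
        print(f"{asset}: {element}: {change}")
    print("monitoring overdue:", monitoring_overdue("2020-05-01", "2020-06-11"))
```

A passive network sensor can observe firmware versions and listening ports from traffic, but installed software and applied patches generally require an authenticated query or an agent, so in practice those elements of the snapshot come from a different source. Whatever the source, each deviation the diff reports should either be matched to an authorized change record or raised as an unauthorized change.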

CIP-011: INFORMATION PROTECTION

• Continuous monitoring and real-time alerting to identify unauthorized retrieval of BES Cyber System asset information such as via network queries.

ABOVE: CyberX’s vulnerability assessment provides prioritized vulnerabilities and an overall risk score for your environment.

BELOW: CyberX’s CIP-010 dashboard shows you unauthorized connections, an inventory of firmware, and configuration change alerts.

Beyond Compliance

CyberX supports and streamlines many of the key aspects of NERC CIP compliance. However, beyond compliance, CyberX strengthens the overall security posture of energy utilities, allowing them to accelerate digitization and Industry 4.0 initiatives without risking safety and security.

CyberX detects threats faster and with more accuracy, streamlines investigations and incident response, integrates with existing security stacks (SIEMs, SOAR, etc.), and produces detailed audit trails and customized reports to demonstrate compliance – all of which are key not only to addressing NERC CIP compliance, but to IoT/OT security as a whole.

Page 5

ABOUT CYBERX

We know what it takes. Funded by Norwest Venture Partners, Qualcomm Ventures and other leading venture firms, CyberX delivers the only cybersecurity platform built by blue-team experts with a track record of defending critical national infrastructure. That difference is the foundation for the most widely deployed platform for continuously reducing IoT/OT risk and preventing costly outages, safety and environmental incidents, theft of intellectual property, and operational inefficiencies.

CyberX delivers the only IoT/OT security platform addressing all five functions of the NIST Cybersecurity Framework (CSF) and all four stages of Gartner’s Adaptive Security Architecture. CyberX is also the only IoT/OT security company to have been awarded a patent for its M2M-aware threat analytics and machine learning technology.

Customers choose CyberX because it’s the simplest, most mature, and most interoperable solution for auto-discovering their assets, identifying critical vulnerabilities and attack vectors, and continuously monitoring their IoT/OT networks for malware and targeted attacks. What’s more, CyberX provides the most seamless integration with existing SOC workflows for unified IT/OT security governance.

For more information, visit CyberX.io or follow @CyberX_Labs.