5 Replies Latest reply on Jun 24, 2016 4:57 PM by rschroeder

    New version of the NERC CIP standards

    d.shaffer

      New versions of the NERC CIP requirements will come into effect on Apr 1, 2016, and I am looking for some guidance on using LEM to satisfy the following requirement:

       

      Develop a baseline configuration, individually or by group, which shall include the following items:

      1.1.1. Operating system(s) (including version) or firmware where no independent operating system exists;

      1.1.2. Any commercially available or open‐source application software (including version) intentionally installed;

      1.1.3. Any custom software installed;

      1.1.4. Any logical network accessible ports; and

      1.1.5. Any security patches applied.

       

      Can anyone give some advice on whether or not LEM can assist meeting some or all of this

      requirement? Also, does LEM have a standard report that will specify installed software?

        • Re: New version of the NERC CIP standards
          curtisi

          I'm not sure where you got this nice summary, but I went looking here: CIP Standards

           

          And I started looking at the "Subject to Future Enforcement" sections.

           

          In short, I don't think LEM is the tool for this particular part of CIP compliance.  Patch Manager could certainly help you inventory installed software; manage security and critical updates for Microsoft and third-party products; and produce reports to present to auditors showing what devices are(n't) up to date with all current vulnerabilities addressed.  Patch Manager could at least assist with 1.1.1, 1.1.2, 1.1.3 and 1.1.5.  Patch is not a system imaging tool, though.

           

          LEM and NPM could probably help with 1.1.4 in as much as LEM can collect data from network devices connected to those logical ports and alert off of traffic it sees, and NPM could track the performance of those network devices.

           

          However, looking at other sections, there's plenty of work for the LEM to do: things like information protection, change management (and to a more limited degree the vulnerability assessments), incident reporting and response.

           

          • FIM and USB Defender (parts of the LEM Agent) can both help with information protection, as well as auditing who is touching what.
          • Change management is a big reason to have an auditing platform like LEM, since it can track all changes and produce reports and alerts.
          • Vulnerability Assessments: no Solarwinds product will do the same job that something like a Nessus scanner will do.  However, if your LEM is working correctly, you should be able to watch Nessus or a pen-test proceed through the network, and get reporting and information on where you're vulnerable and what sort of things to look for.
          • Incident Alerting is all part of rules and correlations in LEM: if you see X happen, respond with Y and make sure it ends up in mailbox Z and report A.  LEM has that covered.

           

          I hope that helps.

          2 of 2 people found this helpful
            • Re: New version of the NERC CIP standards
              d.shaffer

              There was rumor that TriGeo/LEM was going to have either port scanning capability and/or vulnerability scanning capability. Is that really/still on the roadmap? Not really looking for anything as strong as Nessus withini LEM, but anything to help us better address the 1.1.4 requirement would be helpful. Say something along the lines of scan for "listening" ports and check against a known set of "authorized/white listed" ports...

              1 of 1 people found this helpful
            • Re: New version of the NERC CIP standards
              cyb3rhashlogic

              I am working on tweaking rules for NERC-CIP before the compliance deadline - 1 July 2016. Has anyone created a rule for "Detected Failed Access Attempts." My rule looks for all "Access Attempts", but doesn't single out "Failed". Anyway to do that. Thanks.

              • Re: New version of the NERC CIP standards
                rschroeder

                It's nice to see this information--thank you for the thread.