Managing NERC CIP Patching Process With Tripwire Enterprise and Tripwire


One of the hardest parts of managing an organization’s cybersecurity is patch management.
Just as one patch cycle is completed, another set of patches is released. In the highly regulated energy industry, governed by the NERC CIP Standards, the task becomes even more daunting. Fortunately, Fortra’s Tripwire Enterprise (TE) and Tripwire State Analyzer (TSA) can ease the process.

Some of the specified requirements align directly with the capabilities of TE. For example, the rationale section of CIP-010-4 R1 states that “the configuration change management processes are intended to prevent unauthorized modifications to BES Cyber Systems”. Modification of any item within an applicable Cyber Asset’s “baseline configuration”, such as OS patching, is the trigger for when entities must apply their change management processes.

The parts of the Standards are intertwined, so as part of this process an entity must identify and verify the Security Controls from CIP-005 and CIP-007 that could be impacted when a baseline configuration changes. Historically, for most organizations, this is a time-consuming, largely manual, recurring process that is heavily scrutinized by auditors. To best achieve compliance, a systematic approach is required.

Step 1 – Determine scope of patched assets

Identify the target hosts where patches will be installed and catalog them as part of the Change Request (CR). Generally, these host groups share a common OS or function and should be “tagged” in TE and TSA. One optional practice is to create Assessments scoped to these “patching groups”, as well as to the platform family.

Step 2 – Ensure current software is authorized and CIP-related changes promoted

The target hosts should be reviewed to ensure that all CIP-010 baseline attributes and CIP-005/7 controls are authorized and compliant with no drift from the last patch cycle. See sample screenshots below.

  • Ensure that the TE check tasks for TSA Query Rules and NERC CIP elements have been executed within the last 24 hours.
  • Check the TSA console to ensure “0” Unauthorized Software and Open Ports. If required, update Allowlists to address Unauthorized items.
  • Check the TE NERC CIP Test Results Summary dashboard to ensure all controls are “Passing”.
  • Check the TE 35-Day Change Process Compliance Report for CIP-related elements to ensure that no “Unauthorized” entries exist. If required, promote outstanding changes that are valid.

Step 3 – Generate “Pre-change” CIP Baseline and Security Controls evidence reports

Execute either a TE report task to email reports or a TE check task to write reports to a file share for affected assets. TSA includes multiple report formatting options that affect the size and appearance of CIP-010 baseline reports. Tripwire Professional Services can help you determine best fit based on organizational preferences for process, evidence report repositories, and report format.

Step 4 – Apply patches and subsequently re-run TE check tasks from Step 2.

Step 5 – Verify expected changes to software baseline and authorize.

In the TSA GUI, new or updated software will show up as “Unauthorized” in the Assessment panel.

  • Review unauthorized Software items and authorize them in the Allowlist. Generally, the best practice is to authorize for the entire “asset group”.
  • Re-run assessments for Software and Open Ports for assets within the change scope and verify that they display “0” Unauthorized.

Step 6 – Ensure CIP Security Controls were not affected by patch

  • Check the TE NERC CIP Test Results Summary dashboard to ensure all security controls are still in a “Passing” state.

Step 7 – Promote TE Unpromoted NERC CIP changes.

Updates to the TSA Allowlist in Step 5 will generate TE element changes for Software – Allowed “TSA Output Elements” – which will be detected in the 35-Day Change Process Compliance Report. This capability requires configuration of a Severity Override action during implementation.

  • Using drill-down reports, these elements should be promoted in Elements View using the Change Request number as the Approval ID. This promotion provides an auditable record of CIP-010 baseline changes.

Step 8 – Generate “Post-change” CIP Baseline and Security Controls evidence reports.

Essentially, this is the same process as generating the Baseline and Security Controls evidence reports in Step 3. The new reports should show the expected changes to the software baseline, but everything else should reflect the same information as the pre-patch state. Customers may also choose to generate a “Detailed Changes” report for the affected Software “TSA Output Elements”.
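As an added illustration of the Step 3 through Step 8 evidence workflow (example code written for this page, not Tripwire’s code and not the TE/TSA data model): a small Python model that diffs a pre-change and post-change software baseline, authorizes only the changes within the Change Request scope for the whole asset group, records each promotion with the CR number as the Approval ID, and reports whatever remains unauthorized afterwards. Host names, package versions and the CR number are constructed sample values.

```python
import copy

# Constructed sample baselines (hypothetical hosts and versions), not TE or TSA output.
PRE_BASELINE = {
    "ems-hmi-01": {"openssl": "1.1.1t", "sshd": "8.9p1", "app-agent": "4.2"},
    "ems-hmi-02": {"openssl": "1.1.1t", "sshd": "8.9p1", "app-agent": "4.2"},
}
POST_BASELINE = {
    "ems-hmi-01": {"openssl": "1.1.1w", "sshd": "9.3p2", "app-agent": "4.2"},
    "ems-hmi-02": {"openssl": "1.1.1w", "sshd": "9.3p2", "app-agent": "4.2",
                   "netcat": "1.10"},  # not in the CR scope: must stay unauthorized
}
GROUP_OF = {"ems-hmi-01": "hmi-group", "ems-hmi-02": "hmi-group"}
ALLOWLIST = {"hmi-group": {("openssl", "1.1.1t"), ("sshd", "8.9p1"), ("app-agent", "4.2")}}
CR_EXPECTED = {("openssl", "1.1.1w"), ("sshd", "9.3p2")}   # changes the CR authorizes

def diff_baselines(pre, post):
    """Post-change vs pre-change: {host: {package: (old_version, new_version)}}."""
    changes = {}
    for host in sorted(set(pre) | set(post)):
        old, new = pre.get(host, {}), post.get(host, {})
        delta = {p: (old.get(p), new.get(p)) for p in set(old) | set(new)
                 if old.get(p) != new.get(p)}
        if delta:
            changes[host] = delta
    return changes

def unauthorized(post, allowlist, group_of):
    """Software present on a host but absent from its asset group's allowlist."""
    result = {}
    for host, pkgs in post.items():
        bad = {(p, v) for p, v in pkgs.items() if (p, v) not in allowlist[group_of[host]]}
        if bad:
            result[host] = bad
    return result

def run_patch_cycle(pre, post, allowlist, group_of, expected, approval_id):
    """Authorize only CR-scoped changes, for the entire asset group, and record
    each promotion with the CR number as the Approval ID."""
    allowlist = copy.deepcopy(allowlist)        # leave the caller's allowlist untouched
    changes = diff_baselines(pre, post)
    promotions = []
    for host, delta in changes.items():
        for pkg, (old, new) in delta.items():
            if new is not None and (pkg, new) in expected:
                allowlist[group_of[host]].add((pkg, new))   # group-wide authorization
                promotions.append({"host": host, "element": pkg, "old": old,
                                   "new": new, "approval_id": approval_id})
    return {"changes": changes, "promotions": promotions,
            "unauthorized_after": unauthorized(post, allowlist, group_of)}
```

The model deliberately leaves superseded versions on the allowlist; retiring them is a separate allowlist hygiene step in practice.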

Conclusion

The methods outlined above have been implemented by many electrical utilities, enabling an efficient, repeatable process. In the future, changes in NERC CIP regulations will likely require more organizations to adhere to the CIP-010 Configuration Change Management standard. Fortra’s Tripwire Enterprise is a proven product solution, and Fortra’s consulting expertise can help you achieve a smooth implementation and ongoing operation of this capability.
