As organizations grappled with NERC CIP version 5, Tripwire learned along the way. In this series, I’ll cover the aspect of CIP that has come up the most in the last year: how to meet the software monitoring requirements.

Software Inventory as a Security Control

It is a simple question at first, but the more we peel back the layers, the more we see what a complicated topic it really is. This discussion may help some electric utilities with their ongoing efforts and provide ideas for companies not regulated by NERC about monitoring their software inventory as a security control.

In the first of this two-part series, we will walk through the background of this topic to illuminate the software inventory challenges you’re facing. Part two takes what we’ve learned and presents practical and auditable approaches for success.

For readers who do not focus on NERC CIP, I still encourage you to keep reading. Being able to identify the possible actors (software) on your system and their level of patching has definite security value. Indeed, software inventory is the CIS #2 control. You have the luxury of implementing controls with a lighter-weight process, no burden of audit and the lessons learned from our electric utility colleagues. Take the fire and leave the ashes!

A Quick NERC CIP Standards Summary

The North American Electric Reliability Council (NERC) is responsible for setting various standards that apply to companies generating or transmitting electricity above certain levels. The standards are intended to help ensure reliability of the electric grid. Only one of the standards, Critical Infrastructure Protection (CIP), relates to cyber assets.

The CIP standard is further broken down into sub-areas also referred to as standards. Standard 10 (CIP-010) contains requirements for configuration management around software, specifically those found in its first requirement. Thus: (Read more...)