In December of 2011, NERC issued Compliance Application Notice (CAN) 0024 “CIP-002 R3 Routable Protocols and Data Diode Devices.” The purpose of a CAN is to provide guidance to auditors who evaluate industry compliance with CIP reliability standards and who make findings that can lead to enforcement actions and monetary fines. CAN-0024 provides instruction for assessing whether the communication characteristics of data diode devices can be used to exclude cyber assets from consideration as Critical Cyber Assets (CCA) when a routable protocol is used when not at a control center.

“Data diodes” are hardware-enforced one-way or unidirectional communications. They permit data to flow from a protected network to an external network, but provide no physical data path for information, remote control attacks, or other cyber-attacks to flow back in to the protected network. Unidirectional hardware is used to provide strong security for connections through an Electronic Security Perimeter (ESP). Routable communications that cross an ESP are of concern under the NERC CIP standards because they can be a vector for attacking a control system.

This whitepaper introduces CIP-002, routable protocols that are used in “routable communications,” and unidirectional communication concepts, and then applies the guidance in the CAN-0024 to three types of commonly-deployed hardware architectures for unidirectional communications. We conclude that Waterfall’s Unidirectional Security Gateways, which do not use routable communications, can be used to exclude Cyber Assets from consideration as Critical Cyber Assets (CCA) in accordance with CAN-0024.

January 2012

View the article

This presentation briefly reviews firewall issues and costs, and introduces Unidirectional Gateways. We explore deployment scenarios in refineries and pipelines, and discuss common deployment issues and solutions for them.

Join us to see how network isolation via Unidirectional Gateways permits the flow of critical business information out of control networks, while providing cost savings, as well as strong protections against threats ranging from errors and omissions to insiders, common malware and even targeted attacks.

Waterfall thanks the National Petroleum Refiners Association (NPRA) for sponsoring this webinar and making this recording available.

Press here to view the recorded webinar.

About the conference:

The Herzliya Conference, the flagship event of the Institute for Policy and Strategy at IDC Herzliya, is a year-long work cycle consisting of the following phases: 

• Preliminary research and analysis conducted by the Herzliya Taskforces and commissioned experts; 
• The Conference, at which major policy statements and initiatives are delivered, and Herzliya Roundtables are held, followed by deliberations and the presentation of specially commissioned reports and studies; 
• Executive Herzliya Reports presented to key policy-makers, summarizing the Conference’s proceedings, findings, and major policy recommendations.  

Conference links:

Conference Website

About the conference:

The U.S. Nuclear Regulatory Commission has approved the Cyber Security Plans and Implementation Schedules for all currently operating commercial nuclear power reactors in the United States.  The NEI Cyber Security Implementation Workshop will assist licensees in implementing the requirements of the Plan and in meeting the milestones in the Implementation Schedule. 

Attendance at day one of the Workshop is restricted to employees of nuclear power plant utilities.  Others will not be permitted to register or attend.  Day one will focus on the activities associated with implementing milestones from the Implementation Schedule that are due to be completed by December 31, 2012. The format will be small break-out sessions that will focus on each of the seven milestones.  Session leaders will facilitate in-depth discussion regarding milestone implementation strategies, acceptance criteria, guidance for conducting audits and assessments, and preparing for inspections of the program. 

Days two and three will be open for general attendance, and will include presentations, panel discussions, and exhibitor fire-talks. 

Conference links: 

Conference Website

Registration

About the conference:

Securing the End-to-End Smart Grid Ecosystem

In the year since Stuxnet first struck, cyber security has become of critical concern for utilities. Securing the emerging smart grid must be an end-to-end, architectural undertaking built into all facets of IT, OT, ICS, communications and infrastructure. Introducing intelligence and two-way communication into the utility network means opening the door to vulnerability, and utilities must proceed with caution.

Organized by The Smart Grid Observer, the one day, 100% online Smart Grid Cyber Security Virtual Summit features a series of in-depth presentations designed to examine the very latest technologies, deployment strategies, best practices, and lessons learned in making smart grid security a reality. Critical questions addressed include:

• Where are the most significant weak points in the smart grid’s security? How should we address them?
• What is the current nature of the cyber security threat? What do we need to worry about?
• What are the latest NERC CIP requirements and how best to comply?
• What are the key technology enablers and advances for smart grid cyber security?
• What are the best practices and strategies for securing AMI?
• How can utilities effectively go about securing software and embedded devices designed for the smart grid?

Topics to be addressed include:

– Securing the end-to-end smart grid ecosystem — the big picture
– Safeguarding customer data and privacy
– Security systems integration and interoperability
– Evaluating, measuring, and testing smart grid security systems
– Standards update and trends
– Lessons from the trenches: utility cyber security case studies
– Managing potential security exposure — determining limits
– HAN security
– Latest vendor offerings and components
– Regulatory trends, developments, and expectations
– Crossing organizational silos to ensure smart grid security
– Network monitoring and anomaly detection

Conference links: 

Conference Website 

Registration

About the conference:

CyberSec, the international information cyber security conference, interacts companies, organizations and governmental bodies with cyber security experts to discuss latest developments in protecting enterprises from upcoming threats.

Topics:

-New techniques in enterprises cyber protection
-Avoiding APT best practices
-Meeting social attacks challenges
-Cloud cyber implications
-Israel 2012 – cyber security for business, governmental and defense segments
-Legal implications with cyber crime and cyber warfare

Conference links: 

Conference Website 

Registration

About the conference:

PennWell Corporation, publisher of WaterWorld, Industrial WaterWorld, and Water & Wastewater International magazines, will once again host its completely online water industry conference and exhibition, VirtualH₂O, on February 21, 2012 (8:00AM – 6:00PM ET).

VirtualH₂O combines virtual tradeshow exhibits and conference presenations to deliver attendees an innovative — and convenient — opportunity to network with and learn from leaders in the water and wastewater industries.

Conference Program:

VirtualH₂O offers attendees access to an expansive array of conference presenations addressing important topics in municipal drinking water, municipal wastewater, industrial water/wastewater, urban water management, and municipal water utility management.
Visitors who attend an entire presentation — even during the archive period — will receive a certificate of attendance, which can be used to apply for Professional Development Hours (PDH) with their respective state organizations.

Conference links: 

Conference Website

Registration

About the conference:

 The World Institute for Nuclear Security (WINS, Atomic Energy of Canada Limited (AECL), Bruce Power and Ontario Power Generation (OPG) are pleased to announce an International Best Practice Workshop on Security of Information Technology (IT) and Instrumentation and Control (IC) Systems.

This workshop will take place at the Delta Chelsea Hotel in Toronto, Ontario, Canada on the 27th -29th of February 2012.

Conference links: 

Conference Announcement

About the conference:

As an industry and as a nation, we must keep our sites secure and informed about the many changing threats to our critical infrastructure. The threats are diverse and increasing and could change the way refiners and petrochemical manufacturers operate. The conference presents current topics of critical importance to assist attendees in keeping themselves up to date on national critical infrastructure security issues—from terrorism to oil field crimes to DHS regulations and policies!

Don’t miss this great opportunity to meet with key government contacts, network with industry security experts and hear from national authorities on the terrorist threat the industry faces today.

Conference links: 

Conference Website

“You can’t attack, if you can’t communicate” is how Andrew Ginter sees it.

This is the concept of unidirectional gateways. There’s a security perimeter around your asset whatever it may be, a factory, a process, a data farm, whatever. Then there’s the outside world of threat, crime, and destruction.

Unidirectional gateways allow one-way communication only over the void where firewalls exist and where firewalls can fail. “Firewalls are only software,” said Ginter, director of industrial security at Waterfall Security Solutions. “Stuxnet could not have spread over the data diodes operating in a unidirectional gateway.”

The only communication to the outside world (the business network, for example) is data moving in one direction and that direction is out of the protected area. Moreover, that is data only, no code, no logic, no compromising intelligence.

Ginter talked about that topic and more during a Tuesday webinar entitled, “NERC Issues CAN-0024: Guidance for Unidirectional, Routable Communications” with Mark Simon, senior consultant with Encari a critical infrastructure protection-consulting firm, and Joel Langill, chief technology officer at SCADAhacker.

NERC has issued CAN-0024, which provides guidance to NERC-CIP auditors as to when unidirectional communications equipment or “data diodes” must come into consideration to facilitate “routable communications.”

NERC is the North American Electric Reliability Corporation. Its mission is to ensure the reliability of the North American bulk power system. CIP stands for critical infrastructure protection.

CAN is Compliance Application Notice and CAN-0024 is “Routable Protocols and Data Diode Devices.”

An increasing number of NERC entities are deploying unidirectional communications equipment, because such equipment provides stronger security to protected cyber assets than firewalls can provide.

“Unidirectional communications enable sandboxing,” Ginter said.

Sandboxing is creating confined execution environments. A sandbox limits, or reduces, the level of access its applications have. In effect, it is a container. Therefore, the scope of potential damage caused by a malicious entity within is minimal.

The CAN-0024 guidance makes it clear that some deployments use routable protocols, and other deployments do not. In some cases, this distinction influences which cyber assets are technically Critical Cyber Assets.

The best discussion of the security advantages of this technology and for helpful visuals and graphics, click here for Ginter’s white paper.

View the article

By Nicholas Sheble

ISS Source, January 25, 2012