The Benefits of Network Security Monitoring for Grid-Edge Devices
An in-depth analysis of how passive network security monitoring helps asset owners maintain an accurate, up-to-date asset inventory list, while also protecting the grid’s edge from cyber threats.
Contents
Executive Summary
1. Introduction
2. Approach & Implementation
   A. Approach
   B. Example Network Topology
   C. Review of IED Settings and Configuration
3. Asset Inventory Tracking
   A. Overview
   B. Example Use-Cases Demonstrated
   C. Vulnerability Identification
4. Security Monitoring
   A. Overview
   B. Example Use-Cases and Scenarios Tested
5. Approach Findings, Benefits and Event Grouping
6. Conclusion
References
Executive Summary
Among the many cybersecurity challenges associated with protecting the critical infrastructure power grid, two of the most challenging are maintaining an accurate asset inventory list and performing security monitoring of devices at the grid’s edge. Not only are these capabilities fundamental to avoid regulatory fines upwards of a million dollars a day, as we saw recently when NERC issued a $10 million fine [1], but they also help ensure the overall security, safety, and reliability of the grid.
Although these two capabilities are often thought of as mutually exclusive, this paper shows that through advanced network security monitoring, asset owners can maintain, in real-time, an accurate and up-to-date asset inventory list while also protecting the grid’s edge from cyber threats. By stepping through the different use cases for passive network security monitoring, the paper demonstrates how asset owners can reach a higher return on their investment in such a way that is technically, economically, and operationally feasible.
1. Introduction
No one will dispute that securing critical infrastructure is important and a top priority for critical infrastructure asset owners. Asset owners are faced not only with evolving regulatory requirements such as the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) standards [2], but also growing attention from cybersecurity researchers and threat actors targeting industrial control system (ICS) technologies for their personal motivations. These motivations can vary from bringing awareness and helping the ICS community to compromising systems for financial gain or nation state objectives.
Originally, control system local area networks (LAN) were not connected to any Internet/Intranet connected devices. Though it didn’t guarantee complete security, this did create the so-called air-gap, physically separating the devices from other Internet connected devices. However, for an increase in efficiency and remote monitoring/control capabilities, the control system had to be integrated with other networks. The recommended network architecture for a control system combines the practices of IT security to the control system with the goal of a defense-in-depth secured environment [3]. However, simply applying IT security methods to ICS environments cannot be considered an end-all approach to cybersecurity, especially since solutions like firewalls can be misconfigured and have their own set of vulnerabilities.
With the growth in and implementation of smart grid technologies there is often ambiguity in the roles and responsibilities associated with maintaining cyber-based technologies on the grid’s edge. Electric utilities are often faced with asking themselves should the responsibility for power grid cybersecurity fall under the IT or telecom departments or should it be given to the power system engineers and integrators. In either case, effectively implementing power system automation control environments that are reliable, resilient, and secure is an interdisciplinary engineering challenge that involves multiple regulatory standards.
No matter who the threat actor is or what their motivations are, the first step in securing critical infrastructure is understanding what exists from an asset inventory perspective. Without knowing what exists and what you have to secure, all future threat modeling activities, strategy and roadmap development, or mitigation/remediation activities will be incomplete or less effective. Asset inventory is something both information technology (IT) and operational technology (OT) professionals can agree is not an easy task; historically speaking it has been especially labor intensive for ICS asset owners with “grid-edge” devices (or field devices), often requiring physical site visits. Grid-edge asset inventory difficulties are driven by the complex and aging heterogeneous environments most asset owners operate in that span across city, county, state, or country lines. Today, advancements in network security monitoring and protocol deep packet inspection allow asset owners to obtain real-time asset inventory information from devices communicating over serial or TCP/IP based communication channels by leveraging the built-in capabilities of grid-edge devices. This helps asset owners to not only manage their asset inventory, but also detect a variety of network, security, and operational based anomalies.
2. Approach & Implementation
A. Approach
The developed approach is centered on the premise of being completely passive and non-intrusive to the control system environment. Using a managed network switch, a single port is configured as the span port. This span or mirroring port replays the communication traffic from all or a designated subset of the other ports on the switch. By placing a network security monitoring (NSM) tool on this span port, a detailed analysis of each communication packet is performed. This allows all inbound and outbound traffic to be monitored as well as the traffic between each intelligent electronic device (IED) at the grid’s edge.
Selection of the devices and the NSM tool is based on an extensive review of the existing technologies available on the market today. While most microprocessor-based relays, remote terminal units, and managed switches can be implemented in this approach, not all control system NSM tools are created equal. Therefore, for completeness and so the reader can recreate the approach demonstrated, the NSM tool selected for this implementation is the eyeInspect (formerly SilentDefense) software solution by Forescout. The primary objective of this implementation is to passively derive as much information from sniffing the network as possible. To evaluate the effectiveness of the NSM tool selected, the extracted information is placed into one of four categories: asset management, security, compliance, and operations. Each category describes a business unit that is responsible for that aspect of the grid, and therefore will find value in that information. Additionally, some information may be classified into multiple categories. For instance, a failed login on IED 1 is a security event that will also need to be noted for compliance. The NSM tool selected has the ability to export the findings via multiple formats for auditing purposes and for the tracking of asset information. This allows the extracted asset information to be imported into a system-wide asset management tool or, in the case of a cybersecurity event, into a security information and event management (SIEM) system.
[Figure 1: Example Network Topology Used for Evaluating the NSM Tool. Diagram labels: Electronic Security Perimeter (ESP); Remote Engineer/Operator; Local Engineer; (a) Ethernet Link; (b) Serial Link; Control System: Substation, Power Plant, etc.; IED 1; IED 2; IED 3; RTU; SPAN Port; Mirrored Communication; One-way Communication; NSM Tool; Alerts & Findings; Asset Management; Compliance; Operations; Security.]
B. Example Network Topology
The example network topology implemented is shown in Figure 1 and includes 3 protection relays, a remote terminal unit (RTU), a managed switch, and a firewall. All devices are logically defined within an electronic security perimeter (ESP). For servicing, engineers or technicians are typically allowed to enter the ESP and connect a transient cyber asset (TSA) to the IEDs [2]. Ethernet link (a) and serial link (b) show two options for directly communicating with such devices. For control, the standard control system protocols DNP3 and Modbus are used while for diagnostics each IED’s web interfaces are enabled. Additionally, a vendor’s specific protocol, which is an extension of the Telnet protocol, is used for communication between the RTU and IEDs. The managed switch is configured to mirror all TX and RX traffic on every port to a SPAN port. The NSM server has multiple network interfaces and the one connected to the span port is configured for RX only, while the SPAN port itself is configured for TX only.
C. Review of IED Settings and Configuration
As soon as the NSM tool came online, it began analyzing all the communication in the control system local area network including all ingress and egress traffic. Using this observed information, the NSM tool began to organize the observed devices into a network map according to the Purdue Model [5]. After just a few minutes, the NSM tool had accurately mapped all devices and protocols that were utilized over the network. To confirm this, a review of the IED settings files was performed. The IP information contained in these files was then used to confirm the specific whitelisted IPs that would be used to trigger an alarm in the NSM tool.
In addition to the IP settings information, the settings and configuration files of each IED were also examined to determine how the IED was alarming on cybersecurity events. Under IEEE Std C37.240-2014, all IEDs are required to alarm on: unsuccessful login attempts, reboot, configuration changes, and firmware changes [6]. Similar to protection settings, these cybersecurity alarm settings are configured using the vendor’s software. Another often-overlooked similarity is that these cyber alarms can be mapped to any binary point of a control system protocol (e.g. DNP3). Additionally, these and other cyber-related alarms were mapped in the IED and sent out via Syslog. With this information the NSM tool’s built-in scripting engine was used to passively detect and trigger an event alarm for multiple cyber-events, as described in detail in Section IV.
3. Asset Inventory Tracking
A. Overview
Maintaining an accurate and up-to-date baseline configuration often relies on a manual and handwritten process. A more efficient and less error-prone approach is to leverage the existing system to automatically observe and document changes as they are made. As noted in Section II, the example topology utilizes a vendor’s slight variation of the Telnet protocol to communicate between the RTU and IEDs. Since this information is transmitted in plaintext and is copied and replayed over the span port, the NSM tool is able to capture and analyze this information.
There are a number of ways to achieve this functionality. Depending on the vendor of the IED, one option is to set the RTU to periodically poll the relay for its status, and the returned information will contain firmware version, model number, and the serial number of the device. However, based on the set poll rate, this information may only be polled every day or even every week. Therefore, a more responsive approach is to have the IED trigger a binary alarm upon a firmware change. After receiving the alarm, the RTU then polls the IED for the information identifying the new firmware version. This process then allows the NSM tool to immediately detect and log these changes. Once received by the NSM tool, the network map is updated to reflect the latest configuration change of the asset. This information can then be shared with a system-wide asset management tool.
B. Example Use Cases Demonstrated
The three example use cases below describe various ways an engineer or technician would be allowed to alter the firmware on an IED at the grid’s edge. It’s important to note that these actions could be performed by an attacker who has access to the network or by a malicious insider. The results are still the same and the developed approach will be able to capture, detect, and alert upon any firmware changes.
1. Remote engineer upgrades firmware on IED 1: There are several applications that may permit a remote engineer to have interactive access to an IED. This access allows the engineer to perform any number of commands as though he was physically at the device. Depending on how this remote access is configured, he could be allowed to communicate directly to the IED, or the RTU can be configured as an access point router.
2. Local engineer upgrades IED 2 firmware via Ethernet connection: If the previous use case is not allowed, an engineer or technician may be required to travel to the site to perform the necessary maintenance. While locally in the control house or plant, the engineer plugs into the network switch using an approved transient cyber asset [2] and logically connects to the IED. Once connected the engineer runs the upgrade command and uploads the firmware to the IED.
3. Local engineer upgrades IED 3 firmware via direct serial connection: The last use case is unique, since it requires some additional programming in the RTU in order to fully capture the upgrade. Unlike the other examples, this communication is not being performed over the network, and therefore will not be captured. Additionally, the polling of the device is being performed via a serial connection between the RTU and the relay. This polling is therefore also not being captured by the NSM tool. The solution here is to tell the RTU to log the firmware change of IED 3 and all associated information to Syslog. This way when the updated asset information is placed on the network, the parsing feature of the NSM tool is still able to capture and log the event.
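The Syslog-based tracking described in use case 3, sketched as an added example; it is not code from the paper or from eyeInspect. The message layout, the `assetd` tag, device models and serial numbers are constructed assumptions, since the RTU's real Syslog format is vendor-specific, and the `firmware_change_no_alarm` label is this example's own name for a change first noticed on a routine poll.

```python
import re

# Constructed RTU syslog lines (hypothetical format): ASSET = poll result,
# ALARM = binary alarm the IED raised and the RTU forwarded.
SAMPLE_SYSLOG = """\
<134>Jul 14 09:02:11 rtu-01 assetd: ASSET device=IED1 model=REL-900 serial=SN10001 fw=R1.04
<134>Jul 14 09:02:12 rtu-01 assetd: ASSET device=IED3 model=REL-900 serial=SN10003 fw=R1.04
<133>Jul 14 13:40:57 rtu-01 assetd: ALARM device=IED3 type=FIRMWARE_CHANGE port=serial
<134>Jul 14 13:41:03 rtu-01 assetd: ASSET device=IED3 model=REL-900 serial=SN10003 fw=R1.07
<134>Jul 15 09:02:11 rtu-01 assetd: ASSET device=IED1 model=REL-900 serial=SN10001 fw=R1.04
<134>Jul 15 09:02:13 rtu-01 assetd: ASSET device=IED3 model=REL-900 serial=SN20444 fw=R1.07
"""

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) "
    r"(?P<tag>\S+): (?P<kind>ASSET|ALARM) (?P<kv>.*)$")

def parse_line(line):
    """Return (timestamp, kind, fields) or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(p.split("=", 1) for p in m["kv"].split() if "=" in p)
    return m["ts"], m["kind"], fields

def track_inventory(lines):
    """Build the asset inventory and list every change seen in the stream."""
    inventory, findings, alarmed = {}, [], set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, kind, f = parsed
        dev = f.get("device")
        if dev is None:
            continue
        if kind == "ALARM":
            if f.get("type") == "FIRMWARE_CHANGE":
                alarmed.add(dev)  # the next poll result should show a new version
            continue
        new = {k: f.get(k) for k in ("model", "serial", "fw")}
        old = inventory.get(dev)
        if old is None:
            findings.append((ts, dev, "new_asset", None, new["fw"]))
        else:
            if old["fw"] != new["fw"]:
                # Announced by the IED's alarm, or first noticed on a routine poll.
                label = ("firmware_change" if dev in alarmed
                         else "firmware_change_no_alarm")
                findings.append((ts, dev, label, old["fw"], new["fw"]))
            if old["serial"] != new["serial"]:
                findings.append((ts, dev, "serial_change",
                                 old["serial"], new["serial"]))
        alarmed.discard(dev)
        inventory[dev] = new
    return inventory, findings

if __name__ == "__main__":
    inv, found = track_inventory(SAMPLE_SYSLOG.splitlines())
    for item in found:
        print(item)
```

The findings list is the part that would be exported to an asset management tool or SIEM; the inventory dictionary holds the current baseline per device.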
C. Vulnerability Identification
By having an accurate representation of the current firmware version installed on each device, the NSM tool was able to identify known vulnerabilities that are associated with that version of the firmware, protocols, and detected software. These vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) standard and have an associated risk score identifying the impact that vulnerability could have to the system. This information can be used to determine when the device needs servicing. This ability greatly reduces the potential attack surface and helps ease the burden associated with meeting a number of compliance and maintenance requirements.
4. Security Monitoring
A. Overview
Network security monitoring (NSM) is a longtime cybersecurity best practice of collecting, analyzing, and escalating indications of compromise. NSM in ICS networks is quickly gaining traction because it can be accomplished without impacting the underlying OT systems, since no new traffic or communications are being introduced. With all network traffic being captured, the ICS NSM technology can leverage its deep packet inspection capabilities to completely parse an ICS protocol. This provides a complete understanding of what activity is occurring in real-time. Through these capabilities and added situational awareness, asset owners can reduce mean time to detection, response, and recovery for any cyber incidents occurring in ICS networks. Additionally, it provides both IT and OT incident responders the ability to obtain network packet captures containing the exact packets and messages related to an incident, resulting in a concise audit trail. By having an understanding of the control system protocols, the ICS NSM technology was able to automatically:
• Derive a network whitelist, including ICS/SCADA protocol specific function codes
• Derive an ICS/SCADA protocol whitelist including process values (binary or analog)
• Derive the role the device is performing in the industrial control system
• Create a network map with all the network flows between devices
• Detect known network-based indicators of compromise from malware or malicious campaigns
• Alert when operational thresholds are reached
• Extract device health information and alert when non-optimal conditions exist
B. Example Use Cases and Scenarios Tested
1. Rogue device joins ICS network: With all approved devices accurately mapped and placed in the Purdue model, this essentially creates a whitelist of devices that are approved to talk to one another. Any devices that connect to the network will automatically be captured by the NSM tool.
2. Identify network communication failures: More of an operational aspect of the grid, the examined NSM tool was able to determine when communication between devices ceases. This capability can be extremely valuable since it can help diagnose a broken link or down interface.
3. Unauthorized device sends ICS/SCADA operate command: With the whitelisted map created and since the tested NSM tool understands control system protocols, the tool was able to successfully detect when an unauthorized device initiates a command to a grid-edge device. In this case, the tool was able to learn the master-slave relationships of the network devices, and therefore become capable of detecting anomalies.
4. Failed or successful remote or local logins into an RTU or IED: The implemented devices were configured to sound an alarm upon either a successful or failed login. These alarms were then detected by the NSM tool.
5. Use of default passwords: By detecting the MAC address of each device on the network, the NSM tool is able to determine the specific manufacturer of that device. Using a built-in database of vendor utilized default passwords, the NSM tool compares detected username and password pairs to this database. Whenever a match is found a notification is produced identifying the networked device that has default username and passwords.
6. Dangerous ICS/SCADA DNP3 function code sent to an RTU: There are a number of built-in function codes that identify the health of the assets at the grid’s edge. These codes help determine the health of the assets and can be used to detect a number of man-in-the-middle attacks. In both cases, the NSM tool accurately captured and logged these events.
7. Malformed ICS protocol packet sent to master: These packets indicate advanced levels of spoofing. Since the NSM tool is aware of the utilized control system protocols, it was able to detect a variety of malformed packets.
8. Port scanning or other network profiling activities: As demonstrated by Industroyer, the first malware specifically designed to attack power systems, trusted devices can become rogue and start initiating port scans [7]. This attack demonstrated the need to be able to detect any port scanning, even though these actions may originate from a device that is already located within the trusted control system network.
9. IP spoofing and ARP poisoning: There are several control system protocols and devices that are vulnerable to advanced levels of spoofing and ARP poisoning. By examining each communication packet at multiple layers of the OSI model, the NSM tool was able to alarm on these events.
10. Anomalous utility operator activities (either intentional or accidental): Since the tested NSM tool can be configured to be contextually aware of the control application and already understands the utilized protocols, triggers were created that monitor for suspicious or unrealistic operations. For instance, multiple back-to-back breaker open commands can be classified as suspicious activity and therefore warrant a notification. This type of event was also observed in the 2016 Ukraine cyberattack that resulted in the physical loss of power [7].
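The function-code whitelist behind scenarios 1 and 3 and the back-to-back breaker-open trigger from scenario 10, sketched as an added example; it is not code from the paper or from eyeInspect. The records stand in for the output of a DNP3 deep packet inspection stage, and the IP addresses, point index, `TRIP` action field and the threshold of more than two trips in 10 seconds are all constructed assumptions.

```python
from collections import defaultdict, deque

# DNP3 application-layer function codes that change outstation state.
CONTROL_FCS = {3: "SELECT", 4: "OPERATE", 5: "DIRECT_OPERATE",
               13: "COLD_RESTART", 14: "WARM_RESTART"}

# Constructed decoded records: (seconds, source IP, destination IP,
# function code, control point index or None, requested action or None).
BASELINE = [
    (0.0, "10.0.0.10", "10.0.0.21", 1, None, None),    # RTU reads IED 1
    (1.0, "10.0.0.10", "10.0.0.22", 1, None, None),    # RTU reads IED 2
    (2.0, "10.0.0.10", "10.0.0.21", 3, 4, "TRIP"),     # select-before-operate
    (2.1, "10.0.0.10", "10.0.0.21", 4, 4, "TRIP"),
]
LIVE = [
    (100.0, "10.0.0.10", "10.0.0.21", 1, None, None),
    (101.0, "10.0.0.99", "10.0.0.21", 5, 4, "TRIP"),    # unknown host operates
    (102.0, "10.0.0.10", "10.0.0.22", 13, None, None),  # known pair, new code
    (120.0, "10.0.0.10", "10.0.0.21", 4, 4, "TRIP"),
    (121.0, "10.0.0.10", "10.0.0.21", 4, 4, "TRIP"),
    (122.0, "10.0.0.10", "10.0.0.21", 4, 4, "TRIP"),    # third trip in 2 s
]

def learn_whitelist(records):
    """Map each (master, outstation) pair to the function codes it used."""
    allowed = defaultdict(set)
    for _, src, dst, fc, _, _ in records:
        allowed[(src, dst)].add(fc)
    return dict(allowed)

def detect(records, allowed, max_trips=2, window=10.0):
    """Return (time, rule, detail) alerts for traffic outside the baseline."""
    alerts, recent = [], defaultdict(deque)
    for ts, src, dst, fc, point, action in records:
        name = CONTROL_FCS.get(fc, f"FC{fc}")
        if (src, dst) not in allowed:
            rule = "unauthorized_control" if fc in CONTROL_FCS else "unknown_flow"
            alerts.append((ts, rule, f"{src}->{dst} {name}"))
        elif fc not in allowed[(src, dst)]:
            alerts.append((ts, "function_code_not_whitelisted",
                           f"{src}->{dst} {name}"))
        if fc in (4, 5) and action == "TRIP":
            # Sliding window of trip commands per breaker control point.
            q = recent[(dst, point)]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) > max_trips:
                alerts.append((ts, "repeated_breaker_open",
                               f"{dst} point {point} x{len(q)}"))
    return alerts

if __name__ == "__main__":
    for alert in detect(LIVE, learn_whitelist(BASELINE)):
        print(alert)
```

The repeated-trip rule fires even though the RTU is a whitelisted master, which is the point of scenario 10: a trusted source issuing unrealistic operations still warrants a notification.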
5. Approach Findings, Benefits and Event Grouping
When leveraged properly, network security monitoring offers substantial value beyond that of just cybersecurity. Other business units that can benefit from the information produced by an NSM tool include: operational, compliance, asset management, and maintenance. When utilized in this manner, NSM can be used to increase the overall return on investment of the devices that are already installed in the field, while also helping ease the burden across multiple departments. Table 1 shows 15 sample events or items that were automatically identified by the selected NSM tool. Though not an exhaustive list of all the tests performed, these examples demonstrate the breadth of information that can be captured and sent to various departments or business units. For example, the act of making a firmware change and the specific firmware version that is installed on a device has value for all four groups identified. The security team needs to know that the action is being performed, while the asset management and compliance teams need to know the final version that is installed. Operational personnel also will find this information helpful since it confirms any vendor features (like an added protection element) that may be used for future grid enhancements.
6. Conclusion
Implementing network security monitoring in industrial control system networks provides asset owners the ability to leverage their existing infrastructure and investments to gain operational, compliance, asset inventory, network, and cybersecurity benefits. By extracting intelligence from device communications, ICS asset owners can configure their existing assets to become “cyber aware” by enabling built-in features often not utilized or unknown to them. By stepping through a series of use case scenarios, this work demonstrated the utilization of technology for the extraction of security, compliance, operational, and asset management information. Given the passive nature of the developed approach, this work demonstrates how to safely extract this information in real-time, producing an efficient and feasible way of securing and managing the grid’s edge.
Example Item/Event | Asset Management | Cybersecurity | Compliance | Operations
Device Serial Number
Settings Changes
Firmware Changes
Network Mapping
Vulnerability Tracking
Whitelisting Alerts
Blacklisting Alerts
Failed Login
Active User
Port Scanning
Spoofing
Physical Entry
Protocol Errors
Repeated Control Commands
Time Synchronization Errors
Table 1. Sample of Observed Items/Events and Information Categorization
About the Authors
Nathan Wallace, Cybirical LLC
Nathan has a B.S. in electrical engineering, a B.S. in physics, an M.S. in engineering, and a Ph.D. in engineering cyberspace from Louisiana Tech University. He started his career with Entergy’s relay settings and configuration group. He then joined a small utility as an associate engineer, performing field maintenance of system protection and communication equipment. After seeing the grid’s growing reliance on cyber-based technologies, he pursued a graduate degree focusing on power system cybersecurity, where he also worked as a digital forensics examiner. Nathan currently is a staff engineer at Ampirical and a cofounder of Ampirical’s sister firm Cybirical, where he is the Director of Cyber Engineering. He is a member of the IEEE Power & Energy Society (IEEE PES), Computer Society, and currently chairs two standard development groups in the IEEE PES Power System Communications & Cybersecurity (PSCC) Technical Committee.
Brian Proctor, Forescout
Brian has spent most of his career (13+ years) as an ICS/SCADA cybersecurity engineer and cybersecurity team lead working for two progressive California Investor Owned Utilities (IOUs). He holds a variety of technical certifications, including the Global Industrial Control System Professional (GICSP), Certified Information Systems Security Professional (CISSP), Certified in Risk and Information Systems Control (CRISC), and is certified in project management from University of California at Irvine. In 2013, Brian was presented with the Critical Infrastructure Private Sector award from Securing our eCity, a San Diego based cybersecurity non-profit organization. In 2016, Brian was a co-inventor of an R&D magazine top 100 award winner for one of the top inventions of the year relating to a GPS anti-spoofing mitigation technology.
References
[1] https://www.forescout.com/company/blog/largest-nerc-cip-fine-to-date/
[2] North American Electric Reliability Corporation (NERC), Standard: Critical Infrastructure Protection (CIP). https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
[3] US Dept. of Homeland Security, “Recommended practice: Improving industrial control system cybersecurity with defense-in-depth strategies,” 2009.
[5] Peter Bernus and Laszlo Nemes (1996) “A framework to define a generic enterprise reference architecture and methodology.” Computer Integrated Manufacturing Systems Vol 9 (3) p. 179-191.
[6] IEEE Standard Std C37.240-2014 “IEEE Standard Cybersecurity Requirements for Substation Automation, Protection, and Control Systems.” Approved 10 Dec. 2014.
[7] Anton Cherepanov, ESET “Win32/Industroyer – A New Threat for Industrial Control Systems.” [Online] https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
Forescout Technologies, Inc., 190 W Tasman Dr., San Jose, CA 95134 USA
Toll-Free (US) 1-866-377-8771, Tel (Intl) +1-408-213-3191, Support +1-708-237-6591
© 2020 Forescout Technologies, Inc. All rights reserved. Forescout Technologies, Inc. is a Delaware corporation. A list of our trademarks and patents can be found at https://www.forescout.com/company/legal/intellectual-property-patents-trademarks. Other brands, products, or service names may be trademarks or service marks of their respective owners. Version 07_20