© ABB | Slide 1 NERC CIP Version 5 webinar series “Access management and malicious software controls” 10/29/2014 October 29, 2014

© ABB | Slide 2 Joseph Baxter CISSP/CISA/CISM/CGEIT/MCDBA/MCSE:S NERC CIP Lead – HVDC / FACTS (919) About the presenter(s) October 29, 2014 Before coming to ABB, Joseph Baxter completed several years as a NERC CIP Auditor for the SERC region, with special emphasis on the technical side of cyber security. He has both audited and been audited in the realm of CIP, and brings over fifteen years of Information Security experience gleaned from the Financial Sector to bear on the problems facing Grid Security today.

© ABB | Slide 3 Security programs October 29, 2014 Program, Plan, Policy, Process, Procedure, Practice  Don’t let NERC do this for you  This is your Cyber Security Program, not theirs - take control!  Separation of Duties and Reporting Structure legitimize this effort Risk Analysis Document Program Implement Controls Audit Controls Remediate Findings

© ABB | Slide 4 Quality evidence  Record (get it down)  Retrieve (find it fast)  Reference (do it once)  Report (show it well)  Repeat (keep it up) October 29, 2014 Documentation is king

© ABB | Slide 5 Audience question #1 October 29, 2014 Malicious Software Prevention

© ABB | Slide 6 Malicious code prevention October 29, 2014 A choice in strategy  Traditional antivirus  Requires processing power  Can corrupt databases  Requires constant update  Often falls into the category of “Cure more painful than the disease”

© ABB | Slide 7 Hardening vs Antivirus October 29, 2014 A 2x2 matrix choice  Answers are pretty obvious  However the question isn’t binary  A hybrid approach might work Antivirus Partial Coverage Antivirus Full Coverage Hardening Partial Coverage Hardening Full Coverage

© ABB | Slide 8 Hardening controls October 29, 2014 Out of the box  AppLocker in Active Directory + Group Policy Object lockdowns  AppArmor in Linux  Not comprehensive, but does it have to be?  Policy plays a role  What is really required?

© ABB | Slide 9 Audience question #2 October 29, 2014 Technical Feasibility Exceptions

© ABB | Slide 10 Access management October 29, 2014 A few changes for good  Nothing to see here…  Widely applicable to Highs and Mediums  Interactive User Access  Where Technically Feasible

© ABB | Slide 11 Remote access October 29, 2014 Line in the sand  Lots of confusion here  Keep the hot side hot  Keep the cold side cold  Multifactor requirements

© ABB | Slide 12 Cyber vulnerability assessments October 29, 2014 Had little to do with vulnerabilities  But now things are different  The word ‘vulnerability’ actually matters again  But that doesn’t have to be all it does  Check up on your Security Hardening Controls

© ABB | Slide 13 Questions? This is the point to review and answer any questions in the panel. If you have a question, please type your question in now. October 29, 2014

© ABB | Slide 14  Change management Wednesday, October 15, 2014 at 2:00 p.m. Learn about change management and the fact that this will be the largest area of recurring effort. You will gain understanding of why Patch Management is not a solution to meet your NERC CIP updates and why Version 3 no longer applies. Register now:  Baseline management Wednesday, October 22, 2014 at 2:00 p.m. Learn what a baseline and testing are, why automation is key and what is required to meet Version 5 compliance. Register now:  Cyber asset grouping Thursday, October 23, 2014 at 12:00 p.m. (Power generation specific) Learn process approaches to CIP R1 as it pertains to BES cyber asset categorization. Register now: Additional NERC CIP educational webinars October 29, 2014 (All webinars are Eastern Time)

© ABB | Slide 15  Access management and malicious software controls Wednesday, October 29, 2014 at 2:00 p.m. Learn how to access control fits with CIP and why account management is not effortless. Register now:  Low assets and future CIP versions Wednesday, November 5, 2014 at 2:00 p.m. (Power generation specific) Learn the compliance requirements for entities with low assets and audit worksheets as well as future standard activities. Register now:  Identification and review of critical transmission assets Wednesday, November 12, 2014 at 2:00 p.m. Learn how to approach the guidelines and criteria highlighted by NERC to fulfill the risk assessment goal. Register now: Additional NERC CIP educational webinars October 29, 2014 (All webinars are Eastern Time)

© ABB | Slide 16  Theme: Preparing for the power evolution  Date: November 6, 2014 – 11 a.m. – 6 p.m. EST  Why should you attend? 25 educational webinars, dozens of scheduled chats and interviews and more than 100 white papers available for download from knowledgeable subject matter experts.  Earn Professional Development Hours (PDH) Download an official attendance certificate for every live webinar session you attend to get credit for your learning time  No travel or registration costs!  Can’t attend the day of? That’s fine. All webinars will be recorded and will be available for on-demand viewing after the live event.  Register now: Automation & Power World (APW) October 29, 2014 Power SmartStream Digital Conference

© ABB | Slide 17  Theme: Harnessing the power of change  Date: March 2-5, 2015 in Houston, Texas  Location: George R. Brown Convention Center  Why should you attend?  Listen to interesting and topical keynote presentations  Chose from over 300 industry and solution-focused educational sessions and panel discussions  Network with ABB experts and your peers  Earn Professional Development Hours (PDH)  Completely free!  Check the website for updates: Automation & Power World (APW) October 29, 2014 LIVE conference – APW 2015

© ABB | Slide 18 Survey Please take a few moments to answer the survey questions. Thank you. October 29, 2014