ROOM A
9:00 - 11:00 am
Workshop 1: Network Cyber Hygiene to Strengthen Resiliency
Learning objectives:
1. Foundational knowledge of networking concepts, firewalls, and risks
2. Step-by-step cyber hygiene workflow and technology to verify firewall policies
3. Most frequent firewall policy risks and how to prevent them
4. Clear understanding of NERC CIP requirements: CIP-003 and CIP-005
Description:
The size and complexity of networks that are providing connectivity to the bulk electric system keep increasing. Protecting mission-critical assets requires constant vigilance and a robust cyber hygiene workflow to ensure that networks are correctly segmented and configured at any point in time. This hands-on workshop will provide the knowledge and technical understanding to build a best-in-class CIP firewall verification workflow as part of network cyber hygiene practice. Attendees will gain a clear understanding of CIP-003 and CIP-005 requirements and learn how to establish an automated and independent policy verification process. Through access to a realistic network environment and the NP-View platform, attendees will be able to practice ruleset review scenarios to learn how to identify and document the most frequent risks, including:
- Lack of egress access control
- Lack of correct justification
- Overly permissive rules and insecure services
- Overly complex access lists
The workshop will also provide step-by-step instructions to prepare clear reports and to measure progress through a set of risk-based cybersecurity and compliance maturity indicators.
Workshop Schedule and Outline:
9:00 - 10:00 am
1. Introduction and training objectives
2. CIP-003 and CIP-005 requirements
3. Networking concepts and how firewalls work
4. Accessing the NP-View training platform
10:00 - 11:00 am
1. Hands-on practice: reviewing firewall access rules
2. Identifying the most frequent firewall policy risks
3. Verifying interactive remote access with path analysis
4. Reporting template and preparing for a NERC CIP audit
Dr. Robin Berthier, CEO
Network Perception
Joseph Baxter, Director, Solutions Engineering
Network Perception
11:00 - 11:30 am
Coffee Break
ROOM A
11:30 am - 1:30 pm
Workshop 2: The Auditor's Perspective
Learning Objectives:
1. Philosophy - Understanding the auditor's restrictions and responsibilities
2. Process - Audit stages, inventories, sampling, data collection, additional requests, etc.
3. Problem - What constitutes quality evidence to sufficiently demonstrate compliance
4. Preference - Clean artifacts, clear evidence, and an exacting culture of compliance
Description:
Create an advantage in every audit by understanding the process, practices, and evidence from the perspective of the auditor. Each entity in the critical infrastructure space understands regulation, but often that understanding does not extend to the legal and ethical responsibilities their auditors face to find sufficient evidence of compliance.
This workshop will teach a simple compliance framework, hierarchically down from Program, Policy, Process, Procedure, and Practice. Attendees will complete group strategy exercises, breaking down a single real-world regulatory requirement into a workable and universal process designed to create compliance artifacts at each stop. Attendees will use their new process to analyze sample procedures created by two fictitious business units, ensuring that each procedure produces all the compliance artifacts required.
With this greater understanding of process and procedural audit, attendees will be able to create an "approval rubric" for use in conjunction with their process. Then, armed with this rubric, the workshop attendees will become the auditors - comparing sample data to the compliance requirement and determining the sufficiency of evidence. Is there evidence of compliance? Or is there a potential non-compliance finding to report?
Workshop Schedule and Outline:
11:30 - 12:30 pm
1. Introduction and Agenda
2. Five-P Compliance Structure
3. Idealized Audit Process - Internal, Independent, External (Regulator)
4. Better Processes Mean Better Compliance
5. Exercise: Example Requirement - CIP-005 Requirement 1.2
6. Accessing the NP-View Training Platform
12:30 - 1:30 pm (working lunch)
1. Be the Auditor: Procedures 1 and 2
2. Rubrics Should Be Documented
3. Exercise: Approval Rubric Creation
4. Be the Auditor: Review firewall justifications for quality
5. How to document and discuss audit findings
6. Operationalizing a process in a compliance program
Joseph Baxter, Director, Solutions Engineering
Network Perception
ROOM B
11:30 - 12:45 pm
Supply Chain Cyber Security and NERC CIP-013 Compliance for Electric Utilities
This session will focus on the issues related to cyber securing the supply chains of electrical utilities. Specifically, it will cover the NERC CIP-013 reliability standard and its requirements. The requirements are: Develop, Implement and Continuously Monitor the supply chain cyber security risk management plans for high and medium impact BES Cyber Systems.
Perhaps the biggest cybersecurity risk today is the risk posed by supply chain cyberattacks. SolarWinds and the Log4j attacks are two well-known examples, but there are many more. Software supply chain attacks are at least doubling every year. According to HelpNet Security, "..in 2022, supply chain attacks surpassed the number of malware-based attacks by 40%." Electric utilities are faced with a special challenge, because of their need to comply with NERC CIP-013.
The big challenge of supply chain cybersecurity is that, in principle, the utility has to secure not only its own environment but the environments of all its suppliers of software and intelligent devices. This can be accomplished through an effective risk management program. We will discuss how electrical utilities can implement the NERC CIP-013 standard through developing, implementing, and continuously monitoring such a risk management program. However, our methodology will cover the full spectrum of supply chain cyber security.
Ramesh Reddi, President and Chief Technology Officer
CybSecBCML, Inc.
Tom Alrich, Principal Consultant
Tom Alrich LLC
12:45 - 1:45 pm
Lunch Break
ROOM A
1:45 pm - 3:45 pm
Workshop 3: Why Two Sides of Visibility Matter More Now Than Ever
Learning Objectives:
1. Philosophy -- How adding network access visibility can bolster your incident response efforts and increase cyber resiliency.
2. Process -- Enhancing Network Visibility, Incident Response Plans, Post Incident, etc.
3. Problem/Solution -- Traditional intrusion detection systems (IDS) may contain visibility gaps from a network access (firewall/router) perspective. Be better equipped to respond to incidents that are detected in your OT networks by enhancing IDS with network access modeling.
4. Take Away -- Leveraging network access modeling to enhance your incident response procedures.
Description:
Our OT network has been breached!!! Do we know where the threat can pivot to next? Is the network correctly segmented? How many steps away is it from hitting our crown jewels? These are questions that traditional intrusion detection systems have a hard time answering. We may be able to understand what has been compromised and what anomalous behaviors threat actors are exhibiting; however, to be resilient to breaches, knowing the answers to these key questions can greatly reduce the risk (and stress) of handling a network incident. How do we accomplish that? By layering in Network Access Modeling.
In this workshop we will go over two complementary sides of network visibility -- Network Traffic Monitoring & Network Access Modeling -- and how to create strategies and incident response plans around these two to better respond to OT network intrusion incidents and build a more cyber resilient program. A case study will be reviewed on how these two controls could have helped prevent one of the most widely known incidents: The Colonial Pipeline Shutdown.
Attendees will have the opportunity to go through a tabletop exercise and use Network Access Modeling to better respond to a theoretical breach and gain a better understanding and appreciation of how the Two Sides of Network Visibility will help your team build resiliency during incidents!
Kes Jecius, Senior Solutions Engineer
Network Perception
David Carmona, Regional Sales Manager
Network Perception