Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

CIP-007 R3 Malicious Code Prevention

by David Schwalenberg
March 30, 2016

The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose mission is to assure the reliability of the bulk power system in North America. NERC Reliability Standards define the reliability requirements for planning and operating the North American bulk power system, which serves more than 334 million people. NERC is committed to protecting the bulk power system against cyber security compromises that could lead to misoperation or instability. The NERC Critical Infrastructure Protection (CIP) Standards provide a cyber security framework for the identification and protection of Bulk Electric System (BES) Cyber Systems, to support the reliable operation of the North American bulk power system.

The purpose of CIP-007 R3 (Malicious Code Prevention) is to "deter, detect, or prevent malicious code" and "mitigate the threat of detected malicious code". Malware and viruses are a huge threat and Supervisory Control and Data Acquisition (SCADA) systems are not immune. New malware is identified daily and virus writers are constantly tweaking their malware to keep it from being detected. Using malicious code, potentially massive attacks can be accomplished with relative ease, negatively impacting the reliable operation of the BES. Network defenders need to use a defense-in-depth approach to both protect against malware infections and also discover and address any malware that gets through the defenses.

For organizations that are required to be CIP compliant, SecurityCenter Continuous View (CV) can lead the way to compliance. This dashboard can assist in identifying malware already on the network, and viewing events such as virus detections and interactions with known hostile IP addresses that may indicate the presence of malware. The Log Correlation Engine (LCE) is constantly updated with lists of IP addresses and URLs associated with known botnets; as the LCE processes logs, it alerts if one of these hostile IP addresses or URLs is seen. The top IP addresses on the network associated with virus detection events are also displayed, as well as the users most associated with virus events. This enables an analyst to determine on which hosts malware is found and which users may be engaging in activity that exposes the network to viruses; knowing this information can assist in improving network defenses. The dashboard presents indicators for malware-related activity and concerns, and also presents the current antivirus status, including the percentage of hosts on which the installed antivirus is not working properly. This dashboard can assist in monitoring for malicious code and activity on SCADA systems on the network, which will aid in meeting the CIP-007 R3 requirements and measures. Analysts can also use this dashboard to easily drill down and gain more detailed information.

The CIP standards recommend categorizing BES Cyber Assets into different impact categories. An asset's impact category is based on the adverse impact to BES reliability that would occur if the asset was unavailable, degraded, or misused. Once the impact categories of systems have been determined, asset groups in SecurityCenter CV can be used to group together machines in each impact category. Asset groups can then be applied to this dashboard to narrow the focus and enable more accurate reporting on systems in specific impact categories. For more information on using assets with dashboards, see How to Add Assets in SecurityCenter and How to Use Assets with Dashboards. Alternatively, if the assets are in separate subnets, then subnet filters can be easily applied to narrow the focus of this dashboard.

This dashboard and its components are available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The dashboard can be easily located in the SecurityCenter Feed under the category Compliance & Configuration Assessment. The dashboard requirements are:

  • SecurityCenter 5.2.0
  • Nessus 6.5.4
  • PVS 4.4.0
  • LCE 4.6.1

Many other malware- and antivirus-focused dashboards are also available in the Threat Detection & Vulnerability Assessments feed category. These dashboards can assist an analyst in further investigating malware activity. Some suggested dashboards are Malware Detection, Virus Trending, Malicious Process Detection, and Spam Monitoring. The Virus Trending and Spam Monitoring dashboards both contain components that break out malware detections by product. The Malware Hunter dashboard can be used to hunt for malware on the network. For CSV (comma-separated value) reports that can be imported and run within SecurityCenter to assist with malware detection, see Malware Detection CSV Reports and More Malware Detection CSV Reports.

Tenable's SecurityCenter Continuous View (CV) is the market-defining continuous network monitoring solution. For Supervisory Control and Data Acquisition (SCADA) systems, where reliability and not interfering with normal operations is a concern, SecurityCenter CV includes passive vulnerability detection with Tenable’s Passive Vulnerability Scanner (PVS), as well as log correlation with Tenable’s Log Correlation Engine (LCE). Where possible, active vulnerability detection and compliance scanning with Nessus can also be done. Using SecurityCenter CV, an organization will obtain the most comprehensive and integrated view of its SCADA network.

The following components are included in this dashboard:

  • Prioritize Hosts - Top Hosts Infected with Malware: This table displays the top hosts on the network that have actively or passively detected malware infections.
  • Targeted Event Monitoring - Virus Events in Last 72 Hours: The Virus Events in Last 72 Hours table lists the virus events by count detected in the last three days.
  • CSF - Threatlist Events in Last 72 Hours: This table displays threatlist events detected in the last three days and sorted by count. Events that are normalized by LCE to the event type “threatlist” include logs that indicate systems communicating with hostile IP addresses and domains that are participating in known botnets.
  • Malware Detection - Top IPs with Malware Events: This component displays a pie chart of the IP addresses with the most malware-related vulnerabilities detected.
  • Virus Trending - Users Most Associated with Virus Events within Last 7 Days: The component displays those users most associated with virus activity within the last 7 days.
  • CSF - Malware-Related Concerns: This matrix displays warning indicators for potential malware-related events and vulnerabilities detected on the network, such as virus and threatlist event spikes, botnet interactions, malicious processes and web content, bad Windows autoruns, multiple system crashes, and detections of spam and mobile code.
  • Verizon 2015 DBIR - Antivirus: This matrix assists the organization in monitoring its antivirus deployment.