With the acquisition of Tripwire in 2015, Belden expanded its industrial cyber security offerings to include proactive security monitoring and regulatory compliance solutions. While Tripwire is a leading security and compliance vendor in a number of different industries, such as retail, government and financial services, what do their solutions bring to ICS security?

In short Tripwire solutions give visibility into the control network for things like unauthorized/unexpected changes, insecure configurations and identifying assets vulnerable to known exploits. This visibility provides situational awareness so that control engineers can keep the network operational.

Tripwire also provides compliance solutions that reduce costs for audit preparation by automating reporting and the collection of evidence. In particular, Tripwire offers a NERC CIP Solution Suite that helps utilities meet some of the more difficult CIP requirements – CIP-005, CIP-007 and CIP-010.

Let’s examine how Tripwire/Belden solutions are being used by one sector, bulk electricity suppliers, to reduce the costs and complexity associated with NERC CIP compliance as well as improve cyber security defenses.

Electrical substations are vulnerable to both intentional and accidental cyber incidentsTripwire’s solutions provide real-time cyber security awareness that helps keep critical infrastructure like bulk electric systems operational and safe.

An Easier and More Effective Way to Do NERC CIP Compliance

A large operator of electricity distribution networks in the U.S. wanted to make its NERC CIP compliance processes more efficient, enhance network connectivity with its substations and improve cyber security.

To automate the collection of evidence for compliance, the company licensed the Tripwire NERC CIP Solution Suite. This set of software tools helped them automate data collection for the majority of the 32 NERC CIP requirements. Initially implemented for the utility’s energy management system, Tripwire software applied:

  • Change detection
  • Log management
  • Automated configuration assessment
  • Audit-ready reporting

All of this was used to significantly reduce the manual compliance workload. In particular, efficiency around NERC CIP 007, Systems Security Management and Ports & Services requirements was notably improved.

Another benefit of using the Tripwire NERC CIP Solution Suite was improved cyber security through proactive alerts about suspicious events or changes to critical infrastructure.

Improving Substation Connectivity and Cyber Security Protection

The same operator enhanced connectivity to its substations in part by implementing GarrettCom Magnum DX940 routers. These routers provided serial-to-IP terminal services, T1 interfaces for a frame relay wide area network, Ethernet switching and cyber security protection, all in an industrially hardened form. GarrettCom-Routers-Facilitate-Substation-ConnectivitySubstation connectivity is facilitated with industrial routers that combine communication and cyber security features in a small-footprint, rugged device.

Quick Achievement of NERC CIP V5 Compliance for Substation Assets

Now along comes NERC CIP V5 which is making more assets within the substations in-scope for compliance.

This operator quickly leveraged GarrettCom and Tripwire synergies to fold all of the GarrettCom DX940 routers into their existing Tripwire NERC CIP solution. This included configuration change detection, secure configuration assessment and monitoring and analysis of syslog events.

In this case, it was straightforward to extend the automation of NERC CIP compliance processes to the substation level, improve substation cyber protection and provide proactive security monitoring across enterprise and ICS networks.

Proactive ICS Security Management

Tripwire’s tools further enhance reliability by intelligently analyzing changes and identifying potential security threats. For example, if:

  • 4-5 failed login attempts occurred for a particular switch
  • The subsequent login was successful and the IP address of the user was from a suspect location
  • There was a change to the configuration of the switch

This combination of events would lead to an alert being generated and provide the operator with the opportunity to respond very quickly. Rapid incident response is a key way of containing harm, minimizing downtime and maintaining the safety and integrity of the substation as well as the SCADA network.

Tripwire Bottom Line for Control Engineers and OT Professionals

If you work for a North American bulk electricity supplier, find out if your organization has already implemented Tripwire – more than 120 electric utilities have. If so, then implementing industrial networking products from Belden will make it easy to extend the cyber security compliance and proactive monitoring capabilities of the Tripwire product suite to any part of the EMS, substation or generation network.

If you work in another industry, be aware that the combination of Belden industrial networking products with Tripwire proactive security monitoring and compliance solutions provide a very high level of cyber protection. They make implementing Defense in Depth cyber security easier and they provide security visibility across enterprise and industrial networks for enhanced reliability.

If you would like to find out more about Tripwire or Belden solutions, in North America call 1-855-400-9071 or email inetsalesops@belden.com. In other parts of the world, complete the short form on this page and a sales representative will get in contact with you.

What are your NERC CIP compliance challenges? Are you working on substation connectivity? I look forward to hearing your stories.

Related Links

Tripwire Resources for NERC CIP Compliance

Belden Resources for Substation Connectivity