Nuclear Automation
Cyber Security Services: Event Management and Intrusion Prevention

Background

Westinghouse Electric Company LLC and McAfee, Inc., an Intel Company, have entered into a partner agreement where Westinghouse may resell the following list of McAfee® licensed products:

• Enterprise Security Manager (ESM)
• Enterprise Log Manager (ELM)
• Event Receiver (REC)
• Nitro Intrusion Prevention System (IPS)
• Gold Level Support and Maintenance
• Services and Training

Regulatory bodies and industry groups around the world now require nuclear utilities to introduce new hardware and software into the plant architecture to prevent cyber attacks and to collect, monitor and analyze data for cyber vulnerabilities, threats and unwarranted activities. Westinghouse is currently partnered with McAfee to provide a scalable, comprehensive solution to the nuclear market.

Description

The McAfee high-performance, powerful Security Information and Event Management (SIEM) brings event, threat and risk data together to provide strong security intelligence, rapid incident response, seamless log management and extensible compliance reporting. At the core of the SIEM offering, ESM consolidates, correlates, assesses and prioritizes security events for both third-party and McAfee solutions.

The SIEM provides the ability for Westinghouse customers to meet monitoring and log correlation requirements stemming from 10 CFR 73.54 (Nuclear Regulatory Commission Regulatory Guide [RG] 5.71, Nuclear Energy Institute [NEI] 08-09). This solution collects security event logs from plant systems (critical digital assets) and stores the events in a central location. The solution provides the customer with event sorting and automated alerting rules.

McAfee Nitroguard is an IPS that actively detects, analyzes and protects the network from an array of security attacks, including viruses, worms, spyware, denial-of-service attacks and other forms of malware, as well as unknown or zero-day attacks.
It allows the customer to take control of the network with the ability to maintain multiple simultaneous intrusion detection system (IDS) and IPS policies from a single appliance, facilitate policy tuning with “what if” scenario alerting, correlate events to network and session activity using built-in network flow collector and firewalls, and utilize exploit-, vulnerability- and anomaly-based detection.

RG 5.71    NEI 08-09    Title
C.3        E.3          System and Information Integrity
B.2        D.2          Audit and Accountability

Benefits

Westinghouse offers a basic SIEM solution, single security level SIEM solution, multiple security level SIEM solution, integrated IPS solution, basic and nuclear content configuration support, extended hardware and software support and on-site training services.

Westinghouse Basic McAfee Configuration: Westinghouse can perform on-site configuration and consulting for the McAfee event management and intrusion prevention products. The Westinghouse basic configuration for the McAfee appliance includes answering installation questions and/or performing installation troubleshooting. Basic configuration includes elements such as:

• Configure McAfee ESM network connectivity
• Configure login security
• Configure authentication
• Configure users, groups and privileges
• Define data sources
• Configure receiver(s)
• Configure storage pool definitions, where applicable
• Configure McAfee Event Log Manager(s)
• Configure McAfee IPS, where applicable

Westinghouse Nuclear Content Configuration: Westinghouse can perform on-site configuration on the McAfee appliance and from the management workstation to add the Westinghouse Nuclear Content. The Westinghouse content includes additional configuration settings, including views and reports to show compliance with NEI 08-09.
Additional configuration includes elements such as:

• Variables (provide logical grouping of assets)
• Hosts (used for name resolution)
• Zones (for multiple level deployments only)
• Alerts (notify staff of events that require attention)
• Views (provide a dashboard view of live event data)
• Report (provide customized point-in-time event data)

SIEM Considerations

1. Logs and SIEM within plant
   a. May have one SIEM to address secure levels (3 and 4)
   b. Events may forward to site or corporate network SIEM
2. Logs on site network
3. Non-nuclear sites
4. Corporate network with both nuclear and non-nuclear generation

SIEM solution over multiple security levels

Westinghouse Electric Company
1000 Westinghouse Drive
Cranberry Township, PA 16066
www.westinghousenuclear.com

McAfee is a trademark or registered trademark of McAfee, Inc. Other names may be trademarks of their respective owners.

July 2013
NA-0125
©2015 Westinghouse Electric Company LLC. All Rights Reserved