Cloud Infrastructure Security & Compliance / CMP-921

Provide NERC CIP compliance profile for utility customers


    • Parent: OCPPLAN-6820 - Support NERC Compliance for utility customers
    • Status: Done

      Epic Goal

      The North American Electric Reliability Corporation (NERC) is a nonprofit regulatory authority whose mission is to ensure the reliability of the North American bulk power system. NERC is subject to oversight by the US Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada. In 2006, FERC granted the Electric Reliability Organization (ERO) designation to NERC in accordance with the Energy Policy Act of 2005 (US Public Law 109-58). NERC develops and enforces reliability standards known as NERC Critical Infrastructure Protection (CIP) standards.

      The goal for this epic is to provide an initial NERC CIP compliance profile for use with the Compliance Operator. This initial profile will not necessarily provide complete coverage for NERC CIP. As much of NERC CIP can be mapped to NIST SP800-53 controls that we have already worked on, the goal is to have the initial profile include rules that are already implemented in the ComplianceAsCode project. Implementing new rules is out of scope.

      An analysis to map NIST SP800-53 controls to NERC CIP was already conducted, which is summarized in the following spreadsheet:

      https://docs.google.com/spreadsheets/d/14DHN0MiWwiKbyfstrOKQmDbfJEXEQOygrD00v-HbTrA/edit#gid=933961710

      Additional content (the rendered SCAP Security Guide HTML guides) can be found here: https://jenkins.complianceascode.io/view/SCAP%20Security%20Guide/job/scap-security-guide-stats/HTML_20Guides/

      Why is this important?

      Currently, we have two customers that request this profile:

      1. ERCOT supplies power to more than 25 million Texas customers and represents 90 percent of the state's electric load.
      2. Hydro-Québec is a public utility that manages the generation, transmission and distribution of electricity in the Canadian province of Quebec, as well as the export of power to portions of the Northeast United States.


      Acceptance Criteria

      • The Compliance Operator ships with a NERC CIP profile.
      • The profile contains the appropriate existing implemented OpenSCAP checks from NIST SP800-53, as defined in the mapping spreadsheet.
      • We have the appropriate remediations for the checks that can be auto-remediated (those whose remediations are already implemented).
      • Automated testing / CI for the profile runs successfully.
      • Compliance Operator documentation is updated to indicate that we provide a profile for NERC CIP, along with a basic description of the profile.
      • Progress tracking tooling is created to track coverage for profile development.

      Documentation Needs

      This epic will be addressed by adding a new SCAP profile that is used by compliance-operator. SCAP content already includes human-readable guidance documentation that explains all of the rules and remediations contained in a profile. Engineering will be developing this detailed guidance as a part of the profile development. As such, the documentation needs in our official OpenShift docs for this should be minimal.

      The Compliance Operator documentation needs to list the "NERC CIP" profile in the list of provided profiles in the "Understanding the Compliance Operator" section (adding this table is described in CMP-888). The profile name, human-readable title/description, and reference link to be used in the table should all be obtained using "oc get compliance.profile" once development for this epic is complete.

      Quality Assurance Needs

      This epic concerns the addition of a new "NERC CIP" profile that is used by the compliance-operator. As such, this profile must be tested to ensure the following:

      • The rules are able to get the necessary information
      • The rules generate appropriate remediations
      • The remediations indeed address the gaps found (as defined by the rules)
      • The cluster is in a working state after the remediations have been applied

      A proposed test is as follows:

      • In a clean cluster, install the compliance-operator
      • Run a scan for the new profile(s)
      • Apply all the suggested remediations
      • Apply manual fixes as suggested by the results (e.g. configure a relevant IdP, use signed images only, etc.)
      • Re-scan
      • Verify that the rules which had issues were fixed and are now in a compliant state
      • Run a smoke test to verify that the cluster is still usable
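The proposed test above, scripted end to end, as an added example; it is not code from this epic or from the compliance-operator project. It assumes compliance-operator is already installed in the openshift-compliance namespace, `oc` is logged in as cluster-admin, `jq` is on PATH, and it uses placeholder profile names (PROFILES) because the epic does not name the NERC CIP profile. The ScanSettingBinding, ComplianceSuite, ComplianceCheckResult, ComplianceRemediation and rescan-annotation interactions are the operator's documented ones; the "before/after" comparison in still_failing is the added part that turns the "verify the rules which had issues were fixed" step into something a CI job can assert on.

```shell
#!/bin/sh
# Added example, not code from the epic or the compliance-operator project.
# Assumptions: compliance-operator is installed in openshift-compliance, `oc` is
# logged in as cluster-admin, `jq` is on PATH, and PROFILES holds placeholder
# names; the epic does not name the NERC CIP profile, so replace them with the
# names listed by `oc get profiles.compliance -n openshift-compliance`.
set -eu

NS=openshift-compliance
BINDING=nerc-cip-test                                           # the suite gets the same name
PROFILES="ocp4-PLACEHOLDER-profile rhcos4-PLACEHOLDER-profile"  # assumed names, see above

# Render a ScanSettingBinding tying the given profiles to the default ScanSetting.
binding_manifest() {
  name=$1; shift
  printf 'apiVersion: compliance.openshift.io/v1alpha1\nkind: ScanSettingBinding\n'
  printf 'metadata:\n  name: %s\n  namespace: %s\nprofiles:\n' "$name" "$NS"
  for p in "$@"; do
    printf '  - name: %s\n    kind: Profile\n    apiGroup: compliance.openshift.io/v1alpha1\n' "$p"
  done
  printf 'settingsRef:\n  name: default\n  kind: ScanSetting\n  apiGroup: compliance.openshift.io/v1alpha1\n'
}

# Poll until the ComplianceSuite created from the binding reports phase DONE.
wait_for_suite() {
  phase=""
  until [ "$phase" = DONE ]; do
    sleep 20
    phase=$(oc get compliancesuites/"$BINDING" -n "$NS" -o jsonpath='{.status.phase}' 2>/dev/null || true)
  done
}

# Emit one "<check-name> <status>" line per ComplianceCheckResult of the suite.
check_results() {
  oc get compliancecheckresults -n "$NS" -l compliance.openshift.io/suite="$BINDING" -o json |
    jq -r '.items[] | "\(.metadata.name) \(.status)"'
}

# Mark every ComplianceRemediation for application (on a clean cluster they all
# belong to this suite). MachineConfig remediations will reboot nodes.
apply_remediations() {
  for r in $(oc get complianceremediations -n "$NS" -o name); do
    oc patch "$r" -n "$NS" --type=merge -p '{"spec":{"apply":true}}'
  done
}

# Ask the operator to re-run every scan belonging to the suite.
rescan() {
  for s in $(oc get compliancesuites/"$BINDING" -n "$NS" -o jsonpath='{.status.scanStatuses[*].name}'); do
    oc annotate compliancescans/"$s" -n "$NS" compliance.openshift.io/rescan=
  done
}

# Compare two result snapshots ("<check> <status>" per line): print the checks that
# were not PASS before and are still not PASS after the remediated re-scan. Anything
# listed either needs a manual fix (IdP, signed images, ...) or marks a broken remediation.
still_failing() {
  awk 'NR==FNR { if ($2 != "PASS") bad[$1] = $2; next }
       ($1 in bad) && $2 != "PASS" { print $1, bad[$1], "->", $2 }' "$1" "$2"
}

# Smoke test: every node Ready and no ClusterOperator Degraded after remediation.
smoke_test() {
  oc get nodes -o json | jq -e '[.items[].status.conditions[] | select(.type=="Ready") | .status=="True"] | all' >/dev/null
  oc get clusteroperators -o json | jq -e '[.items[].status.conditions[] | select(.type=="Degraded") | .status=="False"] | all' >/dev/null
}

main() {
  binding_manifest "$BINDING" $PROFILES | oc apply -f -   # 1. bind the profile(s), which starts the scan
  wait_for_suite
  check_results > results-before.txt                       # 2. snapshot the first scan
  apply_remediations                                       # 3. apply all suggested remediations
  rescan; sleep 60; wait_for_suite                         # 4. re-scan once the operator picks them up
  check_results > results-after.txt
  echo "Checks still not PASS after automatic remediation (manual fixes or broken remediations):"
  still_failing results-before.txt results-after.txt       # 5. verify the previously failing rules
  smoke_test && echo "smoke test passed: cluster still usable"   # 6. cluster still works
}

# Only touch a cluster when explicitly asked; the helpers stay testable offline.
if [ "${RUN_E2E:-0}" = 1 ]; then main; fi
```

Run it with `RUN_E2E=1 sh nerc-cip-e2e.sh` on a clean cluster; the manual-fix step sits between the two snapshots, so anything still listed by still_failing after the manual fixes have been applied is a rule the profile cannot bring into compliance and belongs in the coverage tracking the acceptance criteria ask for.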

      Dependencies (internal and external)

      • N/A

      Previous Work (Optional):

      1. CMP-915 - Research Spike

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

            josorior@redhat.com Juan Antonio Osorio (Inactive)
            dcaspin@redhat.com Doron Caspin
            Hongyan Li Hongyan Li