Page 1: CIP-005 and Zero Trust
Project 2016-02 Project Update
Project 2016-02 CIP SDT Members
February 2020
Page 2: Disclaimer
RELIABILITY | ACCOUNTABILITY
Virtualization changes to CIP standards are to ENABLE new methods/models, NOT REQUIRE them.
Page 3: Agenda
• Discuss current security state and issues
• Discuss emerging security models (Zero Trust)
• CIP-005 changes to allow ESP plus other models
Page 4: Current State
• Network perimeter (ESP) based
• Castle & moat
  - Everything inside the castle = good
  - All the bad is outside the castle
  - The moat (the firewall) provides separation and controlled access
• Trust is based on your network location
  - Internet, corporate network, DMZ, ICS network, controller network
  - Your trust level = which perimeter you are within
  - Security controls are mostly for north/south traffic (crossing perimeters)
  - All your network peers are at the same trust level (PCAs in CIP)
  - East/west traffic within the perimeter has no security controls
Page 5: Typical Network Model (diagram; zones listed from outermost to innermost)
• Internet
• Corporate Network: Accounting Dept Desktop
• DMZ Network
• Control System Network: Control System Engineer Desktop, Data Historian, Operator HMI, Database Server, Controller(s)
Page 6: Issues
• Adversaries are intelligent and adaptable
• As the perimeter model improved, attackers adapted and hacked the humans instead (phishing, watering hole attacks, etc.)
• Result: the "inside" is also hostile, and the model provides for easy lateral movement (network access is controlled at the perimeter, not inside)
• Ransomware: get on one system inside and then destroy 30,000 PCs from within your perimeter
Page 7: Typical Security Breach (diagram of a breach across the same zones and hosts as the Typical Network Model on page 5)
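The lateral-movement problem that the Issues slide and this breach diagram describe, as an added example that is not part of the SDT's presentation: a Python model of the castle-and-moat network from page 5, in which the only access decision is "which perimeter is each end in". The host names, the two permitted north/south firewall flows, and the phishing foothold on the accounting desktop are constructed assumptions for illustration and are not taken from the slides.

```python
"""Lateral movement in a castle-and-moat network (added example, not from the slides).

Hosts and zones follow the 'Typical Network Model' slide; the two permitted
north/south flows and the foothold host are assumptions made for illustration.
"""
from collections import deque

# Constructed inventory: host -> the perimeter (zone) it lives inside.
HOSTS = {
    "accounting-desktop": "corporate",
    "jump-host":          "dmz",
    "engineer-desktop":   "control",
    "data-historian":     "control",
    "operator-hmi":       "control",
    "database-server":    "control",
    "plc-controller":     "control",
}

# Assumed perimeter firewall rules: (source zone, destination zone) pairs that
# are permitted.  Only north/south flows exist here, because the perimeter
# model has no rules at all for east/west traffic inside a zone.
PERIMETER_RULES = {
    ("corporate", "dmz"),      # corporate users may reach the DMZ jump host
    ("dmz",       "control"),  # the jump host is allowed into the ICS network
}


def can_reach(src: str, dst: str) -> bool:
    """Perimeter model: the only question asked is which perimeter each end is in."""
    zone_src, zone_dst = HOSTS[src], HOSTS[dst]
    if zone_src == zone_dst:
        return True                                  # same perimeter: no control at all
    return (zone_src, zone_dst) in PERIMETER_RULES   # crossing a perimeter: needs a rule


def lateral_reach(foothold: str) -> set:
    """Every host an attacker who owns `foothold` can eventually touch by
    pivoting through each host compromised on the way (BFS over can_reach)."""
    seen, queue = {foothold}, deque([foothold])
    while queue:
        current = queue.popleft()
        for candidate in HOSTS:
            if candidate not in seen and can_reach(current, candidate):
                seen.add(candidate)
                queue.append(candidate)
    return seen - {foothold}


def pivot_path(foothold: str, target: str) -> list:
    """One shortest chain of compromised hosts from foothold to target, or [] if none."""
    parents = {foothold: None}
    queue = deque([foothold])
    while queue:
        current = queue.popleft()
        if current == target:
            path, node = [], current
            while node is not None:
                path.append(node)
                node = parents[node]
            return path[::-1]
        for candidate in HOSTS:
            if candidate not in parents and can_reach(current, candidate):
                parents[candidate] = current
                queue.append(candidate)
    return []


if __name__ == "__main__":
    # Each firewall rule looks reasonable on its own, and the direct hop from the
    # phished desktop to the PLC is blocked...
    print("direct corporate->controller:", can_reach("accounting-desktop", "plc-controller"))
    # ...but chaining permitted hops reaches every host in the plant.
    print("reachable from phished desktop:", sorted(lateral_reach("accounting-desktop")))
    print("pivot chain to the PLC:", " -> ".join(pivot_path("accounting-desktop", "plc-controller")))
```

The point the numbers make: no single rule is wrong, and the firewall really does refuse the direct corporate-to-controller hop, yet one phished desktop still reaches the controllers in two pivots because nothing inside a zone ever asks who is talking to whom.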
Page 8: Other Perimeter Issues
• Remote access, VPN, cloud services, vendor access, etc.
• The true perimeter is very dynamic now
• The data historian may be a cloud service in the future
• VPN: its purpose is essentially to "put a remote machine on the local network"
• "Inside" and "outside" a perimeter: is there another, better way to think about network security models?
Page 9: Virtualization Enables Other Models
Virtualized environments are enabling new and different ways to think about network security to address these issues.
• Security controls can live in the network or on the host
  - Network: isolation, but you lose context (a network device sees addresses and ports, not which user or process is behind them)
  - Host: context, but not isolation (a host agent knows the user and process, but a compromised host can disable it)
• Enter the hypervisor, with ubiquitous context: it sits beneath every virtual machine, so it can see each workload's identity and state while enforcing traffic controls at each virtual network interface
Page 10: Zero Trust Architecture
• New and evolving security strategy that fundamentally changes networking from implicit trust to zero trust
• The basic premise is that no implicit trust is granted to systems based on their physical or network location
  - Treats EVERY network as hostile (hence the name "zero trust")
  - DOESN'T CARE what network address you have or where you are
  - DOES CARE who you are as a person or process, the state of your machine, and whether you are authorized RIGHT NOW for a particular type of access to the particular data or resource
  - ALL traffic is encrypted/protected because no network is trusted
• ONLY authorized communications are allowed
Page 11: Security Breaches in Zero Trust (slide is an image; photo by unknown author, licensed under CC BY-NC-ND)
Page 12: Zero Trust Model
• Assumes ANY network is hostile: NO implicit trust
• Access is granted only when it is needed and only for the duration of that access
• Authorize the user and the device at the time access is needed
• Protects resources and data, not network segments
• Network location is no longer a prime component of security posture
• Attacker reconnaissance and lateral movement are mitigated
• This is a fundamentally different model than the ESP
Page 13: Policies and Zones
• Network segments and perimeters are replaced with policies and zones
• Based on "need to know" preconfigured access policies
• Protects access to data, assets, applications, and services, not network segments
• Policies can include machines, users, processes, and services, regardless of where they are on a network
• "Policy not Topology"
Page 14: Policy Example
• Individuals in AD group "Historian_Access" on a device with OS = "Windows" can only use TLS-Version = "1.2" encrypted communication to access workloads with Tag = "Control_Historian_APP"
• This policy defines the allowed communications with no reference to where anything is on a network
• An encrypted temporary "network" is established between the user, wherever they are, and the historian app, wherever it is
• No other communication is allowed
• Policy is enforced end to end and everywhere in between
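The policy on this slide, together with the properties listed under the Zero Trust Model on page 12 (authorize the user and device at the time of access, grant only for the duration, treat network location as irrelevant), as an added example in Python that is not part of the SDT's presentation. The request fields, the device-posture flag, the 15-minute grant lifetime and the sample requests are constructed assumptions. The one deliberate departure from the slide is that the TLS check accepts 1.2 or newer rather than exactly 1.2: a policy that pins a single version rejects TLS 1.3 along with the old versions it means to exclude.

```python
"""Zero-trust policy evaluation, 'policy not topology' (added example, not from the slides).

Encodes the page 14 policy as data and re-evaluates it on every request.  The
request fields, the device-posture flag, the grant lifetime and the sample
requests are assumptions for illustration.  The TLS check is 'at least 1.2'
rather than the slide's exact '= 1.2', so TLS 1.3 is accepted.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Policy:
    name: str
    required_groups: frozenset   # requester must hold at least one of these
    required_os: str
    min_tls: tuple               # (major, minor) of the lowest acceptable TLS version
    target_tag: str              # workload tag this policy protects


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    device_os: str
    device_compliant: bool       # assumed posture signal from the device agent
    tls_version: str             # version negotiated on this connection
    target_tags: frozenset       # tags on the workload being accessed
    source_ip: str               # kept for logging only; the policy never reads it


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    expires_at: Optional[datetime] = None


# The single policy from the slide, expressed as data.
POLICIES = [
    Policy("historian-access", frozenset({"Historian_Access"}), "Windows", (1, 2),
           "Control_Historian_APP"),
]
GRANT_TTL = timedelta(minutes=15)   # assumed: access is granted only for this long


def _tls_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def _first_failure(policy: Policy, req: Request) -> Optional[str]:
    if not (req.groups & policy.required_groups):
        return "user not in " + "/".join(sorted(policy.required_groups))
    if req.device_os != policy.required_os:
        return f"OS {req.device_os!r} not permitted"
    if _tls_tuple(req.tls_version) < policy.min_tls:
        return f"TLS {req.tls_version} below required minimum"
    return None


def evaluate(req: Request, now: datetime) -> Decision:
    """Default deny.  Every condition is checked again at the moment of access;
    source address and network location play no part in the outcome."""
    if not req.device_compliant:
        return Decision(False, "device posture check failed")
    reasons = []
    for policy in POLICIES:
        if policy.target_tag not in req.target_tags:
            continue
        problem = _first_failure(policy, req)
        if problem is None:
            return Decision(True, f"{policy.name}: all conditions met", now + GRANT_TTL)
        reasons.append(f"{policy.name}: {problem}")
    return Decision(False, "; ".join(reasons) or "no policy covers this target")


def grant_is_live(decision: Decision, now: datetime) -> bool:
    """A grant lasts only for its duration; afterwards the request must be re-authorized."""
    return decision.allowed and decision.expires_at is not None and now < decision.expires_at


# Constructed sample requests and times.
T0 = datetime(2020, 2, 18, 9, 0, tzinfo=timezone.utc)
T0_PLUS_5M = T0 + timedelta(minutes=5)
T0_PLUS_20M = T0 + timedelta(minutes=20)

ENGINEER_REMOTE = Request(
    user="cs-engineer", groups=frozenset({"Historian_Access", "Domain Users"}),
    device_os="Windows", device_compliant=True, tls_version="1.3",
    target_tags=frozenset({"Control_Historian_APP"}), source_ip="203.0.113.7",  # off-site
)
ENGINEER_INSIDE = replace(ENGINEER_REMOTE, source_ip="10.30.0.5")   # same user, ICS address
# Attacker on a phished accounting desktop, after pivoting to a control-network address.
ATTACKER_INSIDE = replace(ENGINEER_REMOTE, user="acct-user",
                          groups=frozenset({"Accounting"}), source_ip="10.30.0.5")
ENGINEER_OLD_TLS = replace(ENGINEER_REMOTE, tls_version="1.0")
ENGINEER_BAD_POSTURE = replace(ENGINEER_REMOTE, device_compliant=False)
UNTAGGED_TARGET = replace(ENGINEER_REMOTE, target_tags=frozenset({"Untagged"}))


if __name__ == "__main__":
    for label, req in [("engineer, off-site", ENGINEER_REMOTE),
                       ("attacker, inside ICS", ATTACKER_INSIDE),
                       ("engineer, TLS 1.0", ENGINEER_OLD_TLS)]:
        d = evaluate(req, T0)
        print(f"{label:22} from {req.source_ip:12} -> {'ALLOW' if d.allowed else 'DENY '}  ({d.reason})")
    grant = evaluate(ENGINEER_REMOTE, T0)
    print("grant still live 20 minutes later:", grant_is_live(grant, T0_PLUS_20M))
```

Note what `evaluate` never reads: `source_ip` is carried only so the decision can be logged. The engineer gets the same answer from an off-site address as from inside the control network, and the attacker who has already pivoted onto a control-network address is refused exactly as they would be from the Internet, because the group, device state and negotiated protocol are what the policy is about, not the topology.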
Page 15: CIP-005
• Current
  - 1.1 All applicable Cyber Assets connected to a network via a routable protocol shall reside within a defined ESP.
  - 1.2 All External Routable Connectivity must be through an identified Electronic Access Point.
• Proposed
  - 1.1 Have one or more methods for allowing only needed and controlled communications to and from applicable systems either individually or as a group and logically isolating all other communications.
Page 16: Hybrid Models
• Typically not "either/or" network models
• Hybrid environments will be the norm
• Security objectives allow for current/future/hybrid models
Page 17: ESP Conforming Changes
• PCA (Protected Cyber Asset)
  - Current: One or more Cyber Assets connected using a routable protocol within or on an ESP…
  - Proposed: Cyber Assets that are not logically isolated from a BES Cyber System…
• 4.2.3.2 Exemption
  - Current: Cyber Assets associated with communication networks and data communication links between discrete ESPs.
  - Proposed: Cyber Assets associated with communication links logically isolated from BES Cyber Systems or SCI (Shared Cyber Infrastructure).
Page 18: Questions and Answers
Jordan Mallory, NERC Senior Standards Developer for Project 2016-02 CIP
[email protected]