TRANSCRIPT
CIP-101: CIP-005-5 Audit Approach, ESP Diagrams, and Industry Best Practices Overview
September 24 – 25, 2014 Henderson, NV
Joe Andrews, MSc.IA, CISSP-ISSEP, ISSAP, ISSMP, CISA, PSP
Sr. Compliance Auditor – Cyber Security
WESTERN ELECTRICITY COORDINATING COUNCIL
Speaker Introduction
• Joseph A. Andrews
o 4 years Critical Infrastructure - Cyber Security
o 21 years DoD Cyber Security / Network Security Engineering (Federal Civilian)
§ Senior Information Systems Security Engineer
§ Information Assurance Program Manager
§ Network Security Engineer
§ Information Systems Security Officer
§ Etc.
o Academic
§ Master of Science in Information Security & Assurance
§ Bachelor of Science in IT/Information Security
§ Professional Certifications: CISSP-ISSEP, ISSAP, ISSMP, CISA, PSP, CAP, CSSA, GCIH, C|CISO, C|EH, CNDA, CBRM, CGEIT, CompTIA Security+
PRESENTATION DIAGRAMS DISCLAIMER
• The network diagrams depicted within this presentation are only provided as examples to illustrate topics of discussion and are not meant to be prescriptive regarding any specific applications to compliance.
• WECC does not promote any particular brand of network appliance or computer. Various vendor models are used only for demonstration purposes.
CIP Version 5 - Foundation
• Borrows from NIST Risk Management Framework
o System-centric (e.g., BCS) approach to security assessment, security control identification and implementation
- Establishing Cyber System boundaries based on security categorization (e.g., criticality – High, Medium or Low), then applying the risk management strategy and processes
- Common security control inheritance
o Continuous monitoring
Terminology
• BES Cyber Asset (BCA)
• BES Cyber Systems (BCS)
• Protected Cyber Asset (PCA)
• Electronic Security Perimeter (ESP)
• External Routable Connectivity (ERC)
• Electronic Access Point (EAP)
• Interactive Remote Access (IRA)
• Dial-up Connectivity
Requirement Count
• 5 Requirements (Version 3) – 26 Sub-requirements
• 2 Requirements (Version 5) – 8 Parts
CIP-005-5 R1 Requirements Overview
• R1. Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in CIP-005-5 Table R1 – Electronic Security Perimeter.
o R1.1 All applicable Cyber Assets connected to a network via a routable protocol shall reside within a defined ESP.
o R1.2 All External Routable Connectivity must be through an identified Electronic Access Point (EAP).
o R1.3 Require inbound and outbound access permissions, including the reason for granting access, and deny all other access by default.
o R1.4 Where technically feasible, perform authentication when establishing Dial-up Connectivity with applicable Cyber Assets.
o R1.5 Have one or more methods for detecting known or suspected malicious communications for both inbound and outbound communications.
CIP-005-5 R2 Requirements Overview
• R2. Each Responsible Entity allowing Interactive Remote Access to BES Cyber Systems shall implement one or more documented processes that collectively include the applicable requirement parts, where technically feasible, in CIP-005-5 Table R2 – Interactive Remote Access Management.
o R2.1 Utilize an Intermediate System such that the Cyber Asset initiating Interactive Remote Access does not directly access an applicable Cyber Asset.
o R2.2 For all Interactive Remote Access sessions, utilize encryption that terminates at an Intermediate System.
o R2.3 Require multi-factor authentication for all Interactive Remote Access sessions.
Electronic Security Perimeter (ESP)
• Provides network segmentation and restricted access to Cyber Assets within the SCADA and Process Control Network from the Enterprise/Corporate Network and any other untrusted networks and sources (e.g., unauthorized mobile sources/systems).
• It is the Electronic Access Point which establishes the Electronic Security Perimeter.
Electronic Access Point (EAP)
• An interface of a Cyber System, device or appliance that provides access to and/or through (e.g., ingress and egress traffic) an ESP within which the Cyber Assets with routable connectivity must reside (e.g., Firewall, Gateway, Control device with modem; TCP, UDP; Telnet, SSH, SSL, VPN, HTTP[S]).
• May provide access control, monitoring, alerting and/or logging of access to and/or through the ESP
o May require intermediary device(s) for some of this functionality: Electronic Access Control and Monitoring (EACM) devices
BES Cyber Asset (BCA) Definition - FERC Approved Date: 11/22/2013 Effective Date: 4/1/2016
• A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact. Each BES Cyber Asset is included in one or more BES Cyber Systems. (A Cyber Asset is not a BES Cyber Asset if, for 30 consecutive calendar days or less, it is directly connected to a network within an ESP, a Cyber Asset within an ESP, or to a BES Cyber Asset, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.)
Non-Routable BCA/BCS
• Cyber Assets are subject to the CIP standards based on their functionality and resultant potential impact to BES reliability.
• BES Cyber Systems and associated BES Cyber Assets are not dependent upon a routable protocol (see definitions).
• A BES Cyber System may include non-routable (serial) devices.
• End point devices (relays) may be included within the v5 requirements and identified as BES Cyber Assets, even if no routable communications exist.
• There are v5 requirements to be addressed (i.e. CIP-007-5)
BCA and BCS CIP-005-5 Applicability
• All applicable Cyber Assets meeting the BES Cyber Asset definition criteria connected to a network via a routable protocol
BES Cyber System (BCS) Definition - FERC Approved Date: 11/22/2013 Effective Date: 4/1/2016
• One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.
Protected Cyber Asset
• One or more Cyber Assets connected using a routable protocol within or on an Electronic Security Perimeter that is not part of the highest impact BES Cyber System within the same Electronic Security Perimeter. The impact rating of Protected Cyber Assets is equal to the highest rated BES Cyber System in the same ESP. A Cyber Asset is not a Protected Cyber Asset if, for 30 consecutive calendar days or less, it is connected either to a Cyber Asset within the ESP or to the network within the ESP, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.
EACM Electronic Access Control or Monitoring
• Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems.
• This includes but is not limited to EAPs, Intermediate Devices, authentication servers (RADIUS/TACACS), Active Directory Servers, Certificate Authorities, Security Event Monitoring systems, IDS/IPS, etc.
BCS (HIGH WATERMARK)
• An example of the high watermark application would be a Protected Cyber Asset (PCA) that is physically and logically connected (e.g., same subnet) to the same ESP of an interconnected BES Cyber Asset (BCA) or BES Cyber System (BCS), which results in the lower security category PCA inheriting the same security category and subsequent NERC CIP security control requirements of the BCA or BCS.
Discrete Electronic Security Perimeter
• An Electronic Security Perimeter that is typically located in a single geographical location, which may be protected by a single Physical Security Perimeter (PSP) that may or may not traverse multiple rooms; in either case the cabling infrastructure is protected by the PSP and all rooms are afforded the protections of CIP-006.
Extended Electronic Security Perimeter
• A single Electronic Security Perimeter that may be located in multiple geographical locations, or multiple rooms in the same facility location, protected by one or more Physical Security Perimeters (PSP); the cabling infrastructure may traverse multiple facility rooms or areas outside of an established PSP.
CIP-006 REMAND
• NERC contends wiring is not included within the definition of Cyber Asset, so it should be excluded from CIP compliance measures.
• FERC states "15. …We do not agree that the network cabling (i.e., wires) that gives a communication network its networking capability would be exempt from the CIP Reliability Standards…"
• CIP-006-6 language now includes protection for Cyber Asset cabling
CIP-006-5 R1.10 Alternative Controls
• End-to-end Encryption examples:
- Layer-2 IEEE 802.1AE MACsec GCM-AES-256 (e.g. switches)
- Layer-2 intermediate encryption devices/appliances
- Layer-3 IPsec
- Not required, but recommended for encryption validation: e.g. FIPS 140-2 compliant, Common Criteria EAL4, EAL5
• Physical Security Controls examples:
- Special locks
- Key control – Authorized personnel
• Circuit monitoring w/ supplemental controls
YERSINIA (VLAN Exploit Tool)
Contrary to popular belief: VLANs were originally created as a network performance and organization feature, not a security feature.
• Dynamic Trunking Protocol (DTP) abuse
o Cisco proprietary, no authentication, switches are in default auto-negotiate, sniff all VLAN traffic
• Trunking protocol (802.1Q and ISL) abuse
o PVLAN hopping, double 802.1Q VLAN tagging
• VLAN Trunking Protocol (VTP) abuse
• Common spanning tree (CST) abuse
• Multiple other attacks
• Broadcast storm traffic has been known to disrupt layer-2 switches and misconfigure VLANs
http://www.yersinia.net/index.htm
Trend: Legacy Networks to IP VPN
• Legacy SCADA Networks
o Radio and Leased Line communication
o RTUs serially connected to Radio Modem or Leased Line Modem
o Radio Modem or Leased Line Modem connected to Front End Processor (FEP) at control station
• Secure IP VPN (Vendors are pushing)
o IP network communications
o RTU connected to multi-homed and multi-protocol devices (MPLS/Frame/IP; Fiber, Ethernet, VSAT)
o Front End Processors are multi-homed and multi-protocol capable and scalable devices
Legacy Networks to IP VPN - WHY?
• It's cheaper
o One-to-one hardware solutions are more expensive
• It's scalable & reliable (redundancy)
o Multi-homed, multi-protocol and network-agnostic systems are scalable, while eliminating single points of failure
• It's safer
o VPN-IPsec, AES256 versus unencrypted legacy serial communications
• It's still IP!
o Susceptible to the same vulnerabilities plaguing traditional network architectures
o We're not against it, we just need to check it
Hacking Satellite
• Spanish Cyber Security Researcher Leonardo Nve demonstrated at BlackHat the exploitation of (i.e., gaining access to and impersonating legitimate users) satellite internet connections using less than $75 worth of tools, which can be purchased on eBay.
- (1) Skystar "2" PCI satellite receiver card, open source Linux DVB software app, and the free network data analysis tool Wireshark.
EXTRA! EXTRA! Read all about it!
• US Satellites hacked by Chinese Military!
• The hacktivist group Anonymous hacks NASA Satellite!
• Anonymous hacks Turkish Satellite provider!
• Three states have demonstrated the ability to physically damage satellites by intercepting them: the US, Russia and China
NERC Industry Advisories
• Remote Access Guidance
o Use encrypted access controls for remote access
o Use multi-factor authentication
o Consider a proxy device as VPN termination point
o Implement logging and monitoring
o etc.
NERC Guidance
• Guidance for Secure Remote Access
o Secure interactive remote access concepts
o Security practices and proposed solutions for secure interactive remote access
o Assessing the implementation of interactive remote access controls
o Network architecture decisions
CIP-005-5 R1 Part 1.1
• All Cyber Assets with routable connectivity shall reside within a defined ESP
Measures (Part 1.1)
• List of BES Cyber Systems
• List of BES Cyber Assets within each BCS
• List of Protected Cyber Assets (associated assets)
• ESP network topology including subnets
• Cyber Asset IP addresses
CIP-005-5 R1 Part 1.2
• External routable connectivity must be through an identified EAP
External Routable Connectivity
• 'External Routable Connectivity' includes the term 'bi-directional'
• 'bi-directional routable protocol connection'
• Systems behind a data diode do not have External Routable Connectivity
Measures (Part 1.2)
• Network Diagrams
• External routable communication paths
• List of all identified EAPs
CIP-005-5 R1 Part 1.3
• Inbound and outbound access permissions must be applied, including a documented reason for access, and deny all other access
Audit Approach (Part 1.3)
• Inbound and outbound access permissions must be configured for all EAPs
• Not required to document the inner workings of stateful firewalls, where connections initiated in one direction are allowed a return path
• EAP must incorporate an access control model that denies access by default
Measures (Part 1.3)
• Established baseline
• Electronic Access Point(s) configuration(s)
• Utilize 'remark' type command
CIP-005-5 R1 Part 1.4
• Authentication is required for all Dial-up connectivity access, where technically feasible
Change Rationale (Part 1.4)
• Added clarification that dial-up connectivity should perform authentication so that the BES Cyber System is not directly accessible with a phone number only.
Audit Approach (Part 1.4)
• Authentication required for all dial-up accessible Cyber Assets
o Secure modem with authentication feature (e.g., username, password)
o Documented process describing how authentication is accomplished (e.g., dial-back, user challenge authentication, temporary modem plug-in)
• Authentication – does not require multi-factor authentication as in interactive remote access
CIP-005-5 R1 Part 1.5
• Having one or more methods for detecting malicious communications for inbound and outbound ESP traffic
CIP-005-5 R1.5 Change Rationale
• Per FERC Order No. 706, Paragraphs 496-503, ESPs need two distinct security measures such that the Cyber Assets do not lose all perimeter protection if one measure fails or is misconfigured. The Order makes clear this is not simple redundancy of firewalls, thus the SDT has decided to add the security measure of malicious traffic inspection as a requirement for these ESPs.
Audit Approach (Part 1.5)
• Direction of the traffic monitored – both inbound and outbound traffic subject to the application of a malicious code detection mechanism
• Placement of malicious communications inspection – specific architecture and placement is not prescribed
• Number of malicious code detection mechanisms (e.g. IDS) – Applicability is set at the EAP level
• Alerting is addressed through CIP-007-5 R4
CIP-005-5 R2.1
• Intermediate system(s) are required for Interactive Remote Access (IRA), to ensure direct access to Cyber Asset(s) is prohibited
R2.1 Audit Approach
• All Interactive Remote Access requires an Intermediate System that "proxies" all traffic into the ESP
– No direct external access from client to internal BES Cyber Asset
– Source IP address is the IP address of the intermediate system
– NERC Remote Access guidance documentation
• System-to-system process communications not considered IRA – can this communication be accessed for Interactive Remote Access?
CIP-005-5 R2.2
• Interactive Remote Access sessions must be encrypted and terminated at the intermediate system.
R2.2 Audit Approach
• Interactive Remote Access requires encryption from the remote client all the way to the intermediate system
• Interactive Remote Access is only allowed into the ESP from the source IP address of the intermediate system
• All intermediate system communications into the ESP must traverse an EAP prior to entry into the ESP
• Restrictive access controls must be defined for all traffic from the intermediate system into the ESP, and traffic must be unencrypted before entry into the ESP, to ensure data can be inspected
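The Part 1.3 measures (a documented reason for every permit, deny-all by default, 'remark' commands in the EAP configuration) and the R2.1/R2.2 audit approach (interactive access into the ESP only from the Intermediate System's source address) can be checked mechanically against an EAP access list. The following Python is an added example, not code from the presentation or from WECC; it assumes a simplified Cisco-style access list, constructed sample addresses, and that SSH and RDP are the interactive protocols to treat as IRA.

```python
"""Added audit helper (not from the WECC presentation): review an EAP access
list for CIP-005-5 Part 1.3 (documented reason per permit, deny-all default)
and R2.1/R2.2 (IRA into the ESP only from the Intermediate System). The ACL
syntax is a simplified Cisco-style format; all addresses are constructed."""
import ipaddress
import re

# Constructed sample EAP configuration; the third permit is deliberately
# undocumented and allows RDP into the ESP from a corporate subnet.
SAMPLE_ACL = """
ip access-list extended ESP-INBOUND
 remark CHG-1234 ICCP data exchange with peer control center
 permit tcp host 198.51.100.20 host 10.10.1.5 eq 102
 remark CHG-1301 IRA from Intermediate System (jump host) via SSH
 permit tcp host 192.0.2.10 10.10.1.0 0.0.0.255 eq 22
 permit tcp 203.0.113.0 0.0.0.255 10.10.1.0 0.0.0.255 eq 3389
 deny ip any any
"""
INTERMEDIATE_SYSTEM = ipaddress.ip_address("192.0.2.10")  # constructed value
IRA_PORTS = {22, 3389}  # assumption: interactive protocols used for IRA

PERMIT_RE = re.compile(
    r"permit\s+(?P<proto>\w+)\s+(?P<src>host\s+\S+|any|\S+\s+\S+)"
    r"\s+(?P<dst>host\s+\S+|any|\S+\s+\S+)(?:\s+eq\s+(?P<port>\d+))?"
)


def audit_eap_acl(text, intermediate=INTERMEDIATE_SYSTEM, ira_ports=IRA_PORTS):
    """Return (line number, finding) tuples; an empty list means no findings."""
    findings = []
    lines = [l.strip() for l in text.strip().splitlines()]
    last_remark = None
    deny_all_last = False
    for no, line in enumerate(lines, 1):
        if line.startswith("remark"):
            last_remark = line  # documented reason for the permit that follows
            continue
        if line.startswith("deny ip any any"):
            deny_all_last = no == len(lines)  # default deny must be the final entry
            continue
        m = PERMIT_RE.match(line)
        if not m:
            continue
        # Part 1.3: each permit needs a documented reason (its preceding remark)
        if last_remark is None:
            findings.append((no, "permit without a remark documenting the reason"))
        last_remark = None
        # R2.1/R2.2: interactive access into the ESP must originate from the
        # Intermediate System, never directly from an external client
        port = int(m["port"]) if m["port"] else None
        src = m["src"].split()
        if port in ira_ports and (
            src[0] != "host" or ipaddress.ip_address(src[1]) != intermediate
        ):
            findings.append((no, "interactive access not sourced from Intermediate System"))
    if not deny_all_last:
        findings.append((0, "no explicit deny-all default at end of access list"))
    return findings
```

Running `audit_eap_acl(SAMPLE_ACL)` flags the undocumented RDP permit twice (no remark, and not sourced from the Intermediate System); the function returns an empty list once that line is removed.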
CIP-005-5 R2.3
• IRA requires multi-factor authentication
R2.3 Audit Approach
• Multi-factor authentication is required for all Interactive Remote Access
• Multi-factor authentication requires at least two of the following:
– Something you have (tokens)
– Something you know (passwords)
– Something you are (biometrics)
• Multi-factor authentication is required at the intermediate system – this is in addition to external corporate VPN access authentication
References
• NERC Industry Advisory: Remote Access Guidance (2011). Retrieved from the North American Electric Reliability Corporation website on January 7, 2012, from http://www.nerc.com/fileUploads/File/Events%20Analysis/A-2011-08-24-1-Remote_Access_Guidance-Final.pdf
• NERC Guidance for Secure Interactive Remote Access (2011). Retrieved from the North American Electric Reliability Corporation website on January 7, 2012, from http://www.nerc.com/fileUploads/File/Events%20Analysis/FINAL-Guidance_for_Secure_Interactive_Remote_Access.pdf
Contact
Joe Andrews, MSc.IA, CISSP-ISSEP, ISSAP, ISSMP, CISA, PSP
Sr. Compliance Auditor – Cyber Security
Western Electricity Coordinating Council
jandrews[@]wecc[.]biz
Office: 801.819.7683