RELIABILITY | RESILIENCE | SECURITY
Hypervisor and Storage System
Project 2016-02 Modifications to the CIP Standards
CIP SDT Members
May 28, 2020
NERC Antitrust
It is NERC’s policy and practice to obey the antitrust laws and to avoid all conduct that unreasonably restrains competition. This policy requires the avoidance of any conduct that violates, or that might appear to violate, the antitrust laws. Among other things, the antitrust laws forbid any agreement between or among competitors regarding prices, availability of service, product design, terms of sale, division of markets, allocation of customers or any other activity that unreasonably restrains competition. It is the responsibility of every NERC participant and employee who may in any way affect NERC’s compliance with the antitrust laws to carry out this commitment.
NERC Public Disclaimer
Participants are reminded that this meeting is public. Notice of the meeting was widely distributed. Participants should keep in mind that the audience may include members of the press and representatives of various governmental authorities, in addition to the expected participation by industry stakeholders.
Questions
Please use the Q&A feature in WebEx to ask any relevant questions during the presentation. We will be holding questions until the end of the presentation.
Agenda
• Hypervisor
  o What is a Hypervisor
  o Benefits of Hypervisor
  o Challenges for CIP Compliance
  o Changes Made
• Storage
  o What is a storage system
  o Benefits of storage
  o Challenges for CIP Compliance
  o Changes Made
• Hyper-Converged
What is a Hypervisor?
• The Hypervisor is the core software that provides server virtualization.
• Two basic types
  o Bare metal
    o IBM PowerVM
    o VMware ESXi
    o Xen
    o Microsoft Hyper-V
  o Hosted
    o VirtualBox
    o VMware Workstation
Benefits of a Hypervisor
Hypervisors provide many benefits
• Efficiency
• Security
• Disaster Recovery
• Software Mobility
• Separation of the hardware/software Lifecycle
Hypervisor Challenges
• Some of the challenges for CIP Compliance:
  o Definitional Construct
  o Security Gaps
Hypervisor Challenges
[Diagram. Labels: BES Cyber Asset; Hypervisor; Protected Cyber Asset; Change to BES Cyber Asset; CA Includes Hardware; CA Includes Software; No 15 minute impact to the BES]
Cyber Assets: Programmable electronic devices, including the hardware, software, and data in those devices.
Hypervisor Challenges
[Diagram, two panels: "VM treated as Software" and "VM treated as CA". Labels: Software (VM) / VM; Hypervisor; BES Cyber Asset; CIP-007 Requirements]
Hypervisor Changes
• Some of the changes made to support Hypervisors:
  o Virtual Cyber Asset (VCA): A logical instance of an operating system or firmware hosted on Shared Cyber Infrastructure. (Subject of a future webinar)
  o Shared Cyber Infrastructure (SCI): One or more programmable electronic devices (excluding Management Modules) and their software that share their computer or storage resources with one or more Virtual Cyber Assets or other Cyber Assets; including Management Systems used to initialize, deploy, or configure the SCI.
  o SCI applicability Example:
    o “SCI hosting High or Medium Impact BCS or their associated PACS, EACMS, or PCA.”
Hypervisor Changes
[Diagram: Cloud of Applicability. Labels: BCS; BCA; EACMS; PCA; PACS; CA; VCA; SCI; Function; Form]
Hypervisor Changes
*NEW CIP-005 Requirement R1 Part 1.2 (Applicable to SCI)
• Affinity – Protect from side-channel attacks by preventing sharing of CPU/Memory
  “1.2.1. Management Systems may only share CPU and memory with other Management Systems and its associated SCI, per system capability.
• Controlled Communications – Limit communication to management
  1.2.2. Have one or more methods for permitting only needed and controlled communications to and from its Management Interfaces and Management Systems, logically isolating all other communications.
• Denied Tenant Communication
  1.2.3. Deny communications from BES Cyber Systems and their associated PCAs to the Management Interfaces and Management Systems.”
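An added example, not part of the NERC slides: one way to audit a first-match ACL against the draft Parts 1.2.2 and 1.2.3 quoted above. The subnets, the list of needed admin sources and the rule set are constructed; the sketch assumes a default-deny ACL, ignores ports, and checks only traffic toward the management network.

```python
from ipaddress import ip_network

# Constructed address plan (assumptions, not taken from the slides).
MGMT = ip_network("10.0.0.0/24")        # Management Interfaces and Management Systems
ADMIN = ip_network("10.0.9.0/28")       # sources the entity has determined are needed
TENANTS = [ip_network("10.20.0.0/16"),  # BES Cyber Systems
           ip_network("10.30.0.0/16")]  # their associated PCAs

# Constructed first-match ACL: (action, source, destination); default deny assumed.
ACL = [
    ("allow", "10.0.9.0/28", "10.0.0.0/24"),
    ("deny", "10.20.0.0/16", "10.0.0.0/24"),
    ("allow", "10.20.5.0/24", "10.0.0.10/32"),  # never matches: shadowed by the deny above
    ("allow", "10.0.0.0/8", "10.0.0.0/24"),     # broad rule that still admits the PCA range
    ("deny", "0.0.0.0/0", "0.0.0.0/0"),
]

def overlap(a, b):
    """Intersection of two CIDR blocks: the narrower block, or None if disjoint."""
    if a.subnet_of(b):
        return a
    return b if b.subnet_of(a) else None

def shadowed(rules, i, src, dst):
    """True if a single earlier deny rule covers all of src -> dst."""
    return any(act == "deny" and src.subnet_of(s) and dst.subnet_of(d)
               for act, s, d in rules[:i])

def audit(acl):
    """Return (part, rule_index, offending_source) for each reachable allow to MGMT."""
    rules = [(act, ip_network(s), ip_network(d)) for act, s, d in acl]
    findings = []
    for i, (act, src, dst) in enumerate(rules):
        hit = overlap(dst, MGMT)
        if act != "allow" or hit is None:
            continue
        for tenant in TENANTS:                       # Part 1.2.3: tenants must be denied
            s = overlap(src, tenant)
            if s is not None and not shadowed(rules, i, s, hit):
                findings.append(("1.2.3", i, str(s)))
        if not src.subnet_of(ADMIN) and not shadowed(rules, i, src, hit):
            findings.append(("1.2.2", i, str(src)))  # Part 1.2.2: source not on the needed list
    return findings

if __name__ == "__main__":
    for part, idx, source in audit(ACL):
        print(f"Part {part}: rule {idx} permits {source} to reach {MGMT}")
```

Shadowing is judged against one earlier deny at a time, so the audit may over-report where several denies together cover a range.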
Hypervisor Changes
*NEW CIP-007 Requirement R1 Part 1.3 (Applicable to SCI)
Alternative to Ports and Services for Shared Cyber Infrastructure
“Enable only services that have been determined to be needed by the Responsible Entity, per system capability.”
What is a Storage System
• Resources shared are consumed by another device outside of itself.
• In general, consists of:
  o One or more Storage controllers
    o These can be hardware or software
  o Disks
    o Spinning disks (traditional Hard Drives)
    o Solid State disks (Flash)
• Examples are SAN, NAS, DAS, & Cloud
Benefits of a Storage System
• Some of the benefits realized by the use of a storage system:
  o Deduplication
  o Compression
  o Snapshots
  o Centralized management of data
  o Advanced capabilities:
    o Continuous Backup
    o Business Continuity
    o Disaster Recovery
    o Cloud extension
Storage System Challenges
• Some of the challenges for CIP compliance:
  o Definitional Construct
  o Where is your data?
  o Security Gaps
• NOTE: Deduplication
Changes made for Storage System
• Some of the Changes made to support Storage Systems:
  o SCI Definition
  o SCI Applicability
  o CIP-005 Requirement R1 Part 1.2
  o CIP-007 Requirement R1 Part 1.3
  o NOTE: CIP-011
Hyper-Converged
• Hyper-converged infrastructure (HCI) is a software-defined IT infrastructure that virtualizes all of the elements of conventional "hardware-defined" systems. It includes:
  o Hypervisor
  o Software-defined storage
  o Virtualized networking (software-defined networking)
• The software defined storage is often local disks within the physical servers. Most hardware vendors have their own flavor of this available now. Some examples of this are:
  o NetApp HCI
  o Cisco Hyperflex
  o Nutanix
  o DellEMC VxRail
Hyper-Converged Challenges
• Because of how the HCI Storage System is designed, separating systems of differing impact may not be possible.
• Where is your data?
• Deduplication
What we Covered
• Hypervisor
  o What is a Hypervisor
  o Benefits of Hypervisor
  o Challenges for CIP Compliance
  o Changes Made
• Storage
  o What is a storage system
  o Benefits of storage
  o Challenges for CIP Compliance
  o Changes Made
• Hyper-Converged
Q&A Objectives
• Informal Discussion
  o Via the Q&A feature
  o Chat only goes to the host, not panelists
  o Respond to stakeholder questions
• Other
  o Some questions may require future team consideration
  o Please reference slide number, standard section, etc., if applicable
  o Team will address as many questions as possible
  o Webinar and chat comments are not a part of the official project record
  o Questions regarding compliance with existing Reliability Standards should be directed to ERO Enterprise compliance staff, not the Standard Drafting Team.