20140514 - Presenation - 4 - CIP-005_May_V5_SLC


Mick Neshem
CISA, CISSP, CSSA
Senior Compliance Auditor – Cyber Security
CIP-005-5
Compliance Outreach CIP v5 Roadshow
May 14-15, 2014
Salt Lake City, UT
V5 Open Actions [SAR 1-4]
1. Modify or remove the IAC in the 17 impacted requirements [February 3, 2015]
2. Develop modifications to the CIP standards to address security controls for Low impact assets
3. Develop requirements to protect transient electronic devices - thumb drives, laptops that do not meet the BES Cyber Asset definition
4. Create a definition of “communication networks” and develop new or modified standards that address the protection of communication networks [February 3, 2015]
5. Study the application of the 15-minute parameter for identification of BES Cyber Assets and the impact of this time constraint on the overall security and reliability of the BES.
Source: SDT Industry Webinar.pdf – April 22, 2014
FERC Staff Technical Conference (4/29/14)
• whether additional definitions and/or security controls are needed to protect Bulk-Power System communications networks, including remote systems access
• adequacy of the approved CIP version 5 Standards’ protections for Bulk-Power System data being transmitted over data networks
• functional differences between the respective methods utilized for identification, categorization, and specification of appropriate levels of protection for cyber assets using CIP version 5 Standards as compared with those employed within the National Institute of Standards and Technology Security Risk Management Framework.
http://ferc.gov/CalendarFiles/20140227165846-RM13-5-000TC.pdf
FERC Technical Conference Update
• Significant discussion regarding Communications Network
• Cyber Systems use of non-routable communication
• Cyber Security Procurement Processes
• NIST Risk Management Framework and Cyber Security Framework
Terminology
• Cyber Asset
• BES Cyber Asset (BCA)
• BES Cyber Systems (BCS)
• Protected Cyber Asset (PCA)
• Electronic Security Perimeter (ESP)
• External Routable Connectivity (ERC)
• Electronic Access Point (EAP)
• Dial-up Connectivity
V3 vs. V5 Requirement Count
• CIP v3
o 5 Requirements (Version 3)
o 26 Sub-requirements
• CIP v5
o 2 Requirements (Version 5)
o 8 Parts
Applicable Systems
[Slide: applicability table, not captured in the transcript]
Moved
[Slide: table of moved requirements, not captured in the transcript]
Deleted
[Slide: table of deleted requirements, not captured in the transcript]
IAC
• 17 CIP Requirements that include IAC (2/3/2015)
• CIP-005-5 contains no Identify, Assess and Correct language in the requirement.
CIP-002-5 & CIP-005-5
• CIP-002-5 is the initial identification of the BES Cyber System
• It is important for the CIP-002-5 and CIP-005-5 teams in your organization to work closely in the identification of BES Cyber Systems and Impact Rating Criteria (IRC)
• ESP boundaries and High Water Mark impacts may affect CIP-005-5 architecture
High Level Relationships [CIP-002-5]
[Slide series (four diagrams): BES Assets → High Impact Facilities (R1.1) and Medium Impact Facilities (R1.2) → BES Cyber Systems (BCS) → BES Cyber Assets, with PCA shown alongside each BCS. High Impact Facilities are Control Centers and Backup Control Centers (RC, BA, TOP or GOP) that meet CIP-002-5 Attachment 1 Section 1 requirements; Medium Impact Facilities meet CIP-002-5 Attachment 1 Section 2 requirements. The diagram annotations carry the following definitions:]
BES Cyber System: One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.
Cyber Asset: Programmable electronic devices, including the hardware, software, and data in those devices.
BES Cyber Asset: A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact. Each BES Cyber Asset is included in one or more BES Cyber Systems. (A Cyber Asset is not a BES Cyber Asset if, for 30 consecutive calendar days or less, it is directly connected to a network within an ESP, a Cyber Asset within an ESP, or to a BES Cyber Asset, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.)
CIP-005-5 R1 Part 1.1
Changes
[Slide: V3 to V5 change mapping, not captured in the transcript. Reference: http://www.nerc.com/docs/standards/sar/Mapping_Document_012913.pdf]
CIP-005-5 R1.1 [ESP]
[Flow diagram: High Impact BCS (+ PCA) or Medium Impact BCS (+ PCA) → Internal Routable Connectivity? YES → R1.1 Requires ESP]
Electronic Security Perimeter: The logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol.
Protected Cyber Asset: One or more Cyber Assets connected using a routable protocol within or on an Electronic Security Perimeter that is not part of the highest impact BES Cyber System within the same Electronic Security Perimeter. The impact rating of Protected Cyber Assets is equal to the highest rated BES Cyber System in the same ESP. A Cyber Asset is not a Protected Cyber Asset if, for 30 consecutive calendar days or less, it is connected either to a Cyber Asset within the ESP or to the network within the ESP, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.
Defined ESP
[Diagram: an ESP around a High BES Cyber System made up of BCAs, with PCAs on the same network]
Electronic Security Perimeter
• Version 3 (1/18/2008)
o The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.
• Version 5 (4/1/2016)
o The logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol.
Electronic Security Perimeter(s) ‘defined’
• ESP defines a zone of protection around the BES Cyber System
• Helps determine what systems or Cyber Assets are in scope and what Impact Rating the Cyber Systems meet; this ultimately determines which requirements are applicable
ESPs
• Isolated
• Discrete
• Extended
Isolated ESP
• ESP network with no external connectivity
o An ESP (a logical border) is required around every routable protocol network that contains a BES Cyber System, even if it is an isolated network and has no external connectivity
Isolated ESP – No External Communications
[Diagram: EMS Electronic Security Perimeter with no external connection: EMS servers, workstations, file server and printers (BCA and PCA), switch and router (BCA/PCA); CIP-002, CIP-005 and CIP-007 labels mark where each standard applies]
High Water Mark
• CIP Cyber Security Standards do not require network segmentation of BES Cyber Systems by impact classification
• A new concept from the tiered impact model
• Many different impact classifications can be identified within an ESP; however, the highest level of the BCS within the ESP sets the High Water Mark for all associated assets within that ESP
High Water Mark
[Two diagrams: an ESP inside a PSP containing a High BES Cyber System and a Medium BES Cyber System (BCAs) with PCAs and EAPs; the High system sets the High Water Mark for the whole ESP]
Discrete ESPs
[Two diagrams, routable protocols: separate ESPs, each with its own EAP, around a High BES Cyber System and a Medium BES Cyber System; a Low BES Cyber System is shown without an ESP]
Extended ESP
[Two diagrams: High BES Cyber Systems at several sites joined by encrypted tunnels into one ESP; the second diagram adds a CORP network connected through an EAP]
Extended ESP
• “If an entity wishes to state that a wide area network of sites are within one ESP, regardless of encryption, then all Cyber Assets (which includes, e.g., all communication or networking equipment) within that very large ESP become associated PCAs and must meet the Requirements of the highest level BES Cyber System in the ESP. The standards do not preclude doing this, but there are implications that Responsible Entities should take into account”
Final_Petition_CIP_V5.pdf (Jan. 31, 2013, page 45)
CIP-005-5 Communication Equipment
• Communications equipment between sites:
o If using routable communication, the communications equipment connecting discrete ESPs is not in scope (4.2.3.2)
o Extended ESPs will need to include the communications equipment – not “discrete” ESPs
o Serial communications equipment will be included as no exclusion exists
o This is TBD by the Communication standard work in progress - wait and see, GET INVOLVED
- Contact Ryan Stewart at NERC to be added to the SDT plus list [email protected]
BCS Boundaries
Can a BCS span multiple facilities crossing discrete ESPs?
BCS Boundaries [Single BCS]
[Diagram not captured in the transcript]
BCS Boundaries [Multi BCS]
[Diagram not captured in the transcript]
Example EMS ESP [Routable]
[Two diagrams of an EMS Electronic Security Perimeter: EMS servers, workstations, file server, printers, access control server, switches and routers inside the ESP; firewalls acting as EAPs toward the EMS WAN and toward CorpNet; a DMZ holding the EACMs and the Intermediate Server; CIP-002, CIP-005 and CIP-007 labels mark where each standard applies. The first diagram carries V3 labels (CCA); the second relabels the same assets as BCA and PCA. Annotation: “All PCA devices take on the impact level of the BCS”.]
Example EMS ESP [Multi-BCS ESP]
[Diagram: the same ESP with a HIGH BCS (EMS servers) and a MEDIUM BCS (BCS server and BCS workstations) on one network]
Example EMS ESP [High Water Mark Impact]
[Diagram: the same ESP with the non-BCS workstations, file server and printers labelled PCA. Annotation: “All PCA devices take on the impact level of the BCS”.]
Non-Routable BCS
• Cyber Assets are subject to the CIP standards based on their functionality and resultant potential impact to BES reliability
• BES Cyber Systems and associated BES Cyber Assets are not dependent upon a routable protocol (see definitions)
o A BES Cyber System may include non-routable (serial) devices. End point devices (relays) may be included within the v5 requirements and identified as BES Cyber Assets, even if no routable communications exist. Therefore, there are v5 requirements to be addressed (i.e. CIP-007-5)
BCS and ESPs
• Does a BCS require an ESP?
o A BCS may not require an ESP
o A BCA with no routable connectivity cannot be part of an ESP
o The level of protection required depends on the classification (IRC) of the asset
- Still required to apply the protections under CIP-007 that apply to a BCA/PCA
Mixed connectivity BCS
[Diagram; label: Non-routable BCA]
Non-Routable BCS
[Diagram; label: BCS]
Measures (Part 1.1)
• List of BES Cyber Systems
• List of BES Cyber Assets within each BCS
o A BCA may be included in more than one BCS
• List of Protected Cyber Assets (associated assets)
• ESP network topology including subnets
• Cyber Asset IP addresses
CIP-005-5 R1 Part 1.2
Changes
[Slide: V3 to V5 change mapping, not captured in the transcript]
CIP-005-5 R1.2 [Electronic AP]
[Flow diagram: High Impact BCS (+ PCA) or Medium Impact BCS (+ PCA) → Internal Routable Connectivity? YES → R1.1 Requires ESP → External Routable Connectivity? YES → R1.2 Requires Electronic Access Point]
External Routable Connectivity: The ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection.
Electronic Access Point: A Cyber Asset interface on an Electronic Security Perimeter that allows routable communication between Cyber Assets outside an Electronic Security Perimeter and Cyber Assets inside an Electronic Security Perimeter.
Change Rationale (Part 1.2)
• Changed to refer to the defined term Electronic Access Point (EAP versus ESP access point) and BES Cyber System
• Where external routable connectivity and the ESP logical border are defined by the implementation of Electronic Access Points (EAPs)
Electronic Access Point ‘identified’
• Firewalls
• Modems
• VPN concentrators
• Dual-homed systems
• Protocol converters (communications controllers, FEP, etc.)
• Etc.
Unidirectional Gateways
[Diagram not captured in the transcript]
External Routable Connectivity
• ‘External Routable Connectivity’ includes the term ‘bi-directional’
o ‘bi-directional routable protocol connection’
• Systems behind a data diode do not have External Routable Connectivity
Serially Connected Cyber Assets
• Are serially connected Cyber Assets within scope for Requirements applicable to BES Cyber Systems with External Routable Connectivity?
o All BES Cyber Assets are in scope of all the CIP Version 5 standards
o Type of connectivity limits applicability
Protocol Conversion
• Non-intelligent Device – thing of the past
o Serial ↔ IP conversion
o One to one relationship – one serial port & 1 IP port
o Non-intelligent – no advanced conversion capabilities
• Intelligent Device
o Serial ↔ IP conversion
o Multiple serial ports supported with individual port management
o Advanced conversion and connectivity capabilities per serial port
- Reverse telnet per serial port
- Passthru capabilities – direct IP to specific serial device connected to a serial port on the device
Cisco TS [2511] – Reverse Telnet
[Diagram: TCP port associated with the specific serial device]
http://www.cisco.com/c/en/us/support/docs/dial-access/asynchronous-connections/5466-commserver.html#design
http://www.cisco.com/c/en/us/support/docs/dial-access/asynchronous-connections/177199.html#reversetelnet
DIGI TS
http://ftp1.digi.com/support/documentation/9028700c.pdf (page 113)
Protocol Conversion Issues
• External Routable Connectivity (ERC)
• High Water Mark Impacts
• Electronic Security Perimeter (ESP)
• Electronic Access Point (EAP)
• V5 Standard & Guidance
• Connectivity versus accessibility
Serial to Field Device
[Two diagrams not captured in the transcript]
[Diagram series: “Serial Communications [standalone ESPs]”, “Routable Communications [Discrete ESPs]”, “Single BCS across PSP/ESP [Discrete ESPs]”, “Multiple BCS example [Routable – Discrete ESPs]”, “PCC Serial WAN ↔ Serial Subs” and “PCC Routable with Serial & IP substations”. Each shows a SCADA WAN reaching substation BCAs over telecom links, with legend items RTU, Terminal Server, Protocol convertor, FEP and Router/Switch, every link marked serial, IP or Serial/Routable, and each substation BCS marked Medium, High or Low. Where a path is routable an EAP is drawn at each ESP; on the end-to-end serial diagram no EAP appears. The last two diagrams place the EMS Electronic Security Perimeter (High BCS, Medium BCS, PCAs, CorpNet EAP) inside a PSP and connect it to RTUs over serial links, and then over IP links to substations with their own EAPs.]
Field Devices - Complexity
• Connection method (serial, Ethernet, etc.)
• Connection protocol (non-routable, routable)
• Serial convertors/controllers – IP accessible requires EAP capabilities if IRA
• End to end serial, no ESP or EAP required
• Be aware of multiple connection types
SEL-421 Connectivity capabilities
[Diagram: SEL-421 connection options, Ethernet (IP) highlighted]
https://www.selinc.com/SEL-421/
IP Accessible CIP-006-5 ERC Impacts
• CIP-006-5
• Part 1.2 – physical access controls
• Part 1.4 – Monitor for unauthorized PSP access
• Part 1.5 – Alarms and alerts on detection of unauthorized access to PSP
• Part 1.6 – PACS systems monitoring
• Part 1.7 – PACS alarms
• Part 1.8 – Logging of access for authorized unescorted access
• Part 1.9 – Retention of access logs for 90 days
• Part 2.1 – Visitor escort requirements
• Part 2.2 – Visitor logging required
• Part 2.3 – Visitor log retention
Span Ports
[Diagram: https://supportforums.cisco.com/docs/DOC-32763]
Span Ports
• SPAN – typical for IDS sensor
o local
• RSPAN
o Cannot cross any Layer 3 device
• ERSPAN (Cisco proprietary)
o Can monitor traffic across a WAN or different networks – L3 connectivity
o Look for an identified EAP
R1.2 Audit Approach
• V3 Electronic Access Points and routable connectivity concepts are valid – ESPs expanded to “isolated” ESPs
• Electronic Access Point required for all ESPs with any external routable connectivity to or from BES cyber assets
• External Routable Connectivity –
o What about “IP Accessible” via routable protocol?
o Routable protocol accessible? – serial ↔ IP conversion
o The serial field devices are no longer under a serial exemption, therefore they are included within a BCS as a BCA. They are now included in CIP compliance Standards based on BES criteria (reliability operating services), regardless of their connectivity method
o However, be aware of reverse telnet risks (IP Accessible) associated with protocol conversion devices – may require IRA and ERC requirements
o Extended ESPs are still a valid ESP configuration
Measures (Part 1.2)
• Network Diagrams
• External routable communication paths
• List of all Identified EAPs
CIP-005-5 R1 Part 1.3
CIP-005-5 R1.3 [Bi-Directional Controls]
[Flow diagram: High Impact BCS (+ PCA) or Medium Impact BCS (+ PCA) → Internal Routable Connectivity? YES → R1.1 Requires ESP → External Routable Connectivity? YES → R1.2 Requires Electronic Access Point → R1.3 Requires Bi-directional controls. The diagram repeats the definitions of Electronic Security Perimeter, External Routable Connectivity, Electronic Access Point and Protected Cyber Asset given on the R1.1 and R1.2 slides.]
Change Rationale (Part 1.3)
• Changed to refer to the defined term Electronic Access Point and to focus on the entity knowing and having a reason for what it allows through the EAP in both inbound and outbound directions
Audit Approach (Part 1.3)
• Responsible Entity knows what other Cyber Assets or ranges of addresses a BES Cyber System needs to communicate with and limits the communications to that known range
• Not required to document the inner workings of stateful firewalls, where connections initiated in one direction are allowed a return path
Access Permissions
• “SDT notes the requirement does not require that all 65535 ports be documented as this is a ‘deny by default’ requirement and only the remaining open ports (those that ‘grant access’) should be documented.”
Final_Petition_CIP_V5.pdf (Jan. 31, 2013, page 46)
Measures (Part 1.3)
• Established baseline
• Electronic Access Point(s) configuration(s)
• Utilize ‘remark’ type command
ACL Remarks
object-group network BCS1
 network-object host 10.1.1.3
 network-object host 10.1.1.4
object-group network BCS2
 network-object host 172.16.1.5
 network-object host 172.16.1.8
access-list 101 remark BCS1 hosts allowed to communicate with BCS2 hosts
access-list 101 remark permit_SSH for EIA
access-list 101 permit tcp host 10.1.1.2 host 172.16.1.10 eq 22
access-list 101 remark deny by default CIP-005-5 R1.3
access-list 101 deny ip any any log
access-list 201 remark BCS2 hosts allowed to communicate with BCS1
access-list 201 remark permit_iccp
access-list 201 permit tcp host 10.1.1.3 host 172.16.1.5 eq 102
access-list 201 remark deny by default CIP-005-5 R1.3
access-list 201 deny ip any any log
access-group 101 in interface ethernet0/0
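As an added example (not from the presentation), the following Python script reads EAP access-list lines of the kind shown on the ACL Remarks slide and produces the R1.3 evidence the audit approach asks for: the permits that ‘grant access’, each paired with the reason recorded in the preceding remark, plus findings for any permit without a remark and any ACL that does not end in a logged deny-by-default entry. The sample ACL text is constructed for this example and deliberately contains both defects.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: two EAP access-lists in the style of the ACL Remarks slide.
# ACL 201 deliberately has a permit without a remark and an unlogged final deny.
SAMPLE_ACL = """\
access-list 101 remark BCS1 hosts allowed to communicate with BCS2 hosts
access-list 101 remark permit_SSH for EIA
access-list 101 permit tcp host 10.1.1.2 host 172.16.1.10 eq 22
access-list 101 remark deny by default CIP-005-5 R1.3
access-list 101 deny ip any any log
access-list 201 remark BCS2 hosts allowed to communicate with BCS1
access-list 201 remark permit_iccp
access-list 201 permit tcp host 10.1.1.3 host 172.16.1.5 eq 102
access-list 201 permit tcp host 10.1.1.3 host 172.16.1.5 eq 502
access-list 201 remark deny by default CIP-005-5 R1.3
access-list 201 deny ip any any
"""


@dataclass
class Entry:
    acl: str
    action: str            # "permit" or "deny"
    proto: str             # ip, tcp, udp, ...
    src: str               # "any", a host address, or "addr/wildcard"
    dst: str
    port: Optional[str]    # value after "eq", if any
    logged: bool
    reason: Optional[str]  # remark text immediately preceding this entry


@dataclass
class Report:
    permits: List[Entry] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def _addr(tokens: List[str]) -> str:
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return "any"
    if t == "host":
        return tokens.pop(0)
    return f"{t}/{tokens.pop(0)}"


def _parse_entry(acl: str, body: str, remarks: List[str]) -> Entry:
    tokens = body.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, dst = _addr(rest), _addr(rest)
    port = None
    if rest[:1] == ["eq"]:
        port, rest = rest[1], rest[2:]
    return Entry(acl, action, proto, src, dst, port, "log" in rest,
                 " / ".join(remarks) or None)


def audit_acls(text: str) -> Report:
    """Collect documented permits and flag gaps against the R1.3 deny-by-default rule."""
    report = Report()
    entries: Dict[str, List[Entry]] = {}
    pending: Dict[str, List[str]] = {}   # remarks waiting for their entry, per ACL
    for line in text.splitlines():
        m = re.match(r"^\s*access-list\s+(\S+)\s+(?:extended\s+)?(.*)$", line)
        if not m:
            continue
        acl, body = m.group(1), m.group(2).strip()
        if body.startswith("remark "):
            pending.setdefault(acl, []).append(body[len("remark "):])
            continue
        entries.setdefault(acl, []).append(_parse_entry(acl, body, pending.pop(acl, [])))
    for acl, aces in entries.items():
        last = aces[-1]
        if not (last.action == "deny" and last.proto == "ip"
                and last.src == "any" and last.dst == "any"):
            report.findings.append(f"ACL {acl}: no explicit deny-by-default entry at the end")
        elif not last.logged:
            report.findings.append(f"ACL {acl}: final deny is not logged")
        for e in aces:
            if e.action != "permit":
                continue
            report.permits.append(e)   # these are the open ports R1.3 asks to document
            if e.reason is None:
                report.findings.append(
                    f"ACL {acl}: permit {e.proto} {e.src} -> {e.dst} eq {e.port} "
                    "has no remark stating its reason")
    return report


if __name__ == "__main__":
    rep = audit_acls(SAMPLE_ACL)
    for p in rep.permits:
        print(f"{p.acl}: {p.proto} {p.src} -> {p.dst} eq {p.port}  reason: {p.reason}")
    for f in rep.findings:
        print("FINDING:", f)
```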
Audit Approach (Part 1.3)
• Requirement does not require that all 65535 ports be documented as this is a ‘deny by default’ requirement
• Only the remaining open ports (those that ‘grant access’) should be documented per R1.3
• Does not limit the Responsible Entity from controlling outbound traffic at the level of granularity that it deems appropriate; large ranges of internal addresses may be allowed
Identifying Ports and Services for EAP/EACM
• Is an EAP an EACM in version 5?
o To remove any cross referencing, these Cyber Assets are now included in the Applicability column for each cyber security requirement
Categorization Criteria
• Electronic Access Control or Monitoring Systems (“EACMS”)
o Examples include: Electronic Access Points, Intermediate Devices, authentication servers (e.g., RADIUS servers, Active Directory servers, Certificate Authorities), security event monitoring systems, and intrusion detection systems
CIP-005-5 R1 Part 1.4
Changes
[Slide: V3 to V5 change mapping, not captured in the transcript]
Change Rationale (Part 1.4)
• Added clarification that dial-up connectivity should perform authentication so that the BES Cyber System is not directly accessible with a phone number only
‘Dial-up Connectivity’
• A data communication link that is established when the communication equipment dials a phone number and negotiates a connection with the equipment on the other end of the link
• CIP-005-5 is silent on differentiating Dial-in vs. Dial-out direction
• Dial-up is generally and historically recognized as a two-way communication service once established
• Requirement R2 (Interactive Remote Access) builds upon Requirement R1.4 when the session meets the definition of Interactive Remote Access
R1.4 Audit Approach
• Requires authentication for all dial-up accessible cyber assets
• Authentication – does not require multi-factor authentication as in IRA
• Capability does not mean “because we do not want to” or “it makes access difficult”, “our techs won't use it”, etc.
CIP-005-5 R1.4 Applicability
• Applies to any access including machine to machine
• CIP-005 R1.4 concerns the security of the ‘network’ level and requires that there be some form of authentication before a ‘network’ connection is established to the BES Cyber System
o R2 only applies to ‘Interactive Remote Access’ which is user-based
• EAP-like functionality on dialups
o Once a connection is made, then CIP-007 applies as we’ve moved from the ‘network’ level security to device level security and any user access has to be authenticated at the device
Measures (Part 1.4)
• “…a documented process…”
• Auditors conducting performance audits
• “…how the Responsible Entity is providing authenticated access through each dial‐up connection.”
CIP-005-5 R1 Part 1.5
Changes
[Slide: V3 to V5 change mapping, not captured in the transcript]
CIP-005-5 R1.5 [Malicious Communication Detection]
[Flow diagram: High Impact BCS (+ PCA) or Medium Impact BCS at Control Centers (+ PCA) → Electronic Access Point Exists? Yes → R1.5 Requires Bi-directional monitoring for malicious activity]
Change Rationale
• Per FERC Order No. 706, Paragraphs 496-503, ESPs need two distinct security measures such that the Cyber Assets do not lose all perimeter protection if one measure fails or is misconfigured. The Order makes clear this is not simple redundancy of firewalls, thus the SDT has decided to add the security measure of malicious traffic inspection as a requirement for these ESPs.
Audit Approach (Part 1.5)
• Is the audit approach to detect 100% of all malicious communications?
o “Known or suspected”
o Communications that have attributes of known or suspected malicious communications
IDS placement
[Diagram, routable protocols: discrete ESPs around a High BES Cyber System and a Medium BES Cyber System, each with an EAP and an IDS placed at the EAP; a Low BES Cyber System is shown without an ESP]
Audit Approach (Part 1.5)
• Direction of the traffic monitored
o both inbound and outbound traffic subject to the detection
• Placement of malicious communications inspection
o specific architecture and placement is not prescribed
• Number of IDSs
o Applicability is set at the EAP level
o EAPs at Medium Impact BCS Control Centers need to be covered by the entity’s method for detecting malicious communications
• CIP-007-5 Part 4 addresses logging (4.1) and alerting (4.2) for this malicious communications detection device (EACMS)
EAP Malicious Code Prevention
• No TFE language in CIP-007-5 R3 for EACMS
• Requirement has been written at a much higher level than previous versions
• Guidance has numerous suggested methods up to and including policy level measures
• Requirement no longer prescriptively requires a single technology tool for addressing the issue
Unified Threat Management (UTM)
• Does the IDS measure have its own configuration, firmware, module?
• Can the IDS measure operate independent of a failure or misconfiguration of the Electronic Access Point?
Audit Approach (Part 1.5)
• Isolated networks applicability?
o Isolated networks do not have EAPs
o R1.5 would not be applicable?
o IDS is an EACM … therefore
- Detection is only one half of the issue
- Addressing or mitigating the detected threat per CIP-007-5 R4
EACMs and PACS
• EACMs and PACS can still be located outside an ESP
• PACS
o No distinction between “field devices” and “central servers”
o Protections primarily through the CIP-007 requirements for authorization, access control, and logging and monitoring for these systems
Measures (Part 1.5)
• Dual protection architecture
• IDS configuration
• Layer 7 firewall configuration
• Monitoring evidence
R1 Issues & Pitfalls
• EAP and Intrusion Detection System (IDS)
o Need both technologies, not just access control
• Inbound and outbound access controls
o Requires detailed understanding of all traffic
• Bi-directional monitoring
• Multiple ESPs with different impact levels at one facility
o Intercommunications and High Water Mark
• Extended ESPs may still be a valid ESP architecture – Technical conference to provide communications devices security controls may affect the Extended ESP architecture – stay tuned
R2 Interactive Remote Access
v5 Interactive Remote Access
• v5 – CIP-005-5 R2 Summary
- Requires Intermediate system [proxy/jump host]
- Requires encryption to intermediate system
- Requires multi-factor authentication at intermediate system
- Strong Procedures are not included as an option for interactive remote access
CIP-005-5 R2.1
Changes
[Slide: V3 to V5 change mapping, not captured in the transcript]
CIP-005-5 R2.1 [Intermediate System]
[Flow diagram: High Impact BCS (+ PCA) → Interactive Remote Access? Yes → R2.1 Requires Intermediate System for Interactive Remote Access; Medium Impact BCS → External Routable Connectivity? Yes → (+ PCA) → Interactive Remote Access? Yes → R2.1]
Interactive Remote Access: User-initiated access by a person employing a remote access client or other remote access technology using a routable protocol. Remote access originates from a Cyber Asset that is not an Intermediate System and not located within any of the Responsible Entity’s Electronic Security Perimeter(s) or at a defined Electronic Access Point (EAP). Remote access may be initiated from: 1) Cyber Assets used or owned by the Responsible Entity, 2) Cyber Assets used or owned by employees, and 3) Cyber Assets used or owned by vendors, contractors, or consultants. Interactive remote access does not include system-to-system process communications.
Intermediate System: A Cyber Asset or collection of Cyber Assets performing access control to restrict Interactive Remote Access to only authorized users. The Intermediate System must not be located inside the Electronic Security Perimeter.
R2.1 Audit Approach
• All Interactive Remote Access requires an intermediate system that “proxies” all traffic into the ESP
o No direct external access from client to internal BES cyber asset
o Source IP address is the IP address of the intermediate system – no pass through
• System-to-system process communications are not IRA
o Can these communications be accessed for interactive remote access?
• System interactive communication – capabilities are key, not limited to functional use alone
• Interactive Remote Access includes any cyber asset that is not within the ESP
o (i.e. Corp net, DMZs, Substation, Internet, etc.) and includes bi-directional traffic to/from a lower security zone (non-ESP)
• ESP ↔ ESP interactive access does not require R2
CIP-005-5 R2.2
CIP-005-5 R2.2 [Encrypted communications]
[Flow diagram: High Impact BCS (+ PCA), or Medium Impact BCS with External Routable Connectivity (+ PCA) → Interactive Remote Access? Yes → R2.1 Requires Intermediate System for Interactive Remote Access → R2.2 Requires encryption that terminates at Intermediate System]
R2.2 Audit Approach
• Interactive Remote Access requires encryption from the remote client all the way to the intermediate system
• Intermediate system provides decryption of the encrypted traffic
• ESP remote access only allowed into the ESP from the intermediate system
o source IP address of the intermediate system
• Restrictive access controls defined for all traffic from the intermediate system into the ESP
• All Intermediate system communications into the ESP must traverse an EAP prior to entry into the ESP
CIP-005-5 R2.3
CIP-005-5 R2.3 [Multi-factor Authentication]
[Flow diagram: High Impact BCS (+ PCA), or Medium Impact BCS with External Routable Connectivity (+ PCA) → Interactive Remote Access? Yes → R2.1 Requires Intermediate System for Interactive Remote Access → R2.2 Requires encryption that terminates at Intermediate System → R2.3 Requires multi-factor authentication]
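As an added example, not from the presentation: the following Python model walks the R1.1 → R1.2 → R1.3/R1.4/R1.5 and R2.1–R2.3 decision flows shown on the slides for one ESP, applying the High Water Mark rule to set the impact of everything inside it, and separately states what the slides say about a serial-only BCA (no ESP or EAP, CIP-007 still applies, review when a convertor makes it IP accessible). The class names Esp and BCS, the control_center flag and the sample systems are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

IMPACT_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


@dataclass
class BCS:
    name: str
    impact: str                   # CIP-002-5 rating: "HIGH", "MEDIUM" or "LOW"
    control_center: bool = False  # Medium Impact BCS at a Control Center (R1.5 scope)


@dataclass
class Esp:
    """One routable network holding BCS (and any PCAs) plus its connectivity facts."""
    name: str
    systems: List[BCS]
    external_routable: bool = False          # bi-directional routable path from outside
    dial_up: bool = False
    interactive_remote_access: bool = False  # user-initiated routable access from outside


def high_water_mark(esp: Esp) -> str:
    """The highest-rated BCS sets the impact for every BCA and PCA in the ESP."""
    return max((s.impact for s in esp.systems), key=IMPACT_RANK.__getitem__)


def applicable_parts(esp: Esp) -> Dict[str, str]:
    """Walk the R1.1 -> R1.2 -> R1.3 / R1.4 / R1.5 -> R2 flow for one ESP."""
    if esp.interactive_remote_access and not esp.external_routable:
        raise ValueError(f"{esp.name}: Interactive Remote Access is routable access "
                         "from outside the ESP, so External Routable Connectivity must be true")
    hwm = high_water_mark(esp)
    parts: Dict[str, str] = {}
    if hwm == "LOW":
        parts["note"] = ("Low impact only: no CIP-005-5 R1/R2 part applies "
                         "(Low impact controls are SAR item 2)")
        return parts
    parts["R1.1"] = (f"ESP required, even if isolated; {hwm} high water mark "
                     "applies to every BCA and PCA in it")
    if esp.external_routable:
        parts["R1.2"] = "all External Routable Connectivity passes through an identified EAP"
        parts["R1.3"] = ("inbound and outbound access permissions at the EAP, "
                         "deny by default, with a reason for each permit")
        if hwm == "HIGH" or any(s.impact == "MEDIUM" and s.control_center for s in esp.systems):
            parts["R1.5"] = ("bi-directional detection of known or suspected "
                             "malicious communications at the EAP")
    if esp.dial_up:
        parts["R1.4"] = "authentication on every dial-up connection before it reaches the BCS"
    if esp.interactive_remote_access:
        parts["R2.1"] = "Intermediate System outside the ESP proxies all Interactive Remote Access"
        parts["R2.2"] = "encryption from the remote client terminating at the Intermediate System"
        parts["R2.3"] = "multi-factor authentication at the Intermediate System"
    return parts


def serial_bca_scope(ip_accessible_via_convertor: bool) -> Dict[str, str]:
    """A BCA with no routable connectivity cannot be in an ESP but stays in CIP scope."""
    out = {"CIP-007": "device-level protections still apply based on the BCA's impact rating"}
    if ip_accessible_via_convertor:
        out["review"] = ("serial-to-IP convertor makes the device IP accessible "
                         "(e.g. reverse telnet): evaluate EAP, ERC and IRA requirements")
    else:
        out["CIP-005-5"] = "end-to-end serial: no ESP or EAP required"
    return out


if __name__ == "__main__":
    # Constructed example: EMS control center ESP with a High and a Medium BCS.
    ems = Esp("EMS ESP", [BCS("EMS servers", "HIGH"), BCS("PCC", "MEDIUM", True)],
              external_routable=True, interactive_remote_access=True)
    for part, what in applicable_parts(ems).items():
        print(part, "-", what)
```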
Multi-Factor Authentication -- examples
• Something the individual knows such
as passwords or PINs.
• Something the individual has such as
tokens, digital certificates, or smart
cards;
• Something the individual is such as
fingerprints, iris scans, or other
biometric characteristics.
R2.3 Audit Approach
• Multi-factor authentication is required for all Interactive Remote Access
• Multi-factor authentication requires at least two of the following:
o Something you have (tokens)
o Something you know (passwords)
o Something you are (biometrics)
• Multi-factor authentication is required at the intermediate system – this is in addition to external corporate VPN access authentication
v3 Remote Access [Discrete ESP]
[Diagram: Support and Vendor users reach the Corp DMZ over the Internet through an encrypted Corp VPN concentrator with 2-factor authentication; a Corporate User on CorpNet and the “Logical VPN User” both enter the ESP (EMS, EMS Console 1-4, HMI1, ICCP 1-2) through EAPs; a Mgmt DMZ with MgmtAD, ProdAD and a 2-factor Jump Host sits in front of the Prod Net. Annotations: “Technical solution requires 2-factor authentication for ESP access from both networks”; “All internal corp access into the ESP is the same as the ‘Logical VPN User’”; Jump Host: “Not required, but best practice”.]
v5 Remote Access [Discrete ESP]
[Diagram: the same topology with the ESPs marked Medium and High and PCAs shown; the Jump Host is now marked “REQUIRED”. Annotations: “Requires 2-factor authentication for ESP access”; “All internal corp access into the ESP is the same as the ‘Logical VPN User’”.]
R2 Issues & Pitfalls
• v5 potential issues:
o Adding an “intermediate system” into current remote access architectures
o Proxy architecture – how will this affect access data flows and performance
o Encryption to the intermediate system
o Multi-factor authentication at the intermediate system
o High water mark security
What Do We Do Now?
• Additional ESP identification – routable connectivity of High and Medium impact Cyber Systems – with no external routable communications
• Inbound and outbound access controls
o Requires detailed understanding of all traffic
• EAP and IDS – requires both technologies
• Bi-directional monitoring
• Adding an “intermediate system” into current remote access architectures
• Planning for proxy architecture – how will this affect access
• Encryption to the intermediate system
• Multi-factor authentication at the intermediate system
CIP-005-5 Roadshow Presentation Revision History
CIP-005-5 Change History
Version | Change | Date | By
V1 | Initial Presentation developed for SLC V5 Roadshow | 2/4/14 | M Neshem, M King
V2 | Presentation modified for Marina Del Ray Roadshow. Added drawings, VM slides added, UTM slides added and modified slide content | 3/18/14 | M Neshem, M King
V3 | SMUD Outreach presentation modified to clarify questions received from previous presentation. Serial relay communications clarification and additional detailed slides. SAR additional slide | 5/5/14 | M Neshem, M King
V4 | Updated content and presentation flow for SLC Roadshow based upon previous lessons learned. Removed redundant slides, modified content as needed. Change order of serial relay topic. Added Revision table. Updated slides 43 and 44 for clarification | 5/14/14 | M Neshem, M King
Questions?
Michael (Mick) Neshem CISA, CISSP, CSSA
Senior Compliance Auditor - Cyber Security
Western Electricity Coordinating Council (WECC)
7400 NE 41st Street, Suite 320
Vancouver, WA 98662
[email protected]
(C) 425.891.4671 (O) 801.734.8187