CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca


Page 1: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

CIP-005-5 Lessons Learned CIPUG

January 29, 2015 Anaheim, Ca

Morgan King

CISSP-ISSAP, CISA

Senior Compliance Auditor, Cyber Security

W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

Page 2: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

Lessons Learned

• External Routable Connectivity
• Interactive Remote Access
• Mixed Trust Authentication Environments
• Intrusion Detection Systems at the EAP
• Virtualization
  – Network
  – Server
  – SAN


Page 3: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

External Routable Connectivity Lesson Learned Purpose

• In applying the CIP v5 standards to Medium Impact BES Cyber Systems where serial-to-IP converters are used in the communication path, can the standards be applied such that serial devices either have, or do not have, External Routable Connectivity?


Page 4: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

If External Routable Connectivity

• CIP-004-7, All requirements
• CIP-005-5, R1.2, R2.1, R2.2, R2.3
• CIP-006-6, All requirements except R1.1
• CIP-007-7, R1.1, R4.2, R5.1, R5.3, R5.6


Page 5: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

Classification of BES Cyber Systems

• External Routable Connectivity
• Electronic Security Perimeter
• Electronic Access Control or Monitoring Systems
• High Impact BES Cyber Systems with External Routable Connectivity
• Medium Impact BES Cyber Systems with External Routable Connectivity


Page 6: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

ERC Defined

• “The ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection.”


Page 7: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

‘Access’

• Medium Impact BES Cyber Systems with External Routable Connectivity – Only applies to medium impact BES Cyber Systems with External Routable Connectivity. This also excludes Cyber Assets in the BES Cyber Systems that cannot be directly accessed through External Routable Connectivity.


Page 8: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

‘Its Associated’

• Can a serially connected BES Cyber Asset with no Electronic Security Perimeter, based on connectivity, still be considered logically associated with an Electronic Security Perimeter?


Page 9: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

‘Via’/Uses a routable protocol


Page 10: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

Serial Connections

• Pure serial connections, i.e. ones that do not transit via IP at any point, are out of scope for this discussion.


Page 11: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

No External Routable Connectivity?


Page 12: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

No External Routable Connectivity?


Page 13: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

External Routable Connectivity

• Scenario #1 – Cyber Assets that are connected by a simple serial-to-IP conversion that in essence extends non-routable communication through the use of serial-to-IP conversion.

• Scenario #2 – a “break” in the ERC communication that would exclude serially connected devices from having ERC, but require the serial-to-IP converter to be designated as an Electronic Access Control or Monitoring System (EACMS).


Page 14: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

MI BES Cyber System with ERC


Page 15: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

MI BES Cyber System with ERC


Page 16: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

MI BES Cyber System without ERC


Page 17: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

Cyber Asset at a Control Center

• CIP-007, Requirement R1, Part 1.2 – Protect the physical ports on the BES Cyber Systems

• CIP-007, Requirement R4, Part 4.3 – Retain access logs for 90 days

• CIP-007, Requirement R5, Part 5.3 – Authenticate interactive user access

• CIP-007, Requirement R5, Part 5.7 – Limit unsuccessful authentication attempts or generate alerts after a threshold of unsuccessful authentication attempts


Page 18: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

ERC Considerations

• Is the BES Cyber System accessible to or from Cyber Assets outside of the BES Cyber System Network?

• Do data protocols, whether or not they are themselves routable, transit via routable protocols at any point between the end device (Protection Relay, RTU, etc…) and the remote Cyber Asset?

• Would the misuse or disruption of those routable protocols or BES Cyber Assets have an adverse impact on the BES within 15 minutes?
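A worked decision helper for the ERC considerations above together with the two serial-to-IP scenarios (Scenario #1 and Scenario #2) from the External Routable Connectivity slide, written for this page and not code from WECC or NERC; the Hop model, the function names and the sample path are assumptions made here, and the 15-minute impact question is treated as a prerequisite (it decides whether the device is a BES Cyber Asset at all) rather than as an input.

```python
from __future__ import annotations
from dataclasses import dataclass

# Requirements the lesson learned lists as triggered when a Medium Impact
# BES Cyber System has ERC (taken from the "If External Routable Connectivity" slide).
ERC_TRIGGERED = {
    "CIP-004-7": "All requirements",
    "CIP-005-5": "R1.2, R2.1, R2.2, R2.3",
    "CIP-006-6": "All requirements except R1.1",
    "CIP-007-7": "R1.1, R4.2, R5.1, R5.3, R5.6",
}

@dataclass
class Hop:
    """One segment on the path from the remote Cyber Asset toward the end device
    (a constructed model for this example, not a NERC term)."""
    name: str
    routable: bool             # True if this segment carries a routable (IP) protocol
    eacms_break: bool = False  # True if this device is a designated EACMS "break" (Scenario #2)

def erc_applies(path: list[Hop], reachable_from_outside: bool) -> tuple[bool, str]:
    """Apply the ERC considerations to the end device at the far end of `path`."""
    # Consideration 1: accessible to or from Cyber Assets outside the BES Cyber System network?
    if not reachable_from_outside:
        return False, "not accessible from outside the BES Cyber System network"
    # Consideration 2: does the communication transit a routable protocol at any point?
    if not any(hop.routable for hop in path):
        return False, "pure serial path, no IP transit at any point (out of scope)"
    # Scenario #2: an EACMS 'break' between the last routable segment and the
    # serial end device excludes that device from ERC.
    last_routable = max(i for i, hop in enumerate(path) if hop.routable)
    for hop in path[last_routable:]:
        if hop.eacms_break:
            return False, f"EACMS break at '{hop.name}' excludes the serial device (Scenario #2)"
    # Scenario #1: serial-to-IP conversion merely extends the routable reach to the device.
    return True, "serial-to-IP conversion extends routable communication to the end device (Scenario #1)"

def triggered_requirements(path: list[Hop], reachable_from_outside: bool) -> dict[str, str]:
    """Requirements that become applicable only because the end device has ERC."""
    has_erc, _ = erc_applies(path, reachable_from_outside)
    return dict(ERC_TRIGGERED) if has_erc else {}

if __name__ == "__main__":
    # Constructed sample path: control center LAN -> serial-to-IP converter -> RS-232 relay.
    sample = [Hop("control center LAN", True), Hop("serial-to-IP converter", True),
              Hop("RS-232 to relay", False)]
    print(erc_applies(sample, reachable_from_outside=True))
    print(triggered_requirements(sample, reachable_from_outside=True))
```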


Page 19: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

Lesson Learned Interactive Remote Access

• User-initiated Interactive Remote Access by a person using routable protocol, such as through a VPN connection.

• Access originating from outside any of the Responsible Entity’s Electronic Security Perimeters (ESPs).

• Access not originating from an Intermediate System or Electronic Access Points (EAP).

• Access through a remote access client or other remote access technology using a routable protocol.


Page 20: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

IRA Requires

• Use an Intermediate System such that the Cyber Asset initiating Interactive Remote Access does not directly access an applicable Cyber Asset (Part 2.1);

• Use encryption that terminates at an Intermediate System for all Interactive Remote Access (Part 2.2); and

• Use multi-factor (i.e., at least two) authentication to manage all IRA sessions (Part 2.3).


Page 21: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

Intermediate System

• Ensure IRA originates only from the Intermediate System and not from the Cyber Asset accessing the Intermediate System.

• An Intermediate System can be used to access Cyber Assets of different impact ratings.

• Place the Intermediate System in a defined, protected network with both ingress and egress filtering rules in place.

• Encryption between the Cyber Asset initiating communication and the Intermediate System.


Page 22: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

Interactive Remote Access

Is System-to-System process communication IRA?


Page 23: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

Management Interfaces


Page 24: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

Management Interfaces


Page 25: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

Out of Band Management


Page 26: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

Out of Band Management


Page 27: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

Documenting IRA

• Create a diagram which identifies each of the network zones entering the ESP

• Identify where user access takes place

• Determine which applications need to be on the Intermediate System to allow the user to interactively access the BES Cyber Assets and Protected Cyber Assets within the ESP.

• Document the data flows throughout the network environment to illustrate all access through the ESP.


Page 28: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

IRA


Page 29: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

Mixed Trust Authentication Environments

• Implementation where a BES Cyber System shares an authentication mechanism with a corporate system.

• Although not prohibited by the CIP version 5 Reliability Standards, such environments could increase an entity’s compliance obligation.


Page 30: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

Mixed Trust Authentication Environments


Page 31: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

Non-Mixed Trust Authentication Environments


Page 32: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

EACM and Mixed Trust Authentication Environments


Page 33: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

Lesson Learned Intrusion Detection Systems at the EAP


Page 34: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

Lesson Learned Intrusion Detection Systems at the EAP


(Figure 1 and Figure 2: diagrams with components labelled A, A and B)

Page 35: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

Lesson Learned Intrusion Detection Systems at the EAP


Page 36: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

Lesson Learned Intrusion Detection Systems at the EAP

• To meet this requirement, Order No. 706 stated that it is in the public interest to require a responsible entity to implement “two or more distinct security measures when constructing an electronic security perimeter.”[51] The Commission believes that a responsible entity cannot meet the goal of defense in depth as required by the Commission with a single electronic device, because a single electronic device is easier to bypass than multiple devices. Therefore, we clarify that two or more separate and distinct electronic devices are necessary to implement the Commission’s defense in depth requirements.


Source: ORDER DENYING REHEARING AND GRANTING CLARIFICATION, ORDER NO. 706-A (Issued May 16, 2008)

Page 37: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

Lesson Learned Network Virtualization


Page 38: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

Lesson Learned Network Virtualization


(Figure 1 and Figure 2: Layer-2 switch diagrams showing Vlan 3 and Vlan 5)

Page 39: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

Lesson Learned Server Virtualization


Page 40: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

Virtualized Cyber Assets

• The guest machine in itself is a PED and meets all criteria from the definition in the PED Lessons Learned.

• The guest machine is then also considered a Cyber Asset and meets all criteria for the Cyber Asset glossary term.

• If the Cyber Asset meets the definition of a BCA, then the guest machine becomes a BCA.

• Once a guest machine becomes a BCA, the Hypervisor then becomes a BCA due to its command, control, and ultimate functionality over the guest machine, in this case a BCA.

• All other guest machines on the Hypervisor then also become PCAs due to the Hypervisor having complete command, control, and ultimate functionality over the guest machines.

• The Hypervisor and all of its guest machines are then considered a BCS.
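The classification chain above as a small inventory check, added here as an example and not code from WECC or NERC; the inventory layout (hypervisor name mapped to its guest names), the label strings and the sample host names are assumptions made for this example, and the hypervisor with no qualifying guest is left out of scope by this rule alone.

```python
from __future__ import annotations

def classify_virtual_hosts(hosts: dict[str, list[str]], independent_bca: set[str]) -> dict:
    """Propagate BCA status through a virtualized environment.

    hosts: hypervisor name -> names of its guest machines (constructed layout).
    independent_bca: guests that meet the BCA definition on their own merits
    (a PED, hence a Cyber Asset, with a 15-minute BES impact).
    Returns {"assets": {name: label}, "bcs": {hypervisor: [members]}}.
    """
    placed = [g for guests in hosts.values() for g in guests]
    if len(placed) != len(set(placed)):
        raise ValueError("a guest is listed under more than one hypervisor")
    labels: dict[str, str] = {}
    bcs: dict[str, list[str]] = {}
    for hypervisor, guests in hosts.items():
        if not any(g in independent_bca for g in guests):
            # No guest qualifies, so this rule does not bring the host into scope.
            labels[hypervisor] = "out of scope (no BCA guest)"
            for g in guests:
                labels[g] = "out of scope (no BCA guest)"
            continue
        # A qualifying guest is a BCA; the hypervisor has command, control and
        # ultimate functionality over it, so the hypervisor becomes a BCA too.
        labels[hypervisor] = "BCA"
        for g in guests:
            labels[g] = "BCA" if g in independent_bca else "PCA"
        # The hypervisor plus every guest on it form one BES Cyber System.
        bcs[hypervisor] = [hypervisor, *guests]
    return {"assets": labels, "bcs": bcs}

if __name__ == "__main__":
    # Constructed inventory: one hypervisor carries an EMS guest that is a BCA on its own.
    inventory = {"hv-a": ["ems-app", "historian-test", "jump-dev"], "hv-b": ["web-portal", "mail"]}
    result = classify_virtual_hosts(inventory, {"ems-app"})
    for name, label in result["assets"].items():
        print(f"{name:15} {label}")
    print(result["bcs"])
```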


Page 41: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

Lesson Learned Server Virtualization


Page 42: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

Lesson Learned Storage Virtualization


(Diagram: four components labelled BCA)

Page 43: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

Lesson Learned Storage Virtualization


(Diagram: three components labelled BCA)

Page 44: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

Lesson Learned Storage Virtualization


• Controls deployed in the SAN infrastructure governing access to data storage services utilized by BES Cyber Assets

• Controls applied to the SAN Storage Array and Storage Controller governing access to data storage services utilized by BES Cyber Assets

• Controls applied to the Fibre Channel transport path governing access to fabric services

• Identification of SAN resources and mapping of SAN Cyber Asset components to an ESP boundary

Page 45: CIP-005-5 Lessons Learned CIPUG January 29, 2015 Anaheim, Ca

Contact Info Morgan King, CISSP-ISSAP, CISA

Senior Compliance Auditor - Cyber Security Western Electricity Coordinating Council (WECC) [email protected] Office 801.819.7675 Mobile: 801.608.6652
