Joe Andrews, MsIA, CISSP-ISSEP, ISSAP, ISSMP, CISA, PSP Sr ... · 10 • Auditors conduct interview...
CIP-005-3 Mock Audit, Breakout Session September 25, 2013 SALT LAKE CITY, UTAH Joe Andrews, MsIA, CISSP-ISSEP, ISSAP, ISSMP, CISA, PSP Sr. Compliance Auditor – Cyber Security



BPC Audit - 2013

•  Registered Entity submitted multiple forms of CIP-005 evidence to WECC, including:
   o  Access Point (AP) and CCA inventory spreadsheets
   o  Network topology diagrams
   o  Ports and services baselines
   o  Access Point configuration files
   o  Cyber Vulnerability Assessments for two calendar years, including raw data


CIP-005-3 Requirement 1

•  Review network diagrams and identify access points


CIP-005-3 Requirement 1

•  Review Access Point documentation (e.g., spreadsheet document)


CIP-005-3 Access Point Enumeration

•  According to the network diagram there are three (3) access points (i.e., one layer-3 firewall and two dial-up gateways); however, the AP spreadsheet lists only two (2) Access Points


Documentation discrepancy

•  Network diagram depicts a dial-up accessible Access Point on ESP #1 (dated: 08/15/11)

•  Access Point spreadsheet does not list the dial-up accessible Access Point at ESP #1, even though the document was reviewed in 2011, 2012 and 2013.

•  May be a possible R1.6 violation – maintain documentation of the ESP


Auditors submit Data Request (DR)

•  Auditors request:
   o  Access Point: ESP Id, location, make, model and serial numbers for each AP
   o  SMEs/divisions responsible for administering the Access Points
   o  A copy of the Access Point configuration files


BPC’s Response to Data Request (DR)

•  BPC has approximately (2) Access Points: one for its primary control center and one for its remote substation
   o  Access Point 1, ESP-1, Primary Control Center, Cisco ASA 5505, WZAC123456
   o  Access Point 2 (dial-up), ESP-2, Industrial Defender M-1, TCAC123456
   o  SMEs are from two different divisions within the company: Primary Control Center (PCC) & Substation 1 (SUB-1); the PCC Team manages the PCC and the SUB-1 Team manages Substation-1
   o  Access Point configurations are sent for only (2) Access Points


Auditors submit Phone Interview DR

•  Auditors conduct interview with BPC CIP Compliance Lead and CIP-005-3 SMEs
   o  Q: Why is there a discrepancy in the documentation regarding the missing dial-up Access Point for ESP-1?
   o  A: It was an oversight due to the separation of duties between the two departments/divisions (i.e., PCC-1 Team and SUB-1 Team). There is actually an additional dial-up Access Point at PCC-1.
   o  Q: May we have a copy of the configuration file for the dial-up accessible Access Point to ESP-1?
   o  A: Long caucus: “Yes, we can provide that if you submit a formal data request for it.”


Problem Scenario

•  The BPC staff finally discovers the dial-up accessible access point to ESP-1

•  However, the Access Point was not properly managed or patched, due to the misidentification of the Access Point on the Access Point spreadsheet

•  Cumulative vulnerabilities introduced to:
   o  Access Point (AP)
   o  Critical Cyber Assets that the AP was entrusted to protect


Repercussions for AP non-discovery

•  Electronic Security Perimeter not afforded proper protection

•  Access Point security controls neglected (e.g., no patch management, ACLs, default configuration parameters)

•  Non-compliance with multiple requirements of CIP-005-3, due to misidentification

•  Reliable operation of the Bulk Electric System affected if the ESP (i.e., Access Point) is compromised


Authorized Ports and Services

•  Identify the operational and essential applications and functions

•  Correlate the associated ports and services with the essential applications and functions (i.e., establish and document system baselines)

•  Manual review of configuration and/or automated tools for security testing (e.g., against ACLs and Access Point management and console interfaces)


BPC (AP) Ports and Services Baseline

•  Services listed are SNMP, HTTP, HTTPS & FTP, and only HTTPS is enabled


Services overview

•  SNMP = UDP service on port 161 – Network Management & Monitoring Tool
   o  (SNMP Version 1 & 2) Attacks can exploit weak community strings passed in clear text; the default community strings “public/private” are well known

•  FTP = TCP service that operates on ports 20/21 – File Transfer
   o  Attacks exploit misconfigured directory permissions and cleartext passwords

•  HTTP = TCP service on port 80 – unencrypted web browsing
   o  Attacks can target the server, the browser, and scripts that run in the browser

•  HTTPS = TCP service on port 443 – secure web browsing
   o  Secure version of HTTP, adding SSL/TLS


SNMP & HTTP service (problem scenario)

•  Auditor will analyze the firewall configuration print-out (Offsite and Onsite)

•  Visually verify the console CLI firewall configuration (Onsite)

•  Visually verify the web GUI configuration (Onsite)


Auditors view AP Configuration


CISCO IOS Commands

•  # show run = # show running-config
   o  May not show snmp-server enabled

•  # show run all = # show running-config all
   o  May show snmp-server enabled (snmp-server enabled)

•  SNMP commands to view SNMP server status
   o  # show snmp; show snmp engineid; show snmp sessions; show snmp host

•  Disable SNMP server/service
   o  # no snmp-server


SNMP “Public” Community String Lab

•  Use iPad to connect to free wireless Access Point

•  Get IP address via DHCP on subnet

•  Use SNMP walk scanning tool to enumerate hosts configured with the default community string PUBLIC


SNMP LAB Demonstration Part 1


SNMP LAB Demonstration Part 2

•  Enumerate OS

•  Enumerate Device Type

•  Enumerate Interfaces

•  Search vulnerabilities associated with OS/Device

•  Chart peak times for attack (e.g., stealth shots in the dark)


Cisco PIX V6.3 Vulnerabilities 1

•  CVE-2005-3774
   o  Cisco PIX Firewall Lets Remote Users Block TCP Connections By Spoofing Packets with Invalid Checksums

Source: Common Vulnerabilities and Exposures (CVE) Database, sponsored and managed by the Department of Homeland Security (DHS), at www.cve.mitre.org


Cisco PIX V6.3 Vulnerabilities 2

•  CVE-2005-4499
   o  The Downloadable RADIUS ACLs feature in Cisco PIX and VPN 3000 concentrators, when creating an ACL on the Cisco Secure Access Control Server (CS ACS), generates a random internal name for an ACL that is also used as a hidden user name and password, which allows remote attackers to gain privileges by sniffing the username from the cleartext portion of a RADIUS session, then using the password to log in to another device that uses CS ACS.


Cisco PIX V6.3 Vulnerabilities 3

•  CVE-2006-3906
   o  Internet Key Exchange (IKE) version 1 protocol, as implemented on Cisco IOS, VPN 3000 Concentrators, and PIX firewalls, allows remote attackers to cause a denial of service (resource exhaustion) via a flood of IKE Phase-1 packets that exceed the session expiration rate.


SNMP Management

•  SNMP required for network management
   o  Change default community string
   o  Assign a specific SNMP-Server
      §  Host Name
      §  IP Address
   o  If possible use Version 3 (username, password, and encryption)


Possible Violation

•  R2.2 requires the entity to enable only ports and services required for normal operations and monitoring of Cyber Assets within the Electronic Security Perimeter, and to document the configuration of those ports and services
   o  BPC’s baseline configuration stated that the SNMP and HTTP services were not enabled

•  R4.4 requires the entity to perform an annual Cyber Vulnerability Assessment (CVA), which includes checking for default accounts, passwords, and network management community strings
   o  This was an issue because two consecutive CVAs identified the default SNMP community string PUBLIC as a security risk to be remediated


Cyber Vulnerability Assessment 1

•  Perform annual Cyber Vulnerability Assessments (CVA) of the APs to the ESPs
   o  Verify each ESP access point is assessed annually (i.e., at least once per calendar year)
   o  In order to demonstrate annual compliance, evidence of CVAs for the two most recent calendar years must be submitted
   o  Verify Requirements of CIP-005-3 R4.1 through R4.5 are accounted for in the CVA documentation


Cyber Vulnerability Assessment 2

•  Review to verify required ports and services
   o  Review Access Point (AP) ports & services baseline
   o  Correlate the ports and services baseline with the AP configuration (i.e., manually or automated; document the review; maintain the AP configuration reviewed and/or automated scan output)
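An added example (not from the presentation or any WECC tool) of the automated correlation step above: a small Python checker that compares a constructed "show running-config all" excerpt against the AP ports-and-services baseline from the earlier slide (only HTTPS enabled) and flags the R2.2 and R4.4 findings the mock audit turned up. The IOS line forms, the manager address 10.0.0.5 and the placeholder SNMPv3 credentials are assumptions.

```python
"""Correlate a Cisco IOS-style running-config with the AP ports-and-services baseline
and flag R2.2 / R4.4 findings. Constructed example, not an auditor's or WECC tool."""
import re

# Baseline from the slide: SNMP, HTTP, HTTPS, FTP listed; only HTTPS enabled.
BASELINE = {"snmp": False, "http": False, "https": True, "ftp": False}
# Default SNMP v1/v2c community strings a CVA must check for (R4.4).
DEFAULT_COMMUNITIES = {"public", "private"}
# Lines that show a service enabled; 'no ...' forms (as in 'show run all') mean disabled.
ENABLE_PATTERNS = {
    "snmp": re.compile(r"^snmp-server (community|host|user|group)\b"),
    "http": re.compile(r"^ip http server$"),
    "https": re.compile(r"^ip http secure-server$"),
    "ftp": re.compile(r"^ftp-server enable$"),
}

def enabled_services(config):
    # Return {service: True/False} as observed in the configuration text
    found = {svc: False for svc in ENABLE_PATTERNS}
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith(("no ", "!")):
            continue  # a negated or comment line never enables a service
        for svc, pattern in ENABLE_PATTERNS.items():
            if pattern.match(line):
                found[svc] = True
    return found

def default_communities(config):
    # Well-known default community strings configured on the device (R4.4 check)
    matches = (re.match(r"^snmp-server community (\S+)", ln.strip()) for ln in config.splitlines())
    return [m.group(1) for m in matches if m and m.group(1).lower() in DEFAULT_COMMUNITIES]

def audit(config, baseline=BASELINE):
    # Compare observed services with the documented baseline and list findings
    findings, observed = [], enabled_services(config)
    for svc, documented in baseline.items():
        if observed[svc] and not documented:
            findings.append(f"R2.2: {svc} enabled on the AP but documented as disabled")
        elif documented and not observed[svc]:
            findings.append(f"R2.2: {svc} documented as enabled but not found in config")
    for community in default_communities(config):
        findings.append(f"R4.4: default SNMP community string '{community}' in use")
    return findings

# Constructed 'show run all' excerpts: the problem scenario, then an AP fixed with SNMPv3 to one named manager
WEAK_CONFIG = """ip http server
no ip http secure-server
snmp-server community public RO
snmp-server community private RW
ftp-server enable
"""
HARDENED_CONFIG = """no ip http server
ip http secure-server
no ftp-server enable
snmp-server group NMS-GRP v3 priv
snmp-server user nmsuser NMS-GRP v3 auth sha AUTH-PLACEHOLDER priv aes 128 PRIV-PLACEHOLDER
snmp-server host 10.0.0.5 version 3 priv nmsuser
"""
HARDENED_BASELINE = {**BASELINE, "snmp": True}
```

The hardened AP still runs SNMP (needed for management), so its baseline has to document that change; audited against the original baseline it is itself a finding.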


Cyber Vulnerability Assessment 3

•  Document the manual walk-down or automated discovery of Access Points (i.e., list the device(s) discovered by IP address/hostname)

•  Review Access Point system for default accounts (e.g., Admin), passwords (e.g., blank or Admin), network community strings (e.g., public or private) and change if possible.


Cyber Vulnerability Assessment 3

•  Analyze CVA results
   o  Verify if a remediation plan exists for any identified vulnerabilities
   o  Verify progress of the remediation plan
   o  Verify actionable milestones of the plan


LIVE DEMONSTRATION

CIP-006 Remand: Live Demonstration


Extended ESP Encryption

•  End-to-end Encryption examples:
   o  Layer-2 IEEE 802.1AE MACsec GCM-AES-256 (e.g. switches)
   o  Layer-2 intermediate encryption devices/appliances
   o  Layer-3 IPSEC
   o  Not required, but recommended for encryption validation (e.g. FIPS 140-2 compliant; Common Criteria: EAL4, EAL5)


CIP-005 Version 5: Electronic Security Perimeters (R1)

Note: Changes to the current version are expected

•  R1.1 Cyber Assets connected to a network via routable protocol shall reside within an ESP (e.g., BES Cyber System consisting of BES Cyber Assets (CCAs) and associated Protected Cyber Assets (Non-Critical Cyber Assets))

•  R1.2 All External Routable Connectivity must be through an Electronic Access Point

•  R1.3 Access permissions must be applied for inbound and outbound traffic, with reasons for granting access, and implicit deny by default (e.g., inbound and outbound ACL rules applied)


CIP-005 Version 5: Electronic Security Perimeters (R1)

•  R1.4 Where technically feasible, authentication will be required for Dial-up Connectivity (e.g., secure modems)

•  R1.5 Have one or more methods for detecting known or suspected malicious communications, inbound & outbound (e.g., IDS/IPS, SIEM, Layer-7 Firewall)


CIP-005 Version 5: Electronic Security Perimeters (R2)

•  R2.1 Utilize an Intermediate System such that the Cyber Asset initiating access does not directly access an applicable Cyber Asset (e.g., proxy server, jump host, VPN appliance with two-factor authentication)

•  R2.2 For all interactive Remote Access sessions use encryption (e.g., VPN IPSEC, SSL/TLS)


CIP-005 Version 5: Electronic Security Perimeters (R2)

•  R2.3 Require multi-factor authentication for all Interactive Remote Access sessions (e.g., something you know = password, PIN; something you have = token, smart card; something you are = fingerprint, iris scan, facial recognition)


Questions?

Joe Andrews, CISSP-ISSEP, ISSAP, ISSMP, CISA
Compliance Auditor – Cyber Security
Western Electricity Coordinating Council
jandrews[@]wecc[.]biz
Office: 801.819.7683