CIP-005-3 Mock Audit, Breakout Session September 25, 2013
SALT LAKE CITY, UTAH
Joe Andrews, MsIA, CISSP-ISSEP, ISSAP, ISSMP, CISA, PSP Sr. Compliance Auditor – Cyber Security
• Registered Entity submitted multiple forms of CIP-005 evidence to WECC, including:
  o Access Point (AP) and CCA inventory spreadsheets
  o Network topology diagrams
  o Ports and services baselines
  o Access Point configuration files
  o Cyber Vulnerability Assessments for two calendar years, including raw data
BPC Audit - 2013
• Review network diagrams and identify access points
CIP-005-3 Requirement 1
• Review Access Point documentation (e.g., the AP inventory spreadsheet)
CIP-005-3 Requirement 1
• According to the network diagram there are three access points (one layer-3 firewall and two dial-up gateways); however, the AP spreadsheet lists only two
CIP-005-3 Access Point Enumeration
• Network diagram depicts a dial-up accessible Access Point on ESP #1 (dated 08/15/11)
• Access Point spreadsheet does not list the dial-up accessible Access Point at ESP #1, even though the spreadsheet was reviewed in 2011, 2012 and 2013
• Possible CIP-005-3 R1.6 violation (maintain documentation of the ESP, including all electronic access points to it)
Documentation discrepancy
• Auditors request:
  o Access Point: ESP ID, location, make, model and serial number for each AP
  o SMEs/divisions responsible for administering the Access Points
  o A copy of the Access Point configuration files
Auditors submit Data Request (DR)
• BPC reports two Access Points: one for its primary control center and one for its remote substation
  o Access Point 1, ESP-1, Primary Control Center, Cisco ASA 5505, serial WZAC123456
  o Access Point 2 (dial-up), ESP-2 (remote substation), Industrial Defender M-1, serial TCAC123456
  o SMEs are from two different divisions within the company: Primary Control Center (PCC) and Substation 1 (SUB-1); the PCC Team manages the PCC and the SUB-1 Team manages Substation 1
  o Access Point configurations are sent for only these two Access Points
BPC’s Response to Data Request (DR)
• Auditors conduct interview with BPC CIP Compliance Lead and CIP-005-3 SMEs
  o Q: Why is there a discrepancy in the documentation regarding the missing dial-up Access Point for ESP-1?
  o A: It was an oversight due to the separation of duties between the two departments/divisions (i.e., PCC-1 Team and SUB-1 Team). There is actually an additional dial-up Access Point at PCC-1.
  o Q: May we have a copy of the configuration file for the dial-up accessible Access Point to ESP-1?
  o A: (Long caucus) "Yes, we can provide that if you submit a formal data request for it."
Auditors submit Phone Interview DR
• The BPC staff finally discovers the dial-up accessible Access Point to ESP-1
• However, the Access Point was not properly managed or patched, because it had been misidentified (omitted) on the Access Point spreadsheet
• Cumulative vulnerabilities introduced to:
  o the Access Point (AP)
  o the Critical Cyber Assets the AP is entrusted to protect
Problem Scenario
• Electronic Security Perimeter not afforded proper protection
• Access Point security controls neglected (e.g., no patch management, no ACLs, default configuration parameters left in place)
• Non-compliance with multiple requirements of CIP-005-3, due to the misidentification
• Reliable operation of the Bulk Electric System is affected if the ESP (i.e., its Access Point) is compromised
Repercussions for AP non-discovery
• Identify the operational and essential applications and functions
• Correlate the associated ports and services with those essential applications and functions (i.e., establish and document system baselines)
• Manually review the configuration and/or use automated security testing tools (e.g., test the ACLs and the Access Point's management and console interfaces)
Authorized Ports and Services
• Services listed are SNMP, HTTP, HTTPS and FTP; only HTTPS is documented as enabled
BPC (AP) Ports and Services Baseline
• SNMP = UDP service on port 161 (traps on 162) – network management and monitoring
  o SNMP versions 1 and 2c: attacks exploit weak community strings passed in cleartext; the default strings "public" (read) and "private" (write) are well known
• FTP = TCP service on ports 20/21 – file transfer
  o Attacks exploit misconfigured directory permissions and cleartext passwords
• HTTP = TCP service on port 80 – unencrypted web protocol
  o Attacks can target the server, the browser, or scripts that run in the browser
• HTTPS = TCP service on port 443 – HTTP protected by SSL/TLS
  o Same protocol as HTTP, but the session is encrypted and the server is authenticated by its certificate
Services overview
• Auditor analyzes the printed firewall configuration (offsite and onsite)
• Visually verify the firewall configuration at the console CLI (onsite)
• Visually verify the web GUI configuration (onsite)
SNMP & HTTP service (problem scenario)
Auditors view AP Configuration
• # show run (= # show running-config)
  o Shows only non-default configuration, so it may not reveal that the SNMP server is enabled
• # show run all (= # show running-config all)
  o Includes default settings, so it will show "snmp-server enable" when the SNMP agent is on
• SNMP commands to view SNMP server status
  o # show snmp; # show snmp engineid; # show snmp sessions; # show snmp server host
• Disable the SNMP server/service
  o # no snmp-server (IOS); on an ASA such as BPC's AP 1 the equivalent is # no snmp-server enable
CISCO IOS Commands
• Use an iPad to connect to a free wireless Access Point
• Get an IP address via DHCP on the subnet
• Use an SNMP walk/scan tool to enumerate hosts configured with the default community string "public"
SNMP LAB Demonstration Part 1
SNMP LAB Demonstration Part 2
• Enumerate OS
• Enumerate device type
• Enumerate interfaces
• Search for vulnerabilities associated with the OS/device
• Chart peak times for attack (e.g., stealth shots in the dark)
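The community-string weakness the lab exploits, shown in code. The following is an added example, not part of the WECC deck or its lab tooling: a minimal SNMPv1 GetRequest encoder and GetResponse decoder in pure Python (BER as in RFC 1157). It builds the same kind of request an SNMP walk tool sends for sysDescr.0 and sysObjectID.0, shows that the community string sits in the datagram in cleartext, and decodes a reply so the OS/device-type enumeration step can be seen. The reply used in the demo is constructed inside the block (the device description string and the sysObjectID value are invented, not from any real device); `probe()` would send the request to a real agent on UDP/161 but is not exercised offline.

```python
"""Added example (not from the WECC deck): minimal SNMPv1 GetRequest encoder and
response decoder (BER, RFC 1157). Shows that the community string travels in
cleartext and that a host answering "public" hands over sysDescr/sysObjectID."""
import socket

# Standard MIB-II OIDs used for enumeration in the lab
SYS_DESCR_0 = (1, 3, 6, 1, 2, 1, 1, 1, 0)      # sysDescr.0 (OS / device text)
SYS_OBJECT_ID_0 = (1, 3, 6, 1, 2, 1, 1, 2, 0)  # sysObjectID.0 (vendor device type)
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2         # SNMPv1 PDU tags

def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _enc_int(v):
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def _enc_oid(oid):
    out = bytearray([40 * oid[0] + oid[1]])
    for arc in oid[2:]:                       # base-128, high bit = continuation
        chunk = bytearray([arc & 0x7F]); arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F)); arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))

def _enc_value(v):
    if v is None: return _tlv(0x05, b"")      # NULL placeholder in a GetRequest
    if isinstance(v, tuple): return _enc_oid(v)
    if isinstance(v, int): return _enc_int(v)
    return _tlv(0x04, v.encode())             # OCTET STRING

def build_message(pdu_tag, community, varbinds, request_id=1, err=0, idx=0):
    """SNMPv1 message: version 0, cleartext community, PDU with varbind list."""
    vbl = b"".join(_tlv(0x30, _enc_oid(o) + _enc_value(v)) for o, v in varbinds.items())
    pdu = _tlv(pdu_tag, _enc_int(request_id) + _enc_int(err) + _enc_int(idx) + _tlv(0x30, vbl))
    return _tlv(0x30, _enc_int(0) + _tlv(0x04, community.encode()) + pdu)

def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                             # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _dec_oid(b):
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val); val = 0
    return tuple(arcs)

def parse_message(datagram):
    """Return (community, pdu_tag, request_id, error_status, {oid: value})."""
    _, msg, _ = _read_tlv(datagram, 0)
    _, _ver, pos = _read_tlv(msg, 0)
    _, comm, pos = _read_tlv(msg, pos)        # the community string, readable by any sniffer
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    _, rid, p = _read_tlv(pdu, 0)
    _, err, p = _read_tlv(pdu, p)
    _, _idx, p = _read_tlv(pdu, p)
    _, vbl, _ = _read_tlv(pdu, p)
    out, q = {}, 0
    while q < len(vbl):
        _, vb, q = _read_tlv(vbl, q)
        _, oidb, r = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, r)
        if vtag == 0x04: value = val.decode(errors="replace")
        elif vtag == 0x06: value = _dec_oid(val)
        elif vtag == 0x02: value = int.from_bytes(val, "big", signed=True)
        elif vtag == 0x05: value = None
        else: value = val
        out[_dec_oid(oidb)] = value
    return comm.decode(), pdu_tag, int.from_bytes(rid, "big", signed=True), int.from_bytes(err, "big"), out

def probe(host, community="public", timeout=2.0):
    """Live UDP/161 probe (not used offline): decoded values, or None if no valid answer."""
    req = build_message(GET_REQUEST, community, {SYS_DESCR_0: None, SYS_OBJECT_ID_0: None}, request_id=42)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, 161))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    _comm, tag, rid, err, values = parse_message(data)
    return values if (tag == GET_RESPONSE and rid == 42 and err == 0) else None

if __name__ == "__main__":
    req = build_message(GET_REQUEST, "public", {SYS_DESCR_0: None})
    print("community in cleartext:", b"public" in req, req.hex())
    # Constructed reply standing in for a device that still uses the default string
    reply = build_message(GET_RESPONSE, "public", {SYS_DESCR_0: "Constructed sample firewall, firmware 1.0"})
    print(parse_message(reply))
```

Against a lab device, `probe("10.0.0.1")` (hypothetical address) returns the decoded sysDescr/sysObjectID if the agent accepts "public"; a `None` result is what an auditor wants to see from an ESP access point.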
• CVE-2005-3774
  o Cisco PIX Firewall lets remote users block TCP connections by spoofing packets with invalid checksums
Cisco PIX V6.3 Vulnerabilities 1
Source: Common Vulnerabilities and Exposures (CVE) database, sponsored by the Department of Homeland Security (DHS) and maintained by MITRE, www.cve.mitre.org
• CVE-2005-4499
  o The Downloadable RADIUS ACLs feature in Cisco PIX and VPN 3000 concentrators, when creating an ACL on the Cisco Secure Access Control Server (CS ACS), generates a random internal name for the ACL that is also used as a hidden user name and password, which allows remote attackers to gain privileges by sniffing the user name from the cleartext portion of a RADIUS session and then using the password to log in to another device that uses CS ACS.
Cisco PIX V6.3 Vulnerabilities 2
• CVE-2006-3906
  o The Internet Key Exchange (IKE) version 1 protocol, as implemented on Cisco IOS, VPN 3000 Concentrators, and PIX firewalls, allows remote attackers to cause a denial of service (resource exhaustion) via a flood of IKE Phase-1 packets that exceed the session expiration rate.
Cisco PIX V6.3 Vulnerabilities 3
• If SNMP is required for network management:
  o Change the default community strings
  o Restrict the agent to a specific SNMP management server, by host name and IP address
  o If possible use SNMPv3 (user name, authentication key and privacy/encryption key) instead of v1/v2c community strings
SNMP Management
• R2.2 requires the entity to enable only the ports and services required for normal and emergency operations and for monitoring Cyber Assets within the Electronic Security Perimeter, and to document the configuration of those ports and services
  o BPC's baseline configuration stated that the SNMP and HTTP services were not enabled, yet both were found enabled on the AP
• R4.4 requires the annual Cyber Vulnerability Assessment (CVA) to include a review of controls for default accounts, passwords, and network management community strings
  o This was an issue because two consecutive CVAs identified the default SNMP community string "public" as a security risk to be remediated, and the same finding recurred (i.e., it was not remediated)
Possible Violation
• Perform annual Cyber Vulnerability Assessments (CVA) of the APs to the ESPs
  o Verify each ESP access point is assessed annually (i.e., at least once per calendar year)
  o To demonstrate annual compliance, evidence of CVAs for the two most recent calendar years must be submitted
  o Verify that the requirements of CIP-005-3 R4.1 through R4.5 are accounted for in the CVA documentation
Cyber Vulnerability Assessment 1
• Review to verify required ports and services
  o Review the Access Point (AP) ports and services baseline
  o Correlate the ports and services baseline with the AP configuration (manually or with automated tools); document the review and retain the AP configuration reviewed and/or the automated scan output
Cyber Vulnerability Assessment 2
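One way to perform the correlation step described here and under "Authorized Ports and Services" above (documented baseline versus what the device actually exposes), as an added example that is not part of the WECC deck: a Python script that parses nmap grepable (-oG) output and compares every listening service with the baseline, flagging services the baseline says are disabled, services missing from the baseline altogether, and UDP ports the scanner could not confirm. The scan text, the address 10.0.0.1 and the severity labels are constructed for the example; the baseline mirrors the one on the BPC slide (SNMP, HTTP, HTTPS and FTP listed, only HTTPS enabled).

```python
"""Added example (not from the WECC deck): correlate an AP's documented ports and
services baseline with automated scan output (nmap -oG). The scan text below is
constructed for a hypothetical AP at 10.0.0.1, not captured from a real device."""
import re

# Baseline as the deck describes BPC's: (port, proto) -> (service, documented-as-enabled)
BASELINE = {
    (161, "udp"): ("snmp", False),
    (80, "tcp"): ("http", False),
    (443, "tcp"): ("https", True),
    (21, "tcp"): ("ftp", False),
}

# Constructed grepable output, as nmap -sS -sU -p T:21,22,80,443,U:123,161 -oG - 10.0.0.1 would print
SCAN_OUTPUT = (
    "# Nmap 6.40 scan initiated (constructed sample)\n"
    "Host: 10.0.0.1 ()\tStatus: Up\n"
    "Host: 10.0.0.1 ()\tPorts: 21/closed/tcp//ftp///, 22/open/tcp//ssh///, "
    "80/open/tcp//http///, 443/open/tcp//https///, 123/open|filtered/udp//ntp///, "
    "161/open/udp//snmp///\tIgnored State: closed (0)\n"
    "# Nmap done (constructed sample)\n"
)

# Grepable port field layout: port/state/protocol/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp)/[^/]*/([^/]*)/")

def parse_grepable(text):
    """Return {host: {(port, proto): (state, service)}} from nmap -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("\tPorts:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service in PORT_RE.findall(ports_field):
            hosts.setdefault(host, {})[(int(port), proto)] = (state, service)
    return hosts

def assess(scan, baseline):
    """Compare observed services with the baseline.

    Returns (host, port, proto, service, severity, finding) tuples. A UDP port in
    state 'open|filtered' only means the probe went unanswered, so it is reported
    for confirmation on the device rather than as a confirmed open service."""
    findings = []
    enabled = {k for k, (_, on) in baseline.items() if on}
    for host, ports in sorted(scan.items()):
        observed_open = set()
        for (port, proto), (state, service) in sorted(ports.items()):
            key = (port, proto)
            if state == "open":
                observed_open.add(key)
                if key in enabled:
                    continue                      # documented as enabled: consistent
                name = baseline.get(key, (service, None))[0]
                if key in baseline:
                    findings.append((host, port, proto, name, "HIGH",
                        "baseline says disabled but service is open (CIP-005-3 R2.2)"))
                else:
                    findings.append((host, port, proto, name, "HIGH",
                        "service not in baseline at all; document or disable (R2.2)"))
            elif state == "open|filtered":
                findings.append((host, port, proto, service, "VERIFY",
                    "UDP probe unanswered; confirm on the device (e.g., show run all)"))
        for port, proto in sorted(enabled - observed_open):
            findings.append((host, port, proto, baseline[(port, proto)][0], "INFO",
                "baseline-enabled service not observed; confirm scan coverage"))
    return findings

if __name__ == "__main__":
    for finding in assess(parse_grepable(SCAN_OUTPUT), BASELINE):
        print(finding)
```

The HIGH findings are the evidence an auditor attaches to an R2.2 issue; the VERIFY entries are the list to take to the console for the `show run all` check, since a UDP scan alone cannot distinguish a filtered port from a silent one.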
• Document the manual walk-down or automated discovery of Access Points (i.e., list the device(s) discovered by IP address/hostname)
• Review each Access Point for default accounts (e.g., Admin), passwords (e.g., blank or Admin) and network management community strings (e.g., public or private), and change them where possible
Cyber Vulnerability Assessment 3
• Analyze CVA results
  o Verify whether a remediation plan exists for each identified vulnerability
  o Verify progress against the remediation plan
  o Verify the plan has actionable milestones
Cyber Vulnerability Assessment 4
CIP-006 Remand: Live Demonstration
• End-to-end encryption examples:
  o Layer-2 IEEE 802.1AE MACsec with GCM-AES-256 (e.g., switches)
  o Layer-2 intermediate encryption devices/appliances
  o Layer-3 IPsec
  o Not required, but recommended for encryption validation: FIPS 140-2 validated modules and Common Criteria (EAL4, EAL5) evaluated products
Extended ESP Encryption
Note: Changes to the current version are expected
• R1.1 Cyber Assets connected to a network via a routable protocol shall reside within an ESP (e.g., a BES Cyber System consisting of BES Cyber Assets (formerly CCAs) and associated Protected Cyber Assets (formerly non-critical Cyber Assets))
• R1.2 All External Routable Connectivity must be through an identified Electronic Access Point
• R1.3 Access permissions must be applied for inbound and outbound traffic, with the reason for granting each access documented, and all other access denied by default (e.g., explicit inbound and outbound ACL rules ending in a deny)
CIP-005 Version 5: Electronic Security Perimeters (R1)
• R1.4 Where technically feasible, authentication is required when establishing Dial-up Connectivity (e.g., secure modems)
• R1.5 Have one or more methods for detecting known or suspected malicious communications, both inbound and outbound (e.g., IDS/IPS, SIEM, layer-7 firewall)
CIP-005 Version 5: Electronic Security Perimeters (R1)
• R2.1 Utilize an Intermediate System such that the Cyber Asset initiating Interactive Remote Access does not directly access an applicable Cyber Asset (e.g., proxy server, jump host, VPN appliance with two-factor authentication)
• R2.2 For all Interactive Remote Access sessions, use encryption that terminates at the Intermediate System (e.g., IPsec VPN, SSL/TLS)
CIP-005 Version 5: Electronic Security Perimeters (R2)
• R2.3 Require multi-factor authentication for all Interactive Remote Access sessions (e.g., something you know = password, PIN; something you have = token, smart card; something you are = fingerprint, iris scan, facial recognition)
CIP-005 Version 5: Electronic Security Perimeters (R2)
Joe Andrews, CISSP-ISSEP, ISSAP, ISSMP, CISA, Compliance Auditor – Cyber Security, Western Electricity Coordinating Council, jandrews[@]wecc[.]biz, Office: 801.819.7683
Questions?