Page 1

Mick Neshem CISA, CISSP, CSSA

Senior Compliance Auditor – Cyber Security

CIP-005-5 Compliance Outreach CIP v5 Roadshow

May 14-15, 2014, Salt Lake City, UT

Page 2

V5 Open Actions [SAR 1-4]

1. Modify or remove the IAC in the 17 impacted requirements [February 3, 2015]

2. Develop modifications to the CIP standards to address security controls for Low impact assets

3. Develop requirements to protect transient electronic devices – thumb drives, laptops that do not meet the BES Cyber Asset definition

4. Create a definition of “communication networks” and develop new or modified standards that address the protection of communication networks [February 3, 2015]

5. Study the application of the 15-minute parameter for identification of BES Cyber Assets and the impact of this time constraint on the overall security and reliability of the BES.

Source: SDT Industry Webinar.pdf – April 22, 2014

Page 3

Page 4

FERC Staff Technical Conference (4/29/14)

• whether additional definitions and/or security controls are needed to protect Bulk-Power System communications networks, including remote systems access

• adequacy of the approved CIP version 5 Standards’ protections for Bulk-Power System data being transmitted over data networks

• functional differences between the respective methods utilized for identification, categorization, and specification of appropriate levels of protection for cyber assets using CIP version 5 Standards as compared with those employed within the National Institute of Standards and Technology Security Risk Management Framework.

http://ferc.gov/CalendarFiles/20140227165846-RM13-5-000TC.pdf

Page 5

FERC Technical Conference Update

• Significant discussion regarding Communications Network

• Cyber Systems’ use of non-routable communication

• Cyber Security Procurement Processes

• NIST Risk Management Framework and Cyber Security Framework

Page 6

Terminology

• Cyber Asset

• BES Cyber Asset (BCA)

• BES Cyber Systems (BCS)

• Protected Cyber Asset (PCA)

• Electronic Security Perimeter (ESP)

• External Routable Connectivity (ERC)

• Electronic Access Point (EAP)

• Dial-up Connectivity

Page 7

V3 vs. V5 Requirement Count

• CIP v3
o 5 Requirements (Version 3)
o 26 Sub-requirements

• CIP v5
o 2 Requirements (Version 5)
o 8 Parts

Page 8

Applicable Systems

Page 9

Moved

Page 10

Deleted

Page 11

IAC

• 17 CIP Requirements that include IAC (2/3/2015)

• CIP-005-5 contains no Identify, Assess and Correct language in the requirement.

Page 12

CIP-002-5 & CIP-005-5

• CIP-002-5 is the initial identification of the BES Cyber System

• It is important for the CIP-002-5 and CIP-005-5 teams in your organization to work closely in the identification of BES Cyber Systems and Impact Rating Criteria (IRC)

• ESP boundaries and High Water Mark impacts may affect CIP-005-5 architecture

Page 13

High Level Relationships [CIP-002-5]

[Diagram: BES Assets → BES Cyber Systems (BCS) → BES Cyber Assets, with associated PCAs, for High Impact Facilities (R1.1) and Medium Impact Facilities (R1.2)]

High Impact Facilities: Control Centers and Backup Control Centers (RC, BA, TOP or GOP) that meet CIP-002-5 Attachment 1 Section 1 requirements

Medium Impact Facilities: CIP-002-5 Attachment 1 Section 2 requirements

Page 14

High Level Relationships [CIP-002-5]

[Diagram: BES Assets → BES Cyber Systems (BCS) → BES Cyber Assets, with associated PCAs, for High Impact Facilities (R1.1) and Medium Impact Facilities (R1.2)]

BES Cyber System: One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity

Cyber Asset: Programmable electronic devices, including the hardware, software, and data in those devices

Page 15

High Level Relationships [CIP-002-5] – BES Cyber Asset

[Diagram: BES Assets → BES Cyber Systems (BCS) → BES Cyber Assets, with associated PCAs, for High Impact Facilities (R1.1) and Medium Impact Facilities (R1.2)]

BES Cyber Asset: A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact. Each BES Cyber Asset is included in one or more BES Cyber Systems. (A Cyber Asset is not a BES Cyber Asset if, for 30 consecutive calendar days or less, it is directly connected to a network within an ESP, a Cyber Asset within an ESP, or to a BES Cyber Asset, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.)

Page 16

CIP-005-5 R1 Part 1.1

Page 18

CIP-005-5 R1.1 [ESP]

[Flowchart: High Impact BCS / Medium Impact BCS (with associated PCA) → Internal Routable Connectivity? → YES → Requires ESP (R1.1)]

Protected Cyber Asset (PCA): One or more Cyber Assets connected using a routable protocol within or on an Electronic Security Perimeter that is not part of the highest impact BES Cyber System within the same Electronic Security Perimeter. The impact rating of Protected Cyber Assets is equal to the highest rated BES Cyber System in the same ESP. A Cyber Asset is not a Protected Cyber Asset if, for 30 consecutive calendar days or less, it is connected either to a Cyber Asset within the ESP or to the network within the ESP, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.

Electronic Security Perimeter (ESP): The logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol.

Page 19

Defined ESP

[Diagram: an ESP enclosing a High BES Cyber System made up of BCAs, with associated PCAs inside the same ESP]

Page 20

Electronic Security Perimeter

• Version 3 (1/18/2008)
o The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.

• Version 5 (4/1/2016)
o The logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol.

Page 21

Electronic Security Perimeter(s) ‘defined’

• ESP defines a zone of protection around the BES Cyber System

• Helps determine what systems or Cyber Assets are in scope and what Impact Rating the Cyber Systems meet, and ultimately determines which requirements are applicable

Page 22

ESPs

• Isolated

• Discrete

• Extended

Page 23

Isolated ESP

• ESP network with no external connectivity
o An ESP (a logical border) is required around every routable protocol network that contains a BES Cyber System, even if it is an isolated network and has no external connectivity

Page 24

Isolated ESP – No External Communications

[Diagram: EMS Electronic Security Perimeter (CIP-005) with no external connections, containing EMS Servers and Workstations (BCS identified under CIP-002; each device marked BCA or BCA/PCA), non-BCS Workstations, File Server, Printer, Switch and Router marked PCA; CIP-007 applies to the devices]

Page 25

High Water Mark

• CIP Cyber Security Standards do not require network segmentation of BES Cyber Systems by impact classification

• A new concept from the tiered impact model

• Many different impact classifications can be identified within an ESP; however, the highest level of the BCS within the ESP sets the High Water Mark for all associated assets within that ESP

Page 26

High Water Mark

Page 27

High Water Mark

[Diagram: within one PSP, an ESP containing a High BES Cyber System (BCAs and PCAs) and a separate ESP containing a Medium BES Cyber System (BCAs and PCAs), each with its own EAP]

Page 28

Discrete ESPs

[Diagram: three discrete ESPs, each with its own EAP, interconnected by routable protocols; the BES Cyber Systems shown are rated High, Medium and Low]

Page 29

Discrete ESPs

Page 30

Extended ESP

[Diagram: three ESPs, each containing a High BES Cyber System, joined by encrypted tunnels into one extended ESP that forms a single BES Cyber System]

Page 31

Extended ESP

[Diagram: the same three ESPs joined by encrypted tunnels into one extended ESP, with a single EAP toward the CORP network]

Page 32

Extended ESP

• “If an entity wishes to state that a wide area network of sites are within one ESP, regardless of encryption, then all Cyber Assets (which includes, e.g., all communication or networking equipment) within that very large ESP become associated PCAs and must meet the Requirements of the highest level BES Cyber System in the ESP. The standards do not preclude doing this, but there are implications that Responsible Entities should take into account”

Final_Petition_CIP_V5.pdf (Jan. 31, 2013, page 45)

Page 33

CIP-005-5 Communication Equipment

• Communications equipment between sites:
o If using routable communication, the communications equipment connecting discrete ESPs is not in scope (4.2.3.2)
o Extended ESPs will need to include the communications equipment – not “discrete” ESPs
o Serial communications equipment will be included as no exclusion exists
o This is TBD by the Communication standard work in progress – wait and see. GET INVOLVED: contact Ryan Stewart at NERC to be added to the SDT plus list

[email protected]

Page 34

BCS Boundaries

Can a BCS span multiple facilities crossing discrete ESPs?

Page 35

BCS Boundaries [Single BCS]

Page 36

BCS Boundaries [Multi BCS]

Page 37

Example EMS ESP [Routable]

[Diagram: CorpNet → Firewall → DMZ (Intermediate Server, Access Control Server, EACM, Switch) → Firewall (EAP, CIP-005) → EMS Electronic Security Perimeter containing Routers, Switches, Workstations, File Server, Access Control Server, EMS Servers and Printers (CIP-007 applies to the devices); a second EAP (CIP-005) on a Router toward the EMS WAN]

Page 38

Example EMS ESP [Routable]

[Diagram: same EMS ESP as the previous slide, with the BCS identified under CIP-002 (EMS Servers and Workstations marked BCA or BCA/PCA) and the non-BCS Workstations, File Server, Printer, Switch and Router marked PCA; EAPs (CIP-005) toward the DMZ/CorpNet and the EMS WAN]

All PCA devices take on the impact level of the BCS

Page 39

Example EMS ESP [Multi-BCS ESP]

[Diagram: the EMS ESP now holds two BES Cyber Systems identified under CIP-002: the EMS Servers and Workstations (HIGH) and a BCS Server with BCS Workstations (MEDIUM), all marked BCA; Intermediate Server and Access Control Server/EACM in the DMZ; EAPs (CIP-005) toward CorpNet and the EMS WAN]

Page 40

Example EMS ESP [High Water Mark Impact]

[Diagram: the EMS ESP with its BCS (EMS Servers and Workstations, marked BCA/PCA) and the non-BCS Workstations, File Server, Printer, Switch and Router marked PCA; Intermediate Server and Access Control Server/EACM in the DMZ; EAPs toward CorpNet and the EMS WAN]

All PCA devices take on the impact level of the BCS

Page 41

Non-Routable BCS

• Cyber Assets are subject to the CIP standards based on their functionality and resultant potential impact to BES reliability

• BES Cyber Systems and associated BES Cyber Assets are not dependent upon a routable protocol (see definitions)
o A BES Cyber System may include non-routable (serial) devices. End point devices (relays) may be included within the v5 requirements and identified as BES Cyber Assets, even if no routable communications exist. Therefore, there are v5 requirements to be addressed (i.e. CIP-007-5)

Page 42

BCS and ESPs

• Does a BCS require an ESP?
o A BCS may not require an ESP
o A BCA with no routable connectivity cannot be part of an ESP
o The level of protection required depends on the classification (IRC) of the asset
  - Still required to apply the protections under CIP-007 that apply to a BCA/PCA

Page 43

Mixed connectivity BCS

[Diagram: a BCS that includes a non-routable BCA]

Page 44

Non-Routable BCS

[Diagram: BCS]

Page 45

Measures (Part 1.1)

• List of BES Cyber Systems

• List of BES Cyber Assets within each BCS
o A BCA may be included in more than one BCS

• List of Protected Cyber Assets (associated assets)

• ESP network topology including subnets

• Cyber Asset IP addresses

Page 46

CIP-005-5 R1 Part 1.2

Page 47

Changes

Page 48

CIP-005-5 R1.2 [Electronic AP]

[Flowchart: High Impact BCS / Medium Impact BCS (with associated PCA) → Internal Routable Connectivity? → YES → Requires ESP (R1.1) → External Routable Connectivity? → YES → Requires Electronic Access Point (R1.2)]

External Routable Connectivity (ERC): The ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection.

Electronic Access Point (EAP): A Cyber Asset interface on an Electronic Security Perimeter that allows routable communication between Cyber Assets outside an Electronic Security Perimeter and Cyber Assets inside an Electronic Security Perimeter.

Page 49

Change Rationale (Part 1.2)

• Changed to refer to the defined term Electronic Access Point (EAP versus ESP access point) and BES Cyber System

• Where external routable connectivity and the ESP logical border are defined by the implementation of Electronic Access Points (EAPs)

Page 50

Electronic Access Point ‘identified’

• Firewalls

• Modems

• VPN concentrators

• Dual-homed systems

• Protocol converters (communications controllers, FEP, etc.)

• Etc.

Page 51

Unidirectional Gateways

Page 52

External Routable Connectivity

• ‘External Routable Connectivity’ includes the term ‘bi-directional’
o ‘bi-directional routable protocol connection’

• Systems behind a data diode do not have External Routable Connectivity
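Added example, not from the presentation: the R1.1/R1.2 decision flow of slides 18, 23, 25, 42 and this slide (an ESP around every routable network holding a BCS, PCAs taking the ESP's High Water Mark, the 30-day transient exclusion, non-routable BCAs falling outside an ESP, and an EAP only where bi-directional External Routable Connectivity exists, so not behind a data diode) applied to a constructed inventory. Every asset name, ESP name and flag below is invented sample data.

```python
"""Added example, not from the presentation: CIP-005-5 R1.1/R1.2 decision flow
(slides 18, 23, 25, 42, 52) applied to a constructed inventory. Names are invented."""
from dataclasses import dataclass
from typing import Optional

IMPACT_RANK = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class CyberAsset:
    name: str
    routable: bool                   # connected to the ESP network with a routable protocol
    bcs: Optional[str] = None        # BES Cyber System it belongs to; None = not a BCA
    impact: Optional[str] = None     # CIP-002-5 impact rating of that BCS (BCAs only)
    transient_days: int = 0          # consecutive days connected; 0 = permanent
    transient_purpose: bool = False  # data transfer, VA, maintenance or troubleshooting


@dataclass
class EspNetwork:
    name: str
    assets: list
    external_routable: bool = False  # routable path to Cyber Assets outside the ESP
    data_diode_only: bool = False    # that path is a unidirectional gateway


def transient_excluded(a: CyberAsset) -> bool:
    """30-consecutive-day exclusion in the BCA and PCA definitions (slides 15, 18)."""
    return a.transient_purpose and 0 < a.transient_days <= 30


def high_water_mark(esp: EspNetwork) -> Optional[str]:
    """Highest BCS impact present in the ESP (slide 25); None if no routable BCA."""
    ratings = [a.impact for a in esp.assets
               if a.bcs and a.routable and not transient_excluded(a)]
    return max(ratings, key=IMPACT_RANK.__getitem__) if ratings else None


def classify(esp: EspNetwork) -> dict:
    hwm = high_water_mark(esp)
    out = {"esp": esp.name, "high_water_mark": hwm, "bca": {}, "pca": {},
           "excluded": [], "outside_esp": [], "findings": []}
    for a in esp.assets:
        if transient_excluded(a):
            out["excluded"].append(a.name)       # neither BCA nor PCA while <= 30 days
        elif a.bcs:
            if a.routable:
                out["bca"][a.name] = a.impact
            else:
                # Slide 42: a BCA with no routable connectivity cannot be part of an
                # ESP, but the CIP-007 protections for a BCA still apply to it.
                out["outside_esp"].append(a.name)
                out["findings"].append(f"{a.name}: non-routable BCA, CIP-007 applies outside ESP")
        elif a.routable and hwm:
            out["pca"][a.name] = hwm            # PCA inherits the High Water Mark
        else:
            out["outside_esp"].append(a.name)   # not routable, so cannot be a PCA
    # Slide 23: an ESP is required around every routable network holding a BCS,
    # even an isolated one with no external connectivity.
    out["requires_esp"] = bool(out["bca"])
    # Slide 52: ERC is a bi-directional routable connection; a data diode is not ERC.
    erc = esp.external_routable and not esp.data_diode_only
    out["external_routable_connectivity"] = erc
    out["requires_eap"] = out["requires_esp"] and erc          # R1.2
    if len(set(out["bca"].values())) > 1:
        out["findings"].append("mixed impact ratings in one ESP: PCAs take the High Water Mark")
    return out


# Constructed sample modelled on the EMS ESP of slides 39 and 40 (all names invented).
EMS_ESP = EspNetwork("EMS ESP", external_routable=True, assets=[
    CyberAsset("ems-server-1", True, bcs="EMS", impact="High"),
    CyberAsset("ems-server-2", True, bcs="EMS", impact="High"),
    CyberAsset("bcs-server", True, bcs="Plant SCADA", impact="Medium"),
    CyberAsset("file-server", True),
    CyberAsset("printer", True),
    CyberAsset("relay-1", False, bcs="Plant SCADA", impact="Medium"),  # serial only
    CyberAsset("vendor-laptop", True, transient_days=5, transient_purpose=True),
])
ISOLATED_ESP = EspNetwork("Isolated ESP", assets=[
    CyberAsset("hmi-1", True, bcs="Plant HMI", impact="Medium"),
    CyberAsset("printer-2", True),
])
DIODE_ESP = EspNetwork("Historian ESP", external_routable=True, data_diode_only=True,
                       assets=[CyberAsset("historian", True, bcs="Historian", impact="Medium")])

if __name__ == "__main__":
    for esp in (EMS_ESP, ISOLATED_ESP, DIODE_ESP):
        r = classify(esp)
        print(r["esp"], "| HWM:", r["high_water_mark"], "| ESP required:", r["requires_esp"],
              "| EAP required:", r["requires_eap"])
        print("   PCA:", r["pca"], "| excluded:", r["excluded"], "| outside ESP:", r["outside_esp"])
```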

Page 53

Serially Connected Cyber Assets

• Are serially connected Cyber Assets within scope for Requirements applicable to BES Cyber Systems with External Routable Connectivity?
o All BES Cyber Assets are in scope of all the CIP Version 5 standards
o Type of connectivity limits applicability

Page 54

Protocol Conversion

• Non-intelligent Device – thing of the past
o Serial IP conversion
o One to one relationship – one serial port & 1 IP port
o Non-intelligent – no advanced conversion capabilities

• Intelligent Device
o Serial IP conversion
o Multiple serial ports supported with individual port management
o Advanced conversion and connectivity capabilities per serial port
  - Reverse telnet per serial port
  - Passthru capabilities – direct IP to a specific serial device connected to a serial port on the device

Page 56

DIGI TS

http://ftp1.digi.com/support/documentation/9028700c.pdf (page 113)

Page 57

Protocol Conversion Issues

• External Routable Connectivity (ERC)

• High Water Mark Impacts

• Electronic Security Perimeter (ESP)

• Electronic Access Point (EAP)

• V5 Standard & Guidance

• Connectivity versus accessibility

Page 58

Serial to Field Device

Page 59

Serial to Field Device

Page 60

Serial Communications [standalone ESPs]

[Diagram: IP networks of BCAs at the control center and substations, linked over Telecom / SCADA WAN by serial connections; serial field BCAs hang off the RTU, Terminal Server, Protocol convertor and FEP. Legend: Serial/Routable, RTU, Terminal Server, Protocol convertor, FEP, Router/Switch]

Page 61

Routable Communications [Discrete ESPs]

[Diagram: IP connectivity across the SCADA WAN / Telecom between sites, each site with its own EAP; serial links from the RTU, Terminal Server, Protocol convertor and FEP to field BCAs. Legend: Serial/Routable, RTU, Terminal Server, Protocol convertor, FEP, Router/Switch]

Page 62

Single BCS across PSP/ESP [Discrete ESPs]

[Diagram: the same IP-connected sites with EAPs at each discrete ESP; one BES Cyber System spans the sites, including the serially connected BCAs]

Page 63

Multiple BCS example [Routable – Discrete ESPs]

[Diagram: substations connected over the SCADA WAN / Telecom by IP, each with an EAP; Serial – IP convertors front the serial field BCAs; two Medium BCS are shown, with a PCA in one of the ESPs]

Page 64

PCC Serial WAN Serial Subs

[Diagram: control center EMS Electronic Security Perimeter (High BCS; EMS Servers and Workstations marked BCA/PCA, non-BCS Workstations, File Server, Printer, Switch, Router marked PCA; EAP toward CorpNet) with a FEP; serial WAN to RTUs at substations, each substation a Medium BCS of serially connected BCAs inside a PSP, with no ESP]

Page 65

PCC Routable with Serial & IP substations

[Diagram: control center EMS Electronic Security Perimeter (High BCS) with EAP toward CorpNet; IP-connected substations (RTU, Medium BCS) each within an ESP and PSP with their own EAP; serial-only substations (RTU, Low BCS) with serially connected BCAs and no ESP]

Page 66

Field Devices – Complexity

• Connection method (serial, Ethernet, etc.)

• Connection protocol (non-routable, routable)

• Serial convertors/controllers – IP accessible requires EAP capabilities if IRA

• End to end serial, no ESP or EAP required

• Be aware of multiple connection types

Page 67

SEL-421 Connectivity capabilities

Ethernet (IP)

https://www.selinc.com/SEL-421/

Page 68

IP Accessible CIP-006-5 ERC Impacts

• CIP-006-5
• Part 1.2 – physical access controls
• Part 1.4 – Monitor for unauthorized PSP access
• Part 1.5 – Alarms and alerts on detection of unauthorized access to PSP
• Part 1.6 – PACS systems monitoring
• Part 1.7 – PACS alarms
• Part 1.8 – Logging of access for authorized unescorted access
• Part 1.9 – Retention of access logs for 90 days
• Part 2.1 – Visitor escort requirements
• Part 2.2 – Visitor logging required
• Part 2.3 – Visitor log retention

Page 69

Span Ports

https://supportforums.cisco.com/docs/DOC-32763

Page 70

Span Ports

• SPAN – typical for IDS sensor
o local

• RSPAN
o Cannot cross any Layer 3 device

• ERSPAN (Cisco proprietary)
o Can monitor traffic across a WAN or different networks – L3 connectivity
o Look for an identified EAP

Page 71

R1.2 Audit Approach

• V3 Electronic Access Points and routable connectivity concepts are valid – ESPs expanded to “isolated” ESPs

• Electronic Access Point required for all ESPs with any external routable connectivity to or from BES Cyber Assets

• External Routable Connectivity –
o What about “IP Accessible” via routable protocol?
o Routable protocol accessible? – serial IP conversion
o The serial field devices are no longer under a serial exemption, therefore they are included within the BCS as a BCA. They are now included in the CIP compliance Standards based on BES criteria (reliability operating services), regardless of their connectivity method
o However, be aware of reverse telnet risks (IP Accessible) associated with protocol conversion devices – may require IRA and ERC requirements
o Extended ESPs are still a valid ESP configuration

Page 72

Measures (Part 1.2)

• Network Diagrams

• External routable communication paths

• List of all Identified EAPs

Page 73

CIP-005-5 R1 Part 1.3

Page 74

CIP-005-5 R1.3 [Bi-Directional Controls]

[Flowchart: High Impact BCS / Medium Impact BCS (with associated PCA) → Internal Routable Connectivity? → YES → Requires ESP (R1.1) → External Routable Connectivity? → YES → Requires Electronic Access Point (R1.2) → Requires Bi-directional controls (R1.3)]

Protected Cyber Asset (PCA): One or more Cyber Assets connected using a routable protocol within or on an Electronic Security Perimeter that is not part of the highest impact BES Cyber System within the same Electronic Security Perimeter. The impact rating of Protected Cyber Assets is equal to the highest rated BES Cyber System in the same ESP. A Cyber Asset is not a Protected Cyber Asset if, for 30 consecutive calendar days or less, it is connected either to a Cyber Asset within the ESP or to the network within the ESP, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.

External Routable Connectivity (ERC): The ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection.

Electronic Access Point (EAP): A Cyber Asset interface on an Electronic Security Perimeter that allows routable communication between Cyber Assets outside an Electronic Security Perimeter and Cyber Assets inside an Electronic Security Perimeter.

Electronic Security Perimeter (ESP): The logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol.

Page 75: Change Rationale (Part 1.3)

• Changed to refer to the defined term Electronic Access Point and to focus on the entity knowing and having a reason for what it allows through the EAP in both inbound and outbound directions

Page 76: Audit Approach (Part 1.3)

• Responsible Entity knows what other Cyber Assets or ranges of addresses a BES Cyber System needs to communicate with and limits the communications to that known range
• Not required to document the inner workings of stateful firewalls, where connections initiated in one direction are allowed a return path

Page 77: Access Permissions

• “SDT notes the requirement does not require that all 65535 ports be documented as this is a ‘deny by default’ requirement and only the remaining open ports (those that ‘grant access’) should be documented.”

Final_Petition_CIP_V5.pdf (Jan. 31, 2013, page 46)

Page 78: Measures (Part 1.3)

• Established baseline
• Electronic Access Point(s) configuration(s)
• Utilize ‘remark’ type command

Page 79: ACL Remarks

! Object groups name the BCS hosts on each side of the EAP
object-group network BCS1
 network-object host 10.1.1.3
 network-object host 10.1.1.4
object-group network BCS2
 network-object host 172.16.1.5
 network-object host 172.16.1.8
! Each permit is preceded by a remark stating why the access is needed;
! each ACL ends with an explicit, logged deny-by-default entry
access-list 101 remark BCS1 hosts allowed to communicate with BCS2 hosts
access-list 101 remark permit_SSH for EIA
access-list 101 permit tcp host 10.1.1.2 host 172.16.1.10 eq 22
access-list 101 remark deny by default CIP-005-5 R1.3
access-list 101 deny ip any any log
access-list 201 remark BCS2 hosts allowed to communicate with BCS1
access-list 201 remark permit_iccp
access-list 201 permit tcp host 10.1.1.3 host 172.16.1.5 eq 102
access-list 201 remark deny by default CIP-005-5 R1.3
access-list 201 deny ip any any log
access-group 101 in interface ethernet 0/0

Page 80: Audit Approach (Part 1.3)

• Requirement does not require that all 65535 ports be documented as this is a ‘deny by default’ requirement
• Only the remaining open ports (those that ‘grant access’) should be documented per R1.3
• Does not limit the Responsible Entity from controlling outbound traffic at the level of granularity that it deems appropriate and large ranges of internal addresses may be allowed
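Added example (not from the presentation, WECC or NERC): a small Python check that reads ASA/IOS-style access-list text like the ACL Remarks slide and produces the Part 1.3 evidence an auditor looks for: the documented ‘grant access’ permits with their remarks, any permit lacking a remark, any ACL without an explicit logged deny-by-default entry, and any permit left unreachable behind that deny. The sample ACL, the address/port values and the finding texts are constructed for this example.

```python
"""R1.3 evidence check over ASA/IOS-style access-list text (added example).

Constructed illustration of the audit approach above, not a WECC or NERC tool:
every permit that 'grants access' should carry a documented reason (remark),
each ACL should end in an explicit 'deny ip any any', and nothing should sit
behind that deny.
"""

# Constructed sample modelled on the slide's ACL; not a real device config.
SAMPLE_ACL = """\
access-list 101 remark BCS1 hosts allowed to communicate with BCS2 hosts
access-list 101 remark permit_SSH for EIA
access-list 101 permit tcp host 10.1.1.2 host 172.16.1.10 eq 22
access-list 101 remark deny by default CIP-005-5 R1.3
access-list 101 deny ip any any log
access-list 201 permit tcp host 10.1.1.3 host 172.16.1.5 eq 102
access-list 201 deny ip any any
access-list 201 permit tcp host 10.1.1.4 host 172.16.1.8 eq 102
access-list 301 permit ip any any
"""


def _addr(tok, i):
    """Consume one address spec (any | host A | NET MASK) starting at tok[i]."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return f"{tok[i]}/{tok[i + 1]}", i + 2


def audit_acl(text):
    """Return (permits, findings).

    permits: (acl, proto, src, dst, port, reason) for every 'grant access' line,
    i.e. the R1.3 documentation the slide says is required (not all 65535 ports).
    findings: strings an auditor would raise against the configuration.
    """
    permits, findings = [], []
    pending = {}     # acl -> remark text seen since that ACL's last rule line
    closed = set()   # ACLs that have already reached their deny-by-default line
    seen = set()
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != "access-list":
            continue
        acl, action = tok[1], tok[2]
        seen.add(acl)
        if action == "remark":
            pending.setdefault(acl, []).append(" ".join(tok[3:]))
        elif action == "permit":
            proto = tok[3]
            src, i = _addr(tok, 4)
            dst, i = _addr(tok, i)
            port = tok[i + 1] if i < len(tok) and tok[i] == "eq" else "any"
            reason = "; ".join(pending.pop(acl, [])) or None
            permits.append((acl, proto, src, dst, port, reason))
            flow = f"{acl}: {proto} {src} -> {dst} port {port}"
            if acl in closed:
                findings.append(f"{flow} is unreachable behind deny-by-default")
            if reason is None:
                findings.append(f"{flow} has no remark documenting the need")
            if proto == "ip" and src == dst == "any":
                findings.append(f"{flow} permits all traffic; deny by default is defeated")
        elif action == "deny" and tok[3:6] == ["ip", "any", "any"]:
            closed.add(acl)
            pending.pop(acl, None)
            if "log" not in tok[6:]:
                findings.append(f"{acl}: deny-by-default is not logged")
    for acl in sorted(seen - closed):
        findings.append(f"{acl}: no explicit 'deny ip any any' at the end")
    return permits, findings
```

Run `audit_acl(SAMPLE_ACL)`: ACL 101 is clean, ACL 201 has an undocumented permit, an unlogged deny and a shadowed permit, and ACL 301 is a wide-open permit with no deny at all.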

Page 81: Identifying Ports and Services for EAP/EACM

• Is an EAP an EACM in version 5?
  o To remove any cross referencing, these Cyber Assets are now included in the Applicability column for each cyber security requirement

Page 82: Categorization Criteria

• Electronic Access Control or Monitoring Systems (“EACMS”)
  o Examples include: Electronic Access Points, Intermediate Devices, authentication servers (e.g., RADIUS servers, Active Directory servers, Certificate Authorities), security event monitoring systems, and intrusion detection systems

Page 83: CIP-005-5 R1 Part 1.4

Page 84: Changes

Page 85: Change Rationale (Part 1.4)

• Added clarification that dial-up connectivity should perform authentication so that the BES Cyber System is not directly accessible with a phone number only

Page 86: ‘Dial-up Connectivity’

• A data communication link that is established when the communication equipment dials a phone number and negotiates a connection with the equipment on the other end of the link
• CIP-005-5 is silent on differentiating Dial-in vs. Dial-out direction
• Dial-up is generally and historically recognized as a two way communication service once established
• Requirement R2 (Interactive Remote Access) builds upon Requirement R1.4 when the session meets the definition of Interactive Remote Access

Page 87: R1.4 Audit Approach

• Requires authentication for all dial-up accessible cyber assets
• Authentication – does not require multi-factor authentication as in IRA
• Capability does not mean “because we do not want to”, “it makes access difficult”, “our techs won’t use it”, etc.

Page 88: CIP-005-5 R1.4 Applicability

• Applies to any access including machine to machine
• CIP-005 R1.4 concerns the security of the ‘network’ level and requires that there be some form of authentication before a ‘network’ connection is established to the BES Cyber System
  o R2 only applies to ‘Interactive Remote Access’ which is user-based
• EAP-like functionality on dialups
  o Once a connection is made, then CIP-007 applies as we’ve moved from the ‘network’ level security to device level security and any user access has to be authenticated at the device

Page 89: Measures (Part 1.4)

• “…a documented process…”
• Auditors conducting performance audits
• “…how the Responsible Entity is providing authenticated access through each dial-up connection.”

Page 90: CIP-005-5 R1 Part 1.5

Page 91: Changes

Page 92: CIP-005-5 R1.5 [Malicious Communication Detection]

[Decision diagram: High Impact BCS, Medium Impact BCS at Control Centers, and their PCA. Electronic Access Point Exists? Yes → Requires Bi-directional monitoring for malicious activity (R1.5).]

Page 93: Change Rationale

• Per FERC Order No. 706, Paragraphs 496-503, ESPs need two distinct security measures such that the Cyber Assets do not lose all perimeter protection if one measure fails or is misconfigured. The Order makes clear this is not simple redundancy of firewalls, thus the SDT has decided to add the security measure of malicious traffic inspection as a requirement for these ESPs.

Page 94: Audit Approach (Part 1.5)

• Is audit approach to detect 100% of all malicious communications?
  o “Known or suspected”
  o Communications that have attributes of known or suspected malicious communications

Page 95: IDS placement

[Network diagram: three ESPs containing High and Medium BES Cyber Systems, a Low BES Cyber System, routable protocol links between them, two EAPs and an IDS.]

Page 96: Audit Approach (Part 1.5)

• Direction of the traffic monitored
  o both inbound and outbound traffic subject to the detection
• Placement of malicious communications inspection
  o specific architecture and placement is not prescribed
• Number of IDS’s
  o Applicability is set at the EAP level
  o EAPs at Medium Impact BCS Control Centers need to be covered by the entity’s method for detecting malicious communications
• CIP-007-5 Part 4 addresses logging (4.1) and alerting (4.2) for this malicious communications detection device (EACMS)

Page 97: EAP Malicious Code Prevention

• No TFE language in CIP-007-5 R3 for EACMS
• Requirement has been written at a much higher level than previous versions
• Guidance has numerous suggested methods up to and including policy level measures
• Requirement no longer prescriptively requires a single technology tool for addressing the issue

Page 98: Unified Threat Management (UTM)

• Does the IDS measure have its own configuration, firmware, module?
• Can the IDS measure operate independent of a failure or misconfiguration of the Electronic Access Point?

Page 99: Audit Approach (Part 1.5)

• Isolated networks applicability?
  o Isolated networks do not have EAPs
  o R1.5 would not be applicable?
  o IDS is an EACM … therefore
• Detection is only one half of the issue
  o Addressing or mitigating the detected threat per CIP-007-5 R4

Page 100: EACMs and PACS

• EACMs and PACS can still be located outside an ESP
• PACS
  o No distinction between “field devices” and “central servers”
  o Protections primarily through the CIP-007 requirements for authorization, access control, and logging and monitoring for these systems

Page 101: Measures (Part 1.5)

• Dual protection architecture
• IDS configuration
• Layer 7 firewall configuration
• Monitoring evidence

Page 102: R1 Issues & Pitfalls

• EAP and Intrusion Detection System (IDS)
  o Need both technologies not just access control
• Inbound and outbound access controls
  o Requires detailed understanding of all traffic
• Bi-directional monitoring
• Multiple ESPs with different impact levels at one facility
  o Intercommunications and High Water Mark
• Extended ESPs may still be a valid ESP architecture – Technical conference to provide communications devices security controls may affect the Extended ESP architecture – stay tuned

Page 103: R2 Interactive Remote Access

Page 104: v5 Interactive Remote Access

• v5 – CIP-005-5 R2 Summary
  o Requires Intermediate system [proxy/jump host]
  o Requires encryption to intermediate system
  o Requires multi-factor authentication at intermediate system
  o Strong Procedures are not included as option for interactive remote access

Page 105: CIP-005-5 R2.1

Page 106: Changes

Page 107: CIP-005-5 R2.1 [Intermediate System]

[Decision diagram: High Impact BCS, Medium Impact BCS and their PCA. External Routable Connectivity? Yes → Interactive Remote Access? Yes → Requires Intermediate System for Interactive Remote Access (R2.1).]

Definitions shown on the slide (NERC Glossary terms):

Intermediate System: A Cyber Asset or collection of Cyber Assets performing access control to restrict Interactive Remote Access to only authorized users. The Intermediate System must not be located inside the Electronic Security Perimeter.

Interactive Remote Access: User-initiated access by a person employing a remote access client or other remote access technology using a routable protocol. Remote access originates from a Cyber Asset that is not an Intermediate System and not located within any of the Responsible Entity’s Electronic Security Perimeter(s) or at a defined Electronic Access Point (EAP). Remote access may be initiated from: 1) Cyber Assets used or owned by the Responsible Entity, 2) Cyber Assets used or owned by employees, and 3) Cyber Assets used or owned by vendors, contractors, or consultants. Interactive remote access does not include system-to-system process communications.

Page 108: R2.1 Audit Approach

• All Interactive Remote Access requires an intermediate system that “proxies” all traffic into the ESP
  o No direct external access from client to internal BES cyber asset
  o Source IP address is the IP address of the intermediate system – no pass through
• System-to-system process communications are not IRA
  o Can this communications path be accessed for interactive remote access?
• System Interactive communication – capabilities are key, not limited to functional use alone
• Interactive Remote Access includes any cyber asset that is not within the ESP
  o (i.e. Corp net, DMZs, Substation, Internet, etc.) and includes bi-directional traffic to/from a lower security zone (non-ESP)
• ESP-to-ESP interactive access does not require R2

Page 109: CIP-005-5 R2.2

Page 110: CIP-005-5 R2.2 [Encrypted communications]

[Decision diagram: High Impact BCS, Medium Impact BCS and their PCA. External Routable Connectivity? Yes → Interactive Remote Access? Yes → Requires Intermediate System for Interactive Remote Access (R2.1) → Requires encryption that terminates at Intermediate System (R2.2).]

Page 111: R2.2 Audit Approach

• Interactive Remote Access requires encryption from remote client all the way to the intermediate system
• Intermediate system provides decryption of the encrypted traffic
• ESP remote access only allowed into the ESP from the intermediate system
  o source IP address of the intermediate system
• Restrictive access controls defined for all traffic from the intermediate system into the ESP
• All Intermediate system communications into the ESP must traverse an EAP prior to entry into ESP
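Added example (not from the presentation, WECC or NERC) covering the R2.1 and R2.2 audit points above: a Python screen over EAP connection records that flags interactive sessions into the ESP whose source is not the Intermediate System, flags cleartext interactive protocols on the client-to-Intermediate-System leg, leaves ESP-to-ESP and system-to-system traffic (such as ICCP) outside R2, and refuses an Intermediate System address that lies inside the ESP. The record format, addresses, and the port classes used for “interactive” and “cleartext” are assumptions constructed for this example.

```python
"""Screening EAP connection records for CIP-005-5 R2.1 / R2.2 (added example).

Not the author's or WECC's tool. It applies the R2.1 and R2.2 audit points to
constructed flow records: interactive access into the ESP must be sourced from
the Intermediate System, the client-to-Intermediate-System leg must be
encrypted, and system-to-system traffic (e.g. ICCP) is outside R2.
Addresses, port classes and the record format are all assumptions.
"""
import ipaddress

ESP_NET = "10.1.1.0/24"            # constructed ESP address range
INTERMEDIATE = "192.168.100.10"    # constructed jump host in a DMZ, outside the ESP
# Assumed port classes; a real review uses the entity's documented services.
INTERACTIVE = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc"}
CLEARTEXT = {23, 5900}             # interactive protocols with no native encryption

# Constructed records: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>"
SAMPLE_FLOWS = """\
2014-05-14T09:00:01 192.168.100.10:51002 -> 10.1.1.3:22 tcp
2014-05-14T09:00:05 172.31.5.7:60211 -> 10.1.1.3:3389 tcp
2014-05-14T09:00:09 172.16.1.5:40001 -> 10.1.1.3:102 tcp
2014-05-14T09:00:12 172.31.5.7:60215 -> 192.168.100.10:23 tcp
2014-05-14T09:00:20 172.31.5.9:60300 -> 192.168.100.10:22 tcp
2014-05-14T09:00:31 10.1.1.4:45000 -> 10.1.1.3:22 tcp
"""


def parse_flow(line):
    """Return (src, sport, dst, dport) from one constructed record."""
    _, src, _, dst, _ = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return (ipaddress.ip_address(s_ip), int(s_port),
            ipaddress.ip_address(d_ip), int(d_port))


def screen_flows(text, esp=ESP_NET, jump=INTERMEDIATE):
    """Classify every record; return (findings, counts per class)."""
    esp, jump = ipaddress.ip_network(esp), ipaddress.ip_address(jump)
    if jump in esp:  # by definition the Intermediate System is not inside the ESP
        raise ValueError("Intermediate System address lies inside the ESP")
    findings = []
    counts = {"ira_ok": 0, "system_to_system": 0, "esp_internal": 0,
              "client_to_jump": 0}
    for line in text.splitlines():
        src, _, dst, dport = parse_flow(line)
        service = INTERACTIVE.get(dport)
        if dst in esp:
            if src in esp:
                counts["esp_internal"] += 1       # ESP-to-ESP access: R2 not triggered
            elif service is None:
                counts["system_to_system"] += 1   # process traffic such as ICCP: not IRA
            elif src == jump:
                counts["ira_ok"] += 1             # proxied through the Intermediate System
            else:
                findings.append(f"R2.1: {service} from {src} to {dst} bypasses the "
                                f"Intermediate System (source must be {jump})")
        elif dst == jump and service is not None:
            counts["client_to_jump"] += 1
            if dport in CLEARTEXT:
                findings.append(f"R2.2: {service} from {src} to the Intermediate "
                                f"System is not encrypted end to end")
    return findings, counts
```

On the sample, `screen_flows(SAMPLE_FLOWS)` returns two findings (an RDP session straight into the ESP from the corporate network, and a telnet session to the jump host) and counts one proxied session, one ICCP system-to-system flow, one ESP-internal session and two client-to-jump-host sessions.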

Page 112: CIP-005-5 R2.3

Page 113: CIP-005-5 R2.3 [Multi-factor Authentication]

[Decision diagram: High Impact BCS, Medium Impact BCS and their PCA. External Routable Connectivity? Yes → Interactive Remote Access? Yes → Requires Intermediate System for Interactive Remote Access (R2.1) → Requires encryption that terminates at Intermediate System (R2.2) → Requires multi-factor authentication (R2.3).]

Multi-Factor Authentication -- examples
• Something the individual knows such as passwords or PINs.
• Something the individual has such as tokens, digital certificates, or smart cards;
• Something the individual is such as fingerprints, iris scans, or other biometric characteristics.

Page 114: R2.3 Audit Approach

• Multi-factor authentication is required for all Interactive Remote Access
• Multi-factor authentication requires at least two of the following:
  o Something you have (tokens)
  o Something you know (passwords)
  o Something you are (biometrics)
• Multi-factor authentication is required at the intermediate system – this is in addition to external corporate VPN access authentication

Page 115: v3 Remote Access [Discrete ESP]

[Network diagram. Components: Internet, Corp VPN concentrator (2 Factor), Corp DMZ, CorpNet, Mgmt DMZ with Jump Host and Mgmt-AD (2 Factor), Support and Vendor users, Logical VPN User, Corporate User, EAPs, ESP / Prod Net (EMS ICCP 1-2, EMS Console 1-4, Prod-AD, HMI1), EMS WAN. Annotations: “Encrypted – Not required, but best practice”; “All internal corp access into the ESP is the same as the ‘Logical VPN User’”; “Technical solution requires 2-factor authentication for ESP access from both networks”.]

Page 116: v5 Remote Access [Discrete ESP]

[Network diagram with the same components as the v3 slide: Internet, Corp VPN concentrator (2 Factor), Corp DMZ, CorpNet, Mgmt DMZ with Jump Host and Mgmt-AD (2 Factor), Support and Vendor users, Logical VPN User, Corporate User, EAPs, ESP / Prod Net (EMS ICCP 1-2, EMS Console 1-4, Prod-AD, HMI1), Medium EAP to the ESP EMS WAN. The ESP is labelled High BES Cyber System with PCA. Annotations: “Encrypted” (REQUIRED); “All internal corp access into the ESP is the same as the ‘Logical VPN User’”; “Requires 2-factor authentication for ESP access”.]

Page 117: R2 Issues & Pitfalls

• v5 potential issues:
  o Adding an “intermediate system” into current remote access architectures
  o Proxy architecture – how will this affect access data flows and performance
  o Encryption to the intermediate system
  o Multi-factor authentication at the intermediate system
  o High water mark security

Page 118: What Do We Do Now?

• Additional ESP identification – routable connectivity of High and Medium impact Cyber Systems – with no external routable communications
• Inbound and outbound access controls
  o Requires detailed understanding of all traffic
• EAP and IDS – requires both technologies
• Bi-directional monitoring
• Adding an “intermediate system” into current remote access architectures
• Planning for proxy architecture – how will this affect access
• Encryption to the intermediate system
• Multi-factor authentication at the intermediate system

Page 119: CIP-005-5 Roadshow Presentation Revision History

CIP-005-5 Change History

Version | Change | Date | By
V1 | Initial Presentation developed for SLC V5 Roadshow | 2/4/14 | M Neshem, M King
V2 | Presentation modified for Marina Del Ray Roadshow. Added drawings, VM slides added, UTM slides added and modified slide content | 3/18/14 | M Neshem, M King
V3 | SMUD Outreach presentation modified to clarify questions received from previous presentation. Serial relay communications clarification and additional detailed slides. SAR additional slide | 5/5/14 | M Neshem, M King
V4 | Updated content and presentation flow for SLC Roadshow based upon previous lessons learned. Removed redundant slides, modified content as needed. Change order of serial relay topic. Added Revision table. Updated slides 43 and 44 for clarification | 5/14/14 | M Neshem, M King

Page 120: Questions?

Michael (Mick) Neshem CISA, CISSP, CSSA
Senior Compliance Auditor - Cyber Security
Western Electricity Coordinating Council (WECC)
7400 NE 41st Street, Suite 320
Vancouver, WA 98662
[email protected]
(C) 425.891.4671 (O) 801.734.8187