NERC CIP 007 5 R1 White Paper
CIP-007-5 R1 DRAFT: Understanding the Importance and Relevance of Configuration Ports to Utility Cyber Security
Whitepaper
©2011 – TDi Technologies, Inc. www.tditechnologies.com
Purpose
Configuration ports on critical and non-critical cyber assets are often misunderstood and overlooked in the overall cyber security strategy. This paper discusses the importance of configuration ports in the overall cyber security strategy and how they apply to the NERC-CIP standard. An Industry Advisory from NERC with additional details on this subject is available here:
http://www.nerc.com/fileUploads/File/Events%20Analysis/A-2008-05-13-1.pdf

Introduction
The NERC-CIP standard is the primary knowledge resource used by the Utility industry to ensure our nation’s power grid is protected from unintentional (accidental) and intentional (malicious) disruption. While the NERC-CIP standard takes a comprehensive approach to cyber security, there remain areas where the specific implications of security vulnerabilities are not understood by the industry at large. This whitepaper looks at the specific area of configuration ports as covered by NERC-CIP-007-5.

What are Configuration Ports?
Configuration ports exist on almost every hardware device in the IT infrastructure. These physical ports provide a special level of privileged access that can be used to:
1) Change BIOS
2) Upgrade firmware
3) Set baseline configuration
4) Build out devices that have components (like servers)
5) Perform a variety of administrative functions
6) Perform emergency repair or failure recovery when no other port is accessible
Item six in the list above is very telling with respect to the important role these ports play in the cyber security strategy. Except for power supply or catastrophic electronic component failure, configuration ports are active at all times – even when conditions have degraded a device to the point that no other port can accept communications. They are the default emergency access point for every IT device.
Per CIP-007-5 all ports should be either secured or disabled. This obviously includes configuration ports. However, most IT devices do not allow the disabling of these ports, nor should these ports be disabled, as they serve important purposes, including being the primary emergency access port. Instead, these ports must be secured.
Types of Configuration Ports
Most configuration ports are serial or TCP/IP. Most modern server hardware provides the configuration interface through a baseboard management controller with a TCP/IP interface that directly falls under the “routable protocol” definition in the standard.
The baseboard management controller is a standalone, independent computer built into the server architecture, and it is fully operational any time power is supplied to the device chassis. Common vendor names for baseboard management controllers include iLO2 (HP), DRAC (Dell), and ALOM and ILOM (Sun/Oracle).
While configuration ports have been part of IT device design for decades, the baseboard management controller is a rapidly evolving form of modern configuration port capability. Modern server architectures with blades and blade chassis normally come with baseboard management controllers on the individual blades as well as on the chassis itself.
Many networking devices such as routers and fabric switches, storage controllers, and specific-purpose appliances like firewalls and terminal servers often have a serial configuration port. Their operation and availability (power to chassis) are the same as with servers; the primary difference is the type of communications protocol.
Configuration port functionality is also replicated in most virtual machine designs with virtual consoles or virtual serial consoles that can be accessed from the physical baseboard management controller of the physical host they reside on, or via a Secure Shell network connection. This allows remote configuration of the virtual guest operating system/machine, which in most cases is not logged or audited.
Access and Use of Configuration Ports
Configuration ports are often not connected to anything until they are needed, such as during a catastrophic failure. When configuration ports are not connected (the port is left open), access is achieved by connecting a computer to the configuration port, which requires the person connecting to the port to be physically present where the device resides.
More often, configuration ports are networked in some manner, with the network for these ports commonly referred to as an out-of-band or management network. This out-of-band network is typically segregated from the normal or production network for additional security due to the highly sensitive nature of configuration ports.
As noted above, configuration ports are often used under a variety of operating conditions, including situations where the configuration port is the only accessible port on a device. This presents a problem for cyber security approaches that rely on normal networking to be active (this includes all locally installed agent software), because their security capabilities are disabled precisely under the conditions where access is likely to occur over the configuration port.
The key takeaways on access and use of configuration ports are:
1) Configuration ports either cannot or should not be disabled
2) Security over unconnected (non-networked) configuration ports is limited to physical security
3) Traditional cyber security approaches cannot secure configuration ports at all times
4) Access to the configuration ports is not audited or logged
5) Authentication is often independent of the production methods, mostly because during an outage the production method of authentication may not be available

Severity of the Cyber Security Threat
A significant influence on the severity of the threat an access port presents to the Utility organization is the privileged capabilities the port presents to its user. Configuration ports present an extremely high set of privileges that can be used to change almost anything on the target device. This level of privilege is why access to configuration ports is often referred to as having the “keys to the kingdom.”
The list of severe security threats over configuration ports is impossible to fully document due to the range of privileged commands these ports provide to their users. Some of the more obvious threats are:
- communication ports can be changed or added
- data can be copied
- malware can be installed at multiple levels (BIOS, firmware, OS)
- user accounts and privileges can be added, changed or deleted
- device configuration can be changed
- ports are “discoverable,” making them targets for malicious actors
The simple fact is that configuration ports are an extremely high security issue that can be exploited under a variety of scenarios where other security technologies, techniques, and practices cannot detect an active exploit.
In addition, many baseboard management controllers now allow side-band access, which lets them be reached even when their dedicated port is not connected to anything. With side-band access, the baseboard management controller can use other TCP/IP ports on the device, enabling the baseboard management controller to be accessed even while its dedicated port remains unconnected.
This means that the threats identified above may remain in force even when the out-of-band network is in place and properly segregated from the production network (depending on the specifics of the baseboard management controller by vendor, and possibly its configuration). This also increases the risk of these ports being improperly secured, discovered, and compromised.

Best Practice Guidance
The best practice guidance for configuration ports is that they should be treated just like any other security concern in regards to active monitoring and control. The steps that should be taken include:
1) Ensure that all configuration ports are connected to an out-of-band or management-specific network
2) Segregate the out-of-band network from the normal or production network(s)
3) Institute role-based access and control over all configuration ports (restrict access,
least privilege)
4) Encrypt communications to configuration ports (where supported by devices)
5) Use proper or multi-factor authentication to configuration ports
6) Persistently monitor all configuration ports to ensure all access meets the security
policy
7) Log all access to configuration ports by each actor
8) Log all privileged user activity over configuration ports
9) Alert and ALARM on specific messages or events detected on the access port.
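As an added illustration of guidance items 1-3, 6-7 and 9 (example code, not from the whitepaper or from TDi Technologies), the following Python review pass checks constructed out-of-band console/BMC access records against an assumed policy: a management subnet, an actor-to-role table, a list of privileged commands and a set of events that should always alarm. The record layout, subnet, actors, roles and device names are all constructed for the example.

```python
"""Added example, not from the whitepaper: policy review of out-of-band console/BMC
access records (guidance items 1-3, 6-7, 9). Records, subnet, actors and roles are constructed."""
import ipaddress
import re

# Assumed policy: only the management (OOB) subnet may reach configuration ports,
# and only listed roles may run privileged commands over them.
MGMT_NET = ipaddress.ip_network("10.250.0.0/24")  # constructed OOB subnet
ROLE_OF = {"alice": "admin", "bob": "operator"}   # constructed actor -> role table
PRIV_ROLES = {"admin"}
PRIV_CMD = re.compile(r"^(flash|firmware|bios|useradd|usermod|setpasswd)\b")
ALARM_EVENTS = {"firmware-update", "bios-setting-change", "user-created"}  # item 9

# Constructed record layout: timestamp actor src_ip device event [command ...]
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)(?: (.*))?$")

def review(lines):
    """Return (severity, reason, raw_record) findings, one per policy violation."""
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            findings.append(("WARN", "unparseable record", raw))
            continue
        _ts, actor, src, device, event, cmd = m.groups()
        try:
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            findings.append(("WARN", f"bad source address {src}", raw))
            continue
        role = ROLE_OF.get(actor)
        if src_ip not in MGMT_NET:
            # Port reached from outside the OOB network: a segregation failure or
            # side-band BMC exposure (items 1-2).
            findings.append(("ALARM", f"access from non-management address {src}", raw))
        if role is None:
            findings.append(("ALARM", f"unknown actor {actor}", raw))  # item 3
        if cmd and PRIV_CMD.match(cmd) and role not in PRIV_ROLES:
            findings.append(("ALARM", f"privileged command by role {role}", raw))
        if event in ALARM_EVENTS:
            findings.append(("ALARM", f"{event} on {device}", raw))  # item 9
    return findings

SAMPLE = [  # constructed access records
    "2011-06-01T02:10:05Z alice 10.250.0.17 ilo-db01 login",
    "2011-06-01T02:11:40Z alice 10.250.0.17 ilo-db01 shell-cmd show power",
    "2011-06-01T02:15:02Z bob 10.250.0.22 drac-web02 shell-cmd firmware update bmc.bin",
    "2011-06-01T03:01:13Z guest9 192.168.1.44 ilo-db01 login",
    "2011-06-01T03:02:00Z alice 10.250.0.17 ilo-db01 user-created useradd backup2",
]
```

`review(SAMPLE)` yields four ALARM findings: an operator running a firmware command, an unknown actor reaching a port from a non-management address (two findings on one record), and a user-created event; the two routine admin records produce nothing.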
One reference that can help in assessing or designing a secure out-of-band network is available from the Defense Information Systems Agency:
http://iase.disa.mil/stigs/downloads/pdf/network_management_security_guidance_at-a-glance_v8r1.pdf
Various hardware and software solutions exist for managing the out-of-band network
per the best practice guidance provided above. These solutions should be evaluated
against existing security policies and wherever possible be capable of directly
supporting them programmatically to limit the scope of manual policy enforcement.
About This Whitepaper
This whitepaper was written to help address a security vulnerability that is often overlooked and misunderstood in the Utility industry. The recommendations provided are believed to be accurate in their applicability and support for the DRAFT NERC-CIP-007-5 R1. The additional areas of the DRAFT NERC-CIP-xxx-5 standard that we will be discussing in upcoming whitepapers include: CIP-005, 007 (additional sections), 008, 010, and 011.

Full Disclosure
This whitepaper was written and produced by TDi Technologies, a software vendor that provides an out-of-band software solution to the Utility industry and other vertical markets. The information presented here represents our best understanding of the security issues associated with configuration ports, which is a problem area our company focuses on. The whitepaper is intended to provide useful and educational content that can assist Utility companies in providing secure, dependable power to our Nation without interruption.

Future Whitepapers
If you would like to receive additional whitepapers on NERC-CIP from us as they become available, please email us at [email protected].