NERC CIP 007 5 R1 White Paper

CIP-007-5 R1 DRAFT: Understanding the Importance and Relevance of Configuration Ports to Utility Cyber Security

Whitepaper

Description

With the drafting of NERC CIP Revision 5, TDi took a serious look at CIP 7 (Control Ports) and built this educational white paper.

©2011 – TDi Technologies, Inc. www.tditechnologies.com

Purpose

Configuration ports on critical and non-critical cyber assets are often misunderstood and overlooked in the overall cyber security strategy. This paper discusses the importance of configuration ports in the overall cyber security strategy and how they apply to the NERC-CIP standard. An Industry Advisory from NERC with additional details on this subject is available here:

http://www.nerc.com/fileUploads/File/Events%20Analysis/A-2008-05-13-1.pdf

Introduction

The NERC-CIP standard is the primary knowledge resource used by the Utility industry to ensure our nation’s power grid is protected from unintentional (accidental) and intentional (malicious) disruption. While the NERC-CIP standard takes a comprehensive approach to cyber security, there remain areas where the specific implications of security vulnerabilities are not understood by the industry at large. This whitepaper looks at the specific area of Configuration Ports as covered by NERC-CIP-007-5.

What are Configuration Ports?

Configuration ports exist on almost every hardware device in the IT infrastructure. These physical ports provide a special level of privileged access that can be used to:

1) Change BIOS settings
2) Upgrade firmware
3) Set the baseline configuration
4) Build out devices that have components (like servers)
5) Perform a variety of administrative functions
6) Perform emergency repair or failure recovery when no other port is accessible

Item six in the list above is very telling with respect to the important role these ports play in the cyber security strategy. Except for power supply or catastrophic electronic component failure, configuration ports are active at all times – even when conditions have degraded a device to the point that no other port can accept communications. They are the default emergency access point for every IT device.

Per CIP-007-5 all ports should be either secured or disabled. This obviously includes configuration ports. However, most IT devices do not allow the disabling of these ports, nor should these ports be disabled, as they serve important purposes, including being the primary emergency access port. Instead, these ports must be secured.

Types of Configuration Ports

Most configuration ports are serial or TCP/IP. Most modern server hardware provides the configuration interface through a baseboard management controller with a TCP/IP interface that directly falls under the “routable protocol” definition in the standard.

The baseboard management controller is a standalone, independent computer built into the server architecture, and it is fully operational any time power is supplied to the device chassis. Common vendor names for baseboard management controllers include iLO2 (HP), DRAC (Dell), and ALOM and ILOM (Sun/Oracle).

While configuration ports have been part of IT device design for decades, the baseboard management controller is a rapidly evolving form of modern configuration port capability. Modern server architectures with blades and blade chassis normally come with baseboard management controllers on the individual blades as well as on the chassis itself.

Many networking devices such as routers and fabric switches, storage controllers, and specific-purpose appliances like firewalls and terminal servers often have a serial configuration port. Their operation and availability (power to chassis) is the same as with servers; the primary difference is the type of communications protocol.

Configuration port functionality is also replicated in most virtual machine designs with virtual consoles, or virtual serial consoles, that can be accessed from the physical baseboard management controller of the physical host they reside on or via a Secure Shell (SSH) network connection. This allows remote configuration of the virtual guest operating system/machine, which in most cases is not logged or audited.

Access and Use of Configuration Ports

Configuration ports are often not connected to anything until they are needed, such as during a catastrophic failure. When configuration ports are not connected (the port is left open), access is achieved by connecting a computer to the configuration port, which requires the person connecting to the port to be physically present where the device resides.

More often, configuration ports are networked in some manner, with the network for these ports commonly referred to as an out-of-band or management network. This out-of-band network is typically segregated from the normal or production network for additional security due to the highly sensitive nature of configuration ports.

As noted above, configuration ports are used under a variety of operating conditions, including situations where the configuration port is the only accessible port on a device. This presents a problem for cyber security approaches that rely on normal networking to be active (this includes all locally installed agent software), because their security capabilities are disabled precisely under the conditions where access is likely to occur over the configuration port.

The key takeaways on access and use of configuration ports are:

1) Configuration ports either cannot or should not be disabled
2) Security over unconnected (non-networked) configuration ports is limited to physical security
3) Traditional cyber security approaches cannot secure configuration ports at all times
4) Access to configuration ports is not audited or logged
5) Authentication is often independent of the production methods, mostly because during an outage the production method of authentication may not be available

Severity of the Cyber Security Threat

A significant influence on the severity of the threat an access port presents to the Utility organization is the privileged capabilities the port presents to its user. Configuration ports present an extremely high set of privileges that can be used to change almost anything on the target device. This level of privilege is why access to configuration ports is often referred to as having the “keys to the kingdom.”

The list of severe security threats over configuration ports is impossible to fully document due to the range of privileged commands these ports provide to their users. Some of the more obvious threats are:

- communication ports can be changed or added
- data can be copied
- malware can be installed at multiple levels (BIOS, firmware, OS)
- user accounts and privileges can be added, changed or deleted
- device configuration can be changed
- ports are “discoverable”, making them targets for malicious actors

The simple fact is that configuration ports are an extremely high security issue that can be exploited under a variety of scenarios where other security technologies, techniques, and practices cannot detect an active exploit.

In addition, many baseboard management controllers now allow side-band access, which lets them be reached even when their dedicated port is not connected to anything. With side-band access, the baseboard management controller can use other TCP/IP ports on the device, enabling the baseboard management controller to be accessed even while its dedicated port remains unconnected.

This means that the threats identified above may remain in force even when the out-of-band network is in place and properly segregated from the production network (depending on the specifics of the baseboard management controller by vendor, and possibly its configuration). This also increases the risk of these ports being improperly secured, discovered, and compromised.

Best Practice Guidance

The best practice guidance for configuration ports is that they should be treated just like any other security concern with regard to active monitoring and control. The steps that should be taken include:

1) Ensure that all configuration ports are connected to an out-of-band or management-specific network
2) Segregate the out-of-band network from the normal or production network(s)
3) Institute role-based access and control over all configuration ports (restrict access, least privilege)
4) Encrypt communications to configuration ports (where supported by devices)
5) Use proper or multi-factor authentication to configuration ports
6) Persistently monitor all configuration ports to ensure all access meets the security policy
7) Log all access to configuration ports by each actor
8) Log all privileged user activity over configuration ports
9) Alert and ALARM on specific messages or events detected on the access port.
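As an added illustration of steps 3, 5, 7, 8 and 9 (example code written for this page, not the paper's own material or TDi's product), the following Python audits constructed out-of-band console access records against a role-based allowlist, requires multi-factor authentication, and flags privileged commands for alarming. The device names, user names and record format are hypothetical assumptions.

```python
import re
from typing import Dict, List, NamedTuple, Set, Tuple

class Access(NamedTuple):
    ts: str
    device: str
    user: str
    auth: str      # how the session authenticated: "mfa" or "password"
    command: str

# Constructed sample of out-of-band console access records (hypothetical
# devices, users and format, not real log data): time device user auth command
SAMPLE_LOG = """\
2011-06-01T02:14:05Z rtr-sub7-console jsmith mfa show running-config
2011-06-01T02:15:40Z rtr-sub7-console jsmith mfa copy tftp://update-host/image.bin flash:
2011-06-01T02:16:02Z bmc-hist01 contractor password user add svc-temp
2011-06-01T03:00:11Z bmc-hist01 ops-oncall mfa power status
"""

# Step 3: role-based access, which accounts may use which configuration port.
ALLOWED_USERS: Dict[str, Set[str]] = {
    "rtr-sub7-console": {"jsmith", "ops-oncall"},
    "bmc-hist01": {"ops-oncall"},
}

# Steps 8 and 9: privileged actions that deserve an alarm even from an
# authorised user (image/firmware loads, BIOS changes, account changes).
PRIVILEGED = [re.compile(p) for p in (
    r"^copy\b", r"^firmware\b", r"^bios\b", r"^user\s+(add|del)\b",
)]

def parse(line: str) -> Access:
    ts, device, user, auth, cmd = line.split(" ", 4)
    return Access(ts, device, user, auth, cmd)

def evaluate(rec: Access) -> List[str]:
    """Policy findings for one access record; an empty list means compliant."""
    findings = []
    if rec.user not in ALLOWED_USERS.get(rec.device, set()):
        findings.append("UNAUTHORISED_USER")
    if rec.auth != "mfa":                        # step 5: multi-factor required
        findings.append("NO_MFA")
    if any(p.search(rec.command) for p in PRIVILEGED):
        findings.append("PRIVILEGED_COMMAND")
    return findings

def audit(log_text: str) -> List[Tuple[Access, List[str]]]:
    """Step 7: every access stays in the audit trail, paired with its findings."""
    records = [parse(line) for line in log_text.splitlines() if line.strip()]
    return [(rec, evaluate(rec)) for rec in records]
```

Each record with a non-empty findings list is the event that step 9 would alert and alarm on.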

One reference that can help in assessing or designing a secure out-of-band network is available from the Defense Information Systems Agency:

http://iase.disa.mil/stigs/downloads/pdf/network_management_security_guidance_at-a-glance_v8r1.pdf

Various hardware and software solutions exist for managing the out-of-band network per the best practice guidance provided above. These solutions should be evaluated against existing security policies and, wherever possible, be capable of directly supporting them programmatically to limit the scope of manual policy enforcement.

About This Whitepaper

This whitepaper was written to help address a security vulnerability that is often overlooked and misunderstood in the Utility industry. The recommendations provided are believed to be accurate in their applicability and support for the DRAFT NERC-CIP-007-5 R1. The additional areas of the DRAFT NERC-CIP-xxx-5 standard that we will be discussing in upcoming whitepapers include: CIP-005, 007 (additional sections), 008, 010, and 011.

Full Disclosure

This whitepaper was written and produced by TDi Technologies, a software vendor that provides an out-of-band software solution to the Utility industry and other vertical markets. The information presented here represents our best understanding of the security issues associated with configuration ports, which is a problem area our company focuses on. The whitepaper is intended to provide useful and educational content that can assist Utility companies in providing secure, dependable power to our Nation without interruption.

Future Whitepapers

If you would like to receive additional whitepapers on NERC-CIP from us as they become available, please email us at [email protected].