NERC CIP Compliance: Defining your Electronic Security Perimeter (ESP) and Access Point Security
Date posted: 18-Dec-2015
Category: Documents
Transcript of "NERC CIP Compliance: Defining your Electronic Security Perimeter (ESP) and Access Point Security"
NERC CIP Compliance
Defining your Electronic Security Perimeter (ESP) and Access Point Security
Agenda
• Specific NERC CIP-005 Requirements
• Underlying fundamentals of the ESP architecture
• Building ESPs using Security Enclaves and DinD (defense in depth)
• Vulnerability Assessment Methodology
• Simple Principles
Disclaimer
CAUTION: Every environment is different; the material in this presentation must be correlated directly to your own situation and may not represent your corporate or architectural requirements.
ADVISORY: Education, consulting and compliance depend on correctly interpreting and conveying information, and that is a requirement for applying this content.
NERC CIP Compliance
Specific NERC CIP-005 Requirements
CIP-005-1 – Cyber Security – Electronic Security Perimeters: Requires the identification and protection of an Electronic Security Perimeter and its access points. The Electronic Security Perimeter is to encompass the Critical Cyber Assets identified pursuant to the methodology required by CIP-002-1.
Specific NERC CIP-005 Requirements
• Requirement 1 – Electronic Security Perimeter: define an ESP and its access points to protect Critical Cyber Assets
• Requirement 2 – Electronic Access Controls
  – Deny by default
  – Enable only required ports and services
  – Secure dial-up access
  – Documentation
  – Appropriate use banner
• Requirement 3 – Monitoring Electronic Access (covered in the SIEM presentation in two weeks)
• Requirement 4 – Cyber Vulnerability Assessment
• Requirement 5 – Documentation Review and Maintenance
• Monitor FERC Order 706 activity
Specific NERC CIP-005 Requirements
The following are exempt from Standard CIP-005:
• 4.2.1 Facilities regulated by the U.S. Nuclear Regulatory Commission or the Canadian Nuclear Safety Commission.
• 4.2.2 Cyber Assets associated with communication networks and data communication links between discrete Electronic Security Perimeters.
• 4.2.3 Responsible Entities that, in compliance with Standard CIP-002, identify that they have no Critical Cyber Assets.
NERC CIP Compliance
Underlying fundamentals of the ESP architecture
Architecting your ESP to provide the appropriate access control and monitoring capabilities
• Approach, controls, monitoring, assessment and documentation requirements are defined in CIP-005
• It is challenging to define an electronic perimeter around geographically dispersed systems that collect information and perform automated and manual control operations
• Organizations must think methodically about their approach and intrinsically understand the environment and the type of controls
• Define an ESP access point access control request, review and response workflow
• Define an appropriate trust model for your systems (enclaves)
• Ensure the adequacy of protection and the continued high availability of authorized access and control
Integrating ESP high availability identity management solutions
• Understand your organization's trust model based upon the enclave approach outlined in the methodology
  – Select your identity type, system and appropriate audit trail for each ESP enclave
  – Define the appropriate administrative and operational trusts for system access
  – Separate technical administrators, developers, system operators and general users
  – Correlate your physical and cyber identities as appropriate
  – Ensure identity integrity throughout the ESP
  – Define operational procedures to support high availability access to ensure safety
Control System Network Architecture
Figure: Traditional Isolation of Corporate and Control Domains
Source: Idaho National Laboratory, Control Systems Cyber Security: Defense in Depth Strategies (May, 2006)
Figure: Overview of Contemporary Control System Architectures
Source: Idaho National Laboratory, Control Systems Cyber Security: Defense in Depth Strategies (May, 2006)
Figure: Database Attack Vector
Source: Idaho National Laboratory, Control Systems Cyber Security: Defense in Depth Strategies (May, 2006)
Figure: Common Security Zones
Source: Idaho National Laboratory, Control Systems Cyber Security: Defense in Depth Strategies (May, 2006)
Figure: Firewall Deployment for Common Security Zones
Source: Idaho National Laboratory, Control Systems Cyber Security: Defense in Depth Strategies (May, 2006)
Figure: Defense in Depth with IDS
Source: Idaho National Laboratory, Control Systems Cyber Security: Defense in Depth Strategies (May, 2006)
Figure: Corporate IT to Control System IT Comparison
Source: Idaho National Laboratory, Control Systems Cyber Security: Defense in Depth Strategies (May, 2006)
NERC CIP Compliance
Building ESPs using Security Enclaves and DinD (defense in depth)
Definition: Security Enclaves
An enclave is, as defined in Department of Defense Directive (DoDD) 8500.1 E2.1.16.2, "the collection of computing environments connected by one or more internal networks under the control of a single authority and security policy, including personnel and physical security."
Terminology potpourri: security zones, demilitarized zones (DMZs), transactional zones
• Determine security controls and define system interactions
• Review NIST SP 800-53 r2 and NIST SP 800-82
Security Enclave Creation
Security enclaves provide layers of trusted systems that limit untrusted interactions.
Enclave creation can be based upon:
• Mission criticality
• Operational requirements
• Type of application
• System users
• Trusted versus untrusted interactions
Enclave Split – Services
Services are separated among enclaves (separation of duties):
• External DNS / internal DNS
• External mail / internal mail
• External web / internal web
• External authentication / internal authentication
• Split Active Directory domains
• Out-of-band management network
• Application proxy
Building Security Enclaves
Defined logical ESP access points with enterprise identity management and network-integrated firewalls and IDS
Figure: reference ESP enclave architecture (two diagrams, primary and secondary sites). Each shows a high availability virtualized architecture with Control Enclaves, Testing Enclaves and an ISO, Identity & Event Management Enclave inside the ESP; Remote VPN, Contractor, Identity Management and Uncontrolled ISO Enclaves and Office Desktop Systems outside it; a firewall and IDS/EDS at each access point; and generating / substation sites reached over a restricted WAN and site-to-site VPN across the WAN. Legend: ESP boundary, firewall, VPN, IDS/EDS.
Building Security Enclaves
Defining Ports and Services Access Rules
• Do you know who, how, why, where and when the system communicates across the network?
• Unknown communication between systems
  – Review levels of system trust for the need of an isolation station / proxy
  – Work with the application vendor to identify requirements
  – If necessary, enable connectivity in learning mode
• Known communication between systems
  – Review levels of system trust for the need of an isolation station / proxy
  – Define appropriate access rules
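The two slides above (CIP-005 Requirement 2, "deny by default, enable only required ports and services", and the learning-mode approach for unknown communication) can be expressed as a small rule engine. The following is an added example written for this transcript, not code from the presentation or from any firewall vendor: it models a deny-by-default access point as a list of explicit, justified allow rules, evaluates constructed flow records against it, and runs a learning-mode pass that groups the flows the rule set would deny into candidate rules, tagging those that cross from a lower-trust enclave toward a higher-trust one as needing an isolation station / proxy review before a rule is written. All enclave ranges, addresses, ports, flows and justification strings are constructed for illustration.

```python
"""Deny-by-default ESP access point rules plus a learning-mode pass.

Added example for this transcript, not code from the presentation. Every
enclave range, host address, port, flow record and justification string
below is constructed (hypothetical) for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class AllowRule:
    src_net: str          # CIDR of the originating enclave
    dst_net: str          # CIDR of the destination enclave
    proto: str
    dport: int
    justification: str    # CIP-005 R2: every enabled port/service is documented

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src_net)
                and ip_address(f.dst) in ip_network(self.dst_net)
                and f.proto == self.proto
                and f.dport == self.dport)


# Constructed enclaves: CIDR and relative trust level (higher = more trusted).
ENCLAVES = {
    "corporate":     ("10.20.0.0/24", 1),
    "historian_dmz": ("10.30.0.0/24", 2),
    "control":       ("10.10.0.0/24", 3),
}


def enclave_of(ip: str) -> str:
    """Map an address to its enclave name, or 'unknown' if it is in none."""
    for name, (cidr, _trust) in ENCLAVES.items():
        if ip_address(ip) in ip_network(cidr):
            return name
    return "unknown"


def evaluate(rules, flow: Flow) -> str:
    """Deny by default: only an explicit, justified allow rule permits a flow."""
    return "allow" if any(r.matches(flow) for r in rules) else "deny"


def learn_candidates(flows, rules):
    """Learning-mode pass over observed flows.

    Flows the current rule set would deny are grouped and counted by
    (source enclave, destination enclave, protocol, port). A group whose
    source is less trusted than its destination is tagged 'proxy-review'
    (isolation station / proxy decision needed first); any other group is a
    'rule-candidate' to confirm with the application vendor and document.
    """
    counts = Counter()
    for f in flows:
        if evaluate(rules, f) == "deny":
            counts[(enclave_of(f.src), enclave_of(f.dst), f.proto, f.dport)] += 1
    out = {}
    for (src_e, dst_e, proto, port), n in counts.items():
        src_t = ENCLAVES.get(src_e, ("", 0))[1]
        dst_t = ENCLAVES.get(dst_e, ("", 0))[1]
        tag = "proxy-review" if src_t < dst_t else "rule-candidate"
        out[(src_e, dst_e, proto, port)] = (n, tag)
    return out


# Constructed current rule set: two documented, approved flows.
KNOWN_RULES = [
    AllowRule("10.30.0.0/24", "10.10.0.0/24", "tcp", 502,
              "historian polls controller registers (Modbus/TCP)"),
    AllowRule("10.20.0.0/24", "10.30.0.0/24", "tcp", 443,
              "corporate users read historian reports over HTTPS"),
]

# Constructed flow records, as if captured while the access point ran in learning mode.
OBSERVED = [
    Flow("10.30.0.5", "10.10.0.20", "tcp", 502),
    Flow("10.30.0.5", "10.10.0.20", "tcp", 502),
    Flow("10.20.0.44", "10.30.0.5", "tcp", 443),
    Flow("10.30.0.5", "10.10.0.21", "udp", 161),    # SNMP polling, undocumented
    Flow("10.30.0.5", "10.10.0.21", "udp", 161),
    Flow("10.20.0.44", "10.10.0.20", "tcp", 3389),  # corporate RDP straight into control
    Flow("10.10.0.20", "10.30.0.5", "tcp", 8080),   # controller pushing data outward
]

if __name__ == "__main__":
    for f in OBSERVED:
        print(evaluate(KNOWN_RULES, f), f)
    for key, (n, tag) in learn_candidates(OBSERVED, KNOWN_RULES).items():
        print(f"{n:3d}x {key} -> {tag}")
```

The learning-mode output is a review queue, not a rule set: a candidate only becomes an AllowRule once its justification has been confirmed with the vendor and recorded, which is what keeps the documented rule base and the deployed access point in step.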
Defense in Depth Security Controls
• Layers of protection for Information and Control (I & C)
• Provides security against single or multiple points of failure
• Common to define network, client or control node, server and operational controls
Build Knowing The Attacks: "Man-in-the-Middle"
• The attacker reads, inserts and modifies information without either party being aware, at the physical, datalink, network, application or social layer
• Not an exhaustive list of attacks and controls
• What can happen?
  – Incorrect information is conveyed to the operator
  – Incorrect control settings are sent to the system
  – Control is completely taken over by the attacker
Defense in Depth : Network Information and Control (I & C)
• Touchpoints should:
  – Be limited to the absolute minimum at which the purpose of the application can still be satisfied
  – Provide limitations for trusted and untrusted access
• Note: this is not an exhaustive list of defense in depth solutions
Figure: network I & C defense in depth layers: encrypted and integrity checked traffic; traffic access control; intrusion detection and prevention; network authentication / authorization; application proxy
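The man-in-the-middle slide lists "incorrect control settings are sent to the system" and "control is completely taken over by the attacker" as outcomes, and the layer list above names "encrypted and integrity checked traffic" as the network-level answer. The following added example, written for this transcript and not taken from the presentation or from any vendor's control protocol, shows the integrity half of that control on a constructed message format: the sender appends an HMAC-SHA256 tag over a JSON body carrying a sequence number and the command, and the receiver refuses a message whose tag does not verify (the on-path attacker rewrote a setpoint) or whose sequence number does not advance (the attacker replays a previously valid command). The key, point name, setpoint values and the message layout are all constructed for illustration; encryption of the body and key management are deliberately out of scope here.

```python
"""Integrity-checked control traffic against a man-in-the-middle.

Added example for this transcript, not code from the presentation or any
vendor protocol. The message format (JSON body with a sequence number plus
an HMAC-SHA256 tag), the key, the point name and the setpoint values are all
constructed for illustration.
"""
import hashlib
import hmac
import json

TAG_LEN = 32  # bytes of HMAC-SHA256 appended to every message


def protect(key: bytes, seq: int, command: dict) -> bytes:
    """Sender side: serialize (seq, command) canonically and append an HMAC tag."""
    body = json.dumps({"seq": seq, "cmd": command}, sort_keys=True,
                      separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def verify(key: bytes, wire: bytes, last_seq: int):
    """Receiver side: return (seq, command) or raise ValueError.

    Rejects any message whose tag does not verify (modified or forged body)
    and any message whose sequence number is not strictly greater than the
    last accepted one (replay of an earlier, genuinely signed command).
    """
    if len(wire) <= TAG_LEN:
        raise ValueError("truncated message")
    body, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("integrity check failed")
    msg = json.loads(body)
    if msg["seq"] <= last_seq:
        raise ValueError("replayed or out-of-order sequence number")
    return msg["seq"], msg["cmd"]


def mitm_rewrite(wire: bytes, old: bytes, new: bytes) -> bytes:
    """On-path attacker without the key: edit the body bytes, keep the old tag."""
    body, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    return body.replace(old, new) + tag


def run_scenario(key: bytes) -> dict:
    """Genuine command, a tampered copy, and a replay; returns the receiver's verdicts."""
    results = {}
    last_seq = 0
    wire = protect(key, 1, {"point": "BRK-101", "op": "setpoint", "value": 60})

    last_seq, cmd = verify(key, wire, last_seq)          # accepted, seq is now 1
    results["genuine"] = cmd["value"]

    tampered = mitm_rewrite(wire, b'"value":60', b'"value":0')
    try:
        verify(key, tampered, 0)                         # seq would be fresh; tag is not
        results["tampered"] = "accepted"
    except ValueError as e:
        results["tampered"] = str(e)

    try:
        verify(key, wire, last_seq)                      # same valid bytes sent again
        results["replay"] = "accepted"
    except ValueError as e:
        results["replay"] = str(e)
    return results


if __name__ == "__main__":
    print(run_scenario(b"constructed-demo-key-do-not-reuse"))
```

The tag covers the sequence number as well as the command, so the attacker can neither alter the setpoint nor renumber an old message to slip it past the replay check; what the tag does not provide is confidentiality, which is why the slide pairs integrity checking with encryption.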
Defense in Depth : EMS / Operator Connectivity
• EMS enclave
• Separate development and quality assurance enclaves
• An islanded architecture with dedicated infrastructure is acceptable
• Note: this is not an exhaustive list of defense in depth solutions
Figure: EMS / operator I & C defense in depth layers: event monitoring; separate EMS enclaves for PDS and QAS; workstation dual homed / EMS direct connection; unique operator login; DHCP snooping / port security / DNS host files
Operational Workflow for Managing ESP/PSP Access Requests and Approvals
• Same workflow for both physical and cyber access
• Defines the approval process for creation and modification of access and for revocation of rights
NERC CIP Compliance
Defining your ESP Vulnerability Assessment Methodology
Defining an ESP Vulnerability Assessment Methodology appropriate for the bulk electric system
The ESP Vulnerability Assessment Methodology considers the threat, the cyber asset, adversary type, known vulnerabilities and the consequences of an adversarial success to arrive at a relative risk level and appropriate response. Automated and manual vulnerability analysis is performed by the IT Security department, and the FERC/NERC Compliance departments to identify both effective and ineffective security controls. The results of the assessment are then provided to the FERC/NERC Compliance Director. The results are reviewed and appropriate countermeasures are identified, developed, applied in a test environment, reviewed for acceptance and propagated to production. The methodology is reapplied to determine the relative risk reduction achieved. This iterative process is continued until the most appropriate method for reducing risk to an acceptable level is identified and approved by the FERC/NERC Compliance Director.
Performing a Vulnerability Assessment within and against your ESP
• Defined in CIP-005 Requirement 4 and CIP-007 Requirements 3 and 8
• Typically, tests are not performed against live systems; the risk is substantial
• Ensure the accuracy of the system state against your change management system
• Define the appropriate personnel for risk acceptance and mitigation procedures
• Create an appropriate set of procedures to:
  – Adequately test the response of the system and its associated controls
  – Migrate the modifications through staging
  – Provide an appropriate rollback structure
Selecting Vulnerability Management Solutions
Review vulnerability management solutions for the following requirements:
• Ability to generate audit trails and appropriate reports, and integration with your situational awareness software
• Breadth of supported capabilities to validate the networks, applications and operating systems in your environment
• Ability to operate in an Internet-isolated environment, leveraging a proxy solution
• Interoperation with NIST or CISecurity.org baseline criteria definitions
• Support agreement and associated service level capabilities
• Incremental patch deployment to categorically identified systems and applications on a schedulable basis
• Support for the appropriate trust model for your organization's access control model
• High level of assurance of the system's accuracy and efficiency for your environment
Vulnerability Assessment Process
• Network tests
  – Remote / local scanning using GFI LANguard, Nessus and Harris STAT
  – Remote / local penetration testing using BackTrack 2 tools with Metasploit 3
• Local tests
  – CISecurity.org assessment scoring tools
  – Reviewing new NIST SCAP vendors (part of the Federal Desktop initiative)
Responding to results from your vulnerability assessment
• Do not panic; however, review high risk results immediately and identify whether other defense in depth controls provide protection
• Vulnerability assessments should be a dialogue between the audit team and the systems personnel
• Appropriately document, notify the vendor for resolution, and receive and validate the update using the patch testing methodology created under CIP-007 Requirement 3
NERC CIP Compliance
Simple Principles to reflect upon while architecting
Simple Principles
• Isolationism provides protection: the more isolated an environment is from others, the greater the success of physical and logical security controls in assuring continuously accurate information and control
Simple Principles
• Your conversations will be eavesdropped upon: any verbal, paper or electronic conversation can be monitored; you must accept this and utilize the appropriate protective controls to limit your risk
• Assets will be physically stolen or lost: physical assets, physical assets storing electronic information, and electronic assets will be stolen or lost
  – You must limit the impact of any theft of information
Simple Principles
• Build with a moat (control): separate trust levels / security enclaves, and understand how the moat (control) works
• Or build with nightingale floors*
* Nijo Castle, Kyoto, Japan
Simple Principles
• Vulnerabilities are the gateways through which threats manifest themselves
• Threats exist: hackers, corporations, nation states
Figure: triangle relating RISK, VULNERABILITY, THREAT and MISSION
Risk Assessment Relationship (based upon ISO/IEC 15408, Common Criteria)
The slide's diagram links the concepts as follows:
• Owners value Assets and wish to minimize Risk
• Owners impose Countermeasures to reduce Risk
• Owners may be aware of Vulnerabilities that may be reduced by Countermeasures; Countermeasures may themselves possess Vulnerabilities
• Threat agents give rise to Threats that exploit Vulnerabilities, leading to Risk
• Threats increase Risk to Assets
• Threat agents wish to abuse or damage Assets
Simple Principles
• Security or risk mitigation controls must be well understood to be properly used
  – A detailed understanding of the category of the control: directive, preventive, compensating, detective, corrective