NERC CIP Compliance

Defining your Electronic Security Perimeter (ESP) and Access Point Security

Transcript of NERC CIP Compliance

Page 1: NERC CIP Compliance

NERC CIP Compliance

Defining your Electronic Security Perimeter (ESP) and Access Point Security

Page 2: NERC CIP Compliance

Agenda

• Specific NERC CIP-005 Requirements
• Underlying fundamentals of the ESP architecture
• Building ESPs using Security Enclaves and DinD
• Vulnerability Assessment Methodology
• Simple Principles

Page 3: NERC CIP Compliance

Disclaimer

CAUTION: Every environment is different and the material must be mapped directly onto your own. The material in this presentation may not match your corporate or architectural requirements.

ADVISORY: Education, consulting and compliance all depend on correctly interpreting and conveying information; the same requirement applies to this content.

Page 4: NERC CIP Compliance

NERC CIP Compliance

Specific NERC CIP-005 Requirements

Page 5: NERC CIP Compliance

Specific NERC CIP-005 Requirements

CIP-005-1 – Cyber Security – Electronic Security Perimeters: requires the identification and protection of an Electronic Security Perimeter and its access points. The Electronic Security Perimeter is to encompass the Critical Cyber Assets identified pursuant to the methodology required by CIP-002-1.

Page 6: NERC CIP Compliance

Specific NERC CIP-005 Requirements

Requirement 1 - Electronic Security Perimeter: define an ESP and its access points to protect Critical Cyber Assets

Requirement 2 - Electronic Access Controls
• Deny by default
• Enable only required ports and services
• Securing dial-up access
• Documentation
• Appropriate Use Banner

Requirement 3 - Monitoring Electronic Access (covered in the SIEM presentation in two weeks)

Requirement 4 - Cyber Vulnerability Assessment

Requirement 5 - Documentation Review and Maintenance

Monitor FERC Order 706 activity

Page 7: NERC CIP Compliance

Specific NERC CIP-005 Requirements

The following are exempt from Standard CIP-005:
• 4.2.1 Facilities regulated by the U.S. Nuclear Regulatory Commission or the Canadian Nuclear Safety Commission.
• 4.2.2 Cyber Assets associated with communication networks and data communication links between discrete Electronic Security Perimeters.
• 4.2.3 Responsible Entities that, in compliance with Standard CIP-002, identify that they have no Critical Cyber Assets.

Page 8: NERC CIP Compliance

NERC CIP Compliance

Underlying fundamentals of the ESP architecture

Page 9: NERC CIP Compliance

Architecting your ESP to provide the appropriate access control and monitoring capabilities

• Approach, controls, monitoring, assessment and documentation requirements are defined in CIP-005
• It is challenging to define an electronic perimeter around geographically dispersed systems that collect information and perform automated and manual control operations
• Organizations must think methodically about their approach and understand the environment and the type of controls in depth
• Define an ESP access point access-control request, review and response workflow
• Define an appropriate trust model for your systems (enclaves)
• Ensure the adequacy of protection and the continued high availability of authorized access and control

Page 10: NERC CIP Compliance

Integrating ESP high availability identity management solutions

Understand your organization's trust model based upon the enclave approach outlined in the methodology:
• Select your identity type, system and appropriate audit trail for each ESP enclave
• Define the appropriate administrative and operational trusts for system access
• Separate technical administrators, developers, system operators and general users
• Correlate your physical and cyber identities as appropriate
• Ensure identity integrity throughout the ESP
• Define operational procedures to support high availability access to ensure safety

Page 11: NERC CIP Compliance

Control System Network Architecture

Page 12: NERC CIP Compliance

Traditional Isolation of Corporate and Control Domains

Source: Idaho National Laboratory, Control Systems Cyber Security: Defense in Depth Strategies (May, 2006)

Page 13: NERC CIP Compliance

Overview of Contemporary Control System Architectures

Source: Idaho National Laboratory, Control Systems Cyber Security: Defense in Depth Strategies (May, 2006)

Page 14: NERC CIP Compliance

Database Attack Vector

Source: Idaho National Laboratory, Control Systems Cyber Security: Defense in Depth Strategies (May, 2006)

Page 15: NERC CIP Compliance

Common Security Zones

Source: Idaho National Laboratory, Control Systems Cyber Security: Defense in Depth Strategies (May, 2006)

Page 16: NERC CIP Compliance

Firewall Deployment for Common Security Zones

Source: Idaho National Laboratory, Control Systems Cyber Security: Defense in Depth Strategies (May, 2006)

Page 17: NERC CIP Compliance

Defense in Depth with IDS

Source: Idaho National Laboratory, Control Systems Cyber Security: Defense in Depth Strategies (May, 2006)

Page 18: NERC CIP Compliance

Corporate IT to Control System IT Comparison

Source: Idaho National Laboratory, Control Systems Cyber Security: Defense in Depth Strategies (May, 2006)

Page 19: NERC CIP Compliance

NERC CIP Compliance

Building ESPs using Security Enclaves and DinD

Page 20: NERC CIP Compliance

Definition: Security Enclaves

An enclave is, as defined in the Department of Defense Directive (DoDD ) 8500.1 E2.1.16.2, “the collection of computing environments connected by one or more internal networks under the control of a single authority and security policy, including personnel and physical security.“

Terminology potpourri:
• Security Zones
• DeMilitarized Zones
• Transactional Zones

Determine security controls and define system interactions

Review NIST SP 800-53 r2; 800-82

Page 21: NERC CIP Compliance

Security Enclave Creation

Security enclaves provide the layers of trusted systems which limit untrusted interactions.

Enclave creation can be based upon:
• Mission criticality
• Operational requirements
• Type of application
• System users
• Trusted versus untrusted interactions

Page 22: NERC CIP Compliance

Enclave Split - Services

Services are separated among enclaves (separation of duties):
• External DNS / Internal DNS
• External Mail / Internal Mail
• External Web / Internal Web
• External Authentication / Internal Authentication
• Split Active Directory domains
• Out-of-band management network
• Application proxy

Page 23: NERC CIP Compliance

Building Security Enclaves

Defined logical ESP access points with enterprise identity management and network integrated firewalls and IDS

[Diagram: ESP built from security enclaves. Elements shown: High Availability Virtualized Architecture; IDS/EDS; Remote VPN, Contractor, Identity Mgmt and Uncontrolled ISO Enclaves; Office Desktop Systems; Testing Enclaves; Control Enclave; ISO, Identity & Event Mgmt Enclaves; Site-to-Site VPN; Restricted WAN. Legend: ESP, Firewall.]

Page 24: NERC CIP Compliance

Building Security Enclaves

[Diagram: primary and secondary sites joined across the WAN by VPN. Each site runs a High Availability Virtualized Architecture with IDS/EDS, Generating / Sub Station Control Enclaves, a Testing Enclave, an ISO Enclave, and Remote VPN, Contractor and Uncontrolled ISO Enclaves alongside Office Systems. Legend: ESP, Firewall, VPN.]

Page 25: NERC CIP Compliance

Defining Ports and Services Access Rules

• Do you know who, how, why, where and when the system communicates across the network?

• Unknown communication between systems
  – Review levels of system trust for the need of an isolation station / proxy
  – Work with the application vendor to identify requirements
  – If necessary, enable connectivity in learning mode

• Known communication between systems
  – Review levels of system trust for the need of an isolation station / proxy
  – Define appropriate access rules
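The learning-mode review and the deny-by-default rule definition described on this slide, as an added Python example that is not part of the presentation. The enclave address ranges, the documented flows with their justifications, the flow-log lines and the log format (src dst proto dport) are all constructed for illustration; every flow the access point logged that no documented rule covers is what goes back to the vendor and the trust review before a rule is written.

```python
"""Deny-by-default ESP access point rules with a learning-mode review pass.

Added example, not from the presentation. Enclave address ranges, the
documented flows and the flow-log lines below are constructed; the log
format (src dst proto dport) is hypothetical.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed enclave address ranges. "control" is inside the ESP.
ENCLAVES = {
    "office":  ipaddress.ip_network("10.10.0.0/16"),
    "testing": ipaddress.ip_network("10.20.0.0/16"),
    "iso":     ipaddress.ip_network("10.30.0.0/24"),
    "control": ipaddress.ip_network("172.16.0.0/16"),
}


@dataclass(frozen=True)
class Rule:
    src: str     # source enclave name
    dst: str     # destination enclave name
    proto: str   # "tcp" or "udp"
    port: int    # destination port
    reason: str  # CIP-005 R2 documentation: why the port/service is required


# Only ports and services with a documented, vendor-confirmed need are enabled.
ALLOWED: List[Rule] = [
    Rule("iso", "control", "tcp", 102, "ICCP/TASE.2 exchange with the ISO (hypothetical)"),
    Rule("control", "iso", "tcp", 102, "ICCP/TASE.2 return path (hypothetical)"),
    Rule("office", "control", "tcp", 443, "read-only historian view via application proxy (hypothetical)"),
]


def enclave_of(addr: str) -> Optional[str]:
    """Map an address to the enclave containing it, or None if it is in no enclave."""
    ip = ipaddress.ip_address(addr)
    for name, net in ENCLAVES.items():
        if ip in net:
            return name
    return None


def parse_flow(line: str) -> Tuple[str, str, str, int]:
    src, dst, proto, dport = line.split()
    return src, dst, proto.lower(), int(dport)


def evaluate(line: str) -> Tuple[str, Optional[Rule]]:
    """Return ("permit", rule) for a documented flow; anything else falls through to deny."""
    src, dst, proto, port = parse_flow(line)
    s, d = enclave_of(src), enclave_of(dst)
    if s is None or d is None:
        return "unknown-host", None   # address outside every enclave: investigate
    for rule in ALLOWED:
        if (rule.src, rule.dst, rule.proto, rule.port) == (s, d, proto, port):
            return "permit", rule
    return "deny", None               # CIP-005 R2.1: deny by default


def review_learning_log(lines: List[str]) -> Dict[Tuple[str, str, str, int], int]:
    """Learning-mode review: count the flows that no documented rule covers.

    Keys are (src enclave or address, dst enclave or address, proto, port).
    """
    unknown: Dict[Tuple[str, str, str, int], int] = {}
    for line in lines:
        if evaluate(line)[0] == "permit":
            continue
        src, dst, proto, port = parse_flow(line)
        key = (enclave_of(src) or src, enclave_of(dst) or dst, proto, port)
        unknown[key] = unknown.get(key, 0) + 1
    return unknown


def render_ruleset() -> List[str]:
    """Rules in the order an access point applies them, ending in an explicit deny-all."""
    out = [
        f"permit {r.proto} {ENCLAVES[r.src]} -> {ENCLAVES[r.dst]} dport {r.port}  # {r.reason}"
        for r in ALLOWED
    ]
    out.append("deny any -> any  # CIP-005 R2.1: deny by default")
    return out


# Constructed learning-mode log: the access point permitted and logged everything.
LEARNING_LOG = [
    "10.30.0.5 172.16.1.10 tcp 102",
    "10.10.4.22 172.16.1.10 tcp 443",
    "10.10.4.22 172.16.1.10 tcp 445",  # SMB from the office into the ESP: no documented need
    "10.10.4.22 172.16.1.10 tcp 445",
    "10.20.7.1 172.16.2.30 udp 161",   # SNMP from testing into control: confirm with the vendor
    "192.0.2.9 172.16.1.10 tcp 22",    # source address belongs to no enclave
]

if __name__ == "__main__":
    for entry in render_ruleset():
        print(entry)
    for key, count in sorted(review_learning_log(LEARNING_LOG).items()):
        print("REVIEW", key, f"seen {count}x")
```

Running the script prints the permit rules followed by the final deny, then the three flow classes that need a decision (office to control on TCP 445, testing to control on UDP 161, and the out-of-enclave source). Each reviewed flow either becomes a new documented `Rule` with a justification or stays blocked; nothing is permitted merely because it was observed.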

Page 26: NERC CIP Compliance

Defense in Depth Security Controls

• Layers of Protection for Information and Control (I & C)

• Provides security against a single or multiple points of failure

• Common to define Network, Client or Control Node, Server and Operational controls

Page 27: NERC CIP Compliance

Build Knowing The Attacks: "Man-in-the-Middle"

• Attacker reads, inserts and modifies information without either party being aware
  – Physical Layer
  – Datalink Layer
  – Network Layer
  – Application Layer
  – Social Layer

• Not an exhaustive list of attacks and controls

• What can happen?
  – Incorrect information is conveyed to the operator
  – Incorrect control settings are sent to the system
  – Control is completely taken over by the attacker

Page 28: NERC CIP Compliance

Defense in Depth: Network Information and Control (I & C)

● Touchpoints should:
  – Be limited to the absolute minimum at which the purpose of the application may still be satisfied
  – Provide limitations for trusted and untrusted access

● Note: This is not an exhaustive list of Defense in Depth solutions

[Diagram: layered network controls around I & C: encrypted and integrity checked traffic; traffic access control; intrusion detection and prevention; network authentication / authorization; application proxy.]
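The "encrypted and integrity checked traffic" control on this slide, set against the man-in-the-middle outcomes listed on the previous one (incorrect settings sent to the system, replayed commands), as an added Python example that is not part of the presentation. The frame layout, the point name, the values and the shared key are all constructed; HMAC-SHA256 over the frame plus a strictly increasing sequence number gives integrity and replay detection at the application layer, while confidentiality still has to come from the VPN or TLS tunnel the link runs inside.

```python
"""Integrity-checked control messages: detecting man-in-the-middle modification.

Added example, not from the presentation. Frame layout, point names, values
and the shared key are constructed. HMAC-SHA256 over the frame plus a
monotonically increasing sequence number detects modification, forgery and
replay; it does not hide the contents, which is the job of the encrypted tunnel.
"""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Constructed key; in practice provisioned per link and rotated out of band.
KEY = b"example-shared-key-provisioned-out-of-band"
TAG_LEN = 32  # SHA-256 digest length


def build_message(seq: int, point: str, value: float) -> bytes:
    """Frame: seq (4 bytes) | name length (1) | point name | value (8, double) | HMAC tag (32)."""
    name = point.encode("ascii")
    body = struct.pack("!IB", seq, len(name)) + name + struct.pack("!d", value)
    tag = hmac.new(KEY, body, hashlib.sha256).digest()
    return body + tag


class Receiver:
    """Verifies the tag before parsing, then enforces strictly increasing sequence numbers."""

    def __init__(self) -> None:
        self.last_seq = -1

    def accept(self, frame: bytes) -> Optional[Tuple[int, str, float]]:
        if len(frame) < 4 + 1 + 8 + TAG_LEN:
            return None                       # truncated frame
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                       # modified in transit or forged
        seq, name_len = struct.unpack("!IB", body[:5])
        if len(body) != 5 + name_len + 8:
            return None                       # tag valid but layout inconsistent
        point = body[5:5 + name_len].decode("ascii")
        (value,) = struct.unpack("!d", body[5 + name_len:])
        if seq <= self.last_seq:
            return None                       # replayed or re-ordered frame
        self.last_seq = seq
        return seq, point, value


def mitm_modify_value(frame: bytes, new_value: float) -> bytes:
    """What an attacker between the parties can do: rewrite the setpoint bytes.

    Without the key they cannot recompute the tag, so the receiver rejects the frame.
    """
    name_len = frame[4]
    start = 5 + name_len
    return frame[:start] + struct.pack("!d", new_value) + frame[start + 8:]


if __name__ == "__main__":
    rx = Receiver()
    genuine = build_message(1, "BRKR-101/SETPOINT", 60.0)   # constructed point and value
    print("genuine  ->", rx.accept(genuine))
    tampered = mitm_modify_value(build_message(2, "BRKR-101/SETPOINT", 60.0), 0.0)
    print("tampered ->", rx.accept(tampered))
    print("replayed ->", rx.accept(genuine))
```

The receiver checks the tag with a constant-time comparison before it parses anything, so a tampered frame never reaches the parser, and the sequence check means a captured genuine command cannot be resent later. A rejected frame is also an event worth feeding to the monitoring required under CIP-005 R3.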

Page 29: NERC CIP Compliance

Defense in Depth: EMS / Operator Connectivity

[Diagram: layered controls around I & C: event monitoring; separate EMS enclaves for PDS and QAS; workstation dual-homed / EMS direct connection; unique operator login; DHCP snooping / port security / DNS host files.]

● EMS Enclave
● Separate development and quality assurance enclaves
● An islanded architecture with dedicated infrastructure is acceptable
● Note: This is not an exhaustive list of Defense in Depth solutions

Page 30: NERC CIP Compliance

Operational Workflow for Managing ESP/PSP Access Requests and Approvals

• Same workflow for both physical and cyber access
• Defines the approval process for creation/modification of access and revocation of rights

Page 31: NERC CIP Compliance

NERC CIP Compliance

Defining your ESP Vulnerability Assessment Methodology

Page 32: NERC CIP Compliance

Defining an ESP Vulnerability Assessment Methodology appropriate for the bulk electric system

The ESP Vulnerability Assessment Methodology considers the threat, the cyber asset, adversary type, known vulnerabilities and the consequences of an adversarial success to arrive at a relative risk level and appropriate response. Automated and manual vulnerability analysis is performed by the IT Security department, and the FERC/NERC Compliance departments to identify both effective and ineffective security controls. The results of the assessment are then provided to the FERC/NERC Compliance Director. The results are reviewed and appropriate countermeasures are identified, developed, applied in a test environment, reviewed for acceptance and propagated to production. The methodology is reapplied to determine the relative risk reduction achieved. This iterative process is continued until the most appropriate method for reducing risk to an acceptable level is identified and approved by the FERC/NERC Compliance Director.

Page 33: NERC CIP Compliance

Performing a Vulnerability Assessment within and against your ESP

• Defined in CIP-005 Requirement 4 and CIP-007 Requirements 3 and 8
• Typically do not perform tests against live systems: the risk is substantial
• Ensure the accuracy of the recorded system state in your change management system
• Define the appropriate personnel for risk acceptance and mitigation procedures
• Create an appropriate set of procedures to:
  – adequately test the response of the system and the associated controls
  – migrate the modifications through staging
  – provide an appropriate rollback structure

Page 34: NERC CIP Compliance

Selecting Vulnerability Management Solutions

Review vulnerability management solutions for the following requirements:
• Ability to generate audit trails and appropriate reports / integration with your situational awareness software
• Breadth of supported capabilities to validate the networks, applications and operating systems in your environment
• Ability to operate in an *Internet isolated* environment leveraging a proxy solution
• Interoperate with NIST or CISecurity.org baseline criteria definitions
• Support agreement and associated service level capabilities
• Incremental patch deployment to categorically identified systems and applications on a schedulable basis
• Supports the appropriate trust model for your organization's access control model
• High level of assurance of the system's accuracy and efficiency for your environment

Page 35: NERC CIP Compliance

Vulnerability Assessment Process

Network Tests
• Remote / Local scanning using GFI LANguard, Nessus and Harris STAT
• Remote / Local penetration testing using BackTrack 2 tools with Metasploit 3

Local Tests
• CISecurity.org Assessment Scoring Tools
• Reviewing new NIST SCAP vendors (part of the Federal Desktop initiative)

Page 36: NERC CIP Compliance

Responding to results from your vulnerability assessment

• Do not PANIC; however, review high risk results immediately and identify whether other defense in depth controls provide protection
• Vulnerability assessments should be a dialogue between the audit team and the systems personnel
• Appropriately document, notify the vendor for resolution and receive the update, then validate it using the patch testing methodology created under CIP-007 Requirement 3

Page 37: NERC CIP Compliance

NERC CIP Compliance

Simple Principles to reflect upon while architecting

Page 38: NERC CIP Compliance

Simple Principles

Isolationism provides protection: the more isolated an environment is from others, the greater the success of physical and logical security controls in assuring continuously accurate information and control

Page 39: NERC CIP Compliance

Simple Principles

• Your conversations will be eavesdropped upon
  – Any verbal, paper or electronic conversation can be monitored; you must accept this and utilize the appropriate protective controls to limit your risk

• Assets will be physically stolen or lost
  – Physical assets, physical assets storing electronic information and electronic assets will be stolen or lost
  – You must limit the impact of any theft of information


Page 41: NERC CIP Compliance

Simple Principles

• Build with a moat (control)
  – Separate trust levels / Security Enclaves
  – Understand how the moat (control) works

• (or) Build with Nightingale Floors* (*Nijo Castle, Kyoto, Japan)

Page 42: NERC CIP Compliance

Simple Principles

• Vulnerabilities are the gateways through which threats manifest themselves
• Threats exist: hackers, corporations, nation states

[Diagram: RISK at the intersection of THREAT, VULNERABILITY and MISSION]

Page 43: NERC CIP Compliance

Risk Assessment Relationship

[Diagram: Owners value Assets and wish to minimize Risk; Owners impose Countermeasures to reduce Risk; Countermeasures may themselves possess Vulnerabilities, and Vulnerabilities may be reduced by Countermeasures; Owners may be aware of Vulnerabilities; Threat agents give rise to Threats that exploit Vulnerabilities; Vulnerabilities lead to Risk; Threats increase Risk to Assets; Threat agents wish to abuse or damage Assets.]

Based upon ISO/IEC 15408 (Common Criteria)

Page 44: NERC CIP Compliance

Simple Principles

Security or risk mitigation controls must be well understood to be properly used: this requires a detailed understanding of the category of the control
• Directive
• Preventive
• Compensating
• Detective
• Corrective