CIP-005-5 Lessons Learned CIPUG
January 29, 2015, Anaheim, CA
Morgan King
CISSP-ISSAP, CISA
Senior Compliance Auditor, Cyber Security
W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L
Lessons Learned
• External Routable Connectivity
• Interactive Remote Access
• Mixed Trust Authentication Environments
• Intrusion Detection Systems at the EAP
• Virtualization
  – Network
  – Server
  – SAN
External Routable Connectivity Lesson Learned Purpose
• In the application of the CIP v5 standards to Medium Impact BES Cyber Systems, where serial-to-IP converters are used in the communication path, can the standards be applied such that serial devices either have, or do not have, External Routable Connectivity?
If External Routable Connectivity
• CIP-004-7, All requirements
• CIP-005-5, R1.2, R2.1, R2.2, R2.3
• CIP-006-6, All requirements except R1.1
• CIP-007-7, R1.1, R4.2, R5.1, R5.3, R5.6
Classification of BES Cyber Systems
• External Routable Connectivity
• Electronic Security Perimeter
• Electronic Access Control or Monitoring Systems
• High Impact BES Cyber Systems with External Routable Connectivity
• Medium Impact BES Cyber Systems with External Routable Connectivity
ERC Defined
• “The ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection.”
‘Access’
• Medium Impact BES Cyber Systems with External Routable Connectivity – Only applies to medium impact BES Cyber Systems with External Routable Connectivity. This also excludes Cyber Assets in the BES Cyber Systems that cannot be directly accessed through External Routable Connectivity.
‘Its Associated’
• Can a serially connected BES Cyber Asset with no Electronic Security Perimeter, based on connectivity, still be considered logically associated with an Electronic Security Perimeter?
‘Via’/Uses a routable protocol
Serial Connections
• Pure serial connections, i.e. ones that do not transit via IP at any point, are out of scope for this discussion.
No External Routable Connectivity?
External Routable Connectivity
• Scenario #1 – Cyber Assets that are connected by a simple serial-to-IP conversion that in essence extends non-routable communication through the use of serial-to-IP conversion.
• Scenario #2 – a “break” in the ERC communication that would exclude serially connected devices from having ERC, but require the serial-to-IP converter to be designated as an Electronic Access Control or Monitoring System (EACMS).
MI BES Cyber System with ERC
MI BES Cyber System without ERC
Cyber Asset at a Control Center
• CIP-007, Requirement R1, Part 1.2 – Protect the physical ports on the BES Cyber Systems
• CIP-007, Requirement R4, Part 4.3 – Retain access logs for 90 days
• CIP-007, Requirement R5, Part 5.3 – Authenticate interactive user access
• CIP-007, Requirement R5, Part 5.7 – Limit unsuccessful authentication attempts or generate alerts after a threshold of unsuccessful authentication attempts
ERC Considerations
• Is the BES Cyber System accessible to or from Cyber Assets outside of the BES Cyber System Network?
• Do data protocols, whether or not they are themselves routable, transit via routable protocols at any point between the end device (Protection Relay, RTU, etc…) and the remote Cyber Asset?
• Would the misuse or disruption of those routable protocols or BES Cyber Assets have an adverse impact on the BES within 15 minutes?
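The three considerations above, applied to the slide's Scenario #1 and Scenario #2 serial-to-IP paths, as an added example that is not part of the WECC deck; the path model, device names and sample paths are constructed assumptions, and the requirement list is the one from the "If External Routable Connectivity" slide.

```python
from dataclasses import dataclass

# Added example (not from the WECC deck): the ERC slide's two serial-to-IP
# scenarios walked through the three ERC considerations. Device names and
# the path model are constructed assumptions.
@dataclass
class Segment:
    device: str
    routable: bool             # this leg carries a routable (IP) protocol
    bidirectional: bool = True # ERC needs a bi-directional connection
    erc_break: bool = False    # EACMS that "breaks" ERC (Scenario #2 converter)

@dataclass
class Path:
    end_device: str                   # protection relay, RTU, etc.
    remote_outside_bcs_network: bool  # consideration 1
    segments: list                    # ordered from the end device outward
    adverse_impact_15_min: bool       # consideration 3

# Requirements listed on the "If External Routable Connectivity" slide.
ERC_REQUIREMENTS = {"CIP-004-7": "All requirements",
                    "CIP-005-5": "R1.2, R2.1, R2.2, R2.3",
                    "CIP-006-6": "All requirements except R1.1",
                    "CIP-007-7": "R1.1, R4.2, R5.1, R5.3, R5.6"}

def has_erc(path):
    """Consideration 2: does a bi-directional routable protocol reach the end device?"""
    if not (path.remote_outside_bcs_network and path.adverse_impact_15_min):
        return False
    for seg in path.segments:   # walk from the end device toward the remote asset
        if seg.erc_break or not seg.bidirectional:
            return False        # the routable reach stops here
        if seg.routable:
            return True         # serial-to-IP conversion just extends the reach
    return False                # pure serial end to end: out of scope

def classify(path):
    """ERC status of the end device, EACMS designations and applicable requirements."""
    erc = has_erc(path)
    return {"end_device": path.end_device, "erc": erc,
            "eacms": [s.device for s in path.segments if s.erc_break],
            "requirements": ERC_REQUIREMENTS if erc else {}}

# Constructed paths for the slide's Scenario #1 and Scenario #2.
SCENARIO_1 = Path("relay-A", True, [Segment("relay serial port", False),
                  Segment("serial-to-IP converter", True), Segment("WAN router", True)], True)
SCENARIO_2 = Path("relay-B", True, [Segment("relay serial port", False),
                  Segment("serial-to-IP converter", True, erc_break=True), Segment("WAN router", True)], True)
```

Scenario #1 yields ERC for the relay and the full requirement list; Scenario #2 yields no ERC for the relay but lists the converter as an EACMS.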
Lesson Learned Interactive Remote Access
• User-initiated Interactive Remote Access by a person using routable protocol, such as through a VPN connection.
• Access originating from outside any of the Responsible Entity’s Electronic Security Perimeters (ESPs).
• Access not originating from an Intermediate System or Electronic Access Points (EAP).
• Access through a remote access client or other remote access technology using a routable protocol.
IRA Requires
• Use an Intermediate System such that the Cyber Asset initiating Interactive Remote Access does not directly access an applicable Cyber Asset (Part 2.1);
• Use encryption that terminates at an Intermediate System for all Interactive Remote Access (Part 2.2); and
• Use multi-factor (i.e., at least two) authentication to manage all IRA sessions (Part 2.3).
Intermediate System
• Ensure IRA originates only from the Intermediate System and not from the Cyber Asset accessing the Intermediate System.
• Intermediate System can be used to access Cyber Assets of different impact ratings
• Place the Intermediate System in a defined, protected network with both ingress and egress filtering rules in place.
• Encryption between the Cyber Asset initiating communication and the Intermediate System.
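The Part 2.1 to 2.3 conditions from the "IRA Requires" slide and the Intermediate System bullets above, checked against a handful of constructed session records, as an added example that is not part of the WECC deck; the log format, field names and all addresses are assumptions.

```python
import re

# Added example (not from the WECC deck): checking constructed remote-access
# session records against Parts 2.1-2.3 as the IRA slides summarize them.
# The log format, field names and addresses are all assumptions.
INTERMEDIATE_SYSTEM = "10.10.5.20"                   # assumed jump host
ESP_ASSETS = {"192.168.100.11", "192.168.100.12"}    # assumed BCAs/PCAs inside the ESP
FIELDS = re.compile(r"src=(\S+) dst=(\S+) tunnel_end=(\S+) factors=(\d+)")

def check_session(record):
    """Return the Part 2.x findings for one session record (empty list if clean)."""
    m = FIELDS.search(record)
    if not m:
        return ["unparseable record"]
    src, dst, tunnel_end, factors = m.groups()
    findings = []
    if dst in ESP_ASSETS and src != INTERMEDIATE_SYSTEM:
        # Part 2.1: only the Intermediate System may reach the applicable Cyber Asset.
        findings.append(f"Part 2.1: {src} reached {dst} without the Intermediate System")
    if dst == INTERMEDIATE_SYSTEM:
        # User-to-Intermediate-System leg: encryption must terminate on the
        # Intermediate System itself (Part 2.2) and use at least two factors (Part 2.3).
        if tunnel_end != INTERMEDIATE_SYSTEM:
            findings.append(f"Part 2.2: encryption from {src} terminates at {tunnel_end}")
        if int(factors) < 2:
            findings.append(f"Part 2.3: {src} authenticated with {factors} factor(s)")
    return findings

def audit(records):
    """Map each non-compliant record to its findings."""
    return {r: f for r in records if (f := check_session(r))}

# Constructed sample records (not real traffic): two compliant legs, then a
# session that bypasses the Intermediate System, then a VPN that terminates on
# a concentrator in front of the Intermediate System with a single factor.
SAMPLE = [
    "src=203.0.113.7 dst=10.10.5.20 tunnel_end=10.10.5.20 factors=2",
    "src=10.10.5.20 dst=192.168.100.11 tunnel_end=- factors=1",
    "src=203.0.113.8 dst=192.168.100.12 tunnel_end=- factors=1",
    "src=203.0.113.9 dst=10.10.5.20 tunnel_end=10.10.1.1 factors=1",
]

if __name__ == "__main__":
    for rec, findings in audit(SAMPLE).items():
        print(rec, *("  - " + f for f in findings), sep="\n")
```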
Interactive Remote Access
Is System-to-System process communication IRA?
Management Interfaces
Out of Band Management
Documenting IRA
• Create a diagram which identifies each of the network zones entering the ESP
• Identify where user access takes place
• Determine which applications need to be on the Intermediate System to allow the user to interactively access the BES Cyber Assets and Protected Cyber Assets within the ESP.
• Document the data flows throughout the network environment to illustrate all access through the ESP.
IRA
Mixed Trust Authentication Environments
• Implementation where a BES Cyber System shares an authentication mechanism with a corporate system.
• Although not prohibited by the CIP version 5 Reliability Standards, such environments could increase an entity’s compliance obligation.
Mixed Trust Authentication Environments
Non-Mixed Trust Authentication Environments
EACM and Mixed Trust Authentication Environments
Lesson Learned Intrusion Detection Systems at the EAP
Figure 1 and Figure 2 (diagrams; labels A and B)
• To meet this requirement, Order No. 706 stated that it is in the public interest to require a responsible entity to implement “two or more distinct security measures when constructing an electronic security perimeter.” The Commission believes that a responsible entity cannot meet the goal of defense in depth as required by the Commission with a single electronic device, because a single electronic device is easier to bypass than multiple devices. Therefore, we clarify that two or more separate and distinct electronic devices are necessary to implement the Commission’s defense in depth requirements.
ORDER DENYING REHEARING AND GRANTING CLARIFICATION, ORDER NO. 706-A (Issued May 16, 2008)
Lesson Learned Network Virtualization
Figure 1 and Figure 2: Layer-2 switch carrying VLAN 3 and VLAN 5 (diagrams)
Lesson Learned Server Virtualization
Virtualized Cyber Assets
• The guest machine in itself is a PED and meets all criteria from the definition in the PED LL.
• The guest machine is also then considered a Cyber Asset and meets all criteria for the Cyber Asset glossary term.
• If the Cyber Asset meets the definition of a BCA, then the guest machine becomes a BCA.
• Once a guest machine becomes a BCA, the Hypervisor then becomes a BCA due to its command, control, and ultimate functionality over the guest machine, in this case a BCA.
• All other guest machines on the Hypervisor then also become PCAs due to the Hypervisor having complete command, control, and ultimate functionality over each guest machine.
• The Hypervisor and all of its guest machines are then considered a BCS.
Lesson Learned Storage Virtualization
• Controls deployed in the SAN infrastructure governing access to data storage services utilized by BES Cyber Assets
• Controls applied to the SAN Storage Array and Storage Controller governing access to data storage services utilized by BES Cyber Assets
• Controls applied to the Fibre Channel transport path governing access to fabric services
• Identification of SAN resources and mapping of SAN Cyber Asset components to an ESP boundary
Contact Info
Morgan King, CISSP-ISSAP, CISA
Senior Compliance Auditor - Cyber Security
Western Electricity Coordinating Council (WECC)
[email protected]
Office 801.819.7675 Mobile: 801.608.6652