TRANSCRIPT
Joe Andrews, MsIA, CISSP-ISSEP, ISSAP, ISSMP, CISA, PSP
Sr. Compliance Auditor – Cyber Security
CIP-005-3 Audit Approach, ESP Diagrams, Industry Best Practices
September 24 – 25, 2013 SALT LAKE CITY, UTAH
Speaker Introduction

• Joseph A. Andrews
  o 21 years DoD IT & Information Security / Network Engineering (Federal Civilian)
    § Senior Information Systems Security Engineer
    § Information Assurance Program Manager
    § Network Security Engineer
    § Information Systems Security Officer
    § Etc.
  o Academic
    § Master of Science in Information Security & Assurance
    § Bachelor of Science in IT/Information Security
    § Professional Certifications: CISSP-ISSEP, ISSAP, ISSMP, CISA, PSP, CAP, GCIH, C|CISO, C|EH, CNDA, CBRM, CGEIT, CompTIA Security+
CIP-005-3 Requirements Overview

• R1. Identify and document Critical Cyber Assets (CCAs) residing within an Electronic Security Perimeter (ESP), including Access Points (AP) to the ESP
• R2. Implement and document ESP access controls (i.e., Access Points; deny by default, ports & services, appropriate use banner)
• R3. Monitor and log access to the ESP
• R4. Conduct an annual Cyber Vulnerability Assessment (CVA) of the Access Points to the ESP
• R5. Review, update and maintain CIP-005-3 relevant documentation
R1. Electronic Security Perimeter (ESP)

• Provides network segmentation and restricted access to Critical Cyber Assets within the SCADA and Process Control Network from the Enterprise/Corporate Network and any other untrusted networks and sources.
• It is the Access Point which establishes the Electronic Security Perimeter.
R1. Access Point (AP)

• An information system, device or appliance that provides access to and/or through (e.g., ingress or egress traffic) the ESP (e.g., Firewall, Gateway, Control device w/modem (TCP, UDP; Telnet, SSH, SSL, VPN, HTTP[s]))
• May provide access control, monitoring, alerting and/or logging of access to and/or through the ESP
  o May require intermediary device(s) for some of this functionality: Electronic Access Control and Monitoring (EACM) devices
ESP Graphical Depiction
ESP w/ DMZ Graphical Depiction
Discrete Electronic Security Perimeter

• An Electronic Security Perimeter that is typically located in a single geographical location and may be protected by a single Physical Security Perimeter (PSP). The PSP may or may not span multiple rooms, but the cabling infrastructure is protected by the PSP and all rooms are afforded the protections of CIP-006.
Extended Electronic Security Perimeter

• A single Electronic Security Perimeter that may be located in multiple geographical locations, or in multiple rooms of the same facility, protected by one or more Physical Security Perimeters (PSP). The cabling infrastructure may traverse multiple facility rooms or areas outside of an established PSP.
ESP-1 (Actual) Front Rack View
ESP-1 Front Rack View (CCAs Labeled)
Access Point Graphical Depiction
Access Point GUI & CLI INTERFACE
R1. CAR-005

• ICS components with serial and/or dial-up interfaces can be Access Points:
  o A Front End Processor (FEP) or CCA serially connected to a component of another network beyond your control (e.g., another entity)
  o A FEP or media converter device that uses the internet (e.g., IP; VPN, SSL, AES) to communicate
• Know the backend architecture of your ICS network!
YERSINIA (VLAN Exploit Tool)

Contrary to popular belief: VLANs were originally created as a network performance and organization feature, not a security feature.
• Dynamic Trunking Protocol (DTP) abuse
  o Cisco proprietary, no authentication, switches default to auto-negotiate, sniff all VLAN traffic
• Trunking protocol (802.1q and ISL) abuse
  o PVLAN hopping, double 802.1q VLAN tagging
• Virtual Trunking Protocol (VTP) abuse
• Common Spanning Tree (CST) abuse
• Multiple other attacks
Trend: Legacy Networks to IP VPN

• Legacy SCADA Networks
  o Radio and leased line communication
  o RTUs serially connected to a radio modem or leased line modem
  o Radio modem or leased line modem connected to the Front End Processor (FEP) at the control station
• Secure IP VPN (vendors are pushing)
  o IP network communications
  o RTU connected to multi-homed and multi-protocol devices (MPLS/Frame/IP; Fiber, Ethernet, VSAT)
  o Front End Processors are multi-homed, multi-protocol capable and scalable devices
Legacy Networks to IP VPN - WHY?

• It’s cheaper
  o One-to-one hardware solutions are more expensive
• It’s scalable & reliable (redundancy)
  o Multi-homed, multi-protocol and network-agnostic systems are scalable, while eliminating single points of failure
• It’s safer
  o VPN-IPSEC, AES256 versus unencrypted legacy serial communications
• It’s still IP!
  o Susceptible to the same vulnerabilities plaguing traditional network architectures
  o We’re not against it, we just need to check it
Hacking Satellite

• Spanish cyber security researcher Leonardo Nve demonstrated at BlackHat the exploitation of satellite internet connections (i.e., gaining access to and impersonating legitimate users) using less than $75 worth of tools, which can be purchased on eBay.
  - (1) Skystar “2” PCI satellite receiver card, an open source Linux DVB software app, and the free network data analysis tool Wireshark.
EXTRA! EXTRA! Read all about it!

• US satellites hacked by Chinese military!
• The hacktivist group Anonymous hacks NASA satellite!
• Anonymous hacks Turkish satellite provider!
• Three states have demonstrated the ability to physically damage satellites by intercepting them: the US, Russia and China
R1. CCA, ESP and AP Enumeration

• Verify the Critical Cyber Asset (CCA) list
• Verify the Electronic Security Perimeter (ESP) designation documentation
• Verify the documentation of Access Points to the ESP
• Cross-reference the CCA, ESP and AP documentation with network diagrams
R2. Access Point Checks

• Access Point Configuration Analysis Checks
  o Appropriate use banner configured (not on the radar, and not applicable for CIP V5)
  o Deny by default statement
    § An automatic implicit “deny all” statement after the explicit statements is standard for most new firewalls
  o SNMP community string left at default (i.e., “PUBLIC”)
  o Access Control List is restrictive (e.g., no entire Class A IP range left open 255.255.0.0 (65K IP addresses), and justification for any entire Class C)
  o Authorized ports and services
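The R2 configuration checks above, as an added example that is not part of the original deck: it parses a constructed Cisco-IOS-style extended ACL plus an SNMP line and reports the default community string, permits wider than one Class C (/24), a /24 permit that needs written justification, and a missing explicit final deny. The ACL name and addresses are constructed placeholders.

```python
"""Added example (not from the slides): a minimal R2 configuration check.
It parses a constructed, Cisco-IOS-style extended ACL plus an SNMP line and
reports what an auditor would ask about: the default SNMP community, permit
rules whose source is wider than one class C (/24), a /24 permit that needs
written justification, and a missing explicit final deny statement."""
import ipaddress
import re

# Constructed sample; documentation address ranges, not a real Access Point.
SAMPLE_CONFIG = """
snmp-server community PUBLIC RO
ip access-list extended ESP-INBOUND
 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.10 eq 22
 permit tcp 10.0.0.0 0.0.255.255 host 192.0.2.10 eq 502
 permit ip any host 192.0.2.20
"""

# Matches "<permit|deny> <proto> <source>" where source is host X, any, or net + wildcard.
ACL_RULE = re.compile(r"^\s*(permit|deny)\s+(\S+)\s+(?:host\s+(\S+)|(any)\b|(\S+)\s+(\S+))")

def source_prefix_len(m):
    """Prefix length of the rule's source; assumes a contiguous wildcard mask."""
    if m.group(3):
        return 32                          # host a.b.c.d
    if m.group(4):
        return 0                           # any
    wildcard = int(ipaddress.IPv4Address(m.group(6)))
    return 32 - wildcard.bit_length()      # 0.0.0.255 -> /24, 0.0.255.255 -> /16

def check_access_point(config, narrowest_ok=24):
    """Return a list of finding strings for the R2 checks on one config."""
    findings, rules = [], []
    for line in config.splitlines():
        if re.match(r"\s*snmp-server community\s+public\b", line, re.I):
            findings.append("SNMP community string left at default 'PUBLIC'")
        m = ACL_RULE.match(line)
        if not m:
            continue
        rules.append(m)
        if m.group(1) == "permit":
            plen = source_prefix_len(m)
            if plen < narrowest_ok:
                findings.append(f"permit wider than /{narrowest_ok}: {line.strip()}")
            elif plen == narrowest_ok:
                findings.append(f"entire /{narrowest_ok} permitted, needs justification: {line.strip()}")
    last = rules[-1] if rules else None
    if not (last and last.group(1) == "deny" and last.group(2) == "ip" and source_prefix_len(last) == 0):
        findings.append("no explicit 'deny ip any any' at end of ACL; relying on the implicit deny")
    return findings
```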
R3. AP Monitoring, Logging, & Alerting

• Validate electronic & manual 24/7 monitoring, logging and alerting (including dial-up accessible CCAs with non-routable protocols)
  o Validate electronic and/or manual logs
  o Verify the implemented technical solutions that are responsible for alerting appropriate personnel (e.g., SMTP, SIEM, Log Server, etc.)
NERC Industry Advisories

• Remote Access Guidance
  o Use encrypted access controls for remote access
  o Use multi-factor authentication
  o Consider a proxy device as the VPN termination point
  o Implement logging and monitoring
  o etc.
NERC Guidance

• Guidance for Secure Remote Access
  o Secure interactive remote access concepts
  o Security practices and proposed solutions for secure interactive remote access
  o Assessing the implementation of interactive remote access controls
  o Network architecture decisions
R4. Annual Cyber Vulnerability Assessment (CVA) of APs to ESP

• Validate vulnerability assessment process documentation
• CVA criteria must address:
  o Authorized ports and services
  o Discovery of all Access Points to the ESP
  o Review of controls, default accounts, passwords and network management community strings (PUBLIC)
  o For vulnerabilities discovered, establish a remediation action plan and ensure execution of the action plan
R4 Cyber Vulnerability Assessment

• The CVA summary report should specifically identify, by unique identifiers, the Access Points that were assessed.
• The auditors will ask for any raw evidence relevant to the assessment (e.g., automated scans, Access Point configurations).
R4 Cyber Vulnerability Assessment

• Auditors will cross-reference the Access Point ports and services baseline with the configuration
• Excess ports and services found during the CVA should be added to the CVA mitigation/remediation plan
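The two R4 slides above (assessed APs identified by unique identifier; baseline cross-referenced against what the CVA found), as an added example that is not part of the original deck. The baseline, the AP identifiers and the scan records are constructed placeholders.

```python
"""Added example (not from the slides): cross-reference the ports/services
baseline of each Access Point against CVA scan results, as R4 describes, and
record which APs the scan evidence actually covers. Baseline, AP identifiers
and scan lines are all constructed placeholders."""

# Baseline: AP unique identifier -> {(proto, port): documented justification}
BASELINE = {
    "AP-ESP1-FW01": {("tcp", 22): "SSH mgmt from EACM jump host",
                     ("udp", 161): "SNMP polled by EACM monitor"},
    "AP-ESP1-VPN01": {("udp", 500): "IKE", ("udp", 4500): "NAT-T"},
    "AP-ESP2-FW01": {("tcp", 22): "SSH mgmt from EACM jump host"},
}

# Constructed scan evidence, one "ap proto/port state" record per line.
SCAN_LINES = """
AP-ESP1-FW01 tcp/22 open
AP-ESP1-FW01 tcp/23 open
AP-ESP1-FW01 udp/161 open
AP-ESP1-FW01 tcp/443 open
AP-ESP1-VPN01 udp/500 open
AP-ESP1-VPN01 udp/4500 open
AP-ESP1-VPN01 tcp/22 closed
"""

def parse_scan(text):
    """Return {ap: set of (proto, port)} for ports reported open."""
    open_ports = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ap, (proto, port), state = parts[0], parts[1].split("/"), parts[2]
        open_ports.setdefault(ap, set())   # AP counts as assessed even if everything was closed
        if state == "open":
            open_ports[ap].add((proto, int(port)))
    return open_ports

def cva_report(baseline, scan):
    """Per AP: whether it was assessed, excess ports (go to the remediation plan),
    and baselined ports not observed (baseline may be stale: an R5 documentation update)."""
    report = {}
    for ap in sorted(set(baseline) | set(scan)):
        expected, observed = set(baseline.get(ap, {})), scan.get(ap, set())
        report[ap] = {
            "assessed": ap in scan,
            "excess": sorted(observed - expected),
            "missing": sorted(expected - observed) if ap in scan else [],
        }
    return report
```

Any AP with `assessed` False is one the CVA summary report cannot claim to have covered.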
Auditors will review Action Items

Action Item | Status | Completion Date
DON’T LEAVE BLANK!!
R5. Documentation Review and Maintenance

• Documentation reflects current configurations
• Documentation is updated within 90 days of a change to the network or security controls
• Retain relevant access logs for at least 90 calendar days; however, in the instance of a Cyber Security Incident the retention window is approximately 3 years
References

• NERC Industry Advisory: remote access guidance (2011). Retrieved from the North American Electric Reliability Corporation website on January 7, 2012, from http://www.nerc.com/fileUploads/File/Events%20Analysis/A-2011-08-24-1-Remote_Access_Guidance-Final.pdf
• NERC Guidance for Secure Interactive Remote Access (2011). Retrieved from the North American Electric Reliability Corporation website on January 7, 2012, from http://www.nerc.com/fileUploads/File/Events%20Analysis/FINAL-Guidance_for_Secure_Interactive_Remote_Access.pdf
Questions?

Joe Andrews, CISSP-ISSEP, ISSAP, ISSMP, CISA
Sr. Compliance Auditor – Cyber Security
Western Electricity Coordinating Council
jandrews[@]wecc[.]biz
Office: 801.819.7683