Mick Neshem CISA, CISSP, CSSA
Senior Compliance Auditor – Cyber Security
CIP-005-5 Compliance Outreach CIP v5 Roadshow
May 14-15, 2014, Salt Lake City, UT
2
1. Modify or remove the IAC in the 17 impacted requirements [February 3, 2015]
2. Develop modifications to the CIP standards to address security controls for Low impact assets
3. Develop requirements to protect transient electronic devices - thumb drives, laptops that do not meet the BES Cyber Asset definition
4. Create a definition of “communication networks” and develop new or modified standards that address the protection of communication networks [February 3, 2015]
5. Study the application of the 15-minute parameter for identification of BES Cyber Assets and the impact of this time constraint on the overall security and reliability of the BES.
V5 Open Actions [SAR 1-4]
SDT Industry Webinar.pdf – April 22, 2014
3
4
• whether additional definitions and/or security controls are needed to protect Bulk-Power System communications networks, including remote systems access
• adequacy of the approved CIP version 5 Standards’ protections for Bulk-Power System data being transmitted over data networks
• functional differences between the respective methods utilized for identification, categorization, and specification of appropriate levels of protection for cyber assets using CIP version 5 Standards as compared with those employed within the National Institute of Standards and Technology Security Risk Management Framework.
FERC Staff Technical Conference (4/29/14)
http://ferc.gov/CalendarFiles/20140227165846-RM13-5-000TC.pdf
5
• Significant discussion regarding Communications Network
• Cyber Systems use of non routable communication
• Cyber Security Procurement Processes
• NIST Risk Management Framework and Cyber Security Framework
FERC Technical Conference Update
6
• Cyber Asset
• BES Cyber Asset (BCA)
• BES Cyber Systems (BCS)
• Protected Cyber Asset (PCA)
• Electronic Security Perimeter (ESP)
• External Routable Connectivity (ERC)
• Electronic Access Point (EAP)
• Dial-up Connectivity
Terminology
7
• CIP v3
o 5 Requirements (Version 3)
o 26 Sub-requirements
• CIP v5
o 2 Requirements (Version 5)
o 8 Parts
V3 vs. V5 Requirement Count
8
Applicable Systems
9
Moved
10
Deleted
11
• 17 CIP Requirements that include IAC (2/3/2015)
• CIP-005-5 contains no Identify, Assess and Correct language in the requirement.
IAC
12
• CIP-002-5 is the initial identification of the BES Cyber System
• It is important for the CIP-002-5 and CIP-005-5 teams in your organization to work closely in the identification of BES Cyber Systems and Impact Rating Criteria (IRC)
• ESP boundaries and High Water Mark impacts may affect CIP-005-5 architecture
CIP-002-5 & CIP-005-5
13
High Level Relationships [CIP-002-5]
[Diagram: BES Assets (High Impact Facilities, R1.1; Medium Impact Facilities, R1.2) contain BES Cyber Systems (BCS), which are made up of BES Cyber Assets, with associated PCAs. High Impact: Control Centers and Backup Control Centers (RC, BA, TOP or GOP) that meet CIP-002-5 Attachment 1 Section 1 requirements. Medium Impact: CIP-002-5 Attachment 1 Section 2 requirements.]
14
High Level Relationships [CIP-002-5]
[Diagram: the same relationship figure (BES Assets, High/Medium Impact Facilities, R1.1/R1.2, BES Cyber Systems, BES Cyber Assets, PCA), with the definitions of BES Cyber System and Cyber Asset called out]
BES Cyber System: One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.
Cyber Asset: Programmable electronic devices, including the hardware, software, and data in those devices.
15
High Level Relationships [CIP-002-5] – BES Cyber Asset
[Diagram: the same relationship figure (BES Assets, High/Medium Impact Facilities, R1.1/R1.2, BES Cyber Systems, BES Cyber Assets, PCA), with the definition of BES Cyber Asset called out]
BES Cyber Asset: A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact. Each BES Cyber Asset is included in one or more BES Cyber Systems. (A Cyber Asset is not a BES Cyber Asset if, for 30 consecutive calendar days or less, it is directly connected to a network within an ESP, a Cyber Asset within an ESP, or to a BES Cyber Asset, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.)
16
CIP-005-5 R1 Part 1.1
17
Changes
http://www.nerc.com/docs/standards/sar/Mapping_Document_012913.pdf
18
CIP-005-5 R1.1 [ESP]
[Flow diagram: High Impact BCS / Medium Impact BCS (and associated PCA) → Internal Routable Connectivity? → YES → Requires ESP (R1.1)]
Protected Cyber Asset (PCA): One or more Cyber Assets connected using a routable protocol within or on an Electronic Security Perimeter that is not part of the highest impact BES Cyber System within the same Electronic Security Perimeter. The impact rating of Protected Cyber Assets is equal to the highest rated BES Cyber System in the same ESP. A Cyber Asset is not a Protected Cyber Asset if, for 30 consecutive calendar days or less, it is connected either to a Cyber Asset within the ESP or to the network within the ESP, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.
Electronic Security Perimeter (ESP): The logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol.
19
Defined ESP
[Diagram: an ESP enclosing a High BES Cyber System made up of BCAs, together with PCAs on the same network inside the ESP]
20
• Version 3 (1/18/2008)
o The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.
• Version 5 (4/1/2016)
o The logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol.
Electronic Security Perimeter
21
• ESP defines a zone of protection around the BES Cyber System
• Helps determine what systems or Cyber Assets are in scope and what Impact Rating the Cyber Systems meet, ultimately determines which requirements are applicable
Electronic Security Perimeter(s) ‘defined’
22
• Isolated
• Discrete
• Extended
ESPs
23
• ESP network with no external connectivity
o An ESP (a logical border) is required around every routable protocol network that contains a BES Cyber System, even if it is an isolated network and has no external connectivity
Isolated ESP
24
Isolated ESP – No External Communications
[Diagram: an EMS Electronic Security Perimeter with no external connection. EMS servers, workstations, printer and switch (former CCAs) are labelled BCA, PCA or BCA/PCA; non-BCS workstations, file server, printer, router and switch are labelled PCA. Labels reference CIP-002 (BCS identification), CIP-005 (ESP) and CIP-007.]
25
• CIP Cyber Security Standards do not require network segmentation of BES Cyber Systems by impact classification
• A new concept from the tiered impact model
• Many different impact classifications can be identified within an ESP; however, the highest level of the BCS within the ESP sets the High Water Mark for all associated assets within that ESP
High Water Mark
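As an added illustration of the High Water Mark rule (this code is not from the presentation), the following Python models the inventory of one ESP and derives the rating each asset is protected at: BCAs keep their own BCS rating, PCAs take on the High Water Mark, non-routable assets fall outside the ESP, and the 30-day transient exclusion from the PCA definition is applied. The class names, field names and the sample inventory are assumptions constructed for the example.

```python
"""High Water Mark and PCA impact rating for one Electronic Security Perimeter.

Added example, not from the presentation. Class/field names and the sample
inventory are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IMPACT_RANK = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class CyberAsset:
    name: str
    routable: bool                      # connected using a routable protocol?
    bcs: Optional[str] = None           # BES Cyber System it belongs to, if any
    bcs_impact: Optional[str] = None    # CIP-002-5 rating of that BCS
    # Days a temporarily connected asset stays attached (maintenance, data
    # transfer, vulnerability assessment, troubleshooting); None = permanent
    connected_days: Optional[int] = None


@dataclass
class Esp:
    name: str
    assets: List[CyberAsset] = field(default_factory=list)


def high_water_mark(esp: Esp) -> Optional[str]:
    """Highest impact rating among the BES Cyber Systems on the ESP network."""
    ratings = [a.bcs_impact for a in esp.assets if a.routable and a.bcs and a.bcs_impact]
    return max(ratings, key=IMPACT_RANK.__getitem__, default=None)


def classify(esp: Esp) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each asset name to (role, impact rating it is protected at).

    BCAs keep the rating of their own BCS; every other routable Cyber Asset
    inside the ESP is a PCA and takes on the High Water Mark. A non-routable
    asset cannot be part of an ESP, and an asset connected for 30 days or
    less for maintenance-type purposes is excluded from the PCA definition.
    """
    hwm = high_water_mark(esp)
    result: Dict[str, Tuple[str, Optional[str]]] = {}
    for a in esp.assets:
        if not a.routable:
            result[a.name] = ("not in ESP", a.bcs_impact)
        elif a.bcs:
            result[a.name] = ("BCA", a.bcs_impact)
        elif a.connected_days is not None and a.connected_days <= 30:
            result[a.name] = ("transient (excluded)", None)
        else:
            result[a.name] = ("PCA", hwm)
    return result


def sample_esp() -> Esp:
    """Constructed EMS-style ESP where a High BCS and a Medium BCS share the network."""
    return Esp("EMS ESP", [
        CyberAsset("ems-app-1", True, bcs="EMS", bcs_impact="High"),
        CyberAsset("historian", True, bcs="Historian", bcs_impact="Medium"),
        CyberAsset("print-server", True),                   # non-BCS asset -> PCA
        CyberAsset("vendor-laptop", True, connected_days=5),  # transient connection
        CyberAsset("serial-relay", False, bcs="Protection", bcs_impact="Medium"),
    ])


if __name__ == "__main__":
    esp = sample_esp()
    print(f"{esp.name}: High Water Mark = {high_water_mark(esp)}")
    for name, (role, impact) in classify(esp).items():
        print(f"  {name:14} {role:22} {impact}")
```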
26
High Water Mark
27
High Water Mark
[Diagram: two ESPs inside one PSP, each with its own EAP: one contains a High BES Cyber System (BCAs and PCAs), the other a Medium BES Cyber System (BCAs and PCAs)]
28
Discrete ESPs
[Diagram: three separate ESPs connected over routable protocols, each with its own EAP, containing High, Medium and Low BES Cyber Systems]
29
Discrete ESPs
30
Extended ESP
[Diagram: three sites, each with a High BES Cyber System, joined by encrypted tunnels into one extended ESP]
31
Extended ESP
[Diagram: the same three sites joined by encrypted tunnels into one extended ESP, with a single EAP facing CORP]
32
• “If an entity wishes to state that a wide area network of sites are within one ESP, regardless of encryption, then all Cyber Assets (which includes, e.g., all communication or networking equipment) within that very large ESP become associated PCAs and must meet the Requirements of the highest level BES Cyber System in the ESP. The standards do not preclude doing this, but there are implications that Responsible Entities should take into account”
Extended ESP
Final_Petition_CIP_V5.pdf (Jan. 31, 2013, page 45)
33
• Communications equipment between sites:
o If using routable communication, the communications equipment connecting discrete ESPs is not in scope (4.2.3.2)
o Extended ESPs will need to include the communications equipment – not “discrete” ESPs
o Serial communications equipment will be included, as no exclusion exists
o This is TBD by the Communication standard work in progress – wait and see. GET INVOLVED: contact Ryan Stewart at NERC to be added to the SDT plus list
CIP-005-5 Communication Equipment
34
Can a BCS span multiple facilities crossing discrete ESPs?
BCS Boundaries
35
BCS Boundaries [Single BCS]
36
BCS Boundaries [Multi BCS]
37
Example EMS ESP [Routable]
[Diagram: CorpNet connects through a firewall and a DMZ (Intermediate Server, Access Control Server, EACM, switch) and an EAP into the EMS Electronic Security Perimeter; a second EAP faces the EMS WAN. Inside the ESP: EMS servers, workstations, file server, access control server, printers, routers and switches, labelled CCA. Labels reference CIP-005 (EAP/ESP) and CIP-007.]
38
Example EMS ESP [Routable]
[Diagram: the same EMS ESP with v5 labels applied: EMS servers and workstations are BCA or BCA/PCA; non-BCS workstations, file server, printers, router and switch are PCA; the DMZ holds the Intermediate Server, Access Control Server and EACM behind the EAPs. Labels reference CIP-002, CIP-005 and CIP-007.]
All PCA devices take on the impact level of the BCS
39
Example EMS ESP [Multi-BCS ESP]
[Diagram: the same EMS ESP containing two BES Cyber Systems, one HIGH and one MEDIUM (BCS workstations and BCS server as BCAs), behind the DMZ and EAPs. Labels reference CIP-002, CIP-005 and CIP-007.]
40
Example EMS ESP [High Water Mark Impact]
[Diagram: the same EMS ESP; the High Water Mark of the highest-rated BCS applies to every PCA inside the ESP]
All PCA devices take on the impact level of the BCS
41
• Cyber Assets are subject to the CIP standards based on their functionality and resultant potential impact to BES reliability
• BES Cyber Systems and associated BES Cyber Assets are not dependent upon a routable protocol (see definitions)
o A BES Cyber System may include non-routable (serial) devices. End point devices (relays) may be included within the v5 requirements and identified as BES Cyber Assets, even if no routable communications exist. Therefore, there are v5 requirements to be addressed (i.e. CIP-007-5)
Non-Routable BCS
42
• Does a BCS require an ESP?
o A BCS may not require an ESP
o A BCA with no routable connectivity cannot be part of an ESP
o The level of protection required depends on the classification (IRC) of the asset
 - Still required to apply the protections under CIP-007 that apply to a BCA/PCA
BCS and ESPs
43
Mixed connectivity BCS
[Diagram: a BCS with mixed connectivity that includes a non-routable BCA]
44
Non-Routable BCS
[Diagram: a non-routable BCS]
45
• List of BES Cyber Systems
• List of BES Cyber Assets within each BCS
o A BCA may be included in more than one BCS
• List of Protected Cyber Assets (associated assets)
• ESP network topology including subnets
• Cyber Asset IP addresses
Measures (Part 1.1)
46
CIP-005-5 R1 Part 1.2
47
Changes
48
CIP-005-5 R1.2 [Electronic AP]
[Flow diagram: High Impact BCS / Medium Impact BCS (and associated PCA) → Internal Routable Connectivity? YES → Requires ESP (R1.1) → External Routable Connectivity? YES → Requires Electronic Access Point (R1.2)]
External Routable Connectivity (ERC): The ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection.
Electronic Access Point (EAP): A Cyber Asset interface on an Electronic Security Perimeter that allows routable communication between Cyber Assets outside an Electronic Security Perimeter and Cyber Assets inside an Electronic Security Perimeter.
49
• Changed to refer to the defined term Electronic Access Point (EAP versus ESP access point) and BES Cyber System
• Where external routable connectivity and the ESP logical border are defined by the implementation of Electronic Access Points (EAPs)
Change Rationale (Part 1.2)
50
• Firewalls
• Modems
• VPN concentrators
• Dual-homed systems
• Protocol converters (communications controllers, FEP, etc.)
• Etc.
Electronic Access Point ‘identified’
51
Unidirectional Gateways
52
• ‘External Routable Connectivity’ includes the term ‘bi-directional’
o ‘bi-directional routable protocol connection’
• Systems behind a data diode do not have External Routable Connectivity
External Routable Connectivity
53
• Are serially connected Cyber Assets within scope for Requirements applicable to BES Cyber Systems with External Routable Connectivity?
o All BES Cyber Assets are in scope of all the CIP Version 5 standards
o Type of connectivity limits applicability
Serially Connected Cyber Assets
54
• Non-intelligent Device – thing of the past
o Serial IP conversion
o One to one relationship – one serial port & 1 IP port
o Non-intelligent – no advanced conversion capabilities
• Intelligent Device
o Serial IP conversion
o Multiple serial ports supported with individual port management
o Advanced conversion and connectivity capabilities per serial port
 - Reverse telnet per serial port
 - Passthru capabilities – direct IP to a specific serial device connected to a serial port on the device
Protocol Conversion
55
Cisco TS [2511] – Reverse Telnet
http://www.cisco.com/c/en/us/support/docs/dial-access/asynchronous-connections/5466-comm-server.html#design
http://www.cisco.com/c/en/us/support/docs/dial-access/asynchronous-connections/17719-9.html#reversetelnet
TCP Port associated with the specific serial device
56
DIGI TS
http://ftp1.digi.com/support/documentation/9028700c.pdf -- (page 113)
57
• External Routable Connectivity (ERC)
• High Water Mark Impacts
• Electronic Security Perimeter (ESP)
• Electronic Access Point (EAP)
• V5 Standard & Guidance
• Connectivity versus accessibility
Protocol Conversion Issues
58
Serial to Field Device
59
Serial to Field Device
60
Serial Communications [standalone ESPs]
[Diagram: IP over the SCADA WAN and telecom links reaches a serial/routable device at each site (RTU, terminal server, protocol convertor, FEP, router/switch); the BCAs beyond it communicate over serial only]
61
Routable Communications [Discrete ESPs]
[Diagram: the same sites with IP carried over the SCADA WAN and telecom links to each site; each site has its own EAP and forms a discrete ESP, with serial BCAs behind the serial/routable device (RTU, terminal server, protocol convertor, FEP, router/switch)]
62
Single BCS across PSP/ESP [Discrete ESPs]
[Diagram: the same discrete ESPs and EAPs, with a single BES Cyber System spanning the sites]
63
Multiple BCS example [Routable – Discrete ESPs]
[Diagram: Medium BCSs at separate sites, each with its own EAP, BCAs and a PCA, connected through serial–IP convertors over telecom links and the SCADA WAN]
64
PCC Serial WAN Serial Subs
[Diagram: a primary control center (PCC) with a High BCS inside an EMS Electronic Security Perimeter (EAP to CorpNet; EMS servers, workstations, printer and switch labelled BCA, BCA/PCA or PCA; non-BCS workstations, file server, printer, router and switch labelled PCA). An FEP connects over a serial WAN to substation RTUs that are Medium BCSs (BCAs) inside a PSP.]
65
PCC Routable with Serial & IP substations
[Diagram: the same PCC High BCS ESP. Substations reached over IP each have an EAP and an ESP/PSP around a Medium BCS RTU and its BCAs; a Low BCS substation is reached over serial; some devices connect over both IP and serial.]
66
• Connection method (serial, Ethernet, etc.)
• Connection protocol (non-routable, routable)
• Serial convertors/controllers – IP accessible requires EAP capabilities if IRA
• End to end serial, no ESP or EAP required
• Be aware of multiple connection types
Field Devices - Complexity
67
SEL-421 Connectivity capabilities
Ethernet (IP)
https://www.selinc.com/SEL-421/
68
• CIP-006-5
• Part 1.2 – physical access controls
• Part 1.4 – Monitor for unauthorized PSP access
• Part 1.5 – Alarms and alerts on detection of unauthorized access to PSP
• Part 1.6 – PACS systems monitoring
• Part 1.7 – PACS alarms
• Part 1.8 – Logging of access for authorized unescorted access
• Part 1.9 – Retention of access logs for 90 days
• Part 2.1 – Visitor escort requirements
• Part 2.2 – Visitor logging required
• Part 2.3 – Visitor log retention
IP Accessible CIP-006-5 ERC Impacts
69
Span Ports
https://supportforums.cisco.com/docs/DOC-32763
70
• SPAN – typical for IDS sensor
o local
• RSPAN
o Cannot cross any Layer 3 device
• ERSPAN (Cisco proprietary)
o Can monitor traffic across a WAN or different networks – L3 connectivity
o Look for an identified EAP
Span Ports
71
• V3 Electronic Access Points and routable connectivity concepts are valid – ESPs expanded to “isolated” ESPs
• Electronic Access Point required for all ESPs with any external routable connectivity to or from BES cyber assets
• External Routable Connectivity –
o What about “IP Accessible” via routable protocol?
o Routable protocol accessible? – serial IP conversion
o The serial field devices are no longer under a serial exemption, therefore are included within BCS as a BCA. They are now included in CIP compliance Standards based on BES criteria (reliability operating services), regardless of their connectivity method
o However, be aware of reverse telnet risks (IP Accessible) associated with protocol conversion devices – may require IRA and ERC requirements
o Extended ESPs are still a valid ESP configuration
R1.2 Audit Approach
72
• Network Diagrams
• External routable communication paths
• List of all Identified EAPs
Measures (Part 1.2)
73
CIP-005-5 R1 Part 1.3
74
CIP-005-5 R1.3 [Bi-Directional Controls]
[Flow diagram: High Impact BCS / Medium Impact BCS (and associated PCA) → Internal Routable Connectivity? YES → Requires ESP (R1.1) → External Routable Connectivity? YES → Requires Electronic Access Point (R1.2) → Requires Bi-directional controls (R1.3)]
Protected Cyber Asset (PCA): One or more Cyber Assets connected using a routable protocol within or on an Electronic Security Perimeter that is not part of the highest impact BES Cyber System within the same Electronic Security Perimeter. The impact rating of Protected Cyber Assets is equal to the highest rated BES Cyber System in the same ESP. A Cyber Asset is not a Protected Cyber Asset if, for 30 consecutive calendar days or less, it is connected either to a Cyber Asset within the ESP or to the network within the ESP, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.
External Routable Connectivity (ERC): The ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection.
Electronic Access Point (EAP): A Cyber Asset interface on an Electronic Security Perimeter that allows routable communication between Cyber Assets outside an Electronic Security Perimeter and Cyber Assets inside an Electronic Security Perimeter.
Electronic Security Perimeter (ESP): The logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol.
75
• Changed to refer to the defined term Electronic Access Point and to focus on the entity knowing and having a reason for what it allows through the EAP in both inbound and outbound directions
Change Rationale (Part 1.3)
76
• Responsible Entity knows what other Cyber Assets or ranges of addresses a BES Cyber System needs to communicate with and limits the communications to that known range
• Not required to document the inner workings of stateful firewalls, where connections initiated in one direction are allowed a return path
Audit Approach (Part 1.3)
77
• “SDT notes the requirement does not require that all 65535 ports be documented as this is a ‘deny by default’ requirement and only the remaining open ports (those that ‘grant access’) should be documented.”
Access Permissions
Final_Petition_CIP_V5.pdf (Jan. 31, 2013, page 46)
78
• Established baseline
• Electronic Access Point(s) configuration(s)
• Utilize ‘remark’ type command
Measures (Part 1.3)
79
object-group network BCS1
 network-object host 10.1.1.3
 network-object host 10.1.1.4
object-group network BCS2
 network-object host 172.16.1.5
 network-object host 172.16.1.8
access-list 101 remark BCS1 hosts allowed to communicate with BCS2 hosts
access-list 101 remark permit_SSH for EIA
access-list 101 permit tcp host 10.1.1.2 host 172.16.1.10 eq 22
access-list 101 remark deny by default CIP-005-5 R1.3
access-list 101 deny ip any any log
access-list 201 remark BCS2 hosts allowed to communicate with BCS1
access-list 201 remark permit_iccp
access-list 201 permit tcp host 10.1.1.3 host 172.16.1.5 eq 102
access-list 201 remark deny by default CIP-005-5 R1.3
access-list 201 deny ip any any log
access-group 101 in interface ethernet0/0
ACL Remarks
80
• Requirement does not require that all 65535 ports be documented as this is a ‘deny by default’ requirement
• Only the remaining open ports (those that ‘grant access’) should be documented per R1.3
• Does not limit the Responsible Entity from controlling outbound traffic at the level of granularity that it deems appropriate and large ranges of internal addresses may be allowed
Audit Approach (Part 1.3)
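As an added audit helper (not from the presentation), this Python parses access-list lines in the format shown on the ACL Remarks slide and applies the R1.3 audit approach above: it lists only the grants (the remaining open ports) that must be documented, and flags a permit with no remark or an ACL that does not end in a logged deny-by-default. The sample config is constructed for the example; it mirrors ACLs 101 and 201 and adds a deliberately undocumented ACL 301 to show findings.

```python
"""CIP-005-5 R1.3 'deny by default' audit helper for ASA/IOS-style ACL text.

Added example, not from the presentation. The SAMPLE_CONFIG below is
constructed: ACLs 101 and 201 follow the ACL Remarks slide, ACL 301 is an
undocumented ACL added so that the checks produce findings.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_CONFIG = """
access-list 101 remark BCS1 hosts allowed to communicate with BCS2 hosts
access-list 101 remark permit_SSH for EIA
access-list 101 permit tcp host 10.1.1.2 host 172.16.1.10 eq 22
access-list 101 remark deny by default CIP-005-5 R1.3
access-list 101 deny ip any any log
access-list 201 remark BCS2 hosts allowed to communicate with BCS1
access-list 201 remark permit_iccp
access-list 201 permit tcp host 10.1.1.3 host 172.16.1.5 eq 102
access-list 201 permit tcp host 10.1.1.4 host 172.16.1.8 eq 102
access-list 201 remark deny by default CIP-005-5 R1.3
access-list 201 deny ip any any log
access-list 301 permit tcp host 10.1.1.9 host 172.16.1.9 eq 23
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(remark|permit|deny)\s+(.*)$")
DENY_ALL_RE = re.compile(r"^ip\s+any\s+any(\s+log)?$")

Grant = Tuple[str, Optional[str]]          # (permit body, justifying remark)


def parse_acls(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {acl_name: [(kind, body), ...]} preserving line order."""
    acls: Dict[str, List[Tuple[str, str]]] = {}
    for raw in text.splitlines():
        m = ACL_RE.match(raw.strip())
        if not m:
            continue  # object-groups, interface stanzas etc. are not ACL entries
        name, kind, body = m.groups()
        acls.setdefault(name, []).append((kind, body.strip()))
    return acls


def audit_acl(name: str, entries: List[Tuple[str, str]]) -> Tuple[List[Grant], List[str]]:
    """Apply the R1.3 audit approach to one ACL.

    Returns (grants, findings): grants are the permit entries that must be
    documented (the ports that 'grant access'); findings are audit issues.
    A remark justifies every permit that follows it until the next remark.
    """
    grants: List[Grant] = []
    findings: List[str] = []
    last_remark: Optional[str] = None
    deny_all_seen = False
    for kind, body in entries:
        if deny_all_seen:
            findings.append(f"{name}: entry after deny-any is unreachable: {kind} {body}")
            continue
        if kind == "remark":
            last_remark = body
        elif kind == "permit":
            if last_remark is None:
                findings.append(f"{name}: permit without a remark: {body}")
            grants.append((body, last_remark))
        elif kind == "deny" and DENY_ALL_RE.match(body):
            deny_all_seen = True
            if "log" not in body:
                findings.append(f"{name}: explicit deny-any does not log")
    if not deny_all_seen:
        findings.append(f"{name}: no explicit 'deny ip any any log' at the end")
    return grants, findings


def audit_config(text: str) -> Dict[str, Tuple[List[Grant], List[str]]]:
    """Audit every ACL found in the config text."""
    return {name: audit_acl(name, entries) for name, entries in parse_acls(text).items()}


if __name__ == "__main__":
    for acl, (grants, findings) in audit_config(SAMPLE_CONFIG).items():
        print(f"ACL {acl}: {len(grants)} documented grant(s)")
        for body, remark in grants:
            print(f"  permit {body}  <- {remark or 'NO REMARK'}")
        for f in findings:
            print(f"  FINDING: {f}")
```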
81
• Is an EAP an EACM in version 5?
o To remove any cross referencing, these Cyber Assets are now included in the Applicability column for each cyber security requirement
Identifying Ports and Services for EAP/EACM
82
• Electronic Access Control or Monitoring Systems (“EACMS”)
o Examples include: Electronic Access Points, Intermediate Devices, authentication servers (e.g., RADIUS servers, Active Directory servers, Certificate Authorities), security event monitoring systems, and intrusion detection systems
Categorization Criteria
83
CIP-005-5 R1 Part 1.4
84
Changes
85
• Added clarification that dial-up connectivity should perform authentication so that the BES Cyber System is not directly accessible with a phone number only
Change Rationale (Part 1.4)
86
• A data communication link that is established when the communication equipment dials a phone number and negotiates a connection with the equipment on the other end of the link
• CIP-005-5 is silent on differentiating Dial-in vs. Dial-out direction
• Dial-up is generally and historically recognized as a two way communication service once established
• Requirement R2 (Interactive Remote Access) builds upon Requirement R1.4 when the session meets the definition of Interactive Remote Access
‘Dial-up Connectivity’
87
• Requires authentication for all dial-up accessible cyber assets
• Authentication – does not require multi-factor authentication as in IRA
• Capability does not mean – “because we do not want to” or “it makes access difficult”, “our techs won’t use it”, etc.
R1.4 Audit Approach
88
• Applies to any access including machine to machine
• CIP-005 R1.4 concerns the security of the ‘network’ level and requires that there be some form of authentication before a ‘network’ connection is established to the BES Cyber System
o R2 only applies to ‘Interactive Remote Access’ which is user-based
• EAP-like functionality on dialups
o Once a connection is made, then CIP-007 applies as we’ve moved from the ‘network’ level security to device level security and any user access has to be authenticated at the device
CIP-005-5 R1.4 Applicability
89
• “…a documented process…”
• Auditors conducting performance audits
• “…how the Responsible Entity is providing authenticated access through each dial‐up connection.”
Measures (Part 1.4)
90
CIP-005-5 R1 Part 1.5
91
Changes
92
CIP-005-5 R1.5 [Malicious Communication Detection]
[Flow diagram: High Impact BCS / Medium Impact BCS at Control Centers (and associated PCA) → Electronic Access Point Exists? Yes → Requires bi-directional monitoring for malicious activity (R1.5)]
93
• Per FERC Order No. 706, Paragraphs 496-503, ESPs need two distinct security measures such that the Cyber Assets do not lose all perimeter protection if one measure fails or is misconfigured. The Order makes clear this is not simple redundancy of firewalls, thus the SDT has decided to add the security measure of malicious traffic inspection as a requirement for these ESPs.
Change Rationale
94
• Is the audit approach to detect 100% of all malicious communications?
o “Known or suspected”
o Communications that have attributes of known or suspected malicious communications
Audit Approach (Part 1.5)
95
IDS placement
[Diagram: the discrete ESPs figure (High, Medium and Low BES Cyber Systems connected over routable protocols), with an IDS placed at the EAPs]
96
• Direction of the traffic monitored
o both inbound and outbound traffic subject to the detection
• Placement of malicious communications inspection
o specific architecture and placement is not prescribed
• Number of IDS’s
o Applicability is set at the EAP level
o EAPs at Medium Impact BCS Control Centers need to be covered by the entity’s method for detecting malicious communications
• CIP-007-5 Part 4 addresses logging (4.1) and alerting (4.2) for this malicious communications detection device (EACMS)
Audit Approach (Part 1.5)
97
• No TFE language in CIP-007-5 R3 for EACMS
• Requirement has been written at a much higher level than previous versions
• Guidance has numerous suggested methods up to and including policy level measures
• Requirement no longer prescriptively requires a single technology tool for addressing the issue
EAP Malicious Code Prevention
98
• Does the IDS measure have its own configuration, firmware, module?
• Can the IDS measure operate independent of a failure or misconfiguration of the Electronic Access Point?
Unified Threat Management (UTM)
99
• Isolated networks applicability?
o Isolated networks do not have EAPs
o R1.5 would not be applicable?
o IDS is an EACM … therefore
 - Detection is only one half of the issue
 - Addressing or mitigating the detected threat per CIP-007-5 R4
Audit Approach (Part 1.5)
100
• EACMs and PACS can still be located outside an ESP
• PACS
o No distinction between “field devices” and “central servers”
o Protections primarily through the CIP-007 requirements for authorization, access control, and logging and monitoring for these systems
EACMs and PACS
101
• Dual protection architecture
• IDS configuration
• Layer 7 firewall configuration
• Monitoring evidence
Measures (Part 1.5)
102
• EAP and Intrusion Detection System (IDS)
o Need both technologies, not just access control
• Inbound and outbound access controls
o Requires detailed understanding of all traffic
• Bi-directional monitoring
• Multiple ESPs with different impact levels at one facility
o Intercommunications and High Water Mark
• Extended ESPs may still be a valid ESP architecture – Technical conference to provide communications devices security controls may affect the Extended ESP architecture – stay tuned
R1 Issues & Pitfalls
103
R2 Interactive Remote Access
104
• v5 – CIP-005-5 R2 Summary
o Requires Intermediate system [proxy/jump host]
o Requires encryption to intermediate system
o Requires multi-factor authentication at intermediate system
o Strong Procedures are not included as an option for interactive remote access
v5 Interactive Remote Access
105
CIP-005-5 R2.1
106
Changes
107
CIP-005-5 R2.1 [Intermediate System]
[Flow diagram: High Impact BCS / Medium Impact BCS (and associated PCA) → External Routable Connectivity? Yes → Interactive Remote Access? Yes → Requires Intermediate System for Interactive Remote Access (R2.1)]
Intermediate System: A Cyber Asset or collection of Cyber Assets performing access control to restrict Interactive Remote Access to only authorized users. The Intermediate System must not be located inside the Electronic Security Perimeter.
Interactive Remote Access: User-initiated access by a person employing a remote access client or other remote access technology using a routable protocol. Remote access originates from a Cyber Asset that is not an Intermediate System and not located within any of the Responsible Entity’s Electronic Security Perimeter(s) or at a defined Electronic Access Point (EAP). Remote access may be initiated from: 1) Cyber Assets used or owned by the Responsible Entity, 2) Cyber Assets used or owned by employees, and 3) Cyber Assets used or owned by vendors, contractors, or consultants. Interactive remote access does not include system-to-system process communications.
108
• All Interactive Remote Access requires an intermediate system that “proxies” all traffic into the ESP
o No direct external access from client to internal BES cyber asset
o Source IP address is the IP address of the intermediate system – no pass through
• System-to-system process communications are not IRA
o Can these communications be accessed for interactive remote access?
• System Interactive communication – capabilities are key, not limited to functional use alone
• Interactive Remote Access includes any cyber asset that is not within the ESP
o (i.e. Corp net, DMZs, Substation, Internet, etc.) and includes bi-directional traffic to/from a lower security zone (non-ESP)
• ESP-to-ESP interactive access does not require R2
R2.1 Audit Approach
109
CIP-005-5 R2.2
110
CIP-005-5 R2.2 [Encrypted communications]
[Flow diagram: High Impact BCS / Medium Impact BCS (and associated PCA) → External Routable Connectivity? Yes → Interactive Remote Access? Yes → Requires Intermediate System for Interactive Remote Access (R2.1) → Requires encryption that terminates at Intermediate System (R2.2)]
111
• Interactive Remote Access requires encryption from remote client all the way to the intermediate system
• Intermediate system provides decryption of the encrypted traffic
• ESP remote access only allowed into the ESP from the intermediate system o source IP address of the intermediate system
• Restrictive access controls defined for all traffic from the intermediate system into the ESP
• All Intermediate system communications into the ESP must traverse an EAP prior to entry into ESP
R2.2 Audit Approach
112
CIP-005-5 R2.3
113
CIP-005-5 R2.3 [Multi-factor Authentication]
[Flow diagram: High Impact BCS / Medium Impact BCS (and associated PCA) → External Routable Connectivity? Yes → Interactive Remote Access? Yes → Requires Intermediate System for Interactive Remote Access (R2.1) → Requires encryption that terminates at Intermediate System (R2.2) → Requires multi-factor authentication (R2.3)]
Multi-Factor Authentication – examples
• Something the individual knows such as passwords or PINs.
• Something the individual has such as tokens, digital certificates, or smart cards.
• Something the individual is such as fingerprints, iris scans, or other biometric characteristics.
114
• Multi-factor authentication is required for all Interactive Remote Access
• Multi-factor authentication requires at least two of the following:
o Something you have (tokens)
o Something you know (passwords)
o Something you are (biometrics)
• Multi-factor authentication is required at the intermediate system – this is in addition to external corporate VPN access authentication
R2.3 Audit Approach
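As an added check covering the R2.1, R2.2 and R2.3 audit approaches above (this code is not from the presentation), the following Python models one remote access session as the hops it traverses and reports where it departs from the slides: no Intermediate System, an Intermediate System inside the ESP, encryption not terminating there, fewer than two distinct factor types, entry to the ESP that bypasses an EAP, or an ESP-side source address that is not the Intermediate System. The hop/session fields and the three sample sessions are assumptions constructed for the example.

```python
"""CIP-005-5 R2 Interactive Remote Access path check.

Added example, not from the presentation. Field names, zone labels and the
sample sessions are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Factor categories from the R2.3 slide: know / have / are
FACTOR_TYPES = {
    "password": "know", "pin": "know",
    "token": "have", "smart_card": "have", "certificate": "have",
    "fingerprint": "are", "iris": "are",
}


@dataclass
class Hop:
    name: str
    zone: str                        # 'external', 'dmz', 'eap' or 'esp'
    is_intermediate: bool = False    # proxy / jump host
    encryption_terminates: bool = False
    auth_factors: List[str] = field(default_factory=list)


@dataclass
class Session:
    user_initiated: bool             # False = system-to-system process traffic
    hops: List[Hop]                  # ordered from the remote client to the BCS
    esp_source_ip: str               # source address seen at the EAP on entry
    intermediate_ip: Optional[str]   # address of the Intermediate System


def factor_types(factors: List[str]) -> Set[str]:
    """Distinct categories (know/have/are) among the factors presented."""
    return {FACTOR_TYPES[f] for f in factors if f in FACTOR_TYPES}


def check_ira(session: Session) -> List[str]:
    """Return findings for one session; an empty list means R2.1-R2.3 are met.

    System-to-system process communications are not Interactive Remote
    Access, so they are reported as out of scope rather than checked.
    """
    if not session.user_initiated:
        return ["not IRA: system-to-system process communication"]
    intermediates = [h for h in session.hops if h.is_intermediate]
    if not intermediates:
        return ["R2.1: no Intermediate System in the path (direct client access)"]
    inter = intermediates[0]
    findings: List[str] = []
    if inter.zone == "esp":
        findings.append("R2.1: Intermediate System is located inside the ESP")
    if not inter.encryption_terminates:
        findings.append("R2.2: encryption does not terminate at the Intermediate System")
    if len(factor_types(inter.auth_factors)) < 2:
        findings.append("R2.3: fewer than two factor types at the Intermediate System")
    # Everything after the Intermediate System must cross an EAP before the ESP
    zones = [h.zone for h in session.hops[session.hops.index(inter) + 1:]]
    if "esp" in zones and ("eap" not in zones or zones.index("eap") > zones.index("esp")):
        findings.append("R2.2: traffic enters the ESP without traversing an EAP")
    if session.esp_source_ip != session.intermediate_ip:
        findings.append("R2.1: ESP-side source IP is not the Intermediate System (pass-through)")
    return findings


def sample_sessions() -> Dict[str, Session]:
    """Constructed sessions: a compliant path, a non-compliant one, and machine-to-machine."""
    jump = Hop("jump-host", "dmz", is_intermediate=True, encryption_terminates=True,
               auth_factors=["password", "token"])
    eap = Hop("esp-firewall", "eap")
    ems = Hop("ems-console", "esp")
    good = Session(True, [Hop("vendor-laptop", "external"), Hop("corp-vpn", "dmz"), jump, eap, ems],
                   esp_source_ip="10.20.0.5", intermediate_ip="10.20.0.5")
    weak_jump = Hop("legacy-jump", "esp", is_intermediate=True, encryption_terminates=False,
                    auth_factors=["password", "pin"])   # two factors, but both 'know'
    bad = Session(True, [Hop("vendor-laptop", "external"), weak_jump, ems],
                  esp_source_ip="192.0.2.10", intermediate_ip="10.30.0.9")
    m2m = Session(False, [Hop("iccp-peer", "external"), eap, ems],
                  esp_source_ip="198.51.100.7", intermediate_ip=None)
    return {"good": good, "bad": bad, "m2m": m2m}


if __name__ == "__main__":
    for label, session in sample_sessions().items():
        print(label, check_ira(session) or ["compliant"])
```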
115
v3 Remote Access [Discrete ESP]
[Diagram: Internet → Corp VPN concentrator (2 Factor; Support and Vendor users) → Corp DMZ / CorpNet; Mgmt DMZ with Jump Host and Mgmt-AD (2 Factor) → EAP → ESP containing the Prod Net (EMS ICCP 1-2, EMS Console 1-4, Prod-AD, HMI1); a second EAP faces the EMS WAN. Encryption from the Logical VPN User to the Jump Host: not required, but best practice. All internal corp access into the ESP is the same as the “Logical VPN User”.]
Technical solution requires 2-factor authentication for ESP access from both networks
116
v5 Remote Access [Discrete ESP]
[Diagram: the same architecture with v5 labels: the ESP (EAPs to the Mgmt DMZ and the EMS WAN) contains a High BES Cyber System and PCAs, the Jump Host is the Intermediate System, and encryption from the remote user to the Jump Host is REQUIRED. All internal corp access into the ESP is the same as the “Logical VPN User”.]
Requires 2-factor authentication for ESP access
117
• v5 potential issues:
o Adding an “intermediate system” into current remote access architectures
o Proxy architecture – how will this affect access data flows and performance
o Encryption to the intermediate system
o Multi-factor authentication at the intermediate system
o High water mark security
R2 Issues & Pitfalls
118
• Additional ESP identification – routable connectivity of High and Medium impact Cyber Systems – with no external routable communications
• Inbound and outbound access controls
o Requires detailed understanding of all traffic
• EAP and IDS – requires both technologies
• Bi-directional monitoring
• Adding an “intermediate system” into current remote access architectures
• Planning for proxy architecture – how will this affect access
• Encryption to the intermediate system
• Multi-factor authentication at the intermediate system
What Do We Do Now?
119
CIP-005-5 Change History
Version | Change | Date | By
V1 | Initial Presentation developed for SLC V5 Roadshow | 2/4/14 | M Neshem, M King
V2 | Presentation modified for Marina Del Ray Roadshow. Added drawings, VM slides added, UTM slides added and modified slide content | 3/18/14 | M Neshem, M King
V3 | SMUD Outreach presentation modified to clarify questions received from previous presentation. Serial relay communications clarification and additional detailed slides. SAR additional slide | 5/5/14 | M Neshem, M King
V4 | Updated content and presentation flow for SLC Roadshow based upon previous lessons learned. Removed redundant slides, modified content as needed. Changed order of serial relay topic. Added Revision table. Updated slides 43 and 44 for clarification | 5/14/14 | M Neshem, M King
CIP-005-5 Roadshow Presentation Revision History
Michael (Mick) Neshem CISA, CISSP, CSSA
Senior Compliance Auditor - Cyber Security
Western Electricity Coordinating Council (WECC)
7400 NE 41st Street, Suite 320
Vancouver, WA 98662
(C) 425.891.4671 (O) 801.734.8187
Questions?