Slide 1: CIP-007-5 Compliance Outreach CIP v5 Roadshow
Morgan King CISSP-ISSAP, CISA
Senior Compliance Auditor – Cyber Security
May 14-15, 2014, Salt Lake City, Utah
Slide 2: Agenda
• CIP-007-5 Overview
• New/Redefined Terminology
• CIP-007-5 Audit Approach
• Issues & Pitfalls
• Questions
Slide 3: EMS ESP [IP network]
[Network diagram: CorpNet and the EMS WAN connect through firewalls and routers to the EMS Electronic Security Perimeter (CIP-007), which contains workstations, a file server, an access control server, EMS servers, printers and switches, each marked CCA. The EAPs, DMZ, intermediate server, access control server and EACMs at the perimeter are labelled CIP-005.]
Slide 4: EMS ESP/BCS [IP network]
[Network diagram: the same EMS ESP after CIP-002 BCS identification. EMS servers and workstations are BCAs; the file server, printers, switches and non-BCS workstations are PCAs (some labelled BCA/PCA). The intermediate server, access control server and EACMs sit at the EAPs/DMZ under CIP-005; CIP-007 applies inside the ESP.]
All PCA devices take on the impact level of the BCS
Slide 5: Multi-BCS ESP
[Network diagram: one ESP containing a HIGH impact BCS and a MEDIUM impact BCS. BCS workstations and BCS servers are BCAs, with PCAs, EACMs at the EAPs, the intermediate server and the DMZ as in the previous diagrams (CIP-002, CIP-005, CIP-007 labels as before).]
Slide 6: EMS ESP [High Water Mark]
[Network diagram: the multi-BCS ESP with the high water mark applied; every BCA and PCA within the ESP is rated HIGH.]
All PCA devices take on the impact level of the BCS
Slide 7: V5 Compliance Dates
CIP Version 5 Effective Dates
Requirement | Effective Date
Effective Date of Standard | April 1, 2016
Requirement-Specific Effective Dates:
CIP-002-5 R2 | April 1, 2016
CIP-003-5 R1 | April 1, 2016
CIP-003-5 R2 for medium and high impact BES Cyber Systems | April 1, 2016
CIP-003-5 R2 for low impact BES Cyber Systems | April 1, 2017
CIP-007-5 Part 4.4 | April 15, 2016
CIP-010-1 Part 2.1 | May 6, 2016
CIP-004-5 Part 4.2 | July 1, 2016
CIP-004-5 Part 2.3 | April 1, 2017
CIP-004-5 Part 4.3 | April 1, 2017
CIP-004-5 Part 4.4 | April 1, 2017
CIP-006-5 Part 3.1 | April 1, 2017
CIP-008-5 Part 2.1 | April 1, 2017
CIP-009-5 Part 2.1 | April 1, 2017
CIP-009-5 Part 2.2 | April 1, 2017
CIP-010-1 Part 3.1 | April 1, 2017
CIP-009-5 Part 2.3 | April 1, 2018
CIP-010-1 Part 3.2 | April 1, 2018
CIP-004-5 Part 3.5 | Within 7 years after previous Personnel Risk Assessment
Slide 8: Requirement Count
• 7 Requirements (Version 3)
  o 26 sub-requirements
• 5 Requirements (Version 5)
  o 20 Parts
Slide 9: CIP-007-5 Requirements
• CIP-007-5
  o R1 Ports and Services
  o R2 Security Patch Management
  o R3 Malicious Code Prevention
  o R4 Security Event Monitoring
  o R5 System Access Control
Slide 10: CIP-007 V3 to V5 Summary
• CIP-007-3 R1 -> CIP-010-1 R1.4 & R1.5
• CIP-007-3 R2 -> CIP-007-5 R1
• CIP-007-5 R1.2 – NEW – restrict physical ports
• CIP-007-3 R3 -> CIP-007-5 R2
• CIP-007-5 R2.1 – NEW – identify patch sources
• CIP-007-3 R4 -> CIP-007-5 R3
• CIP-007-5 R4.3 – NEW – Alerts
• CIP-007-3 R5 -> CIP-007-5 R5
• CIP-007-3 R5.1 -> CIP-004-5 R4.1
• CIP-007-3 R5.1.1 -> CIP-003-5 R5.2
• CIP-007-3 R5.1.2 -> CIP-007 R4.1
• CIP-007-3 R5.1.3 -> CIP-004-5 R4.3
• CIP-007-5 R5.7 – NEW – unsuccessful login thresholds and alerts
• CIP-007-3 R6 -> CIP-007-5 R4
• CIP-007-3 R7 -> CIP-011-1 R2
• CIP-007-3 R8 -> CIP-010-1 R3
• CIP-007-3 R9 Deleted
Source: Project 200806 Cyber Security Order 706, DL_Mapping_Document_012913.pdf
Slide 11: Applicable Systems
Slide 12: IAC
• CIP-007-5 R1-R5
  o contain Identify, Assess and Correct language in the requirement
• 17 requirements that include IAC
  o Filing deadline Feb. 3, 2015
Slide 13
• Post for 45-day first comment and ballot June 2–July 17, 2014
• Communication Networks (Proposed Resolution)
  o Modified requirement Part 1.2 in CIP-007: more comprehensive coverage of physical ports
• IAC
  o CIP-007, a new R2.5
  o CIP-007, update to R4.4
• Transient Devices: CIP-010 – New Part 4.1
http://www.nerc.com/pa/Stand/Prjct2014XXCrtclInfraPrtctnVr5RvnsRF/SDT%20Industry%20Webinar.pdf
Slide 14: Serial Exemption
Blanket Serial Exemption
Slide 15: Substation Serial-Only Communications
Slide 16: Non-Routable BCS
• BES Cyber System and associated BES Cyber Assets are not dependent upon a routable protocol
• A BES Cyber System may include only serial devices with no routable devices at all
• End point devices (relays) are to be included within the V5 requirements and may be BES Cyber Assets or even a BES Cyber System, even if no routable communications exist
• Therefore, there are V5 requirements to be addressed (i.e. CIP-007-5)
Slide 17: BCS with External Routable Connectivity
• CIP-007-5 Applicable Requirements:
  o R1.2 – Physical Ports
  o R2 – Patch Management
  o R3 – AV & Malicious code prevention
  o R4.1, R4.3, R4.4 – Logging
  o R5.2 – Default/Generic accounts
  o R5.4 – Change default passwords
  o R5.5 – Password complexity
Slide 18: CIP-007-5 Asset Level Requirements
o Most of CIP-007 can NOT be performed at a ‘system’ level but at the Cyber Asset level for the following assets:
  - BES Cyber Asset (BCA)
  - EACM
  - PACS
  - PCA
o BCA groupings and BES Cyber Systems are permitted where indicated
Slide 19: V5 Asset Level Requirements
• PACS systems (CIP-006-5 Part 3.1)
• Ports and Services (CIP-007-5 Part 1)
• Patch Management (CIP-007-5 Part 2)
• Security Event Monitoring (CIP-007-5 Part 4)
  o BES Cyber System and/or Cyber Asset (if supported)
• System Access Control (CIP-007-5 Part 5)
  o local system accounts
Slide 20: V5 Asset Level Requirements
• Baseline requirement (CIP-010-1 Part 1.1)
• Baseline change management (CIP-010-1 Part 1.2 – 1.5)
• Active monitoring - 35 days (CIP-010-1 Part 2.1)
• Cyber Vulnerability Assessment (CIP-010-1 Part 3.1, 3.2, 3.4)
• Testing of new asset (CIP-010-1 Part 3.3)
• System reuse or destruction (CIP-011-1 Part 2)
Slide 21: CIP-007-5 Part 1.1
Asset level requirement
Slide 22: Ports and Services
• en.able, en.a.ble
• Logical network accessible ports
Slide 23: Ports and Services
• Control required to be on the device itself or may be positioned inline (in a non-bypassable manner)
• Host-based firewalls, TCP_Wrappers or other means on the Cyber Asset to restrict access
• Dynamic ports
  o Port ranges or services
  o 0-65535
• Blocking ports at the EAP does not substitute for the device level requirement
• Know what ports are opened and give a reason for enabling the service
• Measures
  o Listening ports (netstat -boan / netstat -pault)
  o Configuration files of host-based firewalls
Slide 24: Tools/commands
• netstat:
  o netstat -b -o -a -n > netstat_boan.txt   (Windows)
  o netstat -p -a -u -l -t > netstat_pault.txt   (Linux)
• NMAP scan results
  o nmap -sT -sV -p T:0-65535 <IP_address> >> nmap_tcp.txt
  o nmap -sU -sV -p U:0-65535 <IP_address> >> nmap_udp.txt
• #show control-plane host open-ports   (Cisco IOS)
• #show run all   (Cisco IOS)
Slide 25: Netstat
C:\Documents and Settings\HMI-1>netstat -b -o -a -n > netstat_boan.txt

Active Connections
Proto  Local Address         Foreign Address   State        PID
TCP    0.0.0.0:135           0.0.0.0:0         LISTENING    952   C:\WINDOWS\system32\svchost.exe
TCP    0.0.0.0:445           0.0.0.0:0         LISTENING    4     [System]
TCP    0.0.0.0:6002          0.0.0.0:0         LISTENING    428   [spnsrvnt.exe]
TCP    0.0.0.0:7001          0.0.0.0:0         LISTENING    248   [sntlkeyssrvr.exe]
TCP    0.0.0.0:7002          0.0.0.0:0         LISTENING    248   [sntlkeyssrvr.exe]
TCP    127.0.0.1:1025        0.0.0.0:0         LISTENING    1656  [dirmngr.exe]
TCP    127.0.0.1:1029        0.0.0.0:0         LISTENING    2484  [alg.exe]
TCP    127.0.0.1:5152        0.0.0.0:0         LISTENING    1764  [jqs.exe]
TCP    127.0.0.1:33333       0.0.0.0:0         LISTENING    1856  [PGPtray.exe]
TCP    172.16.105.220:139    0.0.0.0:0         LISTENING    4     [System]
TCP    127.0.0.1:2111        127.0.0.1:33333   ESTABLISHED  1616
UDP    0.0.0.0:7001          *:*                            248   [sntlkeyssrvr.exe]
UDP    0.0.0.0:500           *:*                            700   [lsass.exe]
UDP    0.0.0.0:4500          *:*                            700   [lsass.exe]
UDP    0.0.0.0:445           *:*                            4     [System]
UDP    127.0.0.1:123         *:*                            1084  c:\windows\system32\WS2_32.dll
UDP    172.16.105.220:6001   *:*                            428   [spnsrvnt.exe]
Slide 26: Nmap (EMS1)
root@bt:/# nmap -sT -sV -p T:0-65535 172.16.105.151

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-01-18 12:15 EST
Nmap scan report for 172.16.105.151
Host is up (0.034s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 5.3p1 Debian 3ubuntu6 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.2.14 ((Ubuntu))
111/tcp   open  rpcbind (rpcbind V2) 2 (rpc #100000)
42851/tcp open  status  (status V1) 1 (rpc #100024)
MAC Address: 00:0C:29:66:05:65 (VMware)
Service Info: OS: Linux

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.25 seconds
Slide 27: Nmap (EMS1)
root@bt:/# nmap -sU -sV -p U:0-65535 172.16.105.151

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-01-18 12:15 EST
Nmap scan report for 172.16.105.151
Host is up (7.57s latency).
Not shown: 65533 closed ports
PORT    STATE         SERVICE VERSION
68/udp  open|filtered dhcpc
111/udp open          rpcbind
MAC Address: 00:0C:29:66:05:65 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1081.98 seconds

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 123.25 seconds
Slide 28: Router Ports/Services
Slide 29: What We Expect [Sample only]
Device ID | Device Name | TCP Ports | UDP Ports | Service | Justification
SAMPLE FORMAT ONLY
Slide 30: Question
• Is it required to capture not only the need for a port to be open, but also the authorization request for the port to be opened?
  o CIP-010-1 Part 1.1: "Develop a baseline configuration, individually or by group, which shall include the following items: 1.1.4. Any logical network accessible ports;"
  o Need for a port to be open and not an actual authorization request for the port to be opened.
Slide 31: Authorizations
• CIP-010-1 Part 1.2
  o "Authorize and document changes that deviate from the existing baseline configuration."
  o Measure: "A change request record and associated electronic authorization (performed by the individual or group with the authority to authorize the change) in a change management system for each change; or"
Slide 32: CIP-007-5 / CIP-010-1 Relationship
• CIP-010-1 baseline configuration requirements
  o CIP-010-1 Part 1.1.4: Develop a baseline configuration of any logical network accessible ports
  o Documented list of enabled ports
• CIP-007-5 Part 1.1 is concerned only with the enabling of needed ports
• Performance (CIP-007-5) versus documentation (CIP-010-1)
Slide 33: Double Jeopardy?
• Failing to maintain the baseline configuration and failing to disable unnecessary ports are two different requirement violations
  o CIP-007-5 Part 1.1 refers to listings of ports as evidence, but that evidence could be the same evidence required for CIP-010-1.
  o Utilizing a single piece of evidence for proof of compliance with two different requirements is not double jeopardy
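The following is an added example (not from the presentation or any NERC tool) of how one netstat listing can serve as evidence for both requirements: it parses the Windows `netstat -b -o -a -n` format from the slides and compares the enabled ports with a baseline that carries a justification per port, so the baseline is the CIP-010-1 Part 1.1.4 documentation and the comparison shows whether only needed ports are enabled under CIP-007-5 Part 1.1. The listing, the baseline entries and their justifications are constructed sample values.

```python
"""Check a host's enabled ports against its approved, justified baseline.

Added example, not from the presentation or any NERC tool. Parses the
netstat -b -o -a -n layout (socket line followed by the owning process in
brackets), treats LISTENING TCP ports and bound UDP ports as enabled, and
reports ports that lack a documented justification (CIP-007-5 Part 1.1)
as well as baseline entries no longer enabled (CIP-010-1 baseline drift).
All sample values below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Socket line: proto, local addr:port, foreign addr, optional state, PID.
SOCKET_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)

# Constructed sample modelled on the slide's netstat_boan.txt output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  [System]
  TCP    0.0.0.0:7001           0.0.0.0:0              LISTENING       248
  [sntlkeyssrvr.exe]
  TCP    127.0.0.1:2111         127.0.0.1:33333        ESTABLISHED     1616
  [PGPtray.exe]
  UDP    0.0.0.0:500            *:*                                    700
  [lsass.exe]
  UDP    172.16.105.220:6001    *:*                                    428
  [spnsrvnt.exe]
"""

# Constructed baseline: (proto, port) -> documented justification.
# TCP 3389 is in the baseline but not enabled on the host, to show drift.
BASELINE: Dict[Tuple[str, int], str] = {
    ("TCP", 135): "RPC endpoint mapper, required by HMI application",
    ("TCP", 445): "SMB, file share for historian exports",
    ("UDP", 500): "IKE, IPsec tunnel to EMS WAN",
    ("TCP", 3389): "RDP, administrative interactive access",
}


@dataclass
class Socket:
    proto: str
    addr: str
    port: int
    state: Optional[str]
    pid: int
    process: str = "?"


def parse_netstat(text: str) -> List[Socket]:
    """Parse netstat -boan style output into Socket records."""
    sockets: List[Socket] = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            sockets.append(Socket(m["proto"], m["addr"], int(m["port"]),
                                  m["state"], int(m["pid"])))
            continue
        # A non-socket line right after a socket names its process/module.
        s = line.strip()
        if sockets and s and sockets[-1].process == "?":
            sockets[-1].process = s.strip("[]")
    return sockets


def enabled_ports(sockets: List[Socket]) -> Dict[Tuple[str, int], Socket]:
    """Ports that are actually reachable: listening TCP and bound UDP."""
    return {(s.proto, s.port): s for s in sockets
            if s.proto == "UDP" or s.state == "LISTENING"}


def compare_to_baseline(sockets: List[Socket],
                        baseline: Dict[Tuple[str, int], str]) -> dict:
    """Enabled-but-unjustified ports and baseline entries that are not enabled."""
    enabled = enabled_ports(sockets)
    unjustified = sorted(k for k in enabled if k not in baseline)
    missing = sorted(k for k in baseline if k not in enabled)
    return {"enabled": enabled, "unjustified": unjustified, "missing": missing}


if __name__ == "__main__":
    result = compare_to_baseline(parse_netstat(SAMPLE_NETSTAT), BASELINE)
    for proto, port in result["unjustified"]:
        s = result["enabled"][(proto, port)]
        print(f"NO JUSTIFICATION         {proto} {port:<6} {s.addr:<16} "
              f"{s.process} (pid {s.pid})")
    for proto, port in result["missing"]:
        print(f"IN BASELINE, NOT ENABLED {proto} {port:<6} {BASELINE[(proto, port)]}")
```

A port that appears in the unjustified list is the CIP-007-5 Part 1.1 finding; a baseline entry that is no longer enabled is the CIP-010-1 finding, and both come from the same listing.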
Slide 34: R1.1 Issues & Pitfalls
• Accurate enablement of required ports, services and port ranges
• Understanding critical data flows and communications within ESP and EAPs
• Logical ports include 65535 TCP & 65535 UDP ports
• Managing changes of both logical and physical ports
• Initial identification of physical port usage and controls – port use mapping
• VA, approved baselines, and implemented logical ports and services should always agree (CIP-010-1 and CIP-007-5)
• Focus on EAPs inward to ESP Cyber Systems and Cyber Assets
Slide 35: CIP-007-5 Part 1.2
Asset level requirement
Slide 36: CIP-007-5 Part 1.2
Asset level requirement
Slide 37: CIP-007-3 / CIP-007-5 Change
CIP-007-3: Logical Ports only
CIP-007-5: Includes Physical Ports (R1)
Slide 38: Configuration Ports
• Change BIOS
• Upgrade Firmware
• Set Baseline Configuration
• Build-out devices that have components (like servers)
• Perform a variety of Administrative functions
• Perform emergency repair or failure recovery when no other port is accessible
http://www.tditechnologies.com/whitepaper-nerc-cip-007-5-r1
Slide 39: Part 1.2 Physical Ports
• Physical I/O ports
  o Network
  o Serial
  o USB ports external to the device casing
Slide 40: Part 1.2 Physical Ports
• All ports should be either secured or disabled
• Ports can be protected via a common method; not required to be per port
• “Protect against the use”
  o Requirement is not to be a 100% preventative control
  o Last measure in a defense in depth layered control environment to make personnel think before attaching to a BES Cyber System in the highest risk areas
Slide 41: Guidelines
• Disabling all unneeded physical ports within the Cyber Asset’s configuration
• Prominent signage, tamper tape, or other means of conveying that the ports should not be used without proper authorization
• Physical port obstruction through removable locks
Slide 42: Port Locks
http://www.blackbox.com/resource/genPDF/Brochures/LockPORT-Brochure.pdf
Slide 43: Physical Access to Ports
http://www.supernap.com/supernap-gallery-fullscreen/
Slide 44: Question
• Would a Cyber Asset locked in a cage meet this requirement?
• Answer
  o No, the required control needs to be applied at the Cyber Asset level
Slide 45: Part 1.2 Physical Ports
• Documented approach to ensure unused physical ports are controlled (identify controls in place)
• Controls in place for ensuring that attempts of physical port usage are identified
  o Think before you plug anything into one of these systems
  o Controls: 802.1x, physical plugs, port block, signage
• Physical port usage documentation – know what is in use versus existing ports not required
• Site tours may validate physical port documentation
Slide 46: Physical Ports and Applicable Systems
• A routable device with all of its physical network ports blocked, which would otherwise have been identified as a routable device, now cannot route.
  o The ability to communicate outside of itself is not a determining factor as to whether a Cyber Asset is or is not a BES Cyber Asset or BES Cyber System
  o The Cyber Asset’s function as it pertains to BES reliability determines system identification
Slide 47: CIP-007-5 Part 2.1
Asset level requirement
Slide 48: CIP-007-3 / CIP-007-5 Change
CIP-007-3: No time frames to implement patches
CIP-007-5: Patch management required actions and timelines (R2)
Slide 49: Part 2.1 Patch Management Process
• Patch management documented process
• List of sources monitored for BES Cyber Systems and/or BES Cyber Assets
• List of Cyber Assets and software used for patch management
• Watching and being aware of vulnerabilities within BES Cyber Systems, whether they are routably connected or not, and mitigating those vulnerabilities
• Applicable to BES Cyber Systems that are accessible remotely as well as standalone systems
Slide 50: Part 2.1 Tracking
• Requirement allows entities to focus on a monthly ‘batch’ cycle of patches rather than tracking timelines for every individual patch
• Tracking can be on a monthly basis for all patches released that month rather than on an individual patch basis
• Decision to install/upgrade a security patch is left to the Responsible Entity to make based on the specific circumstances
Slide 51: Tracking for Applicability
• Is applicability based on the original source of the patch (e.g. Microsoft) or the SCADA vendor?
  o Some may consider it a best practice that vulnerabilities be mitigated in the shortest timeframe possible, even before the patch is certified by the SCADA vendor.
  o Appropriate source is dependent on the situation
Slide 52: Patch Sources
• Electricity Sector Information Sharing and Analysis Center (ES-ISAC)
  o https://www.esisac.com/
• Common Vulnerabilities and Exposures
  o http://cve.mitre.org/
• BugTraq
  o http://www.securityfocus.com/vulnerabilities
• National Vulnerability Database
  o http://nvd.nist.gov/
• ICS-CERT
  o http://ics-cert.us-cert.gov/all-docs-feed
Slide 53: Sources
https://ics-cert.us-cert.gov/ICS-CERT-Vulnerability-Disclosure-Policy
Slide 54: Patch Update Issues
• Cyber Security focused
  o Requirement does not cover patches that are purely functionality related with no cyber security impact
  o Cyber Asset Baseline documentation with patch tracking (CIP-010-1 R1.1.5)
  o Operating system/firmware, commercially available software or open-source application software, custom software
Slide 55: Cyber Security software patches
• Hardware vendors do provide security patches and security upgrades to mitigate/eliminate vulnerabilities identified in their drivers and firmware
Slide 56
Slide 57: ‘that are updateable’
Slide 58: Windows XP (EOL 4-8-2014)
• April 2014: there are no more security patches forthcoming for XP
  o No Software Updates from Windows Update
  o No Security Updates
  o No Security Hotfixes
  o No Free Support Options
  o No Online Technical Content Updates
Slide 59: XP Custom Support
• Are entities required to enter into a very expensive, per-Cyber Asset custom support contract with Microsoft in order to continue to receive support?
• $200,000 - $500,000 (2006)
• $200,000 cap (2010)
• $600,000 - $5 million for first year (2014)
http://www.computerworld.com/s/article/9237019/Microsoft_gooses_Windows_XP_s_custom_support_prices_as_deadline_nears?pageNumber=1
Slide 60: Windows XP (EOL 4-8-2014)
• April 2014: there are no more security patches forthcoming for XP
  o No patches to assess or apply
• No patches issued means no action required
• No TFEs in R2 language
  o TFEs are not required at any step in the R2 process
• Still required to track, evaluate and install security patches outside of the OS
Slide 61: End of Life Systems & Devices
• Document vendor end dates
• Document BCS Assets affected
• Ensure latest applicable patch is implemented
• Deploy mitigation measures for vulnerabilities that cannot be patched
• Monitor US-CERT and other vulnerability tracking sites to be aware of newly identified vulnerabilities that would affect your assets
• Where possible, implement mitigation measures for the newly identified vulnerability
Slide 62: Windows XP Embedded
• Cyber Assets running the Microsoft Windows XP Embedded SP3 operating system have until January 12, 2016, before support ends for that version of the operating system
• Support for systems built on the Windows Embedded Standard 2009 operating system ends on January 8, 2019. The Windows Embedded operating system normally runs on appliances
Slide 63: CIP-007-5 Part 2.2 Patch Evaluation
Asset level requirement
Slide 64: Part 2.2 Patch Evaluation
• At least every CIP Month (35 days): evidence of patch release monitoring and evaluation of patches for applicability
• Evaluation Assessment
  o Determination of Risk
  o Remediation of vulnerability
  o Urgency and timeframe of remediation
  o Next steps
• Entity makes the final determination for their environment if it is more of a reliability risk to patch a running system than the vulnerability presents
  o Date of patch release, source, evaluation performed, date of performance and results
  o Listing of all applicable security patches
Slide 65: Part 2.2 Patch Evaluation
Slide 66: Guidelines
• DHS
  o “Quarterly Report on Cyber Vulnerabilities of Potential Risk to Control Systems” http://www.oig.dhs.gov/assets/Mgmt/2013/OIG_13-39_Feb13.pdf
  o “Recommended Practice for Patch Management of Control Systems” http://ics-cert.us-cert.gov/sites/default/files/recommended_practices/PatchManagementRecommendedPractice_Final.pdf
Slide 67: Vulnerability Footprint
http://ics-cert.us-cert.gov/sites/default/files/recommended_practices/PatchManagementRecommendedPractice_Final.pdf
Slide 68: CIP-007-5 Part 2.3
Asset level requirement
Slide 69: CIP-007-5 Part 2.3 [Patch Response]
Asset level requirement
[Flowchart, applicable to High Impact BCS and Medium Impact BCS with their associated PCA, EACM and PACS:
R2.1 Document Patch Management process & sources
-> R2.2 Documented Patch evaluation (max 35 days)
-> Required patch identified? NO: no further action. YES: within 35 days, install patch OR create Mitigation plan OR update Mitigation plan
-> R2.3 Implement Plan within time frame]
Slide 70: Part 2.3 Actions
• Evidence of performance of:
  o Installation of patches
    - Not an “install every security patch” requirement
  o Mitigation plan created – includes specific mitigation/remediation of the identified security vulnerability, date of planned implementation and rationale for delay
  o Mitigation plan update evidence
  o Evidence of Mitigation plan completion with dates
Note: the referenced mitigation plan is an entity plan and is not associated at all with the Enforcement Mitigation plans.
Slide 71: Timeframe
• Timeframe is 70 days total
  o 35 days for tracking and determining applicability
  o 35 days for either installing or determining the mitigation plan
Slide 72: Maximum Timeframes
• It is compliant with the requirement to state a timeframe of the phrase “End of Life Upgrade”
• Mitigation timeframe is left up to the entity
  o Requirement is to have a plan
    - Date of the plan in requirement part 2.3 is what part 2.4 depends upon
  o Must work towards that plan
Slide 73: Timeframes Guidelines
• Timeframes do not have to be designated as a particular calendar day but can have event designations such as “at next scheduled outage of at least two days duration”
Slide 74: CIP-007-5 Part 2.4
Asset level requirement
Slide 75: CIP-007-5 Part 2.4 [Mitigation Plan]
Asset level requirement
[Flowchart, as on slide 69 with the Part 2.4 branch added; applicable to High Impact BCS and Medium Impact BCS with their associated PCA, EACM and PACS:
R2.1 Document Patch Management process & sources
-> R2.2 Documented Patch evaluation (max 35 days)
-> Required patch identified? NO: no further action. YES: within 35 days, install patch OR create Mitigation plan OR update Mitigation plan
-> R2.3 Implement Plan within time frame
-> R2.4 Plan Revision or Extension? YES: CIP SM or Delegate approval]
Slide 76: Part 2.4 Mitigation Plan
• Evidence of CIP Senior Manager’s approval for updates to mitigation plans or extension requests
  o Per Mitigation plan
• Revising the plan is allowed if done through an approved process, such that the revision or extension is approved by the CIP Senior Manager or delegate
Slide 77: Part 2.3 Mitigation
• Some patches may address vulnerabilities that an entity has already mitigated through existing means and require no action
• Lack of external routable connectivity may be used as a major factor in many applicability decisions and/or mitigation plans where that is the case
Slide 78: Part 2.3 Mitigation Guidelines
• When documenting the remediation plan measures it may not be necessary to document them on a one to one basis
• The remediation plan measures may be cumulative
Slide 79: Part 2.4 Implement
• The ‘implement’ in the overall requirement is for the patch management process
  o ‘Implement’ in R2.4 (Mitigation Plan) is for the individual patch
  o If R2.4 did not have an implement requirement at the patch level, then the ‘implement’ in the overall requirement would only apply to drafting a plan
Slide 80: Demonstrating implementation of Mitigation Plan
• Measures
  o Records of the implementation of the plan
  o Installing the patch / record of the installation
  o Disabling of any affected service
  o Adding of a signature to an IDS
  o Change to a host-based firewall
  o Record of the completion of these changes
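As an added example (not from the presentation or any NERC tool), the R2 timeline described on the preceding slides can be tracked per patch with a small record model: 35 days from release to evaluation (Part 2.2), a further 35 days to install or to create/update a mitigation plan (Part 2.3, 70 days total), event designations allowed as plan dates, and CIP Senior Manager or delegate approval required for any plan revision or extension (Part 2.4). Patch identifiers, sources, dates and the review date are constructed sample values.

```python
"""Track the CIP-007-5 R2 patch clock for a monthly batch of patches.

Added example, not from the presentation or any NERC tool. Encodes the
35 + 35 day timeline from the slides and the Part 2.4 approval rule.
Identifiers, sources and dates are constructed samples.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple, Union

CIP_MONTH = timedelta(days=35)
REVIEW_DATE = date(2014, 7, 1)          # constructed "today" for the sample batch


@dataclass
class Revision:
    on: date
    new_implement_by: Union[date, str]
    approved_by: Optional[str] = None   # CIP SM or delegate (Part 2.4)


@dataclass
class MitigationPlan:
    created: date
    implement_by: Union[date, str]      # calendar day or event designation
    revisions: List[Revision] = field(default_factory=list)
    completed: Optional[date] = None


@dataclass
class PatchRecord:
    patch_id: str
    source: str
    released: date
    evaluated: Optional[date] = None
    applicable: Optional[bool] = None
    installed: Optional[date] = None
    plan: Optional[MitigationPlan] = None


def r2_status(rec: PatchRecord, today: date) -> Tuple[str, List[str]]:
    """Classify one patch record and list any R2 timeline findings."""
    findings: List[str] = []
    eval_due = rec.released + CIP_MONTH             # Part 2.2 window
    if rec.evaluated is None:
        if today > eval_due:
            findings.append(f"Part 2.2: evaluation overdue, was due {eval_due}")
        return "pending-evaluation", findings
    if rec.evaluated > eval_due:
        findings.append(f"Part 2.2: evaluated {rec.evaluated}, after {eval_due}")
    if not rec.applicable:
        return "not-applicable", findings
    action_due = rec.evaluated + CIP_MONTH          # Part 2.3 window
    if rec.plan is None:
        if rec.installed is None:
            if today > action_due:
                findings.append(f"Part 2.3: no install and no plan by {action_due}")
            return "pending-action", findings
        if rec.installed > action_due:
            findings.append("Part 2.3: installed after 35 days with no mitigation plan")
        return "installed", findings
    plan = rec.plan
    if plan.created > action_due:
        findings.append(f"Part 2.3: plan created {plan.created}, after {action_due}")
    effective = plan.implement_by
    for rev in plan.revisions:
        if rev.approved_by:
            effective = rev.new_implement_by        # approved extension moves the date
        else:
            findings.append(f"Part 2.4: revision on {rev.on} lacks CIP SM/delegate approval")
    if plan.completed is not None or rec.installed is not None:
        return "mitigated", findings
    # An event designation ("at next scheduled outage ...") has no date to check.
    if isinstance(effective, date) and today > effective:
        findings.append(f"Part 2.4: planned date {effective} passed without completion")
    return "plan-in-progress", findings


def review_batch(batch: List[PatchRecord], today: date) -> dict:
    return {rec.patch_id: r2_status(rec, today) for rec in batch}


# Constructed April 2014 batch: released 2014-04-08, evaluated 2014-05-05.
_REL, _EVAL = date(2014, 4, 8), date(2014, 5, 5)
SAMPLE_BATCH = [
    PatchRecord("MS14-A", "Microsoft", _REL, _EVAL, True, installed=date(2014, 5, 20)),
    PatchRecord("VENDOR-17", "SCADA vendor", _REL, _EVAL, True, plan=MitigationPlan(
        date(2014, 6, 2), "at next scheduled outage of at least two days duration")),
    PatchRecord("FW-3", "Relay firmware", _REL),    # never evaluated
    PatchRecord("OSS-9", "Open-source library", _REL, _EVAL, True, plan=MitigationPlan(
        date(2014, 6, 2), date(2014, 6, 15),
        revisions=[Revision(date(2014, 6, 10), date(2014, 8, 1))])),      # unapproved
    PatchRecord("OSS-9-ext", "Open-source library", _REL, _EVAL, True, plan=MitigationPlan(
        date(2014, 6, 2), date(2014, 6, 15),
        revisions=[Revision(date(2014, 6, 10), date(2014, 8, 1), "CIP SM")])),
]

if __name__ == "__main__":
    for pid, (status, findings) in review_batch(SAMPLE_BATCH, REVIEW_DATE).items():
        print(pid, status, *findings, sep="\n  ")
```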
Slide 81: Proposed CIP-007 R2.5
Slide 82: R2 Issues & Pitfalls
• Asset level requirements
• Know, track, and mitigate the known software vulnerabilities associated with BES Cyber Assets
• Not including a complete listing of BES Cyber Systems and assets that are applicable
  o Firmware devices (relays, appliances, etc.)
  o Infrastructure devices within ESP
  o OS based systems
  o Cyber Asset applications (tools, EMS, support applications, productivity applications, etc.)
• If something is connected to or running on the BES Cyber Assets that releases security patches
  o required to be included in the monitoring for patches
Slide 83: CIP-007-5 Part 3.1
BES Cyber System level requirement
Slide 84: CIP-007-3 / CIP-007-5 Change
CIP-007-3: AV on ALL cyber assets or TFE
CIP-007-5: Malicious code controls can be at cyber system level, rather than per asset (R3)
Slide 85: Part 3.1 Malicious Code
• Deter OR detect OR prevent - any one or combination will meet the wording of the requirement
  o Avoids zero-defect language
  o R3.2 requires ability to detect malicious code
• Methods = processes, procedures, controls
• Applicability is at the ‘system’ level
  o Methods do not have to be used on every single Cyber Asset
• Allows entities to adapt as the threat adapts while also reducing the need for TFEs
Slide 86: AV/Anti-Malware
Slide 87: Defense-N-Depth
https://www.lumension.com/vulnerability-management/patch-management-software/third-party-applications.aspx
Slide 88: Application Whitelisting
• Identifying specific executables and software libraries which should be permitted to execute on a given system
• Preventing any other executables and software libraries from functioning on that system
• Preventing users from being able to change which files can be executed
http://www.asd.gov.au/publications/csocprotect/application_whitelisting.htm
Slide 89: Application Whitelisting
• Application File Attributes
• Digital Certificates
• File Hash
• File Ownership
• Location
• Reference Systems
• Signed Security Catalogs
• Software Packages
Slide 90: Virtual Systems
http://www.vmware.com/products/vshield-endpoint/overview.html
Slide 91: Guidelines
• Network isolation techniques
• Portable storage media policies
• Intrusion Detection/Prevention (IDS/IPS) solutions
Slide 92: Part 3.1 Malicious Code
• Is an awareness campaign to deter OK?
  o ‘or’ and ‘deter’ to avoid zero-defect language
• Requirement is not to detect or prevent all malicious code
• Approach is not to require perfection in an imperfect environment with imperfect tools
Slide 93: ‘Associated PCAs’
• Associated PCAs are included at a Cyber Asset (device) level, not system level
• How will the ‘system’ concept apply?
  o Malware prevention is at a BCS level
  o The associated PCAs could be included by reference in the documentation an entity supplies for Requirement R3.1
Slide 94: CIP-007-5 R3.2
BES Cyber System level requirement
Slide 95: Part 3.2 Detected Malicious Code
• Requires processes
• No maximum timeframe or method prescribed for the removal of the malicious code
• Mitigation for the associated Protected Cyber Assets may be accomplished through other applicable systems
  o Entity can state how the mitigation covers the associated PCAs
Slide 96: CIP-007-5 R3.3
BES Cyber System level requirement
Slide 97: Requires process for updates
• Requires processes that address:
  o Testing
    - Does not imply that the entity is testing to ensure that malware is indeed detected by introducing malware into the environment
    - Ensuring that the update does not negatively impact the BES Cyber System before those updates are placed into production
  o Installation
    - No timeframe specified
• Requirement R3.1 allows for any method to be used and does not preclude the use of any technology or tool
Slide 98: Part 3.3 Signatures
• Specific sub-requirement is conditional and only applies to “for those methods identified in requirement part 3.1 that use signatures or patterns”
  o If an entity has no such methods, the requirement does not apply.
  o Requirement does not require signature use
  o Can an entity rely on AV vendor testing?
Slide 99: TFEs
• Requirement has been written at a much higher level than previous versions
• Requirement no longer prescriptively requires a single technology tool for addressing the issue
  o TFEs are not required for equipment that does not run malicious code tools
Slide 100: R3 Issues & Pitfalls
• Technical selection and implementation
• Coverage for all cyber assets
• Combination of solutions
• BCS and ESP coverage
• Clear documentation demonstrating coverage
• Identification, alerts and response procedures
Slide 101: CIP-007-5 Part 4.1
BES Cyber System and/or Asset level requirement
Slide 102: CIP-007-3 / CIP-007-5 Change
CIP-007-3: Security logs
CIP-007-5: Identification of specific log collection events (R4)
CIP-007-3: Sampling and/or summarization not mentioned
CIP-007-5: Log reviews for High Impact Cyber Systems can be summarization or sampling (R4)
CIP-007-3: Log reviews every 90 days when applicable
CIP-007-5: Logs for High Impact Cyber Systems must be reviewed every 15 days (R4)
Slide 103: Part 4.1 Log Events
• Entity determines which computer generated events are necessary to log, provide alerts and monitor for their particular BES Cyber System environment
• Logging is required for both local access at the BES Cyber Systems themselves, and remote access through the EAP
• Evidence of required logs (4.1.1 – 4.1.3)
  o Successful and failed logins
  o Failed ACCESS attempts
    - blocked network access attempts
    - successful and unsuccessful remote user access attempts
    - blocked network access attempts from a remote VPN
    - successful network access attempts or network flow information
  o Detection of malicious code
Slide 104: Part 4.1 Log Events
• Types of events
• Requirement does not apply if the device does not log the events
  o Devices that cannot log do not require a TFE
  o Logging should be enabled wherever it is available
• 100% availability is not required
  o Entity must have processes in place to respond to outages in a timely manner
Slide 105: CIP-007-5 Part 4.2
BES Cyber System and/or Cyber Asset (if supported) level requirement
Slide 106: Part 4.2 Alerting
• Detected known or potential malware or malicious activity (Part 4.2.1)
• Failure of security event logging mechanisms (Part 4.2.2)
• Alert Forms
  o Email, text, system display and alarming
• Alerting Examples
  o Failed login attempt threshold exceeded
  o Virus or malware alerts
Slide 107: Part 4.2 Alerting Guidelines
• Considerations in configuring real-time alerts:
  o Login failures for critical accounts
  o Interactive login of system accounts
  o Enabling of accounts
  o Newly provisioned accounts
  o System administration or change tasks by an unauthorized user
  o Authentication attempts on certain accounts during non-business hours
  o Unauthorized configuration changes
  o Insertion of removable media in violation of a policy
Slide 108: Question
• Is an alert required for malicious activity if it is automatically quarantined?
  o Alerts are required for detection of malicious code regardless of any subsequent mitigation actions taken
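The following is an added example (not from the presentation or any NERC tool) of Part 4.2 alerting logic run over constructed, syslog-style event lines: a failed-login threshold per account within a time window (the threshold of 5 in 15 minutes is an assumed value an entity would set), an alert on every malicious-code detection even when the tool already quarantined the file, and a logging-failure alert (Part 4.2.2) when a log source stays silent longer than twice its expected heartbeat interval. Hostnames, accounts, addresses and the review time are constructed.

```python
"""Part 4.2 alerting over constructed security event log lines.

Added example, not from the presentation or any NERC tool. Three rules:
failed-login threshold per host:account within a sliding window, an alert
for every MALWARE_DETECTED event regardless of the tool's own action, and
a LOG_FAILURE alert when a source is silent for more than 2x its heartbeat.
All sample data is constructed.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+)(?: (?P<kv>.*))?$")
REVIEW_TIME = datetime(2014, 5, 14, 8, 50)   # constructed "now" for the sample

SAMPLE_LOG = """\
2014-05-14T08:00:00 ems-srv1 HEARTBEAT
2014-05-14T08:01:10 ems-srv1 LOGIN_FAILED user=operator src=172.16.105.220
2014-05-14T08:01:25 ems-srv1 LOGIN_FAILED user=operator src=172.16.105.220
2014-05-14T08:01:40 ems-srv1 LOGIN_FAILED user=operator src=172.16.105.220
2014-05-14T08:02:05 ems-srv1 LOGIN_OK user=operator src=172.16.105.220
2014-05-14T08:05:00 ems-srv1 HEARTBEAT
2014-05-14T08:10:00 ems-srv1 HEARTBEAT
2014-05-14T08:12:00 hmi-1 LOGIN_FAILED user=admin src=10.0.0.5
2014-05-14T08:12:10 hmi-1 LOGIN_FAILED user=admin src=10.0.0.5
2014-05-14T08:12:20 hmi-1 LOGIN_FAILED user=admin src=10.0.0.5
2014-05-14T08:12:30 hmi-1 LOGIN_FAILED user=admin src=10.0.0.5
2014-05-14T08:12:40 hmi-1 LOGIN_FAILED user=admin src=10.0.0.5
2014-05-14T08:13:00 hmi-1 MALWARE_DETECTED file=C:/Temp/update.exe action=quarantined
2014-05-14T08:15:00 ems-srv1 HEARTBEAT
2014-05-14T08:45:00 ems-srv1 HEARTBEAT
"""


@dataclass
class Alert:
    kind: str
    host: str
    at: datetime
    detail: str


def run_alerting(text: str, now: datetime, threshold: int = 5,
                 window: timedelta = timedelta(minutes=15),
                 heartbeat: timedelta = timedelta(minutes=5)) -> List[Alert]:
    """Apply the three Part 4.2 rules to the log text, oldest line first."""
    alerts: List[Alert] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    last_seen: Dict[str, datetime] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        host, event = m["host"], m["event"]
        fields = dict(kv.split("=", 1) for kv in (m["kv"] or "").split())
        # Part 4.2.2: a source that went quiet for too long is a logging failure.
        if host in last_seen and ts - last_seen[host] > 2 * heartbeat:
            alerts.append(Alert("LOG_FAILURE", host, ts,
                                f"no events for {ts - last_seen[host]}"))
        last_seen[host] = ts
        if event == "LOGIN_FAILED":
            q = failures[f"{host}:{fields.get('user', '?')}"]
            q.append(ts)
            while q and ts - q[0] > window:       # keep only the current window
                q.popleft()
            if len(q) == threshold:                # alert once, when reached
                alerts.append(Alert("FAILED_LOGIN_THRESHOLD", host, ts,
                                    f"{len(q)} failures for {fields.get('user')} "
                                    f"within {window}"))
        elif event == "MALWARE_DETECTED":
            # Part 4.2.1: quarantine by the tool does not remove the need to alert.
            alerts.append(Alert("MALICIOUS_CODE", host, ts,
                                f"{fields.get('file')} action={fields.get('action')}"))
    # Sources still silent at review time.
    for host in sorted(last_seen):
        if now - last_seen[host] > 2 * heartbeat:
            alerts.append(Alert("LOG_FAILURE", host, now,
                                f"silent since {last_seen[host]}"))
    return alerts


if __name__ == "__main__":
    for a in run_alerting(SAMPLE_LOG, REVIEW_TIME):
        print(f"{a.at:%Y-%m-%d %H:%M:%S} {a.kind:<23} {a.host:<9} {a.detail}")
```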
Slide 109: Guidance
• Guidance implies that only technical means are allowed for alerting on a ‘detected cyber security event’
  o Requirement language is the ruling language; guidance is not auditable and is provided to give further context, examples or assistance in how entities may want to approach meeting the requirement
  o Requirement does not preclude procedural controls
Slide 110: CIP-007-5 Part 4.3 – Part 4.4
BES Cyber System and/or Cyber Asset (if supported) level requirement
Slide 111: Part 4.3 ‘Retain Applicable Event Logs’
• Timeframe:
  o Response timeframe begins with the alert of the failure
  o After something or someone has detected the failure and has generated an alert as in R4.2
  o For the compliance period, the applicable cyber systems maintain 90 days of logs (all High BCS as well as Medium BCS at Control Centers)
• Retention methods are left to the Responsible Entity
  o On or before April 15, 2016
Slide 112: Part 4.3 ‘Retain Applicable Event Logs’
Slide 113: Part 4.3 ‘Retain Applicable Event Logs’
• Is the audit approach to ask for any single day’s logs in the past three years?
  o Compliance evidence requirement is that the entity be able to show that for the historical compliance period, the applicable cyber systems maintained 90 days of logs
  o ‘records of disposition’ of logs after their 90 days are up
Slide 114: Part 4.4 Review Logs Guidelines
• Summarization or sampling of logged events
  o Log analysis can be performed top-down, starting with a review of trends from summary reports
  o Determined by the Responsible Entity
• Electronic Access Points to ESPs are EACMs; this is one of the primary logs that should be reviewed
Slide 115: Part 4.4 Review Logs
• Purpose is to identify undetected security incidents
• Paragraph 525 of Order 706
  o Even if automated systems are used, the manual review is still required
  o Manually reviewing logs ensures automated tools are tuned and alerting on real incidents
• What if an entity identifies events in R4.4 that should have been caught in R4.1? Is this a violation?
Slide 116
Slide 117: R4 Issues & Pitfalls
• Ensure all EACMs are identified
  o “Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems. This includes Intermediate Systems.” – NERC glossary
• Documentation of log collection architecture
  o Log collection data flows
  o Aggregation points
  o Analysis processes and/or technologies
• Validation of the required logs and alert configurations
118
Cloud Computing
http://www.ipspace.net/Webinars
119
Monitoring-as-a-Service
http://www.symantec.com/content/en/us/enterprise/other_resources/b-nerc_cyber_sercurity_standard_21171699.en-us.pdf
120
CIP-007-5 Part 5.1
BES Cyber System and/or Cyber Asset level requirement
121
CIP-007-3 / CIP-007-5 Highlights

CIP-007-3 | CIP-007-5
TFE required for devices that cannot meet password requirements | Password requirement may be limited to device capabilities as opposed to filing a TFE (R5)
Not specified in V3 | Failed access threshold and alerts (R5)
122
• Ensure the BES Cyber System or Cyber Asset authenticates individuals with interactive access
  o GPO (Group Policy Object)
• Interactive user access
  o Doesn’t include read-only front panel displays, web-based reports
• Procedural Controls
Part 5.1 Enforce Authentication
123
Part 5.1 Enforce Authentication
124
CIP-007-5 Part 5.2
BES Cyber System and/or Cyber Asset level requirement
125
• Identifying the use of account types
  o Default and other generic accounts remaining enabled must be documented
  o Avoids prescribing an action to address these accounts without analysis; removing or disabling the account could have reliability consequences
• Not inclusive of System Accounts
• For common configurations, documentation can be performed at a BES Cyber System or more granular level
• Restricting accounts based on least privilege or need to know is covered in CIP-004-5
Part 5.2 Identify Accounts
126
CIP-007-5 Part 5.3
BES Cyber System and/or Cyber Asset level requirement
127
CIP-007-3 Requirement 5.1.2
128
• CIP-004-5 to authorize access
  o Authorizing access does not equate to knowing who has access to a shared account
• “authorized”
  o An individual storing, losing or inappropriately sharing a password is not a violation of this requirement
• Listing of all shared accounts and personnel with access to each shared account
Part 5.3 Identify Individuals
129
CIP-007-5 Part 5.4
BES Cyber System and/or Cyber Asset level requirement
130
  o Cases where the entity was not aware of an undocumented vendor default password would not be a possible violation
  o Once the entity is made aware of this default password, action may be required per CIP-007-5 R2
Part 5.4 Known
131
• When is a default password required to be changed?
  o No timeframe specified in requirement
  o As with all requirements of CIP-007-5, this requirement must be met when a device becomes one of the applicable systems or assets
Part 5.4 Timeframe
132
CIP-007-5 Part 5.5
BES Cyber System and/or Cyber Asset level requirement
133
• Eight characters or maximum supported
• 5.5.2 Three or more different types of characters or maximum supported
Part 5.5 Passwords
134
• CAN-0017
  o Compliance Application Notices do not carry forward to new versions of the standard
• Requirement explicitly addresses the issue raised by CAN-0017: either technical or procedural mechanisms can meet the requirement
• Guidelines Section
  o Physical security suffices for local access configuration if the physical security can record who is in the Physical Security Perimeter and at what time
Part 5.5 Passwords
135
• Password Group Policy Object (GPO) evidence
• Password configuration for all applicable devices
• Where device cannot support the requirement, document why (evidence) and the allowed configurations, and the configuration that is enabled
Part 5.5 Passwords
136
CIP-007-5 Part 5.6
BES Cyber System and/or Cyber Asset level requirement
137
• Password change procedures
• Evidence of password changes at least every CIP Year (15 months)
• Disabled Accounts
  o Password change is not required because these do not qualify as providing interactive user authentication
Part 5.6 Password Changes
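The Part 5.5 and Part 5.6 slides above describe three checks that are easy to get wrong in evidence packages: minimum length against "eight or the maximum supported", character types against "three or the maximum supported", and a change interval of 15 months that applies only to enabled interactive accounts. The script below is an added example, not code from the presentation or from any NERC or WECC tool; it evaluates constructed device records (the field names, device names and dates are assumptions) and labels a parameter "device-limited" when the configuration sits at a cap the device imposes, which is the case the slides say calls for documentation rather than a TFE.

```python
"""Password parameter and change-interval assessment for CIP-007-5 Parts 5.5 and 5.6.

Added example with constructed device records; field names and values are
assumptions, not a NERC data format.
"""
import calendar
from datetime import date

MIN_LENGTH = 8              # Part 5.5: eight characters or the device maximum
MIN_CHAR_TYPES = 3          # Part 5.5.2: three character types or the device maximum
CHANGE_INTERVAL_MONTHS = 15 # Part 5.6: at least once every 15 calendar months
AS_OF = date(2014, 5, 15)   # constructed assessment date

DEVICES = [
    {   # constructed: Windows EMS application server whose policy comes from a GPO
        "name": "ems-app-01", "max_length_supported": None, "char_types_supported": 4,
        "min_length_configured": 12, "min_char_types_configured": 3,
        "accounts": [
            {"name": "operator", "interactive": True, "enabled": True, "last_changed": date(2014, 1, 10)},
            {"name": "svc_hist", "interactive": False, "enabled": True, "last_changed": date(2012, 6, 1)},
            {"name": "oldadmin", "interactive": True, "enabled": False, "last_changed": date(2011, 3, 3)},
        ],
    },
    {   # constructed: protective relay that only accepts a 6-digit numeric password
        "name": "relay-17", "max_length_supported": 6, "char_types_supported": 1,
        "min_length_configured": 6, "min_char_types_configured": 1,
        "accounts": [{"name": "level2", "interactive": True, "enabled": True, "last_changed": date(2013, 1, 20)}],
    },
    {   # constructed: managed switch that could meet the parameters but is configured weakly
        "name": "esp-sw-02", "max_length_supported": None, "char_types_supported": 4,
        "min_length_configured": 6, "min_char_types_configured": 2,
        "accounts": [{"name": "admin", "interactive": True, "enabled": True, "last_changed": date(2014, 4, 2)}],
    },
]


def add_months(d, n):
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    m = d.month - 1 + n
    y, m = d.year + m // 12, m % 12 + 1
    return d.replace(year=y, month=m, day=min(d.day, calendar.monthrange(y, m)[1]))


def check_parameter(configured, required, supported):
    """Compare a configured minimum with the requirement, lowering the target to
    the device maximum when the device cannot reach the requirement (None = no cap)."""
    limited = supported is not None and supported < required
    target = supported if limited else required
    if configured < target:
        return "not met", "configured %d, target %d" % (configured, target)
    if limited:
        return "device-limited", "device maximum is %d; document the limitation" % target
    return "meets", "configured %d" % configured


def check_password_age(account, as_of):
    """Part 5.6 applies to enabled interactive accounts; disabled accounts are exempt."""
    if not account["interactive"]:
        return "n/a", "not an interactive user account"
    if not account["enabled"]:
        return "exempt", "disabled account; no change required"
    due = add_months(account["last_changed"], CHANGE_INTERVAL_MONTHS)
    if due < as_of:
        return "overdue", "last changed %s, was due %s" % (account["last_changed"], due)
    return "meets", "last changed %s, next due by %s" % (account["last_changed"], due)


def assess(device, as_of=AS_OF):
    """Return [(part, subject, status, detail)] for one device and its accounts."""
    rows = []
    s, d = check_parameter(device["min_length_configured"], MIN_LENGTH, device["max_length_supported"])
    rows.append(("5.5 length", device["name"], s, d))
    s, d = check_parameter(device["min_char_types_configured"], MIN_CHAR_TYPES, device["char_types_supported"])
    rows.append(("5.5.2 char types", device["name"], s, d))
    for acct in device["accounts"]:
        s, d = check_password_age(acct, as_of)
        rows.append(("5.6 change", device["name"] + "/" + acct["name"], s, d))
    return rows


def statuses(device, as_of=AS_OF):
    """Convenience view: {(part, subject): status}."""
    return {(part, subj): status for part, subj, status, _ in assess(device, as_of)}


if __name__ == "__main__":
    for dev in DEVICES:
        for part, subj, status, detail in assess(dev):
            print("%-16s %-20s %-14s %s" % (part, subj, status, detail))
```

On the constructed records the relay comes out "device-limited" on both parameters (evidence of the cap, not a TFE, is what the slides ask for), the switch is "not met" because nothing in the device prevents a compliant setting, and the relay's only interactive account is overdue for a change while the disabled `oldadmin` account is exempt.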
138
CIP-007-5 Part 5.7
BES Cyber System and/or Cyber Asset level requirement
139
• Requirement does not duplicate CIP-007-5 Part 4.2
  o Part 4.2 alerts for security events
  o Part 5.7 alert after threshold is not required to be configured by the R4.2 requirement
• TFEs
  o TFE triggering language qualifies both options
  o TFE would only be necessary based on failure to implement either option (operative word ‘or’)
Part 5.7 Authentication Thresholds
140
• Threshold for unsuccessful login attempts
  o “The threshold of failed authentication attempts should be set high enough to avoid false-positives from authorized users failing to authenticate.”
• Minimum threshold parameter for account lockout
  o No value specified
Part 5.7 Authentication Thresholds
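The Part 4.4 slides earlier recommend reviewing logs top-down from summary reports, with the EACMS logs as a primary source, and Part 5.7 offers alerting on a failed-authentication threshold as an alternative to account lockout. The script below is an added example, not part of the presentation; it parses a handful of constructed syslog-style lines from an assumed Intermediate System (`ims-01`) and EMS host (`ems-app-01`), produces the kind of per-account and per-source failure summary an analyst would start a Part 4.4 review from, and implements the Part 5.7 alerting option as a sliding-window count. Running it with two thresholds shows the false-positive point quoted above: at a threshold of 2 the operator's two mistyped passwords raise an alert, at 5 only the burst against the `maint` account does.

```python
"""Authentication-log summary (Part 4.4) and failed-attempt threshold alerting (Part 5.7).

Added example. The log lines are constructed, not captured from any system,
and the hostnames, accounts and addresses are assumptions.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
2014-05-13T07:58:02 ims-01 sshd[4121]: Failed password for operator from 10.20.30.7 port 50122 ssh2
2014-05-13T07:58:09 ims-01 sshd[4121]: Failed password for operator from 10.20.30.7 port 50122 ssh2
2014-05-13T07:58:20 ims-01 sshd[4121]: Accepted password for operator from 10.20.30.7 port 50122 ssh2
2014-05-13T22:14:01 ims-01 sshd[5890]: Failed password for maint from 10.20.30.99 port 41000 ssh2
2014-05-13T22:14:07 ims-01 sshd[5891]: Failed password for maint from 10.20.30.99 port 41001 ssh2
2014-05-13T22:14:12 ims-01 sshd[5892]: Failed password for maint from 10.20.30.99 port 41002 ssh2
2014-05-13T22:14:18 ims-01 sshd[5893]: Failed password for maint from 10.20.30.99 port 41003 ssh2
2014-05-13T22:14:25 ims-01 sshd[5894]: Failed password for maint from 10.20.30.99 port 41004 ssh2
2014-05-14T09:03:44 ems-app-01 sshd[771]: Accepted password for operator from 10.20.30.7 port 50310 ssh2
2014-05-14T09:40:10 ems-app-01 sshd[802]: Failed password for invalid user test from 10.20.30.55 port 33010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) \S+: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<account>\S+) from (?P<src>\S+)"
)


def parse_events(text):
    """Turn the text into a time-ordered list of authentication events; lines that
    do not match the pattern are skipped rather than treated as failures."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"at": datetime.fromisoformat(m.group("ts")), "host": m.group("host"),
                           "ok": m.group("result") == "Accepted",
                           "account": m.group("account"), "src": m.group("src")})
    return sorted(events, key=lambda e: e["at"])


def summarize(events):
    """Part 4.4-style summary counts: failures and successes per (host, account),
    and failures per source address, for a top-down review."""
    failed, accepted, by_src = Counter(), Counter(), Counter()
    for e in events:
        key = (e["host"], e["account"])
        if e["ok"]:
            accepted[key] += 1
        else:
            failed[key] += 1
            by_src[e["src"]] += 1
    return {"failed": failed, "accepted": accepted, "failed_by_source": by_src}


def threshold_alerts(events, threshold, window_seconds):
    """Part 5.7 alerting option: emit one alert each time an account on a host
    accumulates `threshold` failures within `window_seconds`; a successful login
    resets the count, as a lockout counter would."""
    recent, alerts = defaultdict(deque), []
    for e in events:
        key = (e["host"], e["account"])
        q = recent[key]
        if e["ok"]:
            q.clear()
            continue
        q.append(e["at"])
        while (e["at"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"host": e["host"], "account": e["account"], "src": e["src"],
                           "at": e["at"], "count": len(q)})
            q.clear()
    return alerts


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    s = summarize(ev)
    for (host, acct), n in s["failed"].most_common():
        print("%-10s %-10s failed=%d accepted=%d" % (host, acct, n, s["accepted"][(host, acct)]))
    for t in (2, 5):
        print("threshold %d:" % t, [(a["account"], a["at"].isoformat()) for a in threshold_alerts(ev, t, 600)])
```

The summary alone already separates the `maint` burst from a single source address from the operator's normal morning login, which is the point of reviewing summaries before raw lines; the threshold function is the same logic that would feed the Part 5.7 alert, with the window and count left as parameters because the requirement specifies no value.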
141
• Setting the lockout threshold too low can shut out account access – Caution
• TFEs
• Password change management
• Identification and documentation of device password limitations
• Ensuring all interactive access has implemented authentication
R5 Issues & Pitfalls
Morgan King CISSP-ISSAP, CISA
Senior Compliance Auditor, Cyber Security
Western Electricity Coordinating Council
Salt Lake City, UT
(C) 801.608.6652 (O)801.819.7675
Questions?