Spring 2015 CIP-005-5

Upload: vunhi

Post on 29-Jan-2017

TRANSCRIPT

Page 1: Spring 2015 CIP-005-5

CIP-005-5

David Cerasoli, CISSP, Senior CIP Analyst

3/25/2015 1

March 24 – 25, 2015

Page 2: Spring 2015 CIP-005-5

Important Terminology
• BES Cyber System (BCS)
• BES Cyber Asset (BCA)
• Dial-up Connectivity
• Electronic Access Control or Monitoring Systems (EACMS)
• Electronic Access Point (EAP)
• Electronic Security Perimeter (ESP)
• External Routable Connectivity (ERC)
• Interactive Remote Access (IRA)
• Intermediate System
• Protected Cyber Asset (PCA)


Page 3: Spring 2015 CIP-005-5

Applicability

BA, DP, GO, GOP, IA, RC, TO and TOPs with High or Medium Impact BES Cyber Systems, and associated Protected Cyber Assets (PCA).


Page 4: Spring 2015 CIP-005-5

The Major Changes
• All BES Cyber Systems connected to a network via a routable protocol must be within an ESP
• An Electronic Access Point is defined as an interface instead of an asset
• Outbound access permissions are required
• Authentication is explicitly required for Dial-up Connectivity


Page 5: Spring 2015 CIP-005-5

The Major Changes
• Need one or more methods for detecting malicious communication for inbound and outbound communications
• Direct remote access to assets within the ESP is no longer allowed; access must be through an Intermediate System
• Multi-factor authentication is now explicitly required for Interactive Remote Access


Page 6: Spring 2015 CIP-005-5

The Major Changes
• Logging, monitoring and alerting requirements have been moved to CIP-007-5
• Vulnerability Assessment requirements have been moved to CIP-010-1
• Documentation review and maintenance requirements have been moved to CIP-010-1


Page 7: Spring 2015 CIP-005-5

Requirement R1 Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in CIP-005-5 Table R1 – Electronic Security Perimeter.


Page 8: Spring 2015 CIP-005-5

Part 1.1 All applicable Cyber Assets connected to a network via a routable protocol shall reside within a defined ESP.
• Your BES Cyber System may be required to reside within an ESP even if it is not connected to the outside world, i.e., an air-gapped BES Cyber System may still need to be in an ESP. The trigger is the routable network connection, not reachability from outside.
• One way to demonstrate compliance with Part 1.1 is to maintain a list of Cyber Assets that identifies which ESP each asset resides in


Page 9: Spring 2015 CIP-005-5

The Three Types of ESPs
1. Isolated ESP: an ESP that is not connected to other networks by a routable protocol, or at all
2. Discrete ESP: the "classic" ESP
3. Extended ESP: an ESP that encapsulates multiple network segments connected by a WAN

Every asset within the ESP must be protected to the level of the highest impact BES Cyber System in that ESP
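The two points above, Part 1.1 (a routable asset with no ESP is a gap) and the high-water-mark rule from this slide (every asset in an ESP is protected at the level of the highest-impact BES Cyber System sharing that ESP), are easy to check against the asset list the slide recommends keeping. The Python below is an added example, not material from the presentation; the inventory, asset names and ESP names are constructed.

```python
"""Check a Cyber Asset inventory for Part 1.1 gaps and derive each ESP's protection level.

Added example; the inventory below is constructed and the names are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Impact ratings ordered so the comparison picks the high-water mark for an ESP.
IMPACT_RANK = {"Medium": 1, "High": 2}


@dataclass
class CyberAsset:
    name: str
    routable: bool          # connected to a network via a routable protocol
    esp: Optional[str]      # ESP the asset resides in, None if none has been assigned
    kind: str               # "BCA" (BES Cyber Asset) or "PCA" (Protected Cyber Asset)
    impact: Optional[str]   # impact rating of the BCA's BES Cyber System; None for a PCA


# Constructed sample inventory (hypothetical names and ESPs).
SAMPLE_INVENTORY: List[CyberAsset] = [
    CyberAsset("ems-scada-01",    True,  "ESP-Control-Center", "BCA", "High"),
    CyberAsset("ems-backup-01",   True,  "ESP-Control-Center", "BCA", "Medium"),
    CyberAsset("ems-hist-01",     True,  "ESP-Control-Center", "PCA", None),
    CyberAsset("rtu-sub7",        True,  "ESP-Sub7",           "BCA", "Medium"),
    CyberAsset("hmi-sub7",        True,  "ESP-Sub7",           "PCA", None),
    CyberAsset("eng-laptop-sub7", True,  None,                 "PCA", None),      # routable, no ESP: gap
    CyberAsset("relay-serial-03", False, None,                 "BCA", "Medium"),  # serial only: no ESP required
]


def part_1_1_gaps(inventory: List[CyberAsset]) -> List[str]:
    """Part 1.1: every routable applicable Cyber Asset must reside in a defined ESP.

    What matters is the routable connection, not reachability from outside: an
    air-gapped routable network still needs an ESP, a serial-only asset does not.
    """
    return [a.name for a in inventory if a.routable and a.esp is None]


def esp_protection_levels(inventory: List[CyberAsset]) -> Dict[str, str]:
    """Each ESP is protected at the level of its highest-impact BES Cyber System."""
    levels: Dict[str, str] = {}
    for a in inventory:
        if a.esp is None or a.kind != "BCA" or a.impact is None:
            continue
        current = levels.get(a.esp)
        if current is None or IMPACT_RANK[a.impact] > IMPACT_RANK[current]:
            levels[a.esp] = a.impact
    return levels


def required_level(asset: CyberAsset, levels: Dict[str, str]) -> Optional[str]:
    """Level an asset must be protected to: its ESP's high-water mark.

    A Medium BCA, or any PCA, sharing an ESP with a High BCS is protected as High.
    An asset with no ESP falls back to its own rating (and may be a Part 1.1 gap).
    """
    if asset.esp is None:
        return asset.impact
    return levels[asset.esp]


if __name__ == "__main__":
    levels = esp_protection_levels(SAMPLE_INVENTORY)
    print("Part 1.1 gaps:", part_1_1_gaps(SAMPLE_INVENTORY))
    for a in SAMPLE_INVENTORY:
        print(f"{a.name:16} ESP={str(a.esp):20} protect as {required_level(a, levels)}")
```

Running it lists `eng-laptop-sub7` as the only Part 1.1 gap and shows `ems-backup-01`, a Medium-rated BCA, inheriting High protection because it shares ESP-Control-Center with `ems-scada-01`.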


Page 10: Spring 2015 CIP-005-5

Isolated ESP


Page 11: Spring 2015 CIP-005-5

Discrete ESP


Page 12: Spring 2015 CIP-005-5

Extended ESP


Page 13: Spring 2015 CIP-005-5

Lesson Learned Virtual Server and Network Environments

How can virtual environments that physically reside inside and outside an ESP be secured and considered compliant?

This Lesson Learned has not been published yet. Currently the most conservative route is to avoid a mixed trust environment. So our suggestion is to place any assets that host BES Cyber Assets within an ESP. Also, any network devices with VLANs that are inside an ESP should reside entirely (all physical and logical interfaces) in an ESP.


Page 14: Spring 2015 CIP-005-5

Lesson Learned Mixed Trust Authentication Environments

How should mixed-trust authentication systems be managed to ensure compliance, e.g., a corporate AD system authenticates access to the EMS?

Mixed trust is not prohibited. However, it could increase the compliance burden because the asset performing authentication would be considered an EACMS and thus subject to the CIP Standards.


Page 15: Spring 2015 CIP-005-5

Part 1.2 All External Routable Connectivity (ERC) must be through an identified Electronic Access Point (EAP).
• Network diagrams are a good way to identify your EAPs and communication paths
• The big question: what is considered ERC?


Page 16: Spring 2015 CIP-005-5

Lesson Learned Serial Devices with ERC

Are serial-based systems with local serial connections considered to have ERC if they are remotely accessible via a routable protocol?

This issue may be referred to the SDT for clarification. For now we suggest that you consider any assets from your EAP to the protocol converter to have ERC.


Page 17: Spring 2015 CIP-005-5

Part 1.3 Require inbound and outbound access permissions, including the reason for granting access, and deny all other access by default.
• Outbound access permissions now required
• You can document the reason for granting access directly in your rulebase, ACLs, etc.
• See CIP-010 for additional documentation requirements
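Part 1.3 asks for three things an auditor can check mechanically in a rulebase export: a documented reason on every permit, explicit permissions in both directions, and a default deny behind them. The Python below is an added example, not part of the presentation. The line format (` ! ` separating the rule from its reason), the field layout and the sample rules are constructed assumptions; against a real EAP you would parse the vendor's export format instead. Beyond the slide's three points it also flags permits that are too broad to count as a reasoned permission and rules shadowed by the deny-all, two things a reviewer would want to see.

```python
"""Audit an EAP rulebase against CIP-005-5 Part 1.3.

Added example; the text format and the sample rulebase are constructed.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Rule:
    direction: str  # "inbound" (into the ESP) or "outbound" (out of the ESP)
    action: str     # "permit" or "deny"
    src: str        # CIDR or "any"
    dst: str        # CIDR or "any"
    proto: str      # "tcp", "udp", "icmp" or "any"
    port: str       # destination port or "any"
    reason: str     # documented justification, "" if none was recorded


# Constructed sample rulebase in a hypothetical format:
#   direction action src dst proto port ! reason
SAMPLE_RULEBASE = """
# direction action src dst proto port ! reason
inbound  permit 10.20.0.0/24     192.168.100.10/32 tcp 443 ! OPS-101: operator IRA from the Intermediate System
inbound  permit any              192.168.100.0/24  tcp 502
inbound  deny   any              any               any any ! default deny inbound
outbound permit 192.168.100.0/24 10.20.0.5/32      udp 123 ! OPS-102: NTP to corporate time source
outbound permit 192.168.100.0/24 any               any any ! needed for updates
outbound deny   any              any               any any ! default deny outbound
outbound permit 192.168.100.0/24 any               tcp 80  ! legacy web proxy
"""


def parse_rulebase(text: str) -> List[Rule]:
    """Parse the constructed format; blank lines and '#' comments are skipped."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields, _, reason = line.partition(" ! ")
        direction, action, src, dst, proto, port = fields.split()
        rules.append(Rule(direction, action, src, dst, proto, port, reason.strip()))
    return rules


def is_deny_all(r: Rule) -> bool:
    return r.action == "deny" and (r.src, r.dst, r.proto, r.port) == ("any", "any", "any", "any")


def audit(rules: List[Rule]) -> List[str]:
    """Return one finding per Part 1.3 problem, in rulebase order."""
    findings: List[str] = []

    for n, r in enumerate(rules, 1):
        if r.action != "permit":
            continue
        if not r.reason:
            findings.append(f"rule {n}: permit without a documented reason")
        # The "outside" end of the flow is the source for inbound, the destination for outbound.
        outside = r.src if r.direction == "inbound" else r.dst
        if outside == "any" and r.port == "any":
            findings.append(f"rule {n}: {r.direction} permit with any outside address and any port")

    for direction in ("inbound", "outbound"):
        numbered = [(n, r) for n, r in enumerate(rules, 1) if r.direction == direction]
        if not numbered:
            findings.append(f"{direction}: no rules at all (Part 1.3 requires both directions)")
            continue
        deny_all = [n for n, r in numbered if is_deny_all(r)]
        if not deny_all:
            findings.append(f"{direction}: no explicit deny-all rule")
            continue
        # Anything after the deny-all can never match: dead rules are a documentation smell.
        for n, _ in numbered:
            if n > deny_all[0]:
                findings.append(f"rule {n}: unreachable, follows the {direction} deny-all")

    return findings


if __name__ == "__main__":
    for finding in audit(parse_rulebase(SAMPLE_RULEBASE)):
        print(finding)
```

On the sample, the audit reports rule 2 (Modbus permit with no reason recorded), rule 5 (outbound to anywhere on any port, which is a default-allow dressed as a permit) and rule 7 (shadowed by the outbound deny-all). A rulebase with no outbound rules at all is reported as missing the direction, since Part 1.3 now requires outbound permissions too.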

Page 18: Spring 2015 CIP-005-5

Part 1.4 Where technically feasible, perform authentication when establishing Dial-up Connectivity with applicable Cyber Assets.
• Authentication is now explicitly required
• One example of an acceptable method of authentication is a dial-back modem
• This requirement part is eligible for a TFE
• One way to demonstrate compliance is to document the authentication process


Page 19: Spring 2015 CIP-005-5

FAQ If Part 1.4 applies, what other standards have to be applied to that device? Does it revert back to all Medium Impact standards, or just this one?

Dial-up Connectivity is a specific connection mechanism addressed for High and Medium Impact BES Cyber Systems under CIP-005 R1 Part 1.4. All other CIP V5 standards applicable to High and Medium Impact BES Cyber Systems would still apply, depending on the impact classification of the specific BES Cyber System and absent unique criteria in the "Applicable Systems" column that specifically exclude that BES Cyber System.


Page 20: Spring 2015 CIP-005-5

Part 1.5 Have one or more methods for detecting known or suspected malicious communications for both inbound and outbound communications.
• This is a completely new requirement
• Not simply redundancy: Part 1.5 requires a separate control in addition to the access permissions required by Part 1.3
• Will likely be implemented by an IDS / IPS

Page 21: Spring 2015 CIP-005-5

Placement of IDS / IPS Should the IDS / IPS reside inside or outside the ESP?

This question will be answered by an FAQ or Lesson Learned, which is still in development. Part 1.5 is applicable to the Electronic Access Point, and both inbound and outbound communication must be inspected. So our suggestion is to place your IDS / IPS in a location that will enable it to inspect all inbound and outbound communication crossing the EAP.


Page 22: Spring 2015 CIP-005-5

FAQ If an entity implements a vendor appliance as the perimeter firewall, can the optional module that performs the IDS/IPS function reside on the same appliance?

Yes. Although the technical guidance mentions "two distinct security measures", Part 1.5 does not actually require the use of an additional asset to accomplish the detection of malicious inbound and outbound communications.


Page 23: Spring 2015 CIP-005-5

Requirement R2 Each Responsible Entity allowing Interactive Remote Access to BES Cyber Systems shall implement one or more documented processes that collectively include the applicable requirement parts, where technically feasible, in CIP-005-5 Table R2 – Interactive Remote Access Management.

As with R1, implement the requirement parts that are applicable to your BES Cyber System

R2 and all of its requirement parts are eligible for a TFE

Page 24: Spring 2015 CIP-005-5

Lesson Learned Interactive Remote Access

What needs to be considered to determine whether an electronic connection is Interactive Remote Access (IRA)?

IRA is user-initiated remote access originating from outside the ESP. System-to-system communication, scheduled jobs and remote access from one ESP to another are not considered IRA.


Page 25: Spring 2015 CIP-005-5

FAQ Are serial-based systems with local serial connections considered for IRA if they are remotely accessible via a routable protocol?

Yes, the definition of IRA considers accessibility, not connectivity.


Page 26: Spring 2015 CIP-005-5

FAQ For virtual systems where a desktop/laptop is used to log in to a jump box, should the desktop/laptop have the same physical controls as the assets it is accessing?

In this scenario, the desktop/laptop would not be considered part of a BES Cyber System, provided the system is outside of the ESP and is accessing assets in the ESP in accordance with the requirements for Interactive Remote Access, i.e., through a jump host with multi-factor authentication.


Page 27: Spring 2015 CIP-005-5

Part 2.1 Utilize an Intermediate System such that the Cyber Asset initiating Interactive Remote Access does not directly access an applicable Cyber Asset.
• Direct remote access to assets within the ESP is no longer allowed
• The remote system should connect to an Intermediate System that is outside the ESP, then the Intermediate System connects to the asset in the ESP
• Dial-up can be a form of IRA, but is not necessarily IRA


Page 28: Spring 2015 CIP-005-5

Part 2.2 For all Interactive Remote Access sessions, utilize encryption that terminates at an Intermediate System.
• CIP-005-3 did not require the use of encryption
• Now you are required to encrypt communication between a remote system and the Intermediate System
• Note the scope: Part 2.2 covers the leg from the remote client to the Intermediate System. The Intermediate System's onward connection into the ESP is not what this part addresses.


Page 29: Spring 2015 CIP-005-5

Part 2.3 Require multi-factor authentication for all Interactive Remote Access sessions.
• This is a substantial change from CIP-005-3, which required "strong procedural or technical controls"
• Multi-factor authentication consists of at least two of the following:
  – "Something you have", e.g., the ubiquitous RSA token
  – "Something you know", e.g., a password
  – "Something you are", e.g., your iris
• Multi-factor authentication is required at the Intermediate System
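The IRA determination from the Lesson Learned on Page 24 and the three requirement parts of R2 (Parts 2.1, 2.2 and 2.3) fit together as a short decision procedure: first decide whether a connection is IRA at all, and only then check Intermediate System, encryption and multi-factor authentication. The Python below is an added example, not from the presentation; the ESP zone names, the session record fields and the sample sessions are constructed assumptions standing in for whatever a remote-access gateway or SIEM would actually export.

```python
"""Classify constructed remote-access session records as IRA or not, and check
IRA sessions against CIP-005-5 Parts 2.1, 2.2 and 2.3.

Added example; zone names, record fields and sample sessions are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed ESP names (assumption).
ESP_ZONES = {"esp-control", "esp-sub7"}


@dataclass
class Session:
    session_id: str
    src_zone: str       # "corporate", "internet", "dialup", or one of ESP_ZONES
    dst_role: str       # "intermediate" (jump host outside the ESP) or "bca" (asset inside an ESP)
    initiator: str      # "user", "service" (system-to-system) or "scheduled" (batch job)
    routable: bool      # the remote access uses a routable protocol
    encrypted: bool     # encrypted from the remote client, terminating at the Intermediate System
    mfa: bool           # multi-factor authentication performed at the Intermediate System


# Constructed sample sessions.
SAMPLE_SESSIONS: List[Session] = [
    Session("s1", "corporate",   "intermediate", "user",      True,  True,  True),   # compliant IRA
    Session("s2", "corporate",   "bca",          "user",      True,  True,  False),  # bypasses jump host, no MFA
    Session("s3", "esp-control", "bca",          "user",      True,  False, False),  # ESP-to-ESP: not IRA
    Session("s4", "corporate",   "bca",          "scheduled", True,  False, False),  # scheduled job: not IRA
    Session("s5", "internet",    "intermediate", "user",      True,  False, True),   # IRA over cleartext
    Session("s6", "dialup",      "bca",          "user",      False, False, False),  # non-routable dial-up: not IRA
]


def is_ira(s: Session) -> bool:
    """Page 24: IRA is user-initiated, originates outside every ESP and uses a routable
    protocol. System-to-system traffic, scheduled jobs and ESP-to-ESP access are not IRA.
    Dial-up that does not carry a routable protocol falls under Part 1.4 instead."""
    return s.initiator == "user" and s.src_zone not in ESP_ZONES and s.routable


def evaluate(s: Session) -> Dict[str, object]:
    """Apply Parts 2.1 to 2.3 to a session; non-IRA sessions get no R2 findings."""
    violations: List[str] = []
    ira = is_ira(s)
    if ira:
        if s.dst_role != "intermediate":
            violations.append("2.1 direct access to an applicable Cyber Asset, not via an Intermediate System")
        if not s.encrypted:
            violations.append("2.2 session from the remote client is not encrypted")
        if not s.mfa:
            violations.append("2.3 no multi-factor authentication")
    return {"session": s.session_id, "ira": ira, "violations": violations}


def evaluate_all(sessions: List[Session]) -> List[Dict[str, object]]:
    return [evaluate(s) for s in sessions]


if __name__ == "__main__":
    for result in evaluate_all(SAMPLE_SESSIONS):
        status = "IRA" if result["ira"] else "not IRA"
        print(f"{result['session']}: {status} {result['violations']}")
```

The ordering matters: s3 and s4 fail every R2 check on their face, yet produce no R2 findings because they are not IRA in the first place (ESP-to-ESP and a scheduled job). s2 shows the common audit finding, a user reaching an asset in the ESP without passing through the Intermediate System, which trips Part 2.1 regardless of how the session is otherwise protected.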


Page 30: Spring 2015 CIP-005-5

Great Example of Evidence In our experience, one of the best ways to demonstrate compliance with the IRA requirements is to create a document that describes each IRA use case and the assets that support each use case. Also, diagrams that show the data flows through the network are usually very helpful.


Page 31: Spring 2015 CIP-005-5

FAQ If an entity has a BES Cyber Asset that could also be classified as an EACMS, should it be classified as a BES Cyber Asset or as an EACMS?

It should be classified as a BES Cyber Asset and be included in a BES Cyber System.

