
Virtualization, Cloud and CIP

Morgan King CISSP-ISSAP, CISA

Senior Compliance Auditor, Cyber Security

WECC Compliance Workshop – Boise ID – March 29, 2018

W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L

Impact to Reliability

Leveraging emerging technologies to afford greater resiliency and security.

2

WECC Approach

In the absence of clear and unequivocal guidance from NERC and/or FERC…

3

V5TAG Standard Authorization Request (SAR)

4

• Virtualization

– The CIP V5 standards do not specifically address virtualization. Because of the increasing use of virtualization in industrial control system environments, V5TAG asked that the SDT consider CIP-005 and the definitions of Cyber Asset and Electronic Access Point regarding permitted architecture and the security risks of network, server and storage virtualization technologies.

Problem

• No virtualization concepts in CIP

– CIP definitions are “device” centric

• No NERC guidance documents for virtualization and Cloud

• Cyber Asset definition

• Electronic Security Perimeter

5

Physical Isolation

6

Logical Isolation

7

Electronic Access Controls

8

SDT Progress

• Concepts for Virtualization and Definitions Unofficial Comment Form

– Cyber Asset Definition

– Centralized Management Systems (CMS)

– Electronic Security Zones (ESZ)

– Electronic Access Gateway (EAG)

– Electronic Access Control System (EACS)

– Electronic Access Monitoring Systems

• Risk Map

– Attack surface, architecture and configuration, management console, VM network visibility, hypervisor security, resource starvation

• Webinars

– Server and storage virtualization

9

SDT - Virtualization

• The SDT identified the following areas that it intends to address as part of its work on virtualization:

– Determine the level to which mixing Cyber Asset classes is permitted (CIP-applicable with non-CIP applicable, EACMS/PACS with BCS, Low/Medium/High BCS, EACMS/PACS with non-CIP applicable, etc.)

• Clarify in requirements/definitions/guidance the permitted architectures and controls necessary to permit them.

– Address the treatment of components typically associated with virtualization

• hypervisor, management control, and physical hardware

– Address treatment of each class of virtualization (server, network including SDN, and storage) including identifying any differences in treatment between classes.

– Address VLANs, particularly the scenario in which there is a switch that has at least one VLAN inside the ESP and one VLAN outside the ESP.

– Address monitoring-only EACMS and whether the risk profile of these systems is such that they should be treated differently than other EACMS.

10

Best Path Forward

• Option 1: Draft a new SAR to address virtualization

• Option 2: Request CIPC to review virtualization and draft a report on areas that need to be considered by the CIP SDT

• Option 3: Create a Virtualization ad-hoc group to review virtualization and draft a report on areas that need to be considered by the CIP SDT

• Option 4: SDT work on drafting a virtualization white paper and posting to industry for comment (state risk issues, etc.)

• Option 5: Modify requirement(s)

• Option 6: Develop new requirement(s)

• Option 7: Develop CIP-015

• Option 8: Draft Implementation Guidance

• Option 9: Draft best practices

11

The Cloud and CIP

12

The Cloud

13

Cloud Computing

• BES Cyber System Information in Cloud

– Compliance management

• BES Cyber Systems / EACMS in Cloud

– Software-as-a-Service (SaaS)

– Platform-as-a-Service (PaaS)

– Infrastructure-as-a-Service (IaaS)

• Anything-as-a-Service (XaaS)

– Monitoring-as-a-Service (MaaS)

– Authentication-as-a-Service (AaaS)

– Malware-as-a-Service (MaaS)

– Storage-as-a-Service (SaaS)

14

Managing The Cloud

15

BES Cyber System Information

• Information about the BES Cyber System that could be used to gain unauthorized access or pose a security threat to the BES Cyber System. BES Cyber System Information does not include individual pieces of information that by themselves do not pose a threat or could not be used to allow unauthorized access to BES Cyber Systems, such as, but not limited to, device names, individual IP addresses without context, ESP names, or policy statements. Examples of BES Cyber System Information may include, but are not limited to, security procedures or security information about BES Cyber Systems, Physical Access Control Systems, and Electronic Access Control or Monitoring Systems that is not publicly available and could be used to allow unauthorized access or unauthorized distribution; collections of network addresses; and network topology of the BES Cyber System.

16

Encryption

• CIP-005-5 Part 2.2

– For all Interactive Remote Access sessions, utilize encryption that terminates at an Intermediate System.

• CIP-006-6 Part 1.10

– Encryption of data that transits such cabling and components;

• FERC Order 822

– The Commission directs NERC to develop modifications to CIP-006-6 to require protections for communication network components and data communicated between all bulk electric system Control Centers according to the risk posed to the bulk electric system.

• CIP-012-1

– Unauthorized disclosure or modification of data

17

Storage and Transit of BCSI in Cloud

• Documented process

– What are the risks for encryption in memory, applications, storage, transmission?

• Encryption

– Sufficient strength to address the risks

– Logical key control and authentication

• How are encryption keys managed, stored, and revoked?

• Ensuring unauthorized users do not have access to BCSI through the encrypted data in transit or at rest on the cloud service provider infrastructure

18

Use of BCSI in Cloud

19

Monitoring-as-a-Service (MaaS)

20

Authentication-as-a-Service (AaaS)

21

Use of BCSI in Cloud

• Can an entity demonstrate compliance through a third-party audit (e.g., SSAE 16 SOC2)? Does a SOC2 report show compliance for:

– certifications and accreditations (FedRAMP and CJIS)

• CIP-004-6, Part 2.1.5

– Training content on: Handling of BES Cyber System Information and its storage

• CIP-004-6 R4 Part 4.1.3:

– Vendor has a policy and process whereby only the personnel who perform system administration functions have physical access to the datacenter.

– Similarly, only the personnel who perform system administration functions would have electronic access to the servers containing the entity’s BCSI

22

Use of BCSI in Cloud

• CIP-004-6 R4 Part 4.4

– Can/will the vendor demonstrate the authorized access to the storage locations containing the entity’s BCSI is reviewed at least once every 15 calendar months in accordance with the CIP Standards. The entity would rely upon a third-party audit of vendor IT General Controls specific to this Requirement Part

23

Use of BCSI in Cloud

• CIP-004-6 R5 Part 5.3:

– Can/will the vendor demonstrate that physical and electronic access to the datacenter where the servers and/or storage devices containing the entity’s BCSI are located, and/or to the servers and data storage devices themselves, is revoked by the end of the next calendar day following termination of a staff member with access, as demonstrated by the third-party audit

24

Use of BCSI in Cloud

• CIP-011-2 R1 Part 1.2:

– Secure data handling controls, which include encryption of stored data and encrypted electronic data exchange (e.g., secure web browser)

• CIP-011-2 R2 Part 2.1:

– Can/will the vendor be able to demonstrate that data on any media containing the entity’s BCSI would be appropriately rendered irretrievable prior to any reuse of the media, as confirmed by third-party audit

• CIP-011-2 R2 Part 2.2:

– Can/will the vendor be able to demonstrate that data on any media containing the entity’s BCSI would be appropriately rendered irretrievable prior to any disposal of the media, as confirmed by third-party audit

25

Critical Infrastructure Protection Committee (CIPC)

26

Compliance Guidance Policy

27

Contact Information

Morgan King

(801)819-7675 – Office

(801)608-6652 – Cell

[email protected]

28

References

29

Slide 4: NERC, Standard Authorization Request (SAR)

Slide 5: NERC, CIP Modifications SDT

Slides 6-8: NERC, CIP Modifications SDT Virtualization Webinars

Slide 13: NASA, Office of the Inspector General Report, 2017

Slide 14: Control-as-a-Service

Slide 15: (XaaS)

Slide 16: NERC Glossary of Terms, January 2018

Slide 17: FERC Order 822, Para 59

Slide 19: Trend Micro, 2013, SCADA in the Cloud

Slide 27: NERC, Compliance Guidance Policy

Slide 22: https://oig.nasa.gov/audits/reports/FY17/IG-17-010.pdf

Slides 27, 28: http://www.nerc.com/pa/CI/Documents/roundtable%20-%20cloud%20computing%20slides%20%20(20161116).pdf

Slide 29: http://www.nerc.com/pa/Stand/Pages/Webinars.aspx