1 / 44

NERC CIP Compliance

NERC CIP Compliance. Defining your Electronic Security Perimeter (ESP) and Access Point Security. Agenda. Specific NERC CIP-005 Requirements Underlying fundamentals of the ESP architecture Building ESPs using Security Enclaves and DinD Vulnerability Assessment Methodology

marv
Download Presentation

NERC CIP Compliance

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. NERC CIP Compliance Defining your Electronic Security Perimeter (ESP) and Access Point Security

  2. Agenda • Specific NERC CIP-005 Requirements • Underlying fundamentals of the ESP architecture • Building ESPs using Security Enclaves and DinD • Vulnerability Assessment Methodology • Simple Principles

  3. Disclaimer • CAUTION: Every environment is different and requires a direct correlation. The material contained in this presentation may not represent your corporate or architectural requirements • ADVISORY: Education, consulting and compliance is about correctly interpreting and conveying information - a requirement for this content

  4. NERC CIP Compliance Specific NERC CIP-005 Requirements

  5. Specific NERC CIP-005 Requirements • CIP-005-1 – Cyber Security – Electronic Security • Perimeters: Requires the identification and protection of an electronic security perimeter and access points. The electronic security perimeter is to encompass the critical cyber assets identified pursuant to the methodology required by CIP-002-1.

  6. Specific NERC CIP-005 Requirements • Requirement 1 - Electronic Security Perimeter • Define an ESP and its access points to protect Critical Cyber Assets • Requirement 2 - Electronic Access Controls • Deny by default • Enable only required ports and services • Securing dial-up access • Documentation • Appropriate Use Banner • Requirement 3 - Monitoring Electronic Access (covered in the SEIM Presentation in two weeks) • Requirement 4 - Cyber Vulnerability Assessment • Requirement 5 - Documentation Review and Maintenance • Monitor FERC Order 706 Activity

  7. Specific NERC CIP-005 Requirements • The following are exempt from Standard CIP-005: • 4.2.1 Facilities regulated by the U.S. Nuclear Regulatory Commission or the Canadian Nuclear Safety Commission. • 4.2.2 Cyber Assets associated with communication networks and data communication links between discrete Electronic Security Perimeters. • 4.2.3 Responsible Entities that, in compliance with Standard CIP-002, identify that they have no Critical Cyber Assets.

  8. NERC CIP Compliance Underlying fundamentals of the ESP architecture

  9. Architecting your ESP to provide the appropriate access control and monitoring capabilities • Approach, controls, monitoring, assessment and documentation requirements defined in CIP-005 • Challenging to define an electronic perimeter around geographically disperse systems collecting information and performing automated and manual control operations • Organizations must think methodically about their approach and intrinsically understand the environment and type of controls • Define an ESP access point access control request, review and response workflow • Define an appropriate trust model for your systems (enclaves) • Ensure the adequacy of protection and continued high availability of authorized access and control

  10. Integrating ESP high availability identity management solutions • Understand your organization’s trust model based upon the enclave approach outlined in the methodology • Select your identity type, system and appropriate audit trail for each ESP enclave • Define the appropriate administrative and operational trusts for system access • Separate technical administrative, developers, system operators and general users • Correlate your physical and cyber identities as appropriate • Ensure identity integrity throughout the ESP • Define operational procedures to support high availability access to ensure safety

  11. Control System Network Architecture Control System Network Architecture

  12. Traditional Isolation of Corporate and Control Domains Source: Idaho National Laboratory, Control Systems Cyber Security: Defense in Depth Strategies (May, 2006)

  13. Overview of Contemporary Control System Architectures Source: Idaho National Laboratory, Control Systems Cyber Security: Defense in Depth Strategies (May, 2006)

  14. Database Attack Vector Source: Idaho National Laboratory, Control Systems Cyber Security: Defense in Depth Strategies (May, 2006)

  15. Common Security Zones Source: Idaho National Laboratory, Control Systems Cyber Security: Defense in Depth Strategies (May, 2006)

  16. Firewall Deployment for Common Security Zones Source: Idaho National Laboratory, Control Systems Cyber Security: Defense in Depth Strategies (May, 2006)

  17. Defense in Depth with IDS Source: Idaho National Laboratory, Control Systems Cyber Security: Defense in Depth Strategies (May, 2006)

  18. Corporate IT to Control System IT Comparison Source: Idaho National Laboratory, Control Systems Cyber Security: Defense in Depth Strategies (May, 2006)

  19. NERC CIP Compliance Building ESPs using Security Enclaves and DinD

  20. Definition: Security Enclaves • An enclave is, as defined in the Department of Defense Directive (DoDD ) 8500.1 E2.1.16.2, “the collection of computing environments connected by one or more internal networks under the control of a single authority and security policy, including personnel and physical security.“ • Terminology Potpourri • Security Zones • DeMilitarized Zones • Transactional Zones • Determine security controls and define system interactions • Review NIST SP 800-53 r2; 800-82

  21. Security Enclave Creation • Security enclaves provide the layers of trusted systems which limit untrusted interactions • Enclaves creation can be based upon: • Mission criticality • Operational requirements • Type of application • System users • Trusted versus untrusted interactions

  22. Enclave Split - Services • Services are separated among enclaves • Separation of duties • External DNS / Internal DNS • External Mail / Internal Mail • External Web / Internal Web • External Authentication / Internal Authentication • Split Active Directory Domains • Out Of Band Management Network • Application Proxy

  23. ISO, Identity & Event Mgmt Enclaves Remote VPN, Contractor,Identity Mgmt, Uncontrolled ISO Enclaves TestingEnclaves Office Desktop Systems Control Enclave Building Security Enclaves • Defined logical ESP access points with enterprise identity management and network integrated firewalls and IDS Legend Site-to-SiteVPN Firewall ESP High AvailabilityVirtualized Architecture RestrictedWAN IDS/EDS

  24. TestingEnclaves TestingEnclaves Control Enclaves ISO Enclave Testing Enclave ISO Enclave ISO Enclave Remote VPN, Contractor, Uncontrolled ISO Enclaves Remote VPN, Contractor, Uncontrolled ISO Enclaves Office Systems Control Enclave Control Enclave Office Systems Building Security Enclaves Legend VPN IDS/EDS Firewall ESP Primary Generating / Sub Station High AvailabilityVirtualized Architecture Secondary High AvailabilityVirtualized Architecture WAN IDS/EDS IDS/EDS

  25. Defining Ports and Services Access Rules • Do you know who, how, why, where, and when the system communicates across the network? • Unknown Communication Between Systems • Review levels of system trust for need of isolation station / proxy • Work with application vendor to identify requirements • If necessary, enable connectivity in learning mode • Known Communication Between Systems • Review levels of system trust for need of isolation station / proxy • Define appropriate access rules

  26. Defense in Depth Security Controls • Layers of Protection for Information and Control (I & C) • Provides security against a single or multiple points of failure • Common to define Network, Client or Control Node, Server and Operational controls

  27. Build Knowing The Attacks“Man-in-the-Middle” • Attacker reads, inserts and modifies information without either party aware • Physical Layer • Datalink Layer • Network Layer • Application Layer • Social Layer • Not an exhaustive list of attacks and controls • What can happen? • Incorrect information is conveyed to the operator • Incorrect control settings are sent to the system • Control is completely taken over by attacker

  28. Defense in Depth : Network Information and Control (I & C) • Touchpoints should: • Be limited to the absolute minimum, where the purpose of the application may still be satisfied • Provide limitations for trusted and untrusted access • Note: This is not an exhaustive list of Defense in Depth solutions Encrypted and integrity checked traffic Traffic access control Intrusion Detection and Prevention I & C Network authentication / authorization Application proxy

  29. Defense in Depth : EMS / OperatorConnectivity • EMS Enclave • Separate development and quality assurance enclaves • Island acceptable architecture with dedicated infrastructure • Note: This is not an exhaustive list of Defense in Depth solutions Event Monitoring DHCP Snooping / Port Security / DNS Host Files SeparateEMS Enclaves for PDS and QAS I & C Workstation Dual Homed / EMSDirect Connection UniqueOperator Login

  30. Operational Workflow for Managing ESP/PSP Access Requests and Approvals • Same workflow for both physical and cyber access • Defines approval process for creation/modification of access and revocation of rights

  31. NERC CIP Compliance Defining your ESP Vulnerability Assessment Methodology

  32. Defining an ESP Vulnerability Assessment Methodology appropriate for the bulk electric system. • The ESP Vulnerability Assessment Methodology considers the threat, the cyber asset, adversary type, known vulnerabilities and the consequences of an adversarial success to arrive at a relative risk level and appropriate response. Automated and manual vulnerability analysis is performed by the IT Security department, and the FERC/NERC Compliance departments to identify both effective and ineffective security controls. The results of the assessment are then provided to the FERC/NERC Compliance Director. The results are reviewed and appropriate countermeasures are identified, developed, applied in a test environment, reviewed for acceptance and propagated to production. The methodology is reapplied to determine the relative risk reduction achieved. This iterative process is continued until the most appropriate method for reducing risk to an acceptable level is identified and approved by the FERC/NERC Compliance Director.

  33. Performing a Vulnerability Assessment within and against your ESP • Defined in CIP-005 Requirement 4 and CIP-007 Requirements 3 and 8 • Typically do not perform tests against live systems • The risk is substantial • Ensure the accurateness of system state with your change management system • Define the appropriate personnel for risk acceptance and mitigation procedures • Create an appropriate set of procedures to • adequately test the response of the system and the associative controls • migrate the modifications through staging • an appropriate rollback structure

  34. Selecting Vulnerability Management Solutions • Review vulnerability management solutions for the following requirements: • Ability to generate audit trails and appropriate reports / integration with your situational awareness software • Breadth of supported capabilities to validate networks, applications and operating systems in your environment • Ability to operate in an *Internet isolated* environment leveraging a proxy solutions • Interoperate with NIST or CISecurity.org baseline criteria definitions • Support agreement and associative service level capabilities • Incremental patch deployment to categorically identified systems and applications on a schedule-able basis • Supports the appropriate trust model for your organization’s access control model • High level of assurance of the system’s accuracy and efficiency for your environment

  35. Vulnerability Assessment Process • Network Tests • Remote / Local Scanning using GFI Languard, Nessus and Harris STAT • Remote / Local PenTesting using Backtrack 2 tools with Metasploit 3 • Local Tests • CISecurity.org Assessment Scoring Tools • Reviewing New NIST SCAP Vendors • Part of Federal Desktop Initiative

  36. Responding to results from your vulnerability assessment • Do not PANIC • However, review high risk results immediately; identify if other defense in depth controls provide protection • Vulnerability assessments should be a dialogue between the audit team and the systems personnel • Appropriately document, notify the vendor for resolution and receive the update to validate using your patch testing methodology created in CIP-007 Requirement 3

  37. NERC CIP Compliance Simple Principles to reflect upon while architecting

  38. Simple Principles • Isolationism provides protection • The more isolated an environment is from others the greater the success of physical and logical security controls assuring continuously accurate information and control

  39. Simple Principles • Your conversations will be eavesdropped upon • Any verbal, paper or electronic conversation can be monitored; you must be accepting of this and utilize the appropriate protective controls to limit your risk • Assets will be physically stolen or lost • Physical assets, physical assets storing electronic information and electronic assets will be stolen or lost • You must limit the impact of any theft of information

  40. Simple Principles • Your conversations will be eavesdropped upon • Any verbal, paper or electronic conversation can be monitored; you must be accepting of this and utilize the appropriate protective controls to limit your risk • Assets will be physically stolen or lost • Physical assets, physical assets storing electronic information and electronic assets will be stolen or lost • You must limit the impact of any theft of information

  41. Simple Principles • Build with a moat (control) • Separate trust levels / Security Enclaves • Understand how the moat (control) works • (or) Build with Nightingale Floors * * Nijo Castle Kyoto, Japan

  42. Simple Principles • Vulnerabilities are the gateways through which threats manifest themselves • Threats exist • Hackers • Corporations • Nation States VULNERABILITY THREAT RISK MISSION

  43. Risk Assessment Relationship value Owners wish to minimize to reduce impose Countermeasures that may possess that may be reduced by may be aware of Vulnerabilities that exploit leading to Threat agents give rise to Risks that increase Assets Threats to wish to abuse or damage Based upon IEEE Standard 15408 (Common Criteria)

  44. Simple Principles • Security or risk mitigation controls must be well understood to be properly used • A detailed understanding of the category of the control • Directive • Preventive • Compensating • Detective • Corrective

More Related