160 likes | 355 Views
Brent Castagnetto, CBRM, CBRA, MABR Manager, Cyber Security Audits . CAR-005 and CIP-006 “Diet” ESP Audit Approach WECC Open Webinar February 21 st 2013 . Agenda . CAR-005 Audit Approach CIP-006 R2.2 PACS “Diet” ESP. What is CAR-005?. NERC CIP-005 Compliance Analysis Report.
E N D
Brent Castagnetto, CBRM, CBRA, MABR Manager, Cyber Security Audits CAR-005 and CIP-006 “Diet” ESP Audit Approach WECC Open Webinar February 21st 2013
Agenda • CAR-005 Audit Approach • CIP-006 R2.2 PACS “Diet” ESP
What is CAR-005? • NERC CIP-005 Compliance Analysis Report. • Posted in May 2012 • Intended to provide practical information and suggestions surrounding CIP-005
What is CAR-005? • Specific issues were raised related to non routable communication beyond ESP boundaries. (See pages 11 & 12) • What is the current WECC approach on CAR-005?
CAR-005 Audit Approach, Know Thy Self • Front End Processors (FEP) that are serially connected directly to field devices that an entityowns and or operates may not be considered Access Points under Version 3 of CIP-005. • Know the backend architecture of your ICS network!
CAR-005 Audit Approach, Know Thy Self • It may be necessary to classify Front End Processors as Cyber Assets within your ESP. • Know the backend architecture of your ICS network!
CAR-005 Audit Approach • ICS components with serial and/or dial-up interfaces may be Access Points: - A Front End Processor (FEP) or CCA serially connected to a component of another network beyond your control (e.g., another entity) - A FEP or media converter device that uses the internet (e.g. IP; VPN, SSL) to communicate • Know the backend architecture of your ICS network!
CAR-005 Audit Approach • Inquiring minds want to know! • During an audit the WECC Cyber Security Team will ask questions about each entities back end non-routable architecture. CIP-005 sub teams will work with you during the offsite and onsite weeks to understand all communication paths traversing your ESP
PACS “Diet” ESP CIP-006-3 R2.2 • CIP-006-3 R2.2 reads: • Cyber Assets that authorize and/or log access to the Physical Security Perimeter(s) shall be afforded the protective measures specified in Standard CIP-005-3 R2 and R3.
PACS “Diet” ESP CIP-006-3 R2.2 • “Diet” or “Sugar Free” drinks are missing something. Some people say you have the same taste, but none of the sugar. • “Diet” ESP requires compliance with CIP-005 R2 & R3 ESP Diet ESP
PACS “Diet” ESP CIP-006-3 R2.2 • CIP-005-3 R2 reads: • The Responsible Entity shall implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the Electronic Security Perimeter(s) • R2.4 states specifically: Where external interactive access into the Electronic Security Perimeter has been enabled, the Responsible Entity shall implement strong procedural or technical controls at the access points to ensure authenticity of the accessing party, where technically feasible.
PACS “Diet” ESP CIP-006-3 R2.2 • NERC FAQ on CIP-005 clarifies what is intended as “strong procedural or technical controls” • Strong technical and procedural controls normally require use of at least two of the following three factors: (1) something the person knows, (2) something the person has, and (3) something the person is. “What a person knows” is typically a password, pass phrase or some personal identification number (PIN). “What a person has” is typically a physical device such as an electronic authentication token or smart card, and “what a person is” is usually some biometric characteristic such as a fingerprint or iris pattern. NERC CIP-005 FAQ pg. 7
PACS “Diet” ESP CIP-006-3 R2.2 • PACS “Diet” ESP Example diagram
References • NERC Industry Advisory: remote access guidance (2011). Retrieved from the North American Electric Reliability Corporate website on January 7, 2012, from, http://www.nerc.com/fileUploads/File/Events%20Analysis/A-2011-08-24-1-Remote_Access_Guidance-Final.pdf • NERC Guidance for Secure Interactive Remote Access (2011). Retrieved from the North American Electric Reliability Corporate website on January 7, 2012, from, http://www.nerc.com/fileUploads/File/Events%20Analysis/FINAL-Guidance_for_Secure_Interactive_Remote_Access.pdf • NERC CIP-005 FAQ www.nerc.com/.../Revised_CIP-005-1_FAQs_20090217.pdf • NERC CIP-005 Compliance Analysis Report http://www.nerc.com/fileUploads/File/Standards/Revised_CIP-005-1_FAQs_20090217.pdf • WECC_SLC CIP-101_CIP-005_JA http://www.wecc.biz/compmtg/20121218cip/default.aspx?InstanceID=1 *Links retrieved 2/19/2012
Brent Castagnetto, CBRM, CBRA, MABR Manager, Cyber Security Audits Western Electricity Coordinating Council bcastagnetto@wecc.biz Office: 801.819.7627 Questions?