CIP-007-5 Compliance Outreach
CIP v5 Roadshow, May 14-15, 2014, Salt Lake City, Utah
Morgan King, CISSP-ISSAP, CISA, Senior Compliance Auditor – Cyber Security

Agenda
• CIP-007-5 Overview
• New/Redefined Terminology
• CIP-007-5 Audit Approach
• Issues & Pitfalls
• Questions
[Diagram: EMS ESP (IP network) – EMS Electronic Security Perimeter with workstations, file server, printer, routers, switches, EAP firewalls (CIP-005), CCAs, EMS servers, EACMs, access control server and intermediate server; CIP-007 applies to the devices inside the ESP]
[Diagram: EMS ESP/BCS (IP network) – the same perimeter under V5 with BCA/PCA designations (CIP-002); all PCA devices take on the impact level of the BCS]
[Diagram: Multi-BCS ESP – one ESP containing a MEDIUM impact BCS and a HIGH impact BCS]
[Diagram: EMS ESP (High Water Mark) – the whole ESP treated as HIGH; all PCA devices take on the impact level of the BCS]
Requirement Count
• 7 Requirements (Version 3), 26 sub-requirements
• 5 Requirements (Version 5), 20 Parts

CIP-007-5 Requirements
• R1 Ports and Services
• R2 Security Patch Management
• R3 Malicious Code Prevention
• R4 Security Event Monitoring
• R5 System Access Control

CIP-007 V3 to V5 Summary
• CIP-007-3 R1 → CIP-010-1 R1.4 & R1.5
• CIP-007-3 R2 → CIP-007-5 R1
  • CIP-007-5 R1.2 – NEW – restrict physical ports
• CIP-007-3 R3 → CIP-007-5 R2
  • CIP-007-5 R2.1 – NEW – identify patch sources
• CIP-007-3 R4 → CIP-007-5 R3
  • CIP-007-5 R4.3 – NEW – Alerts
• CIP-007-3 R5 → CIP-007-5 R5
  • CIP-007-3 R5.1 → CIP-004-5 R4.1
  • CIP-007-3 R5.1.1 → CIP-003-5 R5.2
  • CIP-007-3 R5.1.2 → CIP-007 R4.1
  • CIP-007-3 R5.1.3 → CIP-004-5 R4.3
  • CIP-007-5 R5.7 – NEW – unsuccessful login thresholds and alerts
• CIP-007-3 R6 → CIP-007-5 R4
• CIP-007-3 R7 → CIP-011-1 R2
• CIP-007-3 R8 → CIP-010-1 R3
• CIP-007-3 R9 → Deleted
Source: Project 2008-06 Cyber Security Order 706, DL_Mapping_Document_012913.pdf

IAC
• CIP-007-5 R1-R5 contain Identify, Assess and Correct (IAC) language in the requirement
• 17 requirements include IAC
• Filing deadline Feb. 3, 2015

Posting for 45-day first comment and ballot, June 2 – July 17, 2014
• Communication Networks (Proposed Resolution)
  • Modified requirement Part 1.2 in CIP-007
  • More comprehensive coverage of physical ports
• IAC
  • CIP-007, a new R2.5
  • CIP-007, update to R4.4
• Transient Devices
  • CIP-010 – New Part 4.1
http://www.nerc.com/pa/Stand/Prjct2014XXCrtclInfraPrtctnVr5RvnsRF/SDT%20Industry%20Webinar.pdf
Serial Exemption Blanket Serial Exemption
Non-Routable BCS
• BES Cyber System and associated BES Cyber Assets are not dependent upon a routable protocol
• A BES Cyber System may include only serial devices with no routable devices at all
• End point devices (relays) are to be included within the V5 requirements and may be BES Cyber Assets or even a BES Cyber System, even if no routable communications exist
• Therefore, there are V5 requirements to be addressed (i.e. CIP-007-5)

BCS with External Routable Connectivity
• CIP-007-5 Applicable Requirements:
  • R1.2 – Physical Ports
  • R2 – Patch Management
  • R3 – AV & Malicious code prevention
  • R4.1, R4.3, R4.4 – Logging
  • R5.2 – Default/Generic accounts
  • R5.4 – Change default passwords
  • R5.5 – Password complexity

CIP-007-5 Asset Level Requirements
• Most of CIP-007 can NOT be performed at a ‘system’ level but must be performed at the Cyber Asset level for the following assets:
  • BES Cyber Asset (BCA)
  • EACM
  • PACS
  • PCA
• BCA groupings and BES Cyber Systems are permitted where indicated

V5 Asset Level Requirements
• PACS systems (CIP-006-5 Part 3.1)
• Ports and Services (CIP-007-5 Part 1)
• Patch Management (CIP-007-5 Part 2)
• Security Event Monitoring (CIP-007-5 Part 4)
  • BES Cyber System and/or Cyber Asset (if supported)
• System Access Control (CIP-007-5 Part 5)
  • local system accounts

V5 Asset Level Requirements
• Baseline requirement (CIP-010-1 Part 1.1)
• Baseline change management (CIP-010-1 Part 1.2 – 1.5)
• Active monitoring – 35 days (CIP-010-1 Part 2.1)
• Cyber Vulnerability Assessment (CIP-010-1 Part 3.1, 3.2, 3.4)
• Testing of new asset (CIP-010-1 Part 3.3)
• System reuse or destruction (CIP-011-1 Part 2)
CIP-007-5 Part 1.1 Asset level requirement
Ports and Services
• en·able / en·a·ble (dictionary entry for "enable")
• Logical network accessible ports

Ports and Services
• Control required to be on the device itself, or may be positioned inline (in a non-bypassable manner)
• Host-based firewalls, TCP Wrappers or other means on the Cyber Asset to restrict access
• Dynamic ports
• Port ranges or services (0-65535)
• Blocking ports at the EAP does not substitute for the device-level requirement
• Know what ports are opened and give a reason for enabling the service
• Measures:
  • Listening ports (netstat -boan / -pault)
  • Configuration files of host-based firewalls

Tools/commands
• Netstat:
  • netstat -b -o -a -n > netstat_boan.txt
  • netstat -p -a -u -l -t > netstat_pault.txt
• NMAP scan results:
  • nmap -sT -sV -p T:0-65535 <IP_address> >> nmap_tcp.txt
  • nmap -sU -sV -p U:0-65535 <IP_address> >> nmap_udp.txt
• #show control-plane host open-ports
• #show run all
Netstat
C:\Documents and Settings\HMI-1>netstat -b -o -a -n > netstat_boan.txt

Active Connections
Proto  Local Address          Foreign Address    State        PID
TCP    0.0.0.0:135            0.0.0.0:0          LISTENING    952   C:\WINDOWS\system32\svchost.exe
TCP    0.0.0.0:445            0.0.0.0:0          LISTENING    4     [System]
TCP    0.0.0.0:6002           0.0.0.0:0          LISTENING    428   [spnsrvnt.exe]
TCP    0.0.0.0:7001           0.0.0.0:0          LISTENING    248   [sntlkeyssrvr.exe]
TCP    0.0.0.0:7002           0.0.0.0:0          LISTENING    248   [sntlkeyssrvr.exe]
TCP    127.0.0.1:1025         0.0.0.0:0          LISTENING    1656  [dirmngr.exe]
TCP    127.0.0.1:1029         0.0.0.0:0          LISTENING    2484  [alg.exe]
TCP    127.0.0.1:5152         0.0.0.0:0          LISTENING    1764  [jqs.exe]
TCP    127.0.0.1:33333        0.0.0.0:0          LISTENING    1856  [PGPtray.exe]
TCP    172.16.105.220:139     0.0.0.0:0          LISTENING    4     [System]
TCP    127.0.0.1:2111         127.0.0.1:33333    ESTABLISHED  1616
UDP    0.0.0.0:7001           *:*                             248   [sntlkeyssrvr.exe]
UDP    0.0.0.0:500            *:*                             700   [lsass.exe]
UDP    0.0.0.0:4500           *:*                             700   [lsass.exe]
UDP    0.0.0.0:445            *:*                             4     [System]
UDP    127.0.0.1:123          *:*                             1084  c:\windows\system32\WS2_32.dll
UDP    172.16.105.220:6001    *:*                             428   [spnsrvnt.exe]

Nmap EMS1
root@bt:/# nmap -sT -sV -p T:0-65535 172.16.105.151
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-01-18 12:15 EST
Nmap scan report for 172.16.105.151
Host is up (0.034s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 5.3p1 Debian 3ubuntu6 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.2.14 ((Ubuntu))
111/tcp   open  rpcbind (rpcbind V2) 2 (rpc #100000)
42851/tcp open  status  (status V1) 1 (rpc #100024)
MAC Address: 00:0C:29:66:05:65 (VMware)
Service Info: OS: Linux
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.25 seconds

Nmap EMS1
root@bt:/# nmap -sU -sV -p U:0-65535 172.16.105.151
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-01-18 12:15 EST
Nmap scan report for 172.16.105.151
Host is up (7.57s latency).
Not shown: 65533 closed ports
PORT    STATE         SERVICE VERSION
68/udp  open|filtered dhcpc
111/udp open          rpcbind
MAC Address: 00:0C:29:66:05:65 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1081.98 seconds
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 123.25 seconds
What We Expect [Sample format only; the sample evidence table is not reproduced here]
Question
• Is it required to capture not only the need for a port to be open, but also the authorization request for the port to be opened?
• CIP-010-1 Part 1.1: "Develop a baseline configuration, individually or by group, which shall include the following items: … 1.1.4. Any logical network accessible ports;"
• What is required is the need for a port to be open, not an actual authorization request for the port to be opened

Authorizations
• CIP-010-1 Part 1.2: "Authorize and document changes that deviate from the existing baseline configuration."
• Measure: "A change request record and associated electronic authorization (performed by the individual or group with the authority to authorize the change) in a change management system for each change; or"

CIP-007-5 / CIP-010-1 Relationship
• CIP-010-1 baseline configuration requirements
  • CIP-010-1 Part 1.1.4: develop a baseline configuration of any logical network accessible ports
  • Documented list of enabled ports
• CIP-007-5 Part 1.1 is concerned only with the enabling of needed ports
• Performance (CIP-007-5) versus documentation (CIP-010-1)

Double Jeopardy?
• Failing to maintain the baseline configuration and failing to disable unnecessary ports are two different requirement violations
• CIP-007-5 Part 1.1 refers to listings of ports as evidence, but that evidence could be the same evidence required for CIP-010-1
• Utilizing a single piece of evidence as proof of compliance with two different requirements is not double jeopardy

R1.1 Issues & Pitfalls
• Accurate enablement of required ports, services and port ranges
• Understanding critical data flows and communications within the ESP and EAPs
• Logical ports include 65535 TCP & 65535 UDP ports
• Managing changes of both logical and physical ports
• Initial identification of physical port usage and controls – port use mapping
• VA, approved baselines, and implemented logical ports and services should always agree (CIP-010-1 and CIP-007-5)
• Focus on EAPs inward to ESP Cyber Systems and Cyber Assets
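As an added example (not part of the presentation), the script below parses the kind of netstat -b -o -a -n listing shown on the Netstat slide and reconciles every enabled port against a documented baseline, which is the agreement between implemented ports (CIP-007-5 Part 1.1) and the baseline list (CIP-010-1 Part 1.1.4) that the pitfalls slide asks for. The sample listing and the BASELINE justifications are constructed; a port enabled with no documented need and a baseline entry with no matching listener are reported as separate findings.

```python
import re
# Constructed sample in the layout of 'netstat -b -o -a -n' on Windows XP/2003
# (the owning executable follows each socket line), modelled on the slide above.
NETSTAT_BOAN = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  [svchost.exe]
  TCP    127.0.0.1:33333        0.0.0.0:0              LISTENING       1856
  [PGPtray.exe]
  TCP    127.0.0.1:2111         127.0.0.1:33333        ESTABLISHED     1616
  UDP    0.0.0.0:500            *:*                                    700
  [lsass.exe]
  UDP    172.16.105.220:6001    *:*                                    428
  [spnsrvnt.exe]
"""
# Hypothetical approved baseline (CIP-010-1 Part 1.1.4): (proto, port) -> need.
BASELINE = {("TCP", 135): "RPC endpoint mapper used by EMS services",
            ("UDP", 500): "IKE for the IPsec tunnel to the backup control centre",
            ("UDP", 123): "NTP time synchronisation"}
# proto, local addr:port, foreign addr, optional state (absent for UDP), PID
SOCKET_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """One dict per socket line, with the owning executable from the line after it."""
    entries = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            proto, addr, port, state, pid = m.groups()
            entries.append({"proto": proto, "addr": addr, "port": int(port),
                            "state": state or "", "pid": int(pid), "exe": ""})
        elif entries and line.strip().startswith("["):
            entries[-1]["exe"] = line.strip().strip("[]")
    return entries

def compare(entries, baseline):
    """Classify enabled ports (listening TCP, any bound UDP) against the baseline.
    Loopback-only binds are listed separately: not network accessible, but reviewed."""
    observed = {(e["proto"], e["port"]): e["addr"] for e in entries
                if e["proto"] == "UDP" or e["state"] == "LISTENING"}
    report = {"approved": [], "undocumented": [], "loopback": [], "missing": []}
    for key, addr in sorted(observed.items()):
        if addr.startswith("127."):
            report["loopback"].append(key)
        elif key in baseline:
            report["approved"].append(key)
        else:
            report["undocumented"].append(key)   # enabled with no documented need
    report["missing"] = sorted(k for k in baseline if k not in observed)  # drift
    return report
```

Run against a real netstat_boan.txt, the "undocumented" bucket is the CIP-007-5 Part 1.1 exposure and the "missing" bucket is CIP-010-1 baseline drift; the same evidence file feeds both findings.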
CIP-007-5 Part 1.2 Asset level requirement
Configuration Ports
• Change BIOS
• Upgrade firmware
• Set baseline configuration
• Build out devices that have components (like servers)
• Perform a variety of administrative functions
• Perform emergency repair or failure recovery when no other port is accessible
http://www.tditechnologies.com/whitepaper-nerc-cip-007-5-r1

Part 1.2 Physical Ports
• Physical I/O ports
  • Network
  • Serial
  • USB ports external to the device casing

Part 1.2 Physical Ports
• All ports should be either secured or disabled
• Ports can be protected via a common method; not required to be per port
• “Protect against the use”
• Requirement is not to be a 100% preventative control
• Last measure in a defense-in-depth layered control environment, to make personnel think before attaching to a BES Cyber System in the highest risk areas

Guidelines
• Disabling all unneeded physical ports within the Cyber Asset’s configuration
• Prominent signage, tamper tape, or other means of conveying that the ports should not be used without proper authorization
• Physical port obstruction through removable locks
Port Locks http://www.blackbox.com/resource/genPDF/Brochures/LockPORT-Brochure.pdf
Physical Access to Ports http://www.supernap.com/supernap-gallery-fullscreen/
Question
• Would a Cyber Asset locked in a cage meet this requirement?
Answer
• No, the required control needs to be applied at the Cyber Asset level

Part 1.2 Physical Ports
• Documented approach to ensure unused physical ports are controlled (identify controls in place)
• Controls in place for ensuring that attempts at physical port usage are identified
• Think before you plug anything into one of these systems
• Controls: 802.1x, physical plugs, port block, signage
• Physical port usage documentation – know what is in use versus existing ports not required
• Site tours may validate physical port documentation

Physical Ports and Applicable Systems
• A routable device with all of its physical network ports blocked, which would otherwise have been identified as a routable device, now cannot route
• The ability to communicate outside of itself is not a determining factor as to whether a Cyber Asset is or is not a BES Cyber Asset or BES Cyber System
• The Cyber Asset’s function as it pertains to BES reliability determines system identification
CIP-007-5 Part 2.1 Asset level requirement
Part 2.1 Patch Management Process
• Patch management documented process
• List of sources monitored for BES Cyber Systems and/or BES Cyber Assets
• List of Cyber Assets and software used for patch management
• Watching and being aware of vulnerabilities within BES Cyber Systems, whether they are routably connected or not, and mitigating those vulnerabilities
• Applicable to BES Cyber Systems that are accessible remotely as well as standalone systems

Part 2.1 Tracking
• Requirement allows entities to focus on a monthly ‘batch’ cycle of patches rather than tracking timelines for every individual patch
• Tracking can be on a monthly basis for all patches released that month rather than on an individual patch basis
• Decision to install/upgrade a security patch is left to the Responsible Entity to make based on the specific circumstances