Help compliance personnel become familiar with the processes to identify and manage essential Cyber Assets associated with BES Cyber Systems, ensuring appropriate access controls and adequate data protection.
Identifying and Managing Essential Cyber Assets: Closing the Loop on the BCS
Dr. Joseph B. Baugh, Senior Compliance Auditor – Cyber Security
WECC Reliability and Security Workshop, San Diego CA – October 23, 2018
Western Electricity Coordinating Council

The Parable of the Essential Cyber Asset

[Diagram: External Users]
Reliability & Security Objective
Help compliance personnel become more familiar with the processes to identify all essential Cyber Assets associated with each of the BES Cyber Systems [BCS] identified under CIP-002-5.1a, to ensure appropriate access controls and to ensure data flows into and out of the BCS are adequately managed and protected.

CIP Team Observations
During recent audits, the CIP team has found several instances of Potential Noncompliance relative to legacy configuration files on EACMS, poor management of Intermediate Systems, failure to properly identify and protect PACS elements, and other issues associated with managing essential Cyber Assets.

Key Takeaway
Develop an ability to discuss essential Cyber Assets with entity Subject Matter Experts [SMEs] and develop a stronger CIP compliance program that contributes to better reliability and security in the Western Interconnection.

What May Change
If half the attendees in this room worked closely with their SMEs to correctly identify and manage all essential Cyber Assets, the reliability and security of the BES would be improved. This may also result in an ancillary impact of better compliance performance at audit and fewer Self-Reports.
Why Should You Care?
Some may be thinking to themselves, “If these essential Cyber Assets are not specifically spelled out in the CIP Standards, why should I care about them?”
• Most essential Cyber Assets are included in the CIP Standards, either directly or indirectly
• All help “close the loop on BES Cyber Systems [BCS]”
• The CIP Team has noted issues in past audits
• Don’t be this entity: “Oops, I should have closed the loop on my BCS!”

Agenda
Examine essential Cyber Asset types in detail:
• What is it?
• Where are they generally located?
• Associated Standards
• How are they configured?
• What are common examples?
• What are common problems and pitfalls that may lead to noncompliance?
• Group Exercise
• Review
• Questions
• Summary
What is an Essential Cyber Asset?
An essential Cyber Asset is NOT a defined term, but relates to several common Cyber Assets used to protect and/or access a High or Medium BCS, some of which are defined terms. EACMS include EAP, IS, and IDS/IPS. We can also add Gateways, Modems, TCA, and RM to our list of essential Cyber Assets.

Types of Essential Cyber Assets
• Physical Access Control System [PACS]
• Electronic Access Control and Monitoring System [EACMS]
• Intermediate Systems [IS]
• Intrusion Detection Systems / Intrusion Prevention Systems [IDS/IPS]
• Serial Gateways
• Dial-up Gateways & Modems
• Transient Cyber Assets [TCA]
• Removable Media [RM]

Disclaimer
Some graphics used in conjunction with the following essential Cyber Asset type slides are intended for illustrative purposes only and represent common Cyber Asset types observed by the CIP team during site visits to remote locations. However, the use of openly accessible graphics or other materials under the Fair Use Act should not be construed as an endorsement, support, or promotion by the WECC CIP Team for any specific vendor or specific essential Cyber Asset product.
PACS – What Is It?
Physical Access Control System [PACS]: Cyber Assets that control, alert, or log access to the Physical Security Perimeter(s), exclusive of locally mounted hardware or devices at the Physical Security Perimeter such as motion sensors, electronic lock control mechanisms, and badge readers. (NERC, Glossary, p. 22)
[Diagram: Typical PACS configuration. Labels: Local Devices (Readers, Cameras, Door Sensors); PSP-Like Security Perimeter; PACS Server; PACS Panel; PACS Workstation; Direct Connection]

PACS – Where is It?
Where are PACS generally located?
• Physically within the confines of a defined Physical Security Perimeter (PSP)
• Physically outside the confines of a defined PSP, but secured
  • PACS must be provided certain physical security protections
  • CIP-006-6 Parts R1.1, R1.6, and R1.7
  • Guidance & Technical Basis provides some relief for these for PACS devices residing within a defined PSP

PACS – Associated Standards
Which Standards are associated with PACS?
• Primarily CIP-006-6
• All Requirements where PACS are associated with applicable BCS, including:
  • CIP-004-6 R2, R3, R4, R5 (Parts 5.1, 5.2, 5.3)
  • CIP-006-6 R1 (Parts 1.1, 1.6, 1.7), R3
  • CIP-007-6 R1 Part 1.1, R2, R3, R4 (Parts 4.1, 4.2, 4.3), R5
  • CIP-009-6 R1, R2 (Parts 2.1, 2.2), R3
  • CIP-010-2 R1 (Parts 1.1 – 1.4), R3 (Parts 3.1, 3.4)
  • CIP-011-2 R1, R2

PACS – Typical Configuration
PACS should be configured to meet specific physical security issues for each entity or at each PSP, but in general:
• Typical system components include application host server(s), intelligent access control panel(s) and personal computers (aka workstations) used to perform systems and access administration, alarm monitoring and/or badge provisioning
• Workstations may utilize a client or web-based interface
• Workstation communication paths may include an intermediate jump host

PACS – Common Problems & Pitfalls
The CIP-006 team has noted common failures to address these issues:
• Identify PACS client workstations as PACS assets
• Ensure all PACS Cyber Assets are identified, classified, and protected
• Ensure PACS located outside PSPs are secured and monitored, with alerts within 15 minutes
• Properly annotate PSP diagrams
• Document PACS alarm assessment and response procedures
• Document PACS responses for each incident of potential unauthorized physical access
• Provide a hard key management program
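Added example, not from the WECC deck or any PACS vendor: a small Python check over constructed PACS event log lines that verifies each potential unauthorized physical access event at a PACS element was alerted on within the 15-minute window the slide refers to, and lists the late or missing alerts an auditor would ask about. The pipe-delimited log layout, the event type names, the element names and the event reference ids are all assumptions made for this example.

```python
from datetime import datetime, timedelta

# Alerting window the slide refers to for PACS located outside a PSP.
ALERT_DEADLINE = timedelta(minutes=15)

# Event types treated here as potential unauthorized physical access.
# The names are assumptions for this example, not a vendor's event catalogue.
ACCESS_EVENTS = {"DOOR_FORCED", "ENCLOSURE_TAMPER", "ACCESS_DENIED"}

# Constructed sample log (not captured from any real PACS):
# timestamp | event type | PACS element | event reference id
# ALERT_SENT lines carry the reference id of the event they alert on.
SAMPLE_LOG = """\
2018-10-23T08:00:00|ENCLOSURE_TAMPER|PACS-PANEL-07|ev1
2018-10-23T08:09:30|ALERT_SENT|PACS-PANEL-07|ev1
2018-10-23T09:15:00|DOOR_FORCED|PACS-PANEL-12|ev2
2018-10-23T09:40:00|ALERT_SENT|PACS-PANEL-12|ev2
2018-10-23T10:05:00|ACCESS_DENIED|PACS-PANEL-03|ev3
2018-10-23T11:00:00|BADGE_GRANTED|PACS-PANEL-03|ev4
"""


def parse_log(text):
    """Parse pipe-delimited log lines into event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, kind, element, ref = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind,
                       "element": element, "ref": ref})
    return events


def check_alerting(events, deadline=ALERT_DEADLINE):
    """Return one finding per access event: (element, event, status, latency_min).

    status is OK (alert within deadline), LATE (alert after deadline) or
    MISSING (no alert referenced this event at all, latency None).
    """
    alerts = {e["ref"]: e for e in events if e["kind"] == "ALERT_SENT"}
    findings = []
    for e in events:
        if e["kind"] not in ACCESS_EVENTS:
            continue
        alert = alerts.get(e["ref"])
        if alert is None:
            findings.append((e["element"], e["kind"], "MISSING", None))
            continue
        latency = alert["ts"] - e["ts"]
        status = "OK" if latency <= deadline else "LATE"
        findings.append((e["element"], e["kind"], status,
                         latency.total_seconds() / 60))
    return findings


def exceptions(findings):
    """Only the findings an auditor would ask about: late or missing alerts."""
    return [f for f in findings if f[2] != "OK"]


if __name__ == "__main__":
    for finding in check_alerting(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against a real export, the same pairing logic works as long as the PACS writes a reference that ties the alert to the detection event; if it does not, pairing by element and nearest following alert is the usual fallback, and the evidence retained for audit should show both timestamps.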
EACMS – What Is It?
Electronic Access Control and Monitoring System: Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems. This includes Intermediate Systems. (NERC, Glossary, p. 12)
Essential Cyber Assets include EACMS, Electronic Access Points [EAP], Intrusion Detection/Prevention Systems [IDS/IPS] and Intermediate Systems [IS].

EACMS – Where is It?
• EACMS generally establish the Electronic Security Perimeter [ESP] for BCS
• EAP are located on the ESP as required, but the EACMS may have additional interfaces
• IDS are typically located on the ESP network, but
  • Passive IDS may also be located outside the ESP, or
  • IPS may be inline with traffic
• IS are typically located on a DMZ segment
[Diagram: External Users]

EACMS – Associated Standards
Which Standards are associated with EACMS (includes EAP, IDS/IPS, and IS)?
• CIP-004-6 R2, R3, R4, R5
• CIP-005-5 R1, R2 [Specifically EAP, Intermediate System, and Dial-up Connectivity]
• CIP-006-6 R1 (Parts 1.2, 1.3, 1.4, 1.5, 1.8, 1.9), R2
• CIP-007-6 R1 Part 1.1, R2, R3, R4, R5
• CIP-009-6 R1, R2 (Parts 2.1, 2.2), R3
• CIP-010-2 R1 (Parts 1.1 – 1.4), R2 (high impact only), R3 (Parts 3.1, 3.3, 3.4)
• CIP-011-2 R1, R2
• CIP-008-6 (Proposed Standard in Comment Phase)

EACMS – Typical Configuration
• EAP are typically configured with explicit access control lists [ACL]
• Passive IDS is the typical configuration seen on audit; IPS are not as common
• IS are typically Terminal Servers or similar Cyber Assets
• In general, the CIP team will examine specific configurations, as required by the Standards

EACMS – Common Examples
• EAP: Firewalls
• AAA Servers
• Token Servers
• IDS/IPS devices
• Domain Controllers
• SIEM Devices
• IS: Terminal Servers

EACMS – Common Problems & Pitfalls
Entities may fail to:
• Ensure IRA protocols are sourced only from an IS
• Ensure system-to-system traffic is approved
• Ensure spanning is configured in HA architectures
• Disable access control rules for system maintenance
• Refine access permissions to EACMS devices to specific IP addresses
• Document reasons for granting access on EACMS
• Provide system hardening beyond required controls
• Address detection of malicious communications within encrypted communications through EAPs
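Added example, not from the deck or any firewall vendor: a Python audit of a constructed EAP rule set against four of the pitfalls listed above (IRA protocols not sourced from an IS, source "any" instead of specific addresses, no documented reason for the rule, and a temporary maintenance rule left enabled after its window closed). The rule fields, the ESP and Intermediate System address ranges, the port list treated as IRA protocols and the expiry convention are all assumptions for this example; a real rule export would be mapped into this shape first.

```python
import ipaddress
from datetime import date

# Assumed zones for the example: the ESP address space and the DMZ segment
# hosting the Intermediate System(s). Constructed values, not a real network.
ESP_NET = "10.10.0.0/16"
IS_NET = "10.20.30.0/24"

# Ports treated as Interactive Remote Access protocols (assumption):
# SSH, RDP and VNC.
IRA_PORTS = {22, 3389, 5900}

# Constructed EAP rule set. "expires" marks a temporary maintenance rule.
RULES = [
    {"id": 10, "src": "10.20.30.0/24", "dst": "10.10.0.0/16", "port": 22,
     "action": "permit", "reason": "IRA via Intermediate System", "expires": None},
    {"id": 20, "src": "10.50.1.25/32", "dst": "10.10.5.10/32", "port": 3389,
     "action": "permit", "reason": "Vendor RDP to HMI", "expires": None},
    {"id": 30, "src": "0.0.0.0/0", "dst": "10.10.5.20/32", "port": 502,
     "action": "permit", "reason": "", "expires": None},
    {"id": 40, "src": "10.60.0.5/32", "dst": "10.10.0.0/16", "port": 20000,
     "action": "permit", "reason": "Approved system-to-system DNP3 poll",
     "expires": None},
    {"id": 50, "src": "10.20.30.7/32", "dst": "10.10.5.30/32", "port": 22,
     "action": "permit", "reason": "Vendor maintenance window Sep 2018",
     "expires": "2018-09-30"},
    {"id": 999, "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": None,
     "action": "deny", "reason": "default deny", "expires": None},
]


def audit_eap_rules(rules, esp_net=ESP_NET, is_net=IS_NET, today=None):
    """Return {rule id: [issue, ...]} for permit rules into the ESP that show
    one of the pitfalls; rules with no issues are not listed."""
    today = today or date.today()
    esp = ipaddress.ip_network(esp_net)
    is_zone = ipaddress.ip_network(is_net)
    findings = {}
    for r in rules:
        if r["action"] != "permit":
            continue
        src = ipaddress.ip_network(r["src"], strict=False)
        dst = ipaddress.ip_network(r["dst"], strict=False)
        if not dst.overlaps(esp):
            continue  # not a rule permitting traffic into the ESP
        issues = []
        if src.prefixlen == 0:
            issues.append("source 'any' permitted into ESP; refine to specific addresses")
        if r["port"] in IRA_PORTS and not src.subnet_of(is_zone):
            issues.append("IRA protocol not sourced from the Intermediate System zone")
        if not r["reason"].strip():
            issues.append("no documented reason for granting access")
        if r["expires"] and date.fromisoformat(r["expires"]) < today:
            issues.append("maintenance rule past its expiry date is still enabled")
        if issues:
            findings[r["id"]] = issues
    return findings


if __name__ == "__main__":
    for rule_id, issues in audit_eap_rules(RULES, today=date(2018, 10, 23)).items():
        print(rule_id, issues)
```

The check is deliberately conservative: it only looks at permit rules whose destination overlaps the ESP, so outbound and management-plane rules need their own review, and a rule that is approved system-to-system traffic (rule 40 here) passes only because its port is not in the IRA list, which is why that list has to match the entity's own definition of IRA protocols.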
IS – What Is It?
A Cyber Asset or collection of Cyber Assets performing access control to restrict Interactive Remote Access to only authorized users. The Intermediate System must not be located inside the Electronic Security Perimeter. (NERC, Glossary, p. 17)
• To fully understand IS, we also need to understand Interactive Remote Access [IRA]

IRA – What Is It?
User-initiated access by a person employing a remote access client or other remote access technology using a routable protocol. Remote access originates from a Cyber Asset that is not an Intermediate System and not located within any of the Responsible Entity’s Electronic Security Perimeter(s) or at a defined Electronic Access Point (EAP). Remote access may be initiated from: 1) Cyber Assets used or owned by the Responsible Entity, 2) Cyber Assets used or owned by employees, and 3) Cyber Assets used or owned by vendors, contractors, or consultants. Interactive remote access does not include system-to-system process communications. (NERC, Glossary, p. 16)

IS – Where is It?
• Per the Glossary definition, the IS Cyber Asset(s) must be located outside the ESP
• Encrypted IRA data sessions may only be established by an authorized user
[Diagram labels: Untrusted External Network; Typically Unencrypted; May Be Encrypted; Must be Encrypted]

IS – Complex Configuration
Graphic (TDI Technologies, n.d., EACMS Whitepaper, used for educational purposes only) retrieved from https://www.tditechnologies.com/wp-content/uploads/2017/03/TDi-CIP-005-CIP-007-CIP-010_2-1.pdf, p. 6

IS – Common Problems & Pitfalls
• Installing applications with capability to directly operate one or more elements of the BCS on the IRA client and/or on the IS
• Failing to ensure all IS Cyber Assets are afforded applicable EACMS protections
• Allowing back channel communications into the ESP that bypass the IS and/or EACMS
IDS/IPS – What Is It?
An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any malicious activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources, and uses alarm filtering techniques to distinguish malicious activity from false alarms. Some IDS products have the ability to respond to detected intrusions. Systems with response capabilities are typically referred to as an Intrusion Prevention System [IPS]. (Wikipedia)

IDS/IPS – Where Is It?
Where are they generally located?
• Network intrusion detection systems (NIDS)
  • May be located on either or both sides of the EAP/EACMS to monitor inbound and outbound traffic
• Host intrusion detection systems (HIDS)
  • Located on mission critical servers to monitor traffic to/from that specific server
• Intrusion Prevention System [IPS]
  • IPS often sits directly behind the firewall and provides a complementary layer of analysis that negatively selects for dangerous content
  • Unlike IDS, IPS is placed inline (in the direct communication path between source and destination), actively analyzing and taking automated actions on all traffic flows that enter the network

IDS/IPS – Typical Configuration (NIDS/HIDS)
[Diagram labels: Untrusted Networks; Layer 3 Switch]

IDS/IPS – Common Problems & Pitfalls
• Require experienced technicians to administer IDS/IPS, recognize and act on threats
• Entities may fail to regularly review IDS/IPS logs to analyze cyber intrusions
• High false positive rates can contribute to noise that inures system operators to actual intrusions
• Attack signatures must be updated regularly
Serial Gateway – What Is It?
Serial Gateway
• In the context of the Grid, typically an Ethernet-serial communication processor that collects and formats data from field processing units, such as relays, over serial connections and communicates with remote EMS/SCADA systems over a routable protocol for transmission between sites.

Serial Gateway – Where is It?
Where are they generally located?
• Typically in substations to aggregate data from serially connected relays and other IEDs for transmission to EMS/SCADA systems
• May also be located in generation stations as part of Distributed Control Systems [DCS] to collect data from multiple points

Serial Gateway – Typical Configuration
• Generally has capability to allow personnel to configure relays and other serial devices remotely
• May also have dial-up capability, depending on configuration and location
• Modem may or may not be in ESP, depending on connection to gateway
[Diagram labels: Event Recorder; Serial Gateway]

Serial Gateways – Common Problems & Pitfalls
• Failure to classify the gateway as a BCA when accessed through an EAP/EACMS
• Failure to classify routable gateways and serial relays as a BCS
Dial-up Gateways & Modems – What Is a Dial-up Gateway?
Many remote substations are accessible only through a standard analog telephone connection. For those situations, the Dial-up Gateway enables sharing a single substation telephone line between devices, such as modems connected to fault locating relays, meters, etc.

Dial-up Gateways & Modems – What Is a Modem?
A modem (modulator–demodulator) is a network hardware device that modulates one or more carrier wave signals to encode digital information for transmission and demodulates signals to decode the transmitted information. Modems can be used with any means of transmitting analog signals, from light-emitting diodes to radio. A common type of modem is one that turns the digital data of a computer into a modulated electrical signal for transmission over telephone lines, demodulated by another modem at the receiver side to recover the digital data. (Wikipedia)

Dial-up Gateways & Modems – Where are They?
• Typically used with POTS service
• Generally seen at remote substations (Low impact BES Assets) that do not have higher speed access methods
• Dial-up gateways can serve as a required authentication point as prescribed by
  • CIP-005-5 (Part R1.4, p. 7)
  • CIP-003-7 (Attachment 1, Section 3.2, p. 22)

Dial-up Gateways & Modems – Common Problems & Pitfalls
• A BCS with Dial-Up Connectivity is reachable via an auto-answer modem with an unchanged default password
• A BCS has a wireless card on a public carrier with a public IP address
• A BCA has dual-homed interface cards, one of which may be an accessible modem, and IP forwarding is enabled by default
• Dial-up connectivity is directly to a modem or modem bank with no authentication gateway
TCA – What Is It?
Transient Cyber Asset
• A Cyber Asset that (i) is capable of transmitting or transferring executable code, (ii) is not included in a BES Cyber System, (iii) is not a Protected Cyber Asset (PCA), and (iv) is directly connected (e.g., using Ethernet, serial, Universal Serial Bus, or wireless, including near field or Bluetooth communication) for 30 consecutive calendar days or less to a BES Cyber Asset, a network within an ESP, or a PCA. (NERC, Glossary, p. 32)

TCA – Common Examples
Examples of Transient Cyber Assets include, but are not limited to, Cyber Assets used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes:
• Backup drives
• Relay technician’s laptop
• Network packet sniffer
• Vulnerability scanning tools and software

RM – What Is It?
Removable Media [RM]
• Storage media that (i) are not Cyber Assets, (ii) are capable of transferring executable code, (iii) can be used to store, copy, move, or access data, and (iv) are directly connected for 30 consecutive calendar days or less to a BES Cyber Asset, a network within an ESP, or a Protected Cyber Asset. (NERC, Glossary, p. 27)

TCA/RM – Where are They?
Where are TCA/RM generally located?
• Locations can vary widely across the entity’s system
• TCAs can be assigned to individuals or groups, for use at multiple BES Assets
  • Relay technician laptops
  • Communication department laptop
• TCA/RM may reside at applicable BES assets and be connected as needed to specific BCA
  • Substation maintenance workstation/laptop
  • Substation A’s thumb drive
• RM devices are ubiquitous and travel easily in pockets, briefcases, laptop bags, purses, etc.

TCA/RM – Associated Standards
• CIP-010-2 R4, Attachment 1
  • High and Medium impact BCS
  • Section 1: TCA managed by the entity
  • Section 2: TCA managed by third-parties
  • Section 3: RM
• CIP-003-7 R2, Attachment 1
  • Low impact BCS
  • Section 5: Malicious Code Mitigation

RM – Common Examples
Examples include, but are not limited to:
• USB flash drives
• Floppy disks
• Compact disks
• External hard drives
• Other flash memory cards/drives that contain nonvolatile memory

TCA/RM – Common Problems & Pitfalls
• Ensure TCAs are managed in defined methods, e.g. on-demand versus on-going
• Ensure devices are authorized per plan
• Recommend developing tracking methodology to ensure devices are not connected to applicable Cyber Assets for more than 30 consecutive calendar days
• Retain evidence the entity is following plans
  • e.g., if RM is scanned prior to being connected to BCA/PCA, capture artifact of scan(s)
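Added example, not from the deck: one way to implement the tracking methodology recommended above, in Python, over constructed TCA/RM connection records. It measures each connection session in consecutive calendar days (both the first and the last day count), measures still-open sessions up to an as-of time, and flags devices that have exceeded the 30-day limit from the Glossary definitions quoted above or are approaching it. The device names, timestamps, record layout and the 25-day early-warning threshold are assumptions for this example.

```python
from datetime import datetime

# Limit from the TCA and RM Glossary definitions quoted above.
MAX_CONSECUTIVE_DAYS = 30
# Early-warning threshold; an assumption for this example, not a requirement.
WARN_DAYS = 25

# Constructed connection records: (device, connected, disconnected or None if
# the device is still attached). Device names are made up for the example.
SAMPLE_CONNECTIONS = [
    ("LAPTOP-RELAY-01", "2018-09-01T08:00", "2018-09-03T17:00"),
    ("LAPTOP-RELAY-01", "2018-10-20T08:00", None),
    ("USB-SUBSTATION-A", "2018-09-01T09:00", "2018-09-30T16:00"),
    ("LAPTOP-COMM-02", "2018-09-20T07:30", None),
]


def calendar_days(start, end):
    """Consecutive calendar days spanned, counting both the first and last day."""
    return (end.date() - start.date()).days + 1


def track_connections(records, as_of):
    """Return {device: {"days": longest session in calendar days,
                        "status": OK | WARN | EXCEEDED,
                        "open": True if that session is still connected}}.

    Each session is counted on its own; a still-open session is measured up
    to as_of. Whether a brief disconnect restarts the count is a decision for
    the entity's TCA/RM plan and is not modelled here.
    """
    result = {}
    for device, connected, disconnected in records:
        start = datetime.fromisoformat(connected)
        end = datetime.fromisoformat(disconnected) if disconnected else as_of
        days = calendar_days(start, end)
        if days > result.get(device, {}).get("days", 0):
            if days > MAX_CONSECUTIVE_DAYS:
                status = "EXCEEDED"
            elif days >= WARN_DAYS:
                status = "WARN"
            else:
                status = "OK"
            result[device] = {"days": days, "status": status,
                              "open": disconnected is None}
    return result


if __name__ == "__main__":
    report = track_connections(SAMPLE_CONNECTIONS, datetime(2018, 10, 23, 12, 0))
    for device, info in report.items():
        print(device, info)
```

Because calendar days are counted inclusively, a device connected on the 1st and disconnected on the 30th of the same 30-day month has used the full 30 days; the WARN state exists so the device can be removed and re-evaluated before the limit, rather than discovered at audit. The same function can be fed from a CMDB or switch-port connection log, which also produces the retained evidence the slide asks for.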
General Best Practices
• Automate operations where feasible
• Implement an asset life-cycle inventory system, e.g. Configuration Management Database [CMDB]
• Implement consistent naming and labeling conventions for all Cyber Assets
• Ensure devices are evaluated for applicable Technical Feasibility Exceptions [TFE]
• Consider utilizing layer 3 to segregate BES Cyber Systems from other non-ESP networks

Essential Cyber Asset Review
Essential Cyber Assets:
• Are important components of the BCS
• Represent risk to the reliability of the BES
• Proper security measures will help ensure entities close the loop on the BCS

Table Group Discussion
In your table groups, please address these points (10 minutes):
• How do essential Cyber Assets impact your entity?
• Identify essential Cyber Assets in your environment
• How do you protect essential Cyber Assets?
• What are common problems and/or pitfalls?
• Prepare a debriefing statement
• Select a spokesperson to share your statement