Additional Considerations
Morgan King CISSP-ISSAP, CISA
Senior Compliance Auditor – Cyber Security
Transition Program
• Why is the Version 5 Transition Program needed?
– There are major changes between the current Version 3 and new Version 5 of the CIP standards, which were approved by the Federal Energy Regulatory Commission (FERC) on November 22, 2013. The Transition Program should help entities implement the Version 5 standards in a timely and efficient manner.
Slide 2
Western Electricity Coordinating Council
http://www.nerc.com/pa/CI/Pages/Transition-Program-FAQs.aspx
Transition Program
• How will entities not participating in the Implementation Study learn from the experiences of those involved in the Study?
– Throughout the Implementation Study, NERC will help participating entities address implementation challenges and develop lessons learned documentation. These lessons learned will be posted on this NERC web page. Webinars and workshops will also be held throughout the entire Transition Program.
http://www.nerc.com/pa/CI/Pages/Transition-Program-FAQs.aspx
Audits During the Transition Period
• August 12, 2014 – March 30, 2016
• CIP v3 controls that map to CIP v5
• Leverage IRA and ICE
• Verify progress and approach to CIP v5
– Area of concern
– Recommendation
• Provide outreach, not free consulting
Compliance and Enforcement Approach for the Transition Period
• NERC will therefore allow Responsible Entities to transition to the CIP V5 Standards, in whole or in part, during the Transition Period. In short, Responsible Entities may:
– (1) continue to comply with all of the CIP V3 Standards during the Transition Period, or
– (2) begin transitioning to compliance with some or all of the CIP V5 Standards
http://www.nerc.com/pa/CI/Documents/V3-V5%20Transition%20Guidance%20FINAL.pdf
Compliance and Enforcement Approach for the Transition Period
The goal is to support Responsible Entities’ implementation of the CIP V5 Standards as early as necessary to ensure that they may become fully compliant with the CIP V5 Standards by their effective date. (Section 2, pp. 2-3)
http://www.nerc.com/pa/CI/Documents/V3-V5%20Transition%20Guidance%20FINAL.pdf
Breaking LERC/ERC
• FERC NOPR
– Supply Chain
– Protecting communication links between control centers
– Adequacy of existing remote access controls in CIP Version 5
– Protections for Transient Devices at Low Impact
– Clearer descriptions and definitions of LERC
Breaking LERC/ERC
• CIP-003-6 Reference Model - 6 (Example)
– Layer 7 application layer break
– The Cyber Asset requires authentication and then establishes a new connection
• Protocol Break
• The expectation is that the non-BES Cyber Asset has provided a “protocol break” so that access to the low impact BES Cyber System is only from the non-BES Cyber Asset that is located within the asset containing the low impact BES Cyber System
FERC NOPR
• Seeks comments (and may direct modifications)
– purpose of the meaning of the term “direct” in relation to the phrases “direct user-initiated interactive access” and “direct device-to-device connection”
– implementation of the “layer 7 application layer break” contained in certain reference diagrams in the Guidelines and Technical Basis section of proposed Reliability Standard CIP-003-6
FERC NOPR
• Concern:
– It appears that guidance provided in the Guidelines and Technical Basis section of the proposed standard may conflict with the plain reading of the term “direct.”
– A conflict in the reading of the term “direct” could lead to complications in the implementation of the proposed CIP Reliability Standards, hindering the adoption of effective security controls for Low Impact BES Cyber Assets. Depending upon the responses received, we may direct NERC to develop a modification to the definition of Low Impact External Routable Connectivity.
NERC’s Response to NOPR
• As explained in the Technical Guideline and Basis section of proposed Reliability Standard CIP-003-6, the definition covers situations where a user or device could directly access a low impact BES Cyber Asset from outside the asset containing the low impact BES Cyber System absent a security break (e.g., without having to go through a firewall or another Cyber Asset).
NERC’s Response to NOPR
• Should comments to the NOPR indicate that there is confusion as to the meaning and application of LERC, NERC will take the necessary steps, such as issuing additional guidance or modifying the definition, to ensure entities can effectively and efficiently implement the proposed Reliability Standards.
External Routable Connectivity
• September 9th External Routable Connectivity Lesson Learned Posting
• Comment period closed October 9th
NERC Lesson Learned
Communications to BES Cyber Systems and BES Cyber Assets
Breaking ERC (two diagram slides; image content not preserved)
Associated EACMS
• Scenario 1
– The EACMS (Digi Server) is within an ESP and would be subject to the high water mark within that ESP
• Scenario 2
– The EACMS (Digi Server) is not within an ESP and would be associated with the impact rating of the RTU BCS for which it is performing the EACMS function
ERC Question
Can External Routable Connectivity be removed from a Cyber Asset by blocking all access to that Cyber Asset at the Electronic Access Point (EAP)?
Blocking ERC at EAP (diagram slide; image content not preserved)
ERC Defined
The ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection.
Access
• The use of the phrase “ability to access” in the definition implies that any communication path, whether direct or indirect, from outside the ESP to “PLC” would constitute External Routable Connectivity.
Approach
• If any Cyber Asset within an ESP has External Routable Connectivity, then all Cyber Assets within that ESP should be considered to have External Routable Connectivity.
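To make the ESP rules on the EACMS scenarios and the ERC question concrete, here is an added Python model (not from the WECC deck): ERC is derived from ESP membership rather than from per-asset blocking at the EAP, and an EACMS takes either the ESP high water mark or the rating of the BCS it serves. Asset names and the inventory are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

RATING = {"low": 0, "medium": 1, "high": 2}  # ordered so max() yields the high water mark

@dataclass
class Asset:
    name: str
    kind: str                       # "BCA", "PCA" or "EACMS"
    impact: Optional[str] = None    # impact rating of the BCS this BCA belongs to (BCA only)
    esp: Optional[str] = None       # ESP the asset sits in; None if outside every ESP
    reachable: bool = False         # a bi-directional routable path from outside the ESP reaches it
    protects: Optional[str] = None  # EACMS outside an ESP: the BCA it performs the EACMS function for

def find(assets: List[Asset], name: str) -> Asset:
    return next(a for a in assets if a.name == name)

def has_erc(assets: List[Asset], name: str) -> bool:
    """Approach above: ERC is an ESP-wide property. Blocking one asset at the EAP
    does not remove ERC while any peer in the same ESP is reachable."""
    a = find(assets, name)
    if a.esp is None:
        return a.reachable
    return any(p.esp == a.esp and p.reachable for p in assets)

def high_water_mark(assets: List[Asset], esp: str) -> str:
    """Highest impact rating of any BCA inside the ESP."""
    bcas = [p for p in assets if p.esp == esp and p.kind == "BCA" and p.impact]
    return max((p.impact for p in bcas), key=RATING.get)

def eacms_rating(assets: List[Asset], name: str) -> str:
    """Associated EACMS: inside an ESP the EACMS takes the ESP high water mark;
    outside, it takes the impact rating of the BCS it performs the EACMS function for."""
    a = find(assets, name)
    if a.esp is not None:
        return high_water_mark(assets, a.esp)
    return find(assets, a.protects).impact

# Constructed inventory (hypothetical names): one ESP holding a high and a
# medium BCA, a PLC blocked at the EAP, and a Digi server placed inside
# (scenario 1) or outside (scenario 2) the ESP.
INVENTORY = [
    Asset("ems-server", "BCA", impact="high", esp="esp-1", reachable=True),
    Asset("rtu-1", "BCA", impact="medium", esp="esp-1", reachable=True),
    Asset("plc-1", "BCA", impact="medium", esp="esp-1", reachable=False),
    Asset("digi-inside", "EACMS", esp="esp-1"),
    Asset("digi-outside", "EACMS", protects="rtu-1"),
    Asset("serial-relay", "BCA", impact="medium", reachable=False),
]
```

Run `has_erc(INVENTORY, "plc-1")` to see that the blocked PLC still carries ERC because its ESP peers do, and `eacms_rating` on the two Digi servers to see the high water mark versus the inherited RTU rating.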
CIP-007-6 R2, Part 2.4 Mitigation Plan
What constitutes a “revision to the plan” in the mitigation plan? For CIP Senior Manager or delegate approval, is it simply the end date, or is approval also needed if a task is added or removed?
Approach
• It is specifically the WHEN (timeframe) and the HOW (planned actions) in the mitigation plan. If either of those changes, consider it a “change of plan”
• Senior manager or delegate approval is required if the HOW or the WHEN of the mitigation plan changes
• Newly identified patch could be added to an existing mitigation plan
CIP-007-6 R3
• If utilizing application whitelisting in addition to utilizing AV for defense-in-depth, is testing of AV signatures still expected?
Approach
• Implementing an additional method (application whitelisting) to deter, detect or prevent malicious code under CIP-007-6 R3 does not negate Part 3.3: both are methods identified in Part 3.1, and the AV method uses ‘signatures or patterns’, so the entity would still be required to address ‘testing and installing the signatures or patterns.’
Mixed Impacts and Shared Storage
• Can we have Medium and High Impact BCS with virtual Cyber Assets on the same SAN Storage?
Mixed Impacts and Shared Storage (two diagram slides; image content not preserved)
http://bit.ly/1uKsrAS
Approach
• An entity can consider implementing a mixed trust SAN environment for virtual systems in Medium and High Impact BCSs.
• Hypervisor should be a BCA within an ESP and all associated guest workloads would be classified as associated Protected Cyber Assets to the High Impact BCS
• Consider SAN and virtual environment management taking place from within an ESP.
CIP-007-6 R2 Patch Management (diagram slide; image content not preserved)
April 1, 2016 and Patching
• If you haven’t already, assess security patches on newly identified CIP v5 BCA for applicability
• On or before April 1st 2016 develop a security patch management process
• Develop a baseline configuration of any security patches applied pursuant to CIP-010-2 R1, Part 1.1.4
• On or before May 5th 2016 assess security patches for applicability and either:
– Apply the patch on or before June 9th 2016, or
– Create a mitigation plan on or before June 9th 2016
April 1, 2016 and 90-day of Logs
• For the requirements requiring 90 consecutive calendar days of logs, do the 90 days of logs start from April 1, 2016, or is it required to have 90 consecutive days of logs prior to the CIP Version 5 compliance date of April 1, 2016?
April 1, 2016 and 90-day of Logs
• On or before April 1, 2016
– Verify an entity had one or more documented processes addressing 90 days of logs for all Applicable Systems
• On April 1, 2016 and after
– Verify the required control has been implemented for all Applicable Systems
Per Cyber Asset Capability
• Cyber Assets that meet the definition of a BES Cyber Asset but have limitations in their ability to protect the BES Cyber Assets with the entire suite of the CIP Version 5 Standards
• FERC also approved a new set of terms, “per (device/system) capability”
Per Cyber Asset Capability
• The SDT has also determined that there are some requirement parts that should not require a TFE, as certain parameters are not essential themselves, but should apply if a device is capable of the parameter
• Building upon this concept, NERC will extend the “per (device/system) capability” available in some of the CIP Version 5 Standards to all of CIP-007-6, CIP-009-6, and CIP-010-2 standards for rudimentary BES Cyber Assets found in substations and generating facilities
Example
• Pressure sensor that is microprocessor based, but lacks many of the features that the standards seek to protect
– lacks network accessible ports and services;
– does not authenticate users; and
– lacks the ability to log events.
• For these rudimentary BES Cyber Assets, NERC expects Responsible Entities to document the capabilities of the Cyber Assets and provide CIP Version 5 Standards protection commensurate with the Cyber Asset’s capabilities
CIP-007-6 R2 and CIP-007-6 R5
• If a Cyber Asset only supports a 6 character password length ‘per device capability’
• An available patch for the Cyber Asset would make it capable of an 8 character password
• Is the patch a security patch or a security “enhancement”?
Network Gear a BCA or PCA
• BES Cyber Asset definition – Availability ‘when needed’
• Demarcation is network gear inside an ESP and not the communication gear outside of the ESP
• For an entity’s one or more documented processes for BCA identification, consider an exclusion for network gear for BROS functionality
Communications and Networking Cyber Assets (two diagram slides; image content not preserved)
Interactive Remote Access
Is it permissible to directly login to an Intermediate System and then use the Intermediate System to access a BES Cyber System within an ESP?
Intermediate System Resides in a DMZ (two diagram slides; image content not preserved)
Interactive Remote Access
User-initiated access by a person employing a remote access client or other remote access technology using a routable protocol. Remote access originates from a Cyber Asset that is not an Intermediate System and not located within any of the Responsible Entity’s Electronic Security Perimeter(s) or at a defined Electronic Access Point (EAP). Remote access may be initiated from: 1) Cyber Assets used or owned by the Responsible Entity, 2) Cyber Assets used or owned by employees, and 3) Cyber Assets used or owned by vendors, contractors, or consultants. Interactive remote access does not include system-to-system process communications.
February 5, 2015 Western Electricity Coordinating Council
Interactive Remote Access
• Direct login to an Intermediate System is not prohibited
• Use of an Intermediate System to access Cyber Assets within an Electronic Security Perimeter is not prohibited
• Such access does not meet the definition of Interactive Remote Access; therefore CIP-005-5 R2 does not apply in this case
Control Consoles Designated as Intermediate Systems (diagram slide; image content not preserved)
Interactive Remote Access
• Intermediate System is required to be identified as an EACMS and protected accordingly
• Carefully review the capabilities of the Intermediate System to ensure it does not meet the definition of a BES Cyber Asset
Questions
Morgan King CISSP-ISSAP, CISA
Senior Compliance Auditor, Cyber Security
[email protected]
Cell: 801-608-6652