Joe Andrews, MsIA, CISSP-ISSEP, ISSAP, ISSMP, CISA, PSP, Sr. Compliance Auditor – Cyber Security

Transcription

Joe Andrews, MsIA, CISSP-ISSEP, ISSAP, ISSMP, CISA, PSP
Sr. Compliance Auditor – Cyber Security
CIP-005-3 Audit Approach, ESP Diagrams, Industry Best Practices
September 24 – 25, 2013, Salt Lake City, Utah

Speaker Introduction: Joseph A. Andrews
- 21 years DoD IT & Information Security / Network Engineering (Federal Civilian)
  - Senior Information Systems Security Engineer
  - Information Assurance Program Manager
  - Network Security Engineer
  - Information Systems Security Officer
  - Etc.
- Academic
  - Master of Science in Information Security & Assurance
  - Bachelor of Science in IT/Information Security
  - Professional Certifications: CISSP-ISSEP, ISSAP, ISSMP, CISA, PSP, CAP, GCIH, C|CISO, C|EH, CNDA, CBRM, CGEIT, CompTIA Security+

CIP-005-3 Requirements Overview
- R1. Identify and document Critical Cyber Assets (CCAs) residing within an Electronic Security Perimeter (ESP), including Access Points (AP) to the ESP
- R2. Implement and document ESP access controls (i.e., Access Points; deny by default, ports & services, appropriate use banner)
- R3. Monitor and log access to the ESP
- R4. Conduct annual Cyber Vulnerability Assessment (CVA) of the Access Points to the ESP
- R5. Review, update, maintain CIP-005-3 relevant documentation


R1. Electronic Security Perimeter (ESP)
- Provides network segmentation and restricted access to Critical Cyber Assets within the SCADA and Process Control Network from the Enterprise/Corporate Network and any other untrusted networks and sources.
- It is the Access Point which establishes the Electronic Security Perimeter.

R1. Access Point (AP)
- An information system, device or appliance that provides access to and/or through (e.g., ingress or egress traffic) the ESP (e.g., firewall, gateway, control device with modem (TCP, UDP; Telnet, SSH, SSL, VPN, HTTP[S]))
- May provide access control, monitoring, alerting and/or logging of access to and/or through the ESP
  - May require intermediary device(s) for some of this functionality: Electronic Access Control and Monitoring (EACM) devices

ESP Graphical Depiction (figure)

ESP w/ DMZ Graphical Depiction (figure)

Discrete Electronic Security Perimeter
An Electronic Security Perimeter that is typically located in a single geographical location, which may be protected by a single Physical Security Perimeter (PSP) that may or may not traverse multiple rooms; in either case the cabling infrastructure is protected by the PSP and all rooms are afforded the protections of CIP-006.


Extended Electronic Security Perimeter
A single Electronic Security Perimeter that may be located in multiple geographical locations, or in multiple rooms of the same facility, protected by one or more Physical Security Perimeters (PSPs), where the cabling infrastructure may traverse multiple facility rooms or areas outside of an established PSP.


ESP-1 (Actual) Front Rack View (figure)

ESP-1 Front Rack View (CCAs Labeled) (figure)

Access Point Graphical Depiction (figure)

Access Point GUI & CLI Interface (figure)


R1. CAR-005
ICS components with serial and/or dial-up interfaces can be Access Points:
- A Front End Processor (FEP) or CCA serially connected to a component of another network beyond your control (e.g., another entity)
- A FEP or media converter device that uses the internet (e.g., IP; VPN, SSL, AES) to communicate
- Know the backend architecture of your ICS network!




YERSINIA (VLAN Exploit Tool)
Contrary to popular belief: VLANs were originally created as a network performance and organization feature, not a security feature.
- Dynamic Trunking Protocol (DTP) abuse
  - Cisco proprietary, no authentication, switches are in default auto-negotiate, sniff all VLAN traffic
- Trunking protocol (802.1Q and ISL) abuse
  - PVLAN hopping, double 802.1Q VLAN tagging
- Virtual Trunking Protocol (VTP) abuse
- Common Spanning Tree (CST) abuse
- Multiple other attacks

Trend: Legacy Networks to IP VPN
- Legacy SCADA Networks
  - Radio and leased line communication
  - RTUs serially connected to radio modem or leased line modem
  - Radio modem or leased line modem connected to Front End Processor (FEP) at control station
- Secure IP VPN (vendors are pushing)
  - IP network communications
  - RTU connected to multi-homed and multi-protocol devices (MPLS/Frame/IP; Fiber, Ethernet, VSAT)
  - Front End Processors are multi-homed, multi-protocol capable and scalable devices



Legacy Networks to IP VPN - WHY?
- It's cheaper
  - One-to-one hardware solutions are more expensive
- It's scalable & reliable (redundancy)
  - Multi-homed, multi-protocol and network-agnostic systems are scalable while eliminating single points of failure
- It's safer
  - VPN-IPsec, AES-256 versus unencrypted legacy serial communications
- It's still IP!
  - Susceptible to the same vulnerabilities plaguing traditional network architectures
  - We're not against it, we just need to check it

Hacking Satellite
Spanish cyber security researcher Leonardo Nve demonstrated at Black Hat the exploitation of (i.e., gaining access to and impersonating legitimate users of) satellite internet connections using less than $75 worth of tools, which can be purchased on eBay:
- (1) Skystar 2 PCI satellite receiver card, an open source Linux DVB software application, and the free network data analysis tool Wireshark.

EXTRA! EXTRA! Read all about it!
- US satellites hacked by Chinese military!
- The hacktivist group Anonymous hacks NASA satellite!
- Anonymous hacks Turkish satellite provider!
- Three states have demonstrated the ability to physically damage satellites by intercepting them: the US, Russia and China

R1. CCA, ESP and AP Enumeration
- Verify Critical Cyber Asset (CCA) list
- Verify Electronic Security Perimeter (ESP) designation documentation
- Verify Access Points of ESP documentation
- Cross reference CCA, ESP and AP documentation with network diagrams

R2. Access Point Checks
Access Point configuration analysis checks:
- Appropriate use banner configured (not on radar and not applicable for CIP v5)
- Deny by default statement
  - An automatic implicit "deny all" statement after explicit statements is standard for most new firewalls
- SNMP community string default (i.e., "PUBLIC")
- Access Control List is restrictive (e.g., no entire Class A IP range left open 255.255.0.0 (65K IP addresses), and justification for an entire Class C)
- Authorized ports and services
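As an added illustration of the R2 configuration checks above (my example, not part of the presentation), the script below runs the banner, default SNMP community string, overly broad ACL and deny-by-default checks over a constructed Cisco-IOS-style Access Point configuration. The sample config, the 256-address justification threshold and the wildcard-mask parsing are assumptions made for the demonstration.

```python
import re

# Constructed Access Point configuration in Cisco-IOS-like syntax (not taken from any real device).
SAMPLE_CONFIG = """\
hostname esp1-ap01
snmp-server community public RO
access-list 101 permit tcp 10.1.0.0 0.0.255.255 host 192.168.10.5 eq 22
access-list 101 permit tcp host 10.1.2.3 host 192.168.10.6 eq 502
access-list 101 permit udp any host 192.168.10.7 eq 161
"""
DEFAULT_COMMUNITIES = {"public", "private"}
JUSTIFY_ABOVE = 256          # assumption: anything wider than one Class C needs written justification
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.+)$")

def wildcard_size(wildcard: str) -> int:
    """Addresses matched by a Cisco wildcard mask, e.g. 0.0.255.255 -> 65536 (a /16)."""
    size = 1
    for octet in wildcard.split("."):
        size *= int(octet) + 1
    return size

def source_span(rest: str) -> int:
    """Address count of an ACL entry's source field: 'any', 'host A', or 'A WILDCARD'."""
    tokens = rest.split()
    if tokens[0] == "any":
        return 2 ** 32
    if tokens[0] == "host":
        return 1
    return wildcard_size(tokens[1])

def check_access_point(config: str) -> dict:
    """Run the R2 configuration checks and return findings grouped by check (empty lists = pass)."""
    findings = {"banner": [], "snmp": [], "acl": [], "deny_by_default": []}
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    if not any(ln.startswith("banner ") for ln in lines):
        findings["banner"].append("no appropriate use banner configured")
    last_entry = {}   # last statement seen per ACL number, to judge the trailing deny
    for ln in lines:
        m = re.match(r"^snmp-server community (\S+)", ln)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings["snmp"].append(f"default SNMP community string '{m.group(1)}'")
        m = ACL_RE.match(ln)
        if m:
            last_entry[m.group(1)] = (m.group(2), m.group(4))
            if m.group(2) == "permit" and source_span(m.group(4)) > JUSTIFY_ABOVE:
                findings["acl"].append(f"{ln}  (source covers {source_span(m.group(4))} addresses)")
    for acl, (action, rest) in last_entry.items():
        if not (action == "deny" and rest.endswith("any any")):
            findings["deny_by_default"].append(f"ACL {acl} has no explicit 'deny ip any any' (relies on implicit deny)")
    return findings
```

The sample configuration trips all four checks; a configuration with a banner, a non-default community string, host-scoped sources and a closing deny statement returns only empty lists.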

R3. AP Monitoring, Logging & Alerting
- Validate electronic & manual 24/7 monitoring, logging and alerting (including dial-up accessible CCAs with non-routable protocols)
  - Validate electronic and/or manual logs
  - Verify implemented technical solutions that are responsible for alerting appropriate personnel (i.e., SMTP, SIEM, log server, etc.)

NERC Industry Advisories
Remote Access Guidance:
- Use encrypted access controls for remote access
- Use multi-factor authentication
- Consider a proxy device as VPN termination point
- Implement logging and monitoring
- Etc.

NERC Guidance
Guidance for Secure Remote Access:
- Secure interactive remote access concepts
- Security practices and proposed solutions for secure interactive remote access
- Assessing the implementation of interactive remote access controls
- Network architecture decisions

R4. Annual Cyber Vulnerability Assessment (CVA) of APs to ESP
- Validate vulnerability assessment process documentation
- CVA criteria must address:
  - Authorized ports and services
  - Discovery of all Access Points to ESP
  - Review of controls, default accounts, passwords and network management community strings (PUBLIC)
  - For vulnerabilities discovered, establish a remediation action plan, and ensure the execution of the action plan

R4. Cyber Vulnerability Assessment
- The CVA summary report should specifically identify, by unique identifiers, the Access Points that were assessed.
- The auditors will ask for any raw evidence relevant to the assessment (e.g., automated scans, Access Point configurations).

R4. Cyber Vulnerability Assessment
- Auditors will cross reference the Access Point ports and services baseline with configuration
- Excess ports and services found during the CVA should be added to the CVA mitigation/remediation plan
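An added example (not from the presentation) of the R4 cross-reference just described: the authorized ports-and-services baseline, keyed by Access Point unique identifier, is compared with constructed CVA scan results, and every excess service or Access Point missing from the baseline becomes an action item carrying the status and completion date fields the auditors review. The identifiers, the baseline and the simplified scan format are assumptions.

```python
from dataclasses import dataclass

Service = tuple[str, int]   # (protocol, port)

# Constructed ports-and-services baseline keyed by Access Point unique identifier (not a real entity's).
BASELINE: dict[str, set[Service]] = {
    "ESP1-AP-01": {("tcp", 22), ("tcp", 502)},
    "ESP1-AP-02": {("tcp", 22), ("udp", 161)},
}

# Constructed CVA scan result in a simplified "AP_ID proto/port state" form (not real scanner output).
CVA_SCAN = """\
ESP1-AP-01 tcp/22 open
ESP1-AP-01 tcp/23 open
ESP1-AP-01 tcp/502 open
ESP1-AP-02 tcp/22 open
ESP1-AP-02 udp/161 open
ESP1-AP-02 tcp/80 open
ESP1-AP-02 tcp/443 closed
ESP1-AP-03 tcp/22 open
"""

@dataclass
class ActionItem:
    ap_id: str
    finding: str
    status: str = "Open"
    completion_date: str = "TBD"   # the auditors review every item; never leave these blank

def parse_scan(text: str) -> dict[str, set[Service]]:
    """Collect the open services the CVA discovered, keyed by Access Point identifier."""
    found: dict[str, set[Service]] = {}
    for line in text.splitlines():
        ap_id, svc, state = line.split()
        if state == "open":
            proto, port = svc.split("/")
            found.setdefault(ap_id, set()).add((proto, int(port)))
    return found

def cross_reference(baseline: dict, discovered: dict) -> list[ActionItem]:
    """Turn every excess service and every unbaselined Access Point into a remediation action item."""
    items = []
    for ap_id in sorted(set(baseline) | set(discovered)):
        if ap_id not in baseline:
            items.append(ActionItem(ap_id, "Access Point discovered by CVA but absent from baseline"))
            continue
        excess = discovered.get(ap_id, set()) - baseline[ap_id]
        for proto, port in sorted(excess):
            items.append(ActionItem(ap_id, f"excess service {proto}/{port}: disable or document justification"))
    return items
```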

Auditors will review Action Items
DON'T LEAVE BLANK!!

Action Item        Status        Completion Date

R5. Documentation Review and Maintenance
- Documentation reflects current configurations
- Documentation updated within 90 days of change to network or security controls
- Retain relevant access logs for at least 90 calendar days; however, in the instance of a Cyber Security Incident the retention window is approximately 3 years

References
- NERC Industry Advisory: Remote Access Guidance (2011). Retrieved from the North American Electric Reliability Corporation website on January 7, 2012, 0Analysis/A-2011-08-24-1Remote Access Guidance-Final.pdf
- NERC Guidance for Secure Interactive Remote Access (2011). Retrieved from the North American Electric Reliability Corporation website on January 7, 2012, 0Analysis/FINALGuidance for Secure Interactive Remote Access.pdf

Questions?
Joe Andrews, CISSP-ISSEP, ISSAP, ISSMP, CISA
Sr. Compliance Auditor – Cyber Security
Western Electricity Coordinating Council
jandrews[@]wecc[.]biz
Office: 801.819.7683
