CIP-005-5 R1.5
Spring CIP Audit Workshop
April 14, 2016
Scott Pelfrey, CISA, CISSP, GISP, MBA
Senior Technical Auditor
CIP-005-5 Part 1.5 – Learning Objectives
• Terminology
• Discussion of IPS/IDS & firewall
• Questions Answered
• Overview of Requirement
• Audit Approach by RF
2 Forward Together • ReliabilityFirst
CIP-005-5 Part 1.5 – Terminology
• BES Cyber Asset (BCA)
• High Impact BES Cyber Systems (BCS)
• Protected Cyber Asset (PCA)
• Electronic Security Perimeter (ESP)
• Electronic Access Point (EAP)
• Intrusion Prevention System (IPS)
• Intrusion Detection System (IDS)
• Firewall
CIP-005-5 Part 1.5 – Discussion
Firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS)
CIP-005-5 Part 1.5 – Firewall
Firewall – Analyzes packet headers, enforces policy
‒ Policy based on:
  • Protocol Type
  • Source Address
  • Destination Address
  • Source Port
  • Destination Port
‒ Transparent and Fast
CIP-005-5 Part 1.5 – Firewall Details (1)
Capabilities
• Single point for monitoring, exclusion of attacks, unauthorized users, malware, viruses, etc.
• Convenient platform for Internet functions not related to security
• Can log or audit ingress / egress activities
• Stateful Inspection
‒ Keeps a “directory” of TCP connections
‒ Only allows incoming traffic for “known” connections
‒ May also keep track of TCP sequence numbers
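To make the two firewall slides concrete, here is a small stateful packet filter written as an added example (it is not part of the workshop material and not any vendor's implementation). It shows the policy keyed on protocol, addresses and ports, the implicit deny when no rule matches, and the “directory” of connections that admits return traffic only for flows the firewall has already seen. The ESP range, the rule and the packets in the demo are constructed for the illustration.

```python
"""Minimal stateful packet filter, added to illustrate the firewall slides:
policy keyed on protocol/addresses/ports, implicit deny when nothing
matches, and a connection "directory" that admits return traffic only for
known flows. Example code, not workshop material; all values constructed."""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False     # True for a TCP connection-opening segment


@dataclass(frozen=True)
class Rule:
    proto: str            # "tcp", "udp" or "any"
    src: str              # CIDR block
    dst: str              # CIDR block
    dport: Optional[int]  # None means any destination port
    action: str           # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("any", pkt.proto)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.connections = set()   # the "directory" of known flows (5-tuples)
        self.log = []              # ingress/egress audit trail: (verdict, packet)

    def _policy(self, pkt: Packet) -> str:
        """First matching rule wins; no match means the implicit deny-all applies."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"

    def filter(self, pkt: Packet) -> str:
        forward = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.connections or reverse in self.connections:
            verdict = "allow"      # continuation or return traffic of a known flow
        elif pkt.proto == "tcp" and not pkt.syn:
            verdict = "deny"       # mid-stream TCP segment with no known connection
        else:
            verdict = self._policy(pkt)
            if verdict == "allow":
                self.connections.add(forward)   # a newly permitted flow becomes "known"
        self.log.append((verdict, pkt))
        return verdict


def run_demo():
    """Constructed scenario: ESP hosts (10.10.1.0/24) may reach the entity's
    own address space (10.20.0.0/16) on TCP 443 and nothing else."""
    fw = StatefulFirewall([
        Rule("tcp", "10.10.1.0/24", "10.20.0.0/16", 443, "allow"),
    ])
    packets = [
        Packet("tcp", "10.10.1.5", "10.20.5.1", 51000, 443, syn=True),    # outbound, permitted by rule
        Packet("tcp", "10.20.5.1", "10.10.1.5", 443, 51000),              # reply to the known flow
        Packet("tcp", "10.20.5.1", "10.10.1.9", 443, 51000, syn=True),    # unsolicited inbound
        Packet("tcp", "10.10.1.5", "203.0.113.7", 51001, 443, syn=True),  # outbound beyond entity space
        Packet("tcp", "10.20.5.1", "10.10.1.9", 443, 51002),              # mid-stream segment, no state
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    print(run_demo())   # ['allow', 'allow', 'deny', 'deny', 'deny']
```

The second packet is admitted by state rather than by any rule, which is the whole point of the connection directory; the last three fall through to the implicit deny, including the outbound attempt to an address outside the entity's space.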
CIP-005-5 Part 1.5 – Firewall Details (2)
Limitations
• Cannot protect against attacks bypassing the device (Transient devices)
• May not fully protect against threats
‒ May be vulnerable to IP address spoofing, source route attacks & tiny fragment attacks
‒ Vulnerable to TCP/IP protocol bugs
• Improper configuration may lead to breaches
• Wireless connections may circumvent the firewall
CIP-005-5 Part 1.5 – Firewall Example
CIP-005-5 Part 1.5 – IDS
Intrusion Detection System (IDS) – Analyzes packets, both header and payload, looking for known events
‒ When a known event is detected, a log message is generated detailing the event
CIP-005-5 Part 1.5 – IDS Details (1)
Two Physical Types
• Host-Based
‒ Resident on one system
‒ Monitors only that system’s activity
‒ Can detect both Internal / External intrusions
• Network-Based
‒ Monitors particular network segments or devices
‒ May be inline (as part of another network device) or passive (copy of traffic through a tap or mirrored port)
CIP-005-5 Part 1.5 – IDS Details (2)
Two Detection Types
• Signature or Rules Detection
‒ Analyzes records for a match with current rules or signatures
‒ Requires constant updates for protection
‒ Issue: only knows known intrusions; new intrusions may not be found
• Anomaly Detection
‒ Builds a profile or keeps thresholds
‒ Matches incoming packets to profiles or thresholds
‒ Issue: May have false positives during “extreme” events
• Events generated from deviations of either
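The two detection types, and the issue noted for each, can be seen side by side in the following added example (not workshop material and not any IDS product's code). Signature detection only fires on patterns it has been given, so the constructed “never seen before” payload passes unnoticed; anomaly detection profiles normal per-window packet counts and flags sources above the profile, so a legitimate surge during an extreme event is flagged alongside the genuinely noisy source. The signatures, baseline counts and packet sample are all constructed.

```python
"""Signature and anomaly detection side by side, added to illustrate the two
detection types on the slide. Example code, not workshop material; the
signatures, baseline counts and packet sample are constructed."""
import re
import statistics
from collections import Counter

# Signature/rules detection: each entry names a known event and the byte
# pattern that identifies it in a payload. Only what is listed can be found.
SIGNATURES = {
    "cleartext-credential": re.compile(rb"password=\S+"),
    "deprecated-protocol-banner": re.compile(rb"^220 .*FTP", re.IGNORECASE),
}


def signature_detect(packets):
    """Return (event, source) for every payload that matches a known signature."""
    hits = []
    for src, payload in packets:
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                hits.append((name, src))
    return hits


def build_threshold(baseline_counts, k=3.0):
    """Profile "normal" as mean + k standard deviations of per-window packet counts."""
    mean = statistics.mean(baseline_counts)
    stdev = statistics.pstdev(baseline_counts)
    return mean + k * stdev


def anomaly_detect(packets, threshold):
    """Flag sources whose packet count in this window exceeds the profile."""
    counts = Counter(src for src, _ in packets)
    return sorted(src for src, n in counts.items() if n > threshold)


def run_demo():
    baseline = [12, 9, 11, 10, 13, 10]   # constructed: per-window packets from one source on normal days
    threshold = build_threshold(baseline)
    window = []
    window += [("10.10.1.10", b"GET /status HTTP/1.1")] * 11           # normal client
    window += [("10.10.1.20", b"GET /status?password=hunter2")] * 40   # noisy source that also leaks a credential
    window += [("10.10.1.30", b"alarm-burst")] * 30                    # legitimate surge during an "extreme" event
    window += [("10.10.1.40", b"never-seen-before-pattern")]           # novel event: no signature, so not found
    return {
        "signature_hits": sorted(set(signature_detect(window))),
        "anomalous_sources": anomaly_detect(window, threshold),
        "threshold": threshold,
    }


if __name__ == "__main__":
    result = run_demo()
    print("threshold: %.2f" % result["threshold"])
    print("signature hits:", result["signature_hits"])
    print("anomalous sources:", result["anomalous_sources"])
```

The output shows 10.10.1.30 flagged by the anomaly profile even though its traffic is benign (the false-positive issue), and 10.10.1.40 flagged by neither method (the unknown-intrusion issue); a real deployment generates events from both detectors and leaves the triage to the analyst.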
CIP-005-5 Part 1.5 – IDS Example (Corporate Network)
CIP-005-5 Part 1.5 – IPS
Intrusion Prevention System (IPS) – Analyzes packets, both header and payload, looking for known events
‒ When a known event is detected, the packet is rejected
CIP-005-5 Part 1.5 – IPS Details (1)
Host Based
• Resident on one system
• Monitors only that system’s activity
• Can detect both Internal / External intrusions
• Uses both Signature/Rules & Anomaly Detection
• Can be tailored for a specific purpose
‒ Web, Database, General
• May use a sandbox to monitor behavior
• May give file, registry, or I/O protection
CIP-005-5 Part 1.5 – IPS Details (2)
Network Based
• Inline IPS can discard packets or terminate TCP connections
• Uses both Signature/Rules & Anomaly Detection
• May provide content flow protection
• Identifies malicious packets using multiple methods
CIP-005-5 Part 1.5 – IPS Example (Host-Based IPS)
CIP-005-5 Part 1.5 – Differences (1)
• Firewall – uses rules to “pass” traffic through (looks for a rule to allow packets through)
• IPS – uses rules to “block” traffic (looks for a rule to drop packets)
• Firewall/IPS – “control” devices, sitting inline and controlling packets
• IDS – “visibility” tool
CIP-005-5 Part 1.5 – Differences (2)
• IPS/IDS – Functional difference between the two is very subtle
• IPS/IDS – Sometimes only a configuration setting
• IPS/IDS – May or may not be physical modules
• IPS/IDS – Often functionally indistinguishable (even if they are two separate devices or modules)
CIP-005-5 Part 1.5 – IDS/IPS Management
CIP-005-5 Part 1.5 – NGFW (1)
Next Generation Firewall (NGFW)
• Newer concept
• Single device converges FW and IDS/IPS
• Deep packet inspection of both Header and Payload in one action
• Decision-making capabilities for policy enforcement
CIP-005-5 Part 1.5 – NGFW (2)
Supports typical FW capabilities (NAT, VPN, QoS, packet filtering)
Adds
• Intrusion Prevention
• SSL / SSH inspection
• Reputation-based Malware detection
• Application Awareness
• Signature-based antivirus
CIP-005-5 Part 1.5 – NGFW (3)
CIP-005-5 Part 1.5 – NGFW Single Pass Architecture
CIP-005-5 Part 1.5 – Overview (1)
CIP-005-5 Part 1.5 – Overview (2)
• Applies only to Electronic Access Points (EAPs)
• Applies only to High/Medium Control Centers
‒ specifically RC, BA, TO, GO
• Best Practice – apply to all EAPs…
CIP-005-5 Part 1.5 – Questions
A couple of questions answered first…
CIP-005-5 Part 1.5 – Question 1
Why include outbound communications?
CIP-005-5 Part 1.5 – Answer
• Compromised BCA – outside communication (Command and Control)
• First level of defense to stop a Command & Control (C&C) exploit
• Know what you connect to and limit traffic to those communications; this needs to include:
‒ Normal Operations
‒ Emergency Operations
‒ Support
‒ Maintenance
‒ Troubleshooting
CIP-005-5 Part 1.5 – Question 2
Do we need two separate devices?
• Part 1.5 is a direct result of FERC Order 706, Paragraphs 496-503
• ESPs required to have two DISTINCT security measures
• Further explanation in FERC Order 706-A, paragraph 66 – requirement for two separate and distinct electronic devices (but that doesn’t necessarily mean two physical devices) for defense-in-depth
CIP-005-5 Part 1.5 – Answer
Short Answer: No.
CIP Version 5 FAQs – Need one or more METHODS… not physical devices… modules CAN reside on the same appliance
CIP-005-5 Part 1.5 – Guidelines
Guidelines and Technical Basis Overview
CIP-005-5 Part 1.5 – Guidelines (1)
• Large ranges of internal addresses allowed (ephemeral ports…)
• You know what ranges are required – (Document)
• Suggest communication through the EAP to the Entity’s address space ONLY – no internet
• Know what you talk to – both inside and outside of the ESP – (Document)
• Need to detect rogue connections and block them
CIP-005-5 Part 1.5 – Guidelines (2)
• “Deny by default” – need to see explicit (or implicit) “deny all” in ruleset
• Direct serial or non-routable connections not included
• Use common sense and due diligence
• Fail “open” but maintain perimeter protection
• Show malicious traffic inspection – (Document)
• Require “deep packet inspection”
• Redundancy of firewalls does NOT count
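The ruleset checks an auditor would make against the two Guidelines slides (an explicit or implicit “deny all”, outbound communication confined to the entity’s documented address space, and port ranges that are documented rather than left at “any”) can be scripted over an evidence export. The following is an added example, not workshop material and not any vendor's tool; the rule syntax is a constructed, vendor-neutral line format, and the entity address space, ESP range and sample ruleset are likewise constructed.

```python
"""Ruleset audit helper, added to illustrate checking an EAP ruleset for the
guideline points on these slides. Example code, not workshop material. The
rule syntax is a constructed, vendor-neutral format:
    <allow|deny> <proto|any> <src CIDR|any> <dst CIDR|any> <port|any>"""
import ipaddress

# Constructed: the entity's documented address space and its ESP range.
ENTITY_SPACE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12")]
ESP = ipaddress.ip_network("10.10.1.0/24")


def parse_rule(line):
    """Turn one rule line into a dict; 'any' is accepted for proto, addresses and port."""
    action, proto, src, dst, port = line.split()
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}


def _reaches_outside_entity(dst):
    """True if the destination includes any address outside the documented entity space."""
    if dst == "any":
        return True
    net = ipaddress.ip_network(dst)
    return not any(net.subnet_of(space) for space in ENTITY_SPACE)


def audit_ruleset(lines, default_policy="allow"):
    """Return a list of findings; an empty list means the guideline checks passed.
    default_policy is what the device does when no rule matches (the implicit deny)."""
    rules = [parse_rule(l) for l in lines if l.strip() and not l.startswith("#")]
    findings = []

    # Deny by default: either a terminal "deny any any" rule or a deny default policy.
    last = rules[-1] if rules else None
    explicit_deny_all = bool(last) and last["action"] == "deny" \
        and (last["src"], last["dst"]) == ("any", "any")
    if not explicit_deny_all and default_policy != "deny":
        findings.append("no explicit or implicit deny-all: traffic matched by no rule is allowed")

    for i, r in enumerate(rules, 1):
        if r["action"] != "allow":
            continue
        # Communication through the EAP should stay within the entity's address space.
        if _reaches_outside_entity(r["dst"]):
            findings.append(f"rule {i}: allows traffic to {r['dst']}, outside the documented entity address space")
        # Required port ranges should be known and documented, not left wide open.
        if r["port"] == "any":
            findings.append(f"rule {i}: destination port 'any'; required range should be documented and narrowed")
    return findings


# Constructed sample evidence export, not a real entity's configuration.
SAMPLE_RULESET = """\
# EAP ruleset export (constructed sample)
allow tcp 10.10.1.0/24 10.20.0.0/16 443
allow tcp 10.20.5.0/24 10.10.1.0/24 502
allow udp 10.10.1.0/24 any 123
allow tcp 10.10.1.0/24 10.20.9.0/24 any
deny any any any any
""".splitlines()


def run_demo():
    return audit_ruleset(SAMPLE_RULESET)


if __name__ == "__main__":
    for finding in run_demo():
        print("FINDING:", finding)
```

Running it on the sample reports the NTP rule whose destination is “any” (it would let the ESP reach the internet) and the rule with an open port range; dropping the terminal deny line without a deny default policy adds the deny-by-default finding. Redundant firewalls with identical rulesets would produce identical findings, which is one way of seeing why redundancy alone does not satisfy the second-method expectation.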
CIP-005-5 Part 1.5 – Audit Approach
ReliabilityFirst’s Audit Approach
CIP-005-5 Part 1.5 – Audit Approach (1)
• Most entities – EAP is a firewall (Juniper, Cisco, Microsoft, Check Point, Palo Alto, Sophos, WatchGuard, Barracuda, many others…) – first line of defense
• May add modules, separate systems, or taps to monitor ingress – egress traffic on the EAP
• May be host-based or network-based for malicious communications – Entity decision – (Document)
• Updates – Software / Firmware
• Change control for updates