cip 005 5 r1 5 spring cip audit workshop
play

CIP-005-5 R1.5 Spring CIP Audit Workshop April 14, 2016 Scott - PowerPoint PPT Presentation

Sep 21, 2022 •419 likes •813 views

CIP-005-5 R1.5 Spring CIP Audit Workshop April 14, 2016 Scott Pelfrey, CISA, CISSP, GISP, MBA Senior Technical Auditor CIP-005-5 Part 1.5 Learning Objectives Terminology Discussion of IPS/IDS & firewall Questions Answered

  1. CIP-005-5 R1.5 Spring CIP Audit Workshop April 14, 2016 Scott Pelfrey, CISA, CISSP, GISP, MBA Senior Technical Auditor

  2. CIP-005-5 Part 1.5 – Learning Objectives  Terminology  Discussion of IPS/IDS & firewall  Questions Answered  Overview of Requirement  Audit Approach by RF 2 Forward Together • ReliabilityFirst

  3. CIP-005-5 Part 1.5 – Terminology  BES Cyber Asset (BCA)  High Impact BES Cyber Systems (BCS)  Protected Cyber Asset (PCA)  Electronic Security Perimeter (ESP)  Electronic Access Point (EAP)  Intrusion Prevention System (IPS)  Intrusion Detection System (IDS)  Firewall 3 Forward Together • ReliabilityFirst

  4. CIP-005-5 Part 1.5 – Discussion  Firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) 4 Forward Together • ReliabilityFirst

  5. CIP-005-5 Part 1.5 - Firewall  Firewall – Analyzes packet headers, enforces policy ‒ Policy based on: • Protocol Type • Source Address • Destination Address • Source Port • Destination Port ‒ Transparent and Fast 5 Forward Together • ReliabilityFirst

  6. CIP-005-5 Part 1.5 – Firewall Details (1)  Capabilities • Single point for monitoring, exclusion of attacks, unauthorized users, malware, viruses, etc. • Convenient platform for Internet functions not security related • Can log or audit ingress / egress activities • Stateful Inspection ‒ Keeps “directory” of TCP connections ‒ Only allows incoming traffic for “known” connections ‒ May also keep track of TCP sequence numbers as well 6 Forward Together • ReliabilityFirst

  7. CIP-005-5 Part 1.5 – Firewall Details (2)  Limitations • Cannot protect against attacks bypassing device (Transient devices) • May not fully protect against threats ‒ May be vulnerable to IP address spoofing, source route attacks & tiny fragment attacks ‒ Vulnerable to TCP/IP protocol bugs • Improper configuration may lead to breaches • Wireless connections may circumvent firewall 7 Forward Together • ReliabilityFirst

  8. CIP-005-5 Part 1.5 – Firewall Example 8 Forward Together • ReliabilityFirst

  9. CIP-005-5 Part 1.5 – IDS  Intrusion Detection System (IDS)  Analyzes packets – both header and payload – looks for known events ‒ known event detected; a log message generated detailing event 9 Forward Together • ReliabilityFirst

  10. CIP-005-5 Part 1.5 – IDS Details (1)  Two Physical Types • Host-Based ‒ Resident on one system ‒ M onitors only that system’s activity ‒ Can detect both Internal / External intrusions • Network-Based ‒ Monitors particular network segments or devices ‒ May be inline (as part of another net device) or passive (copy of traffic through tap or mirrored port) 10 Forward Together • ReliabilityFirst

  11. CIP-005-5 Part 1.5 – IDS Details (2)  Two Detection Types • Signature or Rules Detection ‒ Analyze records for match with current rules or signatures ‒ Requires constant updates for protection ‒ Issue: only knows known intrusions, new intrusions may not be found • Anomaly Detection ‒ Builds profile or keeps thresholds ‒ Matches incoming packets to profiles or thresholds ‒ Issue: May have false positives during “extreme” events • Events generated from deviations of either 11 Forward Together • ReliabilityFirst

  12. CIP-005-5 Part 1.5 – IDS Example Corporate Network 12 Forward Together • ReliabilityFirst

  13. CIP-005-5 Part 1.5 – IPS  Intrusion Prevention System (IPS) analyzes packets – both header and payload – looks for known events ‒ known event detected the packet is rejected 13 Forward Together • ReliabilityFirst

  14. CIP-005-5 Part 1.5 – IPS Details (1)  Host Based • Resident on one system • M onitors only that system’s activity • Can detect both Internal / External intrusions • Uses both Signature/Rules & Anomaly Detection • Can be tailored for specific purpose ‒ Web, Database, General • May use sandbox to monitor behavior • May give file, registry, or I/O protection 14 Forward Together • ReliabilityFirst

  15. CIP-005-5 Part 1.5 – IPS Details (2)  Network Based • Inline IPS can discard packets or terminate TCP connections • Uses both Signature/Rules & Anomaly Detection • May provide content flow protection • Identifies malicious packets using multiple methods 15 Forward Together • ReliabilityFirst

  16. CIP-005-5 Part 1.5 – IPS Example Host-Based IPS 16 Forward Together • ReliabilityFirst

  17. CIP-005-5 Part 1.5 – Differences (1)  Firewall – use of rules to “pass” traffic through (looking for a rule to allow packets through)  IPS – use of rules to “block” traffic through (looking for a rule to drop packets)  Firewall/IPS – “control” devices, sitting inline and controlling packets  IDS – “visibility” tool 17 Forward Together • ReliabilityFirst

  18. CIP-005-5 Part 1.5 – Differences (2)  IPS/IDS – Functional difference very subtle between two  IPS/IDS – Sometimes only configuration setting  IPS/IDS – May or may not be physical modules  IPS/IDS – Often functionally indistinguishable (even if they are two separate devices or modules) 18 Forward Together • ReliabilityFirst

  19. CIP-005-5 Part 1.5 – IDS/IPS Management 19 Forward Together • ReliabilityFirst

  20. CIP-005-5 Part 1.5 – NGFW (1)  Next Generation Firewall (NGFW)  Newer concept  Single device converges FW and IDS/IPS  Deep packet inspection of both Header and Payload in one action  Decision-making capabilities for policy enforcement 20 Forward Together • ReliabilityFirst

  21. CIP-005-5 Part 1.5 – NGFW (2)  Supports typical FW capabilities (NAT, VPN, QoS, packet filtering)  Adds • Intrusion Prevention • SSL / SSH inspection • Reputation-based Malware detection • Application Awareness • Signature-based antivirus 21 Forward Together • ReliabilityFirst

  22. CIP-005-5 Part 1.5 – NGFW (3) 22 Forward Together • ReliabilityFirst

  23. CIP-005-5 Part 1.5 – NGFW Single Pass Architecture 23 Forward Together • ReliabilityFirst

  24. CIP-005-5 Part 1.5 – Overview (1) 24 Forward Together • ReliabilityFirst

  25. CIP-005-5 Part 1.5 – Overview (2)  Applies to only Electronic Access Points (EAPs)  Applies only to High/Medium Control Centers • specifically RC, BA, TO, GO  Best Practice – apply to all EAPs… 25 Forward Together • ReliabilityFirst

  26. CIP-005-5 Part 1.5 – Questions  A couple of questions answered first… 26 Forward Together • ReliabilityFirst

  27. CIP-005-5 Part 1.5 – Question 1  Why include outbound communications? 27 Forward Together • ReliabilityFirst

  28. CIP-005-5 Part 1.5 – Answer  Compromised BCA – outside communication (Command and Control)  First level of defense to stop Command & Control (C&C) exploit  Know what you connect to and limit traffic to those communications needs to include: • Normal Operations • Emergency Operations • Support • Maintenance • Troubleshooting 28 Forward Together • ReliabilityFirst

  29. CIP-005-5 Part 1.5 – Question 2  Do we need two separate devices? • Part 1.5 direct result of FERC Order 706, Paragraphs 496-503 • ESPs required to have two DISTINCT security measures • Further explanation in FERC Order 706-A, paragraph 66 - requirement for two separate and distinct electronic devices (but that doesn’t necessarily mean two physical devices) for defense-in-depth 29 Forward Together • ReliabilityFirst

  30. CIP-005-5 Part 1.5 - Answer  Short Answer: No.  CIP Version 5 FAQs – Need one or more METHODS… not physical devices… modules CAN reside on same appliance 30 Forward Together • ReliabilityFirst

  31. CIP-005-5 Part 1.5 – Guidelines  Guidelines and Technical Basis Overview 31 Forward Together • ReliabilityFirst

  32. CIP-005-5 Part 1.5 – Guidelines (1)  Large ranges of internal addresses allowed (ephemeral ports…)  You know what ranges are required – (Document)  Suggest communication through EAP to Entities address space ONLY – no internet  Know what you talk to – both inside and outside of ESP – (Document)  Need to detect rogue connections and block 32 Forward Together • ReliabilityFirst

  33. CIP-005-5 Part 1.5 – Guidelines (2)  “Deny by default” – need to see explicit (or implicit) “deny all” in ruleset  Direct serial or non-routable connections not included  Use common sense and due diligence  Fail “open” but maintain perimeter protection  Show malicious traffic inspection – (Document)  Require “deep packet inspection”  Redundancy of firewalls does NOT count 33 Forward Together • ReliabilityFirst

  34. CIP-005-5 Part 1.5 – Audit Approach  ReliabilityFirst’s Audit Approach 34 Forward Together • ReliabilityFirst

  35. CIP-005-5 Part 1.5 – Audit Approach (1)  Most entities – EAP is firewall (Juniper, Cisco, Microsoft, Check Point, Palo Alto, Sophos, WatchGuard, Barracuda, many others…) - first line of defense  May add modules, separate systems, taps to monitor ingress – egress traffic on EAP  May be host-based or network-based for malicious communications – Entity decision – (Document)  Updates – Software / Firmware  Change control for updates 35 Forward Together • ReliabilityFirst

Recommend

Conducting The Field Audit The Field Audit Conducting IFTA / IRP 2005 Annual Audit Workshop

Conducting The Field Audit The Field Audit Conducting IFTA / IRP 2005 Annual Audit Workshop

Conducting The Field Audit The Field Audit Conducting IFTA / IRP 2005 Annual Audit Workshop Workshop IFTA / IRP 2005 Annual Audit Wayne Brown Mark Byrne Joel Foreman Russ Jakes Rick LaRose 1/20/2005 1 Introduction REVIEW OF RECORD

867 views • 66 slides
Audit Sub-Committee Workshop Members of the Regions Audit Sub Committee & Halton

Audit Sub-Committee Workshop Members of the Regions Audit Sub Committee & Halton

Audit Sub-Committee Workshop Members of the Regions Audit Sub Committee & Halton Community Housing Corporations (HCHC) Audit Committee April 10, 2019 Presented by: Cyndy Winslow, Director, Financial Services & Payroll Karen

547 views • 54 slides
Single Audit Training Workshop Assessing Single Audit Quality of Local Governments in Virginia

Single Audit Training Workshop Assessing Single Audit Quality of Local Governments in Virginia

Single Audit Training Workshop Assessing Single Audit Quality of Local Governments in Virginia _____________________________________ August 6, 2015 Michael A. Sidell, CGFM Audit Supervisor Auditor of Public Accounts Quote The goal is to

496 views • 49 slides
Task: Draw up an audit programme Please take the following facts and instructions as a basis: The

Task: Draw up an audit programme Please take the following facts and instructions as a basis: The

Audit Case Workshop about applying the checklist on Financial Audit of Public Procurement Task: Draw up an audit programme Please take the following facts and instructions as a basis: The audit plan for the next six months includes an audit of

229 views • 5 slides
Community College Audit and Fiscal Compliance Workshop VAVRINEK, TRINE, DAY & CO., LLP May

Community College Audit and Fiscal Compliance Workshop VAVRINEK, TRINE, DAY & CO., LLP May

Community College Audit and Fiscal Compliance Workshop VAVRINEK, TRINE, DAY & CO., LLP May 23, 2017 Audit Responsibilities Overview An annual financial statement and compliance audit of California Community College Districts is

295 views • 28 slides
Network - Edinburgh workshop 2016 Tim Bridle 14 September 2016 Areas to cover New audit

Network - Edinburgh workshop 2016 Tim Bridle 14 September 2016 Areas to cover New audit

CIPFA Pensions Network - Edinburgh workshop 2016 Tim Bridle 14 September 2016 Areas to cover New audit appointments & code Overview of other stakeholder activity The annual reports and accounts 2015-16 Audit issues arising

1.14k views • 50 slides
Farmersville, Texas Audit Presentation September 30, 2017 Presented By: Louis Breedlove, Audit

Farmersville, Texas Audit Presentation September 30, 2017 Presented By: Louis Breedlove, Audit

Farmersville, Texas Audit Presentation September 30, 2017 Presented By: Louis Breedlove, Audit Manager June 26, 2018 1 OVERVIEW OF THE AUDIT PROCESS Audit Planning and Risk Assessment Audit Standards The audit was performed in

425 views • 13 slides
Section 3 Risk ASJ Stages of an Audit Audit Approaches ASJ In this approach, audit

Section 3 Risk ASJ Stages of an Audit Audit Approaches ASJ In this approach, audit

ASJ Section 3 Risk ASJ Stages of an Audit Audit Approaches ASJ In this approach, audit resources are targeted on testing large volumes of transactions and account balances without any particular focus on specified Substantive areas of

271 views • 16 slides
Presentation on Bank Audit Audit Procedures, LFAR, Tax Audit, Certification , Demonetization etc.

Presentation on Bank Audit Audit Procedures, LFAR, Tax Audit, Certification , Demonetization etc.

Presentation on Bank Audit Audit Procedures, LFAR, Tax Audit, Certification , Demonetization etc. VIP Chartered Accountants Study Circle By Rishi Khator FCA, CPA(US), CIFRS March 26, 2017 Traditional banking to high level financial

868 views • 64 slides
ACF Audit Resolution Process and Areas of Interest in Grants Administration, Head Start, TANF,

ACF Audit Resolution Process and Areas of Interest in Grants Administration, Head Start, TANF,

ACF Audit Resolution Process and Areas of Interest in Grants Administration, Head Start, TANF, Foster Care, and Child Support Enforcement NEAR Single Audit Workshop August 6, 2015 ACF Presenters Sharon Sims , Team Lead, Audit Resolution /

433 views • 10 slides
OpenAFS Audit Interface Enhancements Cheyenne Wills OpenAFS 2019 Workshop 1 Overview

OpenAFS Audit Interface Enhancements Cheyenne Wills OpenAFS 2019 Workshop 1 Overview

OpenAFS Audit Interface Enhancements Cheyenne Wills OpenAFS 2019 Workshop 1 Overview Multiple Interfaces Multiple Instances of an interface New FIFO (named pipe) interface Collecting information from the audit facility 2

422 views • 17 slides
Striving Towards a Better PRESENTATION HERE> Audit in 2017 Who we are At Audit Solutions

Striving Towards a Better PRESENTATION HERE> Audit in 2017 Who we are At Audit Solutions

<INSERT TITLE OF Striving Towards a Better PRESENTATION HERE> Audit in 2017 Who we are At Audit Solutions Queensland, our focus is on providing a comprehensive, independent and efficient audit process. Our difference is our personal

606 views • 59 slides
Audit Partner Characteristics, Audit Quality and Audit Pricing in the U.S. Ally Zimmerman,

Audit Partner Characteristics, Audit Quality and Audit Pricing in the U.S. Ally Zimmerman,

Audit Partner Characteristics, Audit Quality and Audit Pricing in the U.S. Ally Zimmerman, Northern Illinois University, azimmerman5@niu.edu Al Nagy, John Carroll University, alnagy@jcu.edu 2016 Deloitte/KU Audit Symposium, May 20 8/16/2016 1

553 views • 17 slides
Audit Committee denvergov.org/Auditor Timothy M. O'Brien, CPA, Auditor 2 Audit Committee

Audit Committee denvergov.org/Auditor Timothy M. O'Brien, CPA, Auditor 2 Audit Committee

1 Audit Committee denvergov.org/Auditor Timothy M. O'Brien, CPA, Auditor 2 Audit Committee Affordable Housing Audit December 2018 Jared Miller, Audit Supervisor Pat Schafer, Audit Supervisor Shaun Wysong, Senior Auditor Chris Wilson,

485 views • 47 slides
MUS Workforce Data Reporting Performance Audit Audit Conducted by the Montana Legislative Audit

MUS Workforce Data Reporting Performance Audit Audit Conducted by the Montana Legislative Audit

MUS Workforce Data Reporting Performance Audit Audit Conducted by the Montana Legislative Audit Division Presented to the Montana Legislature, Legislative Audit Committee on February 2, 2016 Office of the Commissioner of Higher Education

605 views • 25 slides
Dependent Eligibility Audit Dependent Eligibility Audit Purpose: The dependent eligibility audit

Dependent Eligibility Audit Dependent Eligibility Audit Purpose: The dependent eligibility audit

Quick Guide to the Dependent Eligibility Audit Dependent Eligibility Audit Purpose: The dependent eligibility audit will help us comply with regulatory requirements and control costs by confirming that only eligible dependents receive coverage

506 views • 6 slides
Top 10 Retirement Plan Audit Problems 2017 Annual Educa1on Conference, Breakout Session 1 Academy

Top 10 Retirement Plan Audit Problems 2017 Annual Educa1on Conference, Breakout Session 1 Academy

SEBC Spring Annual Educa1on 2014 Conference Top 10 Retirement Plan Audit Problems 2017 Annual Educa1on Conference, Breakout Session 1 Academy of Medicine March 30 9 am Introduc1ons Barry Klein Hillary Collier Plan Audit Partner Plan Audit

362 views • 13 slides
TAM Audit for BRC August 2015 TAM Audit 2015 ? Purpose: Close 2014 TAM Audit Inspect

TAM Audit for BRC August 2015 TAM Audit 2015 ? Purpose: Close 2014 TAM Audit Inspect

TAM Audit for BRC August 2015 TAM Audit 2015 ? Purpose: Close 2014 TAM Audit Inspect TAM KPIs Sign-off 2014B Universe Update LSM issues on TAM Panel Improve HH weighting efficiency Preparing TAMS for the future

703 views • 27 slides
Audit in Screening Dr LS Wilkinson What is clinical audit? Clinical audit is a process that has

Audit in Screening Dr LS Wilkinson What is clinical audit? Clinical audit is a process that has

South West London Breast Screening Service London, UK Audit in Screening Dr LS Wilkinson What is clinical audit? Clinical audit is a process that has been defined as "a quality improvement process that seeks to improve patient care and

517 views • 23 slides
Percentage of Residents 100% 80% Initial audit 60% Re- audit 40% 20% 0% MUST on MUST

Percentage of Residents 100% 80% Initial audit 60% Re- audit 40% 20% 0% MUST on MUST

Percentage of Residents 100% 80% Initial audit 60% Re- audit 40% 20% 0% MUST on MUST MUST Care plan Factors Snacks Food admission accuracy monthly reviewed affecting and drinks fortified monthly food Audit Standards

511 views • 3 slides
Rollout of revised TTM audit Workshop housekeeping Emergency CoPTTM 4 th edition Phones

Rollout of revised TTM audit Workshop housekeeping Emergency CoPTTM 4 th edition Phones

18/09/2017 Rollout of revised TTM audit Workshop housekeeping Emergency CoPTTM 4 th edition Phones procedures Switch off or set to vibrate Toilets Electronic Start and finish devices times No browsing on the internet Tea and lunch

173 views • 15 slides
Framework for Audit Quality Framework for Audit Quality Key Elements that Create an Environment

Framework for Audit Quality Framework for Audit Quality Key Elements that Create an Environment

Framework for Audit Quality Framework for Audit Quality Key Elements that Create an Environment for Audit Quality Jon Grant Page 1 Background to the Audit Quality Project For an external audit to fulfill its objective the users of

297 views • 15 slides
GPs at SEA A train the trainer workshop for people supporting Significant Event Audit in

GPs at SEA A train the trainer workshop for people supporting Significant Event Audit in

GPs at SEA A train the trainer workshop for people supporting Significant Event Audit in General Practice e: academy@yhahsn.nhs.uk/ t: 01274 383926 www.improvementacademy.org Or visit our Academy Office: Bradford Institute for Health

898 views • 74 slides
2018 Annual Audit Report to the Commission GCPUD Audit Department 11/13/18 1 Meeting

2018 Annual Audit Report to the Commission GCPUD Audit Department 11/13/18 1 Meeting

2018 Annual Audit Report to the Commission GCPUD Audit Department 11/13/18 1 Meeting Objectives: 1. Principles of Audit Plan Development 2. Status of the 2018 Audit Plan 3. Review 2019 Audit Plan 4. Moving Forward GCPUD Audit Department

807 views • 60 slides

More recommend