
CIP-005-5 R1.5 Spring CIP Audit Workshop, April 14, 2016, Scott Pelfrey (PowerPoint presentation)



  1. CIP-005-5 R1.5 Spring CIP Audit Workshop, April 14, 2016
     Scott Pelfrey, CISA, CISSP, GISP, MBA, Senior Technical Auditor

  2. CIP-005-5 Part 1.5 – Learning Objectives
     - Terminology
     - Discussion of IPS/IDS & firewall
     - Questions answered
     - Overview of the Requirement
     - Audit approach by RF (ReliabilityFirst)
     Forward Together • ReliabilityFirst

  3. CIP-005-5 Part 1.5 – Terminology
     - BES Cyber Asset (BCA)
     - High Impact BES Cyber Systems (BCS)
     - Protected Cyber Asset (PCA)
     - Electronic Security Perimeter (ESP)
     - Electronic Access Point (EAP)
     - Intrusion Prevention System (IPS)
     - Intrusion Detection System (IDS)
     - Firewall

  4. CIP-005-5 Part 1.5 – Discussion
     - Firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS)

  5. CIP-005-5 Part 1.5 – Firewall
     - Firewall: analyzes packet headers and enforces policy
       • Policy based on:
         ‒ Protocol type
         ‒ Source address
         ‒ Destination address
         ‒ Source port
         ‒ Destination port
       • Transparent and fast (header-only inspection, no payload parsing)

  6. CIP-005-5 Part 1.5 – Firewall Details (1)
     - Capabilities
       • Single chokepoint for monitoring and for excluding attacks, unauthorized users, malware, viruses, etc.
       • Convenient platform for Internet functions that are not security related (NAT, for example)
       • Can log or audit ingress/egress activity
       • Stateful inspection
         ‒ Keeps a "directory" (state table) of TCP connections
         ‒ Allows incoming traffic only for "known" connections, i.e. flows already set up through the policy
         ‒ May also track TCP sequence numbers

  7. CIP-005-5 Part 1.5 – Firewall Details (2)
     - Limitations
       • Cannot protect against attacks that bypass the device (transient devices carried inside the perimeter)
       • May not fully protect against threats
         ‒ May be vulnerable to IP address spoofing, source-route attacks and tiny-fragment attacks
         ‒ Vulnerable to bugs in its own TCP/IP implementation
       • Improper configuration may lead to breaches
       • Wireless connections may circumvent the firewall

  8. CIP-005-5 Part 1.5 – Firewall Example
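The diagram on this slide did not survive extraction. As an added example written for this page (not ReliabilityFirst's code and not any vendor's), the Python below implements the firewall behaviour slides 5 through 7 describe: first-match evaluation of 5-tuple rules, an explicit deny-all closing the ruleset, and a connection "directory" that admits mid-flow or return traffic only for flows the policy already approved. It also covers the outbound case raised in the Question 1 answer later in the deck: a compromised BCA beaconing to an Internet address matches no documented rule and falls through to the default deny. All addresses, ports and the ESP prefix are constructed for the example.

```python
"""Stateful, deny-by-default packet filter in the style of an EAP firewall.
Added illustration for this page, not ReliabilityFirst's or any vendor's code.
Every address and port below is made up for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    new: bool = True  # True = first packet of a flow (TCP SYN); False = mid-flow traffic


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # None = any destination port
    reason: str            # documented communication need (CIP-005-5 R1 Part 1.3)

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and (self.src == "any" or ip_address(p.src) in ip_network(self.src))
                and (self.dst == "any" or ip_address(p.dst) in ip_network(self.dst))
                and (self.dport is None or self.dport == p.dport))


# Constructed policy: ESP is 10.10.0.0/24; the backup control center and the
# corporate historian live in the entity's own address space (10.20.0.0/16).
POLICY: List[Rule] = [
    Rule("allow", "tcp", "10.20.5.0/24", "10.10.0.5/32", 102, "ICCP from backup CC, normal ops"),
    Rule("allow", "tcp", "10.10.0.0/24", "10.20.9.12/32", 5432, "historian replication, outbound"),
    Rule("deny", "any", "any", "any", None, "explicit default deny"),  # what auditors look for
]

Flow = Tuple[str, str, int, str, int]


class StatefulFilter:
    """First-match rule evaluation for new flows; the connection table admits
    mid-flow and return traffic only for flows the policy already allowed."""

    def __init__(self, policy: List[Rule]) -> None:
        self.policy = policy
        self.table: Set[Flow] = set()
        self.log: List[Tuple[str, str, int, str, int]] = []

    @staticmethod
    def _flow(p: Packet) -> Flow:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> Flow:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def handle(self, p: Packet) -> str:
        if p.new:
            verdict = "deny"                      # nothing matched -> deny by default
            for r in self.policy:
                if r.matches(p):
                    verdict = r.action
                    break
            if verdict == "allow":
                self.table.add(self._flow(p))     # remember the approved flow
        else:
            # A packet claiming to belong to an existing flow (a forged ACK or
            # reply) is admitted only if that flow was set up through the policy.
            known = self._flow(p) in self.table or self._reverse(p) in self.table
            verdict = "allow" if known else "deny"
        self.log.append((verdict, p.src, p.sport, p.dst, p.dport))
        return verdict


def demo() -> dict:
    """Runs constructed traffic through the filter; returns the verdict per scenario."""
    fw = StatefulFilter(POLICY)
    return {
        # documented ICCP session: SYN in from the backup control center, reply out
        "iccp_in": fw.handle(Packet("tcp", "10.20.5.7", 40001, "10.10.0.5", 102)),
        "iccp_reply": fw.handle(Packet("tcp", "10.10.0.5", 102, "10.20.5.7", 40001, new=False)),
        # unsolicited 'reply' with no entry in the connection table (spoofing attempt)
        "forged_reply": fw.handle(Packet("tcp", "10.20.5.7", 40002, "10.10.0.5", 102, new=False)),
        # documented outbound historian push
        "historian_out": fw.handle(Packet("tcp", "10.10.0.5", 51000, "10.20.9.12", 5432)),
        # compromised BCA beaconing to an Internet address: no rule, default deny
        "c2_beacon_out": fw.handle(Packet("tcp", "10.10.0.9", 51515, "203.0.113.40", 443)),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:14s} {verdict}")
```

The forged-reply case is the point of the stateful "directory": a stateless filter that permitted established-looking traffic on port 102 would pass it, while the state table rejects anything not set up through an allow rule. The same table is what the slide's IP-spoofing limitation is about: an attacker who can predict the 5-tuple of a live flow can still inject into it, which is why tracking sequence numbers is listed as an extra.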

  9. CIP-005-5 Part 1.5 – IDS
     - Intrusion Detection System (IDS)
     - Analyzes packets, both header and payload, looking for known events
       • When a known event is detected, a log message detailing the event is generated; the packet itself is not blocked

  10. CIP-005-5 Part 1.5 – IDS Details (1)
      - Two physical types
        • Host-based
          ‒ Resident on one system
          ‒ Monitors only that system's activity
          ‒ Can detect both internal and external intrusions
        • Network-based
          ‒ Monitors particular network segments or devices
          ‒ May be inline (as part of another network device) or passive (fed a copy of the traffic through a tap or mirrored port)

  11. CIP-005-5 Part 1.5 – IDS Details (2)
      - Two detection types
        • Signature or rules detection
          ‒ Analyzes records for a match against current rules or signatures
          ‒ Requires constant signature updates to stay effective
          ‒ Issue: only knows known intrusions; new intrusions may not be found
        • Anomaly detection
          ‒ Builds a profile of normal behaviour or keeps thresholds
          ‒ Matches incoming packets against those profiles or thresholds
          ‒ Issue: may produce false positives during "extreme" events (legitimate but abnormal activity)
      - Events are generated from deviations found by either method

  12. CIP-005-5 Part 1.5 – IDS Example: Corporate Network

  13. CIP-005-5 Part 1.5 – IPS
      - Intrusion Prevention System (IPS): analyzes packets, both header and payload, looking for known events
        • When a known event is detected, the packet is rejected (dropped), not merely logged

  14. CIP-005-5 Part 1.5 – IPS Details (1)
      - Host-based
        • Resident on one system
        • Monitors only that system's activity
        • Can detect both internal and external intrusions
        • Uses both signature/rules and anomaly detection
        • Can be tailored for a specific purpose
          ‒ Web, database, general
        • May use a sandbox to monitor behaviour
        • May provide file, registry or I/O protection

  15. CIP-005-5 Part 1.5 – IPS Details (2)
      - Network-based
        • Inline IPS can discard packets or terminate TCP connections
        • Uses both signature/rules and anomaly detection
        • May provide content flow protection
        • Identifies malicious packets using multiple methods

  16. CIP-005-5 Part 1.5 – IPS Example: Host-Based IPS

  17. CIP-005-5 Part 1.5 – Differences (1)
      - Firewall: uses rules to "pass" traffic (looks for a rule that allows the packet through; otherwise it is denied)
      - IPS: uses rules to "block" traffic (looks for a rule that drops the packet; otherwise it passes)
      - Firewall and IPS are "control" devices, sitting inline and controlling packets
      - IDS is a "visibility" tool

  18. CIP-005-5 Part 1.5 – Differences (2)
      - IPS/IDS: the functional difference between the two is very subtle
      - IPS/IDS: sometimes it is only a configuration setting (alert only vs. alert and drop)
      - IPS/IDS: may or may not be physical modules
      - IPS/IDS: often functionally indistinguishable, even when they are two separate devices or modules
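To make the "only a configuration setting" point concrete, here is an added example written for this page (not ReliabilityFirst's code and not any product's): a small network sensor in Python that runs the two detection types from slide 11, signature matching over the payload and anomaly detection against a learned baseline plus a rate threshold, on one code path. The `mode` switch is the whole IDS/IPS difference: in `ids` mode a finding is logged and the packet passes; in `ips` mode the same finding drops it. The signatures, baseline flows, Modbus frames and addresses are all constructed; the final scenario shows the anomaly-detection caveat, a legitimate polling burst during an "extreme" event that an IPS would drop.

```python
"""Single-code-path network IDS/IPS: identical signature and anomaly checks in both
modes; the mode only decides whether a finding is logged or also dropped.
Added illustration for this page, not ReliabilityFirst's or any product's code.
Signatures, baseline flows, payloads and addresses are constructed."""
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed signatures over the payload (name -> regex).  The Modbus one keys on the
# MBAP header (protocol id 0x0000) followed by function code 0x10, Write Multiple Registers.
SIGNATURES: Dict[str, re.Pattern] = {
    "c2-beacon-user-agent": re.compile(rb"User-Agent: BEACON/\d"),
    "modbus-write-multiple-registers": re.compile(rb"^.{2}\x00\x00.{2}.\x10", re.S),
}

FlowKey = Tuple[str, str, int]  # (src, dst, dport)


class Sensor:
    def __init__(self, mode: str = "ids", rate_threshold: int = 20) -> None:
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.mode = mode
        self.rate_threshold = rate_threshold     # packets per source per window
        self.baseline: Set[FlowKey] = set()      # flows learned as normal
        self.counts: Counter = Counter()
        self.alerts: List[Tuple[str, str, str, str, int, str]] = []

    def learn(self, flows) -> None:
        """Anomaly profile: record which (src, dst, dport) triples are normal."""
        for src, dst, dport, _payload in flows:
            self.baseline.add((src, dst, dport))

    def inspect(self, src: str, dst: str, dport: int, payload: bytes) -> str:
        findings: List[Tuple[str, str]] = []
        for name, pat in SIGNATURES.items():         # signature/rules detection
            if pat.search(payload):
                findings.append(("signature", name))
        if (src, dst, dport) not in self.baseline:   # anomaly: never-seen flow
            findings.append(("anomaly", "new-flow"))
        self.counts[src] += 1
        if self.counts[src] > self.rate_threshold:  # anomaly: rate over threshold
            findings.append(("anomaly", "rate"))
        if not findings:
            return "pass"
        action = "drop" if self.mode == "ips" else "pass"   # the only IDS/IPS difference
        for kind, name in findings:
            self.alerts.append((kind, name, src, dst, dport, action))
        return action


# Constructed 'normal' traffic used to build the anomaly baseline.
READ_HOLDING_REGS = b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"
NORMAL = [
    ("10.20.5.7", "10.10.0.5", 102, b"ICCP"),
    ("10.10.0.5", "10.20.9.12", 5432, b"historian"),
    ("10.10.0.3", "10.10.0.20", 502, READ_HOLDING_REGS),   # HMI polling a PLC
]
WRITE_REGS = b"\x00\x01\x00\x00\x00\x0b\x01\x10\x00\x00\x00\x02\x04\x00\x01\x00\x02"
BEACON = b"GET / HTTP/1.1\r\nHost: 203.0.113.40\r\nUser-Agent: BEACON/2\r\n\r\n"


def demo(mode: str):
    """Same traffic through the sensor in the given mode; returns (verdicts, alerts)."""
    s = Sensor(mode, rate_threshold=5)
    s.learn(NORMAL)
    out = {
        "hmi_read": s.inspect(*NORMAL[2]),
        # register write from an engineering workstation never seen talking to the PLC
        "ews_write": s.inspect("10.10.0.77", "10.10.0.20", 502, WRITE_REGS),
        # compromised BCA beaconing outbound
        "beacon": s.inspect("10.10.0.9", "203.0.113.40", 443, BEACON),
    }
    # "Extreme" event: during a storm the HMI polls far faster than baseline.  The
    # rate check fires on legitimate traffic; in IPS mode that false positive drops it.
    out["storm_poll"] = [s.inspect(*NORMAL[2]) for _ in range(6)][-1]
    return out, s.alerts


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        verdicts, alerts = demo(mode)
        print(mode, verdicts, f"{len(alerts)} alerts")
```

Running both modes produces the same alert list; only the recorded action and the verdicts differ. That is the trade-off behind the later audit guidance: an inline IPS at the EAP satisfies "detect and block", but a tuned anomaly threshold that was fine on a quiet day can take down legitimate SCADA traffic during the event you most need it for, so entities often run signature rules inline and anomaly rules in alert-only mode.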

  19. CIP-005-5 Part 1.5 – IDS/IPS Management

  20. CIP-005-5 Part 1.5 – NGFW (1)
      - Next Generation Firewall (NGFW)
      - Newer concept
      - A single device converges firewall and IDS/IPS
      - Deep packet inspection of both header and payload in one action
      - Decision-making capabilities for policy enforcement

  21. CIP-005-5 Part 1.5 – NGFW (2)
      - Supports typical firewall capabilities (NAT, VPN, QoS, packet filtering)
      - Adds
        • Intrusion prevention
        • SSL/SSH inspection
        • Reputation-based malware detection
        • Application awareness
        • Signature-based antivirus

  22. CIP-005-5 Part 1.5 – NGFW (3)

  23. CIP-005-5 Part 1.5 – NGFW Single Pass Architecture

  24. CIP-005-5 Part 1.5 – Overview (1)

  25. CIP-005-5 Part 1.5 – Overview (2)
      - Applies only to Electronic Access Points (EAPs)
      - Applies only to EAPs for High Impact BCS and for Medium Impact BCS at Control Centers
        • specifically RC, BA, TO, GO
      - Best practice: apply it to all EAPs…

  26. CIP-005-5 Part 1.5 – Questions
      - A couple of questions answered first…

  27. CIP-005-5 Part 1.5 – Question 1
      - Why include outbound communications?

  28. CIP-005-5 Part 1.5 – Answer
      - A compromised BCA will try to communicate outward (Command and Control)
      - Controlling outbound traffic is the first level of defense to stop Command & Control (C&C) exploitation
      - Know what you connect to and limit traffic to those communication needs, which include:
        • Normal operations
        • Emergency operations
        • Support
        • Maintenance
        • Troubleshooting

  29. CIP-005-5 Part 1.5 – Question 2
      - Do we need two separate devices?
        • Part 1.5 is a direct result of FERC Order 706, Paragraphs 496-503
        • ESPs are required to have two DISTINCT security measures
        • Further explanation in FERC Order 706-A, paragraph 66: the requirement is for two separate and distinct electronic security measures for defense-in-depth (which does not necessarily mean two physical devices)

  30. CIP-005-5 Part 1.5 – Answer
      - Short answer: No.
      - CIP Version 5 FAQs: one or more METHODS are needed, not separate physical devices; the modules CAN reside on the same appliance

  31. CIP-005-5 Part 1.5 – Guidelines
      - Guidelines and Technical Basis overview

  32. CIP-005-5 Part 1.5 – Guidelines (1)
      - Large ranges of internal addresses are allowed (likewise ephemeral port ranges…)
      - You know what ranges are required: document them
      - Suggest permitting communication through the EAP to the entity's own address space ONLY, no Internet
      - Know what you talk to, both inside and outside the ESP: document it
      - Need to detect rogue connections and block them

  33. CIP-005-5 Part 1.5 – Guidelines (2)
      - "Deny by default": the auditor needs to see an explicit (or implicit) "deny all" in the ruleset
      - Direct serial or other non-routable connections are not included
      - Use common sense and due diligence
      - If the detection measure fails "open", the perimeter must still be protected: the two measures are distinct so that one failure or misconfiguration does not remove all perimeter protection
      - Show malicious traffic inspection: document it
      - Requires "deep packet inspection" (header and payload), not header-only filtering
      - Redundancy of firewalls does NOT count (two firewalls in series are not two distinct measures)
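The two Guidelines slides read as a checklist an auditor applies to the EAP ruleset export. As an added example written for this page (not ReliabilityFirst's audit tooling), the Python below runs that checklist over a constructed, vendor-neutral rule export: it confirms an explicit deny-all closes the ruleset, flags every permit without a documented communication need, flags permits whose source or destination is outside the entity's own address space (Internet reachable), and flags any/any permits that defeat deny-by-default. The export format, the entity address block `10.0.0.0/8` and the rules are all assumptions made for the example; a real review would map the vendor's native rule table into this shape first.

```python
"""Static ruleset review for the CIP-005-5 Part 1.3/1.5 audit points on the
Guidelines slides.  Added illustration for this page, not ReliabilityFirst's
tooling.  Export format, entity address space and rules are constructed."""
from ipaddress import ip_network
from typing import List, Tuple

# Assumed: everything the entity owns sits inside 10.0.0.0/8; anything else is 'Internet'.
ENTITY_SPACE = [ip_network("10.0.0.0/8")]

Rule = Tuple[int, str, str, str, str, str, str]  # (line, action, proto, src, dst, dport, reason)


def parse(text: str) -> List[Rule]:
    """One rule per line: action proto src dst dport [reason...]; '#' starts a comment."""
    rules: List[Rule] = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 5)
        if len(parts) < 5:
            raise ValueError(f"line {n}: expected 'action proto src dst dport [reason]'")
        action, proto, src, dst, dport = parts[:5]
        reason = parts[5].strip() if len(parts) == 6 else ""
        rules.append((n, action.lower(), proto.lower(), src, dst, dport, reason))
    return rules


def inside_entity(cidr: str) -> bool:
    """True only if the CIDR is wholly within the entity's address space."""
    if cidr == "any":
        return False
    net = ip_network(cidr, strict=False)
    return any(net.subnet_of(block) for block in ENTITY_SPACE)


def audit(text: str) -> List[Tuple[int, str]]:
    """Returns (line number, finding) pairs; an empty list means the ruleset is clean."""
    findings: List[Tuple[int, str]] = []
    rules = parse(text)
    if not rules:
        return [(0, "empty ruleset")]
    last = rules[-1]
    if not (last[1] == "deny" and last[2] == "any" and last[3] == "any" and last[4] == "any"):
        findings.append((last[0], "no explicit deny-all as final rule; "
                                  "confirm the platform's implicit deny and document it"))
    for n, action, proto, src, dst, dport, reason in rules:
        if action != "allow":
            continue
        if not reason:
            findings.append((n, "permit without a documented communication need"))
        if src == "any" and dst == "any":
            findings.append((n, "any/any permit defeats deny-by-default"))
            continue
        for label, cidr in (("source", src), ("destination", dst)):
            if not inside_entity(cidr):
                findings.append((n, f"{label} {cidr} is outside the entity's "
                                    f"address space (Internet reachable)"))
    return findings


# Constructed export of an EAP ruleset with several audit problems.
RULESET = """\
# action proto src            dst            dport reason
allow    tcp   10.20.5.0/24   10.10.0.5/32   102   ICCP from backup control center
allow    tcp   10.10.0.0/24   10.20.9.12/32  5432  historian replication
allow    tcp   10.10.0.0/24   any            443
allow    any   any            any            any   emergency vendor access
deny     any   any            any            any   default deny
"""

if __name__ == "__main__":
    for line, msg in audit(RULESET):
        print(f"line {line}: {msg}")
```

On the constructed export the review reports three findings: the port-443 permit has no documented need and reaches any destination, and the "emergency vendor access" rule is an any/any permit. Strip the final deny line and the review instead reports that no explicit deny-all closes the ruleset, which is the case where the auditor has to confirm and document the platform's implicit deny.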

  34. CIP-005-5 Part 1.5 – Audit Approach
      - ReliabilityFirst's audit approach

  35. CIP-005-5 Part 1.5 – Audit Approach (1)
      - For most entities the EAP is a firewall (Juniper, Cisco, Microsoft, Check Point, Palo Alto, Sophos, WatchGuard, Barracuda, many others…): the first line of defense
      - Entities may add modules, separate systems or taps to monitor ingress/egress traffic at the EAP
      - Detection of malicious communications may be host-based or network-based; that is the entity's decision: document it
      - Software/firmware updates
      - Change control for those updates
