Relation to other standards
• CIP-005 -- Access Point focused
  o TO and THROUGH the access points
  o Ensure adequate controls are in place to protect the Access Points
  o Ensure access THROUGH the Access Point is controlled (bi-directional restrictive controls)
• CIP-007 – ESP cyber asset focused
  o TO every cyber asset within the ESP
  o TO and THROUGH infrastructure devices (switches/routers) within the ESP (not the access point)
  o Ensure adequate security controls are implemented on all cyber assets within the ESP to provide protections for the CCAs within the ESP
  o End Point security (authentication, AV, logging, etc.)
Relation to other standards
[Diagram: EMS Electronic Security Perimeter. CIP-005 applies at the Access Points (CorpNet router/firewall, EMS WAN router/firewall); CIP-007 applies to every cyber asset inside the ESP (CCA switches, EMS servers, file server, access control server, workstations, printer).]
Audit Approach – What are we looking for?
• Performance evidence for all requirements and sub-requirements
  o Logs
  o Emails
  o Screenshots
  o Configuration files
  o Testing evidence
  o CVA assessment report
  o Change control evidence
  o Anything else that demonstrates compliance
Audit Approach – What are we looking for?
• Auditors are fact finders – we want to see all pertinent facts
• Entity must demonstrate compliance
• We want to see documented processes and procedures
• We want to see an auditable trail of evidence
• Evidence should be in common application formats (.pdf, text, Word, Excel – please export Visio drawings to .pdf)
Audit Approach – What are we looking for?
• Actively manage all cyber assets in the ESPs
  o Testing – changes to devices require security testing
  o Configurations – current baselines, ports/services, etc.
  o Updates – process, procedures, testing and implementation
  o Anti-Virus/Anti-Malware – current and active
  o Manage user access – process, procedures, shared/default accounts
  o Logging and Alerts – active, reviewed, response
  o Device inventory management – disposal and redeployment
• Vulnerability Assessment – all devices, annually
• Document, Document, Document – is there an audit trail?
Audit Approach – What are we looking for?
• Security controls overview
• Testing procedures for all cyber assets including actual testing evidence
• Architectural drawings
• Ports and services documentation
• Log files for the 90 days prior to notice of audit
• Alert configurations and evidence of performance and response
Audit Approach – What are we looking for?
• User access list and logging of security events
• Current Anti-Virus/Anti-Malware status – demonstrate active and current
• Bookend data – proof of performance for the previous period (annual) – R5.1.1, R5.1.3, R5.3.3, R8, R9
• Approvals and signatures for policy and procedures
Audit Approach – What are we looking for?
• Vulnerability Assessment evidence
• Raw files
• Vulnerability Assessment findings mitigation evidence
• Destruction and redeployment evidence
Audit Approach – What are we looking for?
• 6.56 Auditors must obtain sufficient, appropriate evidence to provide a reasonable basis for their findings and conclusions …
• 6.57 … In assessing the sufficiency of evidence, auditors should determine whether enough evidence has been obtained to persuade a knowledgeable person that the findings are reasonable.
• 6.60 Appropriateness is the measure of the quality of evidence that encompasses the relevance, validity, and reliability of evidence used for addressing the audit objectives and supporting findings and conclusions …
GAGAS – Government Auditing Standards (2011 Revision): www.gao.gov/govaud/iv2011gagas.pdf
Audit Approach – What are we looking for?
• Clarification of evidence – RSAW, procedures, performance data, etc.
• Missing evidence – performance and/or procedures
• Bookend evidence (R5.1.1, R5.1.3, R5.3.3, R8, R9)
• Attestations
Ensuring the auditors have sufficient and appropriate evidence to determine and support the findings
Audit Approach – What are we looking for?
• Describe … various requirement procedures and processes (testing, production-like testing, Anti-Virus management, Vulnerability Assessment process, Alerting process, logging controls, ports and services identification, configuration management, etc.)
• Describe your access management controls
• Any questions that are a result of evidence analysis (explanation and clarification)
Interviews often lead to additional data requests
Additional Resources – tools, tasks, tips …
• WECC outreach presentations website
  o https://www.wecc.biz/compliance/outreach/Pages/default.aspx
• WECC Compliance website – note country links
  o http://www.wecc.biz/compliance/Pages/default.aspx
Additional Resources – tools, tasks, tips …
• WECC – call us with questions – prefer use of the WECC CIP SME list for a specific standard
  http://www.wecc.biz/compliance/United_States/Documents/WECC%20Subject%20Matter%20Experts%20List.pdf
Additional Resources – tools, tasks, tips …
We are here as a resource for you
• CIPUG events
• WECC.biz and NERC.com
  o Google is your friend – watch out for dis-info
• Audit Notice – Appendix G
• Tools
  o OS tools: netstat
  o Network scanners: nmap, Nessus
  o Vulnerability and penetration tools: Nessus, Core Impact, Metasploit
  o Assessments: CSET
Additional Resources – tools, tasks, tips …
• Cyber Security Evaluation Tool (CSET)
  o Department of Homeland Security (DHS) tool that provides users with a systematic and repeatable approach for assessing the security posture of their cyber systems and networks
  o High-level and detailed questions related to all industrial control and IT systems
  o At no extra cost; paid for by our tax dollars
  http://www.us-cert.gov/control_systems/csetdownload.html
Additional Resources – tools, tasks, tips …
• Mapping Document Showing Translation of CIP-002-4 to CIP-009-4 into CIP-002-5 to CIP-009-5, CIP-010-1, and CIP-011-1
  o Note: CIP-003-3 thru CIP-009-3 are similar to the CIP-00x-4 series
  o http://www.nerc.com/docs/standards/sar/Mapping_Document_for_CIP_V5_Clean_(2012-0911).pdf
CIP-007-3a Cyber Security – System Security Management
• Summary of Agenda
  o Requirement Overview
  o Why do we need it?
  o Overview – What is it?
  o What makes it so difficult?
  o Relation to other standards
  o Audit Approach – What are we looking for?
  o Additional Resources – tools, tasks, tips …
Questions?
Eric Weston
Compliance Auditor, Cyber Security
Western Electricity Coordinating Council (WECC)
Eweston@wecc.biz
Phone: 801-819-7630

Wally Magda, CISSP, PSP, CISA
Compliance Auditor - Cyber Security
Western Electricity Coordinating Council (WECC)
wmagda@wecc.biz
Mobile: 385-227-0724
CIP 101 Training
CIP-007-3a Cyber Security – System Security Management
September 24-25, 2013, Salt Lake City, UT
Eric Weston, Compliance Auditor, Cyber Security
Wally Magda, CISSP, PSP, CISA, Compliance Auditor, Cyber Security
WECC CIP-101 Disclaimer
• The WECC Cyber Security team has created a sample Registered Entity, Billiam Power Company (BILL), and fabricated evidence to illustrate key points in the CIP audit processes.
• Any resemblance of BILL to any actual Registered Entity is purely coincidental.
• All evidence presented, auditor comments, and findings made in regard to BILL during this presentation and the mock audit are fictitious, but are representative of audit team activities during an actual audit.
Mock Audit Approach
• Review of the WECC audit approach by the auditors for each CIP-007-3 requirement
• Review of 'Billiam' Evidence
• Sample Data Requests
• Sample Interview questions
• Discussion and interactive audit of requirements
Data Retention
• Per Data Retention in Standard section 1.4
• "The Responsible Entity shall keep all documentation and records from the previous full calendar year …"
• Does that statement give you a documentation "get out of jail card" for the full audit period?
Data Retention
• The Registered Entity will be expected to demonstrate compliance [for the entire audit period]
• If a Reliability Standard specifies a document retention period that does not cover [the entire audit period], the Registered Entity will not be found in noncompliance solely on the basis of the lack of specific information that has rightfully not been retained based on the retention period specified in the Reliability Standard
Data Retention
• However, in such cases, the Compliance Enforcement Authority will require the Registered Entity to demonstrate compliance [for the entire audit period] through other means
  o (NERC, 2013 June 25, Compliance Monitoring and Enforcement Program: Appendix 4C, Section 3.1.4.2, para 2, p. 9)
• 90-day logs prior to the date of the audit notice letter
Terms used in NERC Reliability Standards
• Cyber Assets – Programmable electronic devices and communication networks including hardware, software, and data.
• Critical Cyber Assets – Cyber Assets essential to the reliable operation of Critical Assets.
• Electronic Security Perimeter – The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.
Catch-All Requirements
• CIP-005-3 R1.5 (EACMs)
  o Cyber Assets used in the access control and/or monitoring of the Electronic Security Perimeter(s) shall be afforded the protective measures as specified in Standard CIP-003-3; Standard CIP-004-3 Requirement R3; Standard CIP-005-3 Requirements R2 and R3; Standard CIP-006-3 Requirement R3; Standard CIP-007-3 Requirements R1 and R3 through R9; Standard CIP-008-3; and Standard CIP-009-3.
Catch-All Requirements
• CIP-006-3c R2.2 (PACS) Protection of Physical Access Control Systems — Cyber Assets that authorize and/or log access to the Physical Security Perimeter(s), exclusive of hardware at the Physical Security Perimeter access point such as electronic lock control mechanisms and badge readers, shall:
• R2.2. Be afforded the protective measures specified in Standard CIP-003-3; Standard CIP-004-3 Requirement R3; Standard CIP-005-3 Requirements R2 and R3; Standard CIP-006-3 Requirements R4 and R5; Standard CIP-007-3; Standard CIP-008-3; and Standard CIP-009-3.
CIP-002-3 R3
• Critical Cyber Asset (CCA) list(s), even if null, determined through review of all cyber assets associated with every identified Critical Asset. The review must include all criteria found in CIP-002-3 R3.
CIP-002-3 R3 Critical Cyber Asset List
CIP-002-3 R3 CCA list
CIP CONFIDENTIAL – Billiam EMS Architecture
[Diagram of the Billiam EMS architecture: Electronic Security Perimeters (CC1 EMS Net, BUCC EMS Net, SUB1) connected via the EMS WAN, BUCC WAN and CorpNet; Access Points ASA FW1 / RTR 1-2, ASA FW2 / RTR 4, ASA FW3 / RTR 3, DMZ1 PIX FW; CCAs labelled EMS 1-4, EMS 5-6, EMS Console 1-4, EMS Console 5-6, HPUX 1-2, ICCP 1-2, DC1, DC2, HMI-1, HMI-2, Relay 1-3, WKS1-2, WKS3, SW3, SW4, HP PTR1-2, Syslog1 (LogRhythm), WON.]
Is the Hypervisor in-scope?
• Any Hypervisor running a VM determined to be a CCA brings the Host in as a CCA
• In addition, ALL VM Cyber Assets on the Host machine are in-scope of the CIP Standards
Mixed-Mode
• Configuration where both in-scope and out-of-scope virtual Cyber Assets are running on the same hypervisor or host
• Mixing VMs of different trust levels is not a recommended configuration
[Diagram: CIP Protected (in-scope) VMs and Not CIP Protected (out-of-scope) VMs on one host]
CAN-0051 (in Development ????)
• CCA designation of the management console for virtual machine (VM) technology
  o With the Management Console having the capability of impacting the CCA VM Client, the Management Console should be considered a CCA
  o With the expanded usage of Virtual Machine technology it is in the best interest of the industry to have this clearly outlined to make sure the overall reliability of the BES is maintained
http://www.nerc.com/files/CAN%20Status%20and%20Priority%20List%2020120608.xls
http://www.nerc.com/page.php?cid=3|22|354
Virtual Machines & Storage
• Not a new CIP concept
• Cyber Assets that should be considered include, at a minimum:
  o Hardware platforms running virtual machines or virtual storage
    § Identifying Critical Cyber Assets, Version 1.0, pg. 6
    § Approved by: Critical Infrastructure Protection Committee; Effective Date: June 17, 2010
http://www.nerc.com/fileUploads/File/Standards/Critcal%20Cyber%20Asset_approved%20by%20CIPCl%20and%20SC%20for%20Posting%20with%20CIP-002-1,%20CIP-002-2,%20CIP-002-3.pdf
Cyber Assets – Identifying Critical Cyber Assets, Version 1.0, pg. 6
CIP-007-3 R1 – Test Procedures
• Test Procedures — The Responsible Entity shall ensure that new Cyber Assets and significant changes to existing Cyber Assets within the Electronic Security Perimeter do not adversely affect existing cyber security controls.
• Significant change shall, at a minimum, include:
  o security patches
  o cumulative service packs
  o vendor releases
  o version upgrades -- operating systems, applications, database platforms, or other third-party software or firmware.
[CIP-007-3 R1] Audit Approach – What are we looking for?
• Technical narrative describing testing environment(s)
• Documented testing procedures for each cyber asset within the ESP – must verify security controls (R1.1)
• Entity definition of "significant change"
• Evidence of security testing – not functional testing – before and after change evaluation
• How is the test environment similar/dissimilar to the production environment?
• Are controls in place to protect the production environment?
[CIP-007-3 R1] Audit Approach – What are we looking for? [continued]
• Definition of testing environment for each asset or asset type
• Testing and Change Control processes – integrated in CIP-003 R6?
• Define asset baselines – approved and documented configurations
• Documentation of testing being performed
  o what tests are performed and why
  o testing results (compared to baselines?)
  o approvals – clear processes and documentation trail to audit (R1.3)
[CIP-007-3 R1] Audit Approach – What are we looking for? [continued]
• Evidence that the test plans were followed
• Baselines updated as part of Testing Procedures – who/when/why/how
• Approvals prior to production
FERC NOPR
• P 609. " … the Commission understands that test systems do not need to exactly match or mirror the production system in order to provide useful test results. However, to perform active testing, the responsible entities should be required at a minimum to create a "representative system" – one that includes the essential equipment and adequately represents the functioning of the production system. … "
• P 609 states "representative system". No mention of using a production backup
Frequently Asked Questions (FAQ's)
• Original v1 FAQs developed in 2004
  o Filed with FERC in 2006
  o Good to help understand the original approach
• Tread carefully – the FAQ is not the final answer
• The FAQ is not the CIP
• Experience, lessons learned, and events analysis are factored into the audit approach and used in addition to the FAQs
§ http://www.nerc.com/pa/Stand/Cyber%20Security%20Permanent/Cyber_Security_FAQ.pdf
Frequently Asked Questions (FAQ's)
• 1. Question: Is an isolated test environment required?
  o Answer: Electronic isolation is not required; the test environment is not required to be outside the Electronic Security Perimeter. A controlled non-production system can be used.
  o Audit team: Will look at controls in place, expect thorough review
• 2. Question: Can a redundant system be used for testing?
  o Answer: The entity is responsible for determining the non-production systems in its environment. It is possible, depending on the entity's environment, that a redundant system can be used for testing if it can be configured such that it does not introduce additional risk to production operations.
  o Audit team: Key words: "such that it does not introduce additional risk"
What does v5 look like?
• CIP-007-3a R1 moved to CIP-010-1 R1.4
  o Assess security controls following changes – Provides clarity on when testing must occur, and requires additional testing to ensure that accidental consequences of planned changes are appropriately managed. This change addresses FERC Order No. 706, Paragraphs 397, 609, 610, and 611.
• CIP-007-3a R1.1 moved to CIP-010-1 R1.5
  o Test procedures – This requirement provides clarity on when testing must occur and requires additional testing to ensure that accidental consequences of planned changes are appropriately managed. This change addresses FERC Order No. 706, Paragraphs 397, 609, 610, and 611.
What does v5 look like?
• CIP-007-3a R1.2 moved to CIP-010-1 R1.5
  o Testing reflects production environment – This requirement provides clarity on when testing must occur and requires additional testing to ensure that accidental consequences of planned changes are appropriately managed. This change addresses FERC Order No. 706, Paragraphs 397, 609, 610, and 611.
• CIP-007-3a R1.3 moved to CIP-010-1 R1.4 & R1.5
  o The Responsible Entity shall document test results. The SDT attempted to provide clarity on when testing must occur and removed the requirement for specific test procedures because it is implicit in the performance of the requirement.
  o http://www.nerc.com/docs/standards/sar/Mapping_Document_for_CIP_V5_Clean_(2012-0911).pdf
CIP-007-3 R1 BPC Initial Evidence
[CIP-007-3 R1] Typical Data Requests
• Change Control log for the audit period
• Provide test procedures for each device type or system within the EMS networks (EMS servers, routers/switches, workstations, etc.) that are used to determine if security related changes have taken place (CIP-007-3 R1.1).
• Provide complete change control documentation (forms, baseline documents, testing procedures used, testing results documentation, approvals, etc.) for the following significant changes (NERC sampling methodology) [sample list]
• Performance of testing to obtain current configuration versus baseline. [sample list]
NERC Sampling Methodology
Confidence level for the Sampling Methodology is set at 95%
[CIP-007-3 R1] Interview Topics
• Are there specific test procedures for all cyber assets or groups of assets?
• Describe the test procedures – sample device types
• Describe the test environment and how testing closely reflects the production environment – controls to protect production
• How do you validate ports/services?
[CIP-007-3 R1] Interview Topics
• Have there been any significant changes during the audit period?
• Are there baseline configurations to compare test results against?
• Are there any circumstances where security testing must be performed on the production environment? How is it performed and what controls are in place?
R1 Audit Evidence Examples
• Windows Test Procedures
• Security test checklist
CIP-007-3 R1 Test Procedures
CIP-007-3 WMI Test Procedures
CIP-007-3 R1 BPC Security Checklist
CIP-007-3 R2 – Ports and Services
• The Responsible Entity shall establish, document and implement a process to ensure that only those ports and services required for normal and emergency operations are enabled.
  o Normal and Emergency operations
  o TFEs? – Compensating measures (R2.3)
ERO Compliance Analysis Report – Reliability Standards CIP-006 and CIP-007 -- December 2010
CIP-007
• Responsible Entities should work with all vendors of systems and applications of applicable cyber assets in their infrastructure to determine required ports and services. Most if not all vendors will have some form of documentation detailing this information.
http://www.nerc.com/files/ERO%20CIP-006%20and%20CIP-007%20Compliance%20Analysis%20Report%20for%20Posting.pdf
[CIP-007-3 R2] Audit Approach – What are we looking for?
• Documentation of procedures to identify and manage required ports/services
• What service is running on what port
  o TCP and UDP ports (listening and established states)
  o Vendor documentation may assist in defining required ports and services and their operational purpose
• Required ports defined and documented
  o Cyber Asset specific
• Normal or Emergency operational requirement?
• Are high-risk ports/services running?
[CIP-007-3 R2] Audit Approach – What are we looking for? [continued]
• Procedures to ensure only required ports/services are enabled for new/changed devices (R1)
• What tests are performed to validate correct configurations – who, when, how, tools (R1, R8)
• TFE required? Why not feasible, vendor evidence, compensating measures in place (R2.3)
CIP-007-3 R2 Initial Evidence

C:\HMI-1>netstat

Active Connections

  Proto  Local Address        Foreign Address       State
  TCP    HMI-1:2111           localhost:33333       ESTABLISHED
  TCP    HMI-1:3616           localhost:10525       ESTABLISHED
  TCP    HMI-1:5152           localhost:1573        CLOSE_WAIT
  TCP    HMI-1:10525          localhost:3616        ESTABLISHED
  TCP    HMI-1:33333          localhost:2111        ESTABLISHED
  TCP    HMI-1:netbios-ssn    172.16.105.1:56761    TIME_WAIT
  TCP    HMI-1:netbios-ssn    172.16.105.1:56762    TIME_WAIT
  TCP    HMI-1:netbios-ssn    172.16.105.1:56765    TIME_WAIT
  TCP    HMI-1:netbios-ssn    172.16.105.1:56766    TIME_WAIT
[CIP-007-3 R2] Typical Data Requests
• For the following servers and workstations (cyber assets) provide current "netstat" (netstat -b -o -a -n / netstat -p -a -l) or port scan (TCP/UDP) results. [sample list]
• For the following network devices, provide current configuration files (i.e., show run all) and ports and services running (scan results if they exist)
• Provide a spreadsheet identifying all cyber assets, associated TFEs, and associated requirements
[CIP-007-3 R2] Typical Interview Questions
• Describe the procedures used to identify the required ports/services
• Are vendors involved with the definition of required ports/services?
• Are there Cyber Assets on which ports and services cannot be disabled?
  o If so, what are the compensating measures in place?
R2 Audit Evidence Examples
• Netstat:
  o netstat -b -o -a -n > netstat_boan.txt
  o netstat -p -a -l > netstat_pal.txt
• NMAP scan results
  o nmap -sT -sV -p T:0-65535 <IP_address> >> nmap_tcp.txt
  o nmap -sU -sV -p U:0-65535 <IP_address> >> nmap_udp.txt
• show control-plane host open-ports
• Manual review – show run config file (router or firewall)
HMI-1 Baseline Evidence

C:\Documents and Settings\HMI-1> netstat -b -o -a -n > netstat_boan.txt

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  C:\WINDOWS\system32\svchost.exe
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  [System]
  TCP    0.0.0.0:6002           0.0.0.0:0              LISTENING       428
  [spnsrvnt.exe]
  TCP    0.0.0.0:7001           0.0.0.0:0              LISTENING       248
  [sntlkeyssrvr.exe]
  TCP    0.0.0.0:7002           0.0.0.0:0              LISTENING       248
  [sntlkeyssrvr.exe]
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1656
  [dirmngr.exe]
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       2484
  [alg.exe]
  TCP    127.0.0.1:5152         0.0.0.0:0              LISTENING       1764
  [jqs.exe]
  TCP    127.0.0.1:33333        0.0.0.0:0              LISTENING       1856
  [PGPtray.exe]
  TCP    172.16.105.220:139     0.0.0.0:0              LISTENING       4
  [System]
  TCP    127.0.0.1:2111         127.0.0.1:33333        ESTABLISHED     1616
  UDP    0.0.0.0:7001           *:*                                    248
  [sntlkeyssrvr.exe]
  UDP    0.0.0.0:500            *:*                                    700
  [lsass.exe]
  UDP    0.0.0.0:4500           *:*                                    700
  [lsass.exe]
  UDP    0.0.0.0:445            *:*                                    4
  [System]
  UDP    127.0.0.1:123          *:*                                    1084
  c:\windows\system32\WS2_32.dll
  UDP    172.16.105.220:6001    *:*                                    428
  [spnsrvnt.exe]
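The R2 evidence review above (and the R1 data request for "current configuration versus baseline") comes down to one comparison: which ports and services a host is actually exposing versus the ports/services the entity has documented as required. The following is an added example written for this deck, not WECC's or Billiam's tooling: it parses the `netstat -b -o -a -n` format shown on the HMI-1 slide and diffs the listening sockets against an assumed documented baseline. The netstat lines and the baseline table are constructed for illustration.

```python
"""Compare a host's listening ports against its documented required-ports
baseline (CIP-007-3 R2 evidence review). Added example; sample data is
constructed in the style of the HMI-1 slide, baseline is assumed."""
import re

# Constructed sample of `netstat -b -o -a -n` output (Windows). With -b the
# owning image is printed on the line AFTER its socket entry.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  C:\\WINDOWS\\system32\\svchost.exe
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 [System]
  TCP    0.0.0.0:7001           0.0.0.0:0              LISTENING       248
 [sntlkeyssrvr.exe]
  TCP    127.0.0.1:2111         127.0.0.1:33333        ESTABLISHED     1616
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1100
 [svchost.exe]
  UDP    0.0.0.0:500            *:*                                    700
 [lsass.exe]
  UDP    0.0.0.0:123            *:*                                    1084
 [svchost.exe]
"""

# Assumed documented baseline for this asset: (proto, port) -> purpose.
BASELINE = {
    ("TCP", 135): "RPC endpoint mapper (normal ops)",
    ("TCP", 445): "SMB share to EMS file server (normal ops)",
    ("TCP", 7001): "License server (normal ops)",
    ("UDP", 500): "IKE for IPsec to EMS WAN (normal ops)",
    ("UDP", 123): "NTP (normal ops)",
    ("UDP", 161): "SNMP polling by NMS (normal ops)",
}

# proto, local addr, local port, foreign addr, optional state, pid
SOCKET_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return a list of socket dicts; UDP rows carry an empty state."""
    entries, pending = [], None
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            proto, addr, port, _foreign, state, pid = m.groups()
            pending = {"proto": proto, "addr": addr, "port": int(port),
                       "state": state or "", "pid": int(pid), "process": ""}
            entries.append(pending)
        elif pending is not None and line.strip():
            pending["process"] = line.strip().strip("[]")  # -b image line
            pending = None
    return entries


def listening_ports(entries):
    """{(proto, port): process} for sockets that accept inbound traffic."""
    return {(e["proto"], e["port"]): e["process"] for e in entries
            if e["proto"] == "UDP" or e["state"] == "LISTENING"}


def compare_to_baseline(open_ports, baseline):
    """Return (unexpected listeners, required ports not observed)."""
    unexpected = {k: v for k, v in open_ports.items() if k not in baseline}
    missing = {k: v for k, v in baseline.items() if k not in open_ports}
    return unexpected, missing


if __name__ == "__main__":
    unexp, miss = compare_to_baseline(
        listening_ports(parse_netstat(SAMPLE_NETSTAT)), BASELINE)
    for (proto, port), proc in sorted(unexp.items()):
        print(f"NOT IN BASELINE: {proto}/{port} ({proc}) - justify or disable")
    for (proto, port), why in sorted(miss.items()):
        print(f"BASELINE PORT NOT OBSERVED: {proto}/{port} ({why}) - baseline stale?")
```

Both directions matter to an auditor: an undocumented listener is a potential R2 finding, while a documented port that is no longer open suggests the baseline was not updated after a change (R1.3).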