brent castagnetto, cbrm, cbra, mabr manager, cyber security audits car-005 and cip-006 diet esp...

Brent Castagnetto, CBRM, CBRA, MABR Manager, Cyber Security Audits

CAR-005 and CIP-006 “Diet” ESP Audit Approach

WECC Open Webinar February 21st 2013

2

• CAR-005 Audit Approach

• CIP-006 R2.2 PACS “Diet” ESP

Agenda

3

• NERC CIP-005 Compliance Analysis Report.

o Posted in May 2012

o Intended to provide practical information and suggestions surrounding CIP-005

What is CAR-005?

4

• Specific issues were raised related to non routable communication beyond ESP boundaries. (See pages 11 & 12)

• What is the current WECC approach on CAR-005?

What is CAR-005?

5

• Front End Processors (FEP) that are serially connected directly to field devices that an entity owns and or operates may not be considered Access Points under Version 3 of CIP-005.

• Know the backend architecture of your ICS network!

CAR-005 Audit Approach, Know Thy Self

6

• It may be necessary to classify Front End Processors as Cyber Assets within your ESP.

• Know the backend architecture of your ICS network!

CAR-005 Audit Approach, Know Thy Self

7

• ICS components with serial and/or dial-up interfaces may be Access Points:

- A Front End Processor (FEP) or CCA serially connected to a component of another network beyond your control (e.g., another entity)

- A FEP or media converter device that uses the internet (e.g. IP; VPN, SSL) to communicate

• Know the backend architecture of your ICS network!

CAR-005 Audit Approach

8

• Inquiring minds want to know!

• During an audit the WECC Cyber Security Team will ask questions about each entities back end non-routable architecture. CIP-005 sub teams will work with you during the offsite and onsite weeks to understand all communication paths traversing your ESP

CAR-005 Audit Approach

9

10

• CIP-006-3 R2.2 reads: Cyber Assets that authorize and/or log access to the

Physical Security Perimeter(s) shall be afforded the protective measures specified in Standard CIP-005-3 R2 and R3.

PACS “Diet” ESP CIP-006-3 R2.2

11

• “Diet” or “Sugar Free” drinks are missing something. Some people say you have the same taste, but none of the sugar.

• “Diet” ESP requires compliance with CIP-005 R2 & R3

PACS “Diet” ESP CIP-006-3 R2.2

Diet ESPESP

12

• CIP-005-3 R2 reads: The Responsible Entity shall implement and

document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the Electronic Security Perimeter(s)

R2.4 states specifically:Where external interactive access into the Electronic Security Perimeter has been enabled, the Responsible Entity shall implement strong procedural or technical controls at the access points to ensure authenticity of the accessing party, where technically feasible.

PACS “Diet” ESP CIP-006-3 R2.2

13

• NERC FAQ on CIP-005 clarifies what is intended as “strong procedural or technical controls”

Strong technical and procedural controls normally require use of at least two of the following three factors: (1) something the person knows, (2) something the person has, and (3) something the person is. “What a person knows” is typically a password, pass phrase or some personal identification number (PIN). “What a person has” is typically a physical device such as an electronic authentication token or smart card, and “what a person is” is usually some biometric characteristic such as a fingerprint or iris pattern.

NERC CIP-005 FAQ pg. 7

PACS “Diet” ESP CIP-006-3 R2.2

14

• PACS “Diet” ESP Example diagram

PACS “Diet” ESP CIP-006-3 R2.2

15

• NERC Industry Advisory: remote access guidance (2011). Retrieved from the North American Electric Reliability Corporate website on January 7, 2012, from, http://www.nerc.com/fileUploads/File/Events%20Analysis/A-2011-08-24-1-Remote_Access_Guidance-Final.pdf

• NERC Guidance for Secure Interactive Remote Access (2011). Retrieved from the North American Electric Reliability Corporate website on January 7, 2012, from, http://www.nerc.com/fileUploads/File/Events%20Analysis/FINAL-Guidance_for_Secure_Interactive_Remote_Access.pdf

• NERC CIP-005 FAQ

www.nerc.com/.../Revised_CIP-005-1_FAQs_20090217.pdf

• NERC CIP-005 Compliance Analysis Report

http://www.nerc.com/fileUploads/File/Standards/Revised_CIP-005-1_FAQs_20090217.pdf

• WECC_SLC CIP-101_CIP-005_JA

http://www.wecc.biz/compmtg/20121218cip/default.aspx?InstanceID=1

*Links retrieved 2/19/2012

References

Brent Castagnetto, CBRM, CBRA, MABR

Manager, Cyber Security Audits

Western Electricity Coordinating Council

bcastagnetto@wecc.biz

Office: 801.819.7627

Questions?