presentation - track 1 day 1_cip-010
TRANSCRIPT
![Page 1: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/1.jpg)
CIP-010-2 CIP 101
Ben Christensen, Senior Compliance Risk Analyst, Cyber Security
![Page 2: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/2.jpg)
Pop Quiz!!
• Who invented the electric motor? A. William Sturgeon B. Thomas Davenport C. Michael Faraday
Western Electricity Coordinating Council
![Page 3: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/3.jpg)
Pop Quiz!!
• Who invented the electric motor?
Michael Faraday
![Page 4: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/4.jpg)
Agenda
• Help entities understand and prepare for the upcoming CIP 010-2
  – Differences and relations to current requirements
  – Transient devices and removable media
  – Possible pitfalls to look for while implementing CIP 010-2
  – WECC's audit approach
  – Best practices
![Page 5: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/5.jpg)
CIP 010-2
![Page 6: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/6.jpg)
CIP-010-2 Effective Dates
• CIP-010-2 R1 – R3 – April 1, 2016
• CIP-010-2 R4 – 9 months later (January 1, 2017)
  – Registered Entities shall not be required to comply with Reliability Standard CIP-010-2, Requirement R4 until nine calendar months after the effective date of Reliability Standard CIP-010-2.
![Page 7: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/7.jpg)
Applicable Systems
![Page 8: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/8.jpg)
Applicable Systems in R4
• Transient Devices
• Removable Media
![Page 9: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/9.jpg)
Purpose of CIP 010-2
• Prevent and detect unauthorized changes to BES Cyber Systems.
• Specify vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise.
• Document and maintain device baselines and periodically verify they are accurate.
• Prevent unauthorized access or malware propagation from transient devices.
![Page 10: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/10.jpg)
CIP 010-2 Similarities with V.3
• CIP 003-3 R6: Change Control and Configuration Management
• CIP 007-3 R1: Test procedures
• CIP 005-3 R4 and CIP 007-3 R8: Cyber Vulnerability Assessment(s)
• CIP 007-3 R9 and CIP 005-3 R5: Documentation review and maintenance
![Page 11: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/11.jpg)
POP Quiz!!
• Who invented the modern automobile? A. Henry Ford B. Karl Benz C. Ransom Olds
![Page 12: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/12.jpg)
POP Quiz!!
• Who invented the modern automobile?
Karl Benz
![Page 13: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/13.jpg)
CIP 010-2 R1
![Page 14: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/14.jpg)
CIP 010-2 R1.1 (compare CIP 003-3 R6)
• Applicable to Protected Cyber Assets (PCA) and specifies the information required in device baselines
![Page 15: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/15.jpg)
CIP-010-2 R1.1 - Possible Pitfall #1
• CIP 003-3 R6 was previously not applicable to non-CCAs that resided within an ESP. Thus the entity did not create baselines or update procedures to ensure baselines were maintained for these devices.
![Page 16: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/16.jpg)
CIP-010-2 R1.1 - Possible Pitfall #2
• Entity does not ensure documented baselines for all devices contain operating system, commercial/open source software, custom software, logical ports, and security patches applied.
![Page 17: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/17.jpg)
CIP-010-2 R1.1 Approach
• Ensure the entity has documented baselines for all devices (or groups of devices) in applicable BES Cyber Systems
  – Verify baselines include operating system/firmware, commercial software, custom software, logical network accessible ports, and security patches applied
![Page 18: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/18.jpg)
“Limited” Device Example
• Serial-only microprocessor relay: Asset #051028 at Substation Alpha
  – R1.1.1 – Firmware: [MANUFACTURER]-[MODEL]-XYZ-1234567890-ABC
  – R1.1.2 – Not Applicable
  – R1.1.3 – Not Applicable
  – R1.1.4 – Not Applicable (serial-only, so it has no logical network accessible ports)
  – R1.1.5 – Patch 12345, Patch 67890, Patch 34567, Patch 437823
![Page 19: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/19.jpg)
CIP-010-2 R1.1 Approach
• 5 minimum components of a baseline
  – software/firmware versions
  – open source/commercially available software
  – custom applications
  – logical network accessible ports
  – applied security patches
• Information about hardware differences may apply since it could affect installed applications and patches
![Page 20: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/20.jpg)
Basic Baseline
![Page 21: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/21.jpg)
CIP 010-2 R1.1 Best Practice
• Use a combination of automated tools and manual walkthroughs/verifications to ensure lists and baselines are accurate
• Minimize applications on devices to only what is necessary
• Include a step to periodically verify the accuracy of applicable device lists and baselines
![Page 22: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/22.jpg)
CIP 010-2 R1.1 Best Practice
• Discussions and careful planning should be conducted on the method for maintaining device baselines
  – Review the CIP 007 R3 presentation from the Oct 2013 CIPUG for common methods to maintain information
  – What method is best for your organization:
    • Commercial software
    • Custom software
    • Spreadsheet
![Page 23: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/23.jpg)
CIP 010-2 R1.1 Best Practice
• Consider moving away from spreadsheets and other manual methods; look into more advanced methods for retaining information.
  – See the Joe B presentation from the October 2011 CIPUG on the advantages of moving from a spreadsheet to a relational database
    • Includes some labeling schema tips as well for when implementing a database for device management
![Page 24: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/24.jpg)
![Page 25: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/25.jpg)
CIP 010-2 R1.2 (compare CIP 003-3 R6)
• Applicable to PCA and requires changes to be authorized
![Page 26: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/26.jpg)
CIP-010-2 R1.2 - Possible Pitfall
• Entity cannot demonstrate that all changes made to baseline(s) were authorized
![Page 27: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/27.jpg)
CIP 010-2 R1.2 - Approach
• Ensure all changes made to baselines have been authorized.
![Page 28: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/28.jpg)
CIP 010-2 R1.2 - Approach
![Page 29: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/29.jpg)
CIP 010-2 R1.2 - Approach
![Page 30: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/30.jpg)
CIP 010-2 R1.2 – Best Practice
• Update procedural documentation to include at minimum:
  – Who can authorize changes, and to what
  – When authorization needs to occur
  – How the authorization will be documented, stored, and tracked
• Segregation of duties
  – The implementer should be different from the authorizer
![Page 31: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/31.jpg)
CIP 010-2 R1.3 (compare CIP 005-3 R5 and CIP 007-3 R9)
• Baselines must be updated within 30 calendar days of completing the change
![Page 32: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/32.jpg)
CIP 010-2 R1.3 – Possible Pitfall
• Entity cannot demonstrate baselines are updated within 30 days of changes being made
![Page 33: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/33.jpg)
CIP 010-2 R1.3 - Approach
• Ensure the entity is updating baselines within 30 days of when the change was made.
  – The start date will be determined by reviewing work orders, tracking sheets, or other documentation that details when the change actually occurred.
![Page 34: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/34.jpg)
CIP 010-2 R1.3 – Best Practices
• Procedures for updating baselines should address:
  – Who will communicate the changes made to the baselines
  – How changes will be communicated
  – Who the changes are communicated to
  – When the changes will be made
![Page 35: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/35.jpg)
CIP 010-2 R1.3 – Best Practices
• Maintain a version history when updating documentation.
  – Version number
  – Who performed the update to the documentation
  – Who made the change to the device
  – Who authorized the change
  – What was changed
![Page 36: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/36.jpg)
POP Quiz!!
• Who invented the printing press?
![Page 37: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/37.jpg)
POP Quiz!!
• Who invented the printing press?
Johannes Gutenberg
![Page 38: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/38.jpg)
CIP 010-2 R1.4 (compare CIP 007-3 R1)
• The impact of a change must be evaluated against the security controls in CIP 005 and CIP 007
![Page 39: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/39.jpg)
CIP 010-2 R1.4 – Possible Pitfall
• Entity verifies the same controls for all changes made to any baseline.
  – Thus the entity does not account for different environments, devices, or changes when determining what controls could be impacted
• May be OK if all controls are verified every time
![Page 40: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/40.jpg)
CIP 010-2 R1.4 - Approach
• Verify all changes made to device baselines are documented
• Ensure controls that may be impacted were identified and documented prior to the change
  – Why were some controls not included?
• Review evidence supporting that the identified controls were not adversely impacted
![Page 41: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/41.jpg)
CIP 010-2 R1.4 – Best Practices
• Procedures should include:
  – Documenting the date and all steps taken to identify the cyber security controls that could be impacted, prior to the change taking place
  – How potentially impacted cyber security controls are identified
    • Who does this?
  – How adverse impacts will be detected
    • Who does this and when?
![Page 42: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/42.jpg)
CIP 010-2 R1.4 – Best Practices
• Include a peer review step both when reviewing what controls may be impacted and when verifying controls weren't adversely impacted
• Coordinate testing processes between departments, business units, etc. to ensure consistency
![Page 43: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/43.jpg)
CIP 010-2 R1.5 (compare CIP 007-3 R1)
![Page 44: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/44.jpg)
CIP 010-2 R1.5 cont.
• Only applicable to High Impact systems
• Specific to security controls that must be tested
  – Security controls in CIP 005 and CIP 007
• New test environment requirements
  – Document if a test environment was used
  – Document differences between the test and production environments
    • Measures taken to account for these differences
![Page 45: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/45.jpg)
CIP 010-2 R1.5 Possible Pitfall
• Entity does not document differences between the production and testing environments
• Entity does not take measures to account for differences between the production and testing environments.
![Page 46: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/46.jpg)
CIP 010-2 R1.5 - Approach
• For each change that deviates from the existing baseline:
  – List of cyber security controls tested
  – Test results
  – List of differences between the production and test environments
  – Descriptions of how any differences were accounted for
  – When testing occurred
![Page 47: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/47.jpg)
CIP 010-2 R1.5 – Best Practices
• Use a checklist or other task managing tool to reduce the likelihood of not testing all controls
• Document specific test procedures for each cyber asset or group of assets
  – Describe the test procedures
  – Describe the test environment and how it reflects the production environment
![Page 48: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/48.jpg)
![Page 49: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/49.jpg)
POP Quiz!!
• When was the atomic bomb first invented?
![Page 50: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/50.jpg)
POP Quiz!!
• When was the atomic bomb first invented?
July 1945
![Page 51: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/51.jpg)
CIP 010-2 R2.1 (compare CIP 003-3 R6)
• Must actively search for unauthorized changes to the baseline at least once every 35 calendar days
  – Automated preferred but can be manual
• Must document and investigate unauthorized changes
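Putting R1.1 and R2.1 together: the following Python is an added example for this transcript, not code from WECC or the presenter. It records the five R1.1 baseline components for one asset, diffs a newly observed configuration against the documented baseline, drops the deviations that an authorization record covers (R1.2), and checks that consecutive R2.1 reviews are no more than 35 days apart. The asset name, software names, patch identifiers, work order, approver role and review dates are all constructed.

```python
"""Added example (not part of the WECC slides): a minimal CIP-010-2 R1.1 baseline
record, a diff against an observed configuration (R2.1), a check of that diff
against authorization records (R1.2), and a 35-day monitoring cadence check.
All asset names, software names, patch IDs and dates below are constructed."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Baseline:
    """The five R1.1 components. Sets are used so order does not matter."""
    asset: str
    os_firmware: str                # R1.1.1
    commercial_software: frozenset  # R1.1.2
    custom_software: frozenset      # R1.1.3
    logical_ports: frozenset        # R1.1.4, written as "tcp/445"
    security_patches: frozenset     # R1.1.5


SET_COMPONENTS = ("commercial_software", "custom_software",
                  "logical_ports", "security_patches")


def diff_baseline(documented, observed):
    """Return (component, change, value) tuples where observed deviates from documented."""
    deviations = []
    if documented.os_firmware != observed.os_firmware:
        deviations.append(("os_firmware", "changed", observed.os_firmware))
    for comp in SET_COMPONENTS:
        before, after = getattr(documented, comp), getattr(observed, comp)
        deviations += [(comp, "added", v) for v in sorted(after - before)]
        deviations += [(comp, "removed", v) for v in sorted(before - after)]
    return deviations


def unauthorized_changes(deviations, authorizations):
    """Keep only the deviations that no authorization record covers (R1.2)."""
    covered = {(a["component"], a["change"], a["value"]) for a in authorizations}
    return [d for d in deviations if d not in covered]


def monitoring_gaps(review_dates, max_gap_days=35):
    """Return (previous, next, days) for consecutive reviews more than max_gap_days apart."""
    ds = sorted(review_dates)
    return [(a, b, (b - a).days) for a, b in zip(ds, ds[1:]) if (b - a).days > max_gap_days]


# Constructed sample data: the documented baseline for an HMI vs. what a scan found.
DOCUMENTED = Baseline(
    asset="HMI-1",
    os_firmware="Windows Server 2008 R2 SP1",
    commercial_software=frozenset({"SCADA HMI 7.2", "Antivirus 12.1"}),
    custom_software=frozenset({"alarm-export.ps1 v3"}),
    logical_ports=frozenset({"tcp/139", "tcp/445", "tcp/3389"}),
    security_patches=frozenset({"Patch 12345", "Patch 67890"}),
)
OBSERVED = Baseline(
    asset="HMI-1",
    os_firmware="Windows Server 2008 R2 SP1",
    commercial_software=frozenset({"SCADA HMI 7.2", "Antivirus 12.1", "PuTTY 0.65"}),
    custom_software=frozenset({"alarm-export.ps1 v3"}),
    logical_ports=frozenset({"tcp/23", "tcp/139", "tcp/445", "tcp/3389"}),
    security_patches=frozenset({"Patch 12345", "Patch 67890", "Patch 34567"}),
)
# Only the patch was authorized (work order and approver are constructed).
AUTHORIZATIONS = [
    {"asset": "HMI-1", "component": "security_patches", "change": "added",
     "value": "Patch 34567", "work_order": "WO-1042", "authorized_by": "CIP Senior Manager"},
]
# R2.1 review dates: the May-to-July gap is 38 days, i.e. a missed 35-day window.
REVIEW_DATES = [date(2016, 4, 28), date(2016, 5, 31), date(2016, 7, 8)]


if __name__ == "__main__":
    for dev in unauthorized_changes(diff_baseline(DOCUMENTED, OBSERVED), AUTHORIZATIONS):
        print("UNAUTHORIZED:", dev)
    for prev, nxt, days in monitoring_gaps(REVIEW_DATES):
        print(f"MISSED 35-DAY WINDOW: {prev} -> {nxt} ({days} days)")
```

Replace the constructed OBSERVED record with the output of whatever inventory or FIM tool is in use; the point is that the comparison runs against the documented baseline rather than against the previous scan, so a change that was never authorized cannot quietly become the new normal.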
![Page 52: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/52.jpg)
CIP-010-2 R2.1 – Possible Pitfall
• Not consistently monitoring for changes every 35 days
  – Entity begins the process at the end of the month
    • Thus the entity continuously misses the 35-day deadline because it does not have enough time to complete the review
  – Documentation is inconsistent and SMEs can't keep track of whether specific devices have an automated or a manual process for tracking configuration changes
![Page 53: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/53.jpg)
CIP 010-2 R2.1 - Approach
• Logs from a system that is monitoring configurations
• Work orders, tracking sheets, raw data evidence of manual investigations
• Records of investigations of detected unauthorized changes
![Page 54: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/54.jpg)
CIP 010-2 R2.1 - Approach
• Sample review of baseline
![Page 55: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/55.jpg)
CIP 010-2 R2 – Best Practice
• Consider using commercial or open source File Integrity Monitoring software for continuous monitoring
• Start the monitoring process early enough to complete the review within the window
  – Consider using an automated task managing tool
![Page 56: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/56.jpg)
CIP 010-2 R2 – Best Practice
• What if you find an unauthorized change?
  – What change(s) have been made without authorization?
  – Who made the change(s)?
  – When were the change(s) made?
  – How can a similar issue be prevented?
![Page 57: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/57.jpg)
CIP 010-‐2 R1 and R2
QUIZ Time
![Page 58: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/58.jpg)
CIP 010-‐2 R1 and R2
• Entities are required to test all changes in a test environment that reflects the production environment.
False. R1.5 applies only to High Impact BES Cyber Systems, and it allows the test to be performed in the production environment in a manner that minimizes adverse effects; where a separate test environment is used, the differences from production and the measures taken to account for them must be documented.
![Page 59: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/59.jpg)
CIP 010-2 R1 and R2
• Entity baselines are required to include:
  1. Operating system/firmware
  2. Commercial/open source software
  3. Custom software
  4. Logical ports
  5. All security patches applied
TRUE
But what about devices where some of these don't apply? Document them as Not Applicable, as in the serial-only relay example.
![Page 60: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/60.jpg)
CIP 010-‐2 R3
![Page 61: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/61.jpg)
CIP 010-2 R3.1 (compare CIP 007-3 R8 and CIP 005-3 R4)
• No more annual requirement: the VA is now due at least once every 15 calendar months, and it can be active or paper-based
![Page 62: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/62.jpg)
CIP-010-2 VA Timelines
• 1st performance of the active or paper VA (15-calendar-month cycle) – April 1, 2017
• 1st performance of the active VA (36-calendar-month cycle) – April 1, 2018
![Page 63: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/63.jpg)
CIP-010-2 R3.1 – Possible Pitfall
• Entity conducts its initial Vulnerability Assessment in January, then not again until after April of the next year, so more than 15 calendar months elapse between assessments
• Misses the 1st performance dates for the active and paper VAs
![Page 64: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/64.jpg)
4 Steps for Paper VA
1. Network Discovery
2. Network Port and Service Identification
3. Vulnerability Review
4. Wireless Review
![Page 65: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/65.jpg)
Paper VA
• Network Discovery - A review of network connectivity to identify all Electronic Access Points to the Electronic Security Perimeter.
• Network Port and Service Identification - A review to verify that all enabled ports and services have an appropriate business justification.
![Page 66: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/66.jpg)
Paper VA
• Vulnerability Review - A review of security rule-sets and configurations including controls for default accounts, passwords, and network management community strings.
• Wireless Review - Identification of common types of wireless networks (such as 802.11a/b/g/n) and a review of their controls if they are in any way used for BES Cyber System communications.
![Page 67: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/67.jpg)
What is a Paper Assessment?
• Is it a “document review” exercise?
• Should I perform physical inspections?
• Do I need to include enumeration of ports and services?
![Page 68: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/68.jpg)
What is a Paper Assessment?
Should include:
• Document reviews
  – Such as reviews of known vulnerabilities of installed applications
• Dumps of configs
  – Such as a list of open listening ports generated by platform-resident tools such as netstat
Might contain information about issues such as:
• Current threats and how the baseline configurations are designed to address them
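An added example (not from the slides) for the netstat-based port review described above: it turns Windows (netstat -b -o -a -n) or Linux (netstat -p -a -l) output into the set of network-accessible listening ports, dropping loopback-only binds since those are not "network accessible" in the R1.1.4 sense, and compares that set with the documented ports/services justification list so that both unjustified open ports and stale documentation show up. The netstat text, hostnames, PIDs and justifications are constructed for this example.

```python
"""Added example (not from the WECC slides): parse netstat output into the set of
network-accessible listening ports and compare it with the documented
ports/services justification list. Handles the Windows (netstat -b -o -a -n)
and Linux (netstat -p -a -l) layouts. All sample output and justifications
below are constructed."""
import re

ADDR_RE = re.compile(r"^(?P<host>.+):(?P<port>\d+)$")


def _is_loopback(host):
    host = host.strip("[]")
    return host == "::1" or host.startswith("127.")


def listening_ports(netstat_text):
    """Return {'tcp/22', 'udp/161', ...} for sockets bound on a network-reachable address.

    TCP sockets count only in LISTEN/LISTENING state; UDP sockets count when bound.
    Loopback-only binds are dropped: they are not 'network accessible' (R1.1.4)."""
    found = set()
    for line in netstat_text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        proto = tokens[0].lower()
        if proto not in ("tcp", "udp", "tcp6", "udp6"):
            continue  # headers, blank lines, [process.exe] lines from -b
        proto = proto.rstrip("6")
        addrs = [t for t in tokens if ADDR_RE.match(t)]
        if not addrs:
            continue
        host, port = ADDR_RE.match(addrs[0]).group("host", "port")  # first addr = local
        if proto == "tcp" and not ({"LISTEN", "LISTENING"} & set(tokens)):
            continue  # established/time-wait connections are not listening ports
        if _is_loopback(host):
            continue
        found.add(f"{proto}/{port}")
    return found


def review_ports(listening, justifications):
    """Split observed vs. documented ports into what the paper VA must resolve."""
    unjustified = sorted(p for p in listening if p not in justifications)
    documented_but_closed = sorted(p for p in justifications if p not in listening)
    return unjustified, documented_but_closed


# Constructed sample: a Windows HMI (netstat -a -n -o layout) ...
WINDOWS_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       724
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1188
  TCP    172.16.105.20:139      0.0.0.0:0              LISTENING       4
  TCP    172.16.105.20:3389     172.16.105.1:56761     ESTABLISHED     1188
  UDP    0.0.0.0:161            *:*                                    1520
  UDP    127.0.0.1:1900         *:*                                    2004
"""
# ... and a Linux historian (netstat -p -a -l layout).
LINUX_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      903/mysqld
tcp        0      0 172.16.105.30:22        172.16.105.1:50122      ESTABLISHED 2210/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      1001/apache2
udp        0      0 0.0.0.0:123             0.0.0.0:*                           655/ntpd
"""
# Constructed ports/services justification list for the HMI (tcp/502 is documented but not open).
HMI_JUSTIFICATIONS = {
    "tcp/445": "SMB share read by the historian",
    "tcp/3389": "RDP for operator remote access via the Intermediate System",
    "udp/161": "SNMP polling from the network monitor",
    "tcp/502": "Modbus/TCP polling by the SCADA front end",
}

if __name__ == "__main__":
    unjustified, stale = review_ports(listening_ports(WINDOWS_NETSTAT), HMI_JUSTIFICATIONS)
    print("open without justification:", unjustified)
    print("documented but not open:", stale)
```

The "documented but not open" list matters as much as the unjustified one: it is the baseline drifting away from the device in the other direction, and an auditor comparing the two will ask about it.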
![Page 69: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/69.jpg)
4 Steps for Active VA
1. Network Discovery
2. Network Port and Service Identification
3. Vulnerability Scanning
4. Wireless Scanning
![Page 70: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/70.jpg)
Active VA
• Network Discovery - Use of active discovery tools to discover active devices and identify communication paths in order to verify that the discovered network architecture matches the documented architecture.
• Network Port and Service Identification – Use of active discovery tools (such as Nmap) to discover open ports and services.
![Page 71: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/71.jpg)
Active VA
• Vulnerability Scanning – Use of a vulnerability scanning tool to identify network accessible ports and services along with the identification of known vulnerabilities associated with services running on those ports.
• Wireless Scanning – Use of a wireless scanning tool to discover wireless signals and networks in the physical perimeter of a BES Cyber System. Serves to identify unauthorized wireless devices within the range of the wireless scanning tool.
![Page 72: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/72.jpg)
What tools should I use?
Are tools such as Nmap required for active assessments, or can entities use custom scripts (which use native OS commands) to enumerate open ports and services? What constitutes an active port scan?
![Page 73: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/73.jpg)
What tools should I use?
The intent of the active assessment is to test the Cyber Asset from the “outside” rather than simply having the Cyber Asset look at itself. A script that only runs native commands such as netstat on the asset is the asset looking at itself; a port scan from another host on the network tests it from the outside.
![Page 74: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/74.jpg)
CIP-010-2 R3.1 – Approach
• Verify when the last VA was conducted
• Verify the current VA was conducted within 15 calendar months of the previous VA
• Evidence could include:
  – A document listing the date of the assessment and the output of any tools used to perform the assessment.
![Page 75: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/75.jpg)
CIP-010-2 R3 Initial Evidence

```
C:\HMI-1>netstat

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    HMI-1:2111             localhost:33333        ESTABLISHED
  TCP    HMI-1:3616             localhost:10525        ESTABLISHED
  TCP    HMI-1:5152             localhost:1573         CLOSE_WAIT
  TCP    HMI-1:10525            localhost:3616         ESTABLISHED
  TCP    HMI-1:33333            localhost:2111         ESTABLISHED
  TCP    HMI-1:netbios-ssn      172.16.105.1:56761     TIME_WAIT
  TCP    HMI-1:netbios-ssn      172.16.105.1:56762     TIME_WAIT
  TCP    HMI-1:netbios-ssn      172.16.105.1:56765     TIME_WAIT
  TCP    HMI-1:netbios-ssn      172.16.105.1:56766     TIME_WAIT
```

Note that plain netstat lists only active connections; the listening ports that R1.1.4 asks for need the -a option, as in the data requests later in this deck (netstat -b -o -a -n).
![Page 76: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/76.jpg)
R3 Evidence – Nessus Summary
![Page 77: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/77.jpg)
Nessus Summary (continued)
![Page 78: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/78.jpg)
2014 Cyber Vulnerability Assessment
![Page 79: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/79.jpg)
Manual Review of Configs

```
#show run
...
ip http server
!
access-list 23 permit 172.16.105.200 0.0.0.0
access-list 23 permit 172.16.105.201 0.0.0.0
!
line vty 5 15
 transport input ssh
 access-class 23 in
!
ntp-server 172.16.105.88
...
```
![Page 80: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/80.jpg)
Manual Vulnerability Assessment

```
#show run
...
no logging
ip http server
!
access-list 23 permit 172.16.105.200 0.0.0.0
access-list 23 permit 172.16.105.201 0.0.0.0
!
line vty 5 15
 transport input telnet
 login
 password ***********
 access-class 23 in
!
no logging console
debug condition interface
no snmp-server
ntp-server 172.16.105.88
...
```

What an assessor would flag here: logging turned off (no logging, no logging console), cleartext management services (ip http server, transport input telnet), and a shared line password instead of local or AAA login. The access-list on the vty lines is a compensating control, but only for the two addresses it permits.
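An added example (not part of the presentation) of the Vulnerability Review step applied to a config like the one above: a small rule set run over an IOS-style running config that flags the items shown on the slide (logging off, cleartext HTTP and Telnet management, line passwords) plus default SNMP community strings and reversible enable/username passwords, and reports any line vty block that has no access-class. The two configs, hostname, addresses and passwords are constructed; the "after" config is the same device hardened so that the identical review returns no findings.

```python
"""Added example (not from the WECC slides): rule-based review of an IOS-style
running config, i.e. the 'Vulnerability Review' step of a paper VA.
Both configs below are constructed; hostname, ACL, addresses and passwords are made up."""
import re

# (finding, pattern matched against each config line). Anchors matter: 'no ip http server'
# must not trip the http rule, and only an indented 'password' is a line password.
LINE_RULES = [
    ("logging disabled", re.compile(r"^no logging( on)?$")),
    ("cleartext HTTP management enabled", re.compile(r"^ip http server$")),
    ("telnet allowed on line", re.compile(r"^\s*transport input\b.*\b(telnet|all)\b")),
    ("line password instead of local/AAA login", re.compile(r"^\s+password\b")),
    ("default SNMP community string", re.compile(r"^snmp-server community\s+(public|private)\b", re.I)),
    ("enable password instead of enable secret", re.compile(r"^enable password\b")),
    ("username with reversible password", re.compile(r"^username\s+\S+\s+password\b")),
]


def review_config(config_text):
    """Return sorted (line_no, finding, line) tuples for the config."""
    findings = []
    lines = config_text.splitlines()
    vty_start, vty_has_acl = None, False

    def close_vty():
        # Called when a 'line vty' block ends; the block must carry an access-class.
        if vty_start is not None and not vty_has_acl:
            findings.append((vty_start, "vty lines without access-class (no source restriction)",
                             lines[vty_start - 1].strip()))

    for no, raw in enumerate(lines, 1):
        line = raw.rstrip()
        if vty_start is not None and not raw.startswith(" "):
            close_vty()  # an unindented line ends the current 'line vty' block
            vty_start = None
        if re.match(r"^line vty\b", line):
            vty_start, vty_has_acl = no, False
        elif vty_start is not None and re.match(r"^\s*access-class\b", line):
            vty_has_acl = True
        for finding, pattern in LINE_RULES:
            if pattern.match(line):
                findings.append((no, finding, line.strip()))
    close_vty()
    return sorted(findings)


CONFIG_BEFORE = """\
hostname SUB-ALPHA-RTR
no logging
ip http server
enable password cisco123
!
snmp-server community public RO
!
access-list 23 permit 172.16.105.200 0.0.0.0
access-list 23 permit 172.16.105.201 0.0.0.0
!
line vty 0 4
 transport input telnet
 password cisco123
 login
!
line vty 5 15
 transport input ssh
 access-class 23 in
 login local
!
ntp server 172.16.105.88
"""

CONFIG_AFTER = """\
hostname SUB-ALPHA-RTR
logging host 172.16.105.50
no ip http server
enable secret 5 $1$constructed$hash
username ops secret 5 $1$constructed$hash
!
no snmp-server
!
access-list 23 permit 172.16.105.200 0.0.0.0
access-list 23 permit 172.16.105.201 0.0.0.0
!
line vty 0 4
 transport input ssh
 access-class 23 in
 login local
!
line vty 5 15
 transport input ssh
 access-class 23 in
 login local
!
ntp server 172.16.105.88
"""

if __name__ == "__main__":
    for no, finding, line in review_config(CONFIG_BEFORE):
        print(f"line {no}: {finding}: {line}")
    print("after hardening:", review_config(CONFIG_AFTER))
```

The rules are deliberately line-anchored rather than substring matches; the one stateful check (vty blocks) is there because the weakness on the slide is not any single line but a management line whose access-class is missing.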
![Page 81: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/81.jpg)
[CIP-010-2 R3] Typical Data Requests
• For the following servers and workstations (within the BCS) provide current netstat (netstat -b -o -a -n / netstat -p -a -l) or port scan (TCP/UDP) results. [sample list]
• For the following network devices, provide current configuration files (i.e., show run all) and ports and services running (scan results if they exist)
• Provide a spreadsheet identifying all BCS assets, associated TFEs, and associated requirements
![Page 82: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/82.jpg)
[CIP-010-2 R3] Typical Data Requests
• Provide initial paper vulnerability assessment report
• Provide initial active vulnerability assessment
• Provide subsequent assessments
• Provide detailed (RAW DATA) vulnerability assessment results for the following specific BCS, EACMS and PACS [sample list]
• Provide mitigation plan and results (current status) for the VA
• Provide action plan and current status
![Page 83: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/83.jpg)
[CIP-010-2 R3] Typical Interview Questions
• How do you perform an active and a paper assessment?
• Describe the procedures used to identify the required ports/services
• Are vendors involved in the definition of required ports/services?
• Are there devices on which ports and services cannot be disabled?
• If so, what compensating measures are in place?
![Page 84: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/84.jpg)
[CIP-010-2 R3] Typical Interview Questions
• Describe the vulnerability assessment process
• Who performs the assessment? Is the assessment performed in-house or outsourced?
• Does the assessment include all BCS and cyber assets? – specific addresses or entire networks
• Describe the procedures/tools utilized to identify open ports/services and user accounts
• Is there a baseline to compare ports/services and user accounts with?
![Page 85: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/85.jpg)
R3 Audit Evidence Examples
• Netstat:
– netstat -b -o -a -n > netstat_boan.txt
– netstat -p -a -l > netstat_pal.txt
• NMAP scan results:
– nmap -sT -sV -p T:0-65535 <IP_address> >> nmap_tcp.txt
– nmap -sU -sV -p U:0-65535 <IP_address> >> nmap_udp.txt
– show control-plane host open-ports
• Manual review – show run config file (router or firewall)
![Page 86: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/86.jpg)
VA Sample Checklist
☐ Active or Paper
☐ Network Discovery
  ☐ Review of network diagrams
  ☐ Walk down performed
  ☐ Ping sweeps
☐ Network Port and Service Identification
  ☐ Nmap scans of all subnets
  ☐ Netstat or other resident tool used
  ☐ Manual review of config
![Page 87: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/87.jpg)
VA Sample Checklist Cont.
☐ Vulnerability Scanning
  ☐ Nmap/Nessus scan performed
  ☐ Manual review of config
    ☐ Rule-sets
    ☐ Accounts
    ☐ Passwords
    ☐ Default community strings
☐ Wireless Scanning
  ☐ Scan performed
  ☐ Visual inspection performed
![Page 88: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/88.jpg)
HMI-1 Baseline Evidence

```
C:\Documents and Settings\HMI-1>netstat -b -o -a -n > netstat_boan.txt

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  C:\WINDOWS\system32\svchost.exe
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  [System]
  TCP    0.0.0.0:6002           0.0.0.0:0              LISTENING       428
  [spnsrvnt.exe]
  TCP    0.0.0.0:7001           0.0.0.0:0              LISTENING       248
  [sntlkeyssrvr.exe]
  TCP    0.0.0.0:7002           0.0.0.0:0              LISTENING       248
  [sntlkeyssrvr.exe]
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1656
  [dirmngr.exe]
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       2484
  [alg.exe]
  TCP    127.0.0.1:5152         0.0.0.0:0              LISTENING       1764
  [jqs.exe]
  TCP    127.0.0.1:33333        0.0.0.0:0              LISTENING       1856
  [PGPtray.exe]
  TCP    172.16.105.220:139     0.0.0.0:0              LISTENING       4
  [System]
  TCP    127.0.0.1:2111         127.0.0.1:33333        ESTABLISHED     1616
  UDP    0.0.0.0:7001           *:*                                    248
  [sntlkeyssrvr.exe]
  UDP    0.0.0.0:500            *:*                                    700
  [lsass.exe]
  UDP    0.0.0.0:4500           *:*                                    700
  [lsass.exe]
  UDP    0.0.0.0:445            *:*                                    4
  [System]
  UDP    127.0.0.1:123          *:*                                    1084
  c:\windows\system32\WS2_32.dll
  UDP    172.16.105.220:6001    *:*                                    428
  [spnsrvnt.exe]
```
![Page 89: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/89.jpg)
HMI-1 Evidence [continued]

```
root@bt# nmap -sT -sV -p T:0-65535 172.16.105.220

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-01-03 10:28 EST
Nmap scan report for 172.16.105.220
Host is up (0.00084s latency).
Not shown: 65528 closed ports
PORT     STATE SERVICE         VERSION
135/tcp  open  msrpc           Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds    Microsoft Windows XP microsoft-ds
777/tcp  open  multiling-http?
6002/tcp open  http            SafeNet Sentinel License Monitor httpd 7.3
7001/tcp open  afs3-callback?
7002/tcp open  http            SafeNet Sentinel Keys License Monitor httpd 1.0 (Java Console)
MAC Address: 00:0C:29:07:09:3B (VMware)
Service Info: Host: HMI-1; OS: Windows
```
![Page 90: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/90.jpg)
HMI-1 Evidence [continued]

```
root@bt# nmap -sU -sV -p U:0-65535 172.16.105.220

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-01-03 10:28 EST
Nmap scan report for 172.16.105.220
Host is up (0.00084s latency).
Not shown: 65527 closed ports
PORT     STATE         SERVICE      VERSION
123/udp  open          ntp          Microsoft NTP
137/udp  open          netbios-ns   Microsoft Windows NT netbios-ssn (workgroup: WORKGROUP)
138/udp  open|filtered netbios-dgm
445/udp  open|filtered microsoft-ds
500/udp  open|filtered isakmp
1900/udp open|filtered upnp
4500/udp open|filtered nat-t-ike
6001/udp open|filtered X11:1
MAC Address: 00:0C:29:07:09:3B (VMware)
Service Info: Host: HMI-1; OS: Windows
```
![Page 91: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/91.jpg)
EMS1 Evidence
![Page 92: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/92.jpg)
EMS1 Evidence [continued]

```
root@bt:/# nmap -sT -sV -p T:0-65535 172.16.105.151

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-01-18 12:15 EST
Nmap scan report for 172.16.105.151
Host is up (0.034s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 5.3p1 Debian 3ubuntu6 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.2.14 ((Ubuntu))
111/tcp   open  rpcbind (rpcbind V2) 2 (rpc #100000)
42851/tcp open  status  (status V1) 1 (rpc #100024)
MAC Address: 00:0C:29:66:05:65 (VMware)
Service Info: OS: Linux

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.25 seconds
```
![Page 93: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/93.jpg)
EMS1 Evidence [continued]

```
root@bt:/# nmap -sU -sV -p U:0-65535 172.16.105.151

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-01-18 12:15 EST
Nmap scan report for 172.16.105.151
Host is up (7.57s latency).
Not shown: 65533 closed ports
PORT    STATE         SERVICE VERSION
68/udp  open|filtered dhcpc
111/udp open          rpcbind
MAC Address: 00:0C:29:66:05:65 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1081.98 seconds
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 123.25 seconds
```
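The interview questions above ask whether there is a baseline to compare ports/services against. As an added example (not WECC's or the entity's code), this parses netstat -b -o -a -n and nmap -sV output of the kind shown in the HMI-1 evidence and reports deviations from a documented baseline in both directions. The netstat and nmap excerpts are short constructed samples modelled on the slides, and HMI1_BASELINE is an assumed baseline, not the entity's.

```python
"""Compare ports/services observed in netstat and nmap evidence against the
documented baseline of required ports/services. Added example; samples are
constructed excerpts modelled on the HMI-1 slides and the baseline is assumed."""
import re

NETSTAT_SAMPLE = """\
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  C:\\WINDOWS\\system32\\svchost.exe
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  [System]
  TCP    0.0.0.0:6002           0.0.0.0:0              LISTENING       428
  [spnsrvnt.exe]
  TCP    0.0.0.0:7001           0.0.0.0:0              LISTENING       248
  [sntlkeyssrvr.exe]
  TCP    127.0.0.1:2111         127.0.0.1:33333        ESTABLISHED     1616
  UDP    0.0.0.0:500            *:*                                    700
  [lsass.exe]
"""

NMAP_SAMPLE = """\
PORT     STATE SERVICE        VERSION
135/tcp  open  msrpc          Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds   Microsoft Windows XP microsoft-ds
777/tcp  open  multiling-http?
6002/tcp open  http           SafeNet Sentinel License Monitor httpd 7.3
"""

# Assumed baseline: ports/services the entity documented as required on HMI-1.
HMI1_BASELINE = {
    (135, 'tcp'): 'msrpc (Windows RPC)',
    (139, 'tcp'): 'netbios-ssn',
    (445, 'tcp'): 'microsoft-ds',
    (6002, 'tcp'): 'Sentinel License Monitor',
    (7001, 'tcp'): 'Sentinel Keys server',
    (7002, 'tcp'): 'Sentinel Keys console',
}

NETSTAT_RE = re.compile(r'^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+([A-Z_]+))?\s+(\d+)\s*$')
NMAP_RE = re.compile(r'^(\d+)/(tcp|udp)\s+(open|open\|filtered)\s+(\S+)(?:\s+(.*))?$')


def parse_netstat(text):
    """{(port, proto): owner} for bound sockets. With -b, Windows netstat prints
    the owning image on the line after the socket row, so it is attached to the
    most recent socket; established TCP rows are not listening services."""
    sockets, last = {}, None
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, _addr, port, state, pid = m.groups()
            last = None
            if proto == 'TCP' and state != 'LISTENING':
                continue
            last = (int(port), proto.lower())
            sockets[last] = f'pid {pid}'
        elif last is not None and line.strip():
            sockets[last] += ' ' + line.strip().strip('[]')
    return sockets


def parse_nmap(text):
    """{(port, proto): 'state service version'} for ports nmap reports open."""
    found = {}
    for line in text.splitlines():
        m = NMAP_RE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            found[(int(port), proto)] = ' '.join(x for x in (state, service, version) if x)
    return found


def compare_to_baseline(baseline, observed):
    """Ports open but absent from the baseline are candidate unneeded services
    or undocumented changes; baseline ports not observed mean the evidence is
    incomplete or the baseline is stale. Either way the entity must explain."""
    unexpected = sorted((p, pr, ev) for (p, pr), ev in observed.items() if (p, pr) not in baseline)
    missing = sorted((p, pr, why) for (p, pr), why in baseline.items() if (p, pr) not in observed)
    return {'unexpected': unexpected, 'missing': missing}


def assess_hmi1():
    """Merge host-resident (netstat) and network (nmap) views, then compare."""
    observed = parse_netstat(NETSTAT_SAMPLE)
    observed.update(parse_nmap(NMAP_SAMPLE))
    return compare_to_baseline(HMI1_BASELINE, observed)


if __name__ == '__main__':
    for kind, rows in assess_hmi1().items():
        print(kind)
        for port, proto, detail in rows:
            print(f'  {port}/{proto}: {detail}')
```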
![Page 94: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/94.jpg)
Router Ports/Services
![Page 95: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/95.jpg)
2014 Vulnerability Assessment
![Page 96: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/96.jpg)
2014 BPC VA
![Page 97: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/97.jpg)
2014 BPC VA
![Page 98: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/98.jpg)
Active VA – Wireless Scanning
![Page 99: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/99.jpg)
2014 CVA – HMI1 Software Vulnerability
Security vulnerability – exploit available to execute arbitrary code.
http://www.exploit-db.com/exploits/15957/
Exploit Title: KingView 6.53 SCADA HMI Heap Overflow PoC 9/28/2010
http://www.exploit-db.com/exploits/16936/
# Exploit Title: KingView 6.5.3 SCADA ActiveX TCP 777
![Page 100: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/100.jpg)
EMS1 Baseline Evidence
![Page 101: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/101.jpg)
CIS Scan results [Local Account Results]

```
Account Name :Administrator
The Administrator account is an ADMINISTRATOR, and the password was changed 1207 days ago.
This account has been used 70 times to logon.
The default Administrator account has not been renamed.
Comment :Built-in account for administering the computer/domain

Account Name :bill
The ubill account is an ADMINISTRATOR, and the password was changed 548 days ago.
This account has been used 0 times to logon.
Comment :auto-logon account

Account Name :billiam
The billiam account is an ADMINISTRATOR, and the password was changed 548 days ago.
This account has been used 233 times to logon.
Comment :shared account

WARNING Administrator's password is blank
```
![Page 102: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/102.jpg)
Nessus Results – Services
![Page 103: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/103.jpg)
3rd Party VA Sample – 1 host
![Page 104: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/104.jpg)
CIP-010-2 R3.1 – Best Practice
• Consider keeping Vulnerability Assessments for devices or groups of devices on the same cycle
• Implement a task managing tool to help track needed tasks and deadlines
• Review NIST SP800-115 for guidance on conducting a vulnerability assessment
![Page 105: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/105.jpg)
POP Quiz!!
• What was the first home video game console? A. Atari 2600 B. Magnavox Odyssey C. VES D. RCA Studio II
![Page 106: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/106.jpg)
POP Quiz!!
• What was the first home video game console?
• Developed in 1972
Magnavox Odyssey
![Page 107: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/107.jpg)
CIP 010-2 R3.2
Related current requirements: CIP 005-3 R4, CIP 007-3 R8 → CIP 010-2 R3.2
![Page 108: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/108.jpg)
CIP 010-2 R3.2 cont.
• Only applicable to High Impact BES systems
• Required to be performed at least every 36 months
• VA must be active and can be performed in the production or a test environment
– Test environment must reflect production
– Document differences between the test and production environments
– Take and document measures to address the differences between the test and production environments
![Page 109: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/109.jpg)
CIP 010-2 R3.2 – Possible Pitfall
• Entity does not conduct active Vulnerability Assessments at least every 36 months
• Entity performs only a manual (paper) review on devices for which an active assessment is technically feasible
![Page 110: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/110.jpg)
CIP 010-2 R3.2 – Approach
• Verify active Vulnerability Assessments were conducted at least every 36 months
• Description of the test environment and how differences were accounted for (if a test environment was used for the assessment)
• Raw data outputs of the assessment for applicable devices
![Page 111: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/111.jpg)
Production Vs. Test
![Page 112: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/112.jpg)
CIP 010-2 R3.2 – Best Practices
• Vulnerability assessment should include at minimum:
– Network and access point discovery
– Port and service identification
– Review of default accounts, passwords, and network management community strings
– Wireless access point review
![Page 113: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/113.jpg)
CIP 010-2 R3.2 – Best Practice
• Where possible, conduct the Vulnerability Assessment on the production environment
• Implement a task managing tool to help track needed tasks and deadlines
• Document the SMEs responsible for conducting the Vulnerability Assessment and for which cyber assets
![Page 114: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/114.jpg)
CIP 010-2 R3.3
Related current requirement: CIP 007-3 R1 → CIP 010-2 R3.3
• New devices need an active Vulnerability Assessment prior to deployment
![Page 115: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/115.jpg)
CIP-010-2 R3.3 – Possible Pitfall
• Entity adds a new asset to production without first conducting an active Vulnerability Assessment
![Page 116: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/116.jpg)
CIP 010-2 R3.3 – Approach
• Ensure all newly added assets have had an active vulnerability scan conducted prior to the device being added to production
• Verify all necessary controls were verified as part of the assessment
• Verify raw data output of the vulnerability assessment can be provided
![Page 117: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/117.jpg)
CIP 010-2 R3.3 – Best Practice
• Document specific procedures that include:
– Responsible personnel for conducting the test
– When testing needs to occur
– Where testing should occur
– How the testing should be conducted for each cyber asset or group of cyber assets
• Use a checklist and/or peer reviews to reduce the chance of human error
![Page 118: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/118.jpg)
![Page 119: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/119.jpg)
CIP 010-2 R3.4
Related current requirements: CIP 005-3 R4, CIP 007-3 R8 → CIP 010-2 R3.4
• Document planned completion date for each remediation action
![Page 120: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/120.jpg)
CIP-010-2 R3.4 – Possible Pitfall
• Entity is not actively maintaining an action plan to remediate vulnerabilities found in the CVA.
– Entity is not documenting or updating the planned date of completion for remediation actions
![Page 121: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/121.jpg)
CIP-010-2 R3.4 – Approach
• Documented results of the review or assessment
• List of action items to remediate issues
• Status of the action items
– Documented proposed dates of completion for the action plan
![Page 122: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/122.jpg)
CIP-010-2 R3.4 – Approach
• Basic sample of action items with status
![Page 123: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/123.jpg)
R3 BPC Mitigation Plan
CIP-010-2 R3.4: Document the results of the assessments… …action plan to remediate or mitigate vulnerabilities identified… …planned date of completing the action plan and the execution status…
BPC mitigation plan – There is work in progress within BPC as well as from current vendors to document the correct Ports/Services required. The vendor will be on-site in March to assist with the finalization of this effort. Expected completion of the definitions for each host/group of hosts, to be completed June 30, 2014.
BPC mitigation plan – After the completion of the mitigation plan BPC will begin a validation and change process to ensure that all systems within the BCS have the approved ports and services configured and un-needed ports/services disabled or removed. The expected completion date for this effort will be by September 31, 2014.
![Page 124: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/124.jpg)
R3 Mitigation Plan
http://www.dsd.gov.au/images/top35-table-2012.png
![Page 125: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/125.jpg)
CIP-010-2 R3.4 – Best Practice
• Tie actions outlined in the plan to specific SMEs
• Use an automated task managing tool to track all required tasks and ensure they are being completed
• Have steps to ensure the action plan is updated and reflects the actual proposed completion date of actions
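An added example (not WECC's or any entity's tool) of the R3.4 tracking practice described above: each action item is tied to an SME and a planned completion date, a date can only be moved before it passes and with a written justification, and the status view flags overdue items. The items are constructed, and the 180-day cap on a single extension is an assumed definition of "reasonable".

```python
"""R3.4 action plan tracker: owner and planned date on every item, dated
updates only before the due date with a justification, overdue items surfaced.
Added example; items and the 180-day extension cap are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta

MAX_EXTENSION = timedelta(days=180)  # assumption: larger slips need a new plan, not an update


class PlanError(ValueError):
    """Raised when an update would leave the plan out of line with R3.4 expectations."""


@dataclass
class ActionItem:
    finding: str
    owner: str                 # the SME the action is tied to
    planned: date              # planned completion date, required for every item
    completed: date = None
    history: list = field(default_factory=list)  # (when, old date, new date, justification)

    def reschedule(self, new_date, justification, today):
        """Move the planned date: only before the current date passes, with a
        written justification, and by no more than MAX_EXTENSION."""
        if self.completed:
            raise PlanError(f'{self.finding}: already completed')
        if today > self.planned:
            raise PlanError(f'{self.finding}: planned date already passed; item is overdue')
        if not justification.strip():
            raise PlanError(f'{self.finding}: a justification is required')
        if new_date - self.planned > MAX_EXTENSION:
            raise PlanError(f'{self.finding}: extension exceeds {MAX_EXTENSION.days} days')
        self.history.append((today, self.planned, new_date, justification))
        self.planned = new_date

    def complete(self, today):
        self.completed = today


def plan_status(items, today):
    """The view an auditor asks for: open, overdue and completed items by name."""
    report = {'open': [], 'overdue': [], 'complete': []}
    for item in items:
        if item.completed:
            report['complete'].append(item.finding)
        elif today > item.planned:
            report['overdue'].append(item.finding)
        else:
            report['open'].append(item.finding)
    return report


def build_sample_plan():
    """Constructed items echoing findings shown earlier in the deck."""
    return [
        ActionItem('HMI-1: disable or justify TCP 777 (KingView ActiveX)', 'SCADA SME', date(2014, 6, 30)),
        ActionItem('EMS1: set a password on the blank Administrator account', 'Server SME', date(2014, 3, 31)),
        ActionItem('Router: replace telnet with SSH on vty lines', 'Network SME', date(2014, 9, 30)),
    ]


def run_scenario():
    """One completed item, one updated before its due date, one left to slip."""
    items = build_sample_plan()
    items[1].complete(date(2014, 3, 15))
    items[2].reschedule(date(2014, 11, 30), 'vendor on-site visit moved to October', date(2014, 7, 1))
    return items, plan_status(items, date(2014, 7, 15))


def late_update_rejected():
    """Updating an item after its planned date has passed is refused."""
    item = build_sample_plan()[0]  # planned 2014-06-30
    try:
        item.reschedule(date(2014, 8, 31), 'more time needed', date(2014, 7, 15))
    except PlanError:
        return True
    return False


if __name__ == '__main__':
    items, report = run_scenario()
    for bucket, names in report.items():
        print(bucket, names)
    print('late update rejected:', late_update_rejected())
```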
![Page 126: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/126.jpg)
CIP 010-‐2 R3
QUIZ Time
![Page 127: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/127.jpg)
CIP 010-2 R3
• Entities are required to test all changes in a test environment that reflects the production environment.
False – an active VA is not required for Medium impact facilities or for like devices with similar baseline configurations
![Page 128: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/128.jpg)
CIP 010-2 R3
• Entities will be required to meet the expected completion date of action plans to remediate issues found during the Vulnerability Assessment
TRUE. However, the entity can update the expected date if more time is needed, provided the update is reasonable, justified, and done prior to the due date
![Page 129: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/129.jpg)
Transient and Removable Media
![Page 130: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/130.jpg)
CIP 010-2 R4
Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall implement one or more documented Transient Cyber Asset and Removable Media plan(s) that include the applicable elements in Attachment 1…
![Page 131: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/131.jpg)
CIP 010-2 R4 Goals
To address FERC Order No. 791 Paragraphs 6 and 136, which require the standards to address security-related issues associated with tools specifically used for data transfer, vulnerability assessment, maintenance, or troubleshooting.
![Page 132: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/132.jpg)
CIP 010-2 R4 Goals
• Preventing unauthorized access or malware propagation to BES Cyber Systems through Transient Cyber Assets or Removable Media; and
• Preventing unauthorized access to BES Cyber System Information through Transient Cyber Assets or Removable Media
![Page 133: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/133.jpg)
Manage the Transient Cyber Asset
Transient Cyber Asset(s) Owned or Managed by the Responsible Entity:
1. Ongoing manner to ensure compliance with applicable requirements at all times
2. On-demand manner applying the applicable requirements before connection to a BES Cyber System
3. Combination of both
![Page 134: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/134.jpg)
Development of Transient Cyber Asset and Removable Media Plan
• Plan(s) should address:
– Transient Cyber Asset authorization
– Mitigating security vulnerabilities
– Mitigating the introduction of malicious code
– Mitigating the risk of unauthorized use
![Page 135: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/135.jpg)
Development of Transient Cyber Asset and Removable Media Plan
• 1.1. Transient Cyber Asset authorization, either individually or by group, which shall include:
• 1.1.1. Users, either individually or by group or role
• 1.1.2. Locations, either individually or by group
• 1.1.3. Acceptable use, limited to what is necessary to perform business functions
![Page 136: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/136.jpg)
Development of Transient Cyber Asset and Removable Media Plan
• 1.2. To mitigate security vulnerabilities (per Transient Cyber Asset capability), use one or a combination of the following methods:
• Security patching, including manual or managed updates
• Live operating system and software executable only from read-only media
• System hardening
• Other measures that provide an equal or greater level of protection to those listed above under 1.2
![Page 137: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/137.jpg)
Development of Transient Cyber Asset and Removable Media Plan
• 1.3. To mitigate the introduction of malicious code (per Transient Cyber Asset capability), use one or a combination of the following methods:
• Antivirus software, including manual or managed updates of signatures or patterns
• Application whitelisting
• Restricted communication to limit the exchange of data to only the TCA and the Cyber Assets to which it is connected
• Other measures that provide an equal or greater level of protection to those listed above under 1.3
![Page 138: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/138.jpg)
Development of Transient Cyber Asset and Removable Media Plan
• 1.4. To mitigate the risk of unauthorized use, use one or a combination of the following methods:
• Transient Cyber Asset resides within a location with restricted physical access
• Full-disk encryption with authentication
• Multi-factor authentication
• Theft recovery tools
• Other measures to mitigate the risk of unauthorized use
![Page 139: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/139.jpg)
CIP-010-2 R4 Approach
• Auditors will request your plan(s) addressing Transient Devices and Removable Media
• Evidence of records of connecting, using, and disconnecting Transient Devices and Removable Media
• Sample of devices and the methods used to secure each device prior to connecting
![Page 140: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/140.jpg)
CIP-010-2 R4 Example
• Sample record
• Raw data
– Screenshot of A/V signatures, patch level
– Screenshot of full disk encryption settings
– Change ticket
![Page 141: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/141.jpg)
CIP-010-2 R4 Change Ticket Example
![Page 142: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/142.jpg)
Transient Cyber Asset(s) Owned or Managed by Vendors or Contractors
Implement actions prior to connecting the vendor- or contractor-owned Transient Cyber Asset.
![Page 143: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/143.jpg)
Transient Cyber Asset(s) Owned or Managed by Vendors or Contractors
2.1 To mitigate security vulnerabilities (per Transient Cyber Asset capability), use one or a combination of the following methods:
• Review of installed security patch(es)
• Review of the security patching process used by the vendor or contractor
• Review of other vulnerability mitigation performed by the vendor or contractor
• Other measures that provide an equal or greater level of protection to those listed above under 2.1
![Page 144: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/144.jpg)
Transient Cyber Asset(s) Owned or Managed by Vendors or Contractors
2.2 To mitigate malicious code, use one or a combination of the following methods:
• Review of antivirus update level
• Review of the antivirus update process used by the vendor or contractor
• Review of application whitelisting used by the vendor or contractor
• Review of the use of a live operating system and software executable only from read-only media
• Review of system hardening used by the vendor or contractor
• Other measures that provide an equal or greater level of protection to those listed above under 2.2
![Page 145: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/145.jpg)
Transient Cyber Asset(s) Owned or Managed by Vendors or Contractors
• Sample review record
![Page 146: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/146.jpg)
CIP-010-2 R4 Change Ticket Example
![Page 147: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/147.jpg)
Removable Media
3.1 Acceptable use, which shall include:
3.1.1 Users, either individually or by group or role
3.1.2 Locations, either individually or by group
3.2 To mitigate malicious code, scan Removable Media outside of the BES Cyber System
![Page 148: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/148.jpg)
Transient and Removable Media Types
These assets do not provide BES reliability services and are not part of the BES Cyber Asset they are connected to. Examples of these devices include, but are not limited to:
• Hardware/software diagnostic test equipment
• Hardware/software packet sniffers
• Hardware/software used for BES Cyber System maintenance
• Hardware/software used for BES Cyber System configuration
• Hardware/software used to perform vulnerability assessments
![Page 149: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/149.jpg)
Removable Media Types
Media, directly connected for 30 consecutive calendar days or less, capable of transmitting executable code to:
• A BES Cyber Asset
• A network within an ESP
• A Protected Cyber Asset
that can be used to store, copy, move, or access data.
Removable Media are not Cyber Assets. Examples include, but are not limited to, floppy disks, compact disks, USB flash drives, external hard drives, and other flash memory cards/drives that contain nonvolatile memory.
![Page 150: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/150.jpg)
Transient Cyber Asset Types
Transient Cyber Asset: A Cyber Asset (e.g., using Ethernet, serial, Universal Serial Bus, and wireless including near field and Bluetooth communication) directly connected for 30 consecutive calendar days or less, capable of transmitting executable code to:
• A BES Cyber Asset
• A network within an ESP
• A Protected Cyber Asset
![Page 151: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/151.jpg)
Transient Cyber Asset Types
Examples include, but are not limited to, Cyber Assets used for:
• Data transfer
• Vulnerability assessment
• Maintenance
• Troubleshooting purposes
Once the transient device is disconnected, the requirements listed herein are not applicable.
![Page 152: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/152.jpg)
CIP 010-2 R4 Approach
• How should I document the use and removal of transient devices and removable media?
• Maintain records:
– Which devices were connected to which ESP
– When they were connected/disconnected
– What they were used for
– Systems assessed
• Entities are required to document and implement a plan for how they will manage the use of Transient Cyber Assets and Removable Media
![Page 153: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/153.jpg)
CIP 010-2 R4 Best Practices
• Ensure transient devices do not have wireless or Bluetooth features enabled
• Transient Cyber Assets that may be used for assets in differing impact areas (i.e. high impact, medium impact, low impact)
– Consider the need to have separate Transient Cyber Assets for each impact level
• Use a combination of methods listed, not just the minimum
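The three slides above describe what to keep on record for each transient device or removable media connection, the 30-consecutive-calendar-day limit built into the Transient Cyber Asset and Removable Media definitions, and the best practice of not sharing one Transient Cyber Asset across impact levels. The following Python program is an added example, not WECC or NERC code and not part of the presentation: it keeps those records and runs the checks an auditor would ask about. The record field names, the inclusive way of counting calendar days, and every device id, ESP name and date in the sample data are assumptions made for the example.

```python
"""Added example (not WECC or NERC code): keep the CIP-010-2 R4 connection
records named on the 'R4 Approach' slide and check them against the 30
consecutive calendar day threshold in the Transient Cyber Asset / Removable
Media definitions and the 'separate TCAs per impact level' best practice.
Field names, the inclusive day count, and all sample data are assumptions."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

TRANSIENT_LIMIT_DAYS = 30   # "directly connected for 30 consecutive calendar days or less"


@dataclass
class ConnectionRecord:
    device_id: str                # which device (asset tag of the TCA or media)
    esp: str                      # which ESP it was connected to
    impact: str                   # impact level of that ESP: "high", "medium" or "low"
    connected: date               # when connected
    disconnected: Optional[date]  # when disconnected; None = still connected
    purpose: str                  # what it was used for
    systems_assessed: list = field(default_factory=list)  # systems accessed or assessed

    def days_connected(self, as_of: date) -> int:
        """Consecutive calendar days of this one connection, counted inclusively
        (connect on the 1st, disconnect on the 30th = 30 days). An open record is
        counted up to `as_of`. Inclusive counting is this example's conservative
        assumption; a reconnect after a gap starts a new record and a new count."""
        end = self.disconnected if self.disconnected is not None else as_of
        return (end - self.connected).days + 1


def exceeds_transient_limit(rec: ConnectionRecord, as_of: date) -> bool:
    """More than 30 consecutive days: the device no longer fits the transient
    definition and needs the protections of a Cyber Asset inside that ESP."""
    return rec.days_connected(as_of) > TRANSIENT_LIMIT_DAYS


def devices_spanning_impact_levels(records) -> dict:
    """{device_id: [levels]} for devices connected to ESPs of more than one
    impact level, the situation the best-practice slide says to avoid."""
    levels = {}
    for rec in records:
        levels.setdefault(rec.device_id, set()).add(rec.impact)
    return {d: sorted(s) for d, s in levels.items() if len(s) > 1}


def audit(records, as_of: date) -> dict:
    """{device_id: [findings]}: over the 30-day threshold, used across impact
    levels, or missing the purpose / systems-assessed data the slide lists."""
    findings = {}
    for rec in records:
        issues = []
        if exceeds_transient_limit(rec, as_of):
            issues.append(f"{rec.days_connected(as_of)} consecutive days on {rec.esp}: "
                          f"exceeds {TRANSIENT_LIMIT_DAYS}-day transient threshold")
        if not rec.purpose.strip():
            issues.append(f"no purpose recorded for {rec.esp} connection")
        if not rec.systems_assessed:
            issues.append(f"no systems assessed recorded for {rec.esp} connection")
        if issues:
            findings.setdefault(rec.device_id, []).extend(issues)
    for dev, levels in devices_spanning_impact_levels(records).items():
        findings.setdefault(dev, []).append(f"used across impact levels {levels}")
    return findings


def connections_by_esp(records) -> dict:
    """Which devices were connected to which ESP."""
    out = {}
    for rec in records:
        out.setdefault(rec.esp, set()).add(rec.device_id)
    return {esp: sorted(ids) for esp, ids in out.items()}


# Constructed sample records; the device ids, ESP names and dates are invented.
AUDIT_AS_OF = date(2017, 4, 20)
SAMPLE_RECORDS = [
    ConnectionRecord("TCA-LAPTOP-01", "ESP-SUBSTATION-A", "medium", date(2017, 3, 1),
                     date(2017, 3, 1), "vulnerability assessment", ["RTU-1", "RTU-2"]),
    ConnectionRecord("TCA-LAPTOP-01", "ESP-CONTROL-CENTER", "high", date(2017, 3, 6),
                     date(2017, 4, 4), "maintenance", ["EMS-SERVER-1"]),   # exactly 30 days
    ConnectionRecord("USB-0042", "ESP-SUBSTATION-A", "medium", date(2017, 3, 10),
                     None, "firmware transfer", []),                      # still connected
    ConnectionRecord("TCA-LAPTOP-02", "ESP-SUBSTATION-B", "medium", date(2017, 1, 2),
                     date(2017, 2, 14), "", ["RELAY-7"]),                 # purpose missing
]

if __name__ == "__main__":
    for dev, issues in sorted(audit(SAMPLE_RECORDS, AUDIT_AS_OF).items()):
        print(dev)
        for issue in issues:
            print("  -", issue)
    print(connections_by_esp(SAMPLE_RECORDS))
```

Run as written, the audit flags the USB drive that is still connected after 42 days and the laptop whose January connection lasted 44 days with no purpose recorded, and it also flags TCA-LAPTOP-01 for being used on both a medium-impact and a high-impact ESP even though each of its connections stayed within 30 days. Counting days inclusively is the conservative choice; an entity that reads the threshold differently should document its interpretation in the R4 plan so the record keeping and the audit evidence agree.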
![Page 154: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/154.jpg)
CIP 010-2 R4 Best Practices
• Use the concept of system hardening for Transient devices
– Helps minimize security vulnerabilities by removing all non-essential software programs and utilities and only installing the bare necessities
• Restrict or disable serial or network (including wireless) communications
– Can be used to minimize the opportunity to introduce malicious code onto the Transient Cyber Asset
![Page 155: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/155.jpg)
Additional Resources
• CIP-010-1
• NERC version 4 to version 5 mapping
• Glossary of Terms Used in NERC Reliability Standards
• NIST SP800-115 – Security testing
![Page 156: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/156.jpg)
Summary
• Know what is required for each BES Cyber System
• Create and maintain device baselines
• Active vs. paper assessment
• Track and manage deadlines
• Transient and Removable Media
• Review referenced NIST documents for added guidance
![Page 157: Presentation - Track 1 Day 1_CIP-010](https://reader034.vdocuments.site/reader034/viewer/2022052606/5852db741a28abfa398e2814/html5/thumbnails/157.jpg)
Speaker Contact Info
Ben Christensen, Senior Compliance Risk Analyst, Cyber Security
801-819-7666
[email protected]