Track 1 Day 1: CIP-010 (Henderson, NV, 2014-10-09)
TRANSCRIPT
CIP-010-2 CIP 101
Ben Christensen, Senior Compliance Risk Analyst, Cyber Security
Pop Quiz!!
• Who invented the electric motor? A. William Sturgeon B. Thomas Davenport C. Michael Faraday
WESTERN ELECTRICITY COORDINATING COUNCIL
Pop Quiz!!
• Who invented the electric motor?
Michael Faraday
Agenda
• Help entities understand and prepare for the upcoming CIP 010-2
  – Differences and relations to current requirements
  – Transient devices and removable media
  – Possible pitfalls to look for while implementing CIP 010-2
  – WECC's audit approach
  – Best practices
CIP 010-2
CIP-010-2 Effective Dates
• CIP-010-2 R1 – R3: April 1, 2016
• CIP-010-2 R4: 9 months later (January 1, 2017)
  – Registered Entities shall not be required to comply with Reliability Standard CIP-010-2, Requirement R4 until nine calendar months after the effective date of Reliability Standard CIP-010-2.
Applicable Systems
Applicable Systems in R4
• Transient Devices
• Removable Media
Purpose of CIP 010-2
• Prevent and detect unauthorized changes to BES Cyber Systems.
• Specify vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise.
• Document and maintain device baselines and periodically verify they are accurate.
• Prevent unauthorized access or malware propagation from transient devices.
CIP 010-2 Similarities with V.3
• CIP 003-3 R6: Change Control and Configuration Management
• CIP 007-3 R1: Test procedures
• CIP 005-3 R4 and CIP 007-3 R8: Cyber Vulnerability Assessment(s)
• CIP 007-3 R9 and CIP 005-3 R5: Documentation review and maintenance
POP Quiz!!
• Who invented the modern automobile? A. Henry Ford B. Karl Benz C. Ransom Olds
POP Quiz!!
• Who invented the modern automobile?
Karl Benz
CIP 010-2 R1
CIP 010-2 R1.1 (maps from CIP 003-3 R6)
• Applicable to Protected Cyber Assets (PCA) and specifies information required in device baselines
CIP-010-2 R1.1 - Possible Pitfall #1
• CIP 003-3 R6 was previously not applicable to non-CCAs that resided within an ESP, so the entity never created baselines for these devices, nor updated its procedures to ensure baselines are maintained for them.
CIP-010-2 R1.1 - Possible Pitfall #2
• Entity does not ensure documented baselines for all devices contain operating system, commercial/open source software, custom software, logical ports, and security patches applied.
CIP-010-2 R1.1 Approach
• Ensure the entity has documented baselines for all devices (or groups of devices) in applicable BES Cyber Systems
  – Verify baselines include operating system/firmware, commercial software, custom software, logical network accessible ports, and security patches applied
"Limited" Device Example
• Serial-only microprocessor relay: Asset #051028 at Substation Alpha
  R1.1.1 – Firmware: [MANUFACTURER]-[MODEL]-XYZ-1234567890-ABC
  R1.1.2 – Not Applicable
  R1.1.3 – Not Applicable
  R1.1.4 – Not Applicable
  R1.1.5 – Patch 12345, Patch 67890, Patch 34567, Patch 437823
CIP-010-2 R1.1 Approach
• 5 minimum components of a baseline:
  – software/firmware versions
  – open source/commercially available software
  – custom applications
  – logical network accessible ports
  – applied security patches
• Information about hardware differences may apply, since it could affect installed applications and patches
Basic Baseline
CIP 010-2 R1.1 Best Practice
• Use a combination of automated tools and manual walkthroughs/verifications to ensure lists and baselines are accurate
• Minimize applications on devices to only what is necessary
• Include a step to periodically verify the accuracy of applicable device lists and baselines
CIP 010-2 R1.1 Best Practice
• Discussions and careful planning should be conducted on the method for maintaining device baselines
  – Review the CIP 007 R3 presentation from the Oct 2013 CIPUG for common methods to maintain information
  – What method is best for your organization:
    • Commercial software
    • Custom software
    • Spreadsheet
CIP 010-2 R1.1 Best Practice
• Consider moving away from spreadsheets and other manual methods and look into more advanced methods for retaining information.
  – See Joe B's presentation from the October 2011 CIPUG on the advantages of moving from a spreadsheet to a relational database
  – It also includes some labeling schema tips for implementing a database for device management
CIP 010-2 R1.2 (maps from CIP 003-3 R6)
• Applicable to PCA and requires changes to be authorized
CIP-010-2 R1.2 - Possible Pitfall
• Entity cannot demonstrate that all changes made to baseline(s) were authorized
CIP 010-2 R1.2 - Approach
• Ensure all changes made to baselines have been authorized.
CIP 010-2 R1.2 – Best Practice
• Update procedural documentation to include at minimum:
  – Who can authorize changes, and to what
  – When authorization needs to occur
  – How the authorization will be documented, stored, and tracked
• Segregation of duties
  – The implementer should be different from the authorizer
CIP 010-2 R1.3 (maps from CIP 005-3 R5 and CIP 007-3 R9)
• Baselines must be updated within 30 days of a change
CIP 010-2 R1.3 – Possible Pitfall
• Entity cannot demonstrate that baselines are updated within 30 days of changes being made
CIP 010-2 R1.3 - Approach
• Ensure the entity is updating baselines within 30 days of when the change was made.
  – The start date will be determined by reviewing work orders, tracking sheets, or other documentation that details when the change actually occurred.
CIP 010-2 R1.3 – Best Practices
• Procedures for updating baselines should address:
  – Who will communicate the changes made to the baselines
  – How changes will be communicated
  – Who the changes are communicated to
  – When the changes will be made
CIP 010-2 R1.3 – Best Practices
• Maintain a version history when updating documentation:
  – Version number
  – Who performed the update to the documentation
  – Who made the change to the device
  – Who authorized the change
  – What was changed
POP Quiz!!
• Who invented the printing press?
POP Quiz!!
• Who invented the printing press?
Johannes Gutenberg
CIP 010-2 R1.4 (maps from CIP 007-3 R1)
• The impact of a change must consider the security controls in CIP 005 and CIP 007
CIP 010-2 R1.4 – Possible Pitfall
• Entity verifies the same controls for all changes made to any baseline.
  – Thus the entity does not account for different environments, devices, or changes when determining which controls could be impacted
• May be acceptable if all controls are verified every time
CIP 010-2 R1.4 - Approach
• Verify all changes made to device baselines are documented
• Ensure controls that may be impacted were identified and documented prior to the change
  – Why were some controls not included?
• Review evidence supporting that identified controls were not adversely impacted
CIP 010-2 R1.4 – Best Practices
• Procedures should include:
  – Documenting the date on which the steps taken to support cyber security controls were identified, prior to the change taking place
  – How potentially impacted cyber security controls are identified
    • Who does this?
  – How adverse impacts will be detected
    • Who does this, and when?
CIP 010-2 R1.4 – Best Practices
• Include a peer review step when reviewing what controls may be impacted and when verifying controls weren't adversely impacted
• Coordinate testing processes between departments, business units, etc. to ensure consistency
CIP 010-2 R1.5 (maps from CIP 007-3 R1)
CIP 010-2 R1.5 cont.
• Only applicable to High Impact systems
• Specific to security controls that must be tested
  – Security controls in CIP 005 and CIP 007
• New test environment requirements
  – Document if a test environment was used
  – Document differences between the test and production environment
    • Measures taken to account for these differences
CIP 010-2 R1.5 Possible Pitfall
• Entity does not document differences between the production and testing environment
• Entity does not take measures to account for differences between the production and testing environment.
CIP 010-2 R1.5 - Approach
• For each change that deviates from the existing baseline:
  – List of cyber security controls tested
  – Test results
  – List of differences between the production and test environments
  – Descriptions of how any differences were accounted for
  – When testing occurred
CIP 010-2 R1.5 – Best Practices
• Use a checklist or other task managing tool to reduce the likelihood of not testing all controls
• Document specific test procedures for each cyber asset or group of assets
  – Describe the test procedures
  – Describe the test environment and how it reflects the production environment
POP Quiz!!
• When was the atomic bomb first invented?
POP Quiz!!
• When was the atomic bomb first invented?
July 1945
CIP 010-2 R2.1 (maps from CIP 003-3 R6)
• Must actively search for unauthorized changes to the baseline
  – Automated preferred, but can be manual
• Must document and investigate unauthorized changes
CIP-010-2 R2.1 – Possible Pitfall
• Not consistently monitoring for changes every 35 days
  – Entity begins the process at the end of the month, and so continuously misses the 35-day deadline because it does not leave enough time to complete the review
  – Documentation is inconsistent, and SMEs can't keep track of whether specific devices have an automated or a manual process for tracking configuration changes
CIP 010-2 R2.1 - Approach
• Logs from a system that is monitoring configurations
• Work orders, tracking sheets, raw data evidence of manual investigations
• Records investigating detected unauthorized changes
CIP 010-2 R2.1 - Approach
• Sample review of baseline
CIP 010-2 R2 – Best Practice
• Consider using commercial or open source File Integrity Monitoring software for continuous monitoring
• Start the monitoring process far enough in advance to complete the review
  – Consider using an automated task managing tool
CIP 010-2 R2 – Best Practice
• What if you find an unauthorized change?
  – What change(s) have been made without authorization?
  – Who made the change(s)?
  – When were the change(s) made?
  – How can a similar issue be prevented?
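Worked example (added here; it is not part of the WECC slides or any entity's tooling): a Python sketch of the R1.1 baseline record with its five components, the R1.2 authorization log, and the R2.1 comparison that turns a baseline diff into the list of unauthorized changes an SME then investigates (what changed, who, when). The device, packages, ports, patch identifiers and personnel names are constructed sample data, and the 10-day lead time in next_review_window is an assumed scheduling choice, not a requirement.

```python
"""CIP-010-2 R1/R2 added example: an R1.1 baseline with the five required
components, R1.2 authorization records, and the R2.1 check that turns a
baseline diff into a list of unauthorized changes.  Illustrative code written
for this page, not the entity's or WECC's tooling; every device, package,
port, patch identifier and name below is constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Baseline:
    """One Cyber Asset baseline, CIP-010-2 R1.1.1 through R1.1.5."""
    os_firmware: str          # R1.1.1 operating system or firmware
    commercial: frozenset     # R1.1.2 commercial / open-source software
    custom: frozenset         # R1.1.3 custom software
    ports: frozenset          # R1.1.4 logical network accessible ports ("tcp/445")
    patches: frozenset        # R1.1.5 security patches applied


COMPONENTS = ("os_firmware", "commercial", "custom", "ports", "patches")


def diff_baseline(authorized: Baseline, observed: Baseline) -> dict:
    """Return {component: (removed, added)} for each component that differs.
    The scalar os_firmware value is reported as a one-element removal/addition."""
    diffs = {}
    for name in COMPONENTS:
        a, o = getattr(authorized, name), getattr(observed, name)
        if a == o:
            continue
        if name == "os_firmware":
            diffs[name] = ({a}, {o})
        else:
            diffs[name] = (set(a - o), set(o - a))
    return diffs


def unauthorized_changes(diffs: dict, authorizations: list) -> list:
    """R2.1: every deviation that no R1.2 authorization record accounts for.

    An authorization record is a dict with 'component', optional 'added'
    and 'removed' lists, and who authorized / implemented it and when."""
    covered = {name: (set(), set()) for name in COMPONENTS}
    for rec in authorizations:
        removed_ok, added_ok = covered[rec["component"]]
        removed_ok.update(rec.get("removed", ()))
        added_ok.update(rec.get("added", ()))
    findings = []
    for name, (removed, added) in diffs.items():
        removed_ok, added_ok = covered[name]
        findings += [(name, "removed", item) for item in sorted(removed - removed_ok)]
        findings += [(name, "added", item) for item in sorted(added - added_ok)]
    return findings


def next_review_window(last_review: date, lead_days: int = 10) -> tuple:
    """R2.1 runs at least once every 35 calendar days.  Return (start, due):
    the deadline and the date to begin so the review finishes before it
    (avoids the 'start at month end and miss the deadline' pitfall).
    lead_days is an assumed planning value, not a requirement."""
    due = last_review + timedelta(days=35)
    return due - timedelta(days=lead_days), due


# Constructed sample data for an HMI-class server (not a real asset).
AUTHORIZED = Baseline(
    os_firmware="Windows Server 2008 R2 SP1",
    commercial=frozenset({"SCADA-HMI 6.53", "Acme-Historian 4.2"}),
    custom=frozenset({"alarm-forwarder 1.1"}),
    ports=frozenset({"tcp/135", "tcp/445", "tcp/6002"}),
    patches=frozenset({"Patch 12345", "Patch 67890"}),
)
OBSERVED = Baseline(           # what this month's R2.1 collection found
    os_firmware="Windows Server 2008 R2 SP1",
    commercial=frozenset({"SCADA-HMI 6.53", "Acme-Historian 4.3", "RemoteView 2.0"}),
    custom=frozenset({"alarm-forwarder 1.1"}),
    ports=frozenset({"tcp/135", "tcp/445", "tcp/6002", "tcp/5900"}),
    patches=frozenset({"Patch 12345", "Patch 67890", "Patch 34567"}),
)
AUTHORIZATIONS = [             # R1.2 records from the change-control system
    {"component": "commercial", "removed": ["Acme-Historian 4.2"],
     "added": ["Acme-Historian 4.3"], "authorized_by": "j.doe",
     "implemented_by": "a.smith", "date": date(2014, 9, 12)},
    {"component": "patches", "added": ["Patch 34567"], "authorized_by": "j.doe",
     "implemented_by": "a.smith", "date": date(2014, 9, 12)},
]

if __name__ == "__main__":
    for component, action, item in unauthorized_changes(
            diff_baseline(AUTHORIZED, OBSERVED), AUTHORIZATIONS):
        print(f"UNAUTHORIZED {component}: {action} {item}")
    start, due = next_review_window(date(2014, 10, 1))
    print(f"next R2.1 review: start by {start}, due {due}")
```

Run as a script, it reports the two changes nobody authorized (the RemoteView package and the new 5900/tcp listener) while staying silent on the historian upgrade and the patch, both of which have an R1.2 record naming a separate authorizer and implementer. Each finding is the starting point for the who/when/how-prevented questions above, and the authorization records are the evidence an auditor asks for under R1.2.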
CIP 010-2 R1 and R2
QUIZ Time
CIP 010-2 R1 and R2
• Entities are required to test all changes in a test environment that reflects the production environment.
False
CIP 010-2 R1 and R2
• Entity baselines are required to include:
  1. Operating system/firmware
  2. Commercial/open source software
  3. Custom software
  4. Logical ports
  5. All security patches applied
TRUE
But what about devices where some of these don't apply?
CIP 010-2 R3
CIP 010-2 R3.1 (maps from CIP 007-3 R8 and CIP 005-3 R4)
• No more annual requirement, and the VA can be active or paper
CIP-010-2 VA Timelines
• 1st performance of active or paper (15 months) – April 1, 2017
• 1st performance of active (36 months) – April 1, 2018
CIP-010-2 R3.1 – Possible Pitfall
• Entity conducts its initial Vulnerability Assessment in January, then not again until April of the next year (16 months)
• Misses the 1st performance of active and paper VAs
4 Steps for Paper VA
1. Network Discovery
2. Network Port and Service Identification
3. Vulnerability Review
4. Wireless Review
Paper VA
• Network Discovery - A review of network connectivity to identify all Electronic Access Points to the Electronic Security Perimeter.
• Network Port and Service Identification - A review to verify that all enabled ports and services have an appropriate business justification.
Paper VA
• Vulnerability Review - A review of security rule-sets and configurations, including controls for default accounts, passwords, and network management community strings.
• Wireless Review - Identification of common types of wireless networks (such as 802.11a/b/g/n) and a review of their controls if they are in any way used for BES Cyber System communications.
What is a Paper Assessment?
• Is it a "document review" exercise?
• Should I perform physical inspections?
• Do I need to include enumeration of ports and services?
What is a Paper Assessment?
Should include:
• Document reviews
  – Such as reviews of known vulnerabilities of installed applications
• Dumps of configs
  – Such as a list of open listening ports generated by platform-resident tools such as netstat
Might contain information about issues such as:
• Current threats and how the baseline configurations are designed to address them
4 Steps for Active VA
1. Network Discovery
2. Network Port and Service Identification
3. Vulnerability Scanning
4. Wireless Scanning
Active VA
• Network Discovery - Use of active discovery tools to discover active devices and identify communication paths, in order to verify that the discovered network architecture matches the documented architecture.
• Network Port and Service Identification – Use of active discovery tools (such as Nmap) to discover open ports and services.
Active VA
• Vulnerability Scanning – Use of a vulnerability scanning tool to identify network accessible ports and services, along with the identification of known vulnerabilities associated with the services running on those ports.
• Wireless Scanning – Use of a wireless scanning tool to discover wireless signals and networks in the physical perimeter of a BES Cyber System. Serves to identify unauthorized wireless devices within the range of the wireless scanning tool.
What tools should I use?
Are tools such as Nmap required for active assessments, or can entities use custom scripts (which use native OS commands) to enumerate open ports and services? What constitutes an active port scan?
What tools should I use?
The intent of the active assessment is to test the Cyber Asset from the "outside" rather than simply having the Cyber Asset look at itself.
CIP-010-2 R3.1 – Approach
• Verify when the last VA was conducted
• Verify the current VA was conducted within 15 calendar months of the previous VA
• Evidence could include:
  – A document listing the date of the assessment and the output of any tools used to perform the assessment.
CIP-010-2 R3 Initial Evidence

C:\HMI-1>netstat

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    HMI-1:2111             localhost:33333        ESTABLISHED
  TCP    HMI-1:3616             localhost:10525        ESTABLISHED
  TCP    HMI-1:5152             localhost:1573         CLOSE_WAIT
  TCP    HMI-1:10525            localhost:3616         ESTABLISHED
  TCP    HMI-1:33333            localhost:2111         ESTABLISHED
  TCP    HMI-1:netbios-ssn      172.16.105.1:56761     TIME_WAIT
  TCP    HMI-1:netbios-ssn      172.16.105.1:56762     TIME_WAIT
  TCP    HMI-1:netbios-ssn      172.16.105.1:56765     TIME_WAIT
  TCP    HMI-1:netbios-ssn      172.16.105.1:56766     TIME_WAIT
R3 Evidence – Nessus Summary
2014 Cyber Vulnerability Assessment
Manual Review of Configs

#show run
…
ip http server
!
access-list 23 permit 172.16.105.200 0.0.0.0
access-list 23 permit 172.16.105.201 0.0.0.0
!
line vty 5 15
 transport input ssh
!
access-class 23 in
!
ntp-server 172.16.105.88
...
Manual Vulnerability Assessment

#show run
…
no logging
ip http server
!
access-list 23 permit 172.16.105.200 0.0.0.0
access-list 23 permit 172.16.105.201 0.0.0.0
!
line vty 5 15
 transport input telnet
 login
 password ***********
!
access-class 23 in
!
no logging console
debug condition interface
no snmp-server
ntp-server 172.16.105.88
...
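Worked example (added here; not from the slides and not WECC tooling): a Python rule check that performs the manual config review above mechanically on an IOS-style running-config, so the same findings (cleartext telnet on the vty lines, no access-class, a shared line password, HTTP management, logging turned off, default SNMP community strings) come out of every assessment regardless of who runs it. Both configs are constructed, modeled on the slide's sample, and the rule set is an illustrative subset of what a reviewer checks, not a complete hardening benchmark.

```python
"""Added example for the 'Manual Review of Configs' / 'Manual Vulnerability
Assessment' step of a paper VA: a small rule-based review of an IOS-style
running-config.  Written for this page (not WECC tooling); the two configs
below are constructed, modeled on the slide's sample, and the rule list is
an illustrative subset of what a reviewer checks."""
import re

DEFAULT_COMMUNITIES = {"public", "private"}


def parse_ios(text: str):
    """Split a running-config into top-level commands and indented blocks
    ('line vty 0 4' -> [commands]).  A '!' line or a blank line ends a block."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            current = None
            continue
        if line.startswith(" "):
            if current is not None:
                blocks[current].append(line.strip())
            continue
        if line.startswith(("line ", "interface ")):
            current = line
            blocks[current] = []
        else:
            current = None
            top.append(line)
    return top, blocks


def review_config(text: str) -> list:
    """Return human-readable findings; an empty list means no rule fired."""
    top, blocks = parse_ios(text)
    findings = []
    for cmd in top:
        if cmd == "ip http server":
            findings.append(f"{cmd}: cleartext HTTP management enabled")
        elif cmd in ("no logging", "no logging on"):
            findings.append(f"{cmd}: logging disabled (no event record for CIP-007 R4)")
        else:
            m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?", cmd)
            if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
                findings.append(f"{cmd}: default SNMP community string")
            elif m and m.group(2) == "RW":
                findings.append(f"{cmd}: SNMP write access enabled")
    for header, cmds in blocks.items():
        if not header.startswith("line vty"):
            continue
        for t in (c for c in cmds if c.startswith("transport input")):
            if set(t.split()[2:]) & {"telnet", "all"}:
                findings.append(f"{header}: '{t}' permits cleartext telnet")
        if not any(c.startswith("access-class") for c in cmds):
            findings.append(f"{header}: no access-class, reachable from any source")
        if any(c.startswith("password") for c in cmds) and not any(
                c.startswith(("login local", "login authentication")) for c in cmds):
            findings.append(f"{header}: shared line password instead of per-user login")
    return findings


# Constructed sample configs (modeled on the slide, not a real device).
WEAK_CONFIG = """\
!
no logging on
ip http server
!
snmp-server community public RO
!
line vty 0 4
 password 7 00000000000000
 login
 transport input telnet ssh
!
"""
HARDENED_CONFIG = """\
!
logging buffered 64000
no ip http server
!
no snmp-server
!
access-list 23 permit 172.16.105.200 0.0.0.0
access-list 23 permit 172.16.105.201 0.0.0.0
!
line vty 0 4
 access-class 23 in
 login local
 transport input ssh
!
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, review_config(cfg) or ["no findings"])
```

The weak config produces six findings and the hardened one none; the hardened block also shows what "account for" looks like for each finding (SSH only, an access-class bound to the management hosts, per-user login, logging kept on). Because the rules are explicit, the list doubles as the documented test procedure an auditor asks for and as the checklist for the R3.4 action plan.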
[CIP-010-2 R3] Typical Data Requests
• For the following servers and workstations (within the BCS), provide current netstat (netstat -b -o -a -n / netstat -p -a -l) or port scan (TCP/UDP) results. [sample list]
• For the following network devices, provide current configuration files (i.e., show run all) and the ports and services running (scan results if they exist)
• Provide a spreadsheet identifying all BCS assets, associated TFEs, and associated requirements
[CIP-010-2 R3] Typical Data Requests
• Provide the initial paper vulnerability assessment report
• Provide the initial active vulnerability assessment
• Provide subsequent assessments
• Provide detailed (RAW DATA) vulnerability assessment results for the following specific BCS, EACMS and PACS [sample list]
• Provide the mitigation plan and results (current status) for the VA
• Provide the action plan and current status
[CIP-010-2 R3] Typical Interview Questions
• How do you perform an active and a paper assessment?
• Describe the procedures used to identify the required ports/services
• Are vendors involved with the definition of required ports/services?
• Are there devices on which ports and services cannot be disabled?
• If so, what compensating measures are in place?
[CIP-010-2 R3] Typical Interview Questions
• Describe the vulnerability assessment process
• Who performs the assessment? Is the assessment performed in-house or outsourced?
• Does the assessment include all BCS and cyber assets?
  – Specific addresses or entire networks?
• Describe the procedures/tools utilized to identify open ports/services and user accounts
• Is there a baseline to compare ports/services and user accounts with?
R3 Audit Evidence Examples
• Netstat:
  – netstat -b -o -a -n > netstat_boan.txt
  – netstat -p -a -l > netstat_pal.txt
• Nmap scan results:
  – nmap -sT -sV -p T:0-65535 <IP_address> >> nmap_tcp.txt
  – nmap -sU -sV -p U:0-65535 <IP_address> >> nmap_udp.txt
  – show control-plane host open-ports
• Manual review – show run config file (router or firewall)
VA Sample Checklist
[ ] Active or Paper
[ ] Network Discovery
    [ ] Review of network diagrams
    [ ] Walk down performed
    [ ] Ping sweeps
[ ] Network Port and Service Identification
    [ ] Nmap scans of all subnets
    [ ] Netstat or other resident tool used
    [ ] Manual review of config
VA Sample Checklist Cont.
[ ] Vulnerability Scanning
    [ ] Nmap/Nessus scan performed
    [ ] Manual review of config
        [ ] Rule-sets
        [ ] Accounts
        [ ] Passwords
        [ ] Default community strings
[ ] Wireless Scanning
    [ ] Scan performed
    [ ] Visual inspection performed
HMI-1 Baseline Evidence

C:\Documents and Settings\HMI-1>netstat -b -o -a -n > netstat_boan.txt

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  C:\WINDOWS\system32\svchost.exe
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  [System]
  TCP    0.0.0.0:6002           0.0.0.0:0              LISTENING       428
  [spnsrvnt.exe]
  TCP    0.0.0.0:7001           0.0.0.0:0              LISTENING       248
  [sntlkeyssrvr.exe]
  TCP    0.0.0.0:7002           0.0.0.0:0              LISTENING       248
  [sntlkeyssrvr.exe]
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1656
  [dirmngr.exe]
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       2484
  [alg.exe]
  TCP    127.0.0.1:5152         0.0.0.0:0              LISTENING       1764
  [jqs.exe]
  TCP    127.0.0.1:33333        0.0.0.0:0              LISTENING       1856
  [PGPtray.exe]
  TCP    172.16.105.220:139     0.0.0.0:0              LISTENING       4
  [System]
  TCP    127.0.0.1:2111         127.0.0.1:33333        ESTABLISHED     1616
  UDP    0.0.0.0:7001           *:*                                    248
  [sntlkeyssrvr.exe]
  UDP    0.0.0.0:500            *:*                                    700
  [lsass.exe]
  UDP    0.0.0.0:4500           *:*                                    700
  [lsass.exe]
  UDP    0.0.0.0:445            *:*                                    4
  [System]
  UDP    127.0.0.1:123          *:*                                    1084
  c:\windows\system32\WS2_32.dll
  UDP    172.16.105.220:6001    *:*                                    428
  [spnsrvnt.exe]
HMI-1 Evidence [continued]

root@bt# nmap -sT -sV -p T:0-65535 172.16.105.220

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-01-03 10:28 EST
Nmap scan report for 172.16.105.220
Host is up (0.00084s latency).
Not shown: 65528 closed ports
PORT     STATE SERVICE         VERSION
135/tcp  open  msrpc           Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds    Microsoft Windows XP microsoft-ds
777/tcp  open  multiling-http?
6002/tcp open  http            SafeNet Sentinel License Monitor httpd 7.3
7001/tcp open  afs3-callback?
7002/tcp open  http            SafeNet Sentinel Keys License Monitor httpd 1.0 (Java Console)
MAC Address: 00:0C:29:07:09:3B (VMware)
Service Info: Host: HMI-1; OS: Windows
HMI-1 Evidence [continued]

root@bt# nmap -sU -sV -p U:0-65535 172.16.105.220

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-01-03 10:28 EST
Nmap scan report for 172.16.105.220
Host is up (0.00084s latency).
Not shown: 65527 closed ports
PORT     STATE         SERVICE       VERSION
123/udp  open          ntp           Microsoft NTP
137/udp  open          netbios-ns    Microsoft Windows NT netbios-ssn (workgroup: WORKGROUP)
138/udp  open|filtered netbios-dgm
445/udp  open|filtered microsoft-ds
500/udp  open|filtered isakmp
1900/udp open|filtered upnp
4500/udp open|filtered nat-t-ike
6001/udp open|filtered X11:1
MAC Address: 00:0C:29:07:09:3B (VMware)
Service Info: Host: HMI-1; OS: Windows
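Worked example (added here; not WECC or vendor tooling): the point of the active assessment is to test the Cyber Asset from the outside rather than have it look at itself, so the Python below parses both views, the host's own netstat -a -n -o -b listing and the Nmap -sV report, and reconciles them with the R1.1.4 baseline of logical network accessible ports. The netstat and Nmap text is constructed sample data modeled on the HMI-1 evidence above; the process names, the 5900/tcp entry and the stale 3389/tcp baseline entry are made up so that every bucket of the comparison has something in it.

```python
"""Added example for the 'inside vs outside' point of the active VA: parse
the Cyber Asset's own netstat -a -n -o -b listing and an Nmap -sV report,
then reconcile both against the R1.1.4 baseline of logical network
accessible ports.  Written for this page, not WECC or vendor tooling.  The
netstat and Nmap text below is constructed sample data modeled on the HMI-1
evidence slides (process names and the 5900/tcp entry are made up)."""
import re

NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
NMAP_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open(?:\|filtered)?)\s+(\S+)")


def parse_netstat(text: str) -> list:
    """Windows 'netstat -a -n -o -b' entries: proto, ip, port, state, pid and
    owner (the executable name -b prints on the line(s) after the entry)."""
    entries, pending = [], None
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, ip, port, state, pid = m.groups()
            pending = {"proto": proto.lower(), "ip": ip, "port": int(port),
                       "state": state or "", "pid": int(pid), "owner": None}
            entries.append(pending)
        elif pending is not None and line.strip() and not line.lstrip().startswith("Proto"):
            # -b prints component names first and the bracketed executable last.
            if pending["owner"] is None or line.strip().startswith("["):
                pending["owner"] = line.strip().strip("[]")
    return entries


def listening_ports(entries: list) -> tuple:
    """(network-accessible listeners, loopback-only listeners) as 'tcp/135'."""
    network, loopback = set(), set()
    for e in entries:
        if e["proto"] == "tcp" and e["state"] != "LISTENING":
            continue                      # ESTABLISHED / TIME_WAIT are not services
        key = f"{e['proto']}/{e['port']}"
        if e["ip"].startswith("127.") or e["ip"] == "::1":
            loopback.add(key)
        else:
            network.add(key)
    return network, loopback


def parse_nmap(text: str) -> set:
    """Ports Nmap reports as open or open|filtered, as 'tcp/135'."""
    ports = set()
    for line in text.splitlines():
        m = NMAP_RE.match(line)
        if m:
            ports.add(f"{m.group(2)}/{m.group(1)}")
    return ports


def reconcile(netstat_entries: list, nmap_ports: set, baseline_ports: set) -> dict:
    """Compare the inside view, the outside view and the documented baseline."""
    network, loopback = listening_ports(netstat_entries)
    return {
        "outside_only": nmap_ports - network,      # the asset does not admit to these
        "inside_only": network - nmap_ports,       # host firewall, or netstat taken later
        "loopback_only": loopback,                 # not network accessible, so not R1.1.4
        "not_in_baseline": nmap_ports - baseline_ports,              # R1.1.4 / CIP-007 R1 finding
        "baseline_not_seen": baseline_ports - nmap_ports - network,  # stale baseline (R1.3)
    }


NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 [System]
  TCP    0.0.0.0:777            0.0.0.0:0              LISTENING       1300
 [hmi_srv.exe]
  TCP    0.0.0.0:6002           0.0.0.0:0              LISTENING       428
 [spnsrvnt.exe]
  TCP    127.0.0.1:33333        0.0.0.0:0              LISTENING       1856
 [PGPtray.exe]
  TCP    172.16.105.220:139     0.0.0.0:0              LISTENING       4
 [System]
  TCP    127.0.0.1:2111         127.0.0.1:33333        ESTABLISHED     1616
 [PGPtray.exe]
  UDP    0.0.0.0:7001           *:*                                    248
 [sntlkeyssrvr.exe]
  UDP    127.0.0.1:123          *:*                                    1084
 [svchost.exe]
"""
NMAP_SAMPLE = """\
PORT     STATE         SERVICE         VERSION
135/tcp  open          msrpc           Microsoft Windows RPC
139/tcp  open          netbios-ssn
445/tcp  open          microsoft-ds    Microsoft Windows XP microsoft-ds
777/tcp  open          multiling-http?
5900/tcp open          vnc             VNC (protocol 3.8)
6002/tcp open          http            SafeNet Sentinel License Monitor httpd 7.3
7001/udp open|filtered afs3-callback
"""
BASELINE_PORTS = {"tcp/135", "tcp/139", "tcp/445", "tcp/3389", "tcp/6002", "udp/7001"}

if __name__ == "__main__":
    result = reconcile(parse_netstat(NETSTAT_SAMPLE), parse_nmap(NMAP_SAMPLE), BASELINE_PORTS)
    for bucket, ports in result.items():
        print(f"{bucket:18} {sorted(ports)}")
```

In the sample, 5900/tcp is open from the outside but absent from the host's own listing, which is exactly the case the "outside" test exists to catch (a listener netstat cannot see, or a listing captured at a different time). 777/tcp is open and owned by a process but has no baseline entry, so it needs a business justification or must be disabled, and 3389/tcp sits in the baseline with nothing behind it, so the baseline is stale. The loopback-only listeners are reported separately because they are not network accessible and do not belong in R1.1.4.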
EMS1 Evidence
EMS1 Evidence [continued]

root@bt:/# nmap -sT -sV -p T:0-65535 172.16.105.151

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-01-18 12:15 EST
Nmap scan report for 172.16.105.151
Host is up (0.034s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 5.3p1 Debian 3ubuntu6 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.2.14 ((Ubuntu))
111/tcp   open  rpcbind (rpcbind V2) 2 (rpc #100000)
42851/tcp open  status  (status V1) 1 (rpc #100024)
MAC Address: 00:0C:29:66:05:65 (VMware)
Service Info: OS: Linux

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.25 seconds
EMS1 Evidence [continued]

root@bt:/# nmap -sU -sV -p U:0-65535 172.16.105.151

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-01-18 12:15 EST
Nmap scan report for 172.16.105.151
Host is up (7.57s latency).
Not shown: 65533 closed ports
PORT    STATE         SERVICE VERSION
68/udp  open|filtered dhcpc
111/udp open          rpcbind
MAC Address: 00:0C:29:66:05:65 (VMware)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1081.98 seconds
Router Ports/Services
2014 Vulnerability Assessment
2014 BPC VA
Active VA – Wireless Scanning
2014 CVA – HMI1 Software Vulnerability
Security vulnerability - exploit available to execute arbitrary code.
http://www.exploit-db.com/exploits/15957/ – Exploit Title: KingView 6.53 SCADA HMI Heap Overflow PoC (9/28/2010)
http://www.exploit-db.com/exploits/16936/ – # Exploit Title: KingView 6.5.3 SCADA ActiveX TCP 777
EMS1 Baseline Evidence
CIS Scan results [Local Account Results]

Account Name :Administrator
The Administrator account is an ADMINISTRATOR, and the password was changed 1207 days ago.
This account has been used 70 times to logon.
The default Administrator account has not been renamed.
Comment :Built-in account for administering the computer/domain

Account Name :bill
The bill account is an ADMINISTRATOR, and the password was changed 548 days ago.
This account has been used 0 times to logon.
Comment :auto-logon account

Account Name :billiam
The billiam account is an ADMINISTRATOR, and the password was changed 548 days ago.
This account has been used 233 times to logon.
Comment :shared account

WARNING Administrator's password is blank
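Worked example (added here; not the CIS tool's or WECC's code): a Python parser for a local-account report in the format of the excerpt above, plus the review rules a reviewer applies to it (default administrator not renamed, blank password, stale password, dormant privileged account, shared or auto-logon account). The report text and account names are constructed, and PASSWORD_MAX_AGE_DAYS is an assumed approximation of the 15-calendar-month CIP-007 R5 password-change interval, not a figure from the standard.

```python
"""Added example for the 'review of default accounts and passwords' step of
the vulnerability review: parse a local-account report in the format of the
CIS scan excerpt on this page and apply a few review rules.  Written for this
page, not the CIS tool or WECC; the report text is constructed sample data,
the account names are made up, and PASSWORD_MAX_AGE_DAYS is an assumed
approximation of the 15-calendar-month CIP-007 R5 password-change interval."""
import re

PASSWORD_MAX_AGE_DAYS = 457   # assumption: roughly 15 calendar months


def parse_accounts(text: str) -> list:
    """Split the report on 'Account Name :' and pull the fields out of each block."""
    accounts = []
    for chunk in re.split(r"(?m)^Account Name :", text)[1:]:
        name = chunk.split("\n", 1)[0].strip()
        role = re.search(r"account is an? ([A-Z]+)", chunk)
        age = re.search(r"password was changed (\d+) days ago", chunk)
        logons = re.search(r"used (\d+) times to logon", chunk)
        comment = re.search(r"Comment :(.*)", chunk)
        accounts.append({
            "name": name,
            "role": role.group(1) if role else "",
            "password_age_days": int(age.group(1)) if age else None,
            "logons": int(logons.group(1)) if logons else None,
            "default_not_renamed": "has not been renamed" in chunk,
            "comment": comment.group(1).strip() if comment else "",
        })
    return accounts


def blank_password_accounts(text: str) -> set:
    """Account names flagged by the report's "WARNING <name>'s password is blank" lines."""
    return set(re.findall(r"WARNING (\S+)'s password is blank", text))


def review_accounts(accounts: list, blank: set) -> list:
    """Return (account, finding) pairs; each rule maps to a CIP-007 R5 concern."""
    findings = []
    for a in accounts:
        n = a["name"]
        if a["default_not_renamed"]:
            findings.append((n, "default administrator account not renamed"))
        if n in blank:
            findings.append((n, "blank password"))
        age = a["password_age_days"]
        if age is not None and age > PASSWORD_MAX_AGE_DAYS:
            findings.append((n, f"password age {age} days exceeds {PASSWORD_MAX_AGE_DAYS}"))
        if a["role"] == "ADMINISTRATOR" and a["logons"] == 0:
            findings.append((n, "privileged account never used (dormant)"))
        if re.search(r"shared|auto-?logon", a["comment"], re.IGNORECASE):
            findings.append((n, f"shared or automatic logon account: '{a['comment']}'"))
    return findings


# Constructed sample report in the format of the CIS excerpt (names made up).
REPORT_SAMPLE = """\
Account Name :Administrator
The Administrator account is an ADMINISTRATOR, and the password was changed 1207 days ago.
This account has been used 70 times to logon.
The default Administrator account has not been renamed.
Comment :Built-in account for administering the computer/domain
Account Name :svc_hmi
The svc_hmi account is an ADMINISTRATOR, and the password was changed 548 days ago.
This account has been used 0 times to logon.
Comment :auto-logon account
Account Name :ops_shared
The ops_shared account is an ADMINISTRATOR, and the password was changed 548 days ago.
This account has been used 233 times to logon.
Comment :shared account
WARNING Administrator's password is blank
"""

if __name__ == "__main__":
    for account, finding in review_accounts(parse_accounts(REPORT_SAMPLE),
                                            blank_password_accounts(REPORT_SAMPLE)):
        print(f"{account:14} {finding}")
```

The sample yields eight findings: three on the built-in administrator (not renamed, blank password, password older than the assumed limit), three on the never-used auto-logon administrator, and two on the shared account. Each one is an item for the R3.4 action plan with an owner and a planned completion date.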
Nessus Results – Services
3rd Party VA Sample – 1 host
CIP-010-2 R3.1 – Best Practice
• Consider keeping Vulnerability Assessments for devices or groups of devices on the same cycle
• Implement a task managing tool to help track needed tasks and deadlines
• Review NIST SP 800-115 for guidance on conducting a vulnerability assessment
POP Quiz!!
• What was the first home video game console? A. Atari 2600 B. Magnavox Odyssey C. VES D. RCA Studio II
POP Quiz!!
• What was the first home video game console?
• Developed in 1972
Magnavox Odyssey
CIP 010-2 R3.2 (maps from CIP 005-3 R4 and CIP 007-3 R8)
CIP 010-2 R3.2 cont.
• Only applicable to High Impact BES systems
• Required to be performed at least every 36 months
• VA must be active and can be performed in the production or test environment
  – Test environment must reflect production
  – Document differences between the test and production environment
  – Take and document measures to address the differences between the test and production environment
CIP 010-2 R3.2 – Possible Pitfall
• Entity does not conduct active Vulnerability Assessments at least every 36 months
• Entity does only a manual (paper) review on devices for which an active assessment is technically feasible
CIP 010-2 R3.2 – Approach
• Verify active Vulnerability Assessments are conducted at least every 36 months
• Description of the test environment and how differences were accounted for (if a test environment was used for the assessment)
• Raw data outputs of the assessment for applicable devices
Production vs. Test
CIP 010-2 R3.2 – Best Practices
• The vulnerability assessment should include at minimum:
  – Network and access point discovery
  – Port and service identification
  – Review of default accounts, passwords, and network management community strings
  – Wireless access point review
CIP 010-2 R3.2 – Best Practice
• Where possible, conduct the Vulnerability Assessment on the production environment
• Implement a task managing tool to help track needed tasks and deadlines
• Document the SMEs responsible for conducting the Vulnerability Assessment, and for which cyber assets
CIP 010-2 R3.3 (maps from CIP 007-3 R1)
• New devices need an active Vulnerability Assessment prior to deployment
CIP-010-2 R3.3 – Possible Pitfall
• Entity adds a new asset to production without first conducting an active Vulnerability Assessment
CIP 010-2 R3.3 – Approach
• Ensure all newly added assets have had an active vulnerability scan conducted prior to the device being added to production
• Verify all necessary controls were verified as part of the assessment
• Verify the raw data output of the vulnerability assessment can be provided
CIP 010-2 R3.3 – Best Practice
• Document specific procedures that include:
  – Responsible personnel for conducting the test
  – When testing needs to occur
  – Where testing should occur
  – How the testing should be conducted for each cyber asset or group of cyber assets
• Use a checklist and/or peer reviews to reduce the chance of human error
CIP 010-2 R3.4 (maps from CIP 005-3 R4 and CIP 007-3 R8)
• Document the planned completion date for each remediation action
CIP-010-2 R3.4 – Possible Pitfall
• Entity is not actively maintaining an action plan to remediate vulnerabilities found in the CVA.
  – Entity is not documenting or updating the planned date of completion for remediation actions
CIP-010-2 R3.4 – Approach
• Documented results of the review or assessment
• List of action items to remediate issues
• Status of the action items
  – Documented proposed dates of completion for the action plan
CIP-010-2 R3.4 – Approach
• Basic sample of action items with status
CIP-010-2 R3.4: "Document the results of the assessments… …action plan to remediate or mitigate vulnerabilities identified… …planned date of completing the action plan and the execution status…"
R3 BPC Mitigation Plan
BPC mitigation plan – There is work in progress within BPC as well from current vendors to document correct Ports/Services required. The vendor will be on-site in March to assist with the finalization of this effort. Expected completion of the definitions for each host/group of hosts, to be completed June 30, 2014.
BPC mitigation plan – After the completion of the mitigation plan BPC will begin a validation and change process to ensure that all systems within the BCS have the approved ports and services configured and un-needed ports/services disabled or removed. The expected completion date for this effort will be by September 31, 2014.
R3 Mitigation Plan
http://www.dsd.gov.au/images/top35-table-2012.png
CIP-010-2 R3.4 – Best Practice
• Tie actions outlined in the plan to specific SMEs
• Use an automated task-management tool to track all required tasks and ensure they are being completed
• Have steps to ensure the action plan is updated and reflects the actual proposed completion date of each action
125
CIP-010-2 R3
QUIZ Time
126
CIP-010-2 R3
• Entities are required to test all changes in a test environment that reflects the production environment.
FALSE – an active VA is not required for Medium impact facilities or for like devices with similar baseline configurations
127
CIP-010-2 R3
• Entities will be required to meet the expected completion date of action plans to remediate issues found during the Vulnerability Assessment
TRUE – however, the entity can update the expected date if more time is needed, provided the update is reasonable, justified, and made prior to the due date
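The tracker below is an added example, not part of the presentation or any WECC or NERC material. It shows one way to implement the R3.4 best practices above (tie each action to a named SME, track status and planned completion dates) together with the rule in this quiz answer: a planned date may be moved only with a written justification and only before the current planned date passes, and every move is kept in the item's history so the auditor can see the plan was maintained rather than backdated. The field names, the 14-day "due soon" horizon and the sample items are assumptions, not taken from the slides.

```python
"""Action-plan tracker for CIP-010-2 R3.4 vulnerability-assessment findings.
Added example, not code from WECC, NERC or the presenter. Field names, the
14-day 'due soon' horizon and the sample items are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class ActionItem:
    item_id: str
    finding: str                     # vulnerability or issue identified by the CVA
    sme: str                         # responsible person, per the best-practice slide
    planned: date                    # current planned completion date
    status: str = "open"             # open | in-progress | complete
    completed_on: Optional[date] = None
    # (old date, new date, justification, date of the change): the maintenance trail
    history: list[tuple[date, date, str, date]] = field(default_factory=list)

    def revise_planned_date(self, new_date: date, reason: str, today: date) -> None:
        """Move the planned date; refused after the date has passed or without a reason."""
        if self.status == "complete":
            raise ValueError(f"{self.item_id}: item is already complete")
        if not reason.strip():
            raise ValueError(f"{self.item_id}: a justification is required to move the date")
        if today > self.planned:
            raise ValueError(f"{self.item_id}: planned date {self.planned} has already passed; "
                             "the plan must be updated before the due date, not after")
        self.history.append((self.planned, new_date, reason, today))
        self.planned = new_date

    def complete(self, today: date) -> None:
        self.status = "complete"
        self.completed_on = today


def overdue(items: list[ActionItem], today: date) -> list[str]:
    """Open items past their planned date with no closure and no timely revision (the audit pitfall)."""
    return [i.item_id for i in items if i.status != "complete" and today > i.planned]


def due_within(items: list[ActionItem], today: date, days: int = 14) -> list[str]:
    """Open items due in the next `days` days, so the SME can revise in time if needed."""
    horizon = today + timedelta(days=days)
    return [i.item_id for i in items if i.status != "complete" and today <= i.planned <= horizon]


def plan_status(items: list[ActionItem]) -> dict[str, int]:
    """Counts by status: the summary an auditor asks for first."""
    counts: dict[str, int] = {}
    for i in items:
        counts[i.status] = counts.get(i.status, 0) + 1
    return counts


def sample_plan() -> list[ActionItem]:
    """Constructed sample items, modelled loosely on the ports/services plan on the slides."""
    return [
        ActionItem("CVA-2014-01", "Required ports/services not documented for EMS host group",
                   "network SME", date(2014, 6, 30), "in-progress"),
        ActionItem("CVA-2014-02", "Unneeded ports/services enabled on BCS hosts",
                   "server SME", date(2014, 9, 30)),
        ActionItem("CVA-2014-03", "Missing security patches on HMI workstation",
                   "field SME", date(2014, 3, 15)),
    ]
```

Run `overdue(sample_plan(), date.today())` before each CVA status review: any item it returns is exactly the R3.4 pitfall the auditor looks for, an action whose date passed without being closed or revised in time.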
128
Transient and Removable Media 129
CIP-010-2 R4
Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall implement one or more documented Transient Cyber Asset and Removable Media plan(s) that include the applicable elements in Attachment 1…
130
CIP-010-2 R4 Goals
To address FERC Order No. 791 Paragraphs 6 and 136, which require the standards to address security-related issues associated with tools specifically used for data transfer, vulnerability assessment, maintenance, or troubleshooting.
131
CIP-010-2 R4 Goals
• Preventing unauthorized access or malware propagation to BES Cyber Systems through Transient Cyber Assets or Removable Media; and
• Preventing unauthorized access to BES Cyber System Information through Transient Cyber Assets or Removable Media
132
Manage the Transient Cyber Asset
Transient Cyber Asset(s) Owned or Managed by the Responsible Entity:
1. Ongoing manner to ensure compliance with applicable requirements at all times
2. On-demand manner applying the applicable requirements before connection to a BES Cyber System
3. Combination of both
133
Development of Transient Cyber Asset and Removable Media Plan
• Plan(s) should address:
– Transient Cyber Asset authorization
– Mitigating security vulnerabilities
– Mitigating the introduction of malicious code
– Mitigating the risk of unauthorized use
134
Development of Transient Cyber Asset and Removable Media Plan
• 1.1. Transient Cyber Asset authorization, either individually or by group, which shall include:
• 1.1.1. Users, either individually or by group or role
• 1.1.2. Locations, either individually or by group
• 1.1.3. Acceptable use, limited to what is necessary to perform business functions
135
Development of Transient Cyber Asset and Removable Media Plan
• 1.2. To mitigate security vulnerabilities (per Transient Cyber Asset capability), use one or a combination of the following methods:
• Security patching, including manual or managed updates
• Live operating system and software executable only from read-only media
• System hardening
• Other measures that provide an equal or greater level of protection to those listed above under 1.2
136
Development of Transient Cyber Asset and Removable Media Plan
• 1.3. To mitigate the introduction of malicious code (per Transient Cyber Asset capability), use one or a combination of the following methods:
• Antivirus software, including manual or managed updates of signatures or patterns
• Application whitelisting
• Restricted communication to limit the exchange of data to only the TCA and the Cyber Assets to which it is connected
• Other measures that provide an equal or greater level of protection to those listed above under 1.3
137
Development of Transient Cyber Asset and Removable Media Plan
• 1.4. To mitigate the risk of unauthorized use, use one or a combination of the following methods:
• Transient Cyber Asset resides within a location with restricted physical access
• Full-disk encryption with authentication
• Multi-factor authentication
• Theft recovery tools
• Other measures to mitigate the risk of unauthorized use
138
CIP-010-2 R4 Approach
• Auditors will request your plan(s) which address Transient Devices and Removable Media
• Evidence of records of connecting, using, and disconnecting Transient Devices and Removable Media
• Sample of devices and methods used to secure the device prior to connecting
139
CIP-010-2 R4 Example 140
• Sample record
• Raw data
– Screenshot of A/V signatures, patch level
– Screenshot of full disk encryption settings
– Change ticket
CIP-010-2 R4 Change Ticket Example 141
Transient Cyber Asset(s) Owned or Managed by Vendors or Contractors
Implement actions prior to connecting the vendor- or contractor-owned Transient Cyber Asset.
142
Transient Cyber Asset(s) Owned or Managed by Vendors or Contractors
2.1 To mitigate security vulnerabilities (per Transient Cyber Asset capability), use one or a combination of the following methods:
• Review of installed security patch(es)
• Review of security patching process used by the vendor or contractor
• Review other vulnerability mitigation performed by the vendor or contractor
• Other measures that provide an equal or greater level of protection to those listed above under 2.1
143
Transient Cyber Asset(s) Owned or Managed by Vendors or Contractors
2.2 To mitigate malicious code, use one or a combination of the following methods:
• Review of antivirus update level
• Review of antivirus update process used by the vendor or contractor
• Review of application whitelisting used by the vendor or contractor
• Review use of live operating system and software executable only from read-only media
• Review of system hardening used by the vendor or contractor
• Other measures that provide an equal or greater level of protection to those listed above under 2.2
144
Transient Cyber Asset(s) Owned or Managed by Vendors or Contractors
• Sample review record
145
CIP-010-2 R4 Change Ticket Example 146
Removable Media
3.1 Acceptable use, which shall include:
3.1.1 Users, either individually or by group or role
3.1.2 Locations, either individually or by group
3.2 To mitigate malicious code, scan Removable Media outside of the BES Cyber System
147
Transient and Removable Media Types
These assets do not provide BES reliability services and are not part of the BES Cyber Asset they are connected to. Examples of these devices include, but are not limited to:
• Hardware/software diagnostic test equipment
• Hardware/software packet sniffers
• Hardware/software used for BES Cyber System maintenance
• Hardware/software used for BES Cyber System configuration
• Hardware/software used to perform vulnerability assessments
148
Removable Media Types
Media, directly connected for 30 consecutive calendar days or less, capable of transmitting executable code to:
• A BES Cyber Asset
• A network within an ESP
• A Protected Cyber Asset
that can be used to store, copy, move, or access data.
Removable Media are not Cyber Assets. Examples include, but are not limited to, floppy disks, compact disks, USB flash drives, external hard drives, and other flash memory cards/drives that contain nonvolatile memory.
149
Transient Cyber Asset Types
Transient Cyber Asset: A Cyber Asset (e.g., using Ethernet, serial, Universal Serial Bus, and wireless including near field and Bluetooth communication) directly connected for 30 consecutive calendar days or less, capable of transmitting executable code to:
• A BES Cyber Asset
• A network within an ESP
• A Protected Cyber Asset
150
Transient Cyber Asset Types
Examples include, but are not limited to, Cyber Assets used for:
• Data transfer
• Vulnerability assessment
• Maintenance
• Troubleshooting purposes
Once the transient device is disconnected, the requirements listed herein are not applicable.
151
CIP-010-2 R4 Approach
• How should I document the use and removal of transient devices and removable media?
• Maintain records:
– Which devices were connected to which ESP
– When they were connected/disconnected
– What it was used for
– Systems assessed
• Entities are required to document and implement a plan for how they will manage the use of Transient Cyber Assets and Removable Media
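The register below is an added example, not code from WECC, NERC or the presenter. It keeps the records this slide asks for (which device, by whom, to which ESP, when connected and disconnected, what it was used for, which systems were assessed, and the change ticket), applies the Attachment 1 checks in the on-demand manner before a connection is accepted (A/V signature age and patch review for 1.2 and 1.3, full-disk encryption for 1.4, the wireless and Bluetooth check from the best-practice slides, and the outside-the-BCS scan for Removable Media under 3.2), and flags anything that has stayed connected beyond the 30 consecutive calendar days in the Transient Cyber Asset and Removable Media definitions, since such a device no longer meets the definition and needs review. The field names, the 7-day signature-age limit, inclusive calendar-day counting and the sample records are assumptions, not taken from the slides.

```python
"""Connection register for Transient Cyber Assets (TCAs) and Removable Media.
Added example, not code from WECC, NERC or the presenter. Assumed, not from the
slides: the field names, the 7-day A/V signature-age limit, and counting the
connection window in inclusive calendar days.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

MAX_SIGNATURE_AGE_DAYS = 7   # assumed entity policy for A/V signature age
TRANSIENT_WINDOW_DAYS = 30   # from the definitions: 30 consecutive calendar days or less


@dataclass
class Evidence:
    """Raw data kept with the record: A/V and patch state, FDE, radios, media scan."""
    av_signature_date: Optional[date] = None       # TCA: Attachment 1, 1.3
    patches_current_on: Optional[date] = None      # TCA: Attachment 1, 1.2
    full_disk_encryption: bool = False             # TCA: Attachment 1, 1.4
    wireless_disabled: bool = False                # TCA: best-practice slide
    bluetooth_disabled: bool = False               # TCA: best-practice slide
    scanned_outside_bcs_on: Optional[date] = None  # Removable Media: 3.2


def precheck(kind: str, ev: Evidence, today: date) -> list[str]:
    """Reasons the device must NOT be connected today; an empty list means go."""
    findings: list[str] = []
    if kind == "tca":
        if ev.av_signature_date is None or (today - ev.av_signature_date).days > MAX_SIGNATURE_AGE_DAYS:
            findings.append("A/V signatures missing or older than policy allows (1.3)")
        if ev.patches_current_on is None:
            findings.append("no record of patch-level review (1.2)")
        if not ev.full_disk_encryption:
            findings.append("full-disk encryption not enabled (1.4)")
        if not (ev.wireless_disabled and ev.bluetooth_disabled):
            findings.append("wireless or Bluetooth still enabled")
    elif ev.scanned_outside_bcs_on != today:  # removable media: scan must be from today
        findings.append("media not scanned outside the BES Cyber System today (3.2)")
    return findings


@dataclass
class ConnectionRecord:
    device_id: str
    kind: str                  # "tca" or "removable"
    user: str
    esp: str                   # which ESP it was connected to
    purpose: str               # what it was used for
    connected_on: date
    systems_assessed: list[str] = field(default_factory=list)
    evidence: Evidence = field(default_factory=Evidence)
    change_ticket: str = ""
    disconnected_on: Optional[date] = None

    def days_connected(self, as_of: date) -> int:
        """Consecutive calendar days connected, counting both end days (assumption)."""
        return ((self.disconnected_on or as_of) - self.connected_on).days + 1


class Register:
    def __init__(self) -> None:
        self.records: list[ConnectionRecord] = []

    def connect(self, rec: ConnectionRecord) -> ConnectionRecord:
        """On-demand manner: apply the checks before connection; refuse on any finding."""
        findings = precheck(rec.kind, rec.evidence, rec.connected_on)
        if findings:
            raise PermissionError(f"{rec.device_id}: " + "; ".join(findings))
        self.records.append(rec)
        return rec

    def disconnect(self, device_id: str, on: date) -> ConnectionRecord:
        for rec in self.records:
            if rec.device_id == device_id and rec.disconnected_on is None:
                rec.disconnected_on = on
                return rec
        raise KeyError(f"{device_id}: no open connection record")

    def still_connected(self) -> list[str]:
        return [r.device_id for r in self.records if r.disconnected_on is None]

    def over_window(self, as_of: date) -> list[str]:
        """Connected more than 30 consecutive days: no longer 'transient' by definition, review it."""
        return [r.device_id for r in self.records if r.days_connected(as_of) > TRANSIENT_WINDOW_DAYS]


def demo() -> Register:
    """Constructed sample records (not real entity data): one laptop, one USB stick."""
    reg = Register()
    laptop_ev = Evidence(av_signature_date=date(2016, 4, 4), patches_current_on=date(2016, 4, 1),
                         full_disk_encryption=True, wireless_disabled=True, bluetooth_disabled=True)
    reg.connect(ConnectionRecord("LAPTOP-017", "tca", "jdoe", "ESP-SUB-A", "relay maintenance",
                                 date(2016, 4, 5), ["RTU-1"], laptop_ev, "CHG-1042"))
    reg.connect(ConnectionRecord("USB-0091", "removable", "jdoe", "ESP-SUB-A", "firmware transfer",
                                 date(2016, 4, 5), ["RTU-1"], Evidence(scanned_outside_bcs_on=date(2016, 4, 5))))
    reg.disconnect("USB-0091", date(2016, 4, 5))
    return reg
```

Run `over_window(date.today())` on a schedule: the laptop in `demo()` is still connected, so after 30 days it shows up, which is the point at which a "transient" device has quietly become a permanent connection inside the ESP. The evidence object stands in for the screenshots and ticket the earlier slide lists as raw data; in practice the record would carry references to those artifacts.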
152
CIP-010-2 R4 Best Practices
• Ensure transient devices do not have wireless or Bluetooth features enabled
• Transient Cyber Assets that may be used for assets in differing impact areas (i.e. high impact, medium impact, low impact)
– Consider the need to have separate Transient Cyber Assets for each impact level
• Use a combination of the methods listed, not just the minimum
153
CIP-010-2 R4 Best Practices
• Use the concept of system hardening for transient devices – this helps minimize security vulnerabilities by removing all non-essential software programs and utilities and installing only the bare necessities
• Restrict or disable serial or network (including wireless) communications – this minimizes the opportunity to introduce malicious code onto the Transient Cyber Asset
154
Additional Resources
• CIP-010-1
• NERC version 4 to version 5 mapping
• Glossary of Terms Used in NERC Reliability Standards
• NIST SP 800-115 – Security testing
155
Summary
• Know what is required for each BES Cyber System
• Create and maintain device baselines
• Active vs. paper assessment
• Track and manage deadlines
• Transient and Removable Media
• Review referenced NIST documents for added guidance
156
Speaker Contact Info
Ben Christensen Senior Compliance Risk Analyst, Cyber Security 801-‐819-‐7666 [email protected]
157