track 1 day 1 cip-010 henderson nv · 2014-10-09 · track 1 day 1 cip-010 henderson nv ... devices

CIP-‐010-‐2 CIP 101

Ben Christensen Senior Compliance Risk Analyst, Cyber

Security

Pop Quiz!!

•  Who invented the electric motor? A.  William Sturgeon B.  Thomas Davenport C.  Michael Faraday

W ESTERN E LECTRICITY C OORDINATING C OUNCIL

2

Pop Quiz!!

•  Who invented the electric motor?

Michael Faraday


3

Agenda

•  Help enUUes understand and prepare for the upcoming CIP 010-‐2 – Differences and relaUons to current requirements – Transient devices and removable media – Possible piYalls to look for while implemenUng CIP 010-‐2

– WECC’s audit approach – Best pracUces


4

CIP 010-‐2


5

CIP-‐010-‐2 EffecUve Dates

•  CIP-‐010-‐2 R1 – R3 – April 1, 2016

•  CIP-‐010-‐2 R4 – 9 months later (January 1, 2017) – Registered EnUUes shall not be required to comply with Reliability Standard CIP-‐010-‐2, Requirement R4 unUl nine calendar months aeer the effecUve date of Reliability Standard CIP-‐010-‐2.

6


Applicable Systems


7

Applicable Systems in R4 •  Transient Devices •  Removable Media


8

Purpose of CIP 010-‐2 •  Prevent and detect unauthorized changes to BES Cyber Systems.

•  Specify vulnerability assessment requirements in support of protecUng BES Cyber Systems from compromise.

•  Document and maintain device baselines and periodically verify they are accurate.

•  Prevent unauthorized access or malware propagaUon from transient devices.


9

CIP 010-‐2 SimilariUes with V.3

•  CIP 003-‐3 R6: Change Control and ConfiguraUon Management

•  CIP 007-‐3 R1: Test procedures •  CIP 005-‐3 R4 and CIP 007-‐3 R8: Cyber Vulnerability Assessment(s)

•  CIP 007-‐3 R9 and CIP 005-‐3 R5: DocumentaUon review and maintenance


10

POP Quiz!!

•  Who invented the modern automobile? A.  Henry Ford B.  Karl Benz C.  Ransom Olds


11

POP Quiz!!

•  Who invented the modern automobile?

Karl Benz


12

CIP 010-‐2 R1


13

CIP 010-‐2 R1.1

CIP 003-‐3 R6

•  Applicable to Protected Cyber Assets (PCA) and specifies informaUon required in device baselines

CIP 010-‐2 R1.1


CIP-‐010-‐2 R1.1 -‐ Possible PiYall #1

•  CIP 003-‐3 R6 was previously not applicable to Non-‐CCAs that resided within an ESP. Thus enUty did not create baselines or update procedures to ensure baselines were maintained for these devices.


15

CIP-‐010-‐2 R1.1 -‐ Possible PiYall #2

•  EnUty does not ensure documented baselines for all devices contain operaUng system, commercial/open source soeware, custom soeware, logical ports, and security patches applied.


16

CIP-‐010-‐2 R1.1 Approach

•  Ensure enUty has documented baselines for all devices (or group of devices) in applicable BES Cyber Systems – Verify Baselines include operaUng system/firmware, commercial soeware, custom soeware, logical network accessible ports, and security patches applied


17

“Limited” Device Example

•  Serial-‐only microprocessor relay: Asset #051028 at SubstaUon Alpha R1.1.1 – Firmware: [MANUFACTURER]-‐[MODEL]-‐XYZ-‐1234567890-‐ABC R1.1.2 – Not Applicable R1.1.3 – Not Applicable R1.1.4 – Not Applicable R1.1.5 – Patch 12345, Patch 67890, Patch 34567, Patch 437823


18

CIP-‐010-‐2 R1.1 Approach

•  5 minimum components of baseline –  soeware/firmware versions – open source/commercially available soeware – custom applicaUons –  logical network accessible ports – applied security patches

•  InformaUon about hardware differences may apply since it could affect installed applicaUons and patches


19

Basic Baseline


20

CIP 010-‐2 R1.1 Best PracUce

•  Use combinaUon of automated tools and manual walkthroughs/verificaUons to ensure lists and baselines are accurate

•  Minimize applicaUons on devices to only what is necessary

•  Include step to periodically verify accuracy of applicable device lists and baselines


21


•  Discussions and careful planning should be conducted on the method for maintaining device baselines – Review CIP 007 R3 presentaUon from Oct 2013 CIPUG for common methods to maintain informaUon

– What method is best for your organizaUon: •  Commercial Soeware •  Custom Soeware •  Spreadsheet


22


•  Consider Moving away from spreadsheets and other manual methods, look into more advanced methods for retaining informaUon. – See Joe B presentaUon from October 2011 CIPUG on advantages of moving from spreadsheet to relaUonal database

•  Includes some labeling schema Ups as well for when implemenUng a database for device management


23

CIP 010-‐2 R1.2

CIP 010-‐2 R1.2 CIP 003-‐3 R6

•  Applicable to PCA and requires changes to be authorized


25

CIP-‐010-‐2 R1.2 -‐ Possible PiYall

•  EnUty cannot demonstrate all changes made to baseline(s) were authorized


26

CIP 010-‐2 R1.2 -‐ Approach

•  Ensure all changes made to baselines have been authorized.


27



28

CIP 010-‐2 R1.2 -‐ Approach 29

CIP 010-‐2 R1.2 – Best PracUce

•  Update procedural documentaUon to include at minimum: – Who can authorize changes, and to what – When authorizaUon needs to occur – How the authorizaUon will be documented, stored, and tracked

•  SegregaUon of duUes – The implementer should be different from the authorizer


30

CIP 010-‐2 R1.3

CIP 010-‐2 R1.3

CIP 005-‐3 R5

CIP 007-‐3 R9

•  Baselines must be updated within 30 days of change


31

CIP 010-‐2 R1.3 – Possible PiYall

•  EnUty cannot demonstrate baselines are updated within 30 days of changes made


32


•  Ensure enUty is updaUng baselines within 30 days of when change was made. – Start date will be determined by reviewing work orders, tracking sheet, or other documentaUon that details when the change actually occurred.


33

CIP 010-‐2 R1.3 – Best PracUces

•  Procedures for updaUng baselines should address: – Who will communicate the changes made to the baselines

– How changes will be communicated – Who the changes are communicated to – When the changes will be made


34


•  Maintain a version history when updaUng documentaUon. – Version number – Who performed the update to the documentaUon – Who made the change to the device – Who authorized the change – What was changed


35

POP Quiz!!

•  Who invented the prinUng press?


36

POP Quiz!!

•  Who invented the prinUng press?

Johannes Gutenberg


37

CIP 010-‐2 R1.4

CIP 010-‐2 R1.4 CIP 007-‐3 R1

•  Impact due to a change must consider security controls in CIP 005 and CIP 007


38


•  EnUty verifies same controls for all changes made to any baseline. – Thus enUty does not account for different environments, devices, or changes when determining what controls could be impacted

•  May be ok if all controls are verified every Ume


39


•  Verify all changes made to device baselines are documented

•  Ensure controls that may be impacted were idenUfied and documented prior to the change – Why were some controls not included?

•  Review evidence supporUng idenUfied controls were not adversely impacted


40


•  Procedures should include: – DocumenUng date all steps taken to support cyber security controls were idenUfied prior to change taking place

– How are potenUal impacted cyber security controls idenUfied?

• Who does this?

– How will adverse impacts will be detected • Who does this and when?


41


•  Include a peer review step for reviewing what controls may be impacted and when verifying controls weren’t adversely impacted

•  Coordinate tesUng processes between departments, business units, etc. to ensure consistency


42

CIP 010-‐2 R1.5

CIP 010-‐2 R1.5 CIP 007-‐3 R1

43

CIP 010-‐2 R1.5 cont.. •  Only applicable to High Impact systems •  Specific to security controls that must be tested

– Security Controls in CIP 005 and CIP 007 •  New test environment requirements

– Document if test environment was used – Document differences between test and producUon environment

•  Measures taken to account for these differences


44

CIP 010-‐2 R1.5 Possible PiYall

•  EnUty does not document differences between producUon and tesUng environment

•  EnUty does not take measures to account for differences in the producUon and tesUng environment.


45


•  For each change that deviates from exisUng baseline: – List of cyber security controls tested

•  Test results •  List of differences between the producUon and test environments

•  DescripUons of how any differences were accounted for

• When tesUng occurred


46


•  Use checklist or other task managing tool to reduce likelihood of not tesUng all controls

•  Document specific test procedures for all cyber assets or group of assets? – Describe the test procedures

•  Describe the test environment and how It reflects the producUon environment


47


48

POP Quiz!!

•  When was the atomic bomb first invented?


49

POP Quiz!!

•  When was the atomic bomb first invented?

July 1945


50

CIP 010-‐2 R2.1

•  Must actively search for unauthorized changes to baseline – Automated preferred but can be manual

•  Must document and investigate unauthorized changes

CIP 010-‐2 R2.1 CIP 003-‐3 R6


51

CIP-‐010-‐2 R2.1 – Possible PiYall

•  Not consistently monitoring for changes every 35 days – EnUty begins process at end of month

•  Thus enUty conUnuously misses 35 day deadline as it does not have enough Ume to complete review

– DocumentaUon is inconsistent and SMEs can’t keep track if specific devices have automated or manual process for tracking configuraUon changes


52


•  Logs from a system that is monitoring configuraUons

•  Work orders, tracking sheets, raw data evidence of manual invesUgaUons

•  Records invesUgaUng detected unauthorized changes


53



54

•  Sample review of baseline

CIP 010-‐2 R2 – Best PracUce

•  Consider using a commercial or open source File Integrity Monitoring software for continuous monitoring

•  Start monitoring process with enough advance to complete review o Consider using an automated task managing

tool


55

CIP 010-‐2 R2 – Best PracUce

•  What if you find an unauthorized change? – What change(s) have been made without authorizaUon

– Who made the change(s)? – When were the change(s) made? – How can a similar issue be prevented?


56

CIP 010-‐2 R1 and R2

QUIZ Time


57


•  EnUUes are required to test all changes in a test environment that reflects the producUon environment.

False


58


•  EnUty baselines are required to include: 1.  OperaUng system/Firmware 2.  Commercial/open source soeware 3.  Custom soeware 4.  Logical ports 5.  All security patches applied

TRUE

But what about devices where some of these don’t apply?


59

CIP 010-‐2 R3


60

CIP 010-‐2 R3.1

CIP 010-‐2 R3.1 CIP 007-‐3 R8

CIP 005-‐3 R4

•  No more annual requirement, and VA can be active or paper

61

CIP-‐010-‐2 VA Timelines

•  1st performance of acUve or paper (15 months) – April 1, 2017

•  1st performance of acUve (36 months) – April 1, 2018

62



•  EnUty conducts iniUal Vulnerability Assessment in January then not again unUl April the next year (16 months)

•  Miss the 1st performance of acUve and paper VAs


63

4 Steps for Paper VA

1.  Network Discovery 2.  Network Port and Service IdenUficaUon 3.  Vulnerability Review 4.  Wireless Review


64

Paper VA

•  Network Discovery -‐ A review of network connecUvity to idenUfy all Electronic Access Points to the Electronic Security

•  Network Port and Service IdenUficaUon -‐ A review to verify that all enabled ports and services have an appropriate business jusUficaUon.


65

Paper VA

•  Vulnerability Review -‐ A review of security rule-‐sets and configuraUons including controls for default accounts, passwords, and network management community strings.

•  Wireless Review -‐ IdenUficaUon of common types of wireless networks (such as 802.11a/b/g/n) and a review of their controls if they are in any way used for BES Cyber System communicaUons.


66

What is a Paper Assessment?

•  Is it a “document review” exercise? •  Should I perform physical inspecUons? •  Do I need to include EnumeraUon of ports and services?

67


What is a Paper Assessment? Should include: •  Document reviews

–  Such as reviews of known vulnerabiliUes of installed applicaUons

•  Dumps of configs –  Such as list of open listening ports generated by plaYorm resident tools such as netstat

Might contain informaUon about issues such as: •  Current threats and how the baseline configuraUons are designed to address them

68


4 Steps for AcUve VA

1.  Network Discovery 2.  Network Port and Service IdenUficaUon 3.  Vulnerability Scanning 4.  Wireless Scanning

69


AcUve VA

•  Network Discovery -‐ Use of acUve discovery tools to discover acUve devices and idenUfy communicaUon paths in order to verify that the discovered network architecture matches the documented architecture.

•  Network Port and Service IdenUficaUon – Use of acUve discovery tools (such as Nmap) to discover open ports and services.

70


AcUve VA

•  Vulnerability Scanning – Use of a vulnerability scanning tool to idenUfy network accessible ports and services along with the idenUficaUon of known vulnerabiliUes associated with services running on those ports.

•  Wireless Scanning – Use of a wireless scanning tool to discover wireless signals and networks in the physical perimeter of a BES Cyber System. Serves to idenUfy unauthorized wireless devices within the range of the wireless scanning tool.

71


What tools should I use?

Are tools such as Nmap required for acUve assessments, or can enUUes use custom scripts (which use naUve OS commands) to enumerate open ports and services? What consUtutes an acUve port scan?

72


What tools should I use?

The intent of the acUve assessment is to test the Cyber Asset from the “outside” rather than simply having the Cyber Asset look at itself.

73


CIP-‐010-‐2 R3.1 – Approach

•  Verify when last VA was conducted •  Verify current VA was conducted within 15 calendar months of previous VA

•  Evidence could include: – A document lisUng the date of the assessment and the output of any tools used to perform the assessment.


74

CIP-‐010-‐2 R3 IniUal Evidence 75

C:\HMI-‐1>netstat AcUve ConnecUons Proto Local Address Foreign Address State TCP HMI-‐1:2111 localhost:33333 ESTABLISHED TCP HMI-‐1:3616 localhost:10525 ESTABLISHED TCP HMI-‐1:5152 localhost:1573 CLOSE_WAIT TCP HMI-‐1:10525 localhost:3616 ESTABLISHED TCP HMI-‐1:33333 localhost:2111 ESTABLISHED TCP HMI-‐1:netbios-‐ssn 172.16.105.1:56761 TIME_WAIT TCP HMI-‐1:netbios-‐ssn 172.16.105.1:56762 TIME_WAIT TCP HMI-‐1:netbios-‐ssn 172.16.105.1:56765 TIME_WAIT TCP HMI-‐1:netbios-‐ssn 172.16.105.1:56766 TIME_WAIT


R3 Evidence – Nessus Summary 76

Nessus Summary 77

2014 Cyber Vulnerability Assessment


78

#show run … ip hzp server ! access-‐list 23 permit 172.16.105.200 0.0.0.0 access-‐list 23 permit 172.16.105.201 0.0.0.0 ! line vty 5 15 transport input ssh ! access-‐class 23 in ! ntp-‐server 172.16.105.88 ...

Manual Review of Configs


79

#show run … no logging ip hzp server ! access-‐list 23 permit 172.16.105.200 0.0.0.0 access-‐list 23 permit 172.16.105.201 0.0.0.0 ! line vty 5 15 transport input telent Login Password *********** ! access-‐class 23 in ! no logging console debug condiUon interface no snmp-‐server ntp-‐server 172.16.105.88 ...

Manual Vulnerability Assessment


80

• For the following servers and workstaUons (within the BCS) provide current “netsat” (netstat –b –o –a -‐n / netstat –p –a -‐l) or port scan (TCP/UDP) results. [sample list]

• For the following network devices, provide current configuraUon files (i.e., show run all), ports and services running (scan results if exists)

• Provide a spreadsheet idenUfying all BCS assets, associated TFEs, and associated requirements

[CIP-‐010-‐2 R3] Typical Data Requests


81

[CIP-‐010-‐2 R3] Typical Data Requests •  Provide iniUal paper vulnerability assessment report

•  Provide iniUal acUve vulnerability assessment •  Provide subsequent assessments •  Provide detailed (RAW DATA) vulnerability assessment results for the following specific BCS, EACMs and PACS [sample list]

•  Provide miUgaUon plan and results (current status) for VA

•  Provide acUon Plan and current status


82

[CIP-‐010-‐2 R3] Typical Interview QuesUons

• How do you perform an acUve and paper assessment?

• Describe the procedures used to idenUfy the required ports/services

• Are vendors involved with the definiUon of required ports/services?

• Are there devices, which ports and services cannot be disabled?

•  If so, what are the compensaUng measures in place


83

[CIP-‐010-‐2 R3] Typical Interview QuesUons

•  Describe the vulnerability assessment process

•  Who performs the assessment? Is the assessment performed in-‐house or outsourced

•  Does the assessment include all BCS and cyber assets? – specific addresses or enUre networks

•  Describe procedures/tools uUlized to idenUfy open ports/services and user accounts

•  Is there a baseline to compare ports/services and user accounts with?

84


R3 Audit Evidence Examples •  Netstat:

– Netstat -‐b -‐o -‐a -‐n > netstat_boan.txt – Netstat -‐p -‐a -‐l > netstat_pal.txt

•  NMAP scan results – Nmap –sT –sV –p T:0-‐65535 <IP_address> >>nmap_tcp.txt

– Nmap –sU –sV –p U:0-‐65535 <IP_address> >> nmap_udp.txt

–  show control-‐plane host open-‐ports •  Manual review – show run config file (router or firewall)


85

VA Sample Checklist

q AcUve or Paper q Network Discovery

q Review of network diagrams q Walk down performed q Ping sweeps

q Network Port and Service IdenUficaUon q Nmap scans of all subnets q Netstat or other resident tool used q Manual review of config

86


VA Sample Checklist Cont.

q Vulnerability Scanning q Nmap/Nessus scan performed q Manual review of config

q Rule-‐sets q Accounts q Passwords q Default community strings

q Wireless Scanning q Scan performed q Visual inspecUon performed

87


C:\Documents and Se}ngs\HMI-‐1>netstat -‐b -‐o -‐a -‐n > netstat_boan.txt AcUve ConnecUons Proto Local Address Foreign Address State PID TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 952 C:\WINDOWS\system32\svchost.exe TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4 [System] TCP 0.0.0.0:6002 0.0.0.0:0 LISTENING 428 [spnsrvnt.exe] TCP 0.0.0.0:7001 0.0.0.0:0 LISTENING 248 [sntlkeyssrvr.exe] TCP 0.0.0.0:7002 0.0.0.0:0 LISTENING 248 [sntlkeyssrvr.exe] TCP 127.0.0.1:1025 0.0.0.0:0 LISTENING 1656 [dirmngr.exe] TCP 127.0.0.1:1029 0.0.0.0:0 LISTENING 2484 [alg.exe] TCP 127.0.0.1:5152 0.0.0.0:0 LISTENING 1764 [jqs.exe] TCP 127.0.0.1:33333 0.0.0.0:0 LISTENING 1856 [PGPtray.exe] TCP 172.16.105.220:139 0.0.0.0:0 LISTENING 4 [System] TCP 127.0.0.1:2111 127.0.0.1:33333 ESTABLISHED 1616 UDP 0.0.0.0:7001 *:* 248 [sntlkeyssrvr.exe] UDP 0.0.0.0:500 *:* 700 [lsass.exe] UDP 0.0.0.0:4500 *:* 700 [lsass.exe] UDP 0.0.0.0:445 *:* 4 [System] UDP 127.0.0.1:123 *:* 1084 c:\windows\system32\WS2_32.dll UDP 172.16.105.220:6001 *:* 428 [spnsrvnt.exe]

HMI-‐1 Baseline Evidence


88

HMI-‐1 Evidence [conUnued] root@bt# nmap -‐sT -‐sV -‐p T:0-‐65535 172.16.105.220 StarUng Nmap 5.59BETA1 ( hzp://nmap.org ) at 2012-‐01-‐03 10:28 EST Nmap scan report for 172.16.105.220 Host is up (0.00084s latency). Not shown: 65528 closed ports PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoe Windows RPC 139/tcp open netbios-‐ssn 445/tcp open microsoe-‐ds Microsoe Windows XP microsoe-‐ds 777/tcp open mulUling-‐hzp? 6002/tcp open hzp SafeNet SenUnel License Monitor hzpd 7.3 7001/tcp open afs3-‐callback? 7002/tcp open hzp SafeNet SenUnel Keys License Monitor hzpd 1.0 (Java Console) MAC Address: 00:0C:29:07:09:3B (VMware) Service Info: Host: HMI-‐1; OS: Windows


89

HMI-‐1 Evidence [conUnued] root@bt# nmap -‐sU -‐sV -‐p U:0-‐65535 172.16.105.220 StarMng Nmap 5.59BETA1 ( hUp://nmap.org ) at 2012-‐01-‐03 10:28 EST Nmap scan report for 172.16.105.220 Host is up (0.00084s latency). Not shown: 65527 closed ports PORT STATE SERVICE VERSION 123/udp open ntp Microso` NTP 137/udp open netbios-‐ns Microso` Windows NT netbios-‐ssn (workgroup: WORKGROUP) 138/udp open|filtered netbios-‐dgm 445/udp open|filtered microso`-‐ds 500/udp open|filtered isakmp 1900/udp open|filtered upnp 4500/udp open|filtered nat-‐t-‐ike 6001/udp open|filtered X11:1 MAC Address: 00:0C:29:07:09:3B (VMware) Service Info: Host: HMI-‐1; OS: Windows


90

EMS1 Evidence


91

EMS1 Evidence [conUnued] EMS1 root@bt:/# nmap -‐sT -‐sV -‐p T:0-‐65535 172.16.105.151 StarMng Nmap 5.59BETA1 ( hUp://nmap.org ) at 2012-‐01-‐18 12:15 EST Nmap scan report for 172.16.105.151 Host is up (0.034s latency). Not shown: 65531 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu6 (protocol 2.0) 80/tcp open hUp Apache hUpd 2.2.14 ((Ubuntu)) 111/tcp open rpcbind (rpcbind V2) 2 (rpc #100000) 42851/tcp open status (status V1) 1 (rpc #100024) MAC Address: 00:0C:29:66:05:65 (VMware) Service Info: OS: Linux Service detecMon performed. Please report any incorrect results at hUp://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 13.25 seconds


92

EMS1 Evidence [conUnued] EMS1 root@bt:/# nmap -‐sU -‐sV -‐p U:0-‐65535 172.16.105.151 StarMng Nmap 5.59BETA1 ( hUp://nmap.org ) at 2012-‐01-‐18 12:15 EST Nmap scan report for 172.16.105.151 Host is up (7.57s latency). Not shown: 65533 closed ports PORT STATE SERVICE VERSION 68/udp open|filtered dhcpc 111/udp open rpcbind MAC Address: 00:0C:29:66:05:65 (VMware) Nmap done: 1 IP address (1 host up) scanned in 1081.98 seconds Service detecMon performed. Please report any incorrect results at hUp://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 123.25 seconds

93

Router Ports/Services


94

2014 Vulnerability Assessment 95

2014 BPC VA


96

2014 BPC VA 97

AcUve VA – Wireless Scanning 98


2014 CVA-‐ HMI1 Soeware Vulnerability

Security vulnerability -‐ exploit available to execute arbitrary code. hzp://www.exploit-‐db.com/exploits/15957/ Exploit Title: KingView 6.53 SCADA HMI Heap Overflow PoC 9/28/2010 hzp://www.exploit-‐db.com/exploits/16936/ # Exploit Title: KingView 6.5.3 SCADA AcUveX TCP 777 W ESTERN E LECTRICITY C OORDINATING C OUNCIL

99

EMS1 Baseline Evidence


100

Account Name :Administrator The Administrator account is an ADMINISTRATOR, and the password was changed 1207 days ago. This account has been used 70 Umes to logon. The default Administrator account has not been renamed. Comment :Built-‐in account for administering the computer/domain Account Name :bill The ubill account is an ADMINISTRATOR, and the password was changed 548 days ago. This account has been used 0 Umes to logon. Comment :auto-‐logon account Account Name :billiam The billiam account is an ADMINISTRATOR, and the password was changed 548 days ago. This account has been used 233 Umes to logon. Comment :shared account

CIS Scan results [Local Account Results]

WARNING Administrator's password is blank W ESTERN E LECTRICITY C OORDINATING C OUNCIL

101

Nessus Results – Services


102

3rd Party VA Sample – 1 host


103

CIP-‐010-‐2 R3.1 – Best PracUce

•  Consider keeping Vulnerability Assessments for devices or groups of devices on the same cycle

•  Implement a task managing tool to help track needed tasks and deadlines

•  Review NIST SP800-‐115 for guidance on conducUng a vulnerability assessment


104

POP Quiz!!

•  What was the first home video game console? A.  Atari 2600 B.  Magnavox Odyssey C.  VES D.  RCA Studio II


105

POP Quiz!!

•  What was the first home video game console?

•  Developed in 1972

Magnavox Odyssey


106

CIP 010-‐2 R3.2

CIP 005-‐3 R4

CIP 007-‐3 R8 CIP 010-‐2 R3.2

107

CIP 010-‐2 R3.2 cont..

•  Only applicable to High Impact BES systems •  Required to be performed at least every 36 months •  VA must be acMve and can be performed in producUon or test environment –  Test environment must reflect producUon –  Document differences between test and producUon environment

–  Take and document measures to address the differences between test and producUon environment


108


•  EnUty does not conduct acUve Vulnerability Assessments at least every 36 months

•  EnUty does manual review on devices that are technically feasible to have acUve review


109

CIP 010-‐2 R3.2 – Approach

•  Verify acUve Vulnerability Assessments conducted at least every 36 months

•  DescripUon of test environment and how differences were account for (if test environment used for assessment)

•  Raw data outputs of assessment for applicable devices


110

ProducUon Vs. Test 111



•  Vulnerability assessment should include at minimum: – Network and access point discovery – Port and service IdenUficaUon – Review of default accounts, passwords, and network management community strings

– Wireless access point review


112


•  Where possible conduct the Vulnerability Assessment on the producUon environment

•  Implement a task managing tool to help track needed tasks and deadlines

•  Document SMEs responsible for conducUng the Vulnerability Assessment and for what cyber assets


113

CIP 010-‐2 R3.3

CIP 010-‐2 R3.3 CIP 007-‐3 R1

•  New devices need an active Vulnerability Assessment prior to deployment


114


•  EnUty adds new asset to producUon without first conducUng acUve Vulnerability Assessment


115

CIP 010-‐2 R3.3 – Approach

•  Ensure all newly added assets have had acUve vulnerability scan conducted prior to device being added to producUon

•  Verify all necessary controls were verified as part of assessment

•  Verify raw data output of vulnerability assessment can be provided


116


•  Document specific procedures that include: – Responsible personnel for conducUng the test – When tesUng needs to occur – Where tesUng should occur – How the tesUng should be conducted for each cyber asset or group of cyber assets

•  Use a checklist and/or peer reviews to reduce chance of human error


117

CIP 010-‐2 R3.4

CIP 005-‐3 R4

CIP 007-‐3 R8 CIP 010-‐2 R3.4

•  Document planned completion date for each remediation action

119


•  EnUty is not acUvely maintaining an acUon plan to remediate vulnerabiliUes found in the CVA. – EnUty is not documenUng or updaUng planned date of compleUon for remediaUon acUons


120


•  Document results or the review or assessment •  List of acUon items to remediate issues •  Status of the acUon items

– Documented proposed dates of compleUon for the acUon plan


121



122

•  Basic sample of acUon items with status

CIP-‐010-‐2 R3.4 Document the results of the assessments… …acUon plan to remediate or miUgate vulnerabiliUes idenUfied… …planned date of compleUng the acUon plan and the execuUon status…

BPC mi-ga-on plan – There is work in progress within BPC as well from current vendors to document correct Ports/Services required. The vendor will be on-‐site in March to assist with the finaliza-on of this effort. Expected comple-on of the defini-ons for each host/group of hosts, to be completed June 30, 2014.

BPC mi-ga-on plan – APer the comple-on of the mi-ga-on plan BPC will begin a valida-on and change process to ensure that all systems within the BCS have the approved ports and services configured and un-‐needed ports/services disabled or removed. The expected comple-on date for this effort will be by September 31, 2014.

R3 BPC MiUgaUon Plan


123

R3 MiUgaUon Plan

hzp://www.dsd.gov.au/images/top35-‐table-‐2012.png


124

CIP-‐010-‐2 R3.4 – Best PracUce

•  Tie acUons outlined in the plan to specific SMEs

•  Use an automated task managing tool to track all required tasks and ensure they are being completed

•  Have steps to ensure acUon plan is updated and reflects actual proposed compleUon date of acUons


125

CIP 010-‐2 R3

QUIZ Time


126

CIP 010-‐2 R3

•  EnUUes are required to test all changes in a test environment that reflects the producUon environment.

False AcUve VA not required for Medium impact faciliUes or for like devices with similar baseline configuraUons


127

CIP 010-‐2 R3

•  EnUty’s will be required to meet expected compleUon date of acUon plans to remediate issues found during Vulnerability Assessment

However, enUty can update the expected date if more Ume is needed. If the update is reasonable, jusUfied, and done prior to the due date

TRUE


128

Transient and Removable Media 129


CIP 010-‐2 R4

Each Responsible EnUty, for its high impact and medium impact BES Cyber Systems, shall implement one or more documented Transient Cyber Asset and Removable Media plan(s) that include the applicable elements in Azachment 1…


130

CIP 010-‐2 R4 Goals

To address FERC Order No. 791 Paragraphs 6 and 136, which require the standards to address security-‐related issues associated with tools specifically used for data transfer, vulnerability assessment, maintenance, or troubleshooUng.


131

CIP 010-‐2 R4 Goals

•  PrevenUng unauthorized access or malware propagaUon to BES Cyber Systems through Transient Cyber Assets or Removable Media; and

•  PrevenUng unauthorized access to BES Cyber System InformaUon through Transient Cyber Assets or Removable Media


132

Manage the Transient Cyber Asset Transient Cyber Asset(s) Owned or Managed by the Responsible EnUty: 1.  Ongoing manner to ensure compliance with

applicable requirements at all Umes 2.  On-‐demand manner applying the applicable

requirements before connecUon to a BES Cyber System

3.  CombinaUon of both


133

Development of Transient Cyber Asset and Removable Media Plan

•  Plan(s) should address: – Transient Cyber Asset authorizaUon – MiUgaUng security vulnerabiliUes – MiUgaUng the introducUon of malicious code – MiUgaUng the risk of unauthorized use


134


•  1.1. Transient Cyber Asset authorizaUon, either individually or by group, which shall include:

•  1.1.1. Users, either individually or by group or role

•  1.1.2. LocaUons, either individually or by group •  1.1.3. Acceptable use, limited to what is necessary to perform business funcUons


135


•  1.2. To miUgate security vulnerabiliUes (per Transient Cyber Asset capability), use one or a combinaUon of the following methods:

•  Security patching, including manual or managed updates

•  Live operaUng system and soeware executable only from read-‐only media

•  System hardening •  Other measures that provide an equal or greater level of protecUon to those listed above under 1.2


136


•  1.3. To miUgate the introducUon of malicious code (per Transient Cyber Asset capability), use one or a combinaUon of the following methods:

•  AnUvirus soeware, including manual or managed updates of signatures or pazerns

•  ApplicaUon whitelisUng •  Restricted communicaUon to limit the exchange of data to only the TCA and the Cyber Assets to which it is connected

•  Other measures that provide an equal or greater level of protecUon to those listed above under 1.3


137


•  1.4. To miUgate the risk of unauthorized use, use one or a combinaUon of the following methods:

•  Transient Cyber Asset resides within a locaUon with restricted physical access

•  Full-‐disk encrypUon with authenUcaUon •  MulU-‐factor authenUcaUon •  Thee recovery tools •  Other measures to miUgate the risk of unauthorized use


138

CIP-‐010-‐2 R4 Approach

•  Auditors will request your plan(s) which address Transient Devices and Removable Media

•  Evidence of records of connecUng, using, and disconnecUng Transient Devices and Removable Media

•  Sample of devices and methods used to secure device prior to connecUng

139


CIP-‐010-‐2 R4 Example 140


•  Sample record

•  Raw data – Screen shot of A/V signatures, patch level – Screenshot of full disk encrypUon se}ngs – Change Ucket

CIP-‐010-‐2 R4 Change Ticket Example 141

Transient Cyber Asset(s) Owned or Managed by Vendors or Contractors

Implement acUons prior to connecMng the vendor-‐ or contractor-‐owned Transient Cyber Asset.

142



2.1 To miUgate security vulnerabiliUes (per Transient Cyber Asset capability), use one or a combinaUon of the following methods: •  Review of installed security patch(es) •  Review of security patching process used by the vendor or contractor

•  Review other vulnerability miUgaUon performed by the vendor or contractor

•  Other measures that provide an equal or greater level of protecUon to those listed above under 2.1

143



2.2 To miUgate malicious code, use one or a combinaUon of the following methods: •  Review of anUvirus update level •  Review of anUvirus update process used by the vendor or

contractor •  Review of applicaUon whitelisUng used by the vendor or

contractor •  Review use of live operaUng system and soeware

executable only from read-‐only media •  Review of system hardening used by the vendor or

contractor •  Other measures that provide an equal or greater level of

protecUon to those listed above under 2.2

144



•  Sample review record

145


CIP-‐010-‐2 R4 Change Ticket Example 146

Removable Media

3.1 Acceptable use, which shall include: 3.1.1 Users, either individually or by group or role 3.1.2 LocaUons, either individually or by group

3.2 To miUgate malicious code, scan Removable Media outside of the BES Cyber System

147


Transient and Removable Media Types These assets do not provide BES reliability services and are not part of the BES Cyber Asset they are connected to. Examples of these devices include, but are not limited to: •  Hardware/soeware diagnosUc test equipment •  Hardware/soeware packet sniffers •  Hardware/soeware used for BES Cyber System maintenance

•  Hardware/soeware used for BES Cyber System configuraUon

•  Hardware/soeware used to perform vulnerability assessments


148

Removable Media Types Media, directly connected for 30 consecuUve calendar days or less, capable of transmi}ng executable code to: •  A BES Cyber Asset •  A network within an ESP •  A Protected Cyber Asset that can be used to store, copy, move, or access data

Removable Media are not Cyber Assets. Examples include, but are not limited to, floppy disks, compact disks, USB flash drives, external hard drives, and other flash memory cards/drives that contain nonvolaUle memory.

149


Transient Cyber Asset Types

Transient Cyber Asset: A Cyber Asset, (e.g., using Ethernet, serial, Universal Serial Bus, and wireless including near field and Bluetooth communicaUon) directly connected for 30 consecuUve calendar days or less, capable of transmi}ng executable code to: •  A BES Cyber Asset •  A network within an ESP •  A Protected Cyber Asset

150


Transient Cyber Asset Types

Examples include, but are not limited to Cyber Assets used for: •  Data transfer •  Vulnerability assessment •  Maintenance •  TroubleshooUng purposes Once the transient device is disconnected, the requirements listed herein are not applicable.

151


CIP 010-‐2 R4 Approach •  How should I document the use and removal of transient devices and removable media?

•  Maintain records: – Which devices were connected to which ESP – When they were connected/disconnected – What was it used for –  Systems assessed

•  EnUUes are required to document and implement a plan for how they will manage the use of Transient Cyber Assets and Removable Media


152

CIP 010-‐2 R4 Best PracUces

•  Ensure transient devices do not have wireless or Bluetooth features enabled

•  Transient Cyber Assets that may be used for assets in differing impact areas (i.e. high impact, medium impact, low impact) – Consider the need to have separate Transient Cyber Assets for each impact level

•  Use a combinaUon of methods listed, not just the minimum


153

CIP 010-‐2 R4 Best PracUces •  Use the concept of system hardening for Transient devices –  helps minimize security vulnerabiliUes by removing all non-‐essenUal soeware programs and uUliUes and only installing the bare necessiUes

•  Restrict or disable serial or network (including wireless) communicaUons –  can be used to minimize the opportunity to introduce malicious code onto the Transient Cyber Asset


154

AddiUonal Resources

•  CIP-‐010-‐1 •  NERC version 4 to version 5 mapping •  Glossary of Terms Used in NERC Reliability Standards

•  NIST SP800-‐115 – Security tesUng


155

Summary

•  Know what is required for each BES cyber system(s)

•  Create and maintain device baselines •  AcUve Vs. paper assessment •  Track and manage deadlines •  Transient and Removable Media •  Review referenced NIST documents for added guidance


156

Speaker Contact Info

Ben Christensen Senior Compliance Risk Analyst, Cyber Security 801-‐819-‐7666 [email protected]

157
