Joe Andrews, MsIA, CISSP-ISSEP, ISSAP, ISSMP, CISA, PSP Sr. Compliance Auditor Cyber Security

Transcription

1 Joe Andrews, MsIA, CISSP-ISSEP, ISSAP, ISSMP, CISA, PSP Sr. Compliance Auditor Cyber Security CIP Audit Approach, ESP Diagrams, Industry Best Practices September 24 25, 2013 SALT LAKE CITY, UTAH

2 Speaker Introduction Joseph A. Andrews o 21 years DoD IT & Information Security / Network Engineering (Federal Civilian) Senior Information Systems Security Engineer Information Assurance Program Manager Network Security Engineer Information Systems Security Officer Etc.. o Academic Master of Science in Information Security & Assurance Bachelor of Science in IT/Information Security Professional Certifications: CISSP-ISSEP, ISSAP, ISSMP, CISA, PSP, CAP, GCIH, C CISO, C EH, CNDA, CBRM, CGEIT, CompTIA Security + 2

3 CIP Requirements Overview R1. Identify and document Critical Cyber Assets (CCAs) residing within an Electronic Security Perimeter (ESP) including Access Points (AP) to the ESP R2. Implement and document ESP access controls (i.e., Access Points; deny by default, ports & services, appropriate use banner) R3. Monitor and log access to the ESP R4. Conduct annual Cyber Vulnerability Assessment (CVA) of the Access Points to the ESP R5. Review, update, maintain 3 CIP relevant documentation

4 4

5 R1. Electronic Security Perimeter (ESP) Provides network segmentation and restricted access to Critical Cyber Assets within the SCADA and Process Control Network from the Enterprise/Corporate Network and any other untrusted networks and sources. It is the Access Point, which establishes the Electronic Security Perimeter. 5

6 R1. Access Point (AP) An information system, device or appliance that provides access to and/or through (e.g., ingress or egress traffic) the ESP (e.g., Firewall, Gateway, Control device w/modem (TCP, UDP; Telnet, SSH, SSL, VPN, HTTP[s])) May provide access control, monitoring, alerting and/or logging of access to and/or through the ESP o may require intermediary device(s) for some of this functionality: Electronic Access Control and Monitoring (EACM) devices 6

7 7 ESP Graphical Depiction

8 8 ESP w/ DMZ Graphical Depiction

9 Discreet Electronic Security Perimeter An Electronic Security Perimeter that is typically located in a single geographical location, which may be protected by a single Physical Security Perimeter (PSP) that may or may not traverse multiple rooms, albeit, the cabling infrastructure is protected by the PSP and all rooms are afforded the protections of CIP

10 10

11 Extended Electronic Security Perimeter A single Electronic Security Perimeter that may be located in multiple geographical locations, or multiple rooms in the same facility location, protected by one or more Physical Security Perimeters (PSP), albeit, the cabling infrastructure may traverse multiple facility rooms or areas outside of an established PSP. 11

12 12

13 13 ESP-1 (Actual) Front Rack View

14 14 ESP-1 Front Rack View (CCAs Labeled)

15 15 Access Point Graphical Depiction

16 16 Access Point GUI & CLI INTERFACE

17 17

18 ICS components with serial and/or dial-up interfaces can be Access Points: 18 R1. CAR-005 o A Front End Processor (FEP) or CCA serially connected to a component of another network beyond your control (e.g., another entity) o A FEP or media converter device that uses the internet (e.g.,ip;vpn, SSL, AES) to communicate o Know the backend architecture of your ICS network!

19 19

20 20

21 21

22 Contrary to popular belief: VLANs were originally created as a network performance and organization feature, not a Security feature. Dynamic Trunking protocol (DTP) abuse o Cisco proprietary, no authentication, switches are in default auto-negotiate, sniff all VLAN traffic Trunking protocol (802.1q and ISL) abuse o PVLAN hopping, Double 802.1q VLAN tagging Virtual Trunking protocol (VTP) abuse Common spanning tree (CST) abuse Multiple other attacks 22 YERSINIA (VLAN Exploit Tool)

23 Trend: Legacy Networks to IP VPN Legacy SCADA Networks o Radio and Leased Line communication o RTUs serially connected to Radio Modem or Leased Line Modem o Radio Modem or Leased Line Modem Connected to Front End Processor (FEP) at control station Secure IP VPN (Vendors are pushing) o IP network communications o RTU connected to multi-homed and multi-protocol devices (MPLS/Frame/IP; Fiber, Ethernet, VSAT) o Front End Processors are multi-homed and multiprotocol capable and scalable devices 23

24 24

25 25

26 Legacy Networks to IP VPN - WHY? It s cheaper o One to one hardware solutions are more expensive It s scalable & reliable (redundancy) o Multi-homed, multi-protocol and network agnostic systems are scalable, while eliminating single points of failure It s safer o VPN-IPSEC, AES256 versus unencrypted legacy serial communications It s still IP! o Susceptible to the same vulnerabilities plaguing traditional network architectures o We re not against it, we just need to check it 26

27 Hacking Satellite 27 Spanish Cyber Security Researcher Leonardo Nve demonstrated at BlackHat the exploitation of (i.e., gaining access to and impersonating legitimate users) satellite internet connections using less than $75 worth of tools, which can be purchased on Ebay. - (1) Skystar 2 PCI satellite receiver card, open source Linux DVB software app, and the free network data analysis tool Wireshark.

28 EXTRA! EXTRA! Read all about it! 28 US Satellites hacked by Chinese Military! The hactivist group Anonymous Hacks NASA Satellite! Anonymous hacks Turkish Satellite provider! Three states have demonstrated the ability to physically damage satellites by intercepting them: the US, Russia and China

29 R1. CCA, ESP and AP Enumeration Verify Critical Cyber Asset (CCA) list Verify Electronic Security Perimeter (ESP) designation documentation Verify Access Points of ESP documentation Cross reference CCA, ESP and AP documentation with network diagrams 29

30 R2. Access Point Checks Access Point Configuration Analysis Checks o Appropriate Use Banner configured (Not on radar and Not Applicable for CIP-V5) o Deny by default statement An automatic implicit deny all statement after explicit statements is standard for most new firewalls o SNMP community string default (i.e. PUBLIC ) o Access Control List is restrictive (e.g., No entire Class A IP range left open (65K IP addresses) and justification for entire Class C) o Authorized ports and services 30

31 R3. AP Monitoring, Logging, & Alerting Validate electronic & manual 24/7 monitoring, logging and alerting (Including dial-up accessible CCAs with nonroutable protocols) o Validate electronic and/or manual logs o Verify implemented technical solutions that are responsible for alerting appropriate personnel (i.e., SMTP, SIEM, Log Server, etc.) 31

32 NERC Industry Advisories Remote Access Guidance o Use encrypted access controls for remote access o Use multi-factor authentication o Consider Proxy device as VPN termination point o Implement logging and monitoring o etc 32

33 NERC Guidance Guidance for Secure Remote Access o Secure interactive remote access concepts o Security practices and proposed solutions for secure interactive remote access o Assessing the implementation of interactive remote access controls o Network architecture decisions 33

34 34 R4. Annual Cyber Vulnerability Assessment (CVA) of APs to ESP Validate vulnerability assessment process documentation CVA criteria must address: o Authorized ports and services o Discovery of all Access Points to ESP o Review of controls, default accounts, passwords and network mgmt community strings (PUBLIC) o For vulnerabilities discovered, establish a remediation action plan, and ensure the execution of the action plan

35 R4 Cyber Vulnerability Assessment The CVA summary report should specifically identify, by unique identifiers, the Access Points that were assessed. The auditors will ask for any raw evidence relevant to the assessment. (e.g., automated scans, Access Point configurations) 35

36 R4 Cyber Vulnerability Assessment Auditors will cross reference the Access Point ports and services baseline with configuration Excess ports and services found during the CVA should be added to the CVA mitigation/ remediation plan 36

37 Auditors will review of Action Items DON T LEAVE BLANK!! Action Item Status Completion Date 37

38 R5. Documentation Review and Maintenance Documentation reflect current configurations Documentation updated within 90 days of change to network or security controls Retain relevant access logs for at least 90 calendar days, however, in the instance of a Cyber Security Incident the retention window is approximately 3 years 38

39 References NERC Industry Advisory: remote access guidance (2011). Retrieved from the North American Electric Reliability Corporate website on January 7, 2012, from, Remote_Access_Guidance-Final.pdf NERC Guidance for Secure Interactive Remote Access (2011). Retrieved from the North American Electric Reliability Corporate website on January 7, 2012, from, Guidance_for_Secure_Interactive_Remote_Access.pdf 39

40 Questions? Joe Andrews, CISSP-ISSEP, ISSAP, ISSMP, CISA Sr. Compliance Auditor Cyber Security Western Electricity Coordinating Council Office: