2012 CIP Spring Compliance Workshop May Testing, Ports & Services and Patch Management

Transcription

1 2012 CIP Spring Compliance Workshop May 7-11 Testing, Ports & Services and Patch Management

2 Purpose This presentation provides an overview of the CIP R1 Test Procedures which includes a discussion on related requirements: (R2) Ports and Services and (R3) Security Patch Management. 2

3 Agenda Testing Overview Identifying assets to be tested Developing and documenting test procedures Defining adversely affects existing cyber security controls Minimizing adverse effects on production systems 3

4 Agenda What is a significant change? Testing for ports and services Disabling unused ports and services Mitigation of ports and services that cannot be disabled Patch testing 4

5 CIP R1 Test Procedures The Responsible Entity shall ensure that new Cyber Assets and significant changes to existing Cyber Assets within the Electronic Security Perimeter do not adversely affect existing cyber security controls. 5

6 Significant Changes Includes all parts of a system including, but not limited to: Firmware for the system and any peripherals such as Network Interface Cards Operating system(s) Drivers Third party applications running on the system May include hardware such as motherboards or hard drives that have been replaced on a failed system must be tested 6

7 Identifying Changes for Testing Any new Cyber Assets within the Electronic Security Perimeter (ESP), as well as EACMs, and PACS. Any existing Cyber Asset that is eligible for: implementation of security patches cumulative service packs vendor releases version upgrades of operating systems, applications, database platforms, or other third-party software or firmware 7

8 Other Considerations Replacement of an existing Cyber Asset Does the replacement Cyber Asset contain BIOS, system, or other versions of hardware/software that has not been tested in your environment? Any other identified change that may adversely impact the security controls Consider performing a risk analysis 8

9 Minimizing Adverse Affects to Cyber Security Controls CIP-007-3, R1.1 The Responsible Entity shall create, implement, and maintain cyber security test procedures in a manner that minimizes adverse effects on the production system or its operation. 9

10 Adverse Affects to Cyber Security Controls Ensure that any new system or patches do not negatively impact security controls The new system or patch should not: Disable any configured security control already in place Introduce new vulnerabilities Modify access privileges Override configured monitoring and logging controls Open previously closed ports or create new services Send out new traffic that affects the environment 10

11 Testing for Adverse Affects Perform Network Packet Analysis in test environment Perform a vulnerability assessment For new patches or system software Look at your CIP-003-3, R6 Change Control and Configuration Management program for guidance Have any configuration files, registry keys, or other system variables changed (CIP-009-3, R4)? 11

12 Baselining Systems The following method may assist in identifying whether a change causes any adverse affects to your environment: Create a baseline network packet capture, ports/services scan, and system configuration of existing system or environment Create a post-installation capture of network traffic and system configuration Compare the above to determine the impact of the change(s) to existing cyber security controls. 12

13 Ports and Services Identify ports used for Normal and Emergency Operation Disable any unnecessary ports and services When introducing new systems, attempt to shutdown unnecessary services to determine impact (i.e. Windows Search, httpd, etc) Disable any ports configured for the purpose of testing 13

14 Ports and Services Uninstall unnecessary software Do you really need Internet Explorer on a system that shouldn t be accessing the Internet? In cases where unused ports and services cannot be disabled due to technical limitations, document the compensating measures applied to mitigate risk exposure and prepare any required TFEs 14

15 Test Procedures Develop test procedures for each system type Operating Systems Virtual environments such as VMWare or Citrix If patching a hypervisor, are you testing the virtual hosts running on the hypervisor? Network and security systems 15

16 Test Procedures Develop procedures for each application running on the system Ensure that any security controls on these applications are functional Each test procedure should identify an expected successful results 16

17 Testing Environment CIP-007-3, R1.2 The Responsible Entity shall document that testing is performed in a manner that reflects the production environment Change control window Consider documenting a process that ensures that any failed changes are capable of being backed out 17

18 Documenting Results CIP-007-3, R1.3 - The Responsible Entity shall document test results. What did you find? Were the results as expected? How did you mitigate any newly introduced security issues? Does it require a TFE? Should you update your documentation? (CIP-003-3, R3, CIP-008-3, CIP-009-3) 18

19 Patch Management Tracking Patches Three ways: Manual Monitoring Mailing lists and a spreadsheet Through OS Management Tools Red Hat Enterprise Linux Spacewalk Windows Management Interface (WMI), Group Policy Objects (GPOs), and Windows Software Update Services (WSUS) Third-party software or services 19

20 Evaluating Patches Track patches for ALL applications in the environment You must demonstrate that you have evaluated security patches and upgrades for applicability, within 30 days of the availability of the patch or upgrade Document and schedule implementation Best practices perform risk analysis if you are delaying implementation 20

21 Documenting Patch Implementation Document when you implement the patch Keep a running log for each patch type Operating system Application Other If you do not install a patch: Document compensating and mitigating measures to minimize your risk exposure Consider filing a TFE 21

22 Supply Chain Management Do you know where your suppliers get their products? Consider wiping and reinstalling OS on new equipment Ensure your patches or system upgrades come from a trusted source Consider a policy that dictates where your administrators get their patches and upgrades 22

23 Questions? 23