Notable Changes to NERC Reliability Standard CIP-010-3

Transcription

1 C L AR I T Y AS S U R AN C E R E S U LT S M I D W E S T R E LIAB I L I T Y ORGAN I Z AT I ON Notable Changes to NERC Reliability Standard CIP Cyber Security Configuration Change Management and Vulnerability Assessments Bill Steiner MRO Principal Risk Assessment and Mitigation Engineer MRO CIP Version 5 Workshop February 12 and 18, 2015 Improving RELIABILITY and mitigating RISKS to the Bulk Power System

2 Agenda Applicable Systems Baseline Configuration Concept Vulnerability Assessment Transient Cyber Assets and Removable media Plan(s) for Transient Cyber Assets Plan(s) for Removable Media 2

3 Applicable Systems This Standard includes the Configuration Management requirements for: High Impact BES Cyber Systems Medium Impact BES Cyber Systems Electronic Access Control or Monitoring Systems (EACMS) Physical Access Control Systems (PACS) Protected Cyber Assets (PCA) 3

4 Baseline Configuration Concept Baseline Configuration Concept The baseline concept is designed to provide clarity on requirement language ( Significant ) found in previous CIP Standard Versions The baseline provides the triggering mechanism for when entities must apply the change management processes Five required items in baseline: Operating system(s) (including version) or firmware where no OS exist Any commercially available or open-source application software (including version) intentionally installed Any custom software installed Any logical network accessible ports Any security patches applied 4

5 Baseline Configuration Concept Baseline Configuration Concept (continued) Authorize and document changes that deviate from the existing baseline (change management system) Baseline document must be updated within 30 days of change Prior to the change determine security controls (CIP-005 and CIP-007) which could be impacted Following the change verify the controls have not been adversely impacted 5

6 Baseline Configuration Concept Baseline Configuration Concept (continued) Document Results Evidence must provide reasonable assurance of completion of the test This is typically done by providing screen shots or electronic results of testing STRONG procedural controls, which would include signed, dated, detailed test results along with clear expectations and instructions of work to be completed can meet this requirement 6

7 Baseline Configuration Concept High Impact Control Centers have additional requirements: Changes which impact the baseline configuration must be tested in an environment which minimize adverse effects to the production environment Environment must be sufficient to ensure CIP-005 and CIP-007 test will be meaningful Along with the test results, the environment of the test must also be documented Include measures which were used to account for differences Must monitor at least every 35 days for changes to the baseline Intent is for automated monitoring when possible, manual procedural controls when not 7

8 Vulnerability Assessment Must conduct a paper or active vulnerability assessment at least every 15 calendar months Initial assessment must be completed within 12 months after the effective date of CIP Version 5 Paper Vulnerability Assessment Intended to be a comprehensive review and verification of security controls without the impact of active network scanning tools Active Vulnerability Assessment Use of active discovery tools (Nmap, etc.) to provide Network (including wireless), Ports/services, and vulnerability assessment of enabled services Required at least every 36 months (in a test environment) at High Impact Control Centers 8

9 Transient Cyber Assets and Removable Media Proposed Definition Transient Cyber Asset (NERC Glossary of Terms) A Cyber Asset that (i) is capable of transmitting or transferring executable code, (ii) is not included in a BES Cyber System, (iii) is not a Protected Cyber Asset (PCA), and (iv) is directly connected (e.g., using Ethernet, serial, Universal Serial Bus, or wireless, including near field or Bluetooth communication) for 30 consecutive calendar days or less to a BES Cyber Asset, a network within an ESP, or a PCA. Examples include, but are not limited to, Cyber Assets used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes. 9

10 Transient Cyber Assets and Removable Media Proposed Definition Removable Media (NERC Glossary of Terms) Storage media that (i) are not Cyber Assets, (ii) are capable of transferring executable code, (iii) can be used to store, copy, move, or access data, and (iv) are directly connected for 30 consecutive calendar days or less to a BES Cyber Asset, a network within an ESP, or a Protected Cyber Asset. Examples include, but are not limited to, floppy disks, compact disks, USB flash drives, external hard drives, and other flash memory cards/drives that contain nonvolatile memory. These types of devices represent the highest risk to BES Attachment 1 of CIP Details the required sections in the plan which must be implemented for Transient Cyber Assets and Removable Media 10

11 Plan Requirements for Transient Cyber Assets Highlights - Transient Cyber Assets owned by Registered Entities Authorization (all apply) Users, either individually, group, or role Locations, either individually, group, or role Uses, which shall be limited to what is necessary to perform business functions Software Vulnerability Mitigation (use one or combination) Security patching OS and software from read-only media System Hardening Other method(s) 11

12 Plan Requirements for Transient Cyber Assets Highlights - Transient Cyber Assets owned by Registered Entities Introduction of Malicious Code Mitigation (one or combination) Antivirus software Application whitelisting Other method(s) Unauthorized Use Mitigation (one or combination) Restrict physical access Full-disk encryption with authentication Multi-factor authentication Other method(s) 12

13 Plan Requirements for Transient Cyber Assets Highlights - Transient Cyber Assets managed by Third Party Software Vulnerabilities (one or combination) Review installed security patch(es) Review security patching process used by the party Review other mitigation performed by the party Other method(s) 13

14 Plan Requirements for Transient Cyber Assets Highlights - Transient Cyber Assets managed by Third Party, (continued) Introduction of malicious code mitigation (one or combination) Review antivirus update level Review antivirus update process used by the party Review of application whitelisting used by the party Review use of OS and software executable on from read-only media Review of system hardening used by the party Other method(s) Determination of 3 rd party policies for sufficiency 14

15 Plan Requirements for Removable Media Highlights - Removable Media Authorization Users, either individually, by group, or role Locations, either individually or by group Malicious Code Mitigation Use method(s) to detect malicious code on Removable Media using a Cyber Asset other that a BCS or PCA Mitigate the threat of detected malicious code on Removable Media prior to connecting to a BCA or PCA 15

16 Plan Requirements - Transient Cyber Assets and Removable Media Attachment 2 of CIP Provides detailed examples of expected evidence Can get complicated with Jointly owned facilities 16

17 Questions? 17