NERC-CIP Cyber Security Standards Compliance Documentation

Transcription

1 Cmpliance Dcumentatin Briv OnAir 8/3/20154

2 Page 2 Overview This dcument is intended t be the primary surce f infrmatin fr Briv s cmpliance with the Nrth America Electric Reliability Crpratin (NERC) reliability standard fr Critical Infrastructure Prtectin (CIP) Cyber Security Standards. The fllwing tpics are cvered: Critical Cyber Asset Identificatin (CIP-002-3) Security Management Cntrls (CIP-003-3) Electrnic Security Perimeter(s) (CIP-005-3a) Physical Security f Cyber Security Assets (CIP-006-3c) Systems Security Management (CIP-007-3a) Incident Reprting and Respnse Planning (CIP-008-3) Recvery Plans fr Critical Cyber Assets (CIP-009-3) Secndary surces fr infrmatin n Briv s infrmatin security capabilities can be fund at This dcument is rganized by the currently regulated CIP requirement tpics. Where Briv OnAir prvides the capability t meet the requirement, it is described in mre detail. CIP requirements that are strictly based in plicy r are nt therwise regulated r supprted by Briv OnAir are nt discussed. Backgrund Briv Inc. prvides a web-hsted physical access cntrl system by the prduct name Briv OnAir. Briv OnAir is designed t cntrl physical access t drs and gates via the use f a knwn credential such as an access card, PIN r bimetric template. There are three majr cmpnents t the verall peratin f the Briv OnAir service: Custmer premises equipment cnsisting f a Cntrl Panel and Readers Briv s centralized, web-hsted applicatins resident at ur Data Center Web brwser n end-user PC fr System Administratin These cmpnents share data acrss multiple platfrms and netwrks in rder t distribute credentials, centralize access and alarm event recrds, live and recrded vide, and prvide ther services such as sftware updates t Cntrl Panels. Cntrl Panels are netwrked t ur Data Center thrugh a variety f IP technlgies. It is assumed that Briv s n site access cntrl panels, PC s with brwser access t Briv s hsting Center and Briv s hsting center fall within an Electrnic Security Perimeter (ESP) which requires identificatin and prtectin per CIP Old Gergetwn Rad, Suite 300, Bethesda, MD Tll Free

3 Page 3 Critical Cyber Asset Identificatin (CIP-002-3) Per the standard, Standard CIP requires the identificatin and dcumentatin f the Critical Cyber Assets assciated with the Critical Assets that supprt the reliable peratin f the Bulk Electric System (BES). These Critical Assets are t be identified thrugh the applicatin f a risk-based assessment. The Respnsible Entity identifies the Critical Assets. The Critical Cyber Assets are thse cmpnents that are essential t the peratin f the Critical Assets. Fr the purpses f the Standard CIP-002-3, Critical Cyber Assets are further qualified t be thse having at least ne f the fllwing characteristics: The Cyber Asset uses a rutable prtcl t cmmunicate utside the Electrnic Security Perimeter; r, The Cyber Asset uses a rutable prtcl with a cntrl center; r, The Cyber Asset is dial-up accessible. The physical access cntrl system may nt be cnsidered essential t the peratin f critical assets and pwer generatin, s it may nt necessarily be n the initial list f identified assets. Hwever, the PACS uses TCP/IP (a rutable prtcl) fr cmmunicatin with Briv s data center. Fr this reasn, it shuld be included n the list f Critical Cyber Assets. Hardware at the physical security perimeter, hwever, including badge readers, electrnic lcking mechanisms, lcking cntrl mechanisms, etc., shuld nt be included in the list f critical assets. Certain hardware such as dr cntrllers and input/utput devices are used fr data cllectin and interface t the envirnment, but are pass-thrugh devices withut autnmus authrizatin r lgging respnsibility; and therefre, these devices need nt be cnsidered cyber assets. Briv OnAir uses access cntrl panels with purpse-built firmware. There is n perating system and due t the purpse-built nature, they are nt subject t traditinal viruses, wrms, Trjan hrses, r ther malicius attacks. Security Management Cntrls (CIP-003-3) CIP R5 requires that the Respnsible Entity dcument and implement a prgram fr managing access t prtected Critical Cyber Asset infrmatin. Briv OnAir supprt individual lgin credentials fr each administratr. The lgin credentials include a username and passwrd. Passwrds may be made up f letters, numbers and nnalphanumeric characters. Passwrds may be up t 128 characters lng and t meet the NERC-CIP requirements a strng passwrd requirement can be enfrced. Within Briv OnAir, a strng passwrd is ne that is case sensitive; has at least 6 characters; must have at least ne lwercase character, ne uppercase character, ne numeric

4 Page 4 character, and ne nn-alphanumeric character. In additin, a passwrd cannt be the same as the administratr s username. The administratr s accunt can be assigned a specific rle. Briv OnAir supprts tiered administratin within the sftware, thereby preventing an administratr frm perfrming functins they are nt authrized t perfrm. One f the requirements fr Critical Cyber Asset Infrmatin (CCAI) prtectin is t set frth privileges fr access. Briv OnAir enfrces a tiered based administratin mdel. Each administratr lgging int the system can be tracked and assciated with their admin ID. The type f administratr is made up f a list f capabilities and features in the system which the administratr is allwed t utilize. Master Administratrs have cmplete access t the Briv OnAir accunt and can create, edit, and delete ther administratrs as well as view, edit, and append data and activate any devices within the accunt. Super Administratrs have the same rights as the Master Administratr except that they cannt alter the Master Administratr s credentials in any way. Senir Administratrs have the same rights as Super Administratrs, except that they cannt create new administratrs. Assistant Administratrs can view, edit, r append data and activate devices n the accunt, depending upn their permissins. View the administratr can review data in the accunt, but cannt edit r append it. Edit the administratr can edit and delete data in the accunt. Append the administratr may add r remve users frm the accunt. Activate the administratr can activate devices n the accunt, fr example using the Unlck Dr functinality. Electrnic Security Perimeter(s) (CIP-005-3a) Standard CIP-005-3a requires the identificatin and prtectin f the Electrnic Security Perimeter(s) inside which all Critical Cyber Assets reside as well as all access pints n the perimeter. Fr the purpses f CIP-005-3a cmpliance the fllwing tpics are relevant t Briv OnAir slutin and prvide the required dcumentatin fr sectin R2.5 f CIP-005-3a: CIP-005-3a R2.1 Cmpliance: Briv OnAir panels cmply with CIP R2.1 as they are set up t deny by default all cnnectin attempts. CIP-005-3a R2.2 Cmpliance: Briv OnAir panels cmply with CIP R2.2 since nly prt 443 is required fr utbund cmmunicatins. CIP-005-3a R2.3 Cmpliance: This sectin is nt applicable as there is n dial-up access t the Electrnic Perimeter prvided within the Briv slutin. CIP-005-3a R2.4 Cmpliance fr Brwser Access: Administratrs access their data via the Internet, using a web brwser in an encrypted Secure Sckets Layer (SSL) sessin. Briv supprts 128-bit encryptin n this link. Administratrs are authenticated via username and passwrd.

5 Page 5 CIP-005-3a R2.4 Cmpliance fr Panels: As required fr system peratin, Briv cntrl panels establish an SSL sessin with Briv OnAir befre it begins t exchange infrmatin. The cntrl panel checks a digital certificate that resides n the servers at Briv s data center. In ding s, Briv presents its digital certificate t the cntrl panel which supplies mutual validatin. If the certificate presented by the Briv data center des nt match the certificate that the cntrl panel expects, then it will refuse t cmmunicate with the data center. Briv servers are able t verify the cntrl panel s identity because Briv installs a unique digital certificate (used as a client certificate in the cntext f SSL) n each cntrl panel at the time f manufacture. This certificate is digitally signed by Briv s that its rigin can always be cnfirmed at a later time, and cannt be faked. When a cntrl panel attempts t establish an SSL sessin t dwnlad data r reprts events, Briv servers frce it t present its client certificate befre gaining access t the system. If it has a valid certificate that was issued by Briv, then an SSL sessin is initiated and it is allwed t dwnlad data and uplad event infrmatin. If nt, it is blcked frm any further activity n the server. In additin t blcking attempts at spfing r impersnatin, the client certificate requirement als blcks ut attempts by hackers t gain access t these web servers. CIP-005-3a R2.4 Cmpliance fr Briv s data center: Briv s servers fr Briv OnAir are physically hsted at secure, guarded, 24x7 facilities with strict physical access cntrls. The sites are als equipped with the latest fire detectin and cntrl technlgy, as well as redundant, diesel backed uninterruptible pwer supplies. In rder t prtect Briv s hsted applicatins at ur data center, we have implemented safeguards against all f the fllwing types f threats: Denial f Service (DOS) attacks Web server explits Applicatins server explits Operating system explits Database attacks Malicius emplyees Scial engineering attacks Natural disaster As recmmended by best practices in the field f infrmatin security, Briv uses a multilayered apprach t prviding fr the security f its servers and the cnfidentiality f the infrmatin they hld. The first layer f security is prvided by dedicated, redundant firewalls that screen ut all Internet traffic except fr legitimate requests t access ne f the frntend web servers that Briv perates fr its Briv OnAir service. A secnd layer f security, specifically designed t prtect against cmmn denial f service (DOS) attempts, is prvided by a set f switches that detect these attacks and shunt the traffic befre it can affect the quality f service prvided by ur web servers. Briv uses highly rated perating systems n all f its servers, which prvides fr insurance against many f the security hles that affect ther brands f perating system. Briv further hardens its servers thrugh a rigrus set f plicies that restrict services and prts, restrict user IDs and

6 Page 6 passwrds, and require applicatin f all f the latest security-related perating system patches frm ur vendrs. Physical Security f Cyber Security Assets (CIP-006-3c) Per the standard, Standard CIP-006-3c is intended t ensure the implementatin f a physical security prgram fr the prtectin f Critical Cyber Assets. The Respnsible Entity shall dcument, implement, and maintain a physical security perimeter (PSP). The PSP is a six-wall brder surrunding the Electrnic Security Perimeter (ESP). CIP-006-3c R1 Cmpliance with Physical Security Plan. In additin t the perimeter, there will be access cntrl at different levels thrughut the facility. Fr example, the lbby may be cmpletely pen t the public, whereas ffices may be cntrlled nly permitting access via card reader r PIN cde. Certain highly secure areas, such as server rms r financial archives, may require bimetric authenticatin. The specifics will be determined based n a risk assessment. CIP-006-3c R2 Cmpliance with Prtectin f Physical Access Cntrl Systems. This requirement indicates that cyber assets used fr physical security are affrded the prtective measures f CIP-003, CIP-004-3, CIP-005-R2 & R3, CIP-006-R2, CIP-007-3a, CIP-008-3, and CIP Please refer t the specific sectins f this dcument t review hw Briv OnAir facilitates this requirement. Hardware at the physical security perimeter, hwever, including badge readers, electrnic lcking mechanisms, lcking cntrl mechanisms, etc., shuld nt be included in the list f critical assets. Certain hardware such as dr cntrllers and input/utput devices are used fr data cllectin and interface t the envirnment, but are pass-thrugh devices withut autnmus authrizatin r lgging respnsibility; and therefre, these devices need nt be cnsidered cyber assets. Briv OnAir uses access cntrl panels with purpse-built firmware. There is n perating system and due t the purpse-built nature, they are nt subject t traditinal viruses, wrms, Trjan hrses, r ther malicius attacks. CIP-006-3c R4 Cmpliance with Physical Access Cntrls. Briv OnAir prvides means fr implementing peratinal cntrl as well as supprting the dcumentatin requirements fr all access pints t the Physical Security Perimeter. Cards card access ffers excellent management cntrl and is cst effective in cmparisn t deplying 24/7 security persnnel. Card access als speeds persnnel thrughput and simplifies lgging and reprting. CIP-006-3c R5 Cmpliance with Mnitring Physical Access. The Respnsible Entity shall dcument and implement the technical and prcedural cntrls fr mnitring physical access at all access pints t the Physical Security Perimeter(s) twenty-fur hurs a day, seven days a week. Unauthrized access attempts shall be reviewed immediately and handled in accrdance with the prcedures specified in Requirement CIP Alarm systems Briv OnAir can be used directly t mnitr alarm inputs, cntrl access thrugh drs, and trigger utputs. ntificatin can be linked t these events, immediately infrming the necessary persnnel.

7 Page 7 Briv events can als be passed t ther mnitring systems via analg r digital means. CIP-006-3c R6 Cmpliance with Lgging Physical Access. Briv OnAir lgs all system activity (at access pints as well as administratr activity) which supprts the requirement t recrd sufficient infrmatin t uniquely identify individuals and the time f access. Electrnic lgging all events (at access pints as well as administratr activity) are jurnaled in the Briv OnAir system. These events can be used t generate reprts in a number f different cnfiguratins thrugh the My Reprts functinality within Briv OnAir. Vide recrding vide is supprted thrugh Briv OnAir Vide r NVR integratin. Events are viewable bth live and frm archived vide thrugh the Briv OnAir interface. These vide clips are autmatically linked t their respective event in the Briv OnAir Activity Lg. CIP-006-3c R7 Cmpliance with Access Lg Retentin. Activity Lg infrmatin is viewable fr ninety (90) calendar days. Per CIP regulatins, retentin f recrds is required fr at least three (3) years and archived data can be retrieved upn request frm Briv. CIP-006-3c R8 Cmpliance with Maintenance and Testing. The Respnsible Entity is required t develp the maintenance and testing prgram. This prgram is required t include the items listed belw: Maintenance f physical security mechanisms n a cycle f n lnger than three (3) years. Firmware changes t the Briv OnAir cntrl panels are cvered under this requirement, but the need fr firmware updates ccurs rarely. Retentin f utage recrds fr a minimum f ne calendar year Briv OnAir makes an entry in the Activity Lg fr pwer lss events. The My Reprts functinality allws this infrmatin t be retrieved frm up t 366 days ag. Systems Security Management (CIP-007-3a) Standard CIP requires Respnsible Entities t define methds, prcesses, and prcedures fr securing thse systems determined t be Critical Cyber Assets, as well as the ther (nn-critical) Cyber Assets within the Electrnic Security Perimeter(s). CIP-007-3a R2 Cmpliance with Prts and Services. Prt 443 pen t utbund traffic is the nly prt that needs t be available fr the Briv OnAir t functin prperly. CIP-007-3a R5 Cmpliance with Accunt Management. The Respnsible Entity shall enfrce authenticatin f, and accuntability fr, all user activity. Briv OnAir allws master administratrs t delete ther administratrs and t create new administratrs with specific privileges t enfrce accuntability. Briv OnAir als jurnals all accunt activity fr up t 90 days, which is viewable by the master administratr. Briv OnAir als supprts strng passwrds, allwing fr the fllwing requirements: Must be at least 6 characters lng Must have at least ne lwercase character Must have at least ne uppercase character Must have at least ne numeric character Must have at least ne nn-alphanumeric character Cannt be the same as the admin ID

8 Page 8 Finally, Briv OnAir is cnfigured t autmatically lg ff an administratr after a specified perid f inactivity. Incident Reprting and Respnse Planning (CIP-008-3) Per the standard, Standard CIP ensures the identificatin, classificatin, respnse, and reprting f Cyber Security Incidents related t Critical Cyber Assets. The Respnsible Entity shall develp and maintain a Cyber Security Incident respnse plan and implement the plan in respnse t Cyber Security Incidents. The requirements f this sectin necessitate plicies, prcedures, and applicatins beynd the scpe f the PACS, althugh peratins within the PACS may assist as part f an incident respnse plan. Alarm events that are received by the Briv PACS can be tied t an ntificatin which can be sent t any number f recipients, including nsite security persnnel. Briv OnAir supprts integratin with 3 rd party systems thrugh Briv API, ur RESTful API. Develpers may use Briv API t write middleware fr integratin with, fr example, an incident reprting and management sftware package. Recvery Plans fr Critical Cyber Assets (CIP-009-3) Per the standard, Standard CIP ensures that recvery plan(s) are put in place fr Critical Cyber Assets and that these plans fllw established business cntinuity and disaster recvery techniques and practices. Briv OnAir stres all accunt data ff-site at a Briv data center, thereby remving the necessity fr n-site backups. Cmmunicatin lss with the Briv PACS is captured by OnAir and ntificatins can be created fr any number f recipients, including n-site security persnnel and OnAir administratrs. Additinally, Briv s disaster recvery actin plan ensures that all data center infrmatin is securely stred at a disaster recvery facility. Briv s disaster recvery plan is listed as SSAE16 and ISO27001 cmpliant.

9 Page 9 Transprtatin Wrker Identity Credential Many f the electric pwer generatin and distributin cmpanies have facilities that are regulated t cmply with the TWIC prgram implemented by the Transprtatin Security Agency. The TWIC card is an electrnically enabled (smart card) identity dcument. The TWIC has bigraphic and bimetric data that assciate the card with the individual. By registering the credential ID number in the physical access cntrl system (via Briv s integratin with pivclass), the card can als be used t assciate the individual with their access privileges as assigned by the administratr at the facility. The TWIC prgram requires that all individuals with unescrted access t secure areas f regulated facilities must have their TWIC card within 5 minutes f their persn. If the card is used t gain access t secure areas, it is a further assurance that the persn has their card with them. T prvide the irrefutable cnnectin between the persn and the card, bimetric authenticatin must be applied at the entrance. Use f the TWIC as the access cntrl credential als simplifies the prcess fr the cardhlder. They n lnger have t carry multiple cards t gain access at varius facilities. The TWIC is based n Federal Infrmatin Prcessing Standard (FIPS) 201 and therefre is interperable with ther systems that als supprt this standard. Supprt f the standard means that the system is capable f reading the card the cardhlder must still register in the PACS and be assigned apprpriate access rights. Supprt fr the TWIC and ther FIPS 201-based credential slutins is achieved by use f Briv OnAir. The latest versin f OnAir supprts the varius identity fields n the TWIC and similar smart cards. Summary This cmpliance dcument has highlighted areas within the NERC Critical Infrastructure Prtectin Cyber Security Standards where Briv OnAir supprts the effrts f the Respnsible Entity in securing the perimeter f their facility. Additinally, being a cyber-asset itself, the Briv PACS inherently supprts the features needed t facilitate the Respnsibility Entity s plicies, prcedures, and dcumentatin requirements.