GE Measurement & Control. Cyber Security for NEI 08-09

Transcription

1 GE Measurement & Control Cyber Security for NEI 08-09

2 Contents Cyber Security for NEI Cyber Security Solution Support for NEI Access Contols Audit And Accountability CDA, System and Communications Protection Identification and Authentication System Hardening Cyber Security Contingency Plan (Continuity of Operations)....7

3 Cyber Security for NEI Cyber Security Solution Support for NEI As a vendor of industrial controls, GE embraces its responsibilities to assist critical infrastructure owners to improve their security postures and support compliance efforts as they relate to GE provided equipment. Many of the product security features available for current controls, such Mark* VIe and EX2100e, are also available as enhancements for older controls, such as the EX2000, Mark V, EX2100, Mark VI. GE supports customer compliance efforts by providing baseline configuration documentation for current and certain legacy controls, supporting asset operator cyber vulnerability assessments and associated mitigations. GE s cyber security solution is comprised of the Cyber Asset Protection (CAP) Software Update Subscription, and the SecurityST Appliance that support cyber security best practices such as centralized patch management, anti-virus/host intrusion detection updates, account management, logging and event management, intrusion detection and automated backup. The solution supports confidentiality, integrity and availability of critical controls and related networks, which in turn can be applied to support owner compliance towards NEI The following provides more details on how CAP Software Update Subscription and SecurityST Appliance support NEI compliance. 1.0 Access Controls 1.2 Account Management The SecurityST appliance uses Active Directory to centrally manage and collect all role-based HMI account activities. This includes all account management functions, such as: limiting account access rights; terminating temporary, guest and emergency accounts within set time period of inactivity; disabling inactive accounts; and creating and protecting audit records for account creation, deletion, and modification. 1.3 Access Enforcement The SecurityST appliance s Active Directory Server supports Role Based Access Control to enforce policies that are assigned based on least privilege. 1.4 Information Flow Enforcement GE s security solution includes redundant firewalls to assist in the enforcement of information flow. Session enforcement between the controllers and the HMI is provided by the Certificate of Authority Server and prioritization of flows is handled with Quality of Service on the switches. 1.5 Separation of Functions The SecurityST appliance s Active Directory Server supports Role Based Access Control to enforce policies that are assigned based on least privilege 1.6 Least Privilege The SecurityST appliance s Active Directory Server supports Role Based Access Control to enforce policies that are assigned based on least privilege 1.7 Unsuccessful Login Attempts The Security Information Event Management (SIEM) captures log-in attempts on Switches, Firewalls, HMIs, the SecurityST appliance, and the controllers. 1.8 System Use Notification GE s solution supports use notifications on HMIs, routers, switches, and network intrusion detection system (NIDS). GE CAP Support for NEI

4 1.0 Access Controls cont. 1.9 Previous Logon Notification The Security Information Event Management (SIEM) captures log-in attempts on Switches, Firewalls, HMIs, the SecurityST appliance, and the controllers Session Lock Session locks applied within licensee-defined criteria for inactivity, users to initiate session lock mechanisms and maintaining session lock status until the user completes identification and authentication procedures Supervision and Reviewer-Access Control The Active Directory provides a centralized approach to review user activities. Additionally, SIEM can be configured to collect access activity, allowing reviewer of access control settings and enforcement Wireless Access Restrictions GE s control system design is not designed to support wireless devices Proprietary Protocol Visibility GE supports the Ethernet Global Data (EGD) proprietary protocol and provides visibility by including alternative controls and counter measures, such as logging activities via the Command Event Log and Events that are visible on the Alarm Viewer screen. Additionally, the EGD protocol isolated to its own secured V-LAN from the rest of the licensee s network. Each data exchange is identified by a unique combination of three major identifiers: The Producer ID (the producer s IP address) The Exchange ID (the exchange s identifier) The Adapter Name (the Ethernet interface identifier) 1.21 Third Party Products and Controls Active Directory restricts operators from installing software. In addition, SIEM can be configured to detect and report on software installed by authorized users Public Access Protections By default, controls and networks do not support public remote access. 2.0 Audit And Accountability 2.3 Content of Audit Records SIEM allows for centralized log and event management of devices within the network, using a single synchronized time stamp source. 2.4 Audit Storage Capacity SIEM provides centralized audit storage for intermediate term storage. GE can work with the licensee for licensee-defined audit record storage capacity based on the types of Iicensee-defined auditable events, aiarms, event correlation, and associated documentation. 2.5 Response to Audit Processing Failures Active Directory and SIEM can be configured to provide warnings when allocated audit record storage volume reaches a defined percentage of storage capacity. 2.6 Audit Review, Analysis, and Reporting SIEM system provides an automated mechanism to centrally collect and audit logs, allowing rapid review and analysis. For example, SIEM can be configured to collect NIDS logs. 4 Cyber Security for NEI 08-09

5 2.0 Audit And Accountability cont. 2.7 Audit Reduction and Report Generation SIEM system provides automated audit reduction and report generation capability to include audit records for events of interest based on selectable event criteria. GE supports licensee efforts to fine tune SIEM rules and reports through ongoing Technical Service Support. 2.8 Time Stamps Solution can use either GE or customer-provided time source such as NTP. GE can work with the customer to configure NTP communications securely. GE recommends that the time source be restricted to the same security zone as the controllers, not through the Internet or an external network service. 2.9 Protection of Audit Information Access to audit information is restricted to authorized users via role-based access control Non-Repudiation CAP audit records provide non-repudiation by auditing the following information: origin host, impacted host and secure timestamps Audit Record Retention Solution record retention can be configured based on customer record-keeping requirements. SIEM and the Active Directory provide centralized audit record retention Audit Generation SIEM provides audit record generation and allows authorized users to refine list of auditable events to be included in report generation. Reports are time stamped to allow for correlation across disparate devices. 3.0 CDA, System and Communications Protection 3.2 Application Partitioning/Security Function Isolation The Active Directory user and management functions can be used to enable security functions for administrative users only and to limit functions for operators. There is physical partitioning in the network levels between the UDH, PDH, and I/O networks. The control system I/O network is physically separated from all other networks. In addition, role-based access to the controller is provided. The UDH, where the control processors are connected, is logically separated from the PDH where plant data, protocols, and peripherals are located. The network separation is achieved through physical connections at the I/O net and port level V-LAN segmentation. 3.4 Denial of Service Protection The solution provides a stateful firewall which protects against unsolicited in-bound traffic and prevents intrusion via behavioral rules and signatures to reduce operational risk for network operations. The network intrusion detection employs rules and policies defining limits to identify potential DoS attacks. Solution includes HIDS and NIDS, detecting DoS attacks. 3.5 Resource Priority HMIs and Servers rely on Windows System Resource Manager which includes five built-in resource management policies that the licensee can use to quickly implement management. In addition, GE can assist in creating custom resource management policies to meet the licensee s specific needs to manage system resources (processor and memory). The network switches also use QoS to prioritize network resources and insure that controller traffic has the highest priority. CAP s secured network design segments control network traffic from other network traffic and guarantees the per forma nee of the control network by prioritizing the control network traffic over supervisory traffic via Quality of Service (QoS) which relegates non-control network traffic to best effort delivery. Cyber Security for NEI

6 3.0 CDA, System and Communications Protection cont. 3.6 Transmission Integrity GE s solution includes a Certificate Authority Server with security certificates supporting transmission integrity and authenticated access to the controller, allowing the Mark VIe Control System and EX2100e Generator Excitation to operate in secure mode during normal operations. 3.8 Trusted Path GE s solution provides a stateful firewall which protects against unsolicited in-bound traffic and prevents foreign hosts and other network devices from joining the network. This prevents additions to the network load and broadcast storm. In addition, Network intrusion Detection Provides network Visibility Unauthorized Remote Activation of Services Windows-based HMIs and servers can be configured based on the Windows security policy to disable or remove services that support collaborative computing mechanisms and remote activation of these mechanisms Transmission of Security Parameters Within the Windows Framework, the Active Directory protects the transmission of security parameters Session Authenticity The SecurityST appliance includes a Certificate Authority Server to help establish transmission integrity and provide authenticated access to the controller, allowing the Mark VIe and EX2100e to operate in secure mode during normal operations. The Certificate of Authority Server maintains session authenticity between the controller and the HMIs. In addition, the network firewalls, NIDS, and V-LAN switch control support session authenticity Confidentiality of Information at Rest HMI local security policy can be configured to restrict access of file-based information to authorized users. Additionally, file data encryption can be enabled to support data security in the event of theft. The SecurityST application includes a centralized backup tool that can be configured to back up encrypted data to the SecurityST to protect the confidentiality of information at rest. To increase the security of confidential data, the backup archive can be encrypted with the strong, industry-standard Advanced Encryption Standard (AES) cryptographic algorithm Heterogeneity GE s cyber security solution employs diverse controls provided with best in class technology that easily integrates into larger plant level or fleet level policies or architectures Fail In Known (Safe) State GE s solution employs fail in known safe state to ensure that functions are not adversely impacted by failure. In addition, controlling and safety related functions are independently controlled and are not dependent on the function of the HMI. Redundant networks, HMI systems, and a local control panel via I/0 are methods used to limit risk of failure due to a single failure and support continuity of operations. 4.0 Identification and Authentication 4.2 User Identification and Authentication SecurityST appliance s Active Directory employs centralized User Identification and Authentication to uniquely identify and authenticate Individuals and processes acting on behalf of users. 4.3 Password Requirements The SecurityST appliance implements role-based access control and controls inbound access. The solution uses an integrated Password Policy Enforcer to enforce granular password policies for Windows: minimum password strength and password lifetimes and reuse restrictions. Network components, including switches, firewalls and intrusion detection system authenticate to Active Directory 6 Cyber Security for NEI 08-09

7 4.0 Identification and Authentication cont. 4.4 Non-Authenticated Human Machine Interaction (HML) Security Not applicable. All HMI activity requires authentication. 4.6 Identifier Management SecurityST appliance uniquely verifies the identity of users, and can disable user accounts within 31 days of Inactivity. Active Directory authenticates centralized access and account management. 4.7 Authenticator Management SecurityST appliance can authenticate passwords based on length and composition. Multifactor authentication via RAD IUS, RSA token, or authentication key is supported through Active Directory. Active Directory also provides centralized access and account management. 4.8 Authenticator Feedback The SecurityST appliance obscures feedback of authentication information during the authentication process through Active Directory. In addition, password characters entered by the user are not displayed. All password transmission protocols are secured (SSH, Active Directory, SSL, etc.). 5.0 System Hardening 5.1 Removal of Unnecessary Services and Programs GE HMIs and controllers are configured and hardened using industry guidelines and standards such as NIST and NSA, as well as, industry accepted third party accreditations. GE provides lists of ports, services, and programs that allow the user to document and track services, programs, drivers, and ports in use or installed on HMIs and servers. 5.2 Host Intrusion Detection System (HIDS) The CAP Software Update Subscription includes HIDS for HMIs and Windows Servers. 5.4 Hardware Configuration Hardware configuration includes the disabling of communication ports, disabling removable media drives. Solution includes role-based USB port control that can be configured based on customer requirements. CD/DVD devices are needed for software installation and disaster recovery backup. During normal operation, these devices can be disabled, and administrators can re-enable them as needed. 5.5 Installing Operating Systems, Applications, and Third-Party Software Updates The CAP Software Update Subscription, Patch Applicability Report inventories the system for current revision levels, defines which updates are applicable, update status, associated US- CERT criticality/security ratings, whether a reboot may be required, and the estimated time required for patch installation. 8.0 Cyber Security Contingency Plan (Continuity of Operations) 8.1 Contingency Plan The SecurityST appliance provides centralized, automated and operator acknowledged, rule based, backups and documentation to support restoration. The solution can be implemented in a redundant, high availability mode with redundant hardware and applications. The solution provides logs to demonstrate completion of backups. Cyber Security for NEI

8 GE Control Solutions 1800 Nelson Road Longmont, CO Controls Connect customer portal: ge-controlsconnect.com *Trademark of General Electric Company Windows is a registered trademark of Microsoft Corporation in the United States and other countries. Copyright 2012 General Electric Company. All rights reserved. GEA20276 (10/2012)