RADiFlow 3180 Security Appliance Review A NERC CIP version 5 Compliance Enabler

Transcription

1 0 P a g e DiFlow 3180 ecurity ppliance eview C CP version 5 Compliance nabler Performed by an ndependent Cybersecurity Consultant for DiFlow 12/1/2014 DiFlow 3180 uggedized ecure witch and i ecurity management software. he eview and eport was conducted by i2 nformation ecurity (i2), a Coloradobased cybersecurity vendor. i2 has expertise with ubject atter xpert participation in several cybersecurity standards for the energy sector.

2 1 P a g e he DiFlow nswer to emote ubstation ecurity, Compliance & esilience - C F DiFlow 3180 he Department of Homeland ecurity reports that of the growing number of cyber-attacks on critical infrastructure in 2012, more than 40 percent were made on energy-sector targets. his alarming increase of attacks poses new risk management challenges for utilities, and energy sector owners and operators of critical infrastructure. mong the most challenging responsibilities is improving security at remote substations. he physical attacks on remote substations in rkansas in the fall of 2013, causing downed transmission lines, sabotaged power poles, and substation control house fire, highlight the vulnerability of remote sites generally. cyber-attack on these sites is especially worrisome because of the inability of qualified cybersecurity and CD network expertise to respond in time. Fines from C CP noncompliance add further risk. he C ay 2012 Compliance nalysis eport shows that lectronic ecurity Perimeter ranks second in potential noncompliance under C CP. he top violation area is under ystems ecurity anagement. anaging compliance to remote sites is particularly burdensome enforcement data from C shows that fines in excess of $100,000 are imposed regularly for these cybersecurity violations. DiFlow 3180 helps to solve the management challenge of providing resilient cybersecurity controls for emote ubstations. ts service - aware features enable CD managers to securely monitor and control devices within the remote perimeter. he ease of compliance under CP 005 and 007 is afforded from the coupling of the serviceaware 3180 secure communication appliance and the i management software. s a package, their features assure security managers of C CP compliance for emote ubstations especially for the 2 most problematic areas: lectronic ecurity Perimeter and ystems ecurity anagement.

3 2 P a g e emote ubstation ecure Communication he DiFlow 3180 is a multi-function hardware and security appliance with extensive capabilities and network applications that warrant a broader device characterization closer to a full-feature appliance-type device than the conservative ruggedized switch description of the manufacturer. anufactured and marketed by DiFlow as a Compact witch or a ervice-aware ndustrial thernet witch, DiFlow 3180 is actually an ll-in-ne CD security multiplier that offers the power industry many security and efficiency advantages, while also enabling C CP version 5 compliance. DiFlow 3180 offers a suite of mix-and-match security configurations so that security managers can remotely tailor device-specific security controls. ptions such as device-specific protocol white listing, physical and virtual port tailored access control configurations and a variety of other security features maximize security options. What if each CD device within a emote ubstation could be distinctly and remotely configured for security, with separate access controls, white listing, and a suite of other individualized security features? his is possible with the coupling of i anagement oftware and DiFlow hese tailored security controls make DiFlow 3180 highly suitable for remote sites. his analysis of DiFlow 3180, conducted by independent cybersecurity subject matter experts, focuses on a power sector se Case, particularly remote substation applications, analyzing how DiFlow 3180 can render a C CP esponsible ntity compliance ready.

4 3 P a g e DiFlow 3180 Product eview Distributed ervice-aware in the 3180 ruggedized switch with a CD-aware firewall embedded in the device nables dynamic configuration to detect and deeply analyze various CD protocols White isting configurability options (command types, C addresses, ports, protocol ) Configurable to drop and alert, alert, or simply drop traffic Configurable with sensors to detect CD traffic anomalies nomaly detection and heuristics: can detect traffic spikes nables automatic detection of normalcy baseline Fail-over communication redundancy through thernet and cellular Pec VP tunnels with X.509 certificates emote collection of logs for activity monitoring pace reduction through multi-functions in one device i anagement oftware dvantages of Coupling 3180 with i anagement oftware Full functionality of the 3180, as well as robust management of the CD network, is enabled from the DiFlow i software. his coupling of capabilities offers a suite of C CP compliance options, as well as greatly improved security. From a management console, i affords configuration and security options such as: egmentation of CD device control by port, C D, protocol, white listing, port disabling, command type, and user access ulti-dimension access control functionality that complicates device access to any would-be attacker Configuration management segmentation: Global and pplication; so that user access controls may be configured to limit access he suite of security controls offers substantial benefits to remote substations, and other security enclaves that require both remote continuous security monitoring and management controls. C CP Compliance (version 5)

5 4 P a g e C CP Compliance (version 5) Get eady for C CP Version 5 Compliance FC has indicated that C CP version 4 will be skipped in favor of version 5. Presidential Policy Directive PPD-21 is also causing increased focus on cybersecurity. hese emerging compliance mandates upon the ulk lectric ystem, as well as general consensus across the cybersecurity landscape that will influence Public tility Commissions (PC), indicate that a dynamic cyber risk management approach will become the standard and norm. uch an approach, which puts a premium on the capability to adjust controls to new threats, requires security managers to invest in highly adaptable security solutions. C CP 5 similarly aligns with such an approach. Planning for improved cybersecurity, and to align with C CP 5, should therefore involve assessment of capabilities that can adapt to heightened security requirements. oreover, increasing security to remote locations can strain already over-taxed staff. n an increasingly hostile cyber landscape, both efficiency and resilience is required. ecurity managers require solutions configured with a hardened security baseline for resilience, as well as ease of configuration modification and change management to increase efficiencies. DiFlow 3180, as an ll-in-ne device, coupled with i management software meets these needs emote ite Cybersecurity Control anagement C CP Version 5 Compliance apping he following pages provide a mapping of DiFlow 3180 and i features to C CP 5 standards. he ll-in-ne design of the 3180/i appliance enables compliance readiness across multiple C CP 5 focus areas. ccordingly, a one-for-one matching (feature to standard) does not effectively account for the broad swath of readiness enabled by the fullfeatured appliance, especially when coupled with i security management software. he following table therefore focuses on coupling of features to demonstrate the scope of compliance readiness afforded by the paired 3180/i security and resilience package.

6 5 P a g e C CP (version 5) equirements apping CP003-5 CY G C he purpose of CP003-5 (cybersecurity policy controls) is to provide a management and governance foundation for all requirements that apply to personnel who have authorized electronic access and/or authorized unescorted physical access to Cyber ystems. CP003-5 periodic review and approval of the cybersecurity policy ensures that the policy is kept up-to-date and periodically reaffirms management s commitment to the protection of its Cyber ystems. he approach of CP003-5 incorporates an objective of empowering and enabling the industry to identify, assess, and correct deficiencies in the implementation of CP003-5 requirements. ethods and evidence for ensuring compliance include policy documents, revision history, records of review, and workflow evidence from a document management system assuring review of each policy at least once every 15 calendar months. DiFlow 3180, when coupled with i management software, either provides features that directly comply with certain CP003-5 requirements, or together provide the data or capability that enables the esponsible ntity to demonstrate through processes and recordkeeping its compliance with a particular requirement. CP005-5 CC CY P() CP CP Part 1.7: Configuration change mgmt & V. enabled by emote ccess gent Parts 1.2, 1.4, 1.5, 1.6: i coupled with 3180 supports and enables security management plans and processes for Cyber ystems, including system and asset identification, event logging, access control, configuration change management, recovery plans, and network management. he purpose of CP005-5 (electronic security perimeter) is to manage electronic access to Cyber ystems by specifying a controlled lectronic ecurity Perimeter in support of protecting Cyber ystems against compromise that could lead to misoperation or instability in the. ethods and evidence for ensuring compliance include the documented processes and direct system or capability measures that address the requirement. DiFlow 3180, through its CD-aware firewall, offers a suite of configurable controls to address access control, authentication, remote access controls, configuration change management, event and audit logging, and other features. CP Part 1.3: nbound/utbound routable traffic at P access control by V, CD firewall per port, enable / disable port, Port access filter per C/P, Do protection Part 1.4: Dial-up authentication and documented processes by dual configuration systems both with local or remote authentication, plus audit trail.

7 6 P a g e CP005-5 CC CY P() DiFlow 3180, through its CD-aware firewall, offers a suite of configurable controls to address access control, authentication, remote access controls, configuration change management, event and audit logging, and other features. CP Part 1.3: nbound/utbound routable traffic at P access control by V, CD firewall per port, enable / disable port, Port access filter per C/P, Do protection CP Part 1.4: Dial-up authentication and documented processes by dual configuration systems both with local or remote authentication, plus audit trail. Part 1.5: alicious traffic detection a P by ervice aware firewall acting as P /D by validating protocol structure and session flow, checking code function against operator provided list for validity, abnormality detection of traffic bursts or abnormal command patterns, operator alerts on detection as well as optional abnormal packet drop. Part 2.1: nteractive emote ccess boundaries enabled by management interfaces physically separated from other interfaces, and logically via V, and with ingress and egress filtering to ensure traffic does not cross interfaces, H and PC tunneling (VP). - Physical host authentication in the internal network (C/P address or 802.1x) and validation of performed operations by that host. - ogical authentication for access over insecure interfaces including PC encryption keys and remote user credentials. Part 2.2: nteractive emote ccess encryption performed by H, and system integration provided via PC tunnels Part 2.3: uthentication: everse H sessions to defined remote console, with x.509 certificates as a transition pathway. CP005-7 Y CY G he focus of CP007-7 (systems security management) is on port control and access, patch management, malicious code detection and prevention, incident log capabilities, and access controls.

8 7 P a g e CP007-5 Y CY G DiFlow 3180, when coupled with i management software, either provides features that directly comply with certain CP007-5 requirements, or together provide the data or capability that enables the esponsible ntity to demonstrate through processes and record-keeping its compliance with a particular requirement. CP Part 1.1: ogical port disabling provided by full firewall capability, to include CD protocol awareness and port shutdown / C / P restrictions, alerting V capabilities, port shutdown and C capabilities Part 1.2: Physical port shutdown capability and C / P restrictions to ports CP Parts 2.1, 2.2, 2.3: i management software facilitates patch management through a variety of features, such as device identification, topology characterization and system categorization, device query, and inventory listing. CP CP CP Parts 3.1, 3.2, 3.3, 3.4, 3.5: i and 3180 together or individually provide malware detection and prevention capabilities through packet inspection (includes CD awareness with anomaly detection and alerting, operator control over allowed / disallowed commands with alerting and dropping capabilities), and audit logs at both the 3180 and i. Part 4.1: ncident logging provided by CD aware firewall and interfacing with i; allows for detection and reaction to potential malicious activity, audit trail logging provides for failed access and logins Parts 4.1, 4.2, 4.4, 4.5: CD-aware firewall is fully configurable to alert on anomalies; ystem is syslog and P capable as well as can send logs to i for retention Part 5.1, 5.2: ccess control, user authentication and privilege level associations via H for remote access, local / CC / adius capable; procedural system supports user level access controls CP009-5 CVY P F CY Y edundancy and ecovery enabled by multiple failover features. CP Part 1.5: 3180 supports multiple command interfaces to include cellular with support for two sim cards, allowing for +2 failover of communications channels (P, VP)

9 8 P a g e CP010-1 CFG G D VY DiFlow 3180, when coupled with i management software, either provides features that directly comply with certain CP010-1 requirements, or together provide the data or capability that enables the esponsible ntity to demonstrate through processes and recordkeeping its compliance with a particular requirement. CP CP Parts 1.1, 1.2, 1.3: aseline configuration baselining enabled by the CD-aware firewall, configurability options of 3180, and i management provides anomaly detection of CD traffic with alerting capability. Part 2.1: 3180 enables internal baselining and anomaly detection of CD traffic with alerting capability, including bad / anomalous traffic and detection of configuration change, or failure of devices, and i management of CP011-1 F PC i management software provides features that enable the esponsible ntity to demonstrate through processes and recordkeeping its compliance with a particular requirement of CP CP i supports and enables information protection related to Cyber ystems, including system and asset identification, logging, change management, and network topology.

10 9 P a g e CP003-5 ecurity anagement Controls - 1 Cybersecurity Policy Controls - Part 1.2 lectronic ecurity Perimeter - Part 1.4 ystem ecurity anagement - Part 1.8 nformation Protection - 2 Cybersecurity Policy Controls - Part 2.3 xternal outable Protocol Connections - Part 2.4 Cyber ncident esponse CP005-5 lectronic ecurity Perimeter - 1 Comprehensive Process Controls - Part 1.1 Defined P for Cyber ssets - Part 1.2 Defined lectronic ccess Point - Part 1.3 ccess Control - Part 1.5 alicious raffic Detection - 2 nteractive emote ccess - Part 2.1 emote ccess arrier Control - Part 2.2 emote ccess ncryption - Part 2.3 ulti-factor uthentication CP007-5 ystems ecurity anagement - 1 Ports and ervices - Part 1.1 ogical Port nabling & Control - Part 1.2 Physical Port Control - 2 ecurity Patch anagement - Part 2.1 Configuration support for patch mgmt - Part 2.2 imely inspection (35 days) - 3 alicious Code Prevention - Part 3.1 Detect, deter, prevent method Part 3.2 itigation of malicious code Part 3.3 Process to meet Part 3.1 CP ecover pecifications - Part 1.5 Fail-over data preservation CP010-1 ecovery Plan for Cyber ystems Configuration Change anagement - 1 Change anagement Process Part 1.1 aseline Configuration Part 1.3 Cyber sset dentification Part 1.4 Change controls and documentation Part 1.5 Change testing and documentation - 2 nauthorized Change Detection Part 2.1 Detect nauthorized changes C CP version 5 apping ummary Compliance eady Contribution - Dynamic configurability meets 15 month review cycle; xtensive control options exceed requirements; emote access controls at device as a perimeter gateway. - i provides the dynamic control and G for human interface, management, and response to incidents. ntegrates with the embedded firewall to enable homestation management of 3180 and continuous monitoring. Compliance eady Contribution Comprehensive, compounding, and synergistic compliance and security multiplier for CP005-5 ables 1 and 2 requirements: access control to device level via white listing, protocol-aware access, C D-aware access, and layered authentication and H; two-way traffic control, detection, and alerting. i provides management of the 3180 to enable compliance with lectronic ecurity Perimeter requirements. he robust features of the 3180, especially at remote locations, are readily accessible and managed via i. Compliance eady Contribution Full embedded Firewall within 3180 ensures full compliance and exceeds all requirements: configurable, detect & prevent malicious code at the gateway; port control-enabled. i enables shutdown of physical and virtual ports; or, enabling device interface with the 3180 via specified ports. Patch management and continuous monitoring for malicious code are also enabled. Packet inspection includes CD awareness with anomaly detection and alerting, operator control over allowed / disallowed commands with alerting and dropping capabilities Compliance eady Contribution edundant fail-over communication pathways to ensure constant interface with management software and data retention: cellular with support for two sim cards, P, VP. i provides network topology and management; database backup for network administration; and multiple communication channels to 3180 for redundancy. mergency restoration via. Compliance eady Contribution Configurability includes device detection that facilitates baseline configuration, change management, and device management. CD-aware firewall enables baselining and anomaly detection of CD traffic with alerting capability; integrates with management software to enable unauthorized change detection and continuous monitoring. i provides activity logs, alarm logs, visibility into configuration changes, management, and unauthorized change logs. For more information about DiFlow products [email protected] web: Copyright 2014, DiFlow td. Ver 1.0