CIP-101: CIP-005-5 Audit Approach, ESP Diagrams, and Industry Best Practices Overview (transcript, 2014/09/24)
Page 1
CIP-101: CIP-005-5 Audit Approach, ESP Diagrams, and Industry Best Practices Overview
September 24 – 25, 2014, Henderson, NV
Joe Andrews, MSc.IA, CISSP-ISSEP, ISSAP, ISSMP, CISA, PSP, Sr. Compliance Auditor – Cyber Security
WESTERN ELECTRICITY COORDINATING COUNCIL
Page 2
Speaker Introduction
• Joseph A. Andrews
o 4 years Critical Infrastructure - Cyber Security
o 21 years DoD Cyber Security / Network Security Engineering (Federal Civilian)
§ Senior Information Systems Security Engineer
§ Information Assurance Program Manager
§ Network Security Engineer
§ Information Systems Security Officer
§ Etc.
o Academic
§ Master of Science in Information Security & Assurance
§ Bachelor of Science in IT/Information Security
§ Professional Certifications: CISSP-ISSEP, ISSAP, ISSMP, CISA, PSP, CAP, CSSA, GCIH, C|CISO, C|EH, CNDA, CBRM, CGEIT, CompTIA Security+
Page 3
PRESENTATION DIAGRAMS DISCLAIMER
• The network diagrams depicted within this presentation are provided only as examples to illustrate topics of discussion and are not meant to be prescriptive regarding any specific application to compliance.
• WECC does not promote any particular brand of network appliance or computer. Various vendor models are used only for demonstration purposes.
Page 4
CIP Version 5 - Foundation
• Borrows from the NIST Risk Management Framework
o System-centric (e.g., BCS) approach to security assessment, security control identification and implementation
- Establishing Cyber System boundaries based on security categorization (e.g., criticality: High, Medium or Low), then applying the risk management strategy and processes
- Common security control inheritance
o Continuous monitoring
Page 5
Terminology
• BES Cyber Asset (BCA)
• BES Cyber System (BCS)
• Protected Cyber Asset (PCA)
• Electronic Security Perimeter (ESP)
• External Routable Connectivity (ERC)
• Electronic Access Point (EAP)
• Interactive Remote Access (IRA)
• Dial-up Connectivity
Page 6
Requirement Count
• 5 Requirements (Version 3) – 26 Sub-requirements
• 2 Requirements (Version 5) – 8 Parts
Page 7
CIP-005-5 R1 Requirements Overview
• R1. Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in CIP-005-5 Table R1 – Electronic Security Perimeter.
o R1.1 All applicable Cyber Assets connected to a network via a routable protocol shall reside within a defined ESP.
o R1.2 All External Routable Connectivity must be through an identified Electronic Access Point (EAP).
o R1.3 Require inbound and outbound access permissions, including the reason for granting access, and deny all other access by default.
o R1.4 Where technically feasible, perform authentication when establishing Dial-up Connectivity with applicable Cyber Assets.
o R1.5 Have one or more methods for detecting known or suspected malicious communications for both inbound and outbound communications.
Page 8
CIP-005-5 R2 Requirements Overview
• R2. Each Responsible Entity allowing Interactive Remote Access to BES Cyber Systems shall implement one or more documented processes that collectively include the applicable requirement parts, where technically feasible, in CIP-005-5 Table R2 – Interactive Remote Access Management.
o R2.1 Utilize an Intermediate System such that the Cyber Asset initiating Interactive Remote Access does not directly access an applicable Cyber Asset.
o R2.2 For all Interactive Remote Access sessions, utilize encryption that terminates at an Intermediate System.
o R2.3 Require multi-factor authentication for all Interactive Remote Access sessions.
Page 9
Page 10
Electronic Security Perimeter (ESP)
• Provides network segmentation and restricted access to Cyber Assets within the SCADA and Process Control Network from the Enterprise/Corporate Network and any other untrusted networks and sources (e.g., unauthorized mobile sources/systems).
• It is the Electronic Access Point that establishes the Electronic Security Perimeter.
Page 11
Electronic Access Point (EAP)
• An interface of a Cyber System, device or appliance (e.g., firewall, gateway, control device with modem) that provides access to and/or through an ESP, i.e., carries the ingress and egress traffic (TCP, UDP; Telnet, SSH, SSL, VPN, HTTP[S]); the Cyber Assets with routable connectivity must reside within the ESP behind it.
• May provide access control, monitoring, alerting and/or logging of access to and/or through the ESP
o may require intermediary device(s) for some of this functionality: Electronic Access Control and Monitoring (EACM) devices
Page 12
BES Cyber Asset (BCA) Definition - FERC Approved Date: 11/22/2013, Effective Date: 4/1/2016
• A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact. Each BES Cyber Asset is included in one or more BES Cyber Systems. (A Cyber Asset is not a BES Cyber Asset if, for 30 consecutive calendar days or less, it is directly connected to a network within an ESP, a Cyber Asset within an ESP, or to a BES Cyber Asset, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.)
Page 13
Non-Routable BCA/BCS
• Cyber Assets are subject to the CIP standards based on their functionality and resultant potential impact to BES reliability.
• BES Cyber Systems and associated BES Cyber Assets are not dependent upon a routable protocol (see definitions).
• A BES Cyber System may include non-routable (serial) devices.
• End point devices (relays) may be included within the v5 requirements and identified as BES Cyber Assets, even if no routable communications exist.
• There are v5 requirements to be addressed for them (e.g., CIP-007-5)
Page 14
BCA and BCS CIP-005-5 Applicability
• All applicable Cyber Assets meeting the BES Cyber Asset definition criteria connected to a network via a routable protocol
Page 15
Page 16
BES Cyber System (BCS) Definition - FERC Approved Date: 11/22/2013, Effective Date: 4/1/2016
• One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.
Page 17
Protected Cyber Asset
• One or more Cyber Assets connected using a routable protocol within or on an Electronic Security Perimeter that is not part of the highest impact BES Cyber System within the same Electronic Security Perimeter. The impact rating of Protected Cyber Assets is equal to the highest rated BES Cyber System in the same ESP. A Cyber Asset is not a Protected Cyber Asset if, for 30 consecutive calendar days or less, it is connected either to a Cyber Asset within the ESP or to the network within the ESP, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.
Page 18
Page 19
EACM - Electronic Access Control or Monitoring (the NERC Glossary term is Electronic Access Control or Monitoring Systems, EACMS)
• Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems.
• This includes but is not limited to EAPs, Intermediate Systems, authentication servers (RADIUS/TACACS), Active Directory servers, Certificate Authorities, security event monitoring systems, IDS/IPS, etc.
Page 20
Page 21
Page 22
BCS (HIGH WATERMARK)
• An example of the high-watermark application would be a Protected Cyber Asset (PCA) that is physically and logically connected (e.g., same subnet) to the same ESP as an interconnected BES Cyber Asset (BCA) or BES Cyber System (BCS); the lower-category PCA then inherits the security category, and the corresponding NERC CIP security control requirements, of the highest-rated BCS in that ESP.
Page 23
Page 24
Page 25
Page 26
Page 27
Discrete Electronic Security Perimeter
• An Electronic Security Perimeter that is typically located in a single geographical location and may be protected by a single Physical Security Perimeter (PSP); the PSP may or may not span multiple rooms, but the cabling infrastructure is protected by the PSP and all rooms are afforded the protections of CIP-006.
Page 28
Page 29
Extended Electronic Security Perimeter
• A single Electronic Security Perimeter that may be located in multiple geographical locations, or multiple rooms in the same facility location, protected by one or more Physical Security Perimeters (PSP); the cabling infrastructure may traverse multiple facility rooms or areas outside of an established PSP.
Page 30
Page 31
CIP-006 REMAND
• NERC contends wiring is not included within the definition of Cyber Asset, so it should be excluded from CIP compliance measures.
• FERC states: "15. …We do not agree that the network cabling (i.e., wires) that gives a communication network its networking capability would be exempt from the CIP Reliability Standards…"
• CIP-006-6 language now includes protection for Cyber Asset cabling
Page 32
CIP-006-5 R1.10 Alternative Controls
• End-to-end encryption examples:
- Layer-2 IEEE 802.1AE MACsec, GCM-AES-256 (e.g., switches)
- Layer-2 intermediate encryption devices/appliances
- Layer-3 IPsec
- Not required, but recommended for encryption validation: e.g., FIPS 140-2 validated modules; Common Criteria EAL4, EAL5
• Physical security control examples:
- Special locks
- Key control – authorized personnel
• Circuit monitoring with supplemental controls
Page 33
Page 34
Page 35
Page 36
Page 37
Page 38
Page 39
YERSINIA (VLAN Exploit Tool)
Contrary to popular belief: VLANs were originally created as a network performance and organization feature, not a security feature.
• Dynamic Trunking Protocol (DTP) abuse
o Cisco proprietary, no authentication; switches default to auto-negotiate, so an attacker can negotiate a trunk and sniff all VLAN traffic
• Trunking protocol (802.1Q and ISL) abuse
o PVLAN hopping, double 802.1Q VLAN tagging
• VLAN Trunking Protocol (VTP) abuse
• Common Spanning Tree (CST) abuse
• Multiple other attacks
• Broadcast storm traffic has been known to disrupt layer-2 switches and misconfigure VLANs
http://www.yersinia.net/index.htm
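To make the double-tagging item concrete, here is an added example in Python; it is not from the slides and it is not Yersinia's code. It builds a constructed Ethernet frame carrying two stacked 802.1Q tags, models the one trunk behaviour the attack relies on (a tag equal to the trunk's native VLAN is stripped before the frame is sent), and reports which VLAN the next switch ends up assigning the frame. The MAC addresses and VLAN IDs are made up.

```python
import struct

ETH_P_8021Q = 0x8100   # 802.1Q tag protocol identifier (TPID)
ETH_P_IPV4 = 0x0800


def build_frame(dst_mac, src_mac, vlan_ids, payload=b"\x45" + b"\x00" * 19):
    """Ethernet II frame with zero or more stacked 802.1Q tags, outermost first.
    MACs are hex strings; the payload defaults to a constructed 20-byte IPv4-looking stub."""
    hdr = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    for vid in vlan_ids:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)  # PCP=0, DEI=0, 12-bit VID
    return hdr + struct.pack("!H", ETH_P_IPV4) + payload


def parse_tags(frame):
    """Return (VIDs outermost-first, inner EtherType, payload)."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == ETH_P_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids, struct.unpack_from("!H", frame, off)[0], frame[off + 2:]


def egress_trunk(frame, native_vlan):
    """Model of the trunk behaviour double tagging relies on: a frame whose outer tag
    equals the trunk's native VLAN is forwarded untagged, i.e. the outer tag is stripped."""
    vids, _, _ = parse_tags(frame)
    if vids and vids[0] == native_vlan:
        return frame[:12] + frame[16:]  # drop the 4-byte outer tag
    return frame


def vlan_assigned_by_next_switch(frame, native_vlan):
    """VLAN the downstream switch assigns after one trunk hop: the outer tag if one
    remains, otherwise the trunk's native VLAN."""
    vids, _, _ = parse_tags(egress_trunk(frame, native_vlan))
    return vids[0] if vids else native_vlan


def is_double_tagged(frame):
    """Detection rule for an access-port capture: two or more 802.1Q tags is not
    something an end host should be sending."""
    return len(parse_tags(frame)[0]) >= 2


if __name__ == "__main__":
    attack = build_frame("ffffffffffff", "020000000001", [1, 100])  # constructed MACs and VIDs
    print("native VLAN 1   ->", vlan_assigned_by_next_switch(attack, 1))    # hops into VLAN 100
    print("native VLAN 999 ->", vlan_assigned_by_next_switch(attack, 999))  # stays in VLAN 1
```

With the trunk's native VLAN left at 1, the attacker's frame crosses into VLAN 100 without ever touching a router or firewall; moving the native VLAN to an unused ID (or tagging the native VLAN on the trunk) leaves the outer tag in place and the frame stays where it was sent from. The point for an ESP is the slide's: a VLAN is a forwarding decision on a switch, not an access control, so the ESP boundary should be an EAP, not a VLAN assignment.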
Page 40
Trend: Legacy Networks to IP VPN
• Legacy SCADA Networks
o Radio and leased line communication
o RTUs serially connected to a radio modem or leased line modem
o Radio modem or leased line modem connected to a Front End Processor (FEP) at the control station
• Secure IP VPN (vendors are pushing)
o IP network communications
o RTU connected to multi-homed and multi-protocol devices (MPLS/Frame Relay/IP; fiber, Ethernet, VSAT)
o Front End Processors are multi-homed, multi-protocol capable and scalable devices
Page 41
Page 42
Page 43
Legacy Networks to IP VPN - WHY?
• It's cheaper
o One-to-one hardware solutions are more expensive
• It's scalable & reliable (redundancy)
o Multi-homed, multi-protocol and network-agnostic systems are scalable, while eliminating single points of failure
• It's safer
o VPN-IPsec, AES-256 versus unencrypted legacy serial communications
• It's still IP!
o Susceptible to the same vulnerabilities plaguing traditional network architectures
o We're not against it, we just need to check it
Page 44
Hacking Satellite
• Spanish cyber security researcher Leonardo Nve demonstrated at Black Hat the exploitation (i.e., gaining access to and impersonating legitimate users) of satellite internet connections using less than $75 worth of tools, which can be purchased on eBay:
- one Skystar 2 PCI satellite receiver card, an open source Linux DVB software application, and the free network analysis tool Wireshark.
Page 45
EXTRA! EXTRA! Read all about it!
• US satellites hacked by Chinese military!
• The hacktivist group Anonymous hacks NASA satellite!
• Anonymous hacks Turkish satellite provider!
• Three states have demonstrated the ability to physically damage satellites by intercepting them: the US, Russia and China
Page 46
NERC Industry Advisories
• Remote Access Guidance
o Use encrypted access controls for remote access
o Use multi-factor authentication
o Consider a proxy device as the VPN termination point
o Implement logging and monitoring
o etc.
Page 47
NERC Guidance
• Guidance for Secure Remote Access
o Secure interactive remote access concepts
o Security practices and proposed solutions for secure interactive remote access
o Assessing the implementation of interactive remote access controls
o Network architecture decisions
Page 48
CIP-005-5 R1 Part 1.1
• All Cyber Assets with routable connectivity shall reside within a defined ESP
Page 49
Measures (Part 1.1)
• List of BES Cyber Systems
• List of BES Cyber Assets within each BCS
• List of Protected Cyber Assets (associated assets)
• ESP network topology including subnets
• Cyber Asset IP addresses
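As an added example (not part of the WECC deck and not any entity's audit evidence), the following Python check takes the Part 1.1 measures listed above (ESP subnets, BCS/BCA/PCA lists, IP addresses) and tests two things an auditor looks for: that every asset with routable connectivity sits inside a defined ESP, and, per the high-watermark slide earlier (Page 22), which impact rating each PCA inherits from the highest-rated BCS in its ESP. The ESP names, subnets, asset names and addresses are constructed for illustration.

```python
import ipaddress

# Constructed ESP definitions (Part 1.1 measure: "ESP network topology including subnets").
ESPS = {
    "ESP-CC-EMS": ["10.10.1.0/24", "10.10.2.0/24"],
    "ESP-SUB-ALPHA": ["192.168.50.0/27"],
}

# Constructed asset list (Part 1.1 measures: BCS list, BCAs per BCS, PCAs, IP addresses).
# impact is the entity's categorization of the BCS the BCA belongs to; PCAs carry none of
# their own. ip is None for a serial-only device.
ASSETS = [
    {"name": "ems-scada-01", "type": "BCA", "bcs": "EMS-SCADA", "impact": "High", "ip": "10.10.1.10"},
    {"name": "ems-hist-01", "type": "BCA", "bcs": "EMS-HIST", "impact": "Medium", "ip": "10.10.2.20"},
    {"name": "ems-jumphost-01", "type": "PCA", "bcs": None, "impact": None, "ip": "10.10.2.30"},
    {"name": "sub-rtu-01", "type": "BCA", "bcs": "SUB-ALPHA-RTU", "impact": "Medium", "ip": "192.168.50.5"},
    {"name": "sub-hmi-01", "type": "PCA", "bcs": None, "impact": None, "ip": "192.168.50.40"},
    {"name": "sub-relay-01", "type": "BCA", "bcs": "SUB-ALPHA-RTU", "impact": "Medium", "ip": None},
]

RANK = {"Low": 1, "Medium": 2, "High": 3}


def esp_for(ip):
    """Name of the ESP whose subnets contain ip, or None if no defined ESP does."""
    addr = ipaddress.ip_address(ip)
    for esp, subnets in ESPS.items():
        if any(addr in ipaddress.ip_network(s) for s in subnets):
            return esp
    return None


def containment_findings(assets=ASSETS):
    """Part 1.1: every routable-connected applicable asset must be inside a defined ESP.
    Serial-only devices are still BCAs (see the non-routable BCA/BCS slide) but have no
    ESP requirement under CIP-005-5, so they are skipped here."""
    findings = []
    for a in assets:
        if a["ip"] is not None and esp_for(a["ip"]) is None:
            findings.append(f"{a['name']} ({a['ip']}) has routable connectivity but is in no defined ESP")
    return findings


def high_watermark(assets=ASSETS):
    """Map each routable PCA to the impact rating it inherits: the highest rating of any
    BCA/BCS in the same ESP. None means the PCA sits outside every defined ESP."""
    esp_max = {}
    for a in assets:
        if a["type"] == "BCA" and a["ip"] is not None:
            esp = esp_for(a["ip"])
            if esp is not None and RANK[a["impact"]] > RANK.get(esp_max.get(esp), 0):
                esp_max[esp] = a["impact"]
    return {a["name"]: esp_max.get(esp_for(a["ip"]))
            for a in assets if a["type"] == "PCA" and a["ip"] is not None}


if __name__ == "__main__":
    for line in containment_findings():
        print("FINDING:", line)
    for pca, impact in high_watermark().items():
        print(f"{pca}: inherits {impact}")
```

In the constructed inventory the substation HMI at 192.168.50.40 falls just outside the /27 declared for ESP-SUB-ALPHA, which is exactly the kind of gap that appears when the subnet on the diagram and the addresses on the asset list are maintained separately; the jump host in the EMS ESP inherits High because the SCADA BCS in that ESP is High, even though the historian beside it is only Medium.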
Page 50
CIP-005-5 R1 Part 1.2
• External Routable Connectivity must be through an identified EAP
External Routable Connectivity
• The definition of 'External Routable Connectivity' includes the term 'bi-directional'
• 'bi-directional routable protocol connection'
• Systems behind a data diode do not have External Routable Connectivity
Measures (Part 1.2)
• Network diagrams
• External routable communication paths
• List of all identified EAPs
CIP-005-5 R1 Part 1.3
• Inbound and outbound access permissions must be applied, including a documented reason for granting each access, and all other access must be denied
Audit Approach (Part 1.3)
• Inbound and outbound access permissions must be configured for all EAPs
• Not required to document the inner workings of stateful firewalls, where connections initiated in one direction are allowed a return path
• EAP must incorporate an access control model that denies access by default
Measures (Part 1.3)
• Established baseline
• Electronic Access Point(s) configuration(s)
• Utilize a 'remark'-type command so the reason for each rule is recorded in the configuration itself
CIP-005-5 R1 Part 1.4
• Authentication is required for all Dial-up Connectivity access, where technically feasible
Change Rationale (Part 1.4)
• Added clarification that dial-up connectivity should perform authentication so that the BES Cyber System is not directly accessible with a phone number only.
Audit Approach (Part 1.4)
• Authentication required for all dial-up accessible Cyber Assets
  o Secure modem with an authentication feature (e.g., username, password)
  o Documented process describing how authentication is accomplished (e.g., dial-back, user challenge authentication, temporary modem plug-in)
• Authentication here does not require multi-factor authentication as Interactive Remote Access does
CIP-005-5 R1 Part 1.5
• Have one or more methods for detecting malicious communications for both inbound and outbound ESP traffic
CIP-005-5 R1.5 Change Rationale
• Per FERC Order No. 706, Paragraphs 496-503, ESPs need two distinct security measures such that the Cyber Assets do not lose all perimeter protection if one measure fails or is misconfigured. The Order makes clear this is not simple redundancy of firewalls, thus the SDT has decided to add the security measure of malicious traffic inspection as a requirement for these ESPs.
Audit Approach (Part 1.5)
• Direction of the traffic monitored: both inbound and outbound traffic are subject to the application of a malicious code detection mechanism
• Placement of malicious communications inspection: specific architecture and placement are not prescribed
• Number of malicious code detection mechanisms (e.g., IDS): applicability is set at the EAP level
• Alerting is addressed through CIP-007-5 R4
CIP-005-5 R2.1
• Intermediate System(s) are required for Interactive Remote Access (IRA), to ensure that direct access to Cyber Asset(s) is prohibited
R2.1 Audit Approach
• All Interactive Remote Access requires an Intermediate System that "proxies" all traffic into the ESP
  – No direct external access from the client to an internal BES Cyber Asset
  – The source IP address seen inside the ESP is the IP address of the Intermediate System
  – See the NERC Remote Access guidance documentation
• System-to-system process communications are not considered IRA; the question to ask is whether that communication path can be used for Interactive Remote Access
CIP-005-5 R2.2
• Interactive Remote Access sessions must be encrypted and terminated at the Intermediate System.
R2.2 Audit Approach
• Interactive Remote Access requires encryption from the remote client all the way to the Intermediate System
• Interactive Remote Access is allowed into the ESP only from the source IP address of the Intermediate System
• All Intermediate System communications into the ESP must traverse an EAP prior to entry into the ESP
• Restrictive access controls must be defined for all traffic from the Intermediate System into the ESP, and that traffic must be unencrypted before entry into the ESP, so that the data can be inspected
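The Part 1.3 conditions above (every permit carries a documented reason; deny by default) and the R2.1/R2.2 conditions (interactive access into the ESP only from the Intermediate System's source IP) can be applied directly to an EAP's configuration. The following Python checker is an added example, not from the original presentation or from NERC; it parses a constructed Cisco IOS-style extended access list using a simplified grammar (assumptions: at most one `eq` destination port per entry, contiguous wildcard masks, and a `remark` line documents the entry that follows it). The ESP subnet, the Intermediate System address, and the change-request identifiers in the remarks are all invented for illustration.

```python
"""Audit an EAP access list for CIP-005-5 Part 1.3 (documented permits, deny by default)
and R2.1/R2.2 (interactive protocols into the ESP only from the Intermediate System).

Simplified Cisco IOS extended-ACL grammar (assumption for this example):
    permit|deny <proto> <src> <dst> [eq <port>] [log]
where <src>/<dst> is 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

INTERACTIVE_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc"}
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample EAP configuration; CR-* identifiers are invented.
SAMPLE_ACL = """\
ip access-list extended EAP-INBOUND
 remark CR-2014-017: DNP3 poll of RTU from SCADA master
 permit tcp host 10.20.1.5 host 192.168.100.10 eq 20000
 remark CR-2014-021: Interactive Remote Access (RDP) only from the Intermediate System
 permit tcp host 10.50.0.9 192.168.100.0 0.0.0.255 eq 3389
 permit tcp 10.50.0.0 0.0.0.255 192.168.100.0 0.0.0.255 eq 22
 remark CR-2014-030: ICCP from partner control center
 permit tcp host 10.20.1.7 host 192.168.100.20 eq 102
 permit ip any any
 remark Default deny, logged
 deny ip any any log
"""

ESP_SUBNETS = [ipaddress.ip_network("192.168.100.0/24")]          # constructed
INTERMEDIATE_SYSTEMS = {ipaddress.ip_network("10.50.0.9/32")}     # constructed


@dataclass
class Rule:
    line_no: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]
    remark: Optional[str]


def _address(tokens) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address field; return (network, number of tokens consumed)."""
    if tokens[0] == "any":
        return ANY, 1
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), 2
    wildcard = int(ipaddress.ip_address(tokens[1]))  # IOS wildcard = inverted mask
    if wildcard & (wildcard + 1):
        raise ValueError(f"non-contiguous wildcard mask {tokens[1]}")
    return ipaddress.ip_network((tokens[0], 32 - wildcard.bit_length()), strict=False), 2


def parse_acl(text: str) -> List[Rule]:
    """Parse access-control entries, attaching each preceding remark to the entry it documents."""
    rules, pending_remark = [], None
    for line_no, raw in enumerate(text.strip().splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0] == "ip":      # blank line or the 'ip access-list' header
            continue
        if tokens[0] == "remark":
            pending_remark = " ".join(tokens[1:])
            continue
        src, used = _address(tokens[2:])
        dst, used2 = _address(tokens[2 + used:])
        rest = tokens[2 + used + used2:]
        port = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
        rules.append(Rule(line_no, tokens[0], tokens[1], src, dst, port, pending_remark))
        pending_remark = None
    return rules


def audit_eap(rules, esp_subnets, intermediate_systems) -> List[Tuple[int, str]]:
    """Return (line number, finding) pairs; line 0 marks a finding about the list as a whole."""
    findings, deny_all_seen = [], False
    for r in rules:
        if deny_all_seen:
            findings.append((r.line_no, "entry after the deny-all is never reached"))
            continue
        if r.action == "deny" and r.src == ANY and r.dst == ANY:
            deny_all_seen = True
            continue
        if r.action != "permit":
            continue
        if r.remark is None:                      # Part 1.3: reason for granting access
            findings.append((r.line_no, "permit has no documented reason (no preceding remark)"))
        if r.src == ANY and r.dst == ANY:         # Part 1.3: deny by default
            findings.append((r.line_no, f"'permit {r.proto} any any' defeats deny by default"))
        into_esp = any(r.dst.overlaps(net) for net in esp_subnets)
        if into_esp and r.port in INTERACTIVE_PORTS and r.src not in intermediate_systems:
            findings.append((r.line_no,           # R2.1/R2.2: IRA only via the Intermediate System
                             f"{INTERACTIVE_PORTS[r.port]} into the ESP permitted from {r.src}, "
                             "not only from the Intermediate System"))
    if not deny_all_seen:
        findings.append((0, "no explicit deny-all ends the list; document reliance on implicit deny"))
    return findings


if __name__ == "__main__":
    for line_no, message in audit_eap(parse_acl(SAMPLE_ACL), ESP_SUBNETS, INTERMEDIATE_SYSTEMS):
        print(f"line {line_no}: {message}")
```

On the sample list the checker reports four findings, all on two entries: the SSH permit from the whole 10.50.0.0/24 subnet has no remark and is not restricted to the Intermediate System, and the `permit ip any any` has no remark and defeats deny by default. Consistent with the audit approach above, the checker looks only at the configured entries and does not expect stateful return-path handling to be documented as separate rules; an entry that follows the deny-all is reported as unreachable, and a list with no explicit deny is reported so that reliance on the platform's implicit deny is documented rather than assumed.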
CIP-005-5 R2.3
• IRA requires multi-factor authentication
R2.3 Audit Approach
• Multi-factor authentication is required for all Interactive Remote Access
• Multi-factor authentication requires at least two of the following:
  – Something you have (tokens)
  – Something you know (passwords)
  – Something you are (biometrics)
• Multi-factor authentication is required at the Intermediate System; this is in addition to the authentication for external corporate VPN access
References
• NERC Industry Advisory: Remote Access Guidance (2011). Retrieved from the North American Electric Reliability Corporation website on January 7, 2012, from http://www.nerc.com/fileUploads/File/Events%20Analysis/A-2011-08-24-1-Remote_Access_Guidance-Final.pdf
• NERC Guidance for Secure Interactive Remote Access (2011). Retrieved from the North American Electric Reliability Corporation website on January 7, 2012, from http://www.nerc.com/fileUploads/File/Events%20Analysis/FINAL-Guidance_for_Secure_Interactive_Remote_Access.pdf
Contact
Joe Andrews, MSc.IA, CISSP-ISSEP, ISSAP, ISSMP, CISA, PSP
Sr. Compliance Auditor – Cyber Security
Western Electricity Coordinating Council
jandrews[@]wecc[.]biz
Office: 801.819.7683