Morgan King CISSP- ISSAP, CISA Senior Compliance Auditor – Cyber Security


Page 1: CIP-007-5 Compliance Outreach, CIP v5 Roadshow

Morgan King CISSP-ISSAP, CISA
Senior Compliance Auditor – Cyber Security
May 14-15, 2014, Salt Lake City, Utah

Page 2: Agenda

• CIP-007-5 Overview
• New/Redefined Terminology
• CIP-007-5 Audit Approach
• Issues & Pitfalls
• Questions

Page 3: EMS ESP [IP network]

[Network diagram: an EMS Electronic Security Perimeter (CIP-007 applies inside it) containing EMS servers, workstations, a file server, an access control server, printers, switches and routers, each asset labelled CCA; the ESP connects through firewalls to CorpNet and the EMS WAN, with EAPs, EACMs, an Intermediate Server and an Access Control Server in the DMZ (CIP-005).]
Page 4: EMS ESP/BCS [IP network]

[Network diagram: the same EMS ESP redrawn in V5 terms. The BES Cyber System (BCS, identified under CIP-002) is made up of BCAs (EMS servers, workstations); the non-BCS workstations, file server, printers and switches inside the ESP are PCAs, some labelled BCA/PCA; EAPs and EACMs sit at the perimeter and in the DMZ (CIP-005); CIP-007 applies to the assets inside the ESP.]

All PCA devices take on the impact level of the BCS
Page 5: Multi-BCS ESP

[Network diagram: one ESP holding two BES Cyber Systems, one rated HIGH and one MEDIUM, each with its own BCS workstations and BCS server (BCAs), plus PCAs, EAPs and EACMs as in the previous diagrams.]
Page 6: EMS ESP [High Water Mark]

[Network diagram: the same ESP as on the previous page, now carrying a single HIGH label across the BCS and its PCAs.]

All PCA devices take on the impact level of the BCS
Page 7: V5 Compliance Dates

CIP Version 5 Effective Dates

Requirement                                                  Effective Date
Effective Date of Standard                                   April 1, 2016

Requirement-Specific Effective Dates
CIP-002-5 R2                                                 April 1, 2016
CIP-003-5 R1                                                 April 1, 2016
CIP-003-5 R2 for medium and high impact BES Cyber Systems   April 1, 2016
CIP-003-5 R2 for low impact BES Cyber Systems               April 1, 2017
CIP-007-5 Part 4.4                                           April 15, 2016
CIP-010-1 Part 2.1                                           May 6, 2016
CIP-004-5 Part 4.2                                           July 1, 2016
CIP-004-5 Part 2.3                                           April 1, 2017
CIP-004-5 Part 4.3                                           April 1, 2017
CIP-004-5 Part 4.4                                           April 1, 2017
CIP-006-5 Part 3.1                                           April 1, 2017
CIP-008-5 Part 2.1                                           April 1, 2017
CIP-009-5 Part 2.1                                           April 1, 2017
CIP-009-5 Part 2.2                                           April 1, 2017
CIP-010-1 Part 3.1                                           April 1, 2017
CIP-009-5 Part 2.3                                           April 1, 2018
CIP-010-1 Part 3.2                                           April 1, 2018
CIP-004-5 Part 3.5                                           Within 7 years after previous Personnel Risk Assessment

Page 8: Requirement Count

• 7 Requirements (Version 3)
  o 26 sub-requirements
• 5 Requirements (Version 5)
  o 20 Parts

Page 9: CIP-007-5 Requirements

• CIP-007-5
  o R1 Ports and Services
  o R2 Security Patch Management
  o R3 Malicious Code Prevention
  o R4 Security Event Monitoring
  o R5 System Access Control

Page 10: CIP-007 V3 to V5 Summary

• CIP-007-3 R1 -> CIP-010-1 R1.4 & R1.5
• CIP-007-3 R2 -> CIP-007-5 R1
• CIP-007-5 R1.2 – NEW – restrict physical ports
• CIP-007-3 R3 -> CIP-007-5 R2
• CIP-007-5 R2.1 – NEW – identify patch sources
• CIP-007-3 R4 -> CIP-007-5 R3
• CIP-007-5 R4.3 – NEW – Alerts
• CIP-007-3 R5 -> CIP-007-5 R5
• CIP-007-3 R5.1 -> CIP-004-5 R4.1
• CIP-007-3 R5.1.1 -> CIP-003-5 R5.2
• CIP-007-3 R5.1.2 -> CIP-007 R4.1
• CIP-007-3 R5.1.3 -> CIP-004-5 R4.3
• CIP-007-5 R5.7 – NEW – unsuccessful login thresholds and alerts
• CIP-007-3 R6 -> CIP-007-5 R4
• CIP-007-3 R7 -> CIP-011-1 R2
• CIP-007-3 R8 -> CIP-010-1 R3
• CIP-007-3 R9 -> Deleted

Project 200806 Cyber Security Order 706 DL_Mapping_Document_012913.pdf

Page 11: Applicable Systems

Page 12: IAC

• CIP-007-5 R1-R5
  o contain Identify, Assess and Correct language in the requirement
• 17 requirements that include IAC
  o Filing deadline Feb. 3, 2015

Page 13

• Post for 45-day first comment and ballot June 2–July 17, 2014
• Communication Networks (Proposed Resolution)
  o Modified requirement Part 1.2 in CIP-007: more comprehensive coverage of physical ports
• IAC
  o CIP-007, a new R2.5
  o CIP-007, update to R4.4
• Transient Devices: CIP-010 – New Part 4.1

http://www.nerc.com/pa/Stand/Prjct2014XXCrtclInfraPrtctnVr5RvnsRF/SDT%20Industry%20Webinar.pdf

Page 14: Serial Exemption

Blanket Serial Exemption

Page 15: Substation Serial-Only Communications

Page 16: Non-Routable BCS

• BES Cyber System and associated BES Cyber Assets are not dependent upon a routable protocol
• A BES Cyber System may include only serial devices with no routable devices at all
• End point devices (relays) are to be included within the V5 requirements and may be BES Cyber Assets or even a BES Cyber System, even if no routable communications exist
• Therefore, there are V5 requirements to be addressed (i.e. CIP-007-5)

Page 17: BCS with External Routable Connectivity

• CIP-007-5 Applicable Requirements:
  o R1.2 Physical Ports
  o R2 – Patch Management
  o R3 – AV & Malicious code prevention
  o R4.1, R4.3, R4.4 – Logging
  o R5.2 – Default/Generic accounts
  o R5.4 – Change default passwords
  o R5.5 – Password complexity

Page 18: CIP-007-5 Asset Level Requirements

• Most of CIP-007 can NOT be performed at a ‘system’ level but at the Cyber Asset level for the following assets:
  o BES Cyber Asset (BCA)
  o EACM
  o PACS
  o PCA
• BCA groupings and BES Cyber Systems are permitted where indicated

Page 19: V5 Asset Level Requirements

• PACS systems (CIP-006-5 Part 3.1)
• Ports and Services (CIP-007-5 Part 1)
• Patch Management (CIP-007-5 Part 2)
• Security Event Monitoring (CIP-007-5 Part 4)
  o BES Cyber System and/or Cyber Asset (if supported)
• System Access Control (CIP-007-5 Part 5)
  o local system accounts

Page 20: V5 Asset Level Requirements

• Baseline requirement (CIP-010-1 Part 1.1)
• Baseline change management (CIP-010-1 Part 1.2 – 1.5)
• Active monitoring - 35 days (CIP-010-1 Part 2.1)
• Cyber Vulnerability Assessment (CIP-010-1 Part 3.1, 3.2, 3.4)
• Testing of new asset (CIP-010-1 Part 3.3)
• System reuse or destruction (CIP-011-1 Part 2)

Page 21: CIP-007-5 Part 1.1

Asset level requirement

Page 22: Ports and Services

• en.able, en.a.ble (dictionary entry for “enable”)
• Logical network accessible ports

Page 23: Ports and Services

• Control required to be on the device itself or may be positioned inline (in a non-bypassable manner)
• Host based firewalls, TCP_Wrappers or other means on the Cyber Asset to restrict access
• Dynamic ports
  o Port ranges or services
  o 0-65535
• Blocking ports at the EAP does not substitute for the device level requirement
• Know what ports are opened and give a reason for enabling the service
• Measures
  o Listening ports (netstat -boan / -pault)
  o Configuration files of host-based firewalls

Page 24: Tools/commands

• Netstat:
  o netstat -b -o -a -n > netstat_boan.txt
  o netstat -p -a -u -l -t > netstat_pault.txt
• NMAP scan results
  o nmap -sT -sV -p T:0-65535 <IP_address> >> nmap_tcp.txt
  o nmap -sU -sV -p U:0-65535 <IP_address> >> nmap_udp.txt
• #show control-plane host open-ports
• #show run all

Page 25: Netstat

C:\Documents and Settings\HMI-1>netstat -b -o -a -n > netstat_boan.txt

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  C:\WINDOWS\system32\svchost.exe
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  [System]
  TCP    0.0.0.0:6002           0.0.0.0:0              LISTENING       428
  [spnsrvnt.exe]
  TCP    0.0.0.0:7001           0.0.0.0:0              LISTENING       248
  [sntlkeyssrvr.exe]
  TCP    0.0.0.0:7002           0.0.0.0:0              LISTENING       248
  [sntlkeyssrvr.exe]
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1656
  [dirmngr.exe]
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       2484
  [alg.exe]
  TCP    127.0.0.1:5152         0.0.0.0:0              LISTENING       1764
  [jqs.exe]
  TCP    127.0.0.1:33333        0.0.0.0:0              LISTENING       1856
  [PGPtray.exe]
  TCP    172.16.105.220:139     0.0.0.0:0              LISTENING       4
  [System]
  TCP    127.0.0.1:2111         127.0.0.1:33333        ESTABLISHED     1616
  UDP    0.0.0.0:7001           *:*                                    248
  [sntlkeyssrvr.exe]
  UDP    0.0.0.0:500            *:*                                    700
  [lsass.exe]
  UDP    0.0.0.0:4500           *:*                                    700
  [lsass.exe]
  UDP    0.0.0.0:445            *:*                                    4
  [System]
  UDP    127.0.0.1:123          *:*                                    1084
  c:\windows\system32\WS2_32.dll
  UDP    172.16.105.220:6001    *:*                                    428
  [spnsrvnt.exe]

Page 26: Nmap

EMS1

root@bt:/# nmap -sT -sV -p T:0-65535 172.16.105.151

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-01-18 12:15 EST
Nmap scan report for 172.16.105.151
Host is up (0.034s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 5.3p1 Debian 3ubuntu6 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.2.14 ((Ubuntu))
111/tcp   open  rpcbind (rpcbind V2) 2 (rpc #100000)
42851/tcp open  status  (status V1) 1 (rpc #100024)
MAC Address: 00:0C:29:66:05:65 (VMware)
Service Info: OS: Linux

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.25 seconds

Page 27: Nmap

EMS1

root@bt:/# nmap -sU -sV -p U:0-65535 172.16.105.151

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-01-18 12:15 EST
Nmap scan report for 172.16.105.151
Host is up (7.57s latency).
Not shown: 65533 closed ports
PORT    STATE         SERVICE VERSION
68/udp  open|filtered dhcpc
111/udp open          rpcbind
MAC Address: 00:0C:29:66:05:65 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1081.98 seconds

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 123.25 seconds

Page 28: Router Ports/Services

Page 29: What We Expect [Sample only]

Device ID | Device Name | TCP Ports | UDP Ports | Service | Justification

SAMPLE FORMAT ONLY

Page 30: Question

• Is it required to capture not only the need for a port to be open, but also the authorization request for the port to be opened?
  o CIP-010-1 Part 1.1: "Develop a baseline configuration, individually or by group, which shall include the following items: ... 1.1.4. Any logical network accessible ports;"
  o The need for a port to be open, and not an actual authorization request for the port to be opened.

Page 31: Authorizations

• CIP-010-1 Part 1.2
  o "Authorize and document changes that deviate from the existing baseline configuration."
  o Measure: "A change request record and associated electronic authorization (performed by the individual or group with the authority to authorize the change) in a change management system for each change; or"

Page 32: CIP-007-5 / CIP-010-1 Relationship

• CIP-010-1 baseline configuration requirements
  o CIP-010-1 Part 1.1.4: Develop a baseline configuration of any logical network accessible ports
  o Documented list of enabled ports
• CIP-007-5 Part 1.1 is concerned only with the enabling of needed ports
• Performance (CIP-007-5) versus documentation (CIP-010-1)

Page 33: Double Jeopardy?

• Failing to maintain the baseline configuration and failing to disable unnecessary ports are two different requirement violations
  o CIP-007-5 Part 1.1 refers to listings of ports as evidence, but that evidence could be the same evidence required for CIP-010-1.
  o Utilizing a single piece of evidence for proof of compliance with two different requirements is not double jeopardy

Page 34: R1.1 Issues & Pitfalls

• Accurate enablement of required ports, services and port ranges
• Understanding critical data flows and communications within ESP and EAPs
• Logical ports include 65535 TCP & 65535 UDP ports
• Managing changes of both logical and physical ports
• Initial identification of physical port usage and controls – port use mapping
• VA, approved baselines, and implemented logical ports and services should always agree (CIP-010-1 and CIP-007-5)
• Focus on EAPs inward to ESP Cyber Systems and Cyber Assets
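The agreement check the slide above asks for (baseline, VA and implemented ports agreeing), written out as an added example that is not from the original presentation: it parses netstat -b -o -a -n output like the Netstat slide's and compares the listening ports with a baseline row in the "What We Expect" sample format. The device name, ports, services and justifications are constructed.

```python
"""Reconcile a device's listening ports against its documented port baseline.

Added example, not part of the original slides; all sample data is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample modelled on the HMI-1 output shown on the Netstat slide.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  C:\\WINDOWS\\system32\\svchost.exe
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  [System]
  TCP    0.0.0.0:6002           0.0.0.0:0              LISTENING       428
  [spnsrvnt.exe]
  TCP    127.0.0.1:33333        0.0.0.0:0              LISTENING       1856
  [PGPtray.exe]
  TCP    127.0.0.1:2111         127.0.0.1:33333        ESTABLISHED     1616
  UDP    0.0.0.0:7001           *:*                                    248
  [sntlkeyssrvr.exe]
  UDP    172.16.105.220:6001    *:*                                    428
  [spnsrvnt.exe]
"""

# Constructed baseline row for the same device in the slide's sample format,
# port -> (service, justification). TCP 139 is documented but no longer
# listening in the sample above, so the baseline itself is out of date.
BASELINE = {
    "device_id": "HMI-1",
    "device_name": "EMS operator HMI",
    "tcp_ports": {
        135: ("RPC endpoint mapper", "EMS client DCOM calls"),
        139: ("NetBIOS session", "Legacy display file share"),
        445: ("SMB", "Display file share"),
        6002: ("spnsrvnt.exe", "Sentinel licence service"),
    },
    "udp_ports": {
        7001: ("sntlkeyssrvr.exe", "Sentinel licence discovery"),
    },
}

# proto, local addr:port, foreign addr, optional state (TCP only), PID
SOCKET_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


@dataclass
class Listener:
    proto: str
    addr: str
    port: int
    pid: int
    image: str = ""  # executable that -b prints on the following line


def parse_netstat(text: str) -> list[Listener]:
    """Return the listening sockets from netstat -b -o -a -n output.

    TCP rows count only in the LISTENING state; UDP rows carry no state and
    are all treated as open. The executable printed by -b follows on its own
    line, so it is attached to the socket parsed just before it.
    """
    listeners: list[Listener] = []
    expect_image = False
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            proto, addr, port, _foreign, state, pid = m.groups()
            expect_image = False
            if proto == "TCP" and state != "LISTENING":
                continue  # established or closing sockets are not open ports
            listeners.append(Listener(proto, addr, int(port), int(pid)))
            expect_image = True
        elif expect_image and line.strip():
            listeners[-1].image = line.strip().strip("[]")
            expect_image = False
    return listeners


def reconcile(listeners: list[Listener], baseline: dict) -> tuple[list, list]:
    """Return (unjustified, stale): ports open but undocumented (an enabled
    port with no documented need, CIP-007-5 Part 1.1), and ports documented
    but not listening (the CIP-010-1 baseline no longer matches the device).
    Either list being non-empty means baseline, VA and device disagree."""
    observed = {(lst.proto, lst.port): lst for lst in listeners}
    documented = {("TCP", p) for p in baseline["tcp_ports"]}
    documented |= {("UDP", p) for p in baseline["udp_ports"]}
    unjustified = sorted((proto, port, observed[(proto, port)].image)
                         for (proto, port) in observed if (proto, port) not in documented)
    stale = sorted(documented - set(observed))
    return unjustified, stale
```

Run on the sample, the 33333/tcp and 6001/udp listeners come back as undocumented and 139/tcp as a stale baseline entry, which is the kind of mismatch an auditor would raise under both standards.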

Page 35: CIP-007-5 Part 1.2

Asset level requirement

Page 36: CIP-007-5 Part 1.2

Asset level requirement

Page 37: CIP-007-3 / CIP-007-5 Change

CIP-007-3              CIP-007-5
Logical Ports only     Includes Physical Ports (R1)

Page 38: Configuration Ports

• Change BIOS
• Upgrade Firmware
• Set Baseline Configuration
• Build-out devices that have components (like servers)
• Perform a variety of Administrative functions
• Perform emergency repair or failure recovery when no other port is accessible

http://www.tditechnologies.com/whitepaper-nerc-cip-007-5-r1

Page 39: Part 1.2 Physical Ports

• Physical I/O ports
  o Network
  o Serial
  o USB ports external to the device casing

Page 40: Part 1.2 Physical Ports

• All ports should be either secured or disabled
• Ports can be protected via a common method; protection is not required to be per port
• “Protect against the use”
  o Requirement is not to be a 100% preventative control
  o Last measure in a defense in depth layered control environment to make personnel think before attaching to a BES Cyber System in the highest risk areas

Page 41: Guidelines

• Disabling all unneeded physical ports within the Cyber Asset’s configuration
• Prominent signage, tamper tape, or other means of conveying that the ports should not be used without proper authorization
• Physical port obstruction through removable locks

Page 42: Port Locks

http://www.blackbox.com/resource/genPDF/Brochures/LockPORT-Brochure.pdf

Page 43: Physical Access to Ports

http://www.supernap.com/supernap-gallery-fullscreen/

Page 44: Question

• Would a Cyber Asset locked in a cage meet this requirement?
• Answer
  o No, the required control needs to be applied at the Cyber Asset level

Page 45: Part 1.2 Physical Ports

• Documented approach to ensure unused physical ports are controlled (identify controls in place)
• Controls in place for ensuring that attempts of physical port usage are identified
  o Think before you plug anything into one of these systems
  o Controls: 802.1x, physical plugs, port block, signage
• Physical port usage documentation – know what is in use versus existing ports not required
• Site tours may validate physical port documentation

Page 46: Physical Ports and Applicable Systems

• A routable device with all of its physical network ports blocked, which would otherwise have been identified as a routable device, now cannot route.
  o The ability to communicate outside of itself is not a determining factor as to whether a Cyber Asset is or is not a BES Cyber Asset or BES Cyber System
  o The Cyber Asset’s function as it pertains to BES reliability determines system identification

Page 47: CIP-007-5 Part 2.1

Asset level requirement

Page 48: CIP-007-3 / CIP-007-5 Change

CIP-007-3                               CIP-007-5
No time frames to implement patches     Patch management required actions and timelines (R2)

Page 49: Part 2.1 Patch Management Process

• Patch management documented process
• List of sources monitored for BES Cyber Systems and/or BES Cyber Assets
• List of Cyber Assets and software used for patch management
• Watching and being aware of vulnerabilities within BES Cyber Systems, whether they are routably connected or not, and mitigating those vulnerabilities
• Applicable to BES Cyber Systems that are accessible remotely as well as standalone systems

Page 50: Part 2.1 Tracking

• Requirement allows entities to focus on a monthly ‘batch’ cycle of patches rather than tracking timelines for every individual patch
• Tracking can be on a monthly basis for all patches released that month rather than on an individual patch basis
• Decision to install/upgrade security patch left to the Responsible Entity to make based on the specific circumstances

Page 51: Tracking for Applicability

• Is applicability based on original source of patch (e.g. Microsoft) or the SCADA vendor?
  o Some may consider it a best practice that vulnerabilities be mitigated in the shortest timeframe possible, even before the patch is certified by the SCADA vendor.
  o Appropriate source dependent on the situation

Page 52: Patch Sources

• Electricity Sector Information Sharing and Analysis Center (ES-ISAC)
  o https://www.esisac.com/
• Common Vulnerabilities and Exposures
  o http://cve.mitre.org/
• BugTraq
  o http://www.securityfocus.com/vulnerabilities
• National Vulnerability Database
  o http://nvd.nist.gov/
• ICS-CERT
  o http://ics-cert.us-cert.gov/all-docs-feed

Page 53: Sources

https://ics-cert.us-cert.gov/ICS-CERT-Vulnerability-Disclosure-Policy

Page 54: Patch Update Issues

• Cyber Security focused
  o Requirement does not cover patches that are purely functionality related with no cyber security impact
  o Cyber Asset Baseline documentation with patch tracking (CIP-010-1 R1.1.5)
  o Operating system/firmware, commercially available software or open-source application software, custom software

Page 55: Cyber Security software patches

• Hardware vendors do provide security patches and security upgrades to mitigate/eliminate vulnerabilities identified in their drivers and firmware

Page 56

Page 57

‘that are updateable’

Page 58: Windows XP (EOL 4-8-2014)

• April 2014: there are no more security patches forthcoming for XP
  o No Software Updates from Windows Update
  o No Security Updates
  o No Security Hotfixes
  o No Free Support Options
  o No Online Technical Content Updates

Page 59: XP Custom Support

• Are entities required to enter into a very expensive, per-Cyber Asset custom support contract with Microsoft in order to continue to receive support?
• $200,000 - $500,000 (2006)
• $200,000 cap (2010)
• $600,000 - $5 million for first year (2014)

http://www.computerworld.com/s/article/9237019/Microsoft_gooses_Windows_XP_s_custom_support_prices_as_deadline_nears?pageNumber=1

Page 60: Windows XP (EOL 4-8-2014)

• April 2014: there are no more security patches forthcoming for XP
  o No patches to assess or apply
• No patches issued means no action required
• No TFEs in R2 language
  o TFEs are not required at any step in the R2 process
• Still required to track, evaluate and install security patches outside of the OS

Page 61: End of Life Systems & Devices

• Document vendor end dates
• Document BCS Assets affected
• Ensure latest applicable patch is implemented
• Deploy mitigation measures for vulnerabilities that cannot be patched
• Monitor US-CERT and other vulnerability tracking sites to be aware of newly identified vulnerabilities that would affect your assets
• Where possible, implement mitigation measures for the newly identified vulnerability

Page 62: Windows XP Embedded

• Cyber Assets running the Microsoft Windows XP Embedded SP3 operating system have until January 12, 2016, before support ends for that version of the operating system
• Support for systems built on the Windows Embedded Standard 2009 operating system ends on January 8, 2019. The Windows Embedded operating system normally runs on appliances

Page 63: CIP-007-5 Part 2.2 Patch Evaluation

Asset level requirement

Page 64: Part 2.2 Patch Evaluation

• At least every CIP Month (35 days): evidence of patch release monitoring and evaluation of patches for applicability
• Evaluation Assessment
  o Determination of Risk
  o Remediation of vulnerability
  o Urgency and timeframe of remediation
  o Next steps
• Entity makes final determination for their environment if it is more of a reliability risk to patch a running system than the vulnerability presents
  o Date of patch release, source, evaluation performed, date of performance and results
  o Listing of all applicable security patches

Page 65: Part 2.2 Patch Evaluation

Page 66: Guidelines

• DHS
  o “Quarterly Report on Cyber Vulnerabilities of Potential Risk to Control Systems” http://www.oig.dhs.gov/assets/Mgmt/2013/OIG_13-39_Feb13.pdf
  o “Recommended Practice for Patch Management of Control Systems” http://ics-cert.us-cert.gov/sites/default/files/recommended_practices/PatchManagementRecommendedPractice_Final.pdf

Page 67: Vulnerability Footprint

http://ics-cert.us-cert.gov/sites/default/files/recommended_practices/PatchManagementRecommendedPractice_Final.pdf

Page 68: CIP-007-5 Part 2.3

Asset level requirement

Page 69: CIP-007-5 Part 2.3 [Patch Response]

Asset level requirement

[Flowchart of R2.1 to R2.3, applicable to High Impact BCS and Medium Impact BCS and their PCA, EACM and PACS:
  R2.1 Document Patch Management process & sources
  R2.2 Documented patch evaluation (max 35 days)
  Required patch identified? NO: done. YES: within 35 days, install patch OR create mitigation plan OR update mitigation plan
  R2.3 Implement plan within time frame]

Page 70: Part 2.3 Actions

• Evidence of performance of:
  o Installation of patches (not an “install every security patch” requirement)
  o Mitigation plan created – includes specific mitigation/remediation of identified security vulnerability, date of planned implementation and rationale for delay
  o Mitigation plan update evidence
  o Evidence of Mitigation plan completion with dates

Note: the referenced mitigation plan is an entity plan and is not associated at all with Enforcement Mitigation plans.

Page 71: Timeframe

• Timeframe is 70 days total
  o 35 days for tracking and determining applicability
  o 35 days for either installing or determining the mitigation plan

Page 72: Maximum Timeframes

• Stating the timeframe as the phrase “End of Life Upgrade” is compliant with the requirement
• Mitigation timeframe is left up to the entity
  o Requirement is to have a plan; the date of the plan in requirement part 2.3 is what part 2.4 depends upon
  o Must work towards that plan

Page 73: Timeframes Guidelines

• Timeframes do not have to be designated as a particular calendar day but can have event designations such as “at next scheduled outage of at least two days duration”

Page 74: CIP-007-5 Part 2.4

Asset level requirement

Page 75: CIP-007-5 Part 2.4 [Mitigation Plan]

[Flowchart of R2.1 to R2.4, applicable to High Impact BCS and Medium Impact BCS and their PCA, EACM and PACS:
  R2.1 Document Patch Management process & sources
  R2.2 Documented patch evaluation (max 35 days)
  Required patch identified? NO: done. YES: within 35 days, install patch OR create mitigation plan OR update mitigation plan
  R2.3 Implement plan within time frame
  R2.4 Plan revision or extension? YES: CIP SM or delegate approval]

Page 76: Part 2.4 Mitigation Plan

• Evidence of CIP Senior Manager’s approval for updates to mitigation plans or extension requests
  o Per mitigation plan
• Revising the plan is permitted if done through an approved process; the revision or extension must be approved by the CIP Senior Manager or delegate
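The R2.2 to R2.4 flow from the preceding slides, carried through as an added worked example (not part of the presentation or of any NERC tool): it computes the 35-day evaluation and 35-day action deadlines, accepts an event designation as a plan date, and refuses a plan revision that lacks CIP Senior Manager or delegate approval. Patch identifiers, sources and dates are constructed.

```python
"""Track CIP-007-5 R2.2 to R2.4 deadlines for patches in a monthly batch.

Added example, not part of the original slides or any NERC tool. It encodes
the timeline the slides describe: 35 days from release to evaluate a patch
for applicability (R2.2), then a further 35 days to install it or to create
a mitigation plan with a planned completion (R2.3), and CIP Senior Manager or
delegate approval for any revision or extension of that plan (R2.4).
Patch identifiers, sources and dates are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

CIP_MONTH = timedelta(days=35)  # the "CIP month" used by R2.2 and R2.3
APPROVERS = {"CIP Senior Manager", "delegate"}  # roles that can approve under R2.4


@dataclass
class PatchRecord:
    patch_id: str
    source: str                      # one of the sources documented under R2.1
    released: date                   # release date that starts the R2.2 clock
    evaluated: date | None = None
    applicable: bool | None = None
    installed: date | None = None
    plan_created: date | None = None
    # a calendar date, or an event designation such as
    # "at next scheduled outage of at least two days duration"
    plan_target: date | str | None = None
    plan_completed: date | None = None
    # (when, previous target, new target, approver role)
    plan_revisions: list[tuple[date, str, str, str]] = field(default_factory=list)

    @property
    def evaluation_due(self) -> date:
        """R2.2: applicability evaluation is due 35 days after release."""
        return self.released + CIP_MONTH

    @property
    def action_due(self) -> date | None:
        """R2.3: install or plan is due 35 days after the evaluation completes."""
        return None if self.evaluated is None else self.evaluated + CIP_MONTH

    def evaluate(self, when: date, applicable: bool) -> bool:
        """Record the R2.2 evaluation; True if it was completed in time."""
        self.evaluated, self.applicable = when, applicable
        return when <= self.evaluation_due

    def install(self, when: date) -> bool:
        """Record installation; True if it fell within the R2.3 window."""
        self._require_applicable()
        self.installed = when
        return when <= self.action_due

    def create_plan(self, when: date, target: date | str) -> bool:
        """Record a mitigation plan and its planned completion; True if within R2.3."""
        self._require_applicable()
        self.plan_created, self.plan_target = when, target
        return when <= self.action_due

    def revise_plan(self, when: date, new_target: date | str, approver_role: str) -> None:
        """R2.4: a revision or extension needs CIP Senior Manager or delegate approval."""
        if self.plan_created is None:
            raise ValueError("no mitigation plan to revise")
        if approver_role not in APPROVERS:
            raise PermissionError(f"R2.4: {approver_role!r} cannot approve a plan revision")
        self.plan_revisions.append((when, str(self.plan_target), str(new_target), approver_role))
        self.plan_target = new_target

    def complete_plan(self, when: date) -> None:
        """Record completion of the mitigation plan (R2.3 evidence with dates)."""
        self.plan_completed = when

    def status(self, today: date) -> str:
        """Where this patch stands in the R2.2 to R2.4 flow as of today."""
        if self.evaluated is None:
            return "evaluation overdue (R2.2)" if today > self.evaluation_due else "awaiting evaluation"
        if not self.applicable:
            return "not applicable"
        if self.installed is not None:
            return "installed"
        if self.plan_created is None:
            return "action overdue (R2.3)" if today > self.action_due else "awaiting install or mitigation plan"
        if self.plan_completed is not None:
            return "mitigation plan complete"
        if isinstance(self.plan_target, date) and today > self.plan_target:
            return "mitigation plan overdue (R2.4)"
        return "mitigation plan in progress"

    def _require_applicable(self) -> None:
        if not self.applicable:
            raise ValueError("evaluate the patch as applicable first (R2.2 precedes R2.3)")


def audit(records: list[PatchRecord], today: date) -> dict[str, str]:
    """Status of every tracked patch, keyed by patch id."""
    return {r.patch_id: r.status(today) for r in records}
```

A batch released on 13 May must be evaluated by 17 June; a patch evaluated on 2 June must be installed or planned by 7 July, and a plan with an event-based date stays "in progress" until it is recorded complete.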

Page 77: Part 2.3 Mitigation

• Some patches may address vulnerabilities that an entity has already mitigated through existing means and require no action
• Lack of external routable connectivity may be used as a major factor in many applicability decisions and/or mitigation plans where that is the case

Page 78: Part 2.3 Mitigation Guidelines

• When documenting the remediation plan measures it may not be necessary to document them on a one-to-one basis
• The remediation plan measures may be cumulative

Page 79: Part 2.4 Implement

• The ‘implement’ in the overall requirement is for the patch management process
  o ‘Implement’ in R2.4 (Mitigation Plan) is for the individual patch
  o If R2.4 does not have an implement requirement at the patch level, then the ‘implement’ in the overall requirement only applies to drafting a plan

Page 80: Demonstrating implementation of Mitigation Plan

• Measures –
  o Records of the implementation of the plan
  o Installing the patch / record of the installation
  o Disabling of any affected service
  o Adding of a signature to an IDS
  o Change to a host based firewall
  o Record of the completion of these changes

Page 81: Proposed CIP-007 R2.5

Page 82: R2 Issues & Pitfalls

• Asset level requirements
• Know, track, and mitigate the known software vulnerabilities associated with BES Cyber Assets
• Not including a complete listing of BES Cyber Systems and assets that are applicable
  o Firmware devices (relays, appliances, etc.)
  o Infrastructure devices within ESP
  o OS based systems
  o Cyber Asset applications (tools, EMS, support applications, productivity applications, etc.)
• If something is connected to or running on the BES Cyber Assets that releases security patches
  o required to be included in the monitoring for patches

Page 83: CIP-007-5 Part 3.1

BES Cyber System level requirement

Page 84: CIP-007-3 / CIP-007-5 Change

CIP-007-3                        CIP-007-5
AV on ALL cyber assets or TFE    Malicious code controls can be at cyber system level, rather than per asset (R3)

Page 85: Part 3.1 Malicious Code

• Deter OR detect OR prevent - any one or combination will meet the wording of the requirement
  o Avoids zero-defect language
  o R3.2 requires ability to detect malicious code
• Methods = processes, procedures, controls
• Applicability is at the ‘system’ level
  o Methods do not have to be used on every single Cyber Asset
• Allows entities to adapt as the threat adapts while also reducing the need for TFEs

Page 86: AV/Anti-Malware

Page 87: Defense-N-Depth

https://www.lumension.com/vulnerability-management/patch-management-software/third-party-applications.aspx

Page 88: Application Whitelisting

• Identifying the specific executables and software libraries which should be permitted to execute on a given system
• Preventing any other executables and software libraries from functioning on that system
• Preventing users from being able to change which files can be executed

http://www.asd.gov.au/publications/csocprotect/application_whitelisting.htm

Page 89: Application Whitelisting

• Application File Attributes
• Digital Certificates
• File Hash
• File Ownership
• Location
• Reference Systems
• Signed Security Catalogs
• Software Packages
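Of the attributes listed on the slide, the file hash is the one that survives a renamed or replaced binary, and a reference system is the usual way to derive the list. The Python below is an added example, not code from the presentation or from any whitelisting product: it builds an allowlist of path-to-SHA-256 from a constructed reference build, then audits a constructed target system and separates permitted, modified and unknown executables. The directory layout, file names and contents are all made up and created in a temporary directory so the example runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(reference_root, extensions=(".exe", ".dll")):
    """Derive the allowlist from a reference system: every executable or
    library on the known-good build is recorded as relative path -> sha256."""
    root = Path(reference_root)
    allow = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in extensions:
            allow[p.relative_to(root).as_posix()] = sha256_of(p)
    return allow


def audit_system(system_root, allowlist, extensions=(".exe", ".dll")):
    """Compare a target system against the allowlist. Returns three sorted lists:
      permitted  file present and its hash matches the allowlist entry
      modified   path is on the allowlist but the content hash differs
      unknown    executable/library that is not on the allowlist at all
    Matching on the hash rather than only on path or name is what stops a
    replaced binary at an approved path from being treated as approved."""
    root = Path(system_root)
    result = {"permitted": [], "modified": [], "unknown": []}
    for p in root.rglob("*"):
        if not (p.is_file() and p.suffix.lower() in extensions):
            continue
        rel = p.relative_to(root).as_posix()
        digest = sha256_of(p)
        if rel in allowlist and allowlist[rel] == digest:
            result["permitted"].append(rel)
        elif rel in allowlist:
            result["modified"].append(rel)
        else:
            result["unknown"].append(rel)
    for key in result:
        result[key].sort()
    return result


def demo():
    """Constructed scenario: a reference build and a target system on which one
    library has been altered and one unapproved executable has appeared."""
    with tempfile.TemporaryDirectory() as tmp:
        ref = Path(tmp) / "reference"
        tgt = Path(tmp) / "target"
        for root in (ref, tgt):
            (root / "bin").mkdir(parents=True)
            (root / "bin" / "ems.exe").write_bytes(b"EMS console build 1")
            (root / "bin" / "hmi.dll").write_bytes(b"HMI library build 1")
            (root / "README.txt").write_bytes(b"not an executable, ignored by the audit")
        # Deviations on the target only: hmi.dll changed, scan.exe not on the reference build
        (tgt / "bin" / "hmi.dll").write_bytes(b"HMI library build 1 with unknown change")
        (tgt / "bin" / "scan.exe").write_bytes(b"unapproved utility")
        return audit_system(tgt, build_allowlist(ref))


if __name__ == "__main__":
    print(demo())
```

The same loop doubles as evidence generation for R3: the allowlist itself documents which files may execute on a given BES Cyber System, and the audit output shows whether the deployed system still matches it.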

Page 90: Virtual Systems

http://www.vmware.com/products/vshield-endpoint/overview.html

Page 91: Guidelines

• Network isolation techniques
• Portable storage media policies
• Intrusion Detection/Prevention (IDS/IPS) solutions

Page 92: Part 3.1 Malicious Code

• Is an awareness campaign to deter OK?
  o ‘or’ and ‘deter’ to avoid zero-defect language
• Requirement is not to detect or prevent all malicious code
• Approach is not to require perfection in an imperfect environment with imperfect tools

Page 93: ‘Associated PCAs’

• Associated PCAs are included at a Cyber Asset (device) level, not system level
• How will the ‘system’ concept apply?
  o Malware prevention is at a BCS level
  o The associated PCAs could be included by reference in the documentation an entity supplies for Requirement R3.1

Page 94: CIP-007-5 R3.2

BES Cyber System level requirement

Page 95: Part 3.2 Detected Malicious Code

• Requires processes
• No maximum timeframe or method prescribed for the removal of the malicious code
• Mitigation for the Associated Protected Assets may be accomplished through other applicable systems
  o Entity can state how the mitigation covers the associated PCAs

Page 96: CIP-007-5 R3.3

BES Cyber System level requirement

Page 97: Requires process for updates

• Requires processes that address:
  o Testing
    - Does not imply that the entity is testing to ensure that malware is indeed detected by introducing malware into the environment
    - Ensuring that the update does not negatively impact the BES Cyber System before those updates are placed into production
  o Installation
    - No timeframe specified
• Requirement R3.1 allows for any method to be used and does not preclude the use of any technology or tool

Page 98: Part 3.3 Signatures

• Specific sub-requirement is conditional and only applies to “for those methods identified in requirement part 3.1 that use signatures or patterns”
  o If an entity has no such methods, the requirement does not apply.
  o Requirement does not require signature use
  o Can an entity rely on AV vendor testing?

Page 99: TFEs

• Requirement has been written at a much higher level than previous versions
• Requirement no longer prescriptively requires a single technology tool for addressing the issue
  o TFEs are not required for equipment that does not run malicious code tools

Page 100: R3 Issues & Pitfalls

• Technical selection and implementation
• Coverage for all cyber assets
• Combination of solutions
• BCS and ESP coverage
• Clear documentation demonstrating coverage
• Identification, alerts and response procedures

Page 101: CIP-007-5 Part 4.1

BES Cyber System and/or Asset level requirement

Page 102: CIP-007-3 to CIP-007-5 Change

CIP-007-3: Security logs
CIP-007-5: Identification of specific log collection events (R4)

CIP-007-3: Sampling and/or summarization not mentioned
CIP-007-5: Log reviews for High Impact Cyber Systems can be summarization or sampling (R4)

CIP-007-3: Log reviews every 90 days when applicable
CIP-007-5: Log reviews for High Impact Cyber Systems must be reviewed every 15 days (R4)

Page 103: Part 4.1 Log Events

• Entity determines which computer-generated events are necessary to log, provide alerts and monitor for their particular BES Cyber System environment
• Logging is required for both local access at the BES Cyber Systems themselves, and remote access through the EAP
• Evidence of required logs (4.1.1 to 4.1.3)
  o Successful and failed logins
  o Failed ACCESS attempts
    - blocked network access attempts
    - successful and unsuccessful remote user access attempts
    - blocked network access attempts from a remote VPN
    - successful network access attempts or network flow information
  o Detection of malicious code

Page 104: Part 4.1 Log Events

• Types of events
• Requirement does not apply if the device does not log the events
  o Devices that cannot log do not require a TFE
  o Logging should be enabled wherever it is available
• 100% availability is not required
  o Entity must have processes in place to respond to outages in a timely manner

Page 105: CIP-007-5 Part 4.2

BES Cyber System and/or Cyber Asset (if supported) level requirement

Page 106: Part 4.2 Alerting

• Detected known or potential malware or malicious activity (Part 4.2.1)
• Failure of security event logging mechanisms (Part 4.2.2)
• Alert Forms
  o Email, text, system display and alarming
• Alerting Examples
  o Failed login attempt threshold exceeded
  o Virus or malware alerts

Page 107: Part 4.2 Alerting Guidelines

• Considerations in configuring real-time alerts:
  o Login failures for critical accounts
  o Interactive login of system accounts
  o Enabling of accounts
  o Newly provisioned accounts
  o System administration or change tasks by an unauthorized user
  o Authentication attempts on certain accounts during non-business hours
  o Unauthorized configuration changes
  o Insertion of removable media in violation of a policy

Page 108: Question

• Is an alert required for malicious activity if it is automatically quarantined?
  o Alerts are required for detection of malicious code regardless of any subsequent mitigation actions taken
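The Part 4.1 events, the Part 4.2 alert conditions, the alerting guidelines and the quarantine question above all come together in the alert logic that sits on top of the log collector. The Python below is an added example, not code from the presentation or from any SIEM product. It runs over a handful of constructed log lines in a made-up key=value format (the hosts, account names and file path are inventions) and raises the four alert types the slides discuss: a failed-login threshold exceeded within a sliding window, malware detected (raised even when the AV reports the file as quarantined, as page 108 requires), failure of the logging mechanism itself (4.2.2), and an authentication attempt on a critical account outside business hours. The threshold, window, critical account set and business hours are assumed parameters.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example only:  <ISO timestamp> <host> <facility>: key=value ...
LINE_RE = re.compile(r"^(\S+) (\S+) (\w+): (.*)$")


def parse(line):
    """Parse one constructed log line into a dict, or return None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, facility, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"ts": datetime.fromisoformat(ts), "host": host, "facility": facility, **fields}


def evaluate(lines, fail_threshold=5, window=timedelta(minutes=10),
             critical_accounts=frozenset(), business_hours=(7, 18)):
    """Return a list of (alert_type, detail) tuples, in log order.
      MALWARE_DETECTED    Part 4.2.1; raised regardless of the AV's own action field
      LOGGING_FAILURE     Part 4.2.2; the log service reported that it stopped
      FAILED_LOGIN_BURST  fail_threshold failures for one account on one host within window
      AFTER_HOURS_AUTH    any authentication attempt on a critical account outside business_hours
    """
    alerts = []
    failures = defaultdict(list)   # (host, user) -> timestamps of recent failed logins
    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue   # unparsable lines are skipped here; a real collector would count them
        if ev["facility"] == "av" and ev.get("event") == "malware_detected":
            alerts.append(("MALWARE_DETECTED",
                           f"{ev['host']} {ev.get('file')} action={ev.get('action')}"))
        elif ev["facility"] == "logsvc" and ev.get("state") == "stopped":
            alerts.append(("LOGGING_FAILURE",
                           f"{ev['host']} log service stopped at {ev['ts'].isoformat()}"))
        elif ev["facility"] == "auth":
            user = ev.get("user", "?")
            in_hours = business_hours[0] <= ev["ts"].hour < business_hours[1]
            if user in critical_accounts and not in_hours:
                alerts.append(("AFTER_HOURS_AUTH", f"{user} on {ev['host']} at {ev['ts'].isoformat()}"))
            if ev.get("result") == "FAIL":
                bucket = failures[(ev["host"], user)]
                bucket.append(ev["ts"])
                bucket[:] = [t for t in bucket if ev["ts"] - t <= window]   # drop failures outside the window
                if len(bucket) == fail_threshold:   # alert once when the threshold is first reached
                    alerts.append(("FAILED_LOGIN_BURST",
                                   f"{user} on {ev['host']}: {fail_threshold} failures within {window}"))
    return alerts


# Constructed sample log (hosts, accounts, addresses and file path are all invented).
SAMPLE_LOG = [
    "2014-05-14T08:00:01 emsapp01 auth: user=operator1 result=OK src=10.1.2.10",
    "2014-05-14T08:01:00 emsapp01 auth: user=operator1 result=FAIL src=10.1.2.10",
    "2014-05-14T08:01:10 emsapp01 auth: user=operator1 result=OK src=10.1.2.10",
    "2014-05-14T08:05:00 emsapp01 auth: user=svc_scada result=FAIL src=10.1.9.9",
    "2014-05-14T08:05:03 emsapp01 auth: user=svc_scada result=FAIL src=10.1.9.9",
    "2014-05-14T08:05:06 emsapp01 auth: user=svc_scada result=FAIL src=10.1.9.9",
    "2014-05-14T08:05:09 emsapp01 auth: user=svc_scada result=FAIL src=10.1.9.9",
    "2014-05-14T08:05:12 emsapp01 auth: user=svc_scada result=FAIL src=10.1.9.9",
    "2014-05-14T09:12:44 hmi02 av: event=malware_detected file=C:/temp/update.exe action=quarantined",
    "2014-05-14T22:30:00 emsapp01 auth: user=emsadmin result=OK src=10.1.2.11",
    "2014-05-14T22:31:00 emsapp01 logsvc: state=stopped reason=disk_full",
    "garbage line that does not parse",
]


def sample_alerts():
    """Evaluate the constructed log with svc_scada and emsadmin treated as critical accounts."""
    return evaluate(SAMPLE_LOG, critical_accounts=frozenset({"emsadmin", "svc_scada"}))


if __name__ == "__main__":
    for kind, detail in sample_alerts():
        print(f"{kind}: {detail}")
```

One failed login by operator1 produces nothing, five by svc_scada inside the window do, and the quarantined detection on hmi02 still raises MALWARE_DETECTED; the failed-login burst here is a Part 4.2 alert, and page 139 notes that it does not by itself satisfy the separate Part 5.7 threshold.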

Page 109: Guidance

• Guidance implies that only technical means are allowed for alerting on a ‘detected cyber security event’
  o Requirement language is the ruling language; guidance is not auditable and is provided to give further context, examples or assistance in how entities may want to approach meeting the requirement
  o Requirement does not preclude procedural controls

Page 110: CIP-007-5 Part 4.3 – Part 4.4

BES Cyber System and/or Cyber Asset (if supported) level requirement

Page 111: Part 4.3 ‘Retain Applicable Event Logs’

• Timeframe:
  o Response timeframe begins with the alert of the failure
  o After something or someone has detected the failure and has generated an alert as in R4.2
  o For the compliance period, the applicable cyber systems maintain 90 days of logs (all High BCS as well as Medium BCS at Control Centers)
• Retention methods are left to the Responsible Entity
  o On or before April 15, 2016

Page 112: Part 4.3 ‘Retain Applicable Event Logs’

Page 113: Part 4.3 ‘Retain Applicable Event Logs’

• Is the audit approach to ask for any single day’s logs in the past three years?
  o Compliance evidence requirement is that the entity be able to show that for the historical compliance period, the applicable cyber systems maintained 90 days of logs
  o ‘Records of disposition’ of logs after their 90 days is up
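The two evidence asks on pages 111 and 113 (90 days of logs for each applicable system, and records of disposition once logs age out) can be checked before the auditor does. The Python below is an added example, not from the presentation or any WECC tool. It takes a constructed inventory of which calendar days have a retained daily log per system, reports coverage and gaps inside the 90-day window ending on a reference date, and separately lists days before the window that have neither a retained log nor a disposition record. System names, dates and the one-log-per-day model are assumptions; the in-scope date is the day the constructed system became applicable.

```python
from datetime import date, timedelta

RETENTION_DAYS = 90   # Part 4.3 retention period as stated on the slides


def days(first, last):
    """Inclusive list of calendar days from first to last."""
    return [first + timedelta(days=i) for i in range((last - first).days + 1)]


def missing_days(log_dates, as_of, retention_days=RETENTION_DAYS):
    """Days inside the retention window (the retention_days days ending at as_of,
    inclusive) for which no retained log exists. Empty list means full coverage."""
    have = set(log_dates)
    start = as_of - timedelta(days=retention_days - 1)
    return [d for d in days(start, as_of) if d not in have]


def retention_report(inventory, as_of, retention_days=RETENTION_DAYS):
    """inventory: {system_id: iterable of dates that have a retained daily log}.
    Returns {system_id: (covered_days, [gap dates])}."""
    report = {}
    for system_id in sorted(inventory):
        gaps = missing_days(inventory[system_id], as_of, retention_days)
        report[system_id] = (retention_days - len(gaps), gaps)
    return report


def undocumented_disposals(log_dates, disposition_dates, in_scope_since, as_of,
                           retention_days=RETENTION_DAYS):
    """Days from in_scope_since up to the day before the window starts that have
    neither a retained log nor a disposition record: the page 113 evidence gap."""
    have = set(log_dates) | set(disposition_dates)
    window_start = as_of - timedelta(days=retention_days - 1)
    if in_scope_since >= window_start:
        return []
    return [d for d in days(in_scope_since, window_start - timedelta(days=1)) if d not in have]


# Constructed sample data (system names and dates are invented).
AS_OF = date(2014, 5, 14)
SAMPLE_INVENTORY = {
    # two days lost to a collector outage inside the window
    "EMS-SRV-01": [d for d in days(date(2014, 2, 14), AS_OF)
                   if d not in (date(2014, 4, 10), date(2014, 4, 11))],
    # full coverage of the window
    "EACM-FW-01": days(date(2014, 2, 14), AS_OF),
    # logging only started on 1 March, so the early part of the window is missing
    "BCS-HIST-02": days(date(2014, 3, 1), AS_OF),
}
# EMS-SRV-01 has been in scope since 1 Jan; disposition records exist through 10 Feb only
SAMPLE_DISPOSITIONS = {"EMS-SRV-01": days(date(2014, 1, 1), date(2014, 2, 10))}


def sample_report():
    return retention_report(SAMPLE_INVENTORY, AS_OF)


def sample_disposal_gaps():
    return undocumented_disposals(SAMPLE_INVENTORY["EMS-SRV-01"], SAMPLE_DISPOSITIONS["EMS-SRV-01"],
                                  date(2014, 1, 1), AS_OF)


if __name__ == "__main__":
    for system_id, (covered, gaps) in sample_report().items():
        print(f"{system_id}: {covered}/{RETENTION_DAYS} days covered, gaps: {[g.isoformat() for g in gaps]}")
    print("disposition records missing for:", [d.isoformat() for d in sample_disposal_gaps()])
```

Running the report against any historical as_of date in the compliance period answers the question on page 113 the way the auditor will ask it: not "do you have logs for day X" but "was the full window covered at every point in time".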

Page 114: Part 4.4 Review Logs Guidelines

• Summarization or sampling of logged events
  o Log analysis can be performed top-down, starting with a review of trends from summary reports
  o Determined by the Responsible Entity
• Electronic Access Points to ESPs are EACMs; this is one of the primary logs that should be reviewed

Page 115: Part 4.4 Review Logs

• Purpose is to identify undetected security incidents
• Paragraph 525 of Order 706
  o Even if automated systems are used, the manual review is still required
  o Manually reviewing logs ensures automated tools are tuned and alerting on real incidents
• What if an entity identifies events in R4.4 that should have been caught in R4.1: is this a violation?

Page 116

Page 117: R4 Issues & Pitfalls

• Ensure all EACMs are identified
  o “Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems. This includes Intermediate Systems.” (NERC glossary)
• Documentation of log collection architecture
  o Log collection data flows
  o Aggregation points
  o Analysis processes and/or technologies
• Validation of the required logs and alert configurations

Page 118: Cloud Computing

http://www.ipspace.net/Webinars

Page 119: Monitoring-as-a-Service

http://www.symantec.com/content/en/us/enterprise/other_resources/b-nerc_cyber_sercurity_standard_21171699.en-us.pdf

Page 120: CIP-007-5 Part 5.1

BES Cyber System and/or Cyber Asset level requirement

Page 121: CIP-007-3 to CIP-007-5 Highlights

CIP-007-3: TFE required for devices that cannot meet password requirements
CIP-007-5: Password requirement may be limited to device capabilities as opposed to filing a TFE (R5)

CIP-007-3: Not specified in V3
CIP-007-5: Failed access threshold and alerts (R5)

Page 122: Part 5.1 Enforce Authentication

• Ensure the BES Cyber System or Cyber Asset authenticates individuals with interactive access
  o GPO (Group Policy Object)
• Interactive user access
  o Doesn’t include read-only front panel displays, web-based reports
• Procedural Controls

Page 123: Part 5.1 Enforce Authentication

Page 124: CIP-007-5 Part 5.2

BES Cyber System and/or Cyber Asset level requirement

Page 125: Part 5.2 Identify Accounts

• Identifying the use of account types
  o Default and other generic accounts remaining enabled must be documented
  o Avoids prescribing an action to address these accounts without analysis; removing or disabling the account could have reliability consequences.
• Not inclusive of System Accounts
• For common configurations, documentation can be performed at a BES Cyber System or more granular level
• Restricting accounts based on least privilege or need to know is covered in CIP-004-5

Page 126: CIP-007-5 Part 5.3

BES Cyber System and/or Cyber Asset level requirement

Page 127: CIP-007-3 Requirement 5.1.2

Page 128: Part 5.3 Identify Individuals

• CIP-004-5 to authorize access
  o Authorizing access does not equate to knowing who has access to a shared account
• “authorized”
  o An individual storing, losing or inappropriately sharing a password is not a violation of this requirement
• Listing of all shared accounts and personnel with access to each shared account

Page 129: CIP-007-5 Part 5.4

BES Cyber System and/or Cyber Asset level requirement

Page 130: Part 5.4 Known

  o Cases where the entity was not aware of an undocumented default password set by the vendor would not be a possible violation
  o Once the entity is made aware of this default password, action may be required per CIP-007-5 R2

Page 131: Part 5.4 Timeframe

• When is a default password required to be changed?
  o No timeframe specified in requirement
  o As with all requirements of CIP-007-5, this requirement must be met when a device becomes one of the applicable systems or assets

Page 132: CIP-007-5 Part 5.5

BES Cyber System and/or Cyber Asset level requirement

Page 133: Part 5.5 Passwords

• Eight characters or maximum supported
• 5.5.2 Three or more different types of characters or maximum supported
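Both Part 5.5 parameters are capped by what the device can enforce, which is exactly the evidence page 135 asks for when a device falls short. The Python below is an added example, not from the presentation or any WECC tool: it models a device's password capability (constructed values for a workstation, a relay and a legacy RTU), derives the enforceable length and character-type minimums as the lesser of the slide's figures and the device maximum, evaluates candidate passwords against them, and produces the per-device limitation record an entity would keep. Device names and capability figures are assumptions.

```python
from dataclasses import dataclass

SLIDE_MIN_LENGTH = 8      # "Eight characters or maximum supported"
SLIDE_MIN_TYPES = 3       # "Three or more different types of characters or maximum supported"


@dataclass(frozen=True)
class DeviceCapability:
    """What a device's password mechanism can enforce (constructed values)."""
    name: str
    max_length: int       # longest password the device accepts
    char_types: int       # distinct character classes the device can distinguish (1 to 4)


def char_types_in(password):
    """Count the character classes present: upper, lower, digit, other."""
    classes = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return sum(1 for cls in classes if any(cls(c) for c in password))


def required_length(dev):
    return min(SLIDE_MIN_LENGTH, dev.max_length)


def required_types(dev):
    return min(SLIDE_MIN_TYPES, dev.char_types)


def check_password(dev, password):
    """Evaluate a candidate against Part 5.5 as presented on the slide.
    Returns (compliant, findings); an empty findings list means compliant."""
    findings = []
    if len(password) > dev.max_length:
        findings.append(f"length {len(password)} exceeds device maximum {dev.max_length}")
    if len(password) < required_length(dev):
        findings.append(f"length {len(password)} < required {required_length(dev)}")
    types = char_types_in(password)
    if types < required_types(dev):
        findings.append(f"{types} character types < required {required_types(dev)}")
    return (not findings, findings)


def limitation_record(dev):
    """The documentation page 135 asks for: what is enforced and whether the
    device, not the entity, is the reason it is below the slide's figures."""
    return {
        "device": dev.name,
        "length_enforced": required_length(dev),
        "types_enforced": required_types(dev),
        "limited_by_device": dev.max_length < SLIDE_MIN_LENGTH or dev.char_types < SLIDE_MIN_TYPES,
        "device_maximums": {"length": dev.max_length, "char_types": dev.char_types},
    }


# Constructed devices (names and figures are invented, not vendor data).
WORKSTATION = DeviceCapability("EMS operator workstation", max_length=127, char_types=4)
RELAY = DeviceCapability("protective relay", max_length=6, char_types=2)
LEGACY_RTU = DeviceCapability("legacy RTU front panel", max_length=4, char_types=1)

if __name__ == "__main__":
    for dev, pw in ((WORKSTATION, "Sub5tation!"), (WORKSTATION, "substation"),
                    (RELAY, "ab12cd"), (RELAY, "abcdef"), (LEGACY_RTU, "1234")):
        ok, findings = check_password(dev, pw)
        print(f"{dev.name}: {'compliant' if ok else 'not compliant'} {findings}")
    print(limitation_record(RELAY))
```

The relay result is the point of the slide: a six-character, two-class password is fully compliant there because six and two are the device maximums, and the limitation record, not a TFE, is what the auditor expects to see for it.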

Page 134: Part 5.5 Passwords

• CAN-0017
  o Compliance Application Notices do not carry forward to new versions of the standard
• Requirement explicitly addresses the issue raised by CAN-0017: either technical or procedural mechanisms can meet the requirement
• Guidelines Section
  o Physical security suffices for local access configuration if the physical security can record who is in the Physical Security Perimeter and at what time

Page 135: Part 5.5 Passwords

• Password Group Policy Object (GPO) evidence
• Password configuration for all applicable devices
• Where a device cannot support the requirement, document why (evidence), the allowed configurations, and the configuration that is enabled

Page 136: CIP-007-5 Part 5.6

BES Cyber System and/or Cyber Asset level requirement

Page 137: Part 5.6 Password Changes

• Password change procedures
• Evidence of password changes at least every CIP Year (15 months)
• Disabled Accounts
  o Password change is not required because these do not qualify as providing interactive user authentication

Page 138: CIP-007-5 Part 5.7

BES Cyber System and/or Cyber Asset level requirement

Page 139: Part 5.7 Authentication Thresholds

• Requirement does not duplicate CIP-007-5 Part 4.2
  o Part 4.2 alerts for security events
  o Part 5.7 alert after threshold is not required to be configured by the R4.2 requirement
• TFEs
  o TFE triggering language qualifies both options
  o TFE would only be necessary based on failure to implement either option (operative word ‘or’)

Page 140: Part 5.7 Authentication Thresholds

• Threshold for unsuccessful login attempts
  o “The threshold of failed authentication attempts should be set high enough to avoid false-positives from authorized users failing to authenticate.”
• Minimum threshold parameter for account lockout
  o No value specified

Page 141: R5 Issues & Pitfalls

• Caution: setting the lockout threshold too low can shut out account access
• TFEs
• Password change management
• Identification and documentation of device password limitations
• Ensuring all interactive access has implemented authentication

Page 142: Questions?

Morgan King CISSP-ISSAP, CISA
Senior Compliance Auditor, Cyber Security
Western Electricity Coordinating Council
Salt Lake City, UT
[email protected]
(C) 801.608.6652 (O) 801.819.7675