2012 CIP Spring Compliance Workshop: Testing, Ports & Services and Patch Management

2012 CIP Spring Compliance Workshop, May 7-11

Purpose

This presentation provides an overview of the CIP-007-3 R1 Test Procedures, including a discussion of the related requirements: (R2) Ports and Services and (R3) Security Patch Management.

Agenda

• Testing overview
• Identifying assets to be tested
• Developing and documenting test procedures
• Defining “adversely affects existing cyber security controls”
• What is a “significant change”?
• Testing for ports and services
• Disabling unused ports and services
• Mitigation of ports and services that cannot be disabled

CIP-007-3 R1

• Test Procedures — The Responsible Entity shall ensure that new Cyber Assets and significant changes to existing Cyber Assets within the

Significant Changes

• Includes all parts of a system including, but not limited to:
– Firmware for the system and any peripherals such as Network Interface Cards
– Operating system(s)
– Drivers
– Third party applications running on the system

Identifying Changes for Testing

• Any new Cyber Assets within the Electronic Security Perimeter (ESP), as well as Electronic Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS).
• Any existing Cyber Asset that is eligible for:
– implementation of security patches
– cumulative service packs
– vendor releases

Other Considerations

• Replacement of an existing Cyber Asset
– Does the replacement Cyber Asset contain a BIOS, system, or other hardware/software version that has not been tested in your environment?
• Any other identified change that may adversely impact the security controls

Minimizing Adverse Effects to Cyber Security Controls

• CIP-007-3, R1.1 - The Responsible Entity shall create, implement, and maintain cyber security test procedures in a manner that minimizes

Adverse Effects to Cyber Security Controls

• Ensure that any new system or patch does not negatively impact security controls
• The new system or patch should not:
– Disable any configured security control already in place
– Introduce new vulnerabilities
– Modify access privileges

Testing for Adverse Effects

• Perform network packet analysis in a test environment
• Perform a vulnerability assessment
• For new patches or system software:
– Look at your CIP-003-3, R6 Change Control and Configuration Management program for guidance

Baselining Systems

• The following method may assist in identifying whether a change causes any adverse effects to your environment:
– Create a baseline network packet capture, ports/services scan, and system configuration record of the existing system or environment
– Create a post-installation capture of network traffic, ports/services, and system configuration, and compare it against the baseline; anything that appears, disappears, or changes between the two must be explained

Ports and Services

• Identify ports used for Normal and Emergency Operation
• Disable any unnecessary ports and services
– When introducing new systems, attempt to shut down unnecessary services to determine the impact (e.g. Windows Search, httpd)

Ports and Services

• Uninstall unnecessary software
– Do you really need Internet Explorer on a system that shouldn’t be accessing the Internet?
• In cases where unused ports and services cannot be disabled due to technical limitations, document the compensating measures applied to mitigate risk
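The baseline-and-compare method from the Baselining Systems slide, applied to the ports and services questions above, as an added example; this is not code from the workshop. It assumes a simplified snapshot format (one "proto port process" line per listening socket, one "service state" line per service), a hypothetical entity-specific approved port list, and constructed before/after samples; in practice the columns would be reduced from `ss -tlnp`, `netstat -ano`, `systemctl list-unit-files` or `Get-Service` output captured before and after the change.

```python
"""Pre/post-change baseline comparison for listening ports and services.

Added example for this page, not code from the workshop.  The snapshot
format and all sample data below are constructed.
"""

from dataclasses import dataclass, field


def parse_listeners(text):
    """Parse 'proto port process' lines into {(proto, port): process}."""
    listeners = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        proto, port, process = line.split()
        listeners[(proto.lower(), int(port))] = process
    return listeners


def parse_services(text):
    """Parse 'name state' lines into {name: state}."""
    services = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, state = line.split()
        services[name] = state.lower()
    return services


@dataclass
class BaselineDiff:
    new_listeners: dict = field(default_factory=dict)         # opened by the change
    removed_listeners: dict = field(default_factory=dict)     # closed by the change
    unapproved_listeners: dict = field(default_factory=dict)  # open, not on the approved list
    service_changes: dict = field(default_factory=dict)       # name -> (before, after)

    def adversely_affects(self):
        """True when something must be mitigated, documented, or sent for a TFE."""
        return bool(self.new_listeners or self.removed_listeners
                    or self.unapproved_listeners or self.service_changes)

    def findings(self):
        """One line per finding, suitable for the R1.3 test record."""
        out = []
        for (proto, port), proc in sorted(self.new_listeners.items()):
            out.append(f"NEW listener {proto}/{port} ({proc})")
        for (proto, port), proc in sorted(self.removed_listeners.items()):
            out.append(f"REMOVED listener {proto}/{port} ({proc}): was a control disabled?")
        for (proto, port), proc in sorted(self.unapproved_listeners.items()):
            out.append(f"UNAPPROVED listener {proto}/{port} ({proc}): disable or document "
                       "a compensating measure")
        for name, (before, after) in sorted(self.service_changes.items()):
            out.append(f"SERVICE {name}: {before} -> {after}")
        return out


def compare_baselines(before_listeners, after_listeners,
                      before_services, after_services, approved_ports):
    """Diff two snapshots and flag listeners outside the approved port list.

    approved_ports is the entity's documented set of (proto, port) pairs
    needed for Normal and Emergency Operation.
    """
    diff = BaselineDiff()
    for key, proc in after_listeners.items():
        if key not in before_listeners:
            diff.new_listeners[key] = proc
        if key not in approved_ports:
            diff.unapproved_listeners[key] = proc
    for key, proc in before_listeners.items():
        if key not in after_listeners:
            diff.removed_listeners[key] = proc
    for name in set(before_services) | set(after_services):
        before = before_services.get(name, "absent")
        after = after_services.get(name, "absent")
        if before != after:
            diff.service_changes[name] = (before, after)
    return diff


# Constructed sample snapshots: a Linux-based HMI before and after a vendor patch.
BASELINE_LISTENERS = "tcp 22 sshd\ntcp 502 modbusd\nudp 161 snmpd\n"
POST_CHANGE_LISTENERS = BASELINE_LISTENERS + "tcp 80 httpd\ntcp 5900 vncserver\n"
BASELINE_SERVICES = "sshd enabled\nmodbusd enabled\nhttpd disabled\nauditd enabled\n"
POST_CHANGE_SERVICES = ("sshd enabled\nmodbusd enabled\nhttpd enabled\n"
                        "vncserver enabled\nauditd disabled\n")
# Hypothetical entity-specific approved list for the sample only.
APPROVED_PORTS = {("tcp", 22), ("tcp", 502), ("udp", 161)}


def run_sample():
    """Compare the constructed pre- and post-change snapshots."""
    return compare_baselines(parse_listeners(BASELINE_LISTENERS),
                             parse_listeners(POST_CHANGE_LISTENERS),
                             parse_services(BASELINE_SERVICES),
                             parse_services(POST_CHANGE_SERVICES),
                             APPROVED_PORTS)


if __name__ == "__main__":
    result = run_sample()
    print("adverse effect:", result.adversely_affects())
    for line in result.findings():
        print(" ", line)
```

In the constructed sample the patch opens two undocumented listeners (httpd and a VNC server) and disables auditd, which is exactly the kind of "disabled an existing control" or "introduced a new exposure" result that must go into the R1.3 record with a mitigation, a compensating measure, or a TFE. The removed-listener check is there for the opposite case: a change that silently closes a port used by a monitoring or logging control.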

Test Procedures

• Develop test procedures for each system type
– Operating systems
– Virtual environments such as VMware or Citrix
• If patching a hypervisor, are you also testing the virtual machines (guests) running on that hypervisor?

Test Procedures

• Develop procedures for each application running on the system
– Ensure that any security controls on these applications are still functional after the change

Testing Environment

• CIP-007-3, R1.2 - The Responsible Entity shall document that testing is performed in a manner that reflects the production environment
• Change control window

Documenting Results

• CIP-007-3, R1.3 - The Responsible Entity shall document test results.
– What did you find?
– Were the results as expected?
– How did you mitigate any newly introduced security issues?
– Does it require a Technical Feasibility Exception (TFE)?
– Should you update your documentation?

Patch Management

• Tracking patches
– Three ways:
• Manual
– Monitoring mailing lists and keeping a spreadsheet
• Through OS management tools
– Spacewalk for Red Hat Enterprise Linux
– Windows Management Instrumentation (WMI), Group Policy Objects (GPOs), and Windows Server Update Services (WSUS)

Evaluating Patches

• Track patches for ALL applications in the environment
• You must demonstrate that you have evaluated security patches and upgrades for applicability within 30 calendar days of the availability of the patch or upgrade
• Document and schedule implementation
• Best practices – perform a risk analysis if

Documenting Patch Implementation

• Document when you implement the patch
– Keep a running log for each patch type:
• Operating system
• Application
• Other
• If you do not install a patch:

Supply Chain Management

• Do you know where your suppliers get their products?
• Consider wiping and reinstalling the OS on new equipment
• Ensure your patches or system upgrades come from a trusted source
– Consider a policy that dictates where your
