KEY CONSIDERATIONS FOR MIGRATING TO THE VERSION 5 NERC CIP CYBER SECURITY STANDARDS
January 29, 2014
Lenny Mansell
Director, Consulting Services
AGENDA
• Introduction
• Multiple paradigm shifts ahead…
• How to determine whether your D-SCADA is coming into scope
• CANs and CARs – what meaning will these documents have in relation to CIP Version 5?
• Highlights: NERC CIP v5 Implementation Plan
• Introducing the Encari NERC CIP Version 5 Index
NTRODUCTION
FERC Order NO. 791 was issued on Nov 22,
2013. It approved many aspects of CIP v5,
representing several significant departures
from prior versions of CIP.
Question:
How will this impact the Industry?
Answer:
We have some work to do!
PARADIGM SHIFTS AHEAD: IDENTIFYING SYSTEMS OF CYBER ASSETS
• The concept of CCA (Critical Cyber Asset) identification will be abandoned.
• We will identify systems (BES Cyber Systems) as opposed to boxes (Cyber Assets, critical or otherwise).
• Is this the beginning of a shift toward NIST standards for the BES?
Sys-tem: a group of related parts that move or work together
BES CYBER SYSTEMS AND ASSETS
BES Cyber System: One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.
BES Cyber Asset: A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, mis-operation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System.
IDENTIFYING BES CYBER SYSTEMS
Okay, we have a new definition, now what?
• How do we identify system boundaries?
• Which Cyber Assets are members of the System?
• Does published guidance exist for identifying system boundaries?
Specific guidance for identifying BES Cyber Systems has not yet been published (though
SELECTED (SYSTEM BOUNDARY) QUOTES FROM NIST 800-18 WHICH ARE USEFUL AS GUIDANCE IN IDENTIFYING BES CYBER SYSTEM BOUNDARIES
NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems
Section 2.1 System Boundaries
• Great flexibility in determining what constitutes an information system
• [Information systems] should generally be under the same direct management control.
• It is also possible for an information system to contain multiple subsystems.
• A subsystem is a major subdivision or component of an information system consisting of information, information technology, and personnel that perform one or more specific functions.
• Subsystems typically fall under the same management authority and are included within a single system security plan.
• Information systems:
  – Have the same function or mission objective and essentially the same operating characteristics and security needs.
  – Reside in the same general operating environment (or in the case of a distributed information system, reside in various locations with similar operating environments).
Section 2.2 Major Applications
• Certain applications, because of the information they contain, process, store, or transmit, or because of their criticality to the agency's mission, require special management oversight. These applications are major applications.
• An information system that requires special management attention because of its importance to an agency mission
• Systems that perform clearly defined functions for which there are readily identifiable security considerations and needs
• May comprise many individual programs and hardware, software, and telecommunications components
• Components can be a single software application or a combination of hardware/software focused on supporting a specific, mission-related function.
• May also consist of multiple individual applications if all are related to a single mission function
Section 2.3 General Support Systems
• Interconnected set of information resources under the same direct management control that shares common functionality
• Normally includes hardware, software, information, data, applications, communications, facilities, and people and provides support for a variety of users and/or applications (limited list of examples: LAN including smart terminals that support a branch office; Backbone (e.g., agency-wide); Communications network; Agency data processing center including its operating system and utilities; Tactical radio network; or Shared information processing service facility)
• A major application can be hosted on a general support system.
Definitions:
• Information System [44 U.S.C., Sec. 3502] [OMB Circular A-130, Appendix III]: A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
ADDITIONAL GUIDANCE
• Devices connected to the same network segment as your High and Medium BES Cyber Systems should be moved elsewhere if they do not "belong". (Think Low-impact BES Cyber Systems mixed with High or Medium.)
• How the network and devices are actually connected has everything to do with determining "who is part of the [networked] family".
• If a device is within the boundary, it is a member of the system. (The same goes for determining ESPs under CIP v3.)
SYSTEM BOUNDARIES FOR DIRECT SERIAL, NON-ROUTABLE CONNECTIONS
Meeting the challenge in identifying system boundaries: direct serial, non-routable connections where there is no perimeter or firewall-type security.
STILL EXEMPT
• Cyber Assets associated with communication networks and data communication links between discrete Electronic Security Perimeters. (Exemptions, section 4.2.3 of each Standard)
• For Distribution Providers, the systems and equipment that are not included in "section 4.2.1 above."
PARADIGM SHIFTS AHEAD: MONITOR THE BASELINE
CIP-010-1, R2.1: "Monitor at least once every 35 calendar days for changes to the baseline configuration… Document and investigate detected unauthorized changes."
Baseline (minimum) =
• OS with version
• software packages "intentionally installed", with versions
• any custom software installed
• any patches
• any logical network accessible ports
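The monitoring step above is mechanical once the baseline is stored in a structured form. The script below is an added example (not part of the presentation and not an Encari tool): it diffs a stored baseline against a fresh snapshot across the five minimum elements, separates changes that have an approved change record from those that R2.1 says must be documented and investigated, and checks whether the 35-day interval has been exceeded. The asset name, both snapshots and the approved-change list are constructed for the example.

```python
"""Baseline drift check in the spirit of CIP-010-1 R2.1 (added example).

Compares a stored baseline of a BES Cyber Asset against a fresh snapshot
and reports every change in the five minimum baseline elements: OS/firmware
version, intentionally installed software, custom software, patches and
logical network accessible ports.  Changes that match an approved change
request are separated from the ones that must be investigated.

Both snapshots, the asset name and the approved-change list are
constructed for this example; in practice the snapshot would come from an
inventory job that runs at least every 35 calendar days.
"""
import json
from datetime import date

BASELINE = {
    "asset": "rtu-gw-01",                      # hypothetical asset name
    "os": "CentOS 6.4",
    "packages": {"openssh-server": "5.3p1-84", "ntp": "4.2.6p5-1",
                 "modbus-gw": "2.1.0"},
    "custom_software": ["bes-poller-1.3"],
    "patches": ["RHSA-2013:1591"],
    "ports": ["tcp/22", "tcp/502", "udp/123"],
}

SNAPSHOT = {
    "asset": "rtu-gw-01",
    "os": "CentOS 6.4",
    "packages": {"openssh-server": "5.3p1-94", "ntp": "4.2.6p5-1",
                 "modbus-gw": "2.1.0", "telnet-server": "0.17-47"},
    "custom_software": ["bes-poller-1.3"],
    "patches": ["RHSA-2013:1591", "RHSA-2014:0015"],
    "ports": ["tcp/22", "tcp/502", "udp/123", "tcp/23"],
}

# (category, key) pairs covered by an approved change request (constructed).
AUTHORIZED_CHANGES = {
    ("packages", "openssh-server"),
    ("patches", "RHSA-2014:0015"),
}

MAX_INTERVAL_DAYS = 35


def overdue(last_check, today):
    """True when more than 35 calendar days separate two ISO-format dates."""
    delta = date.fromisoformat(today) - date.fromisoformat(last_check)
    return delta.days > MAX_INTERVAL_DAYS


def diff_baseline(baseline, snapshot):
    """Return (category, key, old, new) for every difference between the two."""
    changes = []
    if baseline["os"] != snapshot["os"]:
        changes.append(("os", "os", baseline["os"], snapshot["os"]))
    # Versioned packages: a version change matters as much as an install.
    names = set(baseline["packages"]) | set(snapshot["packages"])
    for name in sorted(names):
        old = baseline["packages"].get(name)
        new = snapshot["packages"].get(name)
        if old != new:
            changes.append(("packages", name, old, new))
    # Unversioned lists: report additions and removals.
    for cat in ("custom_software", "patches", "ports"):
        old, new = set(baseline[cat]), set(snapshot[cat])
        changes += [(cat, k, None, k) for k in sorted(new - old)]
        changes += [(cat, k, k, None) for k in sorted(old - new)]
    return changes


def classify(changes, authorized):
    """Split changes into those with an approved change record and those without."""
    auth, unauth = [], []
    for change in changes:
        (auth if (change[0], change[1]) in authorized else unauth).append(change)
    return auth, unauth


def report(baseline, snapshot, authorized, today=None):
    """Build the record R2.1 asks for: what changed and what needs investigation."""
    today = today or date.today().isoformat()
    auth, unauth = classify(diff_baseline(baseline, snapshot), authorized)
    return {
        "asset": snapshot["asset"],
        "checked": today,
        "authorized": auth,
        "unauthorized": unauth,          # document and investigate each of these
    }


if __name__ == "__main__":
    print(json.dumps(report(BASELINE, SNAPSHOT, AUTHORIZED_CHANGES), indent=2))
```

With the constructed data the report lists the OpenSSH update and the new RHSA patch as authorized, and flags the telnet-server package and its tcp/23 listener as unauthorized changes to investigate. Keeping the approved-change list machine-readable is what lets the 35-day check run unattended instead of as a manual review.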
PARADIGM SHIFTS AHEAD: ACTIVE VULNERABILITY ASSESSMENT
• Active assessment required every 36 months (High); paper or active assessment required every 15 months (High and Medium); active assessment before new Cyber Assets go to production (High).
• Typically involves sending "probes" to devices over the network to look for open ports and known vulnerabilities.
• In a nutshell: scanning tools are now part of it.
• Examples of active tools:
  • Vulnerability scanning
  • Port scanning with misc. fingerprinting
  • War dialers
Warning: It is relatively easy to "break things" using active vulnerability assessment tools. Always walk before you run.
ACTIVE VULNERABILITY ASSESSMENT GUIDELINES
Responsible Entities are strongly encouraged to include at least the following elements:
1. Network Discovery
Use of active discovery tools to discover active devices and identify communication paths in order to verify that the discovered network architecture matches the documented architecture.
2. Network Port and Service Identification
Use of active discovery tools (such as Nmap) to discover open ports and services.
3. Vulnerability Scanning
Use of a vulnerability scanning tool to identify network accessible ports and services along with the identification of known vulnerabilities associated with services running on those ports.
4. Wireless Scanning
Use of a wireless scanning tool to discover wireless signals and networks in the physical perimeter of a BES Cyber System. Serves to identify unauthorized wireless devices within the range of the wireless scanning tool.
Responsible Entities (REs) are strongly encouraged to see NIST 800-115 for vulnerability assessment guidance and best practices.
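Elements 1 and 2 only become evidence when the scan result is reconciled against the documented architecture. The script below is an added example (not from the presentation, and not part of Nmap): it reads Nmap XML output (`nmap -oX`) and produces the findings an assessment report needs: hosts that answered but are not documented, documented hosts that did not answer, and open ports that the drawings do not show. The XML is constructed to follow Nmap's schema rather than captured from a real network; the addresses and inventory are hypothetical. The `args` attribute records a conservative scan (`-T2 --max-rate 20`, explicit port list, no vulnerability scripts), which is the "walk before you run" part of the warning above when the targets are RTUs and relays.

```python
"""Reconcile an active scan with the documented ESP architecture (added example).

Parses Nmap XML output (nmap -oX) and compares the hosts and open ports it
found with the documented inventory of an Electronic Security Perimeter.
The output is the three lists a CIP-010 R3 assessment report needs:
hosts that answered but are not documented, documented hosts that did not
answer, and open ports that are not on the documented list.

The XML below is constructed to follow Nmap's schema; it was not captured
from a real network, and the addresses and inventory are hypothetical.
"""
import xml.etree.ElementTree as ET

NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -T2 --max-rate 20 -p T:22,23,502,20000,U:123 -oX esp.xml 10.10.5.0/28">
  <host><status state="up"/>
    <address addr="10.10.5.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
      <port protocol="tcp" portid="502"><state state="open"/><service name="mbap"/></port>
      <port protocol="udp" portid="123"><state state="open|filtered"/><service name="ntp"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.10.5.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="20000"><state state="open"/><service name="dnp"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.10.5.14" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Documented architecture (constructed): host -> "proto/port" entries the
# drawings say are open.
DOCUMENTED = {
    "10.10.5.10": {"tcp/22", "tcp/502", "udp/123"},
    "10.10.5.11": {"tcp/20000"},
    "10.10.5.12": {"tcp/22"},       # documented, but silent in this scan
}


def parse_nmap(xml_text):
    """Map each host that was 'up' to the set of open 'proto/port' entries."""
    discovered = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        address = host.find("address[@addrtype='ipv4']")
        if address is None:
            continue
        open_ports = set()
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            # UDP probes usually come back "open|filtered"; treat that as open
            # so the port is reviewed rather than silently ignored.
            if state == "open" or state.startswith("open|"):
                open_ports.add(f"{port.get('protocol')}/{port.get('portid')}")
        discovered[address.get("addr")] = open_ports
    return discovered


def reconcile(documented, discovered):
    """Compare documented and discovered views; every non-empty entry is a finding."""
    common = set(documented) & set(discovered)
    return {
        "undocumented_hosts": sorted(set(discovered) - set(documented)),
        "unresponsive_hosts": sorted(set(documented) - set(discovered)),
        "undocumented_ports": {h: sorted(discovered[h] - documented[h])
                               for h in sorted(common) if discovered[h] - documented[h]},
        "missing_ports": {h: sorted(documented[h] - discovered[h])
                          for h in sorted(common) if documented[h] - discovered[h]},
    }


if __name__ == "__main__":
    for finding, value in reconcile(DOCUMENTED, parse_nmap(NMAP_XML)).items():
        print(f"{finding}: {value}")
```

On the constructed data the reconciliation yields one undocumented host (10.10.5.14), one documented host that never answered (10.10.5.12, which may be powered down, firewalled, or mis-documented) and an undocumented telnet listener on 10.10.5.11. A silent host is a finding in its own right: "no response" must be explained before the documented architecture can be called verified.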
PARADIGM SHIFTS AHEAD: PORTS AND … NOT SO MUCH SERVICES
• CIP-005-5 doesn't mention services at all, and only mentions ports with respect to firewall rules/ACLs; CIP-007-5 handles locally listening ports on the Cyber Assets themselves, including EACMS (which includes ESP Access Points).
• 007-5 R1.1: "… enable only logical network accessible ports … needed … including port ranges or services where needed to handle dynamic ports …"
• From the guidelines section: "The SDT intends for the entity to know what network accessible ('listening') ports and associated services are accessible on their assets and systems, whether they are needed for that Cyber Asset's function, and disable or restrict access to all other ports…"
• (R1.1) When no provision exists for disabling or restricting a port, it is deemed to be a needed port.
• [Disabling ports] is "…most often accomplished by disabling the corresponding service or program… can also be accomplished through using host-based firewalls, TCP_Wrappers, or other means on the Cyber Asset to restrict access".
PARADIGM SHIFTS AHEAD: DETECTING MALICIOUS COMMUNICATIONS
• Detecting "malicious communications" is now required for High and Medium impact BES Cyber Systems.
• Many Entities will use IDS or IPS.
  • They can detect malicious items within any kind of traffic.
  • Multipurpose.
  • IPS are the newer generation: they sit inline and can block as well as alert. Both IDS and IPS can inspect a packet all the way up to Layer 7 (i.e. the data, like the words of a sentence in an email or naughty code snippets).
• Proxy servers (a.k.a. application layer firewalls/gateways) are another example mentioned.
  • Only work for specific application protocols.
  • May be a good option for ESPs with very limited traffic in and out of the ESP, probably not including remote administration or remote access.
See NIST 800-82 for guidance on IDS placement (and a whole lot more INFOSEC) for Industrial Control Systems.
[Figure: IDS sensor placement diagram from NIST SP 800-82, page 70; the little blue dots are IDS sensors]
CIP V5 AND D-SCADA
How to determine whether your D-SCADA is coming into scope?
• The "Applicability" section in each standard has an entry to describe if and when the standard applies to various Functional Entities. Section 4.1.2 of each standard pertains to Distribution Providers with respect to:
  • Certain UFLS or UVLS Systems (see sub-requirements)
  • Certain Special Protection Systems or Remedial Action Schemes
  • Certain Protection Systems (excluding UFLS and UVLS) that apply to Transmission
  • Certain Cranking Paths and groups of Elements meeting the initial switching requirements from a Blackstart Resource
CANS AND CARS – WHAT MEANING WILL THESE DOCUMENTS HAVE IN RELATION TO CIP VERSION 5?
• The Guidelines and Technical Basis section of each Standard appears to be intended to replace CANs (Compliance Application Notices) and CARs (Compliance Analysis Reports).
• Many of the CANs and CARs use deprecated terminology. If there are no more CCAs, one could surmise that the guidance around CCAs may no longer apply.
NERC CIP V5 IMPLEMENTATION PLAN: HIGHLIGHTS
• The Transition Guidance (LINK) document is meant to assist Responsible Entities in the process of identifying Critical Assets (CA) in the interim timeframe before V5 takes effect on the effective date for High and Medium Impact, April 1, 2016.
• Effective date for Low Impact: April 1, 2017.
• Book-end requirements: What does the new list of book-ends look like? (see the index)
INTRODUCING THE ENCARI NERC CIP VERSION 5 INDEX