(1)

Presented by

NERC CIP Version 5 and the PI System

Bryan Owen PE – OSisoft Cyber Security Manager

Industry: Transmission/Distribution/Smarts

(2)

Agenda

• Update on OSIsoft Cyber Initiatives

• War Story

• CIP Version 5 Electronic Security Perimeter

• Research for PI System

(3)

OSIsoft Security Engagements

Idaho National Lab

– 2005 Assessment

– 2008 vCampus Live!

– 2009 vCampus Live!

– 2011 Cooperative Research

– 2012 vCampus Live! “Detect & Defend”

US Army NetCom

– 2009 CoN #201006618

– 2013 CoN (recertified)

US NRC

– 2010 DISA, NIST

SAP QBS Certification

– 2012 Veracode

– 2013 Veracode

Azure Penetration Testing

– 2014 PI Cloud Connect (Utility Partner)

– 2014 PI Cloud Access (IOActive)

Microsoft Information Security Consulting

– 2009 PI Server

– 2010 PI Agent

– 2011 PI Coresight

– 2011 PI AF

– 2012 PI ProcessBook

– 2012 Products in Design (3)

– 2013 Engineering Management

– 2013 Products in Design (3)

– 2013 SDL for Security Champions

– 2013/2014 Defensive Programming (Cigital)

Windows Logo Certification

– 2008 Windows 2008 Server Core

– 2011 Windows 2008 R2 Server Core

– 2012 Windows 2012 Server Core

(4)

OSIsoft SDL Leadership

• 4 Security Advisors (Core Team)

– Incident response commanders

• 35 Security Champions

– Senior Engineers

– Every product represented

• IT Security Team

• Customer Support Security Team

(5)

Role 1 (Software Developer in Functionality)  |  Role 2 (Software Developer in Reliability)
Doing the “right things”                       |  Doing “everything right”
Building innovative features                   |  Making sure the product works
Generating user value                          |  Preventing bad surprises
Writing a sustainable product architecture     |  Creating a sustainable infrastructure
Planning for future capabilities               |  Identify current/future threats
...                                            |  ...
Focused on Functionality                       |  Focused on Reliability

Quality: Healthy Tension

(6)
(7)
(8)

‘War’ Story

• Critical Infrastructure Environment

– NERC CIP compliance

– Access for external users

– Intrusion prevention appliance

• Technical support activated incident response

– False positive determination

– Unresponsive IPS vendor

• IPS signature development ‘outsourced’

(9)

Lessons Learned

• Technical Support

– Please do call on detections related to the PI System

– Alert semantics matter: a bare “Web Attack” label says little about what was actually seen

• Signature based IPS

– Automatic signature updates can ‘break’

– False positive and false negative prone

• Blacklisting

(10)

CIP-005-5

(11)

High Level T&D Solution Architecture

[Diagram: Substation / RTU; SCADA/EMS PI Server in the Control Center with a PI Coresight Server; PItoPI to a PI Server in the DMZ; Cloud Gateway to PI Cloud Services; PI Coresight for Corporate Access Clients; External Access; an arrow marks the Expected Direction of Attack]

(12)
(13)
(14)

Homeland Security “Einstein Program”

• IP addresses

• Domains

• E-mail headers

• Files

• Strings

(15)

Einstein sensors for PI Server communication?

• IP addresses

– Internal endpoints with private addresses

• Domains

– Private DNS or alternative

• E-mail headers

– Outbound notifications capable

• Files

– Not a file transfer protocol

• Strings

(16)

Research Project:

(17)

Test Bed

[Diagram: PI Client and PI Server (Lab), PItoPI, PI Server (Production) fed by PI Interfaces; Detection Logic takes Network Packets (TX/RX) and the PI Message Log as inputs and sends an Email Alert to the Network Administrator]

(18)

Approach: Baseline Normal Communication (“Whitelisting”)

[Diagram: the Communication Baseline spans the Network Stack up to the Application Service]

(19)

Packet Detection “Whitelist”

• Test Case: Client Authentication

– Timing

• How long has it been between consecutive authentication attempts?

– Ordering

• Did the packets arrive in the correct sequence?

– Consistency

(20)
(21)

PI Message Log Baselines

• Normally ‘Good’

– OSIsoft NOC Data Set

• Normally ‘Bad’

– Fuzz Test Runs

Communication Baseline:

– Normal (NOC only)

– Exception (both NOC & Fuzz)

– Anomaly (Fuzz only)
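The timing check from the Client Authentication test case and the Normal / Exception / Anomaly split of message-log baselines above, as an added example that is not from the OSIsoft deck. The log lines and their format are constructed for illustration and do not represent the real PI message log.

```python
import re

# Constructed sample logs (the format is hypothetical, not the real PI message log).
NOC_LOGS = [
    "10:00:00 auth succeeded user=piadmin host=hmi01",
    "10:00:07 auth succeeded user=operator host=hmi02",
    "10:00:31 connection closed host=hmi01",
    "10:01:02 auth succeeded user=piadmin host=hmi01",
    "10:01:45 auth failed user=operator host=hmi02",
]
FUZZ_LOGS = [
    "10:00:00 auth failed user=operator host=fuzz01",
    "10:00:00 auth failed user=operator host=fuzz01",
    "10:00:01 auth failed user=operator host=fuzz01",
    "10:00:01 malformed message header host=fuzz01",
    "10:00:02 unexpected message type host=fuzz01",
]

def template(line):
    """Reduce a line to its message type: drop the timestamp and key=value fields."""
    body = line.split(" ", 1)[1]
    return re.sub(r"\s+\w+=\S+", "", body).strip()

def classify(noc, fuzz):
    """Normal: seen only in the NOC set; Exception: in both; Anomaly: only under fuzzing."""
    noc_t = {template(l) for l in noc}
    fuzz_t = {template(l) for l in fuzz}
    return {"normal": sorted(noc_t - fuzz_t),
            "exception": sorted(noc_t & fuzz_t),
            "anomaly": sorted(fuzz_t - noc_t)}

def _seconds(line):
    h, m, s = line.split(" ", 1)[0].split(":")
    return int(h) * 3600 + int(m) * 60 + int(s)

def _auth_gaps(lines):
    """Yield (line, seconds since the previous auth attempt from the same host)."""
    last = {}
    for line in lines:
        if template(line).startswith("auth"):
            host = re.search(r"host=(\S+)", line).group(1)
            t = _seconds(line)
            if host in last:
                yield line, t - last[host]
            last[host] = t

def baseline_gap(noc):
    """Smallest gap between consecutive auth attempts per host in normal traffic."""
    return min(gap for _, gap in _auth_gaps(noc))

def fast_auth(lines, min_gap):
    """Timing check: auth attempts closer together than the learned baseline."""
    return [line for line, gap in _auth_gaps(lines) if gap < min_gap]
```

Run `classify(NOC_LOGS, FUZZ_LOGS)` to get the three buckets, and `fast_auth(FUZZ_LOGS, baseline_gap(NOC_LOGS))` to see the fuzzer's rapid authentication attempts flagged while the NOC traffic stays clean.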

(22)

Authentication Logs – Frequency Chart

[Chart: message frequency, y-axis 0 to 35000; series: Logs From Fuzzing, Logs From NOC]

Statistical Based Anomalies

“NOC Big Data”

(23)

Detection Capability with Both Sources

Class        | Packet Inspection | PI Message Log
Timing       |                   |
Sequence     |                   |
Consistency  |                   |

(24)
(25)

Electronic Security Perimeter

• Compliance

– [CIP-005-5 R1.5] Access point firewall with commercial IDS module

– Define “known or suspicious” malicious communication

• Security

– Keep web servers and ‘surfers’ out of DMZ

– Use PItoPI across ESP

– Configure “Read Only” access where possible

(26)

Thoughts on Intrusion Detection for PI System

• Lower expectations

– Intruders look like insiders

– Deep packet inspection insufficient

• Higher expectations

– Big Data approach

(27)

• Attendant threats and mitigations understood

• Increased logging, telemetry and response

• Transport security everywhere

• Data infrastructure and partner you can count on

(28)

References

KB00354 - Windows Security Requirements for PI Server

KB00833 - Seven best practices for securing your PI Server

KB00994 - Whitelisting with AppLocker

KB01062 - Anti-virus Software and the PI System

2820OSI8 - Which firewall ports should be opened for a PI Server?

Microsoft Security Patch Compatibility

(29)

Thank you

© Copyright 2014 OSIsoft, LLC.

777 Davis St., San Leandro, CA 94577
