Post on 02-Jan-2016
description
Ben ChristensenSenior CIP Enforcement Analyst
CIP-010-1May 15, 2014
SLC, UT
2
• Who invented the electric motor?A. William Sturgeon
B. Thomas Davenport
C. Michael Faraday
Pop Quiz!!
3
• Who invented the electric motor?
Pop Quiz!!
Michael Faraday
4
• Help entities understand and prepare for the upcoming CIP 010-1o Differences and relations to current
requirementso Possible pitfalls to look for while implementing
CIP 010-1o WECC’s audit approacho Best practices
Agenda
5
CIP 010-1
6
• Prevent and detect unauthorized changes to BES Cyber Systems.
• Specify vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise.
• Document and maintain device baselines and periodically verify they are accurate.
Purpose of CIP 010-1
7
Applicable Systems
8
• CIP 003-3 R6: Change Control and Configuration Management
• CIP 007-3 R1: Test procedures• CIP 005-3 R4 and CIP 007-3 R8: Cyber
Vulnerability Assessment(s)• CIP 007-3 R9 and CIP 005-3 R5:
Documentation review and maintenance
CIP 010-1 Similarities with V.3
9
• Who invented the modern automobile?A. Henry Ford
B. Karl Benz
C. Ransom Olds
POP Quiz!!
10
• Who invented the modern automobile?
Pop Quiz!!
Karl Benz
11
CIP 010-1 R1
CIP 010-1 R1.1
CIP 003-3 R6
• Applicable to Protected Cyber Assets (PCA) and specifies information required in device baselines
CIP 010-1 R1.1
13
• CIP 003-3 R6 was previously not applicable to Non-CCAs that resided within an ESP. Thus entity did not create baselines or update procedures to ensure baselines were maintained for these devices.
CIP-010-1 R1.1 - Possible Pitfall #1
14
• Entity does not ensure documented baselines for all devices contain operating system, commercial/open source software, custom software, logical ports, and security patches applied.
CIP-010-1 R1.1 - Possible Pitfall #2
15
• Ensure entity has documented baselines for all devices (or group of devices) in applicable BES Cyber Systemso Verify Baselines include operating
system/firmware, commercial software, custom software, logical network accessible ports, and security patches applied
CIP-010-1 R1.1 Approach
16
• Use combination of automated tools and manual walkthroughs/verifications to ensure lists and baselines are accurate
• Minimize applications on devices to only what is necessary
• Include step to periodically verify accuracy of applicable device lists and baselines
CIP 010-1 R1.1 Best Practice
17
• Discussions and careful planning should be conducted on the method for maintaining device baselineso Review CIP 007 R3 presentation from Oct 2013
CIPUG for common methods to maintain information
o What method is best for your organization: Commercial Software Custom Software Spreadsheet
CIP 010-1 R1.1 Best Practice
18
• Consider Moving away from spreadsheets and other manual methods, look into more advanced methods for retaining information.o See Joe B presentation from
October 2011 CIPUG on advantages of moving from spreadsheet to relational database Includes some labeling schema tips as well for when
implementing a database for device management
CIP 010-1 R1.1 Best Practice
CIP 010-1 R1.2
CIP 010-1 R1.2 CIP 003-3 R6
• Applicable to PCA and requires changes to be authorized
21
• Entity cannot demonstrate all changes made to baseline(s) were authorized
CIP-010-1 R1.2 - Possible Pitfall
22
• Ensure all changes made to baselines have been authorized.
CIP 010-1 R1.2 - Approach
23
• Update procedural documentation to include at minimum:o Who can authorize changes, and to whato When authorization needs to occuro How the authorization will be documented,
stored, and tracked
• Segregation of dutieso The implementer should be different from the
authorizer
CIP 010-1 R1.2 – Best Practice
CIP 010-1 R1.3
CIP 010-1 R1.3CIP 005-3 R5
CIP 007-3 R9
• Baselines must be updated within 30 days of change
25
• Entity cannot demonstrate baselines are updated within 30 days of changes made
CIP 010-1 R1.3 – Possible Pitfall
26
• Ensure entity is updating baselines within 30 days of when change was made.o Start date will be determined by reviewing work
orders, tracking sheet, or other documentation that details when the change actually occurred.
CIP 010-1 R1.3 - Approach
27
• Procedures for updating baselines should address:o Who will communicate the changes made to
the baselineso How changes will be communicatedo Who the changes are communicated to o When the changes will be made
CIP 010-1 R1.3 – Best Practices
28
• Maintain a version history when updating documentation. o Version number o Who performed the update to the
documentation o Who made the change to the deviceo Who authorized the changeo What was changed
CIP 010-1 R1.3 – Best Practices
29
• Who invented the printing press?
POP Quiz!!
30
• Who invented the printing press?
POP Quiz!!
Johannes Gutenberg
CIP 010-1 R1.4
CIP 010-1 R1.4 CIP 007-3 R1
• Impact due to a change must consider security controls in CIP 005 and CIP 007
32
• Entity verifies same controls for all changes made to any baseline.o Thus entity does not account for different
environments, devices, or changes when determining what controls could be impacted May be ok if all controls are verified every time
CIP 010-1 R1.4 – Possible Pitfall
33
• Verify all changes made to device baselines are documented
• Ensure controls that may be impacted were identified and documented prior to the changeo Why were some controls not included?
• Review evidence supporting identified controls were not adversely impacted
CIP 010-1 R1.4 - Approach
34
• Procedures should include:o Documenting date all steps taken to support
cyber security controls were identified prior to change taking place
o How are potential impacted cyber security controls identified? Who does this?
o How will adverse impacts will be detected Who does this and when?
CIP 010-1 R1.4 – Best Practices
35
• Include a peer review step for reviewing what controls may be impacted and when verifying controls weren’t adversely impacted
• Coordinate testing processes between departments, business units, etc. to ensure consistency
CIP 010-1 R1.4 – Best Practices
CIP 010-1 R1.5
CIP 010-1 R1.5 CIP 007-3 R1
37
• Only applicable to High Impact systems• Specific to security controls that must be
testedo Security Controls in CIP 005 and CIP 007
• New test environment requirementso Document if test environment was usedo Document differences between test and
production environment Measures taken to account for these differences
CIP 010-1 R1.5 cont..
38
• Entity does not document differences between production and testing environment
• Entity does not take measures to account for differences in the production and testing environment.
CIP 010-1 R1.5 Possible Pitfall
39
• For each change that deviates from existing baseline:o List of cyber security controls tested
Test results List of differences between the production and test
environments Descriptions of how any differences were accounted
for When testing occurred.
CIP 010-1 R1.5 - Approach
40
• Use checklist or other task managing tool to reduce likelihood of not testing all controls
• Document specific test procedures for all cyber assets or group of assets? o Describe the test procedures
• Describe the test environment and how It reflects the production environment
CIP 010-1 R1.5 – Best Practices
CIP 010-1 R2
42
• When was the atomic bomb first invented?
POP Quiz!!
43
• When was the atomic bomb first invented?
POP Quiz!!
July 1945
CIP 010-1 R2.1
• Must actively search for unauthorized changes to baseline– Automated preferred but can be manual
• Must document and investigate unauthorized changes
CIP 010-1 R2.1 CIP 003-3 R6
45
• Not consistently monitoring for changes every 35 dayso Entity begins process at end of month
Thus entity continuously misses 35 day deadline as it does not have enough time to complete review
o Documentation is inconsistent and SMEs can’t keep track if specific devices have automated or manual process for tracking configuration changes
CIP-010-1 R2.1 – Possible Pitfall
46
• logs from a system that is monitoring configurations
• Work orders, tracking sheets, raw data evidence of manual investigations
• Records investigating detected unauthorized changes
CIP 010-1 R2.1 - Approach
CIP 010-1 R2 – Best Practice
• Consider using a commercial or open source File Integrity Monitoring software for continuous monitoring
• Start monitoring process with enough advance to complete reviewoConsider using an automated task managing
tool
48
• What if you find an unauthorized change? o What change(s) have been made without
authorizationo Who made the change(s)?o When were the change(s) made?o How can a similar issue be prevented?
CIP 010-1 R2 – Best Practice
49
QUIZ Time
CIP 010-1 R1 and R2
50
• Entities are required to test all changes in a test environment that reflects the production environment.
CIP 010-1 R1 and R2
False
51
• Entity baselines are required to include: 1. Operating system/Firmware
2. Commercial/open source software
3. Custom software
4. Logical ports
5. All security patches applied
CIP 010-1 R1 and R2
TRUE
But what about devices where some of these don’t apply?
CIP 010-1 R3
CIP 010-1 R3.1
CIP 010-1 R3.1CIP 007-3 R8
CIP 005-3 R4
• No more annual requirement, and CVA can be active or paper
54
• Entity conducts initial Vulnerability Assessment in January then not again until April the next year (16 months)
• Remember the CIP 003 pitfalls
CIP-010-1 R3.1 – Possible Pitfall
55
• Verify when last CVA was conducted• Verify current CVA was conducted within 15
calendar months of previous CVA• Evidence could include:o A document listing the date of the assessment
and the output of any tools used to perform the assessment.
CIP-010-1 R3.1 – Approach
56
• Vulnerability assessment should include at minimum:o Network and access point discoveryo Port and service Identificationo Review of default accounts, passwords,
and network management community strings
o Wireless access point review
CIP 010-1 R3.2 – Best Practices
57
• Consider keeping Vulnerability Assessments for devices or groups of devices on the same cycle
• Implement a task managing tool to help track needed tasks and deadlines
• Review NIST SP800‐115 for guidance on conducting a vulnerability assessment
CIP-010-1 R3.1 – Best Practice
58
• What was the first home video game console?A. Atari 2600
B. Magnavox Odyssey
C. VES
D. RCA Studio II
POP Quiz!!
59
• What was the first home video game console?
• Developed in 1972
POP Quiz!!
Magnavox Odyssey
CIP 010-1 R3.2
CIP 005-3 R4
CIP 007-3 R8CIP 010-1 R3.2
61
• Only applicable to High Impact BES systems• Required to be performed at least every 36 months• CVA must be active and can be performed in
production or test environmento Test environment must reflect productiono Document differences between test and production
environmento Take and document measures to address the differences
between test and production environment
CIP 010-1 R3.2 cont..
62
• Entity does not conduct active Vulnerability Assessments at least every 36 months
• Entity does manual review on devices that are technically feasible to have active review
CIP 010-1 R3.2 – Possible Pitfall
63
• Verify active Vulnerability Assessments conducted at least every 36 months
• Description of test environment and how differences were account for (if test environment used for assessment)
• Raw data outputs of assessment for applicable devices
CIP 010-1 R3.2 – Approach
64
• Vulnerability assessment should include at minimum:o Network and access point discoveryo Port and service Identificationo Review of default accounts, passwords,
and network management community strings
o Wireless access point review
CIP 010-1 R3.2 – Best Practices
65
• Where possible conduct the Vulnerability Assessment on the production environment
• Implement a task managing tool to help track needed tasks and deadlines
• Document SMEs responsible for conducting the Vulnerability Assessment and for what cyber assets
CIP 010-1 R3.2 – Best Practice
CIP 010-1 R3.3
CIP 010-1 R3.3 CIP 007-3 R1
• New devices need an active Vulnerability Assessment prior to deployment
67
• Entity adds new asset to production without first conducting active Vulnerability Assessment
CIP-010-1 R3.3 – Possible Pitfall
68
• Ensure all newly added assets have had active vulnerability scan conducted prior to device being added to production
• Verify all necessary controls were verified as part of assessment
• Verify raw data output of vulnerability assessment can be provided
CIP 010-1 R3.3 – Approach
69
• Document specific procedures that include:o Responsible personnel for conducting the testo When testing needs to occuro Where testing should occuro How the testing should be conducted for each
cyber asset or group of cyber assets
• Use a checklist and/or peer reviews to reduce chance of human error
CIP 010-1 R3.3 – Best Practice
CIP 010-1 R3.4
CIP 005-3 R4
CIP 007-3 R8CIP 010-1 R3.4
• Document planned completion date for each remediation action
72
• Entity is not actively maintaining an action plan to remediate vulnerabilities found in the CVA.o Entity is not documenting or
updating planned date of completion for remediation actions
CIP-010-1 R3.4 – Possible Pitfall
73
• Document results or the review or assessment
• List of action items to remediate issues• Status of the action itemso Documented proposed dates of completion for
the action plan
CIP-010-1 R3.4 – Approach
74
• Tie actions outlined in the plan to specific SMEs
• Use an automated task managing tool to track all required tasks and ensure they are being completed
• Have steps to ensure action plan is updated and reflects actual proposed completion date of actions
CIP-010-1 R3.4 – Best Practice
75
QUIZ Time
CIP 010-1 R3
76
• Entities are required to test all changes in a test environment that reflects the production environment.
CIP 010-1 R3
FalseActive CVA not required for Medium impact facilities or for like devices with similar baseline configurations
77
• Entity’s will be required to meet expected completion date of action plans to remediate issues found during Vulnerability Assessment
CIP 010-1 R3
However, entity can update the expected date if more time is needed.
If the update is reasonable, justified, and done prior to the due date
TRUE
78
• CIP-010-1• NERC version 4 to version 5 mapping• Glossary
of Terms Used in NERC Reliability Standards
• NIST SP800‐115 – Security testing
Additional Resources
79
• Know what is required for each BES cyber system(s)
• Create and Maintain device baselines• Track and manage deadlines• Review referenced NIST documents for
added guidance
Summary
Ben ChristensenSenior CIP Enforcement Analyst
CIP-011-1May 15, 2014
SLC, UT
81
• Help entities understand and prepare for the upcoming CIP 011-1 standardo Differences and relations to current
requirementso Possible pitfalls to look for while implementing
CIP 011-1o Implementation tips
Agenda
82
• Identify, Assess, and Correct (IAC)o FERC has conditionally approved CIP 011-1 on
the basis that NERC’s Standard Drafting Team make clarifications or remove the IAC language
• BES Cyber Systemo Pay special attention to the applicable BES
cyber systems in each requirement
CIP 011-1 General Pitfalls
83
• Prevent unauthorized access to BES Cyber System Information
Purpose
84
• Information about the BES Cyber System that could be used to gain unauthorized access or pose a security threat to the BES Cyber System – NERC glossary
BES Cyber System Information
85
• Includes:o Security procedures/information
BES Cyber Systems PACS EACMS
o List of devices with IP addresseso Network diagrams
BES Cyber System Information
86
• Does NOT include:o Individual pieces of information that by
themselves do not pose a threat or could not be used to allow unauthorized access Devices names Individual IP addresses ESP names Policy statements
BES Cyber System Information
87
• CIP 003-3 R4: Information Protection • CIP 007-3 R7: Disposal or Redeployment
CIP 011-1 Similarities with V.3
CIP 011-1 similarities to V.3
CIP 003-3 R4
CIP 007-3 R7
CIP 011-1 R1.1
CIP 011-1 R1.2
CIP 011-1 R2.2
CIP 011-1 R2.1
CIP 011-1 R1 - Intro
CIP 011-1 R1
CIP 003-3 R4
CIP 011-1 R1.1
CIP 011-1 R1.2
CIP-011-1 R1.1 Language
• No longer a requirement to classify BES cyber system information
CIP 011-1 R1.1 CIP 003-3 R4
CIP 011-1 R1.2
CIP 003-3 R4CIP 011-1 R1.1
• Procedures for protecting information must now address storage, transit, and use
93
• Documented BES Cyber System Information method
• How you identify BES Cyber System Information (labels, classification)?
• Repository or electronic and physical locations to house BES Cyber System Information
CIP 011-1 R1.1 - Evidence
94
• Procedure for protecting BES Cyber Systemo Storageo Transito Use
• Records information was handled per your procedureso Change control ticket
CIP 011-1 R1.2 - Evidence
95
• Information Protection plan does not address storage, transit, and use of BES Cyber System Information
CIP 011-1 R1 Possible Pitfall
96
• Consider different variables when determining how to properly protect information during transit, storage, and useo Digital information stored locallyo Physical information stored in a PSP or noto Information being held by vendors or accessed
by vendors
CIP 011-1 R1 - Implementation tips
97
QUIZ
CIP 011-1 R1
98
Which of the following would be considered BES Cyber System Information?
A. Device host name
B. ESP diagram
C. PSP name
D. Inventory list with network addresses
CIP 011-1 R1
99
Which of the following would be considered BES Cyber System Information?
A. Device host name
B. ESP diagram
C. PSP name
D. Inventory list with network addresses
CIP 011-1 R1
100
CIP 011-1 R2
CIP 011-1 R2.1
CIP 011-1 R2.1 CIP 007-3 R7
• Focus is now on preventing unauthorized retrieval instead of data destruction
CIP 011-1 R2.2
• Focus is now on preventing unauthorized retrieval instead of data destruction
CIP 011-1 R2.2 CIP 007-3 R7
103
• Records of sanitization actionso Clearingo Purgingo Destroying
• Records trackingo Encryptiono Held in PSP
CIP 011-1 R2.1 – Evidence
104
• Records showing media was destroyed prior to disposal
• Other records of actions taken to prevent unauthorized retrieval of BES Cyber System Information
CIP 011-1 R2.2 – Evidence
105
• Entity secures cyber assets no longer used that contain BES cyber system information in a location that is not restricted to only those individuals with access to the BES cyber system information
CIP 011-1 R2 – Possible Pitfall
106
• Review NIST SP800-88 for guidance on developing media sanitation processes
• Where possible erase, destroy, degauss, or encrypt data as soon as possible after a device is no longer needed to reduce mishandling of devices or BES cyber system information
CIP 011-1 R2 – Implementation tips
107
• What if I have a 3rd party host my email? • Do I need to protect this information under
CIP-011-1?
CIP 011-1 – Scenario 1
108
• I have hard copies of my network diagrams located in a secure facility. Do I need to include these in my CIP-011-1 program?
CIP 011-1 – Scenario 2
109
• Prevent unauthorized access to BES Cyber System information
Purpose
110
• What if I have a 3rd party host my email? • Do I need to protect this information under
CIP-011-1?
It Depends
CIP 011-1 – Scenario 1
111
• What type of information is stored on the exchange server?o BES Cyber System Information
• How do your procedures account for emails containing this information?
CIP 011-1 – Scenario 1
112
• I have hard copies of my network diagrams located in a secure facility. Do I need to include these in my CIP-011-1 program?
YES
CIP 011-1 – Scenario 2
113
• What type of information is on the diagrams?o BES Cyber System Informationo List of all IP addresseso List of all network access points
• What do your procedures state about securing hard copies?
• What facilities might contain this information?
CIP 011-1 – Scenario 2
114
• CIP-011-1• NERC version 4 to version 5 mapping• Glossary
of Terms Used in NERC Reliability Standards
• NIST SP800-88 – Disposal guidance
Additional Resources
115
• Purpose• Differences• Pitfalls• Implementation tips
Summary
Ben Christensen
801.819.7666
bchristensen@wecc.biz
Questions?