
Cyber Asset Lifecycle and Change Management

CSWG Salt Lake, UT

July 25, 2018

Speaker Introduction - Michael Cole

• TID Control System Cybersecurity Analyst

• U.S. Navy: Aviation Electronics Technician (97-2002)

• B.S. Computer Science, Cal-State University Stanislaus (2006)

• CCNP-Cisco Certified Network Professional (2013)

• CISSP-Certified Information Systems Security Professional (2016)

• 7 years in IT, 5 years in OT/EMS/Compliance

• Married 14 years, 4 Children

Agenda

• Change Management Overview

• NIST Cybersecurity Framework

• NIST.SP.800-53 Controls

• TID’s Cybersecurity Program

• TID’s Asset and Change Management Policy

• TID’s Implementation

CIP-010-2 R1, R2

• 1.1-Develop a baseline configuration

• 1.2-Authorize and document changes

• 1.3-For changes, update the baseline configuration

• 1.4-Verify and document cyber security controls

• 1.5-Test and document changes prior to implementation

• 2.1-Monitor changes to the baseline configuration

Cyber Asset Lifecycle

• Cyber Asset Lifecycle (IEEE 1220)

– Development: Planning and execution
– Manufacturing: Test model and prototypes
– Test: Evaluation against requirements
– Distribution: Transport and deliver
– Operations: System usage
– Support: Maintenance and materials
– Training: Knowledge/Skills to perform operations
– Disposal: Destroyed per requirements


Holistic Cyber Asset Lifecycle View

• What are the Cyber Security requirements for Cyber Asset Lifecycle?

• How do they fit into the overall Cyber Security strategy?

• What additional standards can be managed beyond CIP-010? (CIP-005, CIP-007, CIP-011)

NIST Cybersecurity Framework

[Figure: NIST Cybersecurity Framework, annotated with CIP-010 R1.1, R1.3; CIP-010 R1.1.1-R1.1.5; CIP-010 R2; CIP-010 R1.2, R1.4]

[Figure: NIST Cybersecurity Framework, annotated with CIP-010 R1.1.1-R1.1.5]

Identify: Asset Management

• ID.AM-2: Software platforms and applications within the organization are inventoried

– CIP-010 R1.1.1 Operating Systems

– CIP-010 R1.1.2-1.1.3 Software

– CIP-010 R1.1.4 Network ports

– CIP-010 R1.1.5 Security Patches

Identify: Asset Management

• Configuration Management Controls

– CM-8: Information System Component Inventory

• Develops and documents an inventory of information system components

• Reviews and updates the information system component inventory

Identify: Asset Management

• Enhancements for CM-8: Information System Component Inventory

– Updates during installations and removals

• Integral part of the process is updates

– Automated maintenance

• Software assisted detection and validation of baseline/assets

– Accountability Information

• The inventory contains ownership information

NIST Cybersecurity Framework

[Figure: NIST Cybersecurity Framework, annotated with CIP-010 R1.1, R1.3 and CIP-010 R1.2, R1.4]

Protect: Information Protection

• PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained

– CIP-010 R1.1 Develop a baseline configuration

– CIP-010 R1.3 For a change that deviates from the baseline, update the baseline configuration

Protect: Information Protection

• Configuration Management Controls

– CM-2: Baseline Configuration

• Establish a baseline configuration that contains software, OS, patches, network topology, and placement in system architecture

• Formally documented and reviewed

• New baselines are built based on changing requirements

Protect: Information Protection

• Enhancements for CM-2: Baseline Configuration

– Reviews and updates

• Recurring frequency not driven by change

• Part of installation or upgrade

– Automation support for accuracy

• Hardware, software and patch inventory tools

• Configuration management tools

Protect: Information Protection

• Enhancements for CM-2: Baseline Configuration

– Retention of previous configurations

• Restore points

– Development and test environments

• Baselining test and production systems

• The results of testing are representative of the proposed changes to operational systems

Protect: Information Protection

• Configuration Management Controls

– CM-6: Configuration Settings

• Configuration settings based on checklists and reflect most restrictive mode consistent with requirements

• Implements configuration settings

• Identifies any deviations from organizational requirements

Protect: Information Protection

• Enhancements for CM-6: Configuration Settings

– Automated centralized management/application/verification

• Software assisted management of applications and verification

Protect: Information Protection

• PR.IP-3: Configuration change control processes are in place

– CIP-010 R1.2 Authorize and document changes that deviate from the existing baseline configuration.

– CIP-010 R1.4 Security controls verification and documentation

Protect: Information Protection

• Configuration Management Controls

– CM-3: Configuration Change Control

• Determines which changes are configuration-controlled

• Reviews and approves proposed configuration with an understanding of the security impact

• Documents rationale for change

• Retains change documentation

• Audits and reviews activities associated with changes

Protect: Information Protection

• Enhancements for CM-3: Configuration Settings

– Automated documentation, notification and prohibition of change

• The change is documented in a system and is automatically sent to designated personnel for approval

• The change cannot proceed without approval

• Notification that change is complete

– Test, validate and document

• Testing does not interfere with production

Protect: Information Protection

• Configuration Management Controls

– CM-4: Security Impact Analysis

• Security impact analysis is conducted prior to the change

Protect: Information Protection

• Enhancements for CM-4: Security Impact Analysis

– Separate test environments

• Physical or logical separation

• Virtual machine copies of production

– Verification of security functions

• Security software and settings are functioning as required

NIST Cybersecurity Framework

[Figure: NIST Cybersecurity Framework, annotated with CIP-010 R2]

Detect: Security Continuous Monitoring

• DE.CM-1: The network is monitored to detect potential cybersecurity events

– CIP-010 R2 Monitor changes to the baseline configuration. Investigate unauthorized changes.

Detect: Security Continuous Monitoring

• Configuration Management Controls

– CM-6: Configuration Settings

• Monitors and controls changes to the configuration settings


Detect: Security Continuous Monitoring

• Enhancements for CM-6: Configuration Settings

– Automated central management

• The same system that manages baseline configurations also monitors for changes

– Respond to unauthorized changes

• Email notification of detected unauthorized changes sent to designated personnel

NIST/ES-C2M2 Abstracted Architecture / CIP Documentation Architecture

[Figure: architecture diagram placing CIP requirements under management domains. Text recovered from the diagram follows.]

Diagram blocks:

• Risk Management
• Asset, Change and Configuration Management
• Identity and Access Management
• Threat and Vulnerability Management
• Situational Awareness
• Event and Incident Response, Continuity of Operations
• Cyber Security Policy
• Workforce Management

CIP requirements shown:

• CIP-002 R1 BES Cyber System Identification
• CIP-002 R2 Identification Review
• CIP-003 R1-R3 Cyber Security Policy
• CIP-003 R4 Delegations
• CIP-004 R1-R2 Security Awareness Program
• CIP-004 R3 Personnel Risk Assessment
• CIP-004 R4 Access Management Program
• CIP-004 R5 Access Revocation
• CIP-005 R1 Electronic Security Perimeter
• CIP-005 R2 Interactive Remote Access
• CIP-006 P1.1-P1.2 Physical Security Plan
• CIP-006 R2 Visitor Control Program
• CIP-006 R3 PACS Maintenance and Testing
• CIP-007 R1 Ports and Services
• CIP-007 R2 Security Patch Management
• CIP-007 R3 Malicious Code Prevention
• CIP-007 R4 Security Event Monitoring
• CIP-007 R5 System Access Control
• CIP-008 R1-R3 Incident Response Plans
• CIP-009 R1-R3 Recovery Plans
• CIP-010 R1 Configuration Change Management
• CIP-010 R2 Configuration Monitoring
• CIP-010 R3 Vulnerability Assessments
• CIP-011 R1 Information Protection
• CIP-014 R1 Physical Security Risk Assessment
• CIP-014 R2-R3 Assessment Review and Notification
• CIP-014 R4 Physical Security Vulnerability Assessment
• CIP-014 R5 Physical Security Plan
• CIP-014 R6 Physical Security Plan Review
• CIP-006 P1.4-P1.9 Physical Security Plan
• CIP-011 R2 BES Cyber Asset Reuse and Disposal
• CIP-007 R5.7 System Access Control

NIST/ES-C2M2 Abstracted Architecture

Asset, Change and Configuration Management

• CIP-005 R1 Electronic Security Perimeter
• CIP-005 R2 Interactive Remote Access
• CIP-007 R1 Ports and Services
• CIP-010 R1 Configuration Change Management
• CIP-011 R2 BES Cyber Asset Reuse and Disposal
• CIP-010 R2 Configuration Monitoring

Asset & Configuration Management Policy


Configuration Change Management Process


Speaker Introduction

• TID Control System Cybersecurity Analyst

• Senior IT Analyst City of Turlock (2002-2015)

• B.S. Computer Information Systems (2012)

• 13 years in IT, 3 years in OT/EMS/Compliance

• Married 13 years, 3 Children


“A goal without a plan is just a wish.”

– Antoine de Saint-Exupéry


Planning for Automation

• Holistic view of Cyber Security and Data management

• Standard data schema / Define once reference many times.

• Create data definitions for input.

• Leverage database driven comparison methods for controls.

• Supplement Data inputs with required compliance information.

• Summarize data for reporting.

Keys to Success

• Established and performed processes manually before we automated anything

• Have not automated everything. Still a lot more that we can do.

• Perform processes manually for items that fall outside of our automation scope.

• Review automated processes regularly to ensure accuracy and consistency.

ID.AM-2: Software Platforms/Applications Inventory

• Starting point is our CIP-2 R5.1 Cyber asset list.

• Create a new baseline or associate assets with an existing baseline

• CIP-010 R1.1-R1.5 Baseline Components

– CIP-010 R1.1.1 Operating Systems
– CIP-010 R1.1.2-1.1.3 Software
– CIP-010 R1.1.4 Network ports
– CIP-010 R1.1.5 Security Patches

Management of CIP 2 R5.1 Asset Example

Baseline Association Example

Baseline Creation Example

PR.IP-3 Configuration change control

• CCM required for any changes.

• CCM recorded for the summary of changes.

• Security controls verification produced to document that security controls have not changed.


CM Process Example

Baseline Change to CM Relationships

Security Controls Verification

PR.IP-1 Baseline changes/Updates

• Gather inputs from multiple systems.

• Use database comparison methods against those inputs.

• Accept changes to baselines and add supplemental compliance information

• Summarize data for reporting

• Generate required evidence to demonstrate compliance.


Baseline Change Example


DE.CM-1 Baseline changes/Updates

• Gather inputs from multiple systems.

• Use database comparison methods against those inputs.

• Accept changes to baselines and add supplemental compliance information

• Summarize data for reporting

• Generate required evidence to demonstrate compliance.
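The database comparison described on the PR.IP-1 and DE.CM-1 slides can be sketched as follows. This is an added example, not TID's implementation or code from the presentation. SQLite stands in for the compliance database, and the table names, asset, software, patch and ticket identifiers are all constructed.

```python
import sqlite3

# Baseline components follow CIP-010 R1.1.1-R1.1.5: os, software, port, patch.
SCHEMA = """
CREATE TABLE baseline (asset TEXT, category TEXT, item TEXT);
CREATE TABLE observed (asset TEXT, category TEXT, item TEXT);
CREATE TABLE ccm (ticket TEXT, asset TEXT, category TEXT, item TEXT, action TEXT);
"""

# Constructed sample data: hypothetical asset, products, patch ids and ticket id.
ASSET = "ems-hmi-01"
BASELINE = [(ASSET, "os", "ExampleOS 10.2"), (ASSET, "software", "HistorianClient 4.1"),
            (ASSET, "port", "tcp/443"), (ASSET, "patch", "PATCH-0001")]
OBSERVED = [(ASSET, "os", "ExampleOS 10.2"), (ASSET, "software", "HistorianClient 4.2"),
            (ASSET, "port", "tcp/443"), (ASSET, "port", "tcp/3389"),
            (ASSET, "patch", "PATCH-0001"), (ASSET, "patch", "PATCH-0002")]
CCM = [("CCM-1001", ASSET, "software", "HistorianClient 4.1", "removed"),
       ("CCM-1001", ASSET, "software", "HistorianClient 4.2", "added"),
       ("CCM-1001", ASSET, "patch", "PATCH-0002", "added")]

# Set difference in both directions, then attach the change ticket if one exists.
DELTA_SQL = """
WITH delta AS (
    SELECT asset, category, item, 'added' AS action
      FROM (SELECT * FROM observed EXCEPT SELECT * FROM baseline)
    UNION ALL
    SELECT asset, category, item, 'removed' AS action
      FROM (SELECT * FROM baseline EXCEPT SELECT * FROM observed)
)
SELECT d.asset, d.category, d.item, d.action, c.ticket
  FROM delta d
  LEFT JOIN ccm c ON c.asset = d.asset AND c.category = d.category
                 AND c.item = d.item AND c.action = d.action
 ORDER BY d.asset, d.category, d.item
"""


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO baseline VALUES (?, ?, ?)", BASELINE)
    conn.executemany("INSERT INTO observed VALUES (?, ?, ?)", OBSERVED)
    conn.executemany("INSERT INTO ccm VALUES (?, ?, ?, ?, ?)", CCM)
    return conn


def classify(conn):
    """Split baseline deltas into ticketed (authorized) and unticketed ones."""
    rows = conn.execute(DELTA_SQL).fetchall()
    authorized = [r for r in rows if r[4] is not None]
    unauthorized = [r[:4] for r in rows if r[4] is None]
    return authorized, unauthorized


def accept_authorized(conn, authorized):
    """Update the baseline for ticketed changes only (CIP-010 R1.3)."""
    for asset, category, item, action, _ticket in authorized:
        if action == "added":
            conn.execute("INSERT INTO baseline VALUES (?, ?, ?)", (asset, category, item))
        else:
            conn.execute("DELETE FROM baseline WHERE asset=? AND category=? AND item=?",
                         (asset, category, item))
    conn.commit()


if __name__ == "__main__":
    db = build_db()
    ok, bad = classify(db)
    for row in ok:
        print("authorized ", row)
    for row in bad:
        print("INVESTIGATE", row)  # unticketed change: CIP-010 R2 follow-up
    accept_authorized(db, ok)
```

The unticketed delta stays out of the baseline, so it is reported again on every run until it is either reverted or tied to a change management number.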

[Figure: change management process flowchart. Recovered step labels: Start; Change Management Ticket; Perform Security Controls Verification; Security Controls Verification; Validate Baseline; Are there any baseline changes? (YES / NO); Associated Baseline changes to a Change Management Number; Baseline Software Inventory Report; Baseline Changes Summary Report; Review Evidence; Complete Change Management Ticket; End. Recovered component labels: Database Client; Automation; Compliance Database Application; BCA; Native Commands Validation.]

References

• DHS, DOE, Carnegie Mellon University. (February 2014). Electric Subsector Cybersecurity Capability Maturity Model Version 1.1.

• NIST. (February 2014). Framework for Improving Critical Infrastructure Cybersecurity Version 1.0.

• NIST. (April 2013). NIST Special Publication 800-53- Security and Privacy Controls for Federal Information Systems and Organizations, Revision 4.

Questions?

• Dave Arounsack, CCIE #43254, Water & Energy Management System [email protected] 209-883-8657

• Michael Cole, CCNP, CISSP, Control System Cybersecurity [email protected] 209-883-8245

• Daniel Lourenco, Control System Cybersecurity [email protected] 209-883-8208