Out-of-Band Management

Transcription

1 Out-of-Band Management April 9, 2019 Holly Eddy, CISA, CRISC, CISSP Auditor, Cyber Security

2 2

3 3

4 Opening Statement Out-of-band management is often referred to as managing the keys to the kingdom given the high set of privileges that come with such access. To ensure the keys to the BES kingdom are protected, how to identify components of Cyber Assets applicable to out-of-band management and determine applicable protections will be reviewed. 4

5 What can be controlled with out-of-band management interfaces enabled? 5

6 Common Capabilities of Out-of-Band Management Remotely: start up shutdown reboot install operating system Sensor monitoring (fan speed, power voltages, chassis intrusion) Access local media (DVD drive, disk images) Adjust BIOS, RAID or RAM timing settings 6

7 Privileges with Out-of-Band Management Device configurations can be changed Communication ports can be modified Data can be copied User accounts and privileges changed Difficult to detect an active exploit 7

8 Out-of-Band (OOB) Management Aliases Lights-out Management (LOM) Integrated Lights-Out (ilo) Dell Remote Access Controller (DRAC) Intelligent Platform Management Interface (IPMI) IBM Remote Supervisor Adaptor Etc. 8

9 Assessing Out-of-Band Management Are Cyber Assets network management ports physically connected? If so, to what? What methods are in place to manage access to the interfaces? ACLs configured? Access logs feasible/captured? Alerting? Shared accounts identified? 9

10 What is the Risk of Not Assessing the Use of Out-of-Band Management on Devices? 10

11 Challenge: Identify Use of Out-of-Band Management Ask SMEs if Cyber Assets associated with BES Cyber Systems utilize components such as: ilo, DRAC, LOM, etc. Inventory physical connections on Cyber Assets for console management connectivity 11

12 Exercise: Identify Use of Out-of-Band Management In the provided example, prepare to discuss your table s observations of: 1. How many instances of out-of-band management are connected? 2. What devices are using it? 3. Was the inventory helpful in assessing use? 4. What other methods could be used? 12

13 EXERCISE 13

14 Identifying Use of Out-of-Band Management Review baseline configurations to determine if any commonly used logically network accessible ports are configured SSH HTTP Terminal services IPMI-over-LAN Remote console Virtual media port 14

15 Next Steps 15

16 Low Impact BES Cyber Systems Evaluate communications between low impact BES Cyber Systems and Cyber Assets outside the asset containing low impact BES Cyber Systems for out-ofband management use. If identified, ensure CIP Attachment 1 Section 3 controls afforded to permit only necessary electronic access. 16

17 High & Medium Impact BES Cyber Systems Protections CIP Ensure individuals with authorized electronic to out-of-band management interfaces are afforded necessary access management protections. CIP As applicable, ensure out-of-band management interfaces are evaluated for Electronic Security Perimeter [ESP] and Interactive Remote Access [IRA] protections.

18 High & Medium Impact BES Cyber Systems Protections Validate all Systems Security Management protections are afforded to out-of-band management interfaces. Confirm applicable outof-band management interfaces are afforded protections of configuration change management and vulnerability assessment. CIP CIP

19 Maintaining an Inventory Can entities inventory out-of-band management interfaces as separate Cyber Assets? Yes, however, entities must ensure applicable security controls are afforded pursuant to the host Cyber Asset: High impact BES Cyber System Medium impact BES Cyber System Low impact BES Cyber System The audit team verifies protections for out-of-band management as a component of the host Cyber Asset. 19

20 Access Management Protections Have individuals with access to interfaces had a personnel risk assessment completed? Do individuals with access to interfaces have documented and authorized access pursuant to CIP R4? If interfaces are accessible via Interactive Remote Access, are they addressed in CIP R5 revocation processes? 20

21 ESP Protections As applicable to the host Cyber Asset, do the out-of-band management interfaces reside within an ESP-defined subnet? If interfaces are accessible via Interactive Remote Access, are they accessed pursuant to CIP R2? Intermediate System Encrypted session Multi-factor authentication 21

22 System Security Management As applicable throughout CIP-007-6: Are only needed logical ports for out-of-band management enabled and documented? Are patch sources identified for platforms used with out-of-band management and included in patch management programs? Are the interfaces included in malicious code prevention processes? Are the interfaces configured to log and alert pursuant to R4? Have the interfaces been evaluated and afforded applicable R5 protections for account management? 22

23 Change Configuration and Vulnerability Assessments Have the out-of-band management interfaces been included in entity s developed baseline configurations? Have applicable changes to interfaces followed entities CIP R1 processes pursuant to Parts ? If associated with high impact BCS, are the interfaces included in the R2 monitoring processes? Do vulnerability assessment processes consider interfaces? 23

24 Looking Forward CIP Active vendor session (R2 Part 2.4) Method(s) to disable active vendor remote access (R2 Part 2.5) CIP Verifying identity of software sources and integrity of software obtained as applicable to R1 Part 1.6 CIP Devices with out-of-band management capabilities should be procured in accordance with Supply Chain Risk Management Plans 24

25 Best Practices for Out-of-Band Management Shared accounts Default passwords Least privilege Change default passwords and certificates Alert on creation of new accounts Monitor for new vulnerabilities Reduce number of Transient Cyber Assets 25

26 26

27 WECC s Audit Approach Out-of-band management interfaces will be reviewed pursuant to the host Cyber Assets to ensure applicable CIP controls are afforded to the interfaces. Notice of Audit Package will request if management interfaces are applicable to Cyber Assets identified in an entity s response to the CIP Data Set. Cyber Assets with configured interfaces could be included in CIP-007/CIP-010 Sample Set data request to ensure CIP protections are afforded. 27

28 CIP Data Set and Management Interface Information 28

29 CIP Data Set and Management Interface Information 29

30 What Are The Risks If out-of-band management interfaces are not protected, a malicious actor could utilize such access and impact a Cyber Asset s: Operating System configuration Communication and network configuration Data User accounts and privileges Health (power, fans, temperatures) 30

31 What can be controlled with out-of-band management interfaces enabled? 31

32 Out-of-Band Management Review Out-of-band management interfaces of Cyber Assets are important components to protect. If unprotected, interfaces represent concerning risk to BES Cyber Systems. Proper identification and application of CIP protections will help secure access to BES Cyber Systems. What to expect during audits when verifying protections for out-of-band management components. 32

33 Protecting the BES Kingdom In identifying out-of-band management interfaces and affording required protections, keys to the BES kingdom (BES Cyber Systems) will have limited vectors of compromise and the security and reliability of the BES is further guarded. 33

34 For CIP Questions 34

35 Contact: Holly Eddy, CISA, CRISC, CISSP Cyber Security Auditor 35