CIP Configuration Change Management & Vulnerability Assessments

Transcription

1 CIP Configuration Change Management & Vulnerability Assessments FRCC Spring RE Workshop April 17-18, 2018

2 Objective Change Management to prevent unauthorized modifications to Bulk Electric Systems (BES) Cyber Systems Monitoring processes to detect unauthorized modifications to Bulk Electric Systems (BES) Cyber Systems Vulnerability assessment to ensure proper implementation of cyber security controls and improve security posture of Bulk Electric Systems (BES) Cyber Systems 2

3 Applicable Systems High Impact BES Cyber Systems Applies to BES Cyber Systems (BCS) categorized as high impact Medium Impact BES Cyber Systems Applies to BES Cyber Systems categorized as medium impact Protected Cyber Assets (PCA) Applies to each Protected Cyber Asset associated with a referenced high impact BES Cyber System or medium impact BES Cyber System 3

4 Applicable Systems (continued) Electronic Access Control or Monitoring Systems (EACMS) Applies to each Electronic Access Control or Monitoring System associated with a referenced high impact BES Cyber System or medium impact BES Cyber System. Examples may include, but are not limited to, firewalls, authentication servers, and log monitoring and alerting systems Physical Access Control Systems (PACS) Applies to each Physical Access Control System associated with a referenced high impact BES Cyber System or medium impact BES Cyber System with External Routable Connectivity 4

5 Applicable Systems Summary High Impact Medium Impact Standard Req Part BCS EACMS PACS BCS EACMS PACS CIP R1 1.1 X X X X X X X CIP R1 1.2 X X X X X X X CIP R1 1.3 X X X X X X X CIP R1 1.4 X X X X X X X CIP R1 1.5 X CIP R1 1.6 X X CIP R2 2.1 X X X CIP R3 3.1 X X X X X X X CIP R3 3.2 X X CIP R3 3.3 X X X CIP R3 3.4 X X X X X X X CIP R4 X X X PCA NOTE: CIP-10-3 pending regulatory approval. 5

6 Applicability of Requirements BA, DP, GO, GOP, RC, TO and TOP BA DP GO GOP PA RC RP RSG TO TOP TP TSP R1 X X X X X X X R2 X X X X X X X R3 X X X X X X X 6

7 Configuration Change Management (CCM) R1 (Part 1.1 to 1.5) The configuration change management processes are intended to prevent unauthorized modifications to BES Cyber Systems. 7

8 Configuration Change Management (R1) Part 1.1: A baseline configuration that collectively includes: o Operating system (software, version or firmware) o Application Software (version) o Custom software o Logical network accessible ports o Security patches applied NOTE A "baseline" is an agreed description of the attributes of a product, at a point in time, which serves as a basis for defining change. 8

9 Configuration Change Management (continued) Part 1.2: Authorize and document changes that deviate from the existing baseline configuration Part 1.3: For changes that deviate from the existing baseline configuration, verify you have documented one or more processes for updating the baseline configuration as necessary within 30 calendar days of 9

10 Configuration Change Management (continued) Part 1.4: For a change that deviates from the existing baseline configuration and for each Applicable System, verify you have documented one or more processes to: odetermine, prior to the change, required cyber security controls in CIP-005 and CIP-007 that could be impacted by the change overify, following the change, that required cyber security controls in CIP-005 and CIP-007 are not adversely affected o Document the results of the verification 10

11 Configuration Change Management (continued) Part 1.5: For changes that deviate from the existing baseline configuration, verify you have documented one or more processes that include: o Test the changes in a TEST environment or test the changes in a PROD environment when you can minimize adverse affects o Ensure cyber security controls in CIP-005 and CIP-007 are not affected. o Document the results of the testing If a TEST environment was used, the differences between the test environment and the production environment, including a description of the measures used to account for any differences in operation between the TEST and PROD environments 11

12 Configuration Change Management (R1) Awaiting Regulatory Approval New 1.6 section Verify identity of the software source Verify integrity of the software obtained from the software source o Cryptographic checksums NOTE An example of evidence may include, but is not limited to, a change request record that demonstrates the verification of identity of the software source and integrity of the software was performed prior to the baseline change or a process which documents the mechanisms in place that would automatically ensure the identity of the software source and integrity of the software. 12

13 Examples of Evidence to Consider A spreadsheet identifying the required items of the baseline configuration for each Cyber Asset, individually or by group. A record in an asset management system that identifies the required items of the baseline configuration for each Cyber Asset, individually or by group A change request record (e.g. system or spreadsheet) Authorization by those that are authorized Documentation that the change was performed List of cyber security controls verified and tested along with dated test results 13

14 Industry Best Practices 14

15 Best Practices Policies, inventory and configuration control system Documented processes, procedures and templates for the development and maintenance of baseline configurations Include who can authorize baseline changes, and to what, when authorization(s) needs to occur and how the authorizations will be documented, stored, tracked and communicated. Use checklist or other tools to reduce likelihood of missing controls 15

16 Best Practices (continued) Documentation for Changes: o Identification of the asset(s) and/or system(s) o Attribute(s) that changed o Type of change (add/change/replacement) odate, time and location of change osource, cause or reason for the change o Person(s) or business unit that authorized the change oimpact changes to other assets or configurations items resulting from the change 16

17 Best Practices (continued) Documentation of Test results: owhen did the test occurred and where oidentify steps taken to determine potentially impacted cyber security controls o Why some/certain controls not included ohow the controls are tested and adverse impacts be detected ohow Test Results (expected vs. actual) are documented oconsider different environments or changes for what determining what controls could be impacted 17

18 Best Practices (continued) When Practical: o Maintain a record of agreed authorization levels o Ensure changes are submitted by authorized users o Review controls and integrity procedures to ensure that they will not be compromised by the changes o Identifying all software, information, database entities, and hardware that require amendment o Obtain formal approval for detailed proposals before work commences 18

19 Best Practices (continued) Segregation of Duties o Ensures that there is oversight and review to catch errors o Helps to prevent fraud or theft because it requires two people to collude in order to hide a transaction. Rotation of Duties o Makes it more difficult to collaborate to exercise complete control of a transaction(s) and subvert it for fraudulent purposes 19

20 Configuration Monitoring R2 The configuration monitoring processes are intended to detect unauthorized modifications to BES Cyber Systems. 20

21 Configuration Monitoring (R2) Part 2.1: omonitor every 35 calendar days for changes to the baseline configuration (at minimum) odocument and investigate detected unauthorized changes overify that all detected unauthorized changes are documented and investigated 21

22 Configuration Monitoring Question? How does your company detect for unauthorized accesses? 22

23 Vulnerability Assessments R3 The vulnerability assessment processes are intended to act as a component in an overall program to periodically ensure the proper implementation of cyber security controls as well as to continually improve the security posture of BES Cyber Systems. The vulnerability assessment performed for this requirement may be a component of deficiency identification, assessment, and correction. 23

24 Vulnerability Assessments (R3) Part 3.1: At least once every 15 calendar months: Conduct and document a paper or active vulnerability assessments Part 3.2: At least once very 36 calendar months: Perform and document active vulnerability assessment in a TEST environment or in a PROD environment When a TEST environment is used, document differences between TEST and PROD NOTE When you test in production: minimizes adverse effects models the baseline configuration to ensure that required cyber security controls in CIP- 005 and CIP-007 are not adversely affected. 24

25 Vulnerability Assessments (R3) Part 3.3 and 3.4: When adding a new Cyber Asset to PROD, perform an active vulnerability assessment and document the following: oresults of the assessments oaction plan to remediate or mitigate vulnerabilities identified in the assessments oplanned date of completing the action plan oexecution status of any remediation or mitigation action items ocompletion of the action plan if the date has NOTE A Vulnerability Assessment is not required during CIP Exceptional Circumstances. OK to use baseline configurations that models an existing baseline configuration of the previous or other existing Cyber Asset. 25

26 Vulnerability Assessments Recommended Evidence List the date of the assessment Controls assessed for each BES Cyber System along with the method of assessment Output of any tools used to perform the assessment List of differences between the PROD and TEST Descriptions of differences in the assessment NOTE List the results such as: list of action items, documented proposed dates of completion for the action plan, and records of the status of the action items minutes of a status meeting, updates in a work order system, or a spreadsheet tracking the action items). 26

27 Best Practices Vulnerability assessment(s) should include at minimum: onetwork and access point discovery oport and service identification oreview of default accounts, passwords, an network management community strings owireless access point review 27

28 Best Practices (continued) Define and establish the roles and responsibilities associated with technical vulnerability management, including vulnerability monitoring, risk assessment, patching, asset tracking, and any coordination responsibilities required Information resources that will be used to identify relevant technical vulnerabilities and maintain awareness about them should be identified for software and other technology. Information resources should be updated based on changes in the inventory, or when other new or useful resources are found Timeline should be defined to react to notifications of potentially relevant technical vulnerabilities 28

29 Best Practices (continued) Once a potential technical vulnerability has been identified, the organization should identify the associated risks and the actions to be taken; such action could involve patching of vulnerable systems and/or applying other controls Depending on how urgently a technical vulnerability needs to be addressed, the action taken should be carried out according to the controls related to change management or by following information security incident response procedures If a patch is available, the risks associated with installing the patch should be assessed and the risks posed by the vulnerability should be compared with the risk of installing the patch 29

30 FERC Order 791 Transient Cyber Assets and Removable Media R4 Requirement R4 responds to the directive in FERC Order 791, to address security-related issues associated with Transient Cyber Assets and Removable Media used on a temporary basis for tasks such as data transfer, vulnerability assessment, maintenance, or troubleshooting. 30

31 Definitions of Removable Media (RM) Not Cyber Assets Capable of transferring executable code Can be used to store, copy, move, or access data Examples: floppy disks, compact disks, USB flash drives, external hard drives, and other flash memory cards/drives that contain nonvolatile memory. NOTE A common TCA or RM is directly connected for 30 consecutive calendar days or less to a BES Cyber Asset, a network within an ESP, or a Protected Cyber Asset. 31

32 Definitions of Transient Cyber Asset (TCA) Capable of transmitting or transferring executable code Not included in a BES Cyber System Not a Protected Cyber Asset (PCA) NOTE A common TCA or RM is directly connected for 30 consecutive calendar days or less to a BES Cyber Asset, a network within an ESP, or a Protected Cyber Asset. Examples: Cyber Assets used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes. 32

33 Transient Cyber Assets & Removable Media Protection Risks associated with Transient Cyber Assets (TCA s) and Removable Media (RM): opreventing unauthorized access or malware propagation to BES Cyber Systems opreventing unauthorized access to BES Cyber System Information NOTE Both Transient Cyber Assets and Removable Media tools are potential vehicles for transporting malicious code into a facility and subsequently into Cyber Assets or BES Cyber Systems. Important: This requirement incorporates the concepts from other CIP requirements in CIP and CIP to help define the requirements for Transient Cyber Assets and Removable Media. 33

34 Plans for Transient Cyber Assets and Removable Media (R4) Each Responsible Entity, for its high impact and medium impact BES Cyber Systems and associated Protected Cyber Assets, shall implement, except under CIP Exceptional Circumstances, one or more documented plan(s) for Transient Cyber Assets and Removable Media that include the sections in Attachment 1 DISTRIBUTE Attachment 1 and 2 to audience 34

35 Attachment 1 Plans for TCA s and RM Plan(s) for Transient Cyber Assets and Removable Media as required under Requirement R4. 35

36 Section 1: TCA Plans Managed by Entity Transient Cyber Asset management Transient Cyber Asset authorization Software vulnerability mitigation Introduction of malicious code mitigation Unauthorized use mitigation 36

37 Attachment 2 Examples of Evidence Example of evidence for the plan(s) for Transient Cyber Assets and Removable Media as required under Requirement R4. 37

38 Attachment 2: Examples of Evidence (Section 1) Method(s) of management. This can be included as part of the plan(s), documentation related to authorization or part of a security policy Documentation from asset management systems, human resource management systems, or forms or spreadsheets that show authorization. This can be documented in the overarching plan document Documentation through policies or procedures of the method(s) to restrict physical access; method(s) of the fulldisk encryption solution along with the authentication protocol; method(s) of the multi-factor authentication solution; or documentation of other method(s) to mitigate the risk of unauthorized use 38

39 Attachment 2: Examples of Evidence (continued) Documentation of the method(s) used to mitigate software vulnerabilities posed by unpatched software such as security patch management implementation, the use of live operating systems from read-only media, system hardening practices or other method(s) to mitigate the software vulnerability posed by unpatched software Change management systems, automated patch management solutions, procedures or processes associated with using live operating systems, or procedures or processes associated with system hardening practices Documentation of the method(s) used to mitigate the introduction of malicious code such as antivirus software and processes for managing signature or pattern updates, application whitelisting practices, processes to restrict communication, or other method(s) to mitigate the introduction of malicious code 39

40 References Creating a Patch and Vulnerability Management Program o NIST Publication SP at Guide for Security-Focused Configuration Management of Information Systems o NIST Publication SP at NERC Cyber Security Configuration Change Management and Vulnerability Assessments o CIP and CIP standards at 40

41 Questions?