CIP Baseline Configuration Management Overview. FRCC Spring Compliance Workshop April 14-16, 2015

Transcription

1 CIP Baseline Configuration Management Overview FRCC Spring Compliance Workshop April 14-16, 2015

2 Overview Review the configuration change management requirements found in CIP R1 and R2 2

3 R1.1 Baseline Configuration Develop a baseline configuration that includes the following items: o Operating system(s) (including version) or firmware where no independent operating system exists; o Any commercially available or open source application software (including version) intentionally installed; o Any custom software installed; o Any logical network accessible ports; and o Any security patches applied. 3

4 R1.1 Evidence Audit approach may include: o Reviewing your documentation that outlines the baseline requirements for applicable systems and devices o Reviewing evidence that demonstrates that you were tracking assets containing the required baseline information o During physical walkthrough, review applicable systems for adherence to the baseline configuration Applies to Medium and High Impact BES Cyber Systems and their associated EACMs, PACS, and PCAs 4

5 R1.2 Baseline Configuration Changes Authorize and document changes that deviate from the existing baseline configuration Audit approach may include: o Reviewing change management documentation, change tickets, or inventory control documentation that clearly identified that the change deviated from the baseline and were approved Note: Deviations from the baseline should still maintain compatibility with the requirements 5

6 R1.3 Baseline Configuration Updates For a change that deviates from the existing baseline configuration, update the baseline configuration as necessary within 30 calendar days of completing the change. Audit approach may include: Reviewing documentation such as an updated baseline configuration document that has been dated within 30 days of the change to the baseline Applies to Medium and High Impact BES Cyber Systems and their associated EACMs, PACS, and PCAs 6

7 R1.4 Baseline Configuration Updates For a change that deviates from the existing baseline configuration : R1.4.1 Prior to the change, determine required cyber security controls in CIP 005 and CIP 007 that could be impacted by the change; R Following the change, verify that required cyber security controls determined in are not adversely affected; and R1.4.3 Document the results of the verification. 7

8 R1.4 Baseline Configuration Updates For any changes that deviates from the existing baseline configuration perform the following steps: R1.4.1 Determine the required cyber security controls in CIP 005 and CIP 007 that could be impacted by the change Change the Baseline Configuration R1.4.2 Verify that required cyber security controls determined in are not adversely affected R1.4.3 Document the results of the verification. 8

9 R1.4 Baseline Change Testing Audit approach may include: Reviewing documentation demonstrating the method used to determine the impact of the change to the CIP-005 and CIP-007 security controls. Reviewing a documented output of the impact analysis A list of cyber security controls verified or tested along with the dated test results Applies to Medium and High Impact BES Cyber Systems and their associated EACMs, PACS, and PCAs 9

10 R1.5 Testing Baseline Changes Prior to implementing any change in the production environment, ensure that the required cyber security controls in CIP 005 and CIP 007 are not adversely affected by either: a) Testing the changes in a test environment or; b) Test the changes in a production environment where the test is performed in a manner that minimizes adverse effect 10

11 R1.5 Testing Baseline Changes (cont.) What are the auditors looking for? Documentation of the results of the testing A list of cyber security controls tested along with successful test results For test environments, a list of differences between the production and test environments with descriptions of how differences were accounted for, including of the date of the test. 11

12 R2 Monitoring Baseline Changes Monitor for changes to the baseline configuration at least once every 35 calendar days Document and investigate any detected unauthorized changes Evidence may include: Logs from a configuration change monitoring system Records of investigation for any unauthorized changes that were detected. Applies to High Impact BES Cyber Systems and their associated EACMs, and PCAs 12

13 R2 Monitoring Baseline Changes (cont.) How do I monitor baseline changes? Automated Process through change management software Some solutions can be expensive Can require tuning Manual process Spreadsheet method of tracking each applicable system or asset Can be used in conjunction with existing tools such as Cisco Security Device Manager or Microsoft Service Control Manager Time consuming Must review all assets within 35 days 13

14 Configuration Management Resources NIST NSA uration_guides/index.shtml Cisco Oracle Microsoft Linux (Red Hat) 14

15 Questions? 15