Designing Secure Remote Access Solutions for Substations

Transcription

1 Designing Secure Remote Access Solutions for Substations John R Biasi MBA, CISA, CISSP October 19, 2017

2 Agenda Brief Biography Interactive Remote Access Dial-Up Access Examples Transient Devices Vendor Access Compliance vs. Security Additional Reference Information (not presented) 2

3 Brief Biography John Biasi Senior Cybersecurity Specialist at Burns & McDonnell 17 years in IT Eight years in the utility industry Five years at a large investor-owned utility Three years at Burns & McDonnell Hands-on experience developing solutions for a broad range of regulations and security frameworks, including HIPAA, ISO 27001, NEI 08-09, NERC CIP, NIST, PCI-DSS and SOX 3

4 Interactive Remote Access External Routable Connectivity (ERC) is not necessarily Interactive Remote Access (IRA): System-to-System communication Reporting/Telemetry data Logging ESP-to-ESP communication For medium- and high-impact BCS, IRA requires the use of an intermediate system. There is NO low-impact requirement for IRA. 4

5 Dial-Up Access Medium-impact: CIP Requirement R1.4 Where technically feasible, perform authentication when establishing dial-up connectivity with applicable cyberassets. Low-impact: CIP Attachment 1, Section 3.2: Authenticate all dial-up connectivity, if any, that provides access to lowimpact BES Cyber System(s), per cyberasset capability. Examples Local authentication Dial-out Dial-back authentication Access control on the BCS 5

6 Outside Example 1 Medium-impact site, with ERC and IRA Intermediate System System To System (non-ira) IRA Medium Impact BCS 6

7 Outside Example 2 Low-impact BCS, with LERC and IRA System To System (non-ira) IRA (equivalent) Low Impact BCS 7

8 Outside Example 3 Low-, medium- or high-impact BCS, with a unidirectional gateway Inbound Data (blocked) Outbound Data (allowed) Low Impact BCS 8

9 Transient Cyberassets For medium- and high-impact BCS, need to have a plan that addresses CIP Attachment 1 Transient Cyber Asset Management Transient Cyber Asset Authorization Software Vulnerability Mitigation Malicious Code Mitigation Unauthorized Use Mitigation Low-impact BCS will have a similar requirement in CIP Need to have a plan that addresses CIP Attachment 1 Section 5 Responsible Entity shall implement, except under CIP Exceptional Circumstances, one or more plan(s) to achieve the objective of mitigating the risk of the introduction of malicious code to low-impact BES Cyber Systems through the use of Transient Cyber Assets or Removable Media. 9

10 Vendor Access Best case have the vendor use your transient asset. Next best option have a way to scan their asset before connecting it to your devices. Vendors will need to have a way to comply with CIP for medium- and high-impact BCS, and CIP Attachment 1 Section 5 for low-impact BCS. 10

11 Compliance vs. Security Compliance Rigid requirements Requirements lag behind current threats (>3 years) One size fits all approach Security Risk-based requirements Can be more responsive to current threats Unique to each organization 11

12 QUESTIONS?

13 Additional Reference Information 13

14 External Routable Connectivity Two versions: External Routable Connectivity (ERC) for medium- and high-impact BCS. Low-Impact External Routable Connectivity (LERC) for low-impact BES Cyber Systems (BCS) The NERC definition of ERC is: The ability to access a BES Cyber System from a cyberasset that is outside of its associated Electronic Security Perimeter (EAP) via a bi-directional routable protocol connection. 14

15 Interactive Remote Access The NERC definition of IRA is: User-initiated access by a person employing a remote access client or other remote access technology using a routable protocol. Remote access originates from a cyberasset that is not an Intermediate System and not located within any of the Responsible Entity s Electronic Security Perimeter(s) or at a defined EAP. Remote access may be initiated from: 1) cyberassets used or owned by the Responsible Entity, 2) cyberassets used or owned by employees, and 3) cyberassets used or owned by vendors, contractors, or consultants. Interactive remote access does not include system-to-system process communications. 15

16 Low-Impact Version of ERC The NERC CIP version 5 definition of Low-Impact External Routable Connectivity (LERC) is: Direct user initiated interactive access or a direct device to device connection to a low impact BES Cyber System(s) from a cyberasset outside the asset containing those low-impact BES Cyber System(s) via a bi directional routable protocol connection. Point to point communications between intelligent electronic devices that use routable communication protocols for time sensitive protection or control functions between transmission station or substation assets containing low-impact BES Cyber Systems are excluded from this definition (examples of this communication include, but are not limited to, IEC GOOSE or vendor proprietary protocols). This definition has been removed in NERC CIP

17 New Low-Impact Requirement CIP Attachment 1, Section 3.1: Permit only necessary inbound and outbound electronic access as determined by the Responsible Entity for any communications that are: i. between a low-impact BES Cyber System(s) and a cyberasset(s) outside the asset containing low-impact BES Cyber System(s); ii. using a routable protocol when entering or leaving the asset containing the low-impact BES Cyber System(s); and iii. not used for time-sensitive protection or control functions between intelligent electronic devices (e.g., communications using protocol IEC TR R-GOOSE). 17

18 Reference Model 1 From CIP Supplemental Material, page 36 18

19 Reference Model 2 From CIP Supplemental Material, page 37 19

20 Reference Model 3 From CIP Supplemental Material, page 38 20

21 Reference Model 4 From CIP Supplemental Material, page 39 21

22 Reference Model 5 From CIP Supplemental Material, page 40 22

23 Reference Model 6 From CIP Supplemental Material, page 41 23

24 Reference Model 7 From CIP Supplemental Material, page 42 24

25 Reference Model 8 From CIP Supplemental Material, pages

26 Reference Model 9 From CIP Supplemental Material, pages

27