i-pcgrid WORKSHOP 2016 INTERACTIVE REMOTE ACCESS siemens.com/ruggedcom
INTERACTIVE REMOTE ACCESS - INTELLIGENT ELECTRONIC DEVICES
Intelligent Electronic Devices (IEDs): Devices that can provide real-time monitoring, measurements, control, and protection of the high voltage power grid assets. These may include meters, relays, Remote Terminal Units (RTUs), Digital Fault Recorders (DFRs), breakers, and transformer monitors.

INTERACTIVE REMOTE ACCESS - MOTIVATION
ICS-CERT responses to sector-specific cyber security threats across the critical infrastructure sectors in the U.S. in 2014
The most published vulnerabilities in critical infrastructure are in the Energy area.
[Chart: number of incidents and percentage of incidents per sector; percentages related to the total response for 2014]
Source: The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) https://ics-cert.us-cert.gov/sites/default/files/monitors/ics-cert_monitor_sep2014-feb2015.pdf

INTERACTIVE REMOTE ACCESS - GUIDANCE
Following Key-Guidelines (describing "What should be done"): NERC CIP; NIST Cyber Sec. Framework; BDEW white paper
Compliant with Key-Standards (describing "How should it be done"): ISO/IEC 62443 (System Security); ISO/IEC 62351 (Communication Security); ISO/IEC 27001/27019 (Security Mgmt)
Conform to regulatory requirements (describing "what must be done"): IT Security Law; Security Catalogue; Protection Profile
- Follow industry standards, i.e. bdew
- Report on incidents
- Implementation and Certification of an Information Security Management System (ISMS)
- Cryptographic requirements for Smart Metering
- Assessment and certification of ICS systems
- Auditable compliance is required for bulk power systems (since 2010)

INTERACTIVE REMOTE ACCESS - DEFENSE IN DEPTH
Defense in depth is the concept of protecting a computer network with a series of defensive mechanisms such that if one mechanism fails, another will already be in place to thwart an attack.

INTERACTIVE REMOTE ACCESS - DEFENSE IN DEPTH
[Illustration labels: House Lights; Dog barking; House alarm; Police called]
In general, one line of defense may not be enough, but with several systems in place, it can help to deter.

INTERACTIVE REMOTE ACCESS - NERC CIP REQUIREMENTS

CIP STANDARD: CIP-002-5.1
CIP REQUIREMENT: CIP-002-5.1 - Attachment 1
DESCRIPTION: Situational Awareness - includes activities, actions and conditions established by policy, directive or standard operating procedure necessary to assess the current condition of the BES and anticipate effects of planned and unplanned changes to conditions.

CIP STANDARD: CIP-005-5
CIP REQUIREMENT: Electronic Security Perimeter
DESCRIPTION: To manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.

CIP STANDARD: CIP-007-5, CIP-007-6
CIP REQUIREMENT: System Security Management
DESCRIPTION: To manage system security by specifying select technical, operational, and procedural requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.

CIP STANDARD: CIP-010-1, CIP-010-2
CIP REQUIREMENT: Configuration Change Management and Vulnerability Assessments
DESCRIPTION: To prevent and detect unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise that could lead to misoperation or instability in the Bulk Electric System (BES).

NERC addresses security and remote access in requirements like those listed above.

INTERACTIVE REMOTE ACCESS - NERC CIP DEFENSE IN DEPTH

CIP / TABLE / PART: CIP-004-5.1 R1 1.1
APPLICABILITY: High Impact BES Cyber Systems and Medium Impact BES Cyber Systems
REQUIREMENTS: Security awareness that, at least once each calendar quarter, reinforces cyber security practices (which may include associated physical security practices) for the Responsible Entity's personnel who have authorized electronic or authorized unescorted physical access to BES Cyber Systems.

CIP / TABLE / PART: CIP-005-5 R1 1.1
APPLICABILITY: High/Medium
REQUIREMENTS: All applicable Cyber Assets connected to a network via a routable protocol shall reside within a defined ESP.

CIP / TABLE / PART: CIP-005-5 R1 1.2
APPLICABILITY: High w/ERC & Medium w/ERC
REQUIREMENTS: All External Routable Connectivity must be through an identified Electronic Access Point (EAP).

CIP / TABLE / PART: CIP-005-5 R1 1.3
APPLICABILITY: EAP for High BES & EAP for Medium BES Cyber Systems
REQUIREMENTS: Require inbound and outbound access permissions, including the reason for granting access, and deny all other access by default.

CIP / TABLE / PART: CIP-005-5 R1 1.5
APPLICABILITY: EAP for High BES & EAP for Medium BES Cyber Systems
REQUIREMENTS: Have one or more methods for detecting known or suspected malicious communications for both inbound and outbound communications.

Just some of the process requirements NERC has that help to address Defense in Depth.

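
The CIP-005-5 R1 Part 1.3 requirement above (inbound and outbound permissions, each with a reason, and everything else denied by default) can be checked mechanically against an EAP rule list. This is an added example, not part of the original slides; the Rule format, field names, and sample addresses are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    direction: str    # "inbound" or "outbound", relative to the ESP
    action: str       # "permit" or "deny"
    src: str          # address or "any"
    dst: str          # address or "any"
    port: str         # port number or "any"
    reason: str = ""  # documented reason for granting access

def is_catch_all(rule):
    return (rule.src, rule.dst, rule.port) == ("any", "any", "any")

def audit_eap(rules):
    """Return findings for an ordered, first-match EAP rule list."""
    findings = []
    for direction in ("inbound", "outbound"):
        scoped = [r for r in rules if r.direction == direction]
        # Deny by default: the final rule must be an explicit catch-all deny.
        if not scoped or scoped[-1].action != "deny" or not is_catch_all(scoped[-1]):
            findings.append(f"{direction}: no default deny as final rule")
        for n, rule in enumerate(scoped, start=1):
            if rule.action != "permit":
                continue
            # Every granted permission needs its reason on record.
            if not rule.reason.strip():
                findings.append(f"{direction} rule {n}: permit without documented reason")
            # A permit that matches everything makes the default deny meaningless.
            if is_catch_all(rule):
                findings.append(f"{direction} rule {n}: permit-all defeats deny by default")
    return findings

# Constructed sample rule set (addresses and reasons are invented).
SAMPLE_RULES = [
    Rule("inbound", "permit", "10.10.0.5", "192.168.1.20", "22",
         "Relay engineering access from Intermediate System"),
    Rule("inbound", "permit", "10.10.0.9", "192.168.1.30", "443"),
    Rule("inbound", "deny", "any", "any", "any"),
    Rule("outbound", "permit", "192.168.1.20", "10.10.0.7", "514",
         "Syslog to monitoring server"),
]

if __name__ == "__main__":
    for finding in audit_eap(SAMPLE_RULES):
        print(finding)
```
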
INTERACTIVE REMOTE ACCESS - INTERACTIVE REMOTE ACCESS MGMT
NERC requirement for an Intermediate System for High and Medium Impact BES Cyber Systems

INTERACTIVE REMOTE ACCESS - DEFINITIONS
Relevant Definitions in the NERC Glossary of Terms:
Interactive Remote Access: User-initiated access by a person employing a remote access client or other remote access technology using a routable protocol. Remote access originates from a Cyber Asset that is not an Intermediate System and not located within any of the Responsible Entity's Electronic Security Perimeter(s) (ESP) or at a defined Electronic Access Point (EAP). Remote access may be initiated from:
1) Cyber Assets used or owned by the Responsible Entity,
2) Cyber Assets used or owned by employees, and
3) Cyber Assets used or owned by vendors, contractors, or consultants.
Interactive remote access does not include system-to-system process communications.
SOURCE: Lesson Learned: CIP Version 5 Transition Program, CIP-005-5 R2: Interactive Remote Access, Version: April 29, 2015

INTERACTIVE REMOTE ACCESS - DEFINITIONS
Relevant Definitions in the NERC Glossary of Terms:
Intermediate System: A Cyber Asset or collection of Cyber Assets performing access control to restrict Interactive Remote Access to only authorized users. The Intermediate System must not be located inside the Electronic Security Perimeter.
SOURCE: Lesson Learned: CIP Version 5 Transition Program, CIP-005-5 R2: Interactive Remote Access, Version: April 29, 2015

INTERACTIVE REMOTE ACCESS - REMOTE ACCESS METHODS
TUNNELING: Tunnels are typically established through virtual private network (VPN) technologies. Once a VPN tunnel has been established between a remote client device and the organization's VPN gateway, the remote user can access the remote devices.
APPLICATION PORTALS: An application portal is a server that offers access to one or more applications through a single centralized interface.
REMOTE DESKTOP APPLICATIONS: A remote desktop access solution gives a user the ability to remotely control a particular IED from their remote location. The user has control over the remote device and can access, log in, and configure the remote device.
DIRECT APPLICATION ACCESS: Remote access can be accomplished without using remote access software. A teleworker can access an individual application directly, with the application providing its own security (communications encryption, user authentication, etc.).

INTERACTIVE REMOTE ACCESS - INTERMEDIATE SYSTEM REQUIREMENTS / INTENT
- TWO FACTOR AUTHENTICATION
- ENCRYPTION TERMINATES AT INTERMEDIATE SYSTEM
- PROVIDES PROTOCOL BREAK

INTERACTIVE REMOTE ACCESS - SUMMARY
- Cyber Security attacks are up
- Embrace Cyber Security Best Practices
- Implement a SECURE Interactive Remote Access solution.
"There are two types of companies in the world: those that know they've been hacked, and those that don't." (Misha Glenny)

INTERACTIVE REMOTE ACCESS Thank you. Questions?
Jeff Foley
Business Development Manager
SIEMENS RUGGEDSOLUTION
Process Industries and Drives Division
Phone: +1 (954) 922-7938
E-mail: jeff.foley@siemens.com