Interactive Remote Access
Compliance Workshop
October 27, 2016
Eric Weston
Compliance Auditor, Cyber Security

Agenda
- Interactive Remote Access Overview
- Review of Use Cases and Strategy

Interactive Remote Access Overview
What is Interactive Remote Access?
- User Initiated Access
- No direct access from outside the ESP except through an Intermediate System
- Does Not:
  - Originate from an Intermediate System
  - Reside within any ESP or at an EAP
  - Include System to System Process Communications

Interactive Remote Access Overview
What is an Intermediate System?
- Cyber Asset or Collection of Cyber Assets
- Used to Restrict IRA only to Authorized Users
- Must not be Located inside the Electronic Security Perimeter

IRA Use Cases
Basic Intermediate System
[Diagram. Recoverable callout text: the remote user initiates a connection to the Intermediate System; communications must be encrypted; the user is then validated using multi-factor authentication; a remote connection can be established with systems inside the ESP.]

IRA Use Cases
Multiple Device Intermediate System

IRA Use Cases
Protecting Intermediate System with DMZ

IRA Use Cases
Jump Host / Bastion Host

IRA Use Cases
Proxy Device

IRA Mitigating Risk
- Use IRA Only for Support and Maintenance
- Limit Access Only to Necessary Users
- Limit Allowable Protocols
- Limit Connection Times
- Keep Number of Devices in the Intermediate System as Few as Possible

IRA Mitigating Risk
- Keep Security Patches and Malware Signatures up to date
- Scrutinize & Review Traffic and User Activities
- Additional Guidance can be found in the NERC document Guidance for Secure Interactive Remote Access [1]

[1] http://www.nerc.com/pa/rrm/bpsa/alerts%20dl/2011%20alerts/final Guidance_for_Secure_Interactive_Remote_Access.pdf

In Order No. 822 [1], FERC directed NERC to perform a study to obtain information on the effectiveness of remote access implementations. NERC must assess:
- The effectiveness of the CIP version 5 remote access controls;
- The risks posed by remote access related threats and vulnerabilities; and
- The appropriate mitigating controls for any identified risks.

[1] FERC, 2016, Revised Critical Infrastructure Protection Reliability Standards, 154 FERC ¶ 61,037, P. 13

- Entities audited between July 1, 2016 and May 15, 2017 will be included in the study
- Information sent to NERC/FERC will be generalized
- No identifying entity information will be included
- No network addresses, diagrams, host names, etc. will be included

Evaluate Entity's Electronic Security Perimeters:
- Applicable Access Controls
- Intrusion Detection Capabilities
- Malware Prevention Capabilities

Evaluate Interactive Remote Access:
- Document Any Notable Strengths or Weaknesses
- Session Protection and Monitoring
- Identification and Protection of Intermediate Systems
- Use of Authentication
- Risks Posed by Corporate Networks to Intermediate Systems

Evaluate System to System Communications across ESP and:
- Protections Provided
- Communications Protocols Used
- Any Notable Strengths or Weaknesses

Evaluate Vulnerabilities relating to Ukraine Specific Remote Access:
- Any Implemented Controls to Address the Vulnerabilities

Wrap Up
- All Interactive Remote Access Must be Provided the Protections of CIP-005-5 R2 and its Parts
- Intermediate Systems and IRA can be Implemented Many Ways
- Develop Methods that Work for your Organization
- IRA is a Potential Vulnerability, Take Steps to Mitigate the Risk
- is to Evaluate Current Risk Remote Access Creates and How the CIP Standards Help Mitigate that Risk

Contact Info
Eric Weston
801.819.7630
eweston@wecc.biz