Electronic Access Controls June 27, 2017 Kevin B. Perry Director, Critical Infrastructure Protection kperry.re@spp.org 501.614.3251 1
Electronic Access Point 2
What does your access control look like? 3
Corp Network Satellite Clock VLAN 20 / 192.168.20.0/24 VLAN 22 / 192.168.22.0/24 VLAN 24 / 192.168.24.0/24 A B C D Jump Host VLAN 21 / 192.168.21.0/24 VLAN 23 / 192.168.23.0/24 App DB HMI AD CFE Terminal s A, B, and C A/V WSUS RHEL Syslog Historian ESP Microsoft Windows Field Network Redhat Linux Firmware-based 4
Corp Network Satellite Clock VLAN 20 / 192.168.20.0/24 VLAN 22 / 192.168.22.0/24 VLAN 24 / 192.168.24.0/24 A B C D Jump Host VLAN 21 / 192.168.21.0/24 VLAN 23 / 192.168.23.0/24 App DB HMI AD CFE Terminal s A, B, and C A/V WSUS RHEL Syslog Historian ESP HTTP, HTTPS Listening Field Network 5
Corp Network ESP-Group Satellite Clock VLAN 20 / 192.168.20.0/24 VLAN 22 / 192.168.22.0/24 VLAN 24 / 192.168.24.0/24 A B C D Jump Host VLAN 21 / 192.168.21.0/24 VLAN 23 / 192.168.23.0/24 ESP App DB HMI AD CFE Terminal s A, B, and C A/V WSUS RHEL Syslog Historian DMZ-Group Field Network 6
Consider this object-group network ESP-Group network-object 192.168.20.0 255.255.255.0 network-object 192.168.21.0 255.255.255.0 network-object 192.168.22.0 255.255.255.0 object-group network DMZ-Group network-object 192.168.23.0 255.255.255.0 network-object 192.168.24.0 255.255.255.0 object-group service WSUS service-object icmp echo service-object icmp echo-reply service-object icmp time-exceeded service-object icmp unreachable service-object tcp destination eq www service-object tcp destination eq 443 service-object tcp destination eq 135 service-object tcp destination range 8530 8531 permit ESP_allow_in extended permit object-group WSUS object-group DMZ-Group object-group ESP-Group permit ESP_allow_out extended permit object-group WSUS object-group ESP-Group object-group DMZ-Group 7
Audience Participation Time What are the compliance concerns with the rules just shown? What are the risks posed by the rules as written? How would you make the access control lists better? (No fair looking ahead ) 8
Compliance Concerns CIP-005-5, Requirement R1, Part 1.3 states: Require inbound and outbound access permissions, including the reason for granting access, and deny all other access by default Expectation: Inbound and outbound permissions are demonstrably needed Inbound and outbound permissions are tightly restricted 9
Compliance Concerns Object groups are not sufficiently granular ESP-Group encompasses every Cyber Asset within the ESP DMZ-Group encompasses every Cyber Asset in the DMZ WSUS defines every port (service) that is required for any reason to support WSUS, plus some not required by WSUS No consideration of reason for the port No consideration of direction of traffic flow This example will result in a Potential Non-Compliance 10
Compliance Concerns From Microsoft TechNet: Configure the firewall to allow communication for the HTTP and HTTPS ports used by the WSUS server. By default, a WSUS server that is configured for the default Web site uses port 80 for HTTP and port 443 for HTTPS. By default, the WSUS server uses port 8530 for HTTP and port 8531 for HTTPS if it is using the WSUS custom Web site References: https://technet.microsoft.com/en-us/library/bb693717.aspx https://technet.microsoft.com/en-us/library/bb632477.aspx 11
Risks Posed by the Rules Full DMZ ESP inbound and outbound access Even with port limitation, such broad IP ranges are not warranted in a Control Center network environment Reciprocal rules not required with a stateful firewall Unnecessarily increases the attack surface ICMP not required for WSUS purposes Although limited to only the ping and traceroute commands, ICMP can be used by a malicious attacker to perform network reconnaissance 12
Risks Posed by the Rules WSUS uses either ports 80/443 or 8530/8531 per the TechNet bulletins. Ports only listening on the WSUS server Listening ports configured when WSUS is installed Ports required to download patches from an upstream server or Microsoft web site. No requirement for the WSUS server to connect to the client Cyber Assets, thus inbound rules not required 13
Risks Posed by the Rules Only Microsoft Windows-based Cyber Assets are supported by WSUS Outbound rules should permit either ports 80/443 or 8530/8531 from the operator consoles and Active Directory server to the WSUS server Permitting broad outbound access increases the ability of malware to contact its command and control system through a compromised proxy in the non-esp networks 14
Risks Posed by the Rules Permitting port 80 and 443 from every Cyber Asset in the DMZ inadvertently exposes the CFE terminal servers to malicious configuration interface access Any external remote access to the CFE terminal servers using web services needs to go through the Intermediate System (jump host) Malicious actor could access and reconfigure the CFE terminal servers and disrupt SCADA/EMS communication with the generating plants and substations 15
Corp Network Satellite Clock VLAN 20 / 192.168.20.0/24 VLAN 22 / 192.168.22.0/24 VLAN 24 / 192.168.24.0/24 A B C D Jump Host VLAN 21 / 192.168.21.0/24 VLAN 23 / 192.168.23.0/24 App DB HMI AD CFE Terminal s A, B, and C A/V WSUS RHEL Syslog Historian ESP HTTP, HTTPS Listening Field Network Windows Clients in the ESP 16
Improving the Access Control Lists object-group network Windows-Systems network-object object _A network-object object _B network-object object _C network-object object _D network-object object AD_ object network WSUS- host 192.168.23.102 object-group service WSUS service-object tcp destination range 8530 8531 permit ESP_allow_out extended permit object-group WSUS object-group Windows-Systems object WSUS- Define similar tight rules for interaction with the Active Directory server, RHEL update server, anti-virus server, the syslog server, and between the primary and backup Control Center ESPs 17
Active Directory Current design AD server is inside the ESP to allow normal operation with the outside interface of the firewall disconnected in an emergency DMZ Cyber Assets have to reach into the ESP to access the AD server Default AD server configuration (Dynamic RPC) exposes the ESP to approximately 95% of all possible ports Exposure is magnified if inbound access is not limited to just the AD server 18
Active Directory Required ports Dynamic RPC (default) configuration Service RPC endpoint mapper Network basic input/output system (NetBIOS) name service NetBIOS datagram service NetBIOS session service RPC dynamic assignment message block (SMB) over IP (Microsoft-DS) Lightweight Directory Access Protocol (LDAP) LDAP ping LDAP over SSL Global catalog LDAP Global catalog LDAP over SSL Kerberos Domain Name Service (DNS) Windows Internet Naming Service (WINS) resolution (if required) WINS replication (if required) Source: https://technet.microsoft.com/en-us/library/bb727063.aspx Port/protocol 135/tcp, 135/udp 137/tcp, 137/udp 138/udp 139/tcp 1024-65535/tcp 445/tcp, 445/udp 389/tcp 389/udp 636/tcp 3268/tcp 3269/tcp 88/tcp, 88/udp 53/tcp1, 53/udp 1512/tcp, 1512/udp 42/tcp, 42/udp 19
Active Directory Dynamic RPC (default) configuration Pros: No special server configuration Cons: Turns the firewall into "Swiss cheese" Random incoming high-port connections Insecure firewall configuration 20
Active Directory Required Ports Limited RPC configuration Service Port/protocol RPC endpoint mapper 135/tcp, 135/udp NetBIOS name service 137/tcp, 137/udp NetBIOS datagram service 138/udp NetBIOS session service 139/tcp RPC static port for AD replication <AD-fixed-port>/TCP RPC static port for FRS <FRS-fixed-port>/TCP SMB over IP (Microsoft-DS) 445/tcp, 445/udp LDAP 389/tcp LDAP ping 389/udp LDAP over SSL 636/tcp Global catalog LDAP 3268/tcp Global catalog LDAP over SSL 3269/tcp Kerberos 88/tcp, 88/udp DNS 53/tcp, 53/udp WINS resolution (if required) 1512/tcp, 1512/udp WINS replication (if required) 42/tcp, 42/udp Source: https://technet.microsoft.com/en-us/library/bb727063.aspx 21
Active Directory Limited RPC configuration Pros: More secure than dynamic RPC only two open high ports Cons: Registry modification to all Active Directory servers Instructions for selecting the high ports and modifying the Registry are found in: https://technet.microsoft.com/en-us/library/bb727063.aspx 22
Active Directory But wait It can get even better Currently, the DMZ Cyber Assets need to punch through the firewall to access the Active Directory server Every permitted port is another opportunity for exploit A read-only domain controller (RODC) is a new type of domain controller in the Windows 2008 operating system. Eliminates need for inbound port permissions to the Active Directory server inside the ESP 23
Corp Network Satellite Clock VLAN 20 / 192.168.20.0/24 VLAN 22 / 192.168.22.0/24 VLAN 24 / 192.168.24.0/24 A B C D Jump Host VLAN 21 / 192.168.21.0/24 VLAN 23 / 192.168.23.0/24 App DB HMI AD CFE Terminal s A, B, and C AD (RODC) A/V WSUS RHEL Syslog Historian ESP Field Network 24
Read-Only Active Directory Read-only AD DS database Except for account passwords, an RODC holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the database that is stored on the RODC. Changes must be made on a writable domain controller and then replicated back to the RODC. Unidirectional replication Because no changes are written directly to the RODC, no changes originate at the RODC. Accordingly, writable domain controllers that are replication partners do not have to pull changes from the RODC. This means that any changes or corruption that a malicious user might make to the DMZ Active Directory cannot replicate from the RODC to the rest of the forest. Source: https://technet.microsoft.com/en-us/library/cc732801(v=ws.10).aspx 25
Read-Only Active Directory One more thing to do Point the Cyber Assets inside the ESP to the Active Directory server inside the ESP Point the Cyber Assets outside the ESP to the Active Directory server in the DMZ Eliminate all AD-related permissions through the firewall from the DMZ into the ESP Frustrates the malicious actor too bad, so sad 26
Interactive Remote Access 27
28
What is Multi-Factor Authentication? Something you know: Password, passphrase, PIN Something you have: RSA token, CRYPTOcard, challenge/response card, cell phone Something you are: Biometrics (fingerprint, facial features, iris) 29
Something You Have This is the most misunderstood factor You need to be in physical possession You cannot stop off somewhere (electronically) and pick it up It cannot be publicly available The Guidelines and Technical Basis for CIP-005-5, Requirement R2 simply says See Secure Remote Access Reference Document (see remote access alert). Guidance for Secure Interactive Remote Access 30
Multi-Factor Scenario 1 Authentication is performed by the following sequence: Enter username and password One-time token is sent by the authentication server to your company email account Enter the one-time token value found in the email body You are authenticated Question: Is this a valid form of multi-factor authentication? NO 31
Multi-Factor Scenario 2 Authentication is performed by the following sequence: Enter username and password One-time token is generated using an app on your smart phone Enter the one-time token You are authenticated Question: Is this a valid form of multi-factor authentication? YES 32
Multi-Factor Scenario 3 Authentication is performed by the following sequence: Enter username and password to authenticate to a Citrix server (not the Intermediate System) Connect to the Intermediate System from the Citrix server Enter your username and password Enter the password to enable use of your digital certificate, stored in your user profile on the Citrix server You are authenticated Question: Is this a valid form of multi-factor authentication? NO 33
Multi-Factor Scenario 4 Authentication is performed by the following sequence: Connect to the Intermediate System from your laptop Enter your username and password Enter the password to enable use of your digital certificate, stored in your user profile on your laptop You are authenticated Question: Is this a valid form of multi-factor authentication? Yes, but 34
Multi-Factor Scenario 5 Authentication is performed by the following sequence: Enter username and password The authentication system places a call to a pre-registered phone number (cell or landline) Answer the phone and respond as instructed You are authenticated Question: Is this a valid form of multi-factor authentication? YES (cell phone would be best) 35
Multi-Factor Scenario 6 Authentication is performed by the following sequence: Insert USB key containing your digital certificate into your laptop Launch your VPN client on your laptop and connect to the VPN concentrator (upstream from the Intermediate System) Enter the passcode required to use your digital certificate You are authenticated Question: Is this a valid form of multi-factor authentication? YES 36
Multi-Factor Scenario 7 Authentication is performed by the following sequence: Log into your laptop using your fingerprint in lieu of entering your username and password Once logged in, connect to the Intermediate System with a username and password You are authenticated Question: Is this a valid form of multi-factor authentication? You would think so, but, NO 37
Summary Electronic Access Point You want tight ingress and egress access controls Access in and out needs to be limited to what is necessary to operate, not for convenience Multi-Factor Authentication Two of three: something you know, something you have, something you are You need to be in sole possession of something you have 38
SPP RE CIP Team Kevin Perry, Director of Critical Infrastructure Protection (501) 614-3251 Shon Austin, Lead Compliance Specialist-CIP (501) 614-3273 Ted Bell, Senior Compliance Specialist-CIP (501) 614-3535 Jeremy Withers, Senior Compliance Specialist-CIP (501) 688-1676 Robert Vaughn, Compliance Specialist II-CIP (501) 482-2301 Sushil Subedi, Compliance Specialist II-CIP (501) 482-2332 39