Electronic Access Controls, June 27, 2017. Kevin B. Perry, Director, Critical Infrastructure Protection


Electronic Access Controls
June 27, 2017
Kevin B. Perry, Director, Critical Infrastructure Protection
kperry.re@spp.org, 501.614.3251

Electronic Access Point

What does your access control look like?

[Network diagram: the Corp Network connects through the firewall (interfaces A, B, C, D) to the Control Center networks. ESP: VLAN 20 / 192.168.20.0/24, VLAN 21 / 192.168.21.0/24 and VLAN 22 / 192.168.22.0/24, holding the App, DB, HMI and AD servers and CFE Terminal Servers A, B, and C, with the Field Network behind the terminal servers. DMZ: VLAN 23 / 192.168.23.0/24 and VLAN 24 / 192.168.24.0/24, holding the Jump Host and the A/V, WSUS, RHEL, Syslog and Historian servers. A Satellite Clock is also shown. Legend: Microsoft Windows, Red Hat Linux, firmware-based.]

[Same diagram, with the WSUS server in the DMZ marked "HTTP, HTTPS Listening".]

[Same diagram, with the three ESP VLANs grouped as ESP-Group and the two DMZ VLANs grouped as DMZ-Group.]

Consider this (Cisco ASA syntax; the access-list keyword was lost in transcription and is restored here):

object-group network ESP-Group
 network-object 192.168.20.0 255.255.255.0
 network-object 192.168.21.0 255.255.255.0
 network-object 192.168.22.0 255.255.255.0
object-group network DMZ-Group
 network-object 192.168.23.0 255.255.255.0
 network-object 192.168.24.0 255.255.255.0
object-group service WSUS
 service-object icmp echo
 service-object icmp echo-reply
 service-object icmp time-exceeded
 service-object icmp unreachable
 service-object tcp destination eq www
 service-object tcp destination eq 443
 service-object tcp destination eq 135
 service-object tcp destination range 8530 8531
access-list ESP_allow_in extended permit object-group WSUS object-group DMZ-Group object-group ESP-Group
access-list ESP_allow_out extended permit object-group WSUS object-group ESP-Group object-group DMZ-Group

Audience Participation Time
- What are the compliance concerns with the rules just shown?
- What are the risks posed by the rules as written?
- How would you make the access control lists better? (No fair looking ahead.)

Compliance Concerns
CIP-005-5, Requirement R1, Part 1.3 states: "Require inbound and outbound access permissions, including the reason for granting access, and deny all other access by default."
Expectation:
- Inbound and outbound permissions are demonstrably needed
- Inbound and outbound permissions are tightly restricted

Compliance Concerns
- Object groups are not sufficiently granular
  - ESP-Group encompasses every Cyber Asset within the ESP
  - DMZ-Group encompasses every Cyber Asset in the DMZ
  - WSUS defines every port (service) that is required for any reason to support WSUS, plus some not required by WSUS
- No consideration of the reason for each port
- No consideration of the direction of traffic flow
- This example will result in a Potential Non-Compliance

Compliance Concerns
From Microsoft TechNet: "Configure the firewall to allow communication for the HTTP and HTTPS ports used by the WSUS server. By default, a WSUS server that is configured for the default Web site uses port 80 for HTTP and port 443 for HTTPS. By default, the WSUS server uses port 8530 for HTTP and port 8531 for HTTPS if it is using the WSUS custom Web site."
References:
- https://technet.microsoft.com/en-us/library/bb693717.aspx
- https://technet.microsoft.com/en-us/library/bb632477.aspx

Risks Posed by the Rules
- Full DMZ-to-ESP access, inbound and outbound
  - Even with port limitation, such broad IP ranges are not warranted in a Control Center network environment
  - Reciprocal rules are not required with a stateful firewall: return traffic for a permitted connection is allowed by the connection state, so a rule in the opposite direction only opens new connections
  - Unnecessarily increases the attack surface
- ICMP is not required for WSUS purposes
  - Although limited to the types used by the ping and traceroute commands, ICMP can be used by a malicious attacker to perform network reconnaissance

Risks Posed by the Rules
- WSUS uses either ports 80/443 or 8530/8531 per the TechNet bulletins
  - These ports are listening ports on the WSUS server only
  - The listening ports are configured when WSUS is installed
  - Outbound from WSUS, ports are required only to download patches from an upstream server or the Microsoft web site
- There is no requirement for the WSUS server to connect to the client Cyber Assets, thus inbound rules are not required

Risks Posed by the Rules
- Only Microsoft Windows-based Cyber Assets are supported by WSUS
- Outbound rules should permit either ports 80/443 or 8530/8531 from the operator consoles and Active Directory server to the WSUS server
- Permitting broad outbound access increases the ability of malware to contact its command and control system through a compromised proxy in the non-ESP networks

Risks Posed by the Rules
- Permitting ports 80 and 443 from every Cyber Asset in the DMZ inadvertently exposes the CFE terminal servers to malicious configuration interface access
- Any external remote access to the CFE terminal servers using web services needs to go through the Intermediate System (jump host)
- A malicious actor could access and reconfigure the CFE terminal servers and disrupt SCADA/EMS communication with the generating plants and substations

[Same diagram, marking the Windows clients in the ESP and the WSUS server as "HTTP, HTTPS Listening".]

Improving the Access Control Lists

object-group network Windows-Systems
 network-object object _A
 network-object object _B
 network-object object _C
 network-object object _D
 network-object object AD_
object network WSUS-
 host 192.168.23.102
object-group service WSUS
 service-object tcp destination range 8530 8531
access-list ESP_allow_out extended permit object-group WSUS object-group Windows-Systems object WSUS-

Define similar tight rules for interaction with the Active Directory server, RHEL update server, anti-virus server, the syslog server, and between the primary and backup Control Center ESPs.
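To make the difference between the two rule sets concrete, the following evaluator is an added example written for this page; it is not SPP tooling and not part of the original slides. It parses the subset of ASA object-group syntax used above and answers "is this flow permitted?" with first-match semantics and the implicit deny that the ASA applies at the end of every access list. The WSUS address (192.168.23.102) comes from the slide; the console and AD addresses, the jump host and CFE terminal server addresses, and the object names Windows-Systems and WSUS-Server are assumptions made for the example.

```python
"""Offline checker for ASA object-group ACLs. Example added for this page, not SPP tooling.
It parses the subset of ASA syntax the slides use and evaluates flows with first-match
semantics plus the implicit deny that ASA applies at the end of every ACL."""
import ipaddress

ICMP_TYPES = {"echo": 8, "echo-reply": 0, "time-exceeded": 11, "unreachable": 3}
PORT_NAMES = {"www": 80, "https": 443}

# Rule set from slide 7, with "access-list" restored in front of each ACE.
BEFORE = """
object-group network ESP-Group
 network-object 192.168.20.0 255.255.255.0
 network-object 192.168.21.0 255.255.255.0
 network-object 192.168.22.0 255.255.255.0
object-group network DMZ-Group
 network-object 192.168.23.0 255.255.255.0
 network-object 192.168.24.0 255.255.255.0
object-group service WSUS
 service-object icmp echo
 service-object icmp echo-reply
 service-object icmp time-exceeded
 service-object icmp unreachable
 service-object tcp destination eq www
 service-object tcp destination eq 443
 service-object tcp destination eq 135
 service-object tcp destination range 8530 8531
access-list ESP_allow_in extended permit object-group WSUS object-group DMZ-Group object-group ESP-Group
access-list ESP_allow_out extended permit object-group WSUS object-group ESP-Group object-group DMZ-Group
"""

# Rule set from slide 17. The WSUS address is from the slide; console and AD addresses are assumed.
AFTER = """
object network WSUS-Server
 host 192.168.23.102
object-group network Windows-Systems
 network-object host 192.168.20.11
 network-object host 192.168.20.12
 network-object host 192.168.20.13
 network-object host 192.168.20.14
 network-object host 192.168.21.10
object-group service WSUS
 service-object tcp destination range 8530 8531
access-list ESP_allow_out extended permit object-group WSUS object-group Windows-Systems object WSUS-Server
"""

def parse_asa(text):
    """Return (networks, services, acls): name -> [IPv4Network], name -> [(proto, lo, hi)],
    acl name -> [(action, service_group, source, destination)]."""
    networks, services, acls, cur = {}, {}, {}, None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] in ("object-group", "object"):      # object-group network|service NAME / object network NAME
            cur = t[2]
            (services if t[1] == "service" else networks).setdefault(cur, [])
        elif t[0] == "host":                        # host A.B.C.D inside an object network
            networks[cur].append(ipaddress.ip_network(t[1]))
        elif t[0] == "network-object":              # network-object host A.B.C.D | A.B.C.D MASK
            networks[cur].append(ipaddress.ip_network(t[2] if t[1] == "host" else f"{t[1]}/{t[2]}"))
        elif t[0] == "service-object":
            if t[1] == "icmp":                      # icmp TYPE: the ICMP type plays the role of the port
                services[cur].append(("icmp", ICMP_TYPES[t[2]], ICMP_TYPES[t[2]]))
            else:                                   # tcp|udp destination eq PORT | range LO HI
                lo = PORT_NAMES.get(t[4]) or int(t[4])
                services[cur].append((t[1], lo, int(t[5]) if t[3] == "range" else lo))
        elif t[0] == "access-list":                 # access-list NAME extended ACTION object-group SVC <kw> SRC <kw> DST
            acls.setdefault(t[1], []).append((t[3], t[5], t[7], t[9]))
    return networks, services, acls

class AclEvaluator:
    def __init__(self, config_text):
        self.networks, self.services, self.acls = parse_asa(config_text)

    def _svc(self, name, proto, port):
        return any(p == proto and lo <= port <= hi for p, lo, hi in self.services[name])

    def permitted(self, acl, proto, src, dst, port):
        """First matching ACE decides; no match, or no such ACL, means deny."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for action, svc, s, d in self.acls.get(acl, []):
            if (self._svc(svc, proto, port) and any(src in n for n in self.networks[s])
                    and any(dst in n for n in self.networks[d])):
                return action == "permit"
        return False

    def exposure(self, acl, proto, port):
        """(source, destination) address pairs allowed to reach 'port'; assumes non-overlapping permit ACEs."""
        return sum(sum(n.num_addresses for n in self.networks[s]) * sum(n.num_addresses for n in self.networks[d])
                   for action, svc, s, d in self.acls.get(acl, []) if action == "permit" and self._svc(svc, proto, port))

JUMP_HOST, CFE_TS_A, WSUS = "192.168.24.10", "192.168.22.21", "192.168.23.102"  # first two are assumed addresses

def compare(flow_name):
    """Evaluate one named flow against both rule sets; returns (permitted before, permitted after)."""
    flows = {"dmz_to_cfe_http": ("ESP_allow_in", "tcp", JUMP_HOST, CFE_TS_A, 80),        # slide 15 exposure
             "dmz_ping_esp": ("ESP_allow_in", "icmp", JUMP_HOST, "192.168.21.10", 8),     # reconnaissance
             "console_to_wsus": ("ESP_allow_out", "tcp", "192.168.20.11", WSUS, 8530),   # the flow WSUS needs
             "cfe_to_wsus": ("ESP_allow_out", "tcp", CFE_TS_A, WSUS, 8530)}              # non-Windows host
    return tuple(AclEvaluator(cfg).permitted(*flows[flow_name]) for cfg in (BEFORE, AFTER))
```

Running the four flows shows the original rule set permitting the jump host to reach a CFE terminal server on tcp/80 and to ping into the ESP, while the tightened set permits only the five Windows hosts to reach the WSUS server on 8530-8531. The exposure count makes the same point numerically: tcp/80 from the DMZ into the ESP covers 512 x 768 address pairs before and zero after. The evaluator only understands the syntax on the slides (no ranges inside network objects, no port-name table beyond www/https, no deny ACEs interleaved by line number), so treat it as a review aid, not a substitute for packet-tracer on the ASA itself.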

Active Directory
Current design:
- The AD server is inside the ESP to allow normal operation with the outside interface of the firewall disconnected in an emergency
- DMZ Cyber Assets have to reach into the ESP to access the AD server
- The default AD server configuration (dynamic RPC) exposes the ESP to the whole 1024-65535/tcp range, roughly 98% of all TCP ports
- The exposure is magnified if inbound access is not limited to just the AD server

Active Directory Required Ports, Dynamic RPC (default) configuration

Service                                                      Port/protocol
RPC endpoint mapper                                          135/tcp, 135/udp
Network basic input/output system (NetBIOS) name service     137/tcp, 137/udp
NetBIOS datagram service                                     138/udp
NetBIOS session service                                      139/tcp
RPC dynamic assignment                                       1024-65535/tcp
Server message block (SMB) over IP (Microsoft-DS)            445/tcp, 445/udp
Lightweight Directory Access Protocol (LDAP)                 389/tcp
LDAP ping                                                    389/udp
LDAP over SSL                                                636/tcp
Global catalog LDAP                                          3268/tcp
Global catalog LDAP over SSL                                 3269/tcp
Kerberos                                                     88/tcp, 88/udp
Domain Name Service (DNS)                                    53/tcp, 53/udp
Windows Internet Naming Service (WINS) resolution (if required)   1512/tcp, 1512/udp
WINS replication (if required)                               42/tcp, 42/udp

Source: https://technet.microsoft.com/en-us/library/bb727063.aspx

Active Directory, Dynamic RPC (default) configuration
Pros:
- No special server configuration
Cons:
- Turns the firewall into "Swiss cheese"
- Random incoming high-port connections
- Insecure firewall configuration

Active Directory Required Ports, Limited RPC configuration

Service                                   Port/protocol
RPC endpoint mapper                       135/tcp, 135/udp
NetBIOS name service                      137/tcp, 137/udp
NetBIOS datagram service                  138/udp
NetBIOS session service                   139/tcp
RPC static port for AD replication        <AD-fixed-port>/tcp
RPC static port for FRS                   <FRS-fixed-port>/tcp
SMB over IP (Microsoft-DS)                445/tcp, 445/udp
LDAP                                      389/tcp
LDAP ping                                 389/udp
LDAP over SSL                             636/tcp
Global catalog LDAP                       3268/tcp
Global catalog LDAP over SSL              3269/tcp
Kerberos                                  88/tcp, 88/udp
DNS                                       53/tcp, 53/udp
WINS resolution (if required)             1512/tcp, 1512/udp
WINS replication (if required)            42/tcp, 42/udp

Source: https://technet.microsoft.com/en-us/library/bb727063.aspx

Active Directory, Limited RPC configuration
Pros:
- More secure than dynamic RPC: only two open high ports
Cons:
- Registry modification required on all Active Directory servers
Instructions for selecting the high ports and modifying the Registry are found in: https://technet.microsoft.com/en-us/library/bb727063.aspx

Active Directory
But wait, it can get even better:
- Currently, the DMZ Cyber Assets need to punch through the firewall to access the Active Directory server
- Every permitted port is another opportunity for exploit
- A read-only domain controller (RODC) is a type of domain controller introduced in Windows Server 2008
- Placing an RODC in the DMZ eliminates the need for inbound port permissions to the Active Directory server inside the ESP

[Same diagram, with a read-only domain controller, AD (RODC), added to the DMZ alongside the A/V, WSUS, RHEL, Syslog and Historian servers.]

Read-Only Active Directory
Read-only AD DS database: "Except for account passwords, an RODC holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the database that is stored on the RODC. Changes must be made on a writable domain controller and then replicated back to the RODC."
Unidirectional replication: "Because no changes are written directly to the RODC, no changes originate at the RODC. Accordingly, writable domain controllers that are replication partners do not have to pull changes from the RODC." This means that any changes or corruption that a malicious user might make to the DMZ Active Directory cannot replicate from the RODC to the rest of the forest.
Source: https://technet.microsoft.com/en-us/library/cc732801(v=ws.10).aspx

Read-Only Active Directory
One more thing to do:
- Point the Cyber Assets inside the ESP to the Active Directory server inside the ESP
- Point the Cyber Assets outside the ESP to the Active Directory server (RODC) in the DMZ
- Eliminate all AD-related permissions through the firewall from the DMZ into the ESP
- Frustrates the malicious actor: too bad, so sad

Interactive Remote Access


What is Multi-Factor Authentication?
- Something you know: password, passphrase, PIN
- Something you have: RSA token, CRYPTOcard, challenge/response card, cell phone
- Something you are: biometrics (fingerprint, facial features, iris)

Something You Have
This is the most misunderstood factor:
- You need to be in physical possession of it
- You cannot stop off somewhere (electronically) and pick it up
- It cannot be publicly available
The Guidelines and Technical Basis for CIP-005-5, Requirement R2 simply says "See Secure Remote Access Reference Document (see remote access alert)." That reference document is the "Guidance for Secure Interactive Remote Access".

Multi-Factor Scenario 1
Authentication is performed by the following sequence:
1. Enter username and password
2. A one-time token is sent by the authentication server to your company email account
3. Enter the one-time token value found in the email body
4. You are authenticated
Question: Is this a valid form of multi-factor authentication?
NO. The emailed token can be read from anywhere your mailbox can be reached, so it proves access to the mailbox, not possession of anything.

Multi-Factor Scenario 2
Authentication is performed by the following sequence:
1. Enter username and password
2. A one-time token is generated using an app on your smart phone
3. Enter the one-time token
4. You are authenticated
Question: Is this a valid form of multi-factor authentication?
YES

Multi-Factor Scenario 3
Authentication is performed by the following sequence:
1. Enter username and password to authenticate to a Citrix server (not the Intermediate System)
2. Connect to the Intermediate System from the Citrix server
3. Enter your username and password
4. Enter the password to enable use of your digital certificate, stored in your user profile on the Citrix server
5. You are authenticated
Question: Is this a valid form of multi-factor authentication?
NO. The certificate lives in a profile on a shared server that anyone who knows your password can reach, so it is not something only you possess; every step reduces to something you know.

Multi-Factor Scenario 4
Authentication is performed by the following sequence:
1. Connect to the Intermediate System from your laptop
2. Enter your username and password
3. Enter the password to enable use of your digital certificate, stored in your user profile on your laptop
4. You are authenticated
Question: Is this a valid form of multi-factor authentication?
Yes, but

Multi-Factor Scenario 5
Authentication is performed by the following sequence:
1. Enter username and password
2. The authentication system places a call to a pre-registered phone number (cell or landline)
3. Answer the phone and respond as instructed
4. You are authenticated
Question: Is this a valid form of multi-factor authentication?
YES (a cell phone would be best)

Multi-Factor Scenario 6
Authentication is performed by the following sequence:
1. Insert the USB key containing your digital certificate into your laptop
2. Launch your VPN client on your laptop and connect to the VPN concentrator (upstream from the Intermediate System)
3. Enter the passcode required to use your digital certificate
4. You are authenticated
Question: Is this a valid form of multi-factor authentication?
YES

Multi-Factor Scenario 7
Authentication is performed by the following sequence:
1. Log into your laptop using your fingerprint in lieu of entering your username and password
2. Once logged in, connect to the Intermediate System with a username and password
3. You are authenticated
Question: Is this a valid form of multi-factor authentication?
You would think so, but NO. The fingerprint only unlocks the laptop; the Interactive Remote Access session to the Intermediate System is authenticated with a username and password alone, which is a single factor.

Summary
Electronic Access Point:
- You want tight ingress and egress access controls
- Access in and out needs to be limited to what is necessary to operate, not for convenience
Multi-Factor Authentication:
- Two of three: something you know, something you have, something you are
- You need to be in sole possession of the something you have

SPP RE CIP Team
- Kevin Perry, Director of Critical Infrastructure Protection, (501) 614-3251
- Shon Austin, Lead Compliance Specialist-CIP, (501) 614-3273
- Ted Bell, Senior Compliance Specialist-CIP, (501) 614-3535
- Jeremy Withers, Senior Compliance Specialist-CIP, (501) 688-1676
- Robert Vaughn, Compliance Specialist II-CIP, (501) 482-2301
- Sushil Subedi, Compliance Specialist II-CIP, (501) 482-2332