
Joe Andrews, MsIA, CISSP-ISSEP, ISSAP, ISSMP, CISA, PSP

Sr. Compliance Auditor – Cyber Security

CIP-005-3 Audit Approach, ESP Diagrams, Industry Best Practices

September 24 – 25, 2013 SALT LAKE CITY, UTAH

Speaker Introduction

•  Joseph A. Andrews
   o  21 years DoD IT & Information Security / Network Engineering (Federal Civilian)
      §  Senior Information Systems Security Engineer
      §  Information Assurance Program Manager
      §  Network Security Engineer
      §  Information Systems Security Officer
      §  Etc.
   o  Academic
      §  Master of Science in Information Security & Assurance
      §  Bachelor of Science in IT/Information Security
      §  Professional Certifications: CISSP-ISSEP, ISSAP, ISSMP, CISA, PSP, CAP, GCIH, C|CISO, C|EH, CNDA, CBRM, CGEIT, CompTIA Security+

CIP-005-3 Requirements Overview

•  R1. Identify and document Critical Cyber Assets (CCAs) residing within an Electronic Security Perimeter (ESP), including Access Points (AP) to the ESP
•  R2. Implement and document ESP access controls (i.e., Access Points; deny by default, ports & services, appropriate use banner)
•  R3. Monitor and log access to the ESP
•  R4. Conduct an annual Cyber Vulnerability Assessment (CVA) of the Access Points to the ESP
•  R5. Review, update and maintain CIP-005-3 relevant documentation


R1. Electronic Security Perimeter (ESP)

•  Provides network segmentation and restricted access to Critical Cyber Assets within the SCADA and Process Control Network from the Enterprise/Corporate Network and any other untrusted networks and sources.
•  It is the Access Point that establishes the Electronic Security Perimeter.

R1. Access Point (AP)

•  An information system, device or appliance that provides access to and/or through (e.g., ingress or egress traffic) the ESP (e.g., Firewall, Gateway, Control device w/modem (TCP, UDP; Telnet, SSH, SSL, VPN, HTTP[s]))
•  May provide access control, monitoring, alerting and/or logging of access to and/or through the ESP
   o  May require intermediary device(s) for some of this functionality: Electronic Access Control and Monitoring (EACM) devices

ESP Graphical Depiction

ESP w/ DMZ Graphical Depiction

Discrete Electronic Security Perimeter

•  An Electronic Security Perimeter that is typically located in a single geographical location and may be protected by a single Physical Security Perimeter (PSP). The PSP may or may not span multiple rooms, but the cabling infrastructure is protected by the PSP and all rooms are afforded the protections of CIP-006.


Extended Electronic Security Perimeter

•  A single Electronic Security Perimeter that may be located in multiple geographical locations, or in multiple rooms of the same facility, protected by one or more Physical Security Perimeters (PSP); the cabling infrastructure may traverse multiple facility rooms or areas outside of an established PSP.


ESP-1 (Actual) Front Rack View

ESP-1 Front Rack View (CCAs Labeled)

Access Point Graphical Depiction

Access Point GUI & CLI Interface


R1. CAR-005

•  ICS components with serial and/or dial-up interfaces can be Access Points:
   o  A Front End Processor (FEP) or CCA serially connected to a component of another network beyond your control (e.g., another entity)
   o  A FEP or media converter device that uses the internet (e.g., IP; VPN, SSL, AES) to communicate
•  Know the backend architecture of your ICS network!


YERSINIA (VLAN Exploit Tool)

Contrary to popular belief, VLANs were originally created as a network performance and organization feature, not a security feature.

•  Dynamic Trunking Protocol (DTP) abuse
   o  Cisco proprietary, no authentication, switches default to auto-negotiate, sniff all VLAN traffic
•  Trunking protocol (802.1q and ISL) abuse
   o  PVLAN hopping, double 802.1q VLAN tagging
•  Virtual Trunking Protocol (VTP) abuse
•  Common spanning tree (CST) abuse
•  Multiple other attacks

Trend: Legacy Networks to IP VPN

•  Legacy SCADA Networks
   o  Radio and leased line communication
   o  RTUs serially connected to a radio modem or leased line modem
   o  Radio modem or leased line modem connected to a Front End Processor (FEP) at the control station
•  Secure IP VPN (vendors are pushing)
   o  IP network communications
   o  RTU connected to multi-homed and multi-protocol devices (MPLS/Frame/IP; Fiber, Ethernet, VSAT)
   o  Front End Processors are multi-homed, multi-protocol capable and scalable devices


Legacy Networks to IP VPN - WHY?

•  It’s cheaper
   o  One-to-one hardware solutions are more expensive
•  It’s scalable & reliable (redundancy)
   o  Multi-homed, multi-protocol and network-agnostic systems are scalable, while eliminating single points of failure
•  It’s safer
   o  VPN-IPSEC, AES256 versus unencrypted legacy serial communications
•  It’s still IP!
   o  Susceptible to the same vulnerabilities plaguing traditional network architectures
   o  We’re not against it, we just need to check it

Hacking Satellite

•  Spanish cyber security researcher Leonardo Nve demonstrated at BlackHat the exploitation of (i.e., gaining access to and impersonating legitimate users of) satellite internet connections using less than $75 worth of tools, which can be purchased on eBay.
   -  (1) Skystar “2” PCI satellite receiver card, an open source Linux DVB software application, and the free network data analysis tool Wireshark.

EXTRA! EXTRA! Read all about it!

•  US satellites hacked by Chinese military!
•  The hacktivist group Anonymous hacks NASA satellite!
•  Anonymous hacks Turkish satellite provider!
•  Three states have demonstrated the ability to physically damage satellites by intercepting them: the US, Russia and China

R1. CCA, ESP and AP Enumeration

•  Verify Critical Cyber Asset (CCA) list
•  Verify Electronic Security Perimeter (ESP) designation documentation
•  Verify Access Points of ESP documentation
•  Cross reference CCA, ESP and AP documentation with network diagrams

R2. Access Point Checks

•  Access Point Configuration Analysis Checks
   o  Appropriate use banner configured (not on radar and not applicable for CIP-V5)
   o  Deny-by-default statement
      §  An automatic implicit “deny all” statement after the explicit statements is standard for most new firewalls
   o  SNMP community string default (i.e., “PUBLIC”)
   o  Access Control List is restrictive (e.g., no entire Class A IP range left open 255.255.0.0 (65K IP addresses), and justification for an entire Class C)
   o  Authorized ports and services

R3. AP Monitoring, Logging, & Alerting

•  Validate electronic & manual 24/7 monitoring, logging and alerting (including dial-up accessible CCAs with non-routable protocols)
   o  Validate electronic and/or manual logs
   o  Verify the implemented technical solutions that are responsible for alerting appropriate personnel (i.e., SMTP, SIEM, log server, etc.)
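As an added example that is not part of the deck, the following Python review runs over constructed Access Point log lines and produces the alerts an R3 alerting solution (SIEM, log server, e-mail) should have raised: permitted access from a source that is not on the authorized interactive remote access list, repeated denies from one source, and every dial-up connection to a CCA. The log format, the authorized-source list and the deny threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Access Point log in a hypothetical syslog-like format
# (not a real vendor's). All times are on the same day.
AP_LOG = """\
2013-09-24T08:00:01 esp1-fw PERMIT tcp 192.168.10.7:50211 -> 10.20.1.5:22
2013-09-24T08:01:10 esp1-fw DENY tcp 172.16.5.9:4401 -> 10.20.1.5:502
2013-09-24T08:02:30 esp1-fw DENY tcp 172.16.5.9:4402 -> 10.20.1.5:502
2013-09-24T08:03:45 esp1-fw DENY tcp 172.16.5.9:4403 -> 10.20.1.5:23
2013-09-24T08:15:00 esp1-fw PERMIT tcp 203.0.113.40:61000 -> 10.20.1.5:22
2013-09-24T09:30:12 esp1-fep DIALUP connect line=2 caller=5551230100
"""

# Sources authorized for interactive remote access into the ESP (assumed list).
AUTHORIZED_REMOTE = {"192.168.10.7"}
DENY_THRESHOLD, DENY_WINDOW = 3, timedelta(minutes=5)

FLOW_RE = re.compile(
    r"^(\S+) \S+ (PERMIT|DENY) \S+ ([\d.]+):\d+ -> ([\d.]+):(\d+)$")
DIAL_RE = re.compile(r"^(\S+) \S+ DIALUP connect (.*)$")


def review_ap_log(log, authorized_remote):
    """Return (time, kind, detail) alerts the R3 alerting solution should raise."""
    alerts = []
    deny_times = defaultdict(list)  # source IP -> recent deny timestamps
    for line in log.splitlines():
        m = FLOW_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1))
            action, src, dst, port = m.groups()[1:]
            if action == "PERMIT" and src not in authorized_remote:
                # Access through the AP from a source nobody authorized.
                alerts.append((ts, "unauthorized-source", f"{src} -> {dst}:{port}"))
            elif action == "DENY":
                recent = [t for t in deny_times[src] if ts - t <= DENY_WINDOW] + [ts]
                deny_times[src] = recent
                if len(recent) == DENY_THRESHOLD:
                    alerts.append((ts, "repeated-deny",
                                   f"{src} denied {DENY_THRESHOLD}x within {DENY_WINDOW}"))
            continue
        d = DIAL_RE.match(line)
        if d:
            # Dial-up accessible CCAs (non-routable protocols) are still in
            # scope for 24/7 monitoring, so every modem connection is reported.
            alerts.append((datetime.fromisoformat(d.group(1)), "dialup-connect",
                           d.group(2)))
    return alerts
```

During an audit the same three alert kinds can be matched against the entity's SIEM or e-mail records to verify that the alerting solution actually reached the appropriate personnel.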

NERC Industry Advisories

•  Remote Access Guidance
   o  Use encrypted access controls for remote access
   o  Use multi-factor authentication
   o  Consider a proxy device as the VPN termination point
   o  Implement logging and monitoring
   o  etc.

NERC Guidance

•  Guidance for Secure Remote Access
   o  Secure interactive remote access concepts
   o  Security practices and proposed solutions for secure interactive remote access
   o  Assessing the implementation of interactive remote access controls
   o  Network architecture decisions

R4. Annual Cyber Vulnerability Assessment (CVA) of APs to ESP

•  Validate vulnerability assessment process documentation
•  CVA criteria must address:
   o  Authorized ports and services
   o  Discovery of all Access Points to the ESP
   o  Review of controls, default accounts, passwords and network management community strings (PUBLIC)
   o  For vulnerabilities discovered, establish a remediation action plan and ensure the execution of the action plan

R4. Cyber Vulnerability Assessment

•  The CVA summary report should specifically identify, by unique identifiers, the Access Points that were assessed.
•  The auditors will ask for any raw evidence relevant to the assessment (e.g., automated scans, Access Point configurations).

R4. Cyber Vulnerability Assessment

•  Auditors will cross-reference the Access Point ports and services baseline with the configuration
•  Excess ports and services found during the CVA should be added to the CVA mitigation/remediation plan
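The R2 Access Point configuration checks listed earlier (appropriate use banner, deny by default, default SNMP community string, ACL breadth) and the R4 ports/services baseline cross-reference above, as one added Python example that is not from the deck: it audits a constructed configuration in a hypothetical vendor-neutral syntax and reports each finding. The configuration syntax, sample rules and authorized baseline are assumptions; the /16 and /24 thresholds follow the slide's own 255.255.0.0 and Class C examples.

```python
import ipaddress
import re

# Constructed sample Access Point configuration in a hypothetical, vendor-neutral
# syntax (not a real device's). It carries the weaknesses the R2 checks look for.
AP_CONFIG = """\
hostname esp1-fw
snmp-server community PUBLIC RO
access-list ESP-IN permit tcp 10.0.0.0/16 any eq 502
access-list ESP-IN permit tcp 192.168.10.0/24 any eq 22
access-list ESP-IN permit tcp 192.168.10.0/24 any eq 23
access-list ESP-IN permit udp 192.168.10.7/32 any eq 161
"""

# Ports/services baseline approved for this AP (the R4 cross-reference input).
AUTHORIZED_PORTS = {("tcp", 502), ("tcp", 22), ("udp", 161)}
DEFAULT_COMMUNITIES = {"public", "private"}

RULE_RE = re.compile(
    r"^access-list \S+ (permit|deny) (\S+) (\S+) (\S+)(?: eq (\d+))?$")


def audit_access_point(config, authorized_ports):
    """Return (check, detail) findings for one Access Point configuration."""
    findings = []
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    if not any(l.startswith("banner") for l in lines):
        findings.append(("banner", "no appropriate use banner configured"))
    for l in lines:
        if l.startswith("snmp-server community"):
            community = l.split()[2]
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(("snmp", f"default community string {community!r}"))
    rules = [m for m in map(RULE_RE.match, lines) if m]
    # Deny by default: require a trailing explicit deny rather than trusting the
    # implicit deny the slide says most new firewalls add.
    if not rules or rules[-1].group(1) != "deny":
        findings.append(("deny-default", "ACL has no trailing explicit deny"))
    for m in rules:
        action, proto, src, port = m.group(1), m.group(2), m.group(3), m.group(5)
        if action != "permit":
            continue
        if src == "any":
            findings.append(("acl-breadth", "permit from any source"))
        else:
            net = ipaddress.ip_network(src, strict=False)
            if net.prefixlen < 24:      # e.g. a 255.255.0.0 mask: 65K addresses
                findings.append(("acl-breadth",
                                 f"{src} opens {net.num_addresses} addresses"))
            elif net.prefixlen == 24:   # entire Class C: needs justification
                findings.append(("acl-justify", f"{src} requires justification"))
        if port and (proto, int(port)) not in authorized_ports:
            findings.append(("ports", f"{proto}/{port} not in authorized baseline"))
    return findings
```

Every "ports" finding is an excess service that belongs on the CVA mitigation/remediation plan; a configuration with a banner, a non-default community string, host-specific permits and a trailing explicit deny produces no findings.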

Auditors will review Action Items

Action Item   Status   Completion Date   (DON’T LEAVE BLANK!!)

R5. Documentation Review and Maintenance

•  Documentation reflects current configurations
•  Documentation updated within 90 days of a change to network or security controls
•  Retain relevant access logs for at least 90 calendar days; however, in the instance of a Cyber Security Incident the retention window is approximately 3 years

References

•  NERC Industry Advisory: Remote Access Guidance (2011). Retrieved from the North American Electric Reliability Corporation website on January 7, 2012, from http://www.nerc.com/fileUploads/File/Events%20Analysis/A-2011-08-24-1-Remote_Access_Guidance-Final.pdf
•  NERC Guidance for Secure Interactive Remote Access (2011). Retrieved from the North American Electric Reliability Corporation website on January 7, 2012, from http://www.nerc.com/fileUploads/File/Events%20Analysis/FINAL-Guidance_for_Secure_Interactive_Remote_Access.pdf

Questions?

Joe Andrews, CISSP-ISSEP, ISSAP, ISSMP, CISA
Sr. Compliance Auditor – Cyber Security
Western Electricity Coordinating Council
jandrews[@]wecc[.]biz
Office: 801.819.7683