1. CIP-005-5 R1.5 Spring CIP Audit Workshop, April 14, 2016
   Scott Pelfrey, CISA, CISSP, GISP, MBA, Senior Technical Auditor

2. CIP-005-5 Part 1.5 – Learning Objectives
   • Terminology
   • Discussion of IPS/IDS & firewall
   • Questions Answered
   • Overview of Requirement
   • Audit Approach by RF
   Forward Together • ReliabilityFirst

3. CIP-005-5 Part 1.5 – Terminology
   • BES Cyber Asset (BCA)
   • High Impact BES Cyber Systems (BCS)
   • Protected Cyber Asset (PCA)
   • Electronic Security Perimeter (ESP)
   • Electronic Access Point (EAP)
   • Intrusion Prevention System (IPS)
   • Intrusion Detection System (IDS)
   • Firewall

4. CIP-005-5 Part 1.5 – Discussion
   • Firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS)

5. CIP-005-5 Part 1.5 – Firewall
   • Firewall – analyzes packet headers, enforces policy
     ‒ Policy based on:
       • Protocol type
       • Source address
       • Destination address
       • Source port
       • Destination port
     ‒ Transparent and fast

6. CIP-005-5 Part 1.5 – Firewall Details (1)
   • Capabilities
     • Single point for monitoring, exclusion of attacks, unauthorized users, malware, viruses, etc.
     • Convenient platform for Internet functions not related to security
     • Can log or audit ingress/egress activities
     • Stateful inspection
       ‒ Keeps a "directory" of TCP connections
       ‒ Only allows incoming traffic for "known" connections
       ‒ May also keep track of TCP sequence numbers

7. CIP-005-5 Part 1.5 – Firewall Details (2)
   • Limitations
     • Cannot protect against attacks that bypass the device (transient devices)
     • May not fully protect against threats
       ‒ May be vulnerable to IP address spoofing, source route attacks and tiny fragment attacks
       ‒ Vulnerable to TCP/IP protocol bugs
     • Improper configuration may lead to breaches
     • Wireless connections may circumvent the firewall

8. CIP-005-5 Part 1.5 – Firewall Example (diagram slide)

9. CIP-005-5 Part 1.5 – IDS
   • Intrusion Detection System (IDS)
   • Analyzes packets – both header and payload – looking for known events
     ‒ Known event detected: a log message is generated detailing the event

10. CIP-005-5 Part 1.5 – IDS Details (1)
   • Two physical types
     • Host-based
       ‒ Resident on one system
       ‒ Monitors only that system's activity
       ‒ Can detect both internal and external intrusions
     • Network-based
       ‒ Monitors particular network segments or devices
       ‒ May be inline (as part of another network device) or passive (copy of traffic through a tap or mirrored port)

11. CIP-005-5 Part 1.5 – IDS Details (2)
   • Two detection types
     • Signature or rules detection
       ‒ Analyzes records for a match with current rules or signatures
       ‒ Requires constant updates for protection
       ‒ Issue: only knows known intrusions; new intrusions may not be found
     • Anomaly detection
       ‒ Builds a profile or keeps thresholds
       ‒ Matches incoming packets to the profiles or thresholds
       ‒ Issue: may have false positives during "extreme" events
     • Events are generated from deviations of either
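As an added illustration (not part of the workshop slides), a toy IDS that runs both detection types from the slide over constructed packet records; the signature list, threshold and addresses are assumptions chosen to show the known-only limitation of signatures and the false-positive caveat of anomaly thresholds:

```python
from collections import Counter

# Constructed signature list (assumption): rule id and the payload bytes it matches
SIGNATURES = [
    ("SIG-001", b"cmd.exe /c"),
    ("SIG-002", b"SELECT * FROM"),
]

# Constructed packet records (assumption): (source address, destination port, payload)
PACKETS = [
    ("10.0.0.5", 502, b"modbus read coils"),
    ("10.0.0.5", 502, b"modbus read coils"),
    ("203.0.113.9", 445, b"\x00cmd.exe /c dir"),         # known event: matches SIG-001
    ("198.51.100.4", 22, b"constructed new intrusion"),  # in no signature: goes unseen
    ("10.0.0.7", 80, b"GET /index.html"),
] + [("10.0.0.5", 502, b"modbus read coils")] * 40       # burst from one source


def signature_detect(packets, signatures=SIGNATURES):
    """Signature/rules detection: one log message per payload matching a known rule.
    The packet from 198.51.100.4 produces nothing, which is the slide's limitation:
    this type only knows known intrusions."""
    events = []
    for src, dport, payload in packets:
        for rule_id, pattern in signatures:
            if pattern in payload:
                events.append(f"{rule_id} src={src} dport={dport}")
    return events


def anomaly_detect(packets, threshold=20):
    """Anomaly detection: a per-source packet count above the threshold (the 'profile')
    is a deviation. A legitimate burst, e.g. polling during an extreme grid event,
    also trips it, which is the slide's false-positive caveat."""
    counts = Counter(src for src, _, _ in packets)
    return [f"ANOMALY src={src} count={n}" for src, n in counts.items() if n > threshold]


def ids_events(packets):
    """Events generated from deviations of either detection type."""
    return signature_detect(packets) + anomaly_detect(packets)
```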

12. CIP-005-5 Part 1.5 – IDS Example (diagram slide: Corporate Network)

13. CIP-005-5 Part 1.5 – IPS
   • Intrusion Prevention System (IPS) analyzes packets – both header and payload – looking for known events
     ‒ Known event detected: the packet is rejected

14. CIP-005-5 Part 1.5 – IPS Details (1)
   • Host-based
     • Resident on one system
     • Monitors only that system's activity
     • Can detect both internal and external intrusions
     • Uses both signature/rules and anomaly detection
     • Can be tailored for a specific purpose
       ‒ Web, database, general
     • May use a sandbox to monitor behavior
     • May give file, registry, or I/O protection

15. CIP-005-5 Part 1.5 – IPS Details (2)
   • Network-based
     • Inline IPS can discard packets or terminate TCP connections
     • Uses both signature/rules and anomaly detection
     • May provide content flow protection
     • Identifies malicious packets using multiple methods

16. CIP-005-5 Part 1.5 – IPS Example (diagram slide: Host-Based IPS)

17. CIP-005-5 Part 1.5 – Differences (1)
   • Firewall – uses rules to "pass" traffic through (looks for a rule to allow packets through)
   • IPS – uses rules to "block" traffic (looks for a rule to drop packets)
   • Firewall/IPS – "control" devices, sitting inline and controlling packets
   • IDS – "visibility" tool

18. CIP-005-5 Part 1.5 – Differences (2)
   • IPS/IDS – the functional difference between the two is very subtle
   • IPS/IDS – sometimes only a configuration setting
   • IPS/IDS – may or may not be physical modules
   • IPS/IDS – often functionally indistinguishable (even if they are two separate devices or modules)

19. CIP-005-5 Part 1.5 – IDS/IPS Management (diagram slide)

20. CIP-005-5 Part 1.5 – NGFW (1)
   • Next Generation Firewall (NGFW)
   • Newer concept
   • Single device converges FW and IDS/IPS
   • Deep packet inspection of both header and payload in one action
   • Decision-making capabilities for policy enforcement

21. CIP-005-5 Part 1.5 – NGFW (2)
   • Supports typical FW capabilities (NAT, VPN, QoS, packet filtering)
   • Adds
     • Intrusion prevention
     • SSL/SSH inspection
     • Reputation-based malware detection
     • Application awareness
     • Signature-based antivirus

22. CIP-005-5 Part 1.5 – NGFW (3) (diagram slide)

23. CIP-005-5 Part 1.5 – NGFW Single Pass Architecture (diagram slide)

24. CIP-005-5 Part 1.5 – Overview (1) (requirement text slide)

25. CIP-005-5 Part 1.5 – Overview (2)
   • Applies only to Electronic Access Points (EAPs)
   • Applies only to High/Medium Control Centers
     • Specifically RC, BA, TO, GO
   • Best practice – apply to all EAPs…

26. CIP-005-5 Part 1.5 – Questions
   • A couple of questions answered first…

27. CIP-005-5 Part 1.5 – Question 1
   • Why include outbound communications?

28. CIP-005-5 Part 1.5 – Answer
   • Compromised BCA – outside communication (Command and Control)
   • First level of defense to stop a Command & Control (C&C) exploit
   • Know what you connect to and limit traffic to those communications; the needs to cover include:
     • Normal operations
     • Emergency operations
     • Support
     • Maintenance
     • Troubleshooting

29. CIP-005-5 Part 1.5 – Question 2
   • Do we need two separate devices?
     • Part 1.5 is a direct result of FERC Order 706, Paragraphs 496-503
     • ESPs are required to have two DISTINCT security measures
     • Further explanation in FERC Order 706-A, paragraph 66 – requirement for two separate and distinct electronic devices (but that doesn't necessarily mean two physical devices) for defense-in-depth

30. CIP-005-5 Part 1.5 – Answer
   • Short answer: No.
   • CIP Version 5 FAQs – need one or more METHODS… not physical devices… modules CAN reside on the same appliance

31. CIP-005-5 Part 1.5 – Guidelines
   • Guidelines and Technical Basis Overview

32. CIP-005-5 Part 1.5 – Guidelines (1)
   • Large ranges of internal addresses allowed (ephemeral ports…)
   • You know what ranges are required – (Document)
   • Suggest communication through the EAP to the Entity's address space ONLY – no Internet
   • Know what you talk to – both inside and outside of the ESP – (Document)
   • Need to detect rogue connections and block them

33. CIP-005-5 Part 1.5 – Guidelines (2)
   • "Deny by default" – need to see an explicit (or implicit) "deny all" in the ruleset
   • Direct serial or non-routable connections not included
   • Use common sense and due diligence
   • Fail "open" but maintain perimeter protection
   • Show malicious traffic inspection – (Document)
   • Require "deep packet inspection"
   • Redundancy of firewalls does NOT count
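As an added example (not from the workshop slides or ReliabilityFirst), a small checker that reviews an EAP ruleset against the guideline points from slides 32 and 33: an explicit deny-all, a documented need for every permitted flow, traffic limited to the Entity's own address space, and broad port ranges called out for documentation. The rule fields, the sample rules and ENTITY_SPACE are constructed assumptions:

```python
import ipaddress

# Assumption: the Entity's own address space; the guideline is EAP traffic to this space only
ENTITY_SPACE = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed ruleset in evaluation order (first match wins); field names are assumptions
RULES = [
    {"id": 10, "dir": "in", "action": "allow", "src": "10.20.0.0/24", "dst": "10.10.5.0/24",
     "dport": "502", "doc": "SCADA polling - Normal Operations"},
    {"id": 20, "dir": "out", "action": "allow", "src": "10.10.5.0/24", "dst": "10.20.0.10/32",
     "dport": "514", "doc": "Syslog to collector - Support"},
    {"id": 30, "dir": "out", "action": "allow", "src": "10.10.5.0/24", "dst": "0.0.0.0/0",
     "dport": "443", "doc": ""},  # Internet-bound and undocumented: should be flagged
    {"id": 999, "dir": "any", "action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0",
     "dport": "any", "doc": "Deny by default"},
]


def within_entity_space(cidr, space=ENTITY_SPACE):
    """True if every address in cidr lies inside the Entity's own address space."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(block) for block in space)


def audit_ruleset(rules, space=ENTITY_SPACE):
    """Return the findings an auditor would raise; an empty list means all checks passed."""
    findings = []
    last = rules[-1]
    # "Deny by default": the ruleset must end in an explicit deny-all
    if not (last["action"] == "deny" and last["src"] == "0.0.0.0/0" and last["dst"] == "0.0.0.0/0"):
        findings.append("no explicit 'deny all' as the final rule")
    for r in rules:
        if r["action"] != "allow":
            continue
        # "Know what you talk to ... (Document)": every permitted flow needs a stated need
        if not r["doc"]:
            findings.append(f"rule {r['id']}: allowed flow has no documented need")
        # "Entity's address space ONLY - no Internet", checked for both endpoints
        if not (within_entity_space(r["src"], space) and within_entity_space(r["dst"], space)):
            findings.append(f"rule {r['id']}: permits traffic outside the Entity's address space")
        # "Large ranges ... allowed": an any-port allow is broad enough to need justification
        if r["dport"] == "any":
            findings.append(f"rule {r['id']}: allows any destination port; document the range")
    return findings
```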

34. CIP-005-5 Part 1.5 – Audit Approach
   • ReliabilityFirst's Audit Approach

35. CIP-005-5 Part 1.5 – Audit Approach (1)
   • Most entities – the EAP is a firewall (Juniper, Cisco, Microsoft, Check Point, Palo Alto, Sophos, WatchGuard, Barracuda, many others…) – first line of defense
   • May add modules, separate systems, or taps to monitor ingress/egress traffic on the EAP
   • May be host-based or network-based for malicious communications – Entity decision – (Document)
   • Updates – software/firmware
   • Change control for updates
