CIP-005-5 R1.5 Spring CIP Audit Workshop, April 14, 2016 (PowerPoint presentation)



SLIDE 1

CIP-005-5 R1.5 Spring CIP Audit Workshop

April 14, 2016
Scott Pelfrey, CISA, CISSP, GISP, MBA, Senior Technical Auditor

SLIDE 2

Forward Together • ReliabilityFirst

CIP-005-5 Part 1.5 – Learning Objectives

  • Terminology
  • Discussion of IPS/IDS & firewall
  • Questions Answered
  • Overview of Requirement
  • Audit Approach by RF
SLIDE 3

CIP-005-5 Part 1.5 – Terminology

  • BES Cyber Asset (BCA)
  • High Impact BES Cyber Systems (BCS)
  • Protected Cyber Asset (PCA)
  • Electronic Security Perimeter (ESP)
  • Electronic Access Point (EAP)
  • Intrusion Prevention System (IPS)
  • Intrusion Detection System (IDS)
  • Firewall


SLIDE 4

CIP-005-5 Part 1.5 – Discussion

  • Firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS)

SLIDE 5

CIP-005-5 Part 1.5 – Firewall

  • Firewall – Analyzes packet headers, enforces policy
    ‒ Policy based on:
      • Protocol Type
      • Source Address
      • Destination Address
      • Source Port
      • Destination Port
    ‒ Transparent and Fast

SLIDE 6

CIP-005-5 Part 1.5 – Firewall Details (1)

  • Capabilities
    ‒ Single point for monitoring, exclusion of attacks, unauthorized users, malware, viruses, etc.
    ‒ Convenient platform for Internet functions not security related
    ‒ Can log or audit ingress / egress activities
  • Stateful Inspection
    ‒ Keeps “directory” of TCP connections
    ‒ Only allows incoming traffic for “known” connections
    ‒ May also keep track of TCP sequence numbers
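The two mechanisms on the last two slides (a header-only policy keyed on protocol type, source/destination address and source/destination port, plus a connection "directory" that admits inbound traffic only for connections an inside host already opened) are modelled in the following Python snippet. This is an added example, not material from the workshop or ReliabilityFirst; the Packet and Rule structures, the addresses and the sample ruleset are constructed for illustration and follow no vendor format.

```python
"""Toy stateful packet filter, added here to illustrate the slide.

Two ideas from the deck are modelled: a header-only policy keyed on
protocol type, source/destination address and source/destination port,
and a "directory" of TCP connections so that inbound packets are admitted
only when they belong to a connection an inside host already opened.
Packet, Rule, the addresses and the ruleset are all constructed for this
example (not a vendor format).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp" or "udp"
    src: str           # source address
    dst: str           # destination address
    sport: int         # source port
    dport: int         # destination port
    direction: str     # "out" = leaving the protected side, "in" = entering it
    syn: bool = False  # TCP SYN set: a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # None = any destination port
    direction: str         # "in" or "out"

    def matches(self, p: Packet) -> bool:
        """Header-only comparison: nothing in the payload is examined."""
        return (
            self.direction == p.direction
            and self.proto in ("any", p.proto)
            and (self.src == "any" or ip_address(p.src) in ip_network(self.src))
            and (self.dst == "any" or ip_address(p.dst) in ip_network(self.dst))
            and (self.dport is None or self.dport == p.dport)
        )


class StatefulFirewall:
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        # The connection "directory": one entry per TCP connection opened from inside.
        self.connections: Set[Tuple] = set()

    @staticmethod
    def _key(p: Packet) -> Tuple:
        # Normalise to (proto, inside addr, inside port, outside addr, outside port)
        # so a reply packet maps onto the entry created by the outbound SYN.
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        # 1. Return traffic for a known connection is admitted without a rule lookup.
        if p.direction == "in" and self._key(p) in self.connections:
            return "allow (established)"
        # 2. Otherwise the first matching rule decides; no match at all means deny.
        for r in self.rules:
            if r.matches(p):
                if r.action == "allow" and p.proto == "tcp" and p.direction == "out" and p.syn:
                    self.connections.add(self._key(p))
                return r.action
        return "deny (default)"


# Constructed policy: inside hosts may open HTTPS to one outside server; everything else is denied.
SAMPLE_RULES = [
    Rule("allow", "tcp", "10.0.0.0/24", "192.168.5.10/32", 443, "out"),
    Rule("deny", "any", "any", "any", None, "in"),
    Rule("deny", "any", "any", "any", None, "out"),
]


def demo() -> List[str]:
    """Three constructed packets: an outbound SYN, its reply, and an unsolicited inbound packet."""
    fw = StatefulFirewall(SAMPLE_RULES)
    outbound = Packet("tcp", "10.0.0.7", "192.168.5.10", 51000, 443, "out", syn=True)
    reply = Packet("tcp", "192.168.5.10", "10.0.0.7", 443, 51000, "in")
    unsolicited = Packet("tcp", "192.168.5.10", "10.0.0.7", 443, 51001, "in")
    return [fw.filter(outbound), fw.filter(reply), fw.filter(unsolicited)]


if __name__ == "__main__":
    print(demo())  # ['allow', 'allow (established)', 'deny']
```

The reply is admitted only because the outbound SYN created a directory entry; the third packet, identical except for the inside port, has no entry and falls through to the inbound deny rule. That is the "only allows incoming traffic for known connections" behaviour the slide describes, and it is also why a stateful firewall's policy can be written almost entirely in terms of what inside hosts are permitted to initiate.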

SLIDE 7

CIP-005-5 Part 1.5 – Firewall Details (2)

  • Limitations
    ‒ Cannot protect against attacks bypassing the device (transient devices)
    ‒ May not fully protect against threats
      • May be vulnerable to IP address spoofing, source route attacks & tiny fragment attacks
      • Vulnerable to TCP/IP protocol bugs
    ‒ Improper configuration may lead to breaches
    ‒ Wireless connections may circumvent firewall
SLIDE 8

CIP-005-5 Part 1.5 – Firewall Example

SLIDE 9

CIP-005-5 Part 1.5 – IDS

  • Intrusion Detection System (IDS)
    ‒ Analyzes packets – both header and payload – looks for known events
    ‒ When a known event is detected, a log message is generated detailing the event

SLIDE 10

CIP-005-5 Part 1.5 – IDS Details (1)

  • Two Physical Types
  • Host-Based
    ‒ Resident on one system
    ‒ Monitors only that system’s activity
    ‒ Can detect both internal / external intrusions
  • Network-Based
    ‒ Monitors particular network segments or devices
    ‒ May be inline (as part of another network device) or passive (copy of traffic through a tap or mirrored port)

SLIDE 11

CIP-005-5 Part 1.5 – IDS Details (2)

  • Two Detection Types
  • Signature or Rules Detection
    ‒ Analyze records for match with current rules or signatures
    ‒ Requires constant updates for protection
    ‒ Issue: only knows known intrusions; new intrusions may not be found
  • Anomaly Detection
    ‒ Builds profile or keeps thresholds
    ‒ Matches incoming packets to profiles or thresholds
    ‒ Issue: May have false positives during “extreme” events
  • Events generated from deviations of either
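To make the two detection types concrete, the following Python snippet runs a signature detector and an anomaly detector over the same set of summarized packet records and shows the weakness of each: the signature path misses a record nobody wrote a rule for, and the anomaly path fires on a legitimate maintenance sweep. This is an added example, not from the workshop; the records, the signature names, the regular expressions and the fan-out threshold are all constructed and are not any vendor's rule language.

```python
"""Signature detection beside anomaly detection, added to illustrate the slide.

Both detectors run over the same constructed packet summaries
(source, destination, destination port, payload excerpt). The signature
path only fires on what its rule list already knows; the anomaly path
compares per-source behaviour with a baseline and can fire on legitimate
but unusual activity. Records, signature names and thresholds are all
constructed for this example and are not any vendor's rule language.
"""
import re
from typing import Dict, List, Set, Tuple

Record = Tuple[str, str, int, str]  # (src, dst, dport, payload excerpt)

# Constructed sample traffic summaries.
SAMPLE_RECORDS: List[Record] = [
    ("10.1.1.5", "10.1.1.20", 502, "read holding registers"),
    ("10.1.1.5", "10.1.1.20", 502, "read holding registers"),
    ("10.1.1.9", "10.1.1.20", 23, "login: root"),
    ("10.1.1.9", "10.1.1.21", 23, "login: root"),
    ("10.1.1.9", "10.1.1.22", 23, "login: root"),
    ("10.1.1.5", "10.1.1.20", 502, "write single coil"),
    # Not covered by any signature below: the "unknown intrusion" case on the slide.
    ("10.1.1.30", "10.1.1.20", 502, "malformed function code 0x5a"),
    # A constructed maintenance sweep from an administrative host (legitimate activity).
    ("10.1.1.2", "10.1.1.20", 161, "snmp get sysUpTime"),
    ("10.1.1.2", "10.1.1.21", 161, "snmp get sysUpTime"),
    ("10.1.1.2", "10.1.1.22", 161, "snmp get sysUpTime"),
]

# Signature list: (destination port, payload pattern). Needs updating as new events become known.
SIGNATURES: Dict[str, Tuple[int, re.Pattern]] = {
    "SIG-TELNET-ROOT": (23, re.compile(r"login: root")),
    "SIG-MODBUS-WRITE": (502, re.compile(r"\bwrite\b")),
}


def signature_detect(records: List[Record]) -> List[Tuple[str, str, str]]:
    """Emit (signature, src, dst) for every record that matches a known signature."""
    alerts = []
    for src, dst, dport, payload in records:
        for name, (port, pattern) in SIGNATURES.items():
            if dport == port and pattern.search(payload):
                alerts.append((name, src, dst))
    return alerts


def anomaly_detect(records: List[Record], baseline_max_dsts: int = 2) -> List[Tuple[str, str, int]]:
    """Emit (event, src, count) for sources contacting more destinations than the baseline allows."""
    dsts: Dict[str, Set[str]] = {}
    for src, dst, _, _ in records:
        dsts.setdefault(src, set()).add(dst)
    return [("ANOM-FANOUT", src, len(d)) for src, d in dsts.items() if len(d) > baseline_max_dsts]


if __name__ == "__main__":
    for alert in signature_detect(SAMPLE_RECORDS):
        print("signature:", alert)
    for event in anomaly_detect(SAMPLE_RECORDS):
        print("anomaly:  ", event)
```

Run as written, the signature detector reports the three root logins and the single write but says nothing about the malformed record, and the anomaly detector flags both the host that contacted three devices over telnet and the administrative host doing the SNMP sweep. The second flag is the false positive the slide warns about; tuning the baseline up silences it at the cost of also silencing the first.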
SLIDE 12

CIP-005-5 Part 1.5 – IDS Example

Diagram label: Corporate Network

SLIDE 13

CIP-005-5 Part 1.5 – IPS

  • Intrusion Prevention System (IPS) – analyzes packets – both header and payload – looks for known events
    ‒ When a known event is detected, the packet is rejected

SLIDE 14

CIP-005-5 Part 1.5 – IPS Details (1)

  • Host Based
    ‒ Resident on one system
    ‒ Monitors only that system’s activity
    ‒ Can detect both internal / external intrusions
    ‒ Uses both Signature/Rules & Anomaly Detection
    ‒ Can be tailored for specific purpose (Web, Database, General)
    ‒ May use sandbox to monitor behavior
    ‒ May give file, registry, or I/O protection
SLIDE 15

CIP-005-5 Part 1.5 – IPS Details (2)

  • Network Based
    ‒ Inline IPS can discard packets or terminate TCP connections
    ‒ Uses both Signature/Rules & Anomaly Detection
    ‒ May provide content flow protection
    ‒ Identifies malicious packets using multiple methods

SLIDE 16

CIP-005-5 Part 1.5 – IPS Example

Diagram label: Host-Based IPS

SLIDE 17

CIP-005-5 Part 1.5 – Differences (1)

  • Firewall – use of rules to “pass” traffic through (looking for a rule to allow packets through)
  • IPS – use of rules to “block” traffic (looking for a rule to drop packets)
  • Firewall/IPS – “control” devices, sitting inline and controlling packets
  • IDS – “visibility” tool
SLIDE 18

CIP-005-5 Part 1.5 – Differences (2)

  • IPS/IDS – Functional difference between the two is very subtle
  • IPS/IDS – Sometimes only a configuration setting
  • IPS/IDS – May or may not be physical modules
  • IPS/IDS – Often functionally indistinguishable (even if they are two separate devices or modules)

SLIDE 19

CIP-005-5 Part 1.5 – IDS/IPS Management

SLIDE 20

CIP-005-5 Part 1.5 – NGFW (1)

  • Next Generation Firewall (NGFW)
    ‒ Newer concept
    ‒ Single device converges FW and IDS/IPS
    ‒ Deep packet inspection of both header and payload in one action
    ‒ Decision-making capabilities for policy enforcement

SLIDE 21

CIP-005-5 Part 1.5 – NGFW (2)

  • Supports typical FW capabilities (NAT, VPN, QoS, packet filtering)
  • Adds
    ‒ Intrusion Prevention
    ‒ SSL / SSH inspection
    ‒ Reputation-based malware detection
    ‒ Application awareness
    ‒ Signature-based antivirus
SLIDE 22

CIP-005-5 Part 1.5 – NGFW (3)

SLIDE 23

CIP-005-5 Part 1.5 – NGFW

Diagram label: Single Pass Architecture

SLIDE 24

CIP-005-5 Part 1.5 – Overview (1)

SLIDE 25

CIP-005-5 Part 1.5 – Overview (2)

  • Applies only to Electronic Access Points (EAPs)
  • Applies only to High/Medium Control Centers
    ‒ specifically RC, BA, TO, GO
  • Best Practice – apply to all EAPs…
SLIDE 26

CIP-005-5 Part 1.5 – Questions

  • A couple of questions answered first…
SLIDE 27

CIP-005-5 Part 1.5 – Question 1

  • Why include outbound communications?
SLIDE 28

CIP-005-5 Part 1.5 – Answer

  • Compromised BCA – outside communication (Command and Control)
  • First level of defense to stop Command & Control (C&C) exploit
  • Know what you connect to and limit traffic to those communications; needs to include:
    ‒ Normal Operations
    ‒ Emergency Operations
    ‒ Support
    ‒ Maintenance
    ‒ Troubleshooting
SLIDE 29

CIP-005-5 Part 1.5 – Question 2

  • Do we need two separate devices?
  • Part 1.5 is a direct result of FERC Order 706, Paragraphs 496-503
  • ESPs required to have two DISTINCT security measures
  • Further explanation in FERC Order 706-A, paragraph 66 – requirement for two separate and distinct electronic devices (but that doesn’t necessarily mean two physical devices) for defense-in-depth

SLIDE 30

CIP-005-5 Part 1.5 – Answer

  • Short Answer: No.
  • CIP Version 5 FAQs – Need one or more METHODS… not physical devices… modules CAN reside on same appliance

SLIDE 31

CIP-005-5 Part 1.5 – Guidelines

  • Guidelines and Technical Basis Overview
SLIDE 32

CIP-005-5 Part 1.5 – Guidelines (1)

  • Large ranges of internal addresses allowed (ephemeral ports…)
  • You know what ranges are required – (Document)
  • Suggest communication through EAP to the Entity’s address space ONLY – no internet
  • Know what you talk to – both inside and outside of ESP – (Document)
  • Need to detect rogue connections and block
SLIDE 33

CIP-005-5 Part 1.5 – Guidelines (2)

  • “Deny by default” – need to see explicit (or implicit) “deny all” in ruleset
  • Direct serial or non-routable connections not included
  • Use common sense and due diligence
  • Fail “open” but maintain perimeter protection
  • Show malicious traffic inspection – (Document)
  • Require “deep packet inspection”
  • Redundancy of firewalls does NOT count
SLIDE 34

CIP-005-5 Part 1.5 – Audit Approach

  • ReliabilityFirst’s Audit Approach
SLIDE 35

CIP-005-5 Part 1.5 – Audit Approach (1)

  • Most entities – EAP is a firewall (Juniper, Cisco, Microsoft, Check Point, Palo Alto, Sophos, WatchGuard, Barracuda, many others…) – first line of defense
  • May add modules, separate systems, taps to monitor ingress – egress traffic on EAP
  • May be host-based or network-based for malicious communications – Entity decision – (Document)
  • Updates – Software / Firmware
  • Change control for updates
SLIDE 36

CIP-005-5 Part 1.5 – Audit Approach (2)

  • Testing signatures and rules prior to deployment
  • Testing of recovery from failure
  • Process updates from new or unknown alarms or alerts
  • Process for false positives?
  • Tell us your story – help audit team understand your environment

SLIDE 37

CIP-005-5 Part 1.5 – Review

  • Need to show separation of method
  • Failure of IPS/IDS must be “open”
  • Deny by default rules
  • Justification for rules
  • Outgoing rules required
  • Testing of signatures and rules updates
  • Unrestricted rules (any any) heavily scrutinized
  • Tell your story – know your connections
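Several of the review items above, and the “deny by default” and “know what you talk to” points from the Guidelines slides, can be checked mechanically before an audit team ever sees the ruleset. The following Python snippet is an added example, not part of the workshop or any ReliabilityFirst tooling: it walks a ruleset and reports a missing deny-all terminator, allow rules without a documented justification, the absence of outbound rules, and unrestricted “any any” rules. The rule fields and SAMPLE_RULESET are constructed for this illustration; they are not a vendor syntax and not any entity's actual policy, so a real check would first export and normalise the device's own configuration into this shape.

```python
"""Ruleset self-check, added to illustrate the review items on the slide.

Walks an EAP ruleset and reports the things the slides say auditors look
for: a deny-by-default terminator, a justification for every allow rule,
the presence of outbound rules, and unrestricted "any any" rules. The
rule fields and SAMPLE_RULESET are constructed for this example; they are
not a vendor syntax and not any entity's policy.
"""
from typing import Dict, List

Rule = Dict[str, str]

SAMPLE_RULESET: List[Rule] = [
    {"id": "10", "dir": "in", "action": "allow", "src": "192.0.2.0/24", "dst": "10.10.0.5",
     "proto": "tcp", "dport": "443", "justification": "partner link to control center front end"},
    {"id": "20", "dir": "out", "action": "allow", "src": "10.10.0.0/24", "dst": "198.51.100.7",
     "proto": "udp", "dport": "123", "justification": "time sync to entity NTP server"},
    {"id": "30", "dir": "in", "action": "allow", "src": "any", "dst": "any",
     "proto": "any", "dport": "any", "justification": ""},
    {"id": "40", "dir": "out", "action": "allow", "src": "10.10.0.0/24", "dst": "any",
     "proto": "tcp", "dport": "80", "justification": ""},
    {"id": "999", "dir": "in", "action": "deny", "src": "any", "dst": "any",
     "proto": "any", "dport": "any", "justification": "default deny"},
]

WILDCARD_FIELDS = ("src", "dst", "proto", "dport")


def is_deny_all(rule: Rule) -> bool:
    """True for a rule that denies every source, destination, protocol and port."""
    return rule["action"] == "deny" and all(rule[f] == "any" for f in WILDCARD_FIELDS)


def audit_ruleset(rules: List[Rule]) -> List[str]:
    findings: List[str] = []

    # Deny by default: each direction should end in an explicit deny-all, or the
    # platform's implicit default deny must be documented for the audit team.
    for d in ("in", "out"):
        dir_rules = [r for r in rules if r["dir"] == d]
        if not dir_rules:
            findings.append(f"no {d}bound rules at all")
        elif not is_deny_all(dir_rules[-1]):
            findings.append(f"{d}bound rules do not end with an explicit deny-all; "
                            f"document the implicit default deny")

    # Outgoing rules required: the EAP must state which outbound communications are allowed.
    if not any(r["dir"] == "out" and r["action"] == "allow" for r in rules):
        findings.append("no outbound allow rules: outbound communications are undocumented")

    # Justification and "any any" scrutiny apply to every allow rule.
    for r in rules:
        if r["action"] != "allow":
            continue
        if not r["justification"].strip():
            findings.append(f"rule {r['id']}: allow rule has no documented justification")
        if r["src"] == "any" and r["dst"] == "any":
            findings.append(f"rule {r['id']}: unrestricted 'any any' allow rule")
        elif r["dir"] == "out" and r["dst"] == "any":
            findings.append(f"rule {r['id']}: outbound allow to any destination "
                            f"(not limited to the entity's address space)")
    return findings


if __name__ == "__main__":
    for line in audit_ruleset(SAMPLE_RULESET):
        print("FINDING:", line)
```

On the constructed ruleset this produces five findings: the outbound side has no deny-all terminator, rule 30 is an unjustified “any any” allow sitting ahead of the inbound deny, and rule 40 is unjustified and lets inside hosts reach any destination rather than the entity's own address space. Each finding maps to a bullet on the Review or Guidelines slides, which makes the output a useful starting point for the “tell your story” discussion rather than a verdict.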
SLIDE 38

Questions & Answers

Forward Together • ReliabilityFirst