CIP 101 Training: CIP-007-3a Cyber Security – System Security Management – PowerPoint PPT Presentation



SLIDE 1
CIP 101 Training – CIP-007-3a Cyber Security – System Security Management Overview
September 24-25, 2013, Salt Lake City, UT

Wally Magda, CISSP, PSP, CISA – Compliance Auditor, Cyber Security
Eric Weston – Compliance Auditor, Cyber Security

SLIDE 2
No animals were hurt in the production of this presentation!

SLIDE 3

SLIDE 4
CIP-007-3a Cyber Security System Security Management – Agenda

  • Requirement Overview
  • Why do we need it?
  • Overview – What is it?
  • What makes it so difficult?
  • Relation to other standards
  • Audit Approach – What are we looking for?
  • Additional Resources – tools, tasks, tips…

SLIDE 5
CIP-007-3a Requirement Overview – Systems Security Management

  • R1 – Test Procedures
  • R2 – Ports and Services
  • R3 – Security Patch Management
  • R4 – Malicious Software Prevention
  • R5 – Account Management
  • R6 – Security Status Monitoring
  • R7 – Disposal or Redeployment
  • R8 – Cyber Vulnerability Assessment
  • R9 – Document Review and Maintenance

SLIDE 6
CIP-007-3a Why do we need it?

  • Control systems are experiencing the same issues and vulnerabilities seen in IT
  • Security through obscurity is not security
  • Reduce attack vectors for CCA compromise by securing not only the CCAs but all cyber assets
  • Consistent, reliable and reasonable security management practices for all cyber assets within the ESP

SLIDE 7
CIP-007-3a Why do we need it?

  • Protect from the weakest link syndrome – the security of the ESP is only as strong as the least protected assets
  • Utilities and related vendors are high risk targets
  • Raise the bar in assuring cyber assets are afforded a level of protection
  • CIPs specify rigorous minimum standards

SLIDE 8
CIP-007-3a Why do we need it?

http://xanthus-consulting.com/IntelliGrid_Architecture/High_Level_Concepts/HLC_Network_Management.htm

SLIDE 9
CIP-007-3a Why do we need it?

http://bit.ly/10gWIrm

SLIDE 10
CIP-007-3a Why do we need it?

SLIDE 11
CIP-007-3a Why do we need it?

  • Isolated networks
  • Proprietary protocols
  • Serial communication (point-to-point)
  • Modem access for operational management
  • Separate management
  • IT versus EMS personnel, aka IT and OT
  • Non-IT based architectures
  • Long life of devices – 20+ years

SLIDE 12
CIP-007-3a Why do we need it?

SLIDE 13
CIP-007-3a Why do we need it?

  • Increasing integration of IT based technologies
  • TCP/IP enabled controllers and IO devices that utilize traditional “IT” technology
    § HTTP, SNMP, FTP, DHCP, OPC, DCOM, ActiveX, Java
  • Open communication protocols for automation
    § Modbus/TCP, Ethernet/IP, Foundation Fieldbus High Speed Ethernet (HSE), Interface for Distributed Automation (IDA), PROFInet
  • Significant remote access capabilities (intentional and unintentional) to critical devices controlling the Bulk Electric System (BES)

SLIDE 14
CIP-007-3a Why do we need it?

  • Increasing integration of IT based technologies
  • COTS operating systems – Windows, Unix, Linux, etc.
  • Network/system management being integrated with general IT support personnel
  • IT based security solutions

SLIDE 15
CIP-007-3a Why do we need it?

  • Retrofit of old equipment with newer technologies
  • CIP Standards require investment in cyber and physical security controls and management practices
  • InfoSec awareness increasing

SLIDE 16
CIP-007-3a Why do we need it?

  • Perceived “air-gapped network” may lead to lax security controls
  • Functional testing and not security testing
  • Not understanding all communication paths on the network
  • Vulnerable protocols (http, snmp, ftp, telnet, etc.)
  • Malware (Stuxnet, Duqu, Flame, Aurora and Shamoon)

SLIDE 17
CIP-007-3a Why do we need it?

  • Vendor / contractor access – their level of InfoSec practices – trust them? Attackers look for trust relationships to exploit
  • User account management – use of shared accounts
  • Insider risk – continued high levels of trust
  • Privilege escalation
  • Mis-operation – oops

SLIDE 18
CIP-007-3a Why do we need it?

http://pwnieexpress.com/products/power-pwn

SLIDE 19
CIP-007-3a Why do we need it?

  • Onboard high-gain 802.11b/g/n wireless
  • Onboard high-gain Bluetooth (up to 1000')
  • Onboard dual-Ethernet
  • Fully functional 120/240v AC outlets!
  • Includes 16GB internal disk storage
  • Preloaded with Debian 6, Metasploit, SET, Fast-Track, w3af, Kismet, Aircrack, SSLstrip, nmap, Hydra, dsniff, Scapy, Ettercap, Bluetooth/VoIP/IPv6 tools, & more!
  • Unpingable and no listening ports in stealth mode

SLIDE 20
CIP-007-3a Why do we need it?

SLIDE 21
CIP-007-3a Why do we need it?

  • How do we keep the lights on when the switch is connected to the internet?

SLIDE 22
CIP-007-3a Why do we need it?
Threat Overview – Identify, Analyze, Warn & Protect

  • 1. Unstructured threat
    • Insiders
    • Recreational
    • Institutional hackers
  • 2. Structured (or organized) threat
    • Organized crime
    • Industrial espionage
    • Terrorists
  • 3. State sponsored threats
    • Intelligence agencies of other nation states
    • Information warriors, operating under the direction of foreign governments

SLIDE 23
CIP-007-3a Why do we need it?
Shopping For Zero-Days: A Price List

http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/

SLIDE 24
CIP-007-3a Why do we need it?
Advanced Persistent Threat [APT]

  • Advanced – skilled
    • Utilizes latest attack techniques
    • Leverages readily available software and Social Networks
    • Usually involves knowledge of specific operating system and/or application weaknesses/vulnerabilities – prefer new zero-day
    • May involve Code Reversing and Fuzzing techniques to identify weaknesses in specific targeted systems
  • Persistent – patient
    • Intent is permanence – even after system reboot
    • Back channel communication to Command and Control (C&C) system
    • Not in any hurry – may be dormant for long periods
  • Threat – well funded
    • Focused attack
    • May evolve over time – add signatures and/or additional attack vectors

SLIDE 25
CIP-007-3a Why do we need it?
Security Countermeasures & Controls

  • “Know Thyself”
  • Defense in Depth security strategy
  • Firewalls
  • IDS
  • Encryption
  • log, monitor, alert
  • access controls
  • operational security practices
  • CIP Standards
  • Outbound controls – identification of covert channels

SLIDE 26
CIP-007-3a Why do we need it?

  • Application white-listing/black listing
  • Secure SCADA Control Protocol (SSCP) – being tested
  • Bi-directional authenticated devices – encrypted tunnels
  • Firmware code validation on the fly
  • Information sharing – other utilities and ES-ISAC
  • US Labs are actively involved with testing and building new tool sets for Smartgrid and current state of cyber attacks against control systems

SLIDE 27
CIP-007-3 Overview – What is it?

  • “Standard CIP-007-3 requires Responsible Entities to define methods, processes, and procedures for securing those systems determined to be Critical Cyber Assets, as well as the other (non-critical) Cyber Assets within the Electronic Security Perimeter(s).”
  • Includes ALL Cyber Assets within the Electronic Security Perimeter (ESP) (CIP-007-3 Purpose statement)
  • Includes ALL physical and electronic access control and monitoring systems (CIP-005-3 EACM R1.5 & CIP-006-3 PACS R2.2)

SLIDE 28
What makes it so difficult?

  • 9 Requirements, 32 sub-requirements
  • Requires many detailed procedures
  • All require significant documentation
  • All require lots of performance evidence
  • There are no shortcuts

SLIDE 29
What makes it so difficult?

http://www.nerc.com/pa/comp/Compliance%20Violation%20Statistics%20DL/Key%20Compliance%20Trend%20for%20May%20BOTCC-%20FINAL.pdf

SLIDE 30
What makes it so difficult?

http://www.nerc.com/pa/comp/Compliance%20Violation%20Statistics%20DL/Key%20Compliance%20Trend%20for%20May%20BOTCC-%20FINAL.pdf

SLIDE 31
What makes it so difficult?

http://www.nerc.com/pa/comp/Compliance%20Violation%20Statistics%20DL/Key%20Compliance%20Trend%20for%20May%20BOTCC-%20FINAL.pdf

SLIDE 32
What makes it so difficult?

  • Analyzing Publicly Available Enforcement Data Webinar
    • Analyzing Enforcement Data
    • Identifying pertinent reliability issues and trends
    § Ed Kichline, Associate Director, Enforcement Processing, August 29, 2013

http://www.nerc.com/pa/comp/compenforcewebinars/How%20to%20Navigate%20Enforcement%20Public%20Information%20(8_29_13)%20(2).pdf
https://cc.readytalk.com/cc/playback/Playback.do?id=22kjjx
http://www.nerc.com/pa/comp/Pages/Enforcement-and-Mitigation.aspx

SLIDE 33
What makes it so difficult?

  • Technical Feasibility Exemptions (TFE) Applicability
    § R2.3 (cannot disable ports and services)
    § R3.2 (cannot implement security patch)
    § R4 (cannot install anti-virus/anti-malware)
    § R5.3; R5.3.1; R5.3.2; R5.3.3 (cannot meet password requirements)
    § R6; R6.3 (cannot log or monitor security events)

SLIDE 34
What makes it so difficult?

  • Over 3,800 TFE Requests last 3 years
  • Proposed Revisions – ROP Appendix 4D
    • The revisions streamline and simplify the current process
    • FERC approved 3 September 2013
    • Stay tuned
    § http://elibrary.ferc.gov/idmws/common/opennat.asp?fileID=13342539

SLIDE 35
Relation to other standards

  • CIP-005 – Access Point focused
    • TO and THROUGH the access points
    • Ensure adequate controls are in place to protect the Access Points
    • Ensure access THROUGH the Access Point is controlled (bi-directional restrictive controls)
  • CIP-007 – ESP cyber asset focused
    • TO every cyber asset within ESP
    • TO and THROUGH infrastructure devices (switches/routers) within the ESP (not access point)
    • Ensure adequate security controls are implemented on all cyber assets within the ESP to provide protections for the CCAs within the ESP
    • End Point security (authentication, AV, logging, etc.)

SLIDE 36
Relation to other standards

[Diagram: CorpNet and EMS WAN connect through Firewall/Router Access Points (CIP-005) into the EMS Electronic Security Perimeter; inside the ESP (CIP-007): Workstations, File Server, Access Control Server, EMS Servers, Printers, Routers, Switches and CCAs]

SLIDE 37
Relation to other standards

[Diagram: the same EMS Electronic Security Perimeter drawing as slide 36 (CorpNet, EMS WAN, Firewalls, Routers, Switches, Workstations, File Server, Access Control Server, EMS Servers, Printers, CCAs), CIP-005 at the Access Points and CIP-007 across the ESP]

SLIDE 38
Audit Approach – What are we looking for?

  • Performance evidence for all requirements and sub-requirements
    • Logs
    • Emails
    • Screenshots
    • Configuration files
    • Testing evidence
    • CVA assessment report
    • Change control evidence
    • Anything else that demonstrates compliance

SLIDE 39
Audit Approach – What are we looking for?

  • Auditors are fact finders – we want to see all pertinent facts
  • Entity must demonstrate compliance
  • We want to see documented processes and procedures
  • We want to see an auditable trail of evidence
  • Evidence should be in common application formats (.pdf, text, Word, Excel – please export Visio drawings to .pdf)

SLIDE 40
Audit Approach – What are we looking for?

  • Actively manage all cyber assets in the ESPs
  • Testing – changes to devices require security testing
  • Configurations – current baselines, ports/services, etc.
  • Updates – process, procedures, testing and implementation
  • Anti-Virus/Anti-Malware – current and active
  • Manage user access – process, procedures, shared/default
  • Logging and Alerts – active, reviewed, response
  • Device inventory management – disposal and redeployment
  • Vulnerability Assessment – all devices, annually
  • Document, Document, Document – is there an audit trail

SLIDE 41
Audit Approach – What are we looking for?

  • Security controls overview
  • Testing procedures for all cyber assets including actual testing evidence
  • Architectural drawings
  • Ports and services documentation
  • Log files for past 90 days from notice of audit
  • Alert configurations and evidence of performance and response

SLIDE 42
Audit Approach – What are we looking for?

  • User access list and logging of security events
  • Current Anti-Virus/Anti-Malware status – demonstrate active & current
  • Bookend data – proof of performance for previous period (annual) – R5.1.1, R5.1.3, R5.3.3, R8, R9
  • Approvals and signatures for policy and procedures

SLIDE 43
Audit Approach – What are we looking for?

  • Vulnerability Assessment evidence
  • Raw files
  • Vulnerability Assessment findings mitigation evidence
  • Destruction and redeployment evidence

SLIDE 44
Audit Approach – What are we looking for?

  • 6.56 Auditors must obtain sufficient, appropriate evidence to provide a reasonable basis for their findings and conclusions…
  • 6.57 …In assessing the sufficiency of evidence, auditors should determine whether enough evidence has been obtained to persuade a knowledgeable person that the findings are reasonable.
  • 6.60 Appropriateness is the measure of the quality of evidence that encompasses the relevance, validity, and reliability of evidence used for addressing the audit objectives and supporting findings and conclusions…

GAGAS – Government Auditing Standards (2011 Revision): www.gao.gov/govaud/iv2011gagas.pdf

SLIDE 45
Audit Approach – What are we looking for?
Ensuring the auditors have sufficient and appropriate evidence to determine and support the findings

  • Clarification of evidence – RSAW, procedures, performance data, etc.
  • Missing evidence – performance and/or procedures
  • Bookend evidence (R5.1.1, R5.1.3, R5.3.3, R8, R9)
  • Attestations

SLIDE 46
Audit Approach – What are we looking for?
Interviews often lead to additional data requests

  • Describe… various requirement procedures and processes (testing, production-like testing, Anti-Virus management, Vulnerability Assessment process, Alerting process, logging controls, ports and services identification, configuration management, etc.)
  • Describe your access management controls
  • Any questions that are a result of evidence analysis (explanation and clarification)

SLIDE 47
Additional Resources – tools, tasks, tips…

  • WECC outreach presentations website
    • https://www.wecc.biz/compliance/outreach/Pages/default.aspx
  • WECC Compliance website – note country links
    • http://www.wecc.biz/compliance/Pages/default.aspx

SLIDE 48
Additional Resources – tools, tasks, tips…

SLIDE 49
Additional Resources – tools, tasks, tips…

  • WECC – call us with questions – prefer use of WECC CIP SME list for specific standard

http://www.wecc.biz/compliance/United_States/Documents/WECC%20Subject%20Matter%20Experts%20List.pdf

SLIDE 50
Additional Resources – tools, tasks, tips…
We are here as a resource for you

  • CIPUG events
  • WECC.biz and NERC.com
  • Google is your friend – watch out for dis-info
  • Audit Notice – Appendix G
  • Tools
    • OS tools: netstat
    • network scanners: nmap, Nessus
    • vulnerability & penetration tools: Nessus, Core Impact, Metasploit
    • Assessments: CSET

SLIDE 51
Additional Resources – tools, tasks, tips…

  • Cyber Security Evaluation Tool (CSET)
    • Department of Homeland Security (DHS) tool provides users with a systematic and repeatable approach for assessing the security posture of their cyber systems and networks
    • High-level and detailed questions related to all industrial control and IT systems
    • At no extra cost; paid for by our tax dollars :)

http://www.us-cert.gov/control_systems/csetdownload.html

SLIDE 52
Additional Resources – tools, tasks, tips…

  • Mapping Document Showing Translation of CIP-002-4 to CIP-009-4 into CIP-002-5 to CIP-009-5, CIP-010-1, and CIP-011-1
  • Note: CIP-003-3 thru CIP-009-3 similar to CIP-00x-4 series
  • http://www.nerc.com/docs/standards/sar/Mapping_Document_for_CIP_V5_Clean_(2012-0911).pdf

SLIDE 53
CIP-007-3a Cyber Security System Security Management – Summary of Agenda

  • Requirement Overview
  • Why do we need it?
  • Overview – What is it?
  • What makes it so difficult?
  • Relation to other standards
  • Audit Approach – What are we looking for?
  • Additional Resources – tools, tasks, tips…

SLIDE 54
Questions?

Eric Weston, Compliance Auditor, Cyber Security, Western Electricity Coordinating Council (WECC) – Eweston@wecc.biz – Phone: 801-819-7630
Wally Magda, CISSP, PSP, CISA, Compliance Auditor – Cyber Security, Western Electricity Coordinating Council (WECC) – wmagda@wecc.biz – Mobile: 385-227-0724

SLIDE 55
CIP 101 Training – CIP-007-3a Cyber Security – System Security Management
September 24-25, 2013, Salt Lake City, UT

Wally Magda, CISSP, PSP, CISA – Compliance Auditor, Cyber Security
Eric Weston – Compliance Auditor, Cyber Security

SLIDE 56
WECC CIP-101 Disclaimer

  • The WECC Cyber Security team has created a sample Registered Entity, Billiam Power Company (BILL), and fabricated evidence to illustrate key points in the CIP audit processes.
  • Any resemblance of BILL to any actual Registered Entity is purely coincidental.
  • All evidence presented, auditor comments, and findings made in regard to BILL during this presentation and the mock audit are fictitious, but are representative of audit team activities during an actual audit.

SLIDE 57
Mock Audit Approach

  • Review of WECC audit approach by the auditors for each CIP-007-3 requirement
  • Review of ‘Billiam’ Evidence
  • Sample Data Requests
  • Sample Interview questions
  • Discussion and interactive audit of requirements

SLIDE 58
Data Retention

  • Per Data Retention in Standard section 1.4
  • “The Responsible Entity shall keep all documentation and records from the previous full calendar year ……
  • Does that statement give you a documentation “get out of jail card” for the full audit period?

SLIDE 59
Data Retention

  • The Registered Entity will be expected to demonstrate compliance [for the entire audit period]
  • If a Reliability Standard specifies a document retention period that does not cover [the entire audit period], the Registered Entity will not be found in noncompliance solely on the basis of the lack of specific information that has rightfully not been retained based on the retention period specified in the Reliability Standard

SLIDE 60
Data Retention

  • However, in such cases, the Compliance Enforcement Authority will require the Registered Entity to demonstrate compliance [for the entire audit period] through other means
    • (NERC, 2013 June 25, Compliance Monitoring and Enforcement Program: Appendix 4C, Section 3.1.4.2, para 2, p. 9)
  • 90 day logs prior to date of audit notice letter

SLIDE 61
Terms used in NERC Reliability Standards

  • Cyber Assets – Programmable electronic devices and communication networks including hardware, software, and data.
  • Critical Cyber Assets – Cyber Assets essential to the reliable operation of Critical Assets.
  • Electronic Security Perimeter – The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.

SLIDE 62
Catch-All Requirements

  • CIP-005-3 R1.5 (EACMs)
    • Cyber Assets used in the access control and/or monitoring of the Electronic Security Perimeter(s) shall be afforded the protective measures as a specified in Standard CIP-003-3; Standard CIP-004-3 Requirement R3; Standard CIP-005-3 Requirements R2 and R3; Standard CIP-006-3 Requirement R3; Standard CIP-007-3 Requirements R1 and R3 through R9; Standard CIP-008-3; and Standard CIP-009-3.

SLIDE 63
Catch-All Requirements

  • CIP-006-3c R2.2 (PACS)
    Protection of Physical Access Control Systems — Cyber Assets that authorize and/or log access to the Physical Security Perimeter(s), exclusive of hardware at the Physical Security Perimeter access point such as electronic lock control mechanisms and badge readers, shall:
    • R2.2. Be afforded the protective measures specified in Standard CIP-003-3; Standard CIP-004-3 Requirement R3; Standard CIP-005-3 Requirements R2 and R3; Standard CIP-006-3 Requirements R4 and R5; Standard CIP-007-3; Standard CIP-008-3; and Standard CIP-009-3.

SLIDE 64
CIP-002-3 R3

  • Critical Cyber Asset (CCA) list(s), even if null, determined through review of all cyber assets associated with every identified Critical Asset. The review must include all criteria found in CIP-002-3 R3.

SLIDE 65
CIP-002-3 R3 Critical Cyber Asset List

SLIDE 66
CIP-002-3 R3 CCA list

SLIDE 67
Billiam EMS Architecture – Billiam Electronic Security Perimeters

[Diagram: networks CorpNet, EMS WAN, BUCC WAN, WON, DMZ1, BUCC EMS Net and EMS Net at sites BU1, CC1 and SU1 (SUB1); Access Points PIX FW, ASA FW1, ASA FW2, ASA FW3; RTR 1-4, SW3, SW4; CCAs EMS 1-6, EMS Console 1-6, ICCP 1-2, HPUX 1-2, DC1, DC2, HMI1, HMI-2, Relay 1-3; also WKS1-3, HP PTR1-2 and LogRhythm Syslog1; marked CIP CONFIDENTIAL]

SLIDE 68
Is Hypervisor in-scope?

  • Any Hypervisor running a VM determined to be a CCA brings the Host in as a CCA
  • In addition ALL VM Cyber Assets on the Host machine are in-scope of CIP Standards

SLIDE 69
Mixed-Mode

  • Configuration where both in-scope and out-of-scope virtual Cyber Assets are running on the same hypervisor or host
  • Mixing VMs of different trust levels is not a recommended configuration

[Diagram legend: CIP Protected (in-scope) / Not CIP Protected (out-of-scope)]

SLIDE 70
CAN-0051 (in Development ????)

  • CCA designation of management console for virtual machine (VM) technology
    • With the Management Console having the capabilities for impacting the CCA VM Client, the Management Console should be considered a CCA
    • With the expanded usage of Virtual Machine technology it is in the best interest of the industry to have this clearly outlined to make sure the overall reliability of the BES is maintained

http://www.nerc.com/files/CAN%20Status%20and%20Priority%20List%2020120608.xls
http://www.nerc.com/page.php?cid=3|22|354

SLIDE 71
Virtual Machines & Storage

  • Not a new CIP concept
  • Cyber Assets that should be considered include, at a minimum:
    • Hardware platforms running virtual machines or virtual storage
    § Identifying Critical Cyber Assets, Version 1.0, pg. 6
    § Approved by: Critical Infrastructure Protection Committee, Effective Date: June 17, 2010

http://www.nerc.com/fileUploads/File/Standards/Critcal%20Cyber%20Asset_approved%20by%20CIPCl%20and%20SC%20for%20Posting%20with%20CIP-002-1,%20CIP-002-2,%20CIP-002-3.pdf

SLIDE 72
Cyber Assets

Identifying Critical Cyber Assets, Version 1.0, pg. 6

SLIDE 73
CIP-007-3 R1 – Test Procedures

  • Test Procedures — The Responsible Entity shall ensure that new Cyber Assets and significant changes to existing Cyber Assets within the Electronic Security Perimeter do not adversely affect existing cyber security controls.
  • A significant change shall, at a minimum, include:
    • security patches
    • cumulative service packs
    • vendor releases
    • version upgrades – operating systems, applications, database platforms, or other third-party software or firmware.

SLIDE 74
[CIP-007-3 R1] Audit Approach – What are we looking for?

  • Technical narrative describing testing environment(s)
  • Documented testing procedures for each cyber asset within the ESP – must verify security controls (R1.1)
  • Entity definition of “significant change”
  • Evidence of security testing – not functional testing – before and after change evaluation
  • How is test environment similar/dissimilar to production environment
  • Are controls in place to protect production environment

SLIDE 75
[CIP-007-3 R1] Audit Approach – what are we looking for? [continued]

  • Definition of testing environment for each asset or asset type
  • Testing and Change Control processes – integrated in CIP-003 R6?
  • Define asset baselines – approved and documented configurations
  • Documentation of testing being performed
    • what tests are performed and why
    • testing results (compared to baselines?)
    • approvals – clear processes and documentation trail to audit (R1.3)

SLIDE 76
[CIP-007-3 R1] Audit Approach – what are we looking for? [continued]

  • Evidence that the test plans were followed
  • Baselines updated as part of Testing Procedures – who/when/why/how
  • Approvals prior to production

SLIDE 77
FERC NOPR

  • P 609. “… the Commission understands that test systems do not need to exactly match or mirror the production system in order to provide useful test results. However, to perform active testing, the responsible entities should be required at a minimum to create a “representative system” – one that includes the essential equipment and adequately represents the functioning of the production system. …”
  • P 609 states “representative system”. No mention of using production backup

SLIDE 78
Frequently Asked Questions (FAQ’s)

  • Original v1 FAQs developed in 2004
  • Filed with FERC in 2006
  • Good to help understand original approach
  • Tread carefully – FAQ not the final answer
  • FAQ is not the CIP
  • Experience, lessons learned, events analysis factored into audit approach and used in addition to FAQs
    § http://www.nerc.com/pa/Stand/Cyber%20Security%20Permanent/Cyber_Security_FAQ.pdf

SLIDE 79
Frequently Asked Questions (FAQ’s)

  • 1. Question: Is an isolated test environment required?
    • Answer: Electronic isolation is not required; the test environment is not required to be outside the Electronic Security Perimeter. A controlled non-production system can be used.
    • Audit team: Will look at controls in place, expect thorough review
  • 2. Question: Can a redundant system be used for testing?
    • Answer: The entity is responsible for determining the non-production systems in its environment. It is possible depending on the entity’s environment that a redundant system can be used for testing if it can be configured such that it does not introduce additional risk to production operations.
    • Audit team: Key words: “Such that it does not introduce additional risk”

SLIDE 80
What does v5 look like?

  • CIP-007-3a R1 moved to CIP-010-1 R1.4
    • Assess security controls following changes – Provides clarity on when testing must occur, and requires additional testing to ensure that accidental consequences of planned changes are appropriately managed. This change addresses FERC Order No. 706, Paragraphs 397, 609, 610, and 611.
  • CIP-007-3a R1.1 moved to CIP-010-1 R1.5
    • Test procedures – This requirement provides clarity on when testing must occur and requires additional testing to ensure that accidental consequences of planned changes are appropriately managed. This change addresses FERC Order No. 706, Paragraphs 397, 609, 610, and 611.

SLIDE 81
What does v5 look like?

  • CIP-007-3a R1.2 moved to CIP-010-1 R1.5
    • Testing reflects production environment – This requirement provides clarity on when testing must occur and requires additional testing to ensure that accidental consequences of planned changes are appropriately managed. This change addresses FERC Order No. 706, Paragraphs 397, 609, 610, and 611.
  • CIP-007-3a R1.3 moved to CIP-010-1 R1.4 & 1.5
    • The Responsible Entity shall document test results. The SDT attempted to provide clarity on when testing must occur and removed requirement for specific test procedures because it is implicit in the performance of the requirement.
  • http://www.nerc.com/docs/standards/sar/Mapping_Document_for_CIP_V5_Clean_(2012-0911).pdf

SLIDE 82
CIP-007-3 R1 BPC Initial Evidence

SLIDE 83
[CIP-007-3 R1] Typical Data Requests

  • Change Control log for audit period
  • Provide test procedures for each device type or system within the EMS networks (EMS servers, routers/switches, workstations, etc.) that are used to determine if security related changes have taken place (CIP-007-3 R1.1).
  • Provide complete change control documentation (forms, baseline documents, testing procedures used, testing results documentation, approvals, etc.) for the following significant changes (NERC sampling methodology) [sample list]
  • Performance of testing to obtain current configuration versus baseline. [sample list]

SLIDE 84
NERC Sampling Methodology

Confidence level for the Sampling Methodology is set at 95%

SLIDE 85

SLIDE 86
[CIP-007-3 R1] Interview Topics

  • Are there specific test procedures for all cyber assets or group of assets?
  • Describe the test procedures – sample device types
  • Describe the test environment and how testing closely reflects the production environment – controls to protect production
  • How do you validate ports/services?

SLIDE 87
[CIP-007-3 R1] Interview Topics

  • Have there been any significant changes during the audit period?
  • Are there baseline configurations to compare test results against?
  • Are there any circumstances where security testing must be performed on the production environment? How is it performed and what controls are in place?

SLIDE 88
R1 Audit Evidence Examples

  • Windows Test Procedures
  • Security test checklist

SLIDE 89
CIP-007-3 R1 Test Procedures

SLIDE 90
CIP-007-3 WMI Test Procedures

SLIDE 91
CIP-007-3 R1 BPC Security Checklist

SLIDE 92
CIP-007-3 R2 – Ports and Services

  • The Responsible Entity shall establish, document and implement a process to ensure that only those ports and services required for normal and emergency operations are enabled.
  • Normal and Emergency operations
  • TFEs? – Compensating measures (R2.3)

slide-93
SLIDE 93

93

CIP-007

  • Responsible Entities should work with all

vendors of systems and applications of applicable cyber assets in their infrastructure to determine required ports and services. Most if not all vendors will have some form of documentation detailing this information.

ERO Compliance Analysis Report Reliability Standards CIP-006 and CIP-007 -- December 2010

http://www.nerc.com/files/ERO%20CIP-006%20and%20CIP-007%20Compliance%20Analysis%20Report%20for%20Posting.pdf

slide-94
SLIDE 94

94

  • Documentation of procedures to identify and manage required ports/services
  • What service is running on what port
  • TCP and UDP ports (listening and established states)
  • Vendor documentation may assist in defining required ports and services and their operational purpose
  • Required ports defined and documented
  • Cyber Asset specific
  • Normal or Operational requirement?
  • Are high risk ports/services running?

[CIP-007-3 R2] Audit Approach – What are we looking for?

slide-95
SLIDE 95

95

  • Procedures to ensure only required ports/services are enabled for new/changed devices (R1)
  • What tests are performed to validate correct configurations – who, when, how, tools (R1, R8)
  • TFE required? Why not feasible, vendor evidence, compensating measures in place (R2.3)

[CIP-007-3 R2] Audit Approach – What are we looking for? [continued]

slide-96
SLIDE 96

96

C:\HMI-1>netstat

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    HMI-1:2111             localhost:33333        ESTABLISHED
  TCP    HMI-1:3616             localhost:10525        ESTABLISHED
  TCP    HMI-1:5152             localhost:1573         CLOSE_WAIT
  TCP    HMI-1:10525            localhost:3616         ESTABLISHED
  TCP    HMI-1:33333            localhost:2111         ESTABLISHED
  TCP    HMI-1:netbios-ssn      172.16.105.1:56761     TIME_WAIT
  TCP    HMI-1:netbios-ssn      172.16.105.1:56762     TIME_WAIT
  TCP    HMI-1:netbios-ssn      172.16.105.1:56765     TIME_WAIT
  TCP    HMI-1:netbios-ssn      172.16.105.1:56766     TIME_WAIT

CIP-007-3 R2 Initial Evidence

slide-97
SLIDE 97

97

  • For the following servers and workstations (cyber assets) provide current “netstat” (netstat -b -o -a -n / netstat -p -a -l) or port scan (TCP/UDP) results. [sample list]
  • For the following network devices, provide current configuration files (i.e., show run all), ports and services running (scan results if they exist)
  • Provide a spreadsheet identifying all cyber assets, associated TFEs, and associated requirements

[CIP-007-3 R2] Typical Data Requests

slide-98
SLIDE 98

98

[CIP-007-3 R2] Typical Interview Questions

  • Describe the procedures used to identify the required ports/services
  • Are vendors involved with the definition of required ports/services?
  • Are there Cyber Assets on which ports and services cannot be disabled?
  • If so, what are the compensating measures in place?

slide-99
SLIDE 99

99

  • Netstat:
  • netstat -b -o -a -n > netstat_boan.txt
  • netstat -p -a -l > netstat_pal.txt
  • NMAP scan results
  • nmap -sT -sV -p T:0-65535 <IP_address> >> nmap_tcp.txt
  • nmap -sU -sV -p U:0-65535 <IP_address> >> nmap_udp.txt
  • show control-plane host open-ports
  • Manual review – show run config file (router or firewall)

R2 Audit Evidence Examples

slide-100
SLIDE 100

100

C:\Documents and Settings\HMI-1>netstat -b -o -a -n > netstat_boan.txt

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  C:\WINDOWS\system32\svchost.exe
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  [System]
  TCP    0.0.0.0:6002           0.0.0.0:0              LISTENING       428
  [spnsrvnt.exe]
  TCP    0.0.0.0:7001           0.0.0.0:0              LISTENING       248
  [sntlkeyssrvr.exe]
  TCP    0.0.0.0:7002           0.0.0.0:0              LISTENING       248
  [sntlkeyssrvr.exe]
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1656
  [dirmngr.exe]
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       2484
  [alg.exe]
  TCP    127.0.0.1:5152         0.0.0.0:0              LISTENING       1764
  [jqs.exe]
  TCP    127.0.0.1:33333        0.0.0.0:0              LISTENING       1856
  [PGPtray.exe]
  TCP    172.16.105.220:139     0.0.0.0:0              LISTENING       4
  [System]
  TCP    127.0.0.1:2111         127.0.0.1:33333        ESTABLISHED     1616
  UDP    0.0.0.0:7001           *:*                                    248
  [sntlkeyssrvr.exe]
  UDP    0.0.0.0:500            *:*                                    700
  [lsass.exe]
  UDP    0.0.0.0:4500           *:*                                    700
  [lsass.exe]
  UDP    0.0.0.0:445            *:*                                    4
  [System]
  UDP    127.0.0.1:123          *:*                                    1084
  c:\windows\system32\WS2_32.dll
  UDP    172.16.105.220:6001    *:*                                    428
  [spnsrvnt.exe]

HMI-1 Baseline Evidence
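As an added example that is not part of the deck, the comparison an entity (or an auditor checking the evidence) performs between the netstat listener output above and the documented list of required ports and services. The sample output is a subset of the HMI-1 lines on the slide; the REQUIRED_BASELINE table and the purposes in it are assumptions standing in for the entity's R2 documentation. The same comparison applies unchanged to nmap scan results once they are reduced to (protocol, port) pairs.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a subset of the HMI-1 "netstat -b -o -a -n" evidence on the
# slide, in the layout Windows prints it (owning executable on the line after
# each socket when -b is used).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  C:\\WINDOWS\\system32\\svchost.exe
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  [System]
  TCP    0.0.0.0:6002           0.0.0.0:0              LISTENING       428
  [spnsrvnt.exe]
  TCP    0.0.0.0:7001           0.0.0.0:0              LISTENING       248
  [sntlkeyssrvr.exe]
  TCP    127.0.0.1:33333        0.0.0.0:0              LISTENING       1856
  [PGPtray.exe]
  TCP    127.0.0.1:2111         127.0.0.1:33333        ESTABLISHED     1616
  UDP    0.0.0.0:7001           *:*                                    248
  [sntlkeyssrvr.exe]
  UDP    0.0.0.0:500            *:*                                    700
  [lsass.exe]
"""

# Hypothetical R2 baseline for HMI-1 (assumption): the documented ports/services
# required for normal and emergency operation, with their operational purpose.
REQUIRED_BASELINE: Dict[Tuple[str, int], str] = {
    ("TCP", 135): "Microsoft RPC endpoint mapper (OS requirement)",
    ("TCP", 445): "SMB (historian file transfer)",
    ("TCP", 6002): "SafeNet Sentinel license monitor",
    ("TCP", 7001): "SafeNet Sentinel keys server",
    ("UDP", 7001): "SafeNet Sentinel keys server",
}

# proto, local address, local port, foreign address, optional state, PID
CONN_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text: str) -> List[Dict]:
    """Return one record per exposed socket: TCP LISTENING and every UDP binding."""
    lines = text.splitlines()
    records = []
    for i, line in enumerate(lines):
        m = CONN_RE.match(line)
        if not m:
            continue
        proto, local, port, _foreign, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/closing sockets are clients, not services
        owner = ""
        if i + 1 < len(lines) and not CONN_RE.match(lines[i + 1]):
            owner = lines[i + 1].strip().strip("[]")
        records.append({"proto": proto, "port": int(port), "bind": local,
                        "pid": int(pid), "owner": owner})
    return records


def compare_to_baseline(records: List[Dict], baseline: Dict[Tuple[str, int], str]) -> Dict:
    """Sockets not on the baseline must be justified, disabled, or covered by a
    TFE; baseline entries with no live socket mean the documentation is stale."""
    seen = {(r["proto"], r["port"]) for r in records}
    unapproved = sorted((r for r in records if (r["proto"], r["port"]) not in baseline),
                        key=lambda r: (r["proto"], r["port"]))
    missing = sorted(k for k in baseline if k not in seen)
    return {"unapproved": unapproved, "missing": missing}


def report(records: List[Dict], baseline: Dict[Tuple[str, int], str]) -> List[str]:
    """Human-readable audit lines for the comparison."""
    result = compare_to_baseline(records, baseline)
    out = [f"{r['proto']}/{r['port']} ({r['owner']}, PID {r['pid']}): not on required list"
           for r in result["unapproved"]]
    out += [f"{p}/{port}: documented as required but not bound" for p, port in result["missing"]]
    return out or ["all bound sockets match the documented baseline"]


if __name__ == "__main__":
    for line in report(parse_netstat(NETSTAT_SAMPLE), REQUIRED_BASELINE):
        print(line)
```

On the sample the two sockets the entity has to explain are TCP/33333 (PGPtray.exe) and UDP/500 (lsass.exe, IPsec/ISAKMP); neither appears in the assumed baseline, so each needs a documented purpose, a disable action, or a TFE.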

slide-101
SLIDE 101

101

HMI-1 Evidence [continued]

root@bt# nmap -sT -sV -p T:0-65535 172.16.105.220

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-01-03 10:28 EST
Nmap scan report for 172.16.105.220
Host is up (0.00084s latency).
Not shown: 65528 closed ports
PORT     STATE SERVICE          VERSION
135/tcp  open  msrpc            Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds     Microsoft Windows XP microsoft-ds
777/tcp  open  multiling-http?
6002/tcp open  http             SafeNet Sentinel License Monitor httpd 7.3
7001/tcp open  afs3-callback?
7002/tcp open  http             SafeNet Sentinel Keys License Monitor httpd 1.0 (Java Console)
MAC Address: 00:0C:29:07:09:3B (VMware)
Service Info: Host: HMI-1; OS: Windows

slide-102
SLIDE 102

102

HMI-1 Evidence [continued]

root@bt# nmap -sU -sV -p U:0-65535 172.16.105.220

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-01-03 10:28 EST
Nmap scan report for 172.16.105.220
Host is up (0.00084s latency).
Not shown: 65527 closed ports
PORT     STATE         SERVICE      VERSION
123/udp  open          ntp          Microsoft NTP
137/udp  open          netbios-ns   Microsoft Windows NT netbios-ssn (workgroup: WORKGROUP)
138/udp  open|filtered netbios-dgm
445/udp  open|filtered microsoft-ds
500/udp  open|filtered isakmp
1900/udp open|filtered upnp
4500/udp open|filtered nat-t-ike
6001/udp open|filtered X11:1
MAC Address: 00:0C:29:07:09:3B (VMware)
Service Info: Host: HMI-1; OS: Windows

slide-103
SLIDE 103

103

EMS1 Evidence

slide-104
SLIDE 104

104

EMS1 Evidence [continued]

EMS1

root@bt:/# nmap -sT -sV -p T:0-65535 172.16.105.151

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-01-18 12:15 EST
Nmap scan report for 172.16.105.151
Host is up (0.034s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 5.3p1 Debian 3ubuntu6 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.2.14 ((Ubuntu))
111/tcp   open  rpcbind (rpcbind V2) 2 (rpc #100000)
42851/tcp open  status  (status V1) 1 (rpc #100024)
MAC Address: 00:0C:29:66:05:65 (VMware)
Service Info: OS: Linux

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.25 seconds

slide-105
SLIDE 105

105

EMS1 Evidence [continued]

EMS1

root@bt:/# nmap -sU -sV -p U:0-65535 172.16.105.151

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-01-18 12:15 EST
Nmap scan report for 172.16.105.151
Host is up (7.57s latency).
Not shown: 65533 closed ports
PORT    STATE         SERVICE VERSION
68/udp  open|filtered dhcpc
111/udp open          rpcbind
MAC Address: 00:0C:29:66:05:65 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1081.98 seconds
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 123.25 seconds

slide-106
SLIDE 106

106

Router Ports/Services

slide-107
SLIDE 107

107

#show run
…
ip http server
!
access-list 23 permit 172.16.105.200 0.0.0.0
access-list 23 permit 172.16.105.201 0.0.0.0
!
line vty 5 15
 transport input ssh
!
 access-class 23 in
!
ntp-server 172.16.105.88
...

Manual Review of Configs

slide-108
SLIDE 108

108

McAfee Engine Service

What is it? EngineServer service loads instances of the Engine and DATs to facilitate scanning for the features Email Scan, Script Scan, and the memory scan portion of On Demand Scan.
Is it required? YES - For systems belonging to the CIP Domain
IP Port numbers used: None (https://kc.mcafee.com/corporate/index?page=content&id=KB66797)
Reference: https://kc.mcafee.com/corporate/index?page=content&id=KB59389

McAfee Framework Service

What is it? The Framework Service controls the scheduled tasks and updating portion of the VirusScan Enterprise application.
Is it required? YES - If disabled, the McAfee VirusScan agent will not function correctly.
IP Port numbers used: https://kc.mcafee.com/corporate/index?page=content&id=KB66797

  Default Port   Protocol   Traffic direction
  8081           TCP        Inbound connection to the McAfee server.
  8082           TCP        Inbound connection to the McAfee server.
  80             TCP        Outbound connection from the McAfee server.
  443            UDP        Outbound connection from the McAfee server.

CIP-007-3 R2 Ports/Service

slide-109
SLIDE 109

109

  • …shall establish, document and implement a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all Cyber Assets within the Electronic Security Perimeter(s).
  • Change Control (CIP-003-3 R6)?
  • Documented assessment – 30 day timeframe (R3.1)
  • Compensating measures? (R3.2)

CIP-007-3 R3 – Security Patch Management

slide-110
SLIDE 110

110

CIP-007

  • Responsible Entities should consider leveraging a corporate level Patch Management Program if one does not exist for their Real-time systems area. Typically, the corporate level program will be established and include the necessary tracking, evaluating, testing, and installation of applicable cyber security patches required for all Cyber Assets within the Electronic Security Perimeter(s).

ERO Compliance Analysis Report Reliability Standards CIP-006 and CIP-007 -- December 2010

http://www.nerc.com/files/ERO%20CIP-006%20and%20CIP-007%20Compliance%20Analysis%20Report%20for%20Posting.pdf

slide-111
SLIDE 111

111

  • Documented procedures for the tracking, evaluating, testing and implementing of patches and updates
  • Evidence of monitoring of all installed software and firmware
  • Develop a list of all monitored applications/OS/firmware
  • Identify and document process and location for notifications of updates
  • Look to vendors where possible
  • Evidence of identification and evaluation of applicability within 30 days of availability
  • Evidence of implementation of patches as defined in documented procedures, evidence of testing prior to release to production
  • Provide evidence of the patch analysis and implementation of compensating measures if applicable patch/updates will not be implemented within 30 days
  • Risk of NOT implementing patches/updates – expectation of implementation
  • Submit TFE if applicable patch cannot be installed

[CIP-007-3 R3] Audit Approach – what are we looking for?
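The 30-day assessment and compensating-measure expectations in the list above can be tracked mechanically. The following is an added Python example, not the deck's or any entity's tool: the PatchRecord entries, patch names and dates are constructed, and treating 30 days from the assessment date as the point at which an uninstalled applicable patch needs a documented compensating measure is this example's own assumption about how R3.2 is read.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# R3.1: applicability must be assessed within 30 calendar days of availability.
ASSESSMENT_WINDOW = timedelta(days=30)
# Assumption for this example: an applicable patch still not installed 30 days
# after its assessment needs a documented compensating measure (R3.2).
IMPLEMENTATION_WINDOW = timedelta(days=30)


@dataclass
class PatchRecord:
    asset: str
    patch_id: str
    available: date                   # vendor release / notification date
    assessed: Optional[date]          # None = applicability not yet assessed
    applicable: Optional[bool]        # outcome of the assessment
    installed: Optional[date] = None
    compensating_measure: str = ""    # documented measure if not installed


def evaluate(rec: PatchRecord, as_of: date) -> List[str]:
    """Return the audit findings (empty list = none) for one tracked patch."""
    findings: List[str] = []
    tag = f"{rec.asset} / {rec.patch_id}"
    assess_by = rec.available + ASSESSMENT_WINDOW
    if rec.assessed is None:
        if as_of > assess_by:
            findings.append(f"{tag}: not assessed; 30-day assessment window ended {assess_by} (R3.1)")
        return findings  # nothing further can be judged until it is assessed
    if rec.assessed > assess_by:
        late = (rec.assessed - assess_by).days
        findings.append(f"{tag}: applicability assessed {late} days after the 30-day window (R3.1)")
    if rec.applicable and rec.installed is None:
        install_by = rec.assessed + IMPLEMENTATION_WINDOW
        if as_of > install_by and not rec.compensating_measure:
            findings.append(f"{tag}: applicable, not installed by {install_by}, "
                            f"and no compensating measure documented (R3.2)")
    return findings


def audit(records: List[PatchRecord], as_of: date) -> List[str]:
    """Findings across a whole tracking sheet."""
    findings: List[str] = []
    for rec in records:
        findings.extend(evaluate(rec, as_of))
    return findings


# Constructed tracking entries (hypothetical patch names and dates, not from the slides).
SAMPLE_RECORDS = [
    PatchRecord("EMS1", "OpenSSH security update", date(2012, 3, 1),
                date(2012, 3, 15), True, date(2012, 3, 30)),
    PatchRecord("HMI-1", "Windows RDP security bulletin", date(2012, 3, 13),
                date(2012, 5, 2), True, None,
                "host firewall permits TCP 3389 from the jump host only"),
    PatchRecord("EMS1", "Apache httpd update", date(2012, 6, 1), None, None),
    PatchRecord("HMI-1", "Sentinel license server update", date(2012, 6, 20),
                date(2012, 6, 25), True),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_RECORDS, date(2012, 8, 1)):
        print(line)
```

Run against the sample sheet as of 1 August 2012 the first record is clean, the second was assessed 20 days late but is covered by a compensating measure, the third has no assessment at all, and the fourth is applicable, uninstalled past its window and has nothing documented, which is exactly the R3.2 gap the data request asks about.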

slide-112
SLIDE 112

112

  • Hardware vendors do provide security patches and security upgrades to mitigate/eliminate vulnerabilities identified in their drivers and firmware.

Cyber Security software patches

slide-113
SLIDE 113

113

slide-114
SLIDE 114

114

CIP-007-3 R3 Initial Evidence

slide-115
SLIDE 115

115

  • Provide evidence of Cyber Security patch management tracking for the audit period for the following devices …
  • Provide list of all software (OS, firmware, applications) being monitored for security updates/patches and method used for monitoring
  • Provide evidence of security patch assessment of applicable systems within 30 days

[CIP-007-3 R3] Typical Data Requests

slide-116
SLIDE 116

116

[CIP-007-3 R3] Typical Interview Questions

  • Describe your patch management process
  • What technical and procedural controls are in place?
  • Describe the process to determine if a security patch/update is applicable
  • Are vendors involved with the determination?
  • Describe the decision process to decide if an update/patch will be installed
  • What are the compensating measures if an applicable patch will not be installed?

slide-117
SLIDE 117

117

R3 Audit Evidence Examples

slide-118
SLIDE 118

118

R3 Audit Evidence Examples

slide-119
SLIDE 119

119

  • …use anti-virus software and other malicious software (“malware”) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).
  • Signature updates
  • TFE
  • Compensating measures

CIP-007-3 R4 – Malicious Software Prevention

slide-120
SLIDE 120

120

Question: What is “malware?” Answer: Malware generally means malicious software such as viruses, worms, time-bombs, and Trojan horses. This software may be distributed through email attachments, unsecured remote procedure calls, Internet downloads, and opening infected files. Malware may delete or modify files, attempt to crack passwords, capture keystrokes, present unwanted pop-ups on screen, fill-up disc space, or other malicious and destructive activity, without the authorization or knowledge of the person using the infected computer.

CIP-007 FAQ

slide-121
SLIDE 121

121

  • Documentation of the AV/anti-malware technical and procedural controls in place
  • Evidence of current AV/anti-malware implemented on all cyber assets within the ESP
  • Identification of all Cyber Assets that are unable to run AV/anti-malware
  • Is a TFE submitted?
  • What appropriate compensating controls are in place?
  • Validate real-time scanning is active or performed on an appropriate cycle

[CIP-007-3 R4] Audit Approach – what are we looking for?

slide-122
SLIDE 122

122

  • Validate that users cannot disable the AV/anti-malware, or have an alert mechanism to monitor for it
  • Validate that signature updates are being performed on a regular basis after defined testing is performed
  • Evidence that AV alerts are generated and notification is performed
  • Evidence of defined procedures to respond to virus or malware alerts

[CIP-007-3 R4] Audit Approach – what are we looking for?

slide-123
SLIDE 123

123

  • Provide evidence of current running AV application version and AV signature version on the following devices [sample list]

[CIP-007-3 R4] Typical Data Requests

slide-124
SLIDE 124

124

[CIP-007-3 R4] Interview Topics

  • Describe your AV/anti-malware technical and procedural controls
  • Is the AV/anti-malware application at the current release version?
  • What is the testing and approval process for AV signature updates?
  • How current are the signature files? How long of a delay between release and implementation?
  • How often is the application updated?
  • Are “Application Whitelist” techniques used?

slide-125
SLIDE 125

125

Application Whitelisting Defined

  • What is Application Whitelisting?
  • Proactive security technique where only a limited set of approved programs are allowed to run
  • All other programs (including most malware) are blocked from running by default
  • Blocks most current malware if maintained
  • Performance overhead hit to enforce list

slide-126
SLIDE 126

126

R4 Audit Evidence

slide-127
SLIDE 127

127

R4 AV/Anti-Malware Status

slide-128
SLIDE 128

128

R4 AV/Anti-Malware Status

slide-129
SLIDE 129

129

R4 AV/Anti-Malware Status

slide-130
SLIDE 130

130

  • …shall establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access.
  • Default and Shared accounts
  • Logs sufficient to uniquely identify individual – audit trail
  • Passwords
  • Compensating measures
  • TFE

CIP-007-3 R5 – Account Management

slide-131
SLIDE 131

131

  • Evidence of active management of all user accounts
  • Operating system user accounts
  • Local user accounts
  • Ensure all cyber assets are included
  • Shared and default accounts
  • Evidence of a documented authorization and review process
  • Access authorization – appropriate reviews and authorized approvals
  • Revocation – documentation of system access removal
  • Appropriate access rights – reviewed and approved – systems, roles

[CIP-007-3 R5] Audit Approach – what are we looking for?

slide-132
SLIDE 132

132

  • Evidence of logging of all user access for security events
  • successful/unsuccessful logins (wrong passwords, no valid access rights, etc.)
  • Evidence of changing the shared user account password when the approved shared user list changes
  • Evidence that password complexity enforcement is enabled where technically feasible
  • Reviews performed of all users and associated access rights at least annually (bookend requirement)
  • Evidence of a TFE when you cannot enforce full password complexity requirements

[CIP-007-3 R5] Audit Approach – what are we looking for? [continued]

slide-133
SLIDE 133

133

  • CIP-007 R5 Technical and Procedural System Access and Password Controls

CAN-0017

http://www.nerc.com/files/CAN-0017%20CIP-007%20Technical%20and%20Procedural%20System%20Access%20and%20Password%20Controls%20(Revised).pdf

slide-134
SLIDE 134

134

  • CIP-007 R5 Technical and Procedural System Access and Password Controls
  • Procedural controls alone insufficient
  • Must technically enforce
  • TFE if you cannot technically enforce
  • File TFE by end of Q1 if needed
  • R5.3.1 & R5.3.3
  • Similar to 5.3.2 filing

CAN-0017

http://www.nerc.com/files/CAN-0017%20CIP-007%20Technical%20and%20Procedural%20System%20Access%20and%20Password%20Controls%20(Revised).pdf

slide-135
SLIDE 135

135

  • Provide shared/default account management process
  • Provide the account validation report for the following devices….
  • Provide evidence identifying those individuals with access to shared accounts on Cyber Assets
  • Provide evidence of audit trail for use of shared accounts to establish specific identity of user accessing shared accounts
  • Provide evidence of required password policy configuration
  • Provide evidence of the annual password change

[CIP-007-3 R5] Typical Data Requests

slide-136
SLIDE 136

136

  • Provide evidence of individual user account access activity (logs) as required by CIP‐007 R5.1.2 (audit trails)
  • Provide a list of transferred and terminated personnel, including non-employees, who had access to shared user accounts during the audit period.
  • Provide evidence of access removal (change control documentation) of the above personnel from shared access list

[CIP-007-3 R5] Typical Data Requests [continued]

slide-137
SLIDE 137

137

[CIP-007-3 R5] Typical Interview Questions

  • Describe the account management process
  • How are Shared accounts managed?
  • How is a user audit trail created while using shared accounts to ensure a specific user is associated with the shared account activity?
  • Have all passwords been changed at least annually?
  • How do you determine and restrict “need to know” access?

slide-138
SLIDE 138

138

Question: What is the concept of “need to know” with respect to work functions performed? Answer: The authorized requirement of a person to know, access, or possess information that is necessary for the performance of an authorized, assigned job responsibility

CIP-007 FAQ

slide-139
SLIDE 139

139

  • User Access Request form
  • Shared Account List
  • Last password change report per user account
  • User access logs
  • Group password policy

R5 Audit Evidence Examples

slide-140
SLIDE 140

140

User Access Request Form

slide-141
SLIDE 141

141

Shared Account List (R5.2.2)

slide-142
SLIDE 142

142

Accounts Implemented as Approved? (R5.1.1)

slide-143
SLIDE 143

143

Accounts Implemented as Approved? (R5.1.1)

slide-144
SLIDE 144

144

Shared Account Manual Logs (R5.2.3)

slide-145
SLIDE 145

145

User Access Log (R5.1.2)

slide-146
SLIDE 146

146

R5 Evidence

slide-147
SLIDE 147

147

R5 Evidence (R5.3.2)

slide-148
SLIDE 148

148

  • …shall ensure that all Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security.
  • Monitor security events
  • Alerts
  • Logs
  • Review - documented

CIP-007-3 R6 – Security Status Monitoring

slide-149
SLIDE 149

149

  • Evidence that all cyber assets within the ESPs are enabled for logging (if feasible) security events
  • Is a central Syslog server implemented aggregating device logs – easier to review
  • Security Information and Event Management (SIEM) (provides logging, monitoring and alerts)
  • Using TCP or UDP or a combination?
  • Ensure OS and critical application logs are included in logging
  • Procedures to ensure the logs are being reviewed on every device or aggregation device (SIEM, syslog, etc.).

[CIP-007-3 R6] Audit Approach – what are we looking for?

slide-150
SLIDE 150

150

  • Automated or procedural processes (or combination) for monitoring
  • Log reviews must be documented (who, system, date, findings, response)
  • Evidence of ability to detect and respond to security related events
  • Documented response requirements for security alerts – unauthorized access attempts
  • Evidence of logging and alerts by all cyber assets (except TFE)
  • Monitored security events should include failed access attempts, anti-virus and anti-malware alerts, etc.
  • Provide 90 days of security logs

[CIP-007-3 R6] Audit Approach – what are we looking for? [continued]
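An added example (not from the deck) of the two R6 checks the lists above ask about: that failed-access events are actually detected and alerted on, and that logs reach back the required 90 days. The sample lines are constructed syslog entries in the shape of sshd messages from an EMS host and IOS login messages from a router; hostnames, addresses, the 3-failures-in-5-minutes alert threshold and the log year are all assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

LOG_YEAR = 2012  # assumption: classic syslog timestamps carry no year

# Constructed sample of lines as received by a central syslog server.
SAMPLE_LOG = """\
Jan  5 02:11:04 ems1 sshd[2231]: Failed password for invalid user admin from 172.16.105.77 port 50212 ssh2
Jan  5 02:11:06 ems1 sshd[2231]: Failed password for invalid user admin from 172.16.105.77 port 50212 ssh2
Jan  5 02:11:09 ems1 sshd[2231]: Failed password for invalid user admin from 172.16.105.77 port 50212 ssh2
Jan  5 02:11:12 ems1 sshd[2231]: Failed password for root from 172.16.105.77 port 50213 ssh2
Jan  5 02:11:14 ems1 sshd[2231]: Failed password for root from 172.16.105.77 port 50213 ssh2
Feb 14 09:30:41 ems1 sshd[4410]: Failed password for opsuser from 172.16.105.200 port 41822 ssh2
Feb 14 09:30:55 ems1 sshd[4410]: Accepted password for opsuser from 172.16.105.200 port 41822 ssh2
Mar 30 16:02:17 rtr1 101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 172.16.105.77] [localport: 22] [Reason: Login Authentication Failed]
Apr  1 11:45:03 rtr1 102: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: opsuser] [Source: 172.16.105.201] [localport: 22]
"""

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
SSH_RE = re.compile(
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
IOS_RE = re.compile(
    r"LOGIN_(?P<outcome>FAILED|SUCCESS): .*?\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]")


@dataclass
class Event:
    ts: datetime
    host: str
    outcome: str          # "failed", "success" or "other"
    user: str = ""
    src: str = ""


@dataclass
class Alert:
    host: str
    src: str
    count: int            # failures inside the busiest window
    first: datetime       # start of that window


def parse_log(text: str) -> List[Event]:
    """Turn raw syslog lines into events, classifying login outcomes."""
    events: List[Event] = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        hit = SSH_RE.search(m["msg"]) or IOS_RE.search(m["msg"])
        if hit:
            outcome = "failed" if hit["outcome"] in ("Failed", "FAILED") else "success"
            events.append(Event(ts, m["host"], outcome, hit["user"], hit["src"]))
        else:
            events.append(Event(ts, m["host"], "other"))
    return events


def failed_login_bursts(events: List[Event], threshold: int = 3,
                        window: timedelta = timedelta(minutes=5)) -> List[Alert]:
    """Alert when one source produces `threshold` or more failed logins against one
    host inside `window`; reports the busiest window per (host, source) pair."""
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for e in events:
        if e.outcome == "failed":
            by_pair[(e.host, e.src)].append(e.ts)
    alerts: List[Alert] = []
    for (host, src), times in sorted(by_pair.items()):
        times.sort()
        best, best_start, start = 0, times[0], 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > best:
                best, best_start = end - start + 1, times[start]
        if best >= threshold:
            alerts.append(Alert(host, src, best, best_start))
    return alerts


def retention_coverage(events: List[Event], as_of: datetime,
                       days: int = 90) -> Tuple[Optional[datetime], bool]:
    """R6.4: logs must be kept 90 days. Returns the oldest entry present and
    whether it reaches back at least `days` before `as_of`."""
    if not events:
        return None, False
    oldest = min(e.ts for e in events)
    return oldest, oldest <= as_of - timedelta(days=days)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in failed_login_bursts(evs):
        print(f"ALERT {a.host}: {a.count} failed logins from {a.src} starting {a.first}")
    print("retention:", retention_coverage(evs, datetime(2012, 4, 2, 12, 0)))
```

On the sample only the burst of five failures against ems1 from 172.16.105.77 crosses the threshold; the single failures from the operator host and against the router do not. The retention check against 2 April 2012 fails because the oldest entry is 5 January, two days short of the 90-day window, which is the kind of gap the "provide 90 days of security logs" request surfaces.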

slide-151
SLIDE 151

151

  • Review of initial evidence provided by BPC did not include any proof of performance for Alerts – manual or automatic
  • Entity states that all devices within ESP are configured to log to syslog or LogRhythm servers
  • Log reviews are performed at the syslog and LogRhythm servers

R6 Audit Initial Evidence

slide-152
SLIDE 152

152

User Access Log [sample]

slide-153
SLIDE 153

153

  • Provide evidence that all cyber assets security monitoring logs are enabled. [sample list]
  • Provide list of TFEs and related devices that cannot meet the R6 requirements
  • Provide evidence of security event logging for [period of time] – failed logins, etc.
  • Provide security alerts and alert contact list for [period of time]
  • Provide evidence that the review of logs of system events related to Cyber Security have been occurring as required in CIP-007 R6.5
  • Provide evidence that logs related to security monitoring have been retained for 90 days. (CIP‐007 R6.4)

[CIP-007-3 R6] Typical Data Requests

slide-154
SLIDE 154

154

[CIP-007-3 R6] Typical Interview Questions

  • Describe the Logging and Monitoring tools and procedures
  • Describe the Alerting tools and response procedures – triggers, who receives, what response required, escalation
  • Storage and archival procedures for logs – both 90 day and 3 year requirements

slide-155
SLIDE 155

155

#show run
…
no logging
ip http server
!
access-list 23 permit 172.16.105.200 0.0.0.0
access-list 23 permit 172.16.105.201 0.0.0.0
!
line vty 5 15
 transport input ssh
!
 access-class 23 in
!
no logging console
debug condition interface
no snmp-server
ntp-server 172.16.105.88
...

Manual Review of Configs [logging]

slide-156
SLIDE 156

156

Log Review Evidence

slide-157
SLIDE 157

157

R6 System Log Review

slide-158
SLIDE 158

158

  • …shall establish and implement formal methods, processes, and procedures for disposal or redeployment of Cyber Assets within the Electronic Security Perimeter(s) as identified and documented in Standard CIP-005-3.

CIP-007-3 R7 – Disposal & Redeployment

slide-159
SLIDE 159

159

  • Documentation of the process and procedures to ensure that CIP utilized data and devices are “wiped” prior to leaving PSP controls
  • Evidence that data is securely wiped or drives physically destroyed, prior to leaving CIP controlled area
  • Evidence that all data is securely wiped prior to reuse (multi-pass wipe)
  • Physically destroying media may be simplest method
  • Deleting data is not adequate
  • Evidence that accurate records are kept for every CIP device removed from ESPs – process followed
  • The records must identify the device and where stored (securely) or how, when, and by whom the data was destroyed

[CIP-007-3 R7] Audit Approach – what are we looking for?

slide-160
SLIDE 160

160

  • Paragraph 81 regarding CIP-007-3 R7.3
  • Pending retirement
  • Encouraged to retain information pending FERC approval
  • P81 does not mean record retention not required
  • Entity still required to maintain records that demonstrate compliance for R7.1 & R7.2
  • R7.3 was redundant
  • http://www.nerc.com/pa/comp/Resources/ResourcesDL/Guidance_for_Compliance_Monitoring_and_Enforcement_pending_retirement_pursuant_to_Paragraph_81_040913.pdf

[CIP-007-3 R7] Audit Approach – what are we looking for?

slide-161
SLIDE 161

161

  • Entity stated in their RSAW that only one applicable cyber asset redeployment or destruction event occurred during the audit period
  • No BPC evidence was provided to substantiate the statement
  • Attestation from 3rd party provided

R7 Audit Initial Evidence

slide-162
SLIDE 162

162

Willie’s Data Destruction attestation

slide-163
SLIDE 163

163

  • Provide evidence of data destruction of any devices removed from ESP
  • Describe security controls for the storage of removed media that has not been destroyed
  • Provide evidence of disposal and or redeployment for all Cyber Assets within the ESP(s) for [dates].
  • If no disposal or redeployment has occurred [dates], provide an attestation of this fact.

[CIP-007-3 R7] Typical Data Requests

slide-164
SLIDE 164

164

Willie’s Data Destruction

slide-165
SLIDE 165

165

[CIP-007-3 R7] Typical Interview Questions

  • Describe the process for the destruction or redeployment of cyber assets
  • What tools are used for wiping or destroying media?
  • Is there a defined location where devices are stored prior to wipe/destruction?
  • What controls are in place for the storage location?
  • Do you outsource the destruction or wipe of media?
  • If so, what processes and controls are in place?

slide-166
SLIDE 166

166

R7 Destruction of Data Form

slide-167
SLIDE 167

167

CIP-007-3 R8 – Cyber Vulnerability Assessment

http://www.haaretz.com/business/cutting-remarks-israel-electric-will-send-brownout-alerts-by-sms-online-1.450043

slide-168
SLIDE 168

168

  • …shall perform a cyber vulnerability assessment of all Cyber Assets within the Electronic Security Perimeter at least annually.
  • Documented process
  • Ports and services
  • Default accounts
  • Documented results
  • Remediation/Mitigation plan

CIP-007-3 R8 – Cyber Vulnerability Assessment

slide-169
SLIDE 169

169

  • Documentation of the annual vulnerability assessment process. The process must include:
  • assessment of open ports and services (R8.2)
  • assessment of default accounts (R8.3)
  • Results of the assessment must be documented – detailed evidence available (R8.4)
  • Documentation of the action plan for identified vulnerabilities
  • Evidence of performance of the action plan and current update status
  • Manual assessment is acceptable (procedures must be documented and include R8 sub-requirements)

[CIP-007-3 R8] Audit Approach – what are we looking for?

slide-170
SLIDE 170

170

  • Evidence should demonstrate that the CVA was performed according to the defined process
  • Electronic or manual review
  • Bookend evidence – previous year's assessment and mitigation plan
  • Evidence of action plan to mitigate high risk vulnerabilities and progress of that action plan
  • Evidence of “execution status” of action plan
  • Dates, progress, documentation, tracking

[CIP-007-3 R8] Audit Approach – what are we looking for? [continued]

slide-171
SLIDE 171

171

R8 Evidence – Nessus Summary

slide-172
SLIDE 172

172

Nessus Summary

slide-173
SLIDE 173

173

2012 Cyber Vulnerability Assessment

slide-174
SLIDE 174

174

  • Provide 2012 and 2011 cyber vulnerability assessment report
  • Provide detailed (RAW DATA) vulnerability assessment results for the following specific Cyber Assets, EACMs and PACS [sample list]
  • Provide mitigation plan and results (current status) for previous annual CVA
  • Provide action Plan and current status

[CIP-007-3 R8] Typical Data Requests

slide-175
SLIDE 175

175

[CIP-007-3 R8] Typical Interview Questions

  • Describe the vulnerability assessment process
  • Who performs the assessment? Is the assessment performed in-house or outsourced?
  • Does the assessment include all cyber assets in all ESPs? – specific addresses or entire networks
  • Describe procedures/tools utilized to identify open ports/services and user accounts
  • Is there a baseline to compare ports/services and user accounts with?

slide-176
SLIDE 176

176

2012 Cyber Vulnerability Assessment

slide-177
SLIDE 177

177

2012 BPC CVA

slide-178
SLIDE 178

178

2012 BPC CVA

slide-179
SLIDE 179

179

2012 CVA- HMI1 Software Vulnerability

Security vulnerability – exploit available to execute arbitrary code.
http://www.exploit-db.com/exploits/15957/ – Exploit Title: KingView 6.53 SCADA HMI Heap Overflow PoC, 9/28/2010
http://www.exploit-db.com/exploits/16936/ – Exploit Title: KingView 6.5.3 SCADA ActiveX, TCP 777

slide-180
SLIDE 180

180

#show run
…
no logging
ip http server
!
access-list 23 permit 172.16.105.200 0.0.0.0
access-list 23 permit 172.16.105.201 0.0.0.0
!
line vty 5 15
 transport input telnet
 login
 password ***********
!
 access-class 23 in
!
no logging console
debug condition interface
no snmp-server
ntp-server 172.16.105.88
...

Manual Vulnerability Assessment
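The three configuration excerpts reviewed by hand on slides 107, 155 and 180 (ports/services, logging, and the Telnet finding above) can be checked the same way by a script. The following Python is an added example, not part of the training deck or any NERC/WECC tool; the two IOS-style configurations are constructed to mirror the slides (one as found, one remediated), and the mapping of each check to an R-number is the example's own interpretation.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed IOS-style configuration mirroring the slide excerpts
# (HTTP server on, logging off, Telnet and a line password on vty 5-15).
SAMPLE_CONFIG = """\
!
no logging
ip http server
!
access-list 23 permit 172.16.105.200 0.0.0.0
access-list 23 permit 172.16.105.201 0.0.0.0
!
line vty 0 4
 access-class 23 in
 transport input ssh
line vty 5 15
 access-class 23 in
 login
 password REDACTED
 transport input telnet
!
no logging console
no snmp-server
ntp server 172.16.105.88
"""

# The same device after remediation (constructed): syslog destination set,
# HTTP off, SSH only, per-user authentication on every vty line.
HARDENED_CONFIG = """\
!
logging host 172.16.105.90
no ip http server
!
access-list 23 permit 172.16.105.200 0.0.0.0
access-list 23 permit 172.16.105.201 0.0.0.0
!
line vty 0 15
 access-class 23 in
 login local
 transport input ssh
!
no snmp-server
ntp server 172.16.105.88
"""


@dataclass
class Finding:
    requirement: str   # CIP-007-3 requirement the check is mapped to (this example's mapping)
    where: str         # "global" or the line section the finding belongs to
    message: str


def parse_sections(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global commands and indented 'line ...' sections."""
    global_cmds: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" "):            # indented: belongs to the open section
            if current is not None:
                sections[current].append(raw.strip())
            continue
        line = raw.rstrip()
        if line.startswith("line "):       # "line vty 5 15", "line con 0", ...
            current = line
            sections[current] = []
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, sections


def review_config(config: str) -> List[Finding]:
    """Apply the manual-review checklist from the slides to one configuration."""
    global_cmds, sections = parse_sections(config)
    findings: List[Finding] = []
    if "ip http server" in global_cmds:
        findings.append(Finding("R2", "global",
            "ip http server enabled: justify on the required ports/services list or disable"))
    if "no logging" in global_cmds:
        findings.append(Finding("R6", "global",
            "logging disabled (no logging): security events are not recorded"))
    elif not any(re.match(r"logging (host |\d+\.)", g) for g in global_cmds):
        findings.append(Finding("R6", "global", "no remote syslog destination configured"))
    for name, body in sections.items():
        if not name.startswith("line vty"):
            continue
        for cmd in body:
            if cmd.startswith("transport input") and {"telnet", "all"} & set(cmd.split()):
                findings.append(Finding("R8", name,
                    f"'{cmd}': cleartext Telnet management enabled; restrict to ssh"))
        if not any(cmd.startswith("access-class") for cmd in body):
            findings.append(Finding("R2", name,
                "no access-class: management access not limited to approved hosts"))
        if "login" in body and any(cmd.startswith("password") for cmd in body):
            findings.append(Finding("R5", name,
                "shared line password (login + password): no per-user accountability; use login local or AAA"))
    return findings


if __name__ == "__main__":
    for f in review_config(SAMPLE_CONFIG):
        print(f"[{f.requirement}] {f.where}: {f.message}")
```

Against the as-found configuration the script reports the HTTP server (R2), disabled logging (R6), and on vty 5-15 both the Telnet transport (R8) and the shared line password (R5); vty 0-4, which is SSH-only behind access-class 23, is clean, and the remediated configuration yields no findings.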

slide-181
SLIDE 181

181

EMS1 Baseline Evidence

slide-182
SLIDE 182

182

Account Name :Administrator
The Administrator account is an ADMINISTRATOR, and the password was changed 1207 days ago.
This account has been used 70 times to logon.
The default Administrator account has not been renamed.
Comment :Built-in account for administering the computer/domain

Account Name :bill
The ubill account is an ADMINISTRATOR, and the password was changed 548 days ago.
This account has been used 0 times to logon.
Comment :auto-logon account

Account Name :billiam
The billiam account is an ADMINISTRATOR, and the password was changed 548 days ago.
This account has been used 233 times to logon.
Comment :shared account

CIS Scan results [Local Account Results]

WARNING Administrator's password is blank
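An added example (not the deck's or any scanner's code) that parses the local-account scan excerpt above and applies the R5 checks this section describes: blank and year-old passwords, an un-renamed default Administrator, a never-used privileged account, and shared/auto-logon accounts that need an approved user list and an audit trail. The sample text is reconstructed from the three HMI-1 accounts on the slide; the 365-day threshold follows the annual password change expectation.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the layout of the local-account scan shown on the slide.
ACCOUNT_SCAN = """\
Account Name :Administrator
The Administrator account is an ADMINISTRATOR, and the password was changed 1207 days ago.
This account has been used 70 times to logon.
The default Administrator account has not been renamed.
Comment :Built-in account for administering the computer/domain
WARNING Administrator's password is blank
Account Name :bill
The bill account is an ADMINISTRATOR, and the password was changed 548 days ago.
This account has been used 0 times to logon.
Comment :auto-logon account
Account Name :billiam
The billiam account is an ADMINISTRATOR, and the password was changed 548 days ago.
This account has been used 233 times to logon.
Comment :shared account
"""

MAX_PASSWORD_AGE_DAYS = 365   # passwords changed at least annually (R5.3.3)

PRIV_RE = re.compile(r"is an? (?P<priv>[A-Z]+), and the password was changed (?P<age>\d+) days ago")
LOGON_RE = re.compile(r"used (?P<n>\d+) times to logon")


@dataclass
class Account:
    name: str
    privilege: str = ""
    password_age_days: int = -1
    logons: int = -1
    default_not_renamed: bool = False
    blank_password: bool = False
    comment: str = ""


def parse_account_scan(text: str) -> List[Account]:
    """One Account per 'Account Name :' block of the scan output."""
    accounts: List[Account] = []
    for block in re.split(r"^Account Name :", text, flags=re.M)[1:]:
        lines = block.strip().splitlines()
        acct = Account(name=lines[0].strip())
        for line in lines[1:]:
            m = PRIV_RE.search(line)
            if m:
                acct.privilege = m["priv"]
                acct.password_age_days = int(m["age"])
            m = LOGON_RE.search(line)
            if m:
                acct.logons = int(m["n"])
            if "has not been renamed" in line:
                acct.default_not_renamed = True
            if "password is blank" in line:
                acct.blank_password = True
            if line.startswith("Comment :"):
                acct.comment = line[len("Comment :"):].strip()
        accounts.append(acct)
    return accounts


def review_accounts(accounts: List[Account]) -> List[Tuple[str, str]]:
    """(account, finding) pairs for the R5 checks an auditor applies to the scan."""
    findings: List[Tuple[str, str]] = []
    for a in accounts:
        if a.blank_password:
            findings.append((a.name, "blank password on a privileged account"))
        if a.password_age_days > MAX_PASSWORD_AGE_DAYS:
            findings.append((a.name, f"password last changed {a.password_age_days} days ago; "
                                     f"annual change required (R5.3.3)"))
        if a.default_not_renamed:
            findings.append((a.name, "default account not renamed: remove, disable or rename (R5.2)"))
        if a.privilege == "ADMINISTRATOR" and a.logons == 0:
            findings.append((a.name, "privileged account never used: remove or disable"))
        if re.search(r"shared|auto-logon", a.comment, re.I):
            findings.append((a.name, "shared/auto-logon account: approved user list and "
                                     "per-user audit trail required (R5.2.2, R5.2.3)"))
    return findings


if __name__ == "__main__":
    for name, msg in review_accounts(parse_account_scan(ACCOUNT_SCAN)):
        print(f"{name}: {msg}")
```

All three accounts fail the annual password change; Administrator additionally has a blank password and keeps its default name, bill is an administrator-level auto-logon account that has never logged on, and billiam is the shared account for which the R5.2.2 list and R5.2.3 manual log shown later in this section are the expected evidence.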

slide-183
SLIDE 183

183

Nessus Results – Services

slide-184
SLIDE 184

184

3rd Party CVA Sample – 1 host

slide-185
SLIDE 185

185

CIP-007-3 R2.1. The Responsible Entity shall enable only those ports and services required for normal and emergency operations.

BPC mitigation plan – There is work in progress within BPC as well as from current vendors to document correct Ports/Services required. The vendor will be on-site in March to assist with the finalization of this effort. Expected completion of the definitions for each host/group of hosts, to be completed June 30, 2012.

CIP-007-3 R2.2. The Responsible Entity shall disable other ports and services, including those used for testing purposes, prior to production use of all Cyber Assets inside the Electronic Security Perimeter(s).

BPC mitigation plan – After the completion of the R2.1 mitigation plan BPC will begin a validation and change process to ensure that all systems within the ESPs have the approved ports and services configured and un-needed ports/services disabled or removed. The expected completion date for this effort will be by September 31, 2012.

R8 BPC Mitigation Plan

slide-186
SLIDE 186

186

R8 Mitigation Plan

http://www.dsd.gov.au/images/top35-table-2012.png

slide-187
SLIDE 187

187

  • …shall review and update the documentation specified in Standard CIP-007-3 at least annually.
  • Evidence of review
  • Changes documented within 30 days

CIP-007-3 R9 – Documentation Review and Maintenance

slide-188
SLIDE 188

188

  • Provide evidence that all required documentation has been reviewed and approved at least annually
  • Test procedures (R1)
  • Process to ensure only required ports and services are open (R2)
  • Security patch management program (R3)
  • AV/Anti-malware tools and test/implementation procedures (R4)
  • Account management procedures and controls (R5)
  • Security event monitoring procedures (R6)
  • Disposal/redeployment procedures (R7)
  • Vulnerability assessment process (R8)

[CIP-007-3 R9] Audit Approach – what are we looking for?

slide-189
SLIDE 189

189

  • Evidence includes signed and dated reviews of the documents
  • Bookend is required – evidence of the last two reviews
  • Evidence that document changes are updated within 30 days of changes
  • Differentiate between a review and an update

[CIP-007-3 R9] Audit Approach – what are we looking for?

SLIDE 190

  • Provide evidence of annual review bookend – evidence for previous year review
  • Provide signed reviewed evidence (scanned copy) for the following documentation [list of documents with no review evidence]

[CIP-007-3 R9] Typical Data Requests

SLIDE 191

[CIP-007-3 R9] Typical Interview Questions

  • How do you ensure that documentation is updated within 30 days of a change?
  • Describe the review process
  • Describe the documentation change process – communications, controls, etc.

SLIDE 192

Sample R9 Evidence

SLIDE 193

R9 Review Form Details

SLIDE 194

  • We work as a team to improve the reliability of the BES. We (WECC and you) each play a part in BES reliability and security.
  • Each Registered Entity is responsible for its own security/compliance efforts, not WECC
  • The WECC Cyber Security team will evaluate compliance efforts based on its audit approach
  • We look for evidence that all required processes and procedures are documented and for performance evidence demonstrating compliance

CIP-007-3: CIP101 Summary

SLIDE 195

  • Auditors will request additional evidence as required to demonstrate performance of all requirements
  • It is up to the entity to demonstrate compliance
  • Review data requests from the previous audit to evaluate what evidence was not initially provided and was requested
    • This may assist you with the next audit.
  • The auditors will “trust but verify” the entities’ compliance assertions
  • We look for actual evidence (documentation, logs, screenshots, direct observation, interviews, certifications, configuration, test responses, etc.)

CIP-007-3: CIP101 Summary

SLIDE 196

  • We will keep looking until we have ‘reasonable assurance’ of acceptable performance or possible violation
  • However, the audit does have a closing time limit for the finding call to be made
  • Auditors use a consensus approach for all findings – no one auditor can make a finding without a team consensus
  • No evidence can be generated during the audit; however, evidence can be aggregated or rearranged for ease of presentation or in response to a data request

CIP-007-3: CIP101 Summary [continued]

SLIDE 197

  • Review of WECC audit approach by the auditors for each CIP-007-3 requirement
  • Review of ‘Billiam’ Evidence
  • Sample Data Requests
  • Sample Interview questions
  • Discussion and interactive audit of requirements

Mock Audit Approach Summary

SLIDE 198

Wally Magda, CISSP, PSP, CISA Compliance Auditor - Cyber Security Western Electricity Coordinating Council (WECC) wmagda@wecc.biz Phone: 385-227-0724

Thank You! Any Questions?

Eric Weston Compliance Auditor, Cyber Security Western Electricity Coordinating Council (WECC) eweston@wecc.biz Phone: 801-819-7630