logical ports and services
play

Logical Ports and Services David Sopata 4/14/2016 Agenda High - PowerPoint PPT Presentation

Mar 12, 2024 •377 likes •836 views

Logical Ports and Services David Sopata 4/14/2016 Agenda High level methodology and tips from a recovering CIP Auditor on how to: Identify Ports and Services for BES Cyber Systems and/or Assets CIP-007-6 Justifying the use of Ports

  1. Logical Ports and Services David Sopata 4/14/2016

  2. Agenda  High level methodology and tips from a recovering CIP Auditor on how to: • Identify Ports and Services for BES Cyber Systems and/or Assets CIP-007-6 • Justifying the use of Ports and Services CIP-007-6 • Incorporating the information into a baseline CIP-010-2 • Monitoring the Baseline CIP-010-2, CIP-008-5 2 Forward Together • ReliabilityFirst

  3. A little bit about me…  I am a recovering CIP Auditor  I love technology  I enjoy helping others  I’m not afraid of a terminal  I enjoy learning from others  I consider myself a process improvement hacker  I also enjoy memes! 3 Forward Together • ReliabilityFirst

  4. WARNING!!!!  I might just get silly and talk about things outside of the standards. However, these would be the next maturity step towards good practice.  Also… 4 Forward Together • ReliabilityFirst

  5. CIP-007-6 Part 1.1 Asset Level Requirement, High and Medium Impact 5 Forward Together • ReliabilityFirst

  6. CIP-007-6 R1.1  CIP-007-6 R1.1: Protecting Logical Port s • This is similar to CIP-007-3 R2 • This includes: ‒ All enabled logical ports that are generally associated with “layer 4” of the OSI Network model on BES Cyber Assets/other cyber assets. ‒ “windows services” for Windows environments or PID for the “*nix” type environments. • Other appliances/devices may call this something different. 6 Forward Together • ReliabilityFirst

  7. CIP-007-6 R1.2  CIP-007-7-6 R1.2: Protecting Physical Ports • Additional documentation in the key Lessons Learned and FAQs • This includes ‒ Disabling all unnecessary input/output ports on BES Cyber Assets i.e. (Ethernet, Serial, USB, and/or other common/proprietary ports) ‒ This is to try to prevent plugging in unauthorized removable storage, and/or transient devices  This can be accomplished through logical and physical means of disabling the ports and through signage . 7 Forward Together • ReliabilityFirst

  8. 8 Forward Together • ReliabilityFirst

  9. CIP-007-6 R1.1 Evidence/Audit Approach  Need to provide one or more documented processes for disabling or restricting ports  Need a complete list of EACMS, PACS, and PCA that are included in your High and Medium BES Cyber Systems.  Need to provide a list/document of what is needed and/or a baseline of ports that are used and what services they are tied to for ALL Cyber Assets included in your High and Medium BES Cyber Systems. • This can be shown through: ‒ Command Line output such as “netstat –boan” for Windows or “netstat – pault” for *nix ‒ Configuration files ‒ Vendor/third-party device configuration/policy management tools and reports  Bottom Line, need to see ports and protocols tied to a program/PID that are listening/active, and justified! 9 Forward Together • ReliabilityFirst

  10. CIP-007-6 R1.1 Evidence/Audit Approach  Need to provide how these baselines are being enforced for ALL BES Cyber Assets. • This can be shown through: ‒ Vendor/third-party device configuration/policy management tools ‒ Device-level/host-based firewalls systems/tools  “Where technically feasible,” indicates that if a BES Cyber Asset can not enforce/restricts these ports and services, TFEs may be required.  As always… go to the vendor documentation and/or vendor for guidance. 10 Forward Together • ReliabilityFirst

  11. 11 Forward Together • ReliabilityFirst

  12. Need to start at our foundation!!!  This all starts at CIP-002-5 • Need to start with how BES Cyber assets make up the BES Cyber Systems ‒ It may be found that there could be some better logical grouping of assets. • Remember, Entities have the ability to slice and dice BES Cyber System assets however they see fit. It can even be different between standards and requirements. * * In order to survive CIP-010-2 baselines, it has to get down to the Cyber Asset Level.  Now that we have our foundation, we can now start digging around and start poking cyber assets right?... 12 Forward Together • ReliabilityFirst

  13. We Research! 13 Forward Together • ReliabilityFirst

  14. Sources to start the search  Vendor Documentation • The best place to start is with the vendor documentation for your BES Cyber System and specific BES Cyber Assets i.e. EMS, DCS, ICS, SCADA systems • Some vendors realize this need, and are providing a list of needed ports and services required to run the system. Some don’t…  Other outside sources might be needed or we may need to do some technical device interrogation. (I hope in a lab!) 14 Forward Together • ReliabilityFirst

  15. Sources to start the search cont.  Other Vendor documentation • Hardware/Software vendors generally have marketing and/or technical manuals that show capabilities, what ports and protocols are available, and even example configurations and/or configuration options.  Third-party baselines • In addition to vendor documentation, there are also some suggested best practice baselines such as ‒ NIST Special Publications (NIST-SP-800-XXX) (some are device specific, but most are more general best practice) ‒ SANS Institute (some are device specific, but most are more general best practice) ‒ Center for Internet Security (CIS)* baselines and benchmarks (device specific, line-by- line configuration)  * Caution!…. There will be a need to modify these baselines to meet your environment!!!! 15 Forward Together • ReliabilityFirst

  16. Sources to start the search cont.  What if I have Cyber Assets or programs that can’t be found in these sources or the vendor site is not easy to navigate? 16 Forward Together • ReliabilityFirst

  17. Search Engine Hacking  Known as “Google Hacking” or “Google Dorking” • These are general terms. You can use your favorite search engine.  • These techniques are used to search hard to find documents and information, and even vulnerabilities! Aka... Open- source Intelligence (OSTIN) • This is using the built-in operators of the search engine • Example : Google operator search: site:www.url.com – ext:pdf • Google will only search the specific site containing all files ending in .pdf . https://www.ethicalhacker.net/features/book-reviews/google- hacking-ten-simple-security-searches-that-work Google Hacking for Pentesters 3 rd Addition, by Johnny Long 17 Forward Together • ReliabilityFirst

  18. Search Engine Hacking cont.  WayBack machine • http://archive.org/web/ • It’s an internet archive site that allows you to search previously cached webpages from back in the past  User forums… • User forums can be a wealth of information where someone can find problem and/or answers to issues found with different devices.  A word of caution !!!… • Be Careful what you post to these sites!!! People with malicious intent search these sites too! 18 Forward Together • ReliabilityFirst

  19. How do I find Ports and Protocols?  IANA Service Name and Transport Protocol Port Number Registry • http://www.iana.org/assignments/service-names-port- numbers/service-names-port-numbers.xhtml • It’s a great reference of ‒ System Ports ( 0-1023 ) assigned by IETF ‒ User Ports ( 1024-49151 ) assigned by IETF ‒ Dynamic and/or Private Ports ( 49152 – 65535 ) assigned by IANA using the IETF review process ‒ Transport Protocol used (udp/tcp) ‒ RFCXXXX reference of known protocols • This information can be downloaded in many formats. (CVS, XML, HTML, Plain Text) • Millage will very … Some software/OS vendors take liberties with protocols and do not follow protocols as they were defined in the RFCs. • On that note.. If you want some “light” reading it’s a good to read through some of the RFCs (Don’t operate heavy machinery while reading.) 19 Forward Together • ReliabilityFirst

  20. Quiz Time…  What are the common port numbers of these protocols commonly found in ESPs? • DNP/DNP3 • MODBUS • HTTP • HTTPS • DNS • NTP • SSH 20 Forward Together • ReliabilityFirst

  21. I found it, now what do I do with it?  STORE THE INFORMATION!!!!  This can help in building a good knowledge base system of your BES Cyber System Assets and other cyber assets  If it took this much time and effort to find it, why would you want to go hunting for it again? Why make someone else hunt for it?  This information can be used in helping to develop your baselines for CIP-010-2, monitoring rules for the SIEM, help new hires understand your systems. etc. 21 Forward Together • ReliabilityFirst

  22. Who’s talking to whom? Why?  What should we know by now? • A list BES Cyber Assets and other associated cyber assets/devices/appliances • The additional programs and services that are running on the assets/devices • Hopefully at this point we only have a subset of assets/devices that are unknown where we would need to do additional technical interrogation.  We should have some rules from CIP-005-5 as a starting point telling us some port ranges. 22 Forward Together • ReliabilityFirst

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

1 May 2006 - the provisional declaration of the BHP Billiton Mt Newman railway line to

1 May 2006 - the provisional declaration of the BHP Billiton Mt Newman railway line to

PORTS AND LANDSIDE LOGISTICS: CHANGING PERSPECTIVES PROFESSOR ROSS ROBINSON A NEW FUNCTIONALITY FOR PORTS? Is there a new role and functionality emerging for ports? And for Australian ports? July 1 2003 The Port Services

295 views • 8 slides
Presentation for 1 - Overview of Ports of Normandy What is Ports of Normandy ? Ports of

Presentation for 1 - Overview of Ports of Normandy What is Ports of Normandy ? Ports of

Presentation for 1 - Overview of Ports of Normandy What is Ports of Normandy ? Ports of Normandy is a public entity jointly created by : - Normandy Region - Calvados, Manche, Seine-Maritime Departments, - Caen, Cherbourg, Dieppe

387 views • 38 slides
Transnet National Ports Authority Tariff Application FY 2015/16 Ports Regulator Roadshows 1 15

Transnet National Ports Authority Tariff Application FY 2015/16 Ports Regulator Roadshows 1 15

Transnet National Ports Authority Tariff Application FY 2015/16 Ports Regulator Roadshows 1 15 22 September 2014 Contents NPA Strategic Focus Aligned to Transnet MDS Functions of the Authority Services within the Ports

639 views • 53 slides
Fertiliser ports in the Baltic Sea co-funded by EU LIFE Programme Fertiliser ports in the Baltic

Fertiliser ports in the Baltic Sea co-funded by EU LIFE Programme Fertiliser ports in the Baltic

Fertiliser ports in the Baltic Sea co-funded by EU LIFE Programme Fertiliser ports in the Baltic Sea Over 70 ports 33 million tons 10 largest ports: Klaipeda, St Petersburg, Gdansk, Gdynia, Szczecin Swinoujscie, Port of

844 views • 68 slides
LATVIAN PORTS PORTS Three main ports of Latvia: Advantages: Freeport of Riga

LATVIAN PORTS PORTS Three main ports of Latvia: Advantages: Freeport of Riga

LATVIAN PORTS PORTS Three main ports of Latvia: Advantages: Freeport of Riga Freeport statuss Freeport of Ventspils Tax advantages for investments Liepaja Special Economic Zone Free land plots available Up to

537 views • 49 slides
UK Ports EFF & EMFF schemes ESPO smaller ports meeting 5 October 2016 Richard Ballantyne

UK Ports EFF & EMFF schemes ESPO smaller ports meeting 5 October 2016 Richard Ballantyne

UK Ports EFF & EMFF schemes ESPO smaller ports meeting 5 October 2016 Richard Ballantyne British Ports Association British Ports Association 100 port members, owning and managing more than 350 ports, harbours and piers around the

415 views • 28 slides
SAUDI INDUSTRIAL SERVICES COMPANY GENERAL ASSEMBLY MEETING PRESENTATION Your Partner in Ports

SAUDI INDUSTRIAL SERVICES COMPANY GENERAL ASSEMBLY MEETING PRESENTATION Your Partner in Ports

SAUDI INDUSTRIAL SERVICES COMPANY GENERAL ASSEMBLY MEETING PRESENTATION Your Partner in Ports & Terminals | Logistics Parks & Services | Water Solutions DISCLAIMER This presentation is strictly confidential and is being shown to you

705 views • 25 slides
OREGON PUBLIC PORTS ASSOCIATION SDAO UPDATE OCTOBER 2018 SDAO AND SDIS SERVICES Consulting

OREGON PUBLIC PORTS ASSOCIATION SDAO UPDATE OCTOBER 2018 SDAO AND SDIS SERVICES Consulting

OREGON PUBLIC PORTS ASSOCIATION SDAO UPDATE OCTOBER 2018 SDAO AND SDIS SERVICES Consulting Services 8 hours free Board Practices Assessment 4% premium credit Board Training & Mediation Organization Assessments

550 views • 31 slides
Ports of Qingdao, Shanghai and Tianjin . Subsidiary for Services and Sales in France at

Ports of Qingdao, Shanghai and Tianjin . Subsidiary for Services and Sales in France at

China : Shandong Province Between Beijing and Shanghai Ports of Qingdao, Shanghai and Tianjin . Subsidiary for Services and Sales in France at Strasbourg. Center of Europe SINCHEM GROUP XINXU HONGTAI SINCHEM SINCERE PET SINCHEM

460 views • 27 slides
SOUTH CAR SOUTH CAROLINA PORTS AUTHORITY OLINA PORTS AUTHORITY HOUSE WAYS AND MEANS ECONOMIC

SOUTH CAR SOUTH CAROLINA PORTS AUTHORITY OLINA PORTS AUTHORITY HOUSE WAYS AND MEANS ECONOMIC

SOUTH CAR SOUTH CAROLINA PORTS AUTHORITY OLINA PORTS AUTHORITY HOUSE WAYS AND MEANS ECONOMIC DEVELOPMENT AND NATURAL RESOURCES SUBCOMMITTEE JANUARY 15, 2020 SC PORTS AUTHORITY SC PORTS AUTHORITY VISION VISION & VA & VALUES LUES

500 views • 20 slides
Terminals Inc. Rediscover the Strength of Americas Inland Rivers Inland Rivers, Ports &

Terminals Inc. Rediscover the Strength of Americas Inland Rivers Inland Rivers, Ports &

Inland Rivers, Ports and Terminals Inc. Rediscover the Strength of Americas Inland Rivers Inland Rivers, Ports & Terminals, Inc. National Trade Association Resource for river-borne services to promote value of system Provide

351 views • 14 slides
Update on EPAs Ports Initiative Army Corps Principal Ports and EPA Regions 1 Overview of

Update on EPAs Ports Initiative Army Corps Principal Ports and EPA Regions 1 Overview of

Update on EPAs Ports Initiative Army Corps Principal Ports and EPA Regions 1 Overview of EPAs Ports Initiative Through EPA tools and assistance in the five program areas, we are accelerating adoption of: Clean air planning

427 views • 23 slides
Expanding Freight on our W Waterways and d Modernizing our Ports Modernizing our Ports U.S.

Expanding Freight on our W Waterways and d Modernizing our Ports Modernizing our Ports U.S.

Expanding Freight on our W Waterways and d Modernizing our Ports Modernizing our Ports U.S. Department of Transportation Maritime Administration May 2014 May 2014 Americas Marine Highways: g y From Concept to Reality!

385 views • 20 slides
The Use of Simulation as a Tool for Developing Resilience of Ports Kamal Achuthan Andrew

The Use of Simulation as a Tool for Developing Resilience of Ports Kamal Achuthan Andrew

The Use of Simulation as a Tool for Developing Resilience of Ports Kamal Achuthan Andrew Grainger (Nottingham University Business School) Taku Fujiyama (Centre for Transport Studies, UCL) Why ports need to be resilient? Ports are critical

221 views • 18 slides
CONDITIONAL EXECUTION: PART 2 yes no x > y? max = y; max = x; logical AND logical OR

CONDITIONAL EXECUTION: PART 2 yes no x > y? max = y; max = x; logical AND logical OR

CONDITIONAL EXECUTION: PART 2 yes no x > y? max = y; max = x; logical AND logical OR logical NOT && || ! Fundamentals of Computer Science I Outline Review: The if-else statement The switch statement A look at

536 views • 25 slides
Time, Clocks, and State Machine Replication Dan Ports, CSEP 552 Todays question How

Time, Clocks, and State Machine Replication Dan Ports, CSEP 552 Todays question How

Time, Clocks, and State Machine Replication Dan Ports, CSEP 552 Todays question How do we order events in a distributed system? physical clocks logical clocks snapshots (break) application: state machine replication

1.06k views • 80 slides
ICANN Update UNGEGN & UNCSGN Patrick Jones 30 July 2012 ICANN ICANN is a global

ICANN Update UNGEGN & UNCSGN Patrick Jones 30 July 2012 ICANN ICANN is a global

ICANN Update UNGEGN & UNCSGN Patrick Jones 30 July 2012 ICANN ICANN is a global organization formed in 1998 to support a multi stakeholder model which coordinates the Internets unique identifier systems for worldwide public

248 views • 10 slides
IPv4 Exhaustion Its almost here so what comes next? Ingrid Wijte | April 2019 | MENOG 19

IPv4 Exhaustion Its almost here so what comes next? Ingrid Wijte | April 2019 | MENOG 19

IPv4 Exhaustion Its almost here so what comes next? Ingrid Wijte | April 2019 | MENOG 19 Sound Familiar? (Headlines from 2012) Ingrid Wijte | MENOG 19 | April 2019 2 Timeline IPv4 exhausted (soft-landing) 14 Sep 2012 3 Feb 2011

758 views • 34 slides
PeeringDB Update Stefan Funke stefan@peeringdb.com Greetings from PeeringDB What is

PeeringDB Update Stefan Funke stefan@peeringdb.com Greetings from PeeringDB What is

PeeringDB Update Stefan Funke stefan@peeringdb.com Greetings from PeeringDB What is PeeringDB? Why should my facility, IXP or network be listed in PeeringDB? A look into PeeringDBs data Austria, Germany, Luxembourg, Switzerland

410 views • 24 slides
Understanding the Clean Truck Litigation Part IV: 4 years, million dollars, and tens of thousand

Understanding the Clean Truck Litigation Part IV: 4 years, million dollars, and tens of thousand

Understanding the Clean Truck Litigation Part IV: 4 years, million dollars, and tens of thousand of pages later... And the driver - IC MC relationship Presented by Cameron W. Roberts & Ted H. Adkinson Roberts & Kehagiaras LLP

585 views • 47 slides
University of Wisconsin System Joni Finney December 4, 2003 1 A Context: The State of Financial

University of Wisconsin System Joni Finney December 4, 2003 1 A Context: The State of Financial

University of Wisconsin System Joni Finney December 4, 2003 1 A Context: The State of Financial Aid in I. America State Financing of Higher Education II. State Financial Aid Options III. The Wisconsin Context IV. Some Suggestions V. 2

444 views • 31 slides
Extraction of Authors Definitions Using Indexed Reference Identification Marc Bertin, Iana

Extraction of Authors Definitions Using Indexed Reference Identification Marc Bertin, Iana

Background Framework Implementation Demo Evaluation Conclusion Extraction of Authors Definitions Using Indexed Reference Identification Marc Bertin, Iana Atanassova and Jean-Pierre Descl es Paris-Sorbonne University, LaLIC Laboratory

531 views • 36 slides
Outcomes of Public Consultation Transition from IPv4 to IPv6 Trilok Dabeesing Director of IT

Outcomes of Public Consultation Transition from IPv4 to IPv6 Trilok Dabeesing Director of IT

Outcomes of Public Consultation Transition from IPv4 to IPv6 Trilok Dabeesing Director of IT ICTA 22 September 2011 Agenda IPv4 consumption in Mauritius 1. Recommendations from Public Consultation exercise 2. Compiled results of technical

448 views • 19 slides
Standard I.C Institutional Integrity I.C: Institutional Integrity How define institutional

Standard I.C Institutional Integrity I.C: Institutional Integrity How define institutional

Standard I.C Institutional Integrity I.C: Institutional Integrity How define institutional integrity? What evidence shows BC is trustworthy? I.C: Institutional Integrity Standard #1: We make sure the information we give is

227 views • 6 slides

More recommend