Two-Part Webinar Part One: MRO Socialization of 2016-02 CIP SDT


SLIDE 1

Brian Kinstad, Sr. Risk Assessment and Mitigation Engineer, MRO

Jay Cribb and Matthew Hyatt, Project 2016-02 CIP Standard Drafting Team Co-Chairs

December 12, 2019

Two-Part Webinar

Part One: MRO Socialization of 2016-02 CIP SDT Draft Virtualization Changes

Part Two: Risk Considerations for BCSI in the Cloud

SLIDE 2

2016-02 CIP SDT Virtualization Timeline

  • 2016-02 CIP Standard Drafting Team nomination: March 2016
  • Unresolved issues (including virtualization) transitioned from CIPv5 Standard Drafting Team: July 2016
  • Virtualization became a dedicated effort in 2017
  • Early virtualization terms developed and socialized through comment request: November 2017
  • Drafts posted for informal comment: December 2018
  • Industry comments addressed through June 2019
  • CIP-005-7 draft + definitions informal posting: September 2019

SLIDE 3

WIFM-What’s in it for Me? (Us?)

Properly configured VLANs get security credit above low impact

Properly configured hypervisors (with policies and affinity rules) can span zones of different trust levels

Super ESP architecture permitted

  • Contiguous logically isolated perimeter that spans disparate geographic locations

SLIDE 4

What’s in it for Me?

Objective-based approaches extended into CIP-007

  • Protections for logical ports on Shared Cyber Infrastructure (SCI–new term) elevated to the service level
  • System hardening and malicious code mitigation relief for Electronic Access Monitoring Systems (EAMS–new term)

CIP-010 baseline administration simplified

  • Baseline and baseline tracking eliminated (shift to change detection). Change management retained.
  • Logical isolation elements added to change management

SLIDE 5

Control Center Today

SLIDE 6

Control Center of Tomorrow

SLIDE 7

Control Center Tomorrow Extended

Post webinar clarification: Example is theoretically possible, but current hypervisor technology does not generally support pinning physical memory and physical CPU cores to specific virtual machines

SLIDE 8

Substation with Medium Impact BCS Today

SLIDE 9

Substation with Medium Impact BCS Tomorrow

SLIDE 10

2016-02 CIP SDT Project Update

Jay Cribb, Matthew Hyatt

Project 2016-02 Co-Chairs

SLIDE 11

BCSI in the Cloud Risk Considerations

SLIDE 12

BCSI in the Cloud Risk Considerations

Risk considerations from a BCSI in the Cloud perspective:

  • Service Level Agreements (SLAs)
  • Protection of data in use
  • Service models
  • Encryption
  • Certifications
  • Data sovereignty
  • Data transformation

SLIDE 13

Service Level Agreements (SLA)

Governance for vendor access to entity data → Risk Neutral, → Risk Increaser if absent

Governance for evidence transmittal for vendor access → Risk Reducer

Vendor program declaration for

  • Encryption or encryption key management processes → Risk Neutral, → Risk Increaser if absent
  • Entity specific data sanitization and disposal methods → Risk Neutral, → Risk Increaser if absent
  • Background verification of vendor personnel → Risk Reducer

Containerization of entity content → Risk Neutral, → Risk Increaser if absent

General entity autonomy → Risk Reducer for full autonomy, → Risk Increaser for none

SLIDE 14

Protection of Data in Use

Three states of electronic data: At Rest, In Transit, In Use

Electronic data in Use

  • Wikipedia: Active data which is stored in a non-persistent digital state… typically in RAM, CPU caches, or registers
  • MRO: Data that is processed in Real-time by a Cyber Asset, and is not at rest or in transit

Data enters ‘in use’ state within vendor infrastructure → Risk Increaser

Access controls for data in use by vendor → Risk Neutral

Cloud hybrid solution on premise → Risk Reducer

Encryption of data in use (homomorphic encryption – future technology) → Risk Reducer

SLIDE 15

Service Models

SaaS (Software as a Service) → Risk Increaser

PaaS (Platform as a Service) → Risk Increaser

IaaS (Infrastructure as a Service) → Risk Increaser?

If service model has tertiary cloud dependencies → Risk Increaser

There is not much risk difference between the service models. All have potential vendor access to data

SLIDE 16

Encryption of Data at Rest or in Transit

Cipher strength (RSA-xxx, SHA-xxx, AES-xxx)

  • If meeting or exceeding current NSA/NIST requirements → Risk Reducer
  • If public vulnerabilities for cipher are known → Risk Increaser

Consider NSA sources and NIST requirements:

  • https://apps.nsa.gov/iaarchive/programs/iad-initiatives/cnsa-suite.cfm
  • https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf

Encryption typically required in cloud environment

  • CIP equivalent physical protections in place of encryption → Risk Neutral
  • Encryption absent and no physical protections → Risk Increaser

SLIDE 17

Certifications

Most certifications or accreditations only offer risk considerations for the underlay

Examples:

  • FedRAMP → Risk Neutral
  • SOC 1 Not applicable, attestational in nature
  • SOC 2 (Type 1, 2)
      ─ If the report describes program (Type 1) and performance (Type 2) adequacies under Security, Processing Integrity, and Confidentiality headings → Risk Neutral
      ─ If report identifies inadequacies → Risk Increaser
  • SOC 3 → Risk Neutral with compliance seal, → Risk Increaser without
  • Other → Risk Neutral; draw comparisons with known certifications
  • Certification absent? → Risk Increaser

SLIDE 18

Data Sovereignty

A consideration related to the potential geographic location of the data

  • Certification or agreement declaration of US Domestic Only → Risk Neutral
  • Certification or agreement declaration of US or Canada Domestic Only (Canadian entities) → Risk Neutral
  • International or undeclared → Risk Increaser

SLIDE 19

Data Transformation

Encryption: A strong but reversible means to protect data → Risk Neutral

Obfuscation: A reversible clear text replacement according to a key. Easy to reverse engineer. → Risk Increaser

  • Obfuscation in Real-time communication protocols where efficient data processing is required (typically not BCSI) → Risk Neutral
  • Lines between obfuscation and encryption can be blurred. When assessing risk, assess obfuscation qualities against encryption benchmarks.

Redaction: Some electronic formats retain redacted content → Risk Neutral

Sanitization: Permanent and irreversible transformation of data → Risk Reducer

SLIDE 20

Conclusion

“BCSI in the Cloud” risk considerations overlap and should be considered collectively

MRO will use professional judgement based on the BCSI in the Cloud risk considerations, and the “ERO Enterprise CMEP Practice Guide” to determine overall compliance risk

SLIDE 21

References

ERO Enterprise CMEP Practice Guide

  • https://www.nerc.com/pa/comp/guidance/CMEPPracticeGuidesDL/ERO%20Enterprise%20CMEP%20Practice%20Guide%20_%20BCSI%20-%20v0.2%20CLEAN.pdf

2019-02 Project Page

  • https://www.nerc.com/pa/Stand/Pages/Project2019-02BCSIAccessManagement.aspx

CIPC Security Guideline, Cloud Computing

  • https://www.nerc.com/comm/Pages/Reliability-and-Security-Guidelines.aspx

Homomorphic encryption:

  • https://en.wikipedia.org/wiki/Homomorphic_encryption

Data Sovereignty:

  • https://en.wikipedia.org/wiki/Data_sovereignty

Obfuscation in software:

  • https://en.wikipedia.org/wiki/Obfuscation_(software)

Sanitization:

  • https://en.wikipedia.org/wiki/Sanitization_(classified_information)

SLIDE 22


HEROS@mro.net