Virtualization and CIP-005, Project 2016-02 Project Update (PowerPoint PPT Presentation)

  1. Virtualization and CIP-005. Project 2016-02 Project Update. Project 2016-02 CIP SDT Members, December 2019

  2. Purpose
     • Virtualization changes to CIP standards are to ENABLE new methods/models, NOT REQUIRE them
     2 RELIABILITY | ACCOUNTABILITY

  3. Agenda
     • Discuss current security state and issues
     • Discuss emerging security models (Zero Trust)
     • CIP-005 changes to allow ESP plus other models

  4. Current State
     • Network Perimeter (ESP) based
     • Castle & Moat
       ◦ Everything inside the castle = good
       ◦ All the bad is outside the castle
       ◦ The moat (FW) provides separation and controlled access
     • Trust is based on your network location
       ◦ Internet, Corporate network, DMZ, ICS network, Controller network
       ◦ Your trust level = which perimeter you are within
       ◦ Security controls are mostly for North/South traffic (crossing perimeters)
       ◦ All your network peers are at the same trust level (PCAs in CIP)
       ◦ East/West traffic within the perimeter has no security controls

  5. Typical Network Model (diagram; labels: Internet; Corporate Network: Accounting Desktop, Engineer Dept Desktop; DMZ Network: Data Historian, Database Server; Control System Operator Network: HMI; Control System Network: Controller(s))

  6. Issues
     • Adversaries are intelligent, highly adaptable, and often have more resources than defenders
     • As the perimeter model improved, attackers adapted and hack the humans instead (phishing, watering hole attacks, etc.)
     • Result: the “inside” is also hostile, and the model provides for easy lateral movement (network access is controlled at the perimeter, not inside)
     • Ransomware: get onto one system inside the perimeter and spread laterally

  7. Typical Security Breach (diagram with the same layout as slide 5; labels: Internet; Corporate Network: Accounting Desktop, Engineer Dept Desktop; DMZ Network: Data Historian, Database Server; Control System Operator Network: HMI; Control System Network: Controller(s))

  8. Other Perimeter Issues
     • Remote access, VPN, cloud services, vendor access, etc.
     • The true perimeter is dynamic
     • “Inside” and “outside” a perimeter: is there another way to think about network security models?

  9. Virtualization Enables Other Models
     • Virtualized environments are enabling new and different ways to think about network security to address these issues
     • Security controls: network or host
       ◦ Network: isolation, but lose context
       ◦ Host: context, but not isolation
     • Enter the hypervisor, with ubiquitous context

  10. Zero Trust Architecture
     • New and evolving security strategy that fundamentally changes networking from implicit trust to zero trust
     • The basic premise is that there is no implicit trust granted to systems based on their physical or network location
       ◦ Treats EVERY network as hostile (thus the zero trust name)
       ◦ DOESN’T CARE what network address you have or where you are
       ◦ DOES CARE who you are as a person or process, the state of your machine, and whether you are authorized RIGHT NOW for what type of access to the particular data or resource
       ◦ ALL traffic is encrypted/protected because no network is trusted
     • ONLY authorized communications are allowed

  11. Security Breaches in Zero Trust (photo; “This Photo by Unknown Author is licensed under CC BY-NC-ND”)

  12. Zero Trust Model
     • Assumes ANY network is hostile: NO implicit trust
     • Access granted only when access is needed, and only for the duration of that access
     • Authorize the user and device at the time access is needed
     • Protects resources and data, not network segments
     • Network location is no longer a prime component of security posture
     • Attacker reconnaissance and lateral movement are not allowed
     • This is a fundamentally different model than ESP

  13. Policies and Zones
     • Network segments and perimeters replaced with policies and zones
     • Based on “need to know” preconfigured access policies
     • Protects access to data, assets, applications, and services, not network segments
     • Policies can include machines, users, processes, and services regardless of where they are on a network
     • Get access control as granular as possible

  14. Policy Example
     • Individuals in AD group “Historian_Access” on a device with OS=“Windows” can only use TLS-Version=“1.2” encrypted communication to access workloads with Tag=“Control_Historian_APP”
     • This policy defines allowed communications
     • With no reference to where anything is on a network
     • An encrypted temporary “network” is established between the user/process/app, wherever they are, and the historian app, wherever it is
     • No other communication allowed
     • Policy is enforced end to end and everywhere in between

  15. CIP-005
     • Current
       ◦ 1.1 All applicable Cyber Assets connected to a network via a routable protocol shall reside within a defined ESP.
       ◦ 1.2 All External Routable Connectivity must be through an identified Electronic Access Point.
     • Proposed
       ◦ 1.1 Have one or more methods for allowing only needed and controlled communications to and from applicable systems, either individually or as a group, and logically isolating all other communications.
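The policy on slide 14, the zero trust model on slide 12 (authorize the user and device at the time of access, for the duration of access, without regard to network location) and the proposed CIP-005 R1.1 objective on slide 15 (allow only needed communications, isolate everything else) describe one decision procedure. The following is an added example, not code from the presentation or from NERC: a small policy decision point that evaluates the slide-14 attributes (AD group, device OS, TLS version, workload tag) and issues a time-limited grant, beside a castle-and-moat check that trusts by source address alone. The attribute names come from the slide; the `Request`/`Policy`/`Grant` types, the 15-minute grant lifetime, the ESP address range and the sample requests are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional


@dataclass(frozen=True)
class Request:
    """What a policy decision point sees for one access attempt.
    src_ip is carried only so the perimeter model has something to check."""
    user: str
    groups: frozenset          # directory (AD) group memberships
    device_os: str             # device posture attribute
    tls_version: str           # protocol version the client offers
    resource_tags: frozenset   # tags on the target workload
    src_ip: str


@dataclass(frozen=True)
class Policy:
    """One 'need to know' rule in the shape of the slide-14 policy (assumed schema)."""
    name: str
    required_group: str
    required_os: str
    required_tls: str
    resource_tag: str
    grant_ttl: timedelta       # access is granted only for the window needed


@dataclass(frozen=True)
class Grant:
    user: str
    resource_tag: str
    expires: datetime


# Rendering of the slide's example policy; attribute values are the slide's.
HISTORIAN_POLICY = Policy(
    name="historian-access",
    required_group="Historian_Access",
    required_os="Windows",
    required_tls="1.2",
    resource_tag="Control_Historian_APP",
    grant_ttl=timedelta(minutes=15),    # constructed lifetime
)

NOW = datetime(2019, 12, 1, 12, 0, tzinfo=timezone.utc)   # constructed clock
ESP_CIDR = "10.10.0.0/16"                                 # constructed ESP range


def perimeter_decision(req: Request, esp_cidr: str = ESP_CIDR) -> bool:
    """Castle-and-moat: an address inside the ESP range is trusted,
    whoever and whatever is behind it."""
    return ip_address(req.src_ip) in ip_network(esp_cidr)


def zero_trust_decision(req: Request, policies: Iterable[Policy],
                        now: datetime = NOW) -> Optional[Grant]:
    """Check identity, device state and protocol against each policy.
    Network location is deliberately not an input. Returns a time-limited
    Grant on the first match, otherwise None (default deny: no other
    communication is allowed)."""
    for p in policies:
        if (p.required_group in req.groups
                and req.device_os == p.required_os
                and req.tls_version == p.required_tls
                and p.resource_tag in req.resource_tags):
            return Grant(req.user, p.resource_tag, now + p.grant_ttl)
    return None


def grant_is_valid(grant: Optional[Grant], now: datetime) -> bool:
    """A grant covers only the window it was issued for; re-authorize after it."""
    return grant is not None and now < grant.expires


# Constructed sample requests.
# A workstation inside the ESP whose logged-in user is not in the group.
INSIDER_WRONG_GROUP = Request(
    user="acct-clerk", groups=frozenset({"Accounting"}), device_os="Windows",
    tls_version="1.2", resource_tags=frozenset({"Control_Historian_APP"}),
    src_ip="10.10.5.20")
# An authorized operator connecting from a remote network.
REMOTE_OPERATOR = Request(
    user="operator1", groups=frozenset({"Historian_Access"}), device_os="Windows",
    tls_version="1.2", resource_tags=frozenset({"Control_Historian_APP"}),
    src_ip="203.0.113.7")
# Right user and device inside the ESP, but offering an older TLS version.
OPERATOR_OLD_TLS = Request(
    user="operator1", groups=frozenset({"Historian_Access"}), device_os="Windows",
    tls_version="1.0", resource_tags=frozenset({"Control_Historian_APP"}),
    src_ip="10.10.5.21")


def compare(req: Request) -> dict:
    """Decision of each model for one request."""
    grant = zero_trust_decision(req, [HISTORIAN_POLICY])
    return {"perimeter": perimeter_decision(req), "zero_trust": grant is not None}


if __name__ == "__main__":
    for label, req in [("insider, wrong group", INSIDER_WRONG_GROUP),
                       ("remote operator", REMOTE_OPERATOR),
                       ("operator, TLS 1.0", OPERATOR_OLD_TLS)]:
        print(f"{label:22s} {compare(req)}")
```

The two models disagree on every sample: the perimeter check admits the in-ESP requests (including the one offering TLS 1.0) and rejects the remote operator, while the policy check admits only the request whose user, device and protocol all match and then only until the grant expires. That grant expiry is where "access granted only for the duration of access" lives; a real enforcement point would re-run the evaluation when it lapses rather than extending it.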

  16. Hybrid Models
     • Typically not “either/or” network models
     • Hybrid environments will be the norm
     • Security objectives allow for current/future/hybrid models

  17. ESP Conforming Changes
     • PCA
       ◦ Current – One or more Cyber Assets connected using a routable protocol within or on an ESP…
       ◦ Proposed – Cyber Assets that are not logically isolated from a BES Cyber System…
     • 4.2.3.2 Exemption
       ◦ Current – Cyber Assets associated with communication networks and data communication links between discrete ESPs.
       ◦ Proposed – Cyber Assets associated with communication links logically isolated from BES Cyber Systems or SCI.

  18. Future Steps
     • Three CIP Standard Drafting Teams
       ◦ BCSI / Cloud
       ◦ Supply Chain
       ◦ CIP Modifications (Virtualization)
     • Project 2016-02 will delay posting until the other SDTs reach final ballot
     • Outreach
       ◦ Mini webinars
       ◦ NERC Technical Workshop in Spring 2020

  19. Questions and Answers. Jordan Mallory, NERC Senior Standards Developer for Project 2016-02 CIP Modifications, Jordan.Mallory@nerc.net
