Thursday, April 6, 2017

Trial Balloon

Open up the current CIP-005, and go to page 15 (towards the bottom) to see the original, then compare it side by side to this (unofficial, non-authoritative, completely speculative, proposed, draft) language... What do you think?

*********************************************************************************

Requirement R1 requires isolation of BES Cyber Systems from other systems of differing trust levels by requiring Boundary Protection and controlled Network Ports, Protocols, and Services via identified Electronic Access Points between the applicable BCS and Non-CIP Cyber Systems. Electronic Security Perimeters are also used to identify a defense boundary for some BES Cyber Systems that may not inherently have sufficient cyber security functionality, such as devices that lack authentication capability.


All applicable BES Cyber Systems that are connected to a network must reside in a defined Electronic Security Zone (ESZ). Even standalone networks that have no external connectivity to other networks must have a defined ESZ. The ESP is a demarcation of the security zone containing the BES Cyber System, and it also provides clarity for entities to determine what systems or Cyber Assets are in scope and what requirements they must meet. The ESP is used in:

  • Defining the isolation boundary between CIP-applicable Cyber Assets and Non-CIP Cyber assets, including the location where certain controls are applied, i.e. Electronic Access Points (EAP).
  • Defining the scope of ‘Associated Protected Cyber Assets’ that must also meet certain CIP requirements.
  • Defining the boundary inside of which:
    • All of the Cyber Assets meet the requirements of the highest impact BES Cyber System that is in the zone (the ‘high water mark’) –or-
    • Cyber Assets reside in security zones characterized by specific sets of controls applied to a class or classes of BCS according to risk or impact criteria


The CIP Cyber Security Standards do not require network segmentation of BES Cyber Systems by impact classification. Many different impact classifications may be mixed within an ESP. However, all of the Cyber Assets and BES Cyber Systems within the ESP must either be protected at the level of the highest impact BES Cyber System present in the ESP (i.e., the “high water mark”) where the term “Protected Cyber Assets” is used, or grouped into security zones with discrete security controls applied to each zone.

-The CIP Cyber Security Standards accomplish the high water mark by associating all other Cyber Assets within the ESP, even other BES Cyber Systems of lesser impact, as “Protected Cyber Assets” of the highest impact system in the ESP. For example, if an ESP contains both a high impact BES Cyber System and a low impact BES Cyber System, each Cyber Asset of the low impact BES Cyber System is an “Associated Protected Cyber Asset” of the high impact BES Cyber System and must meet all requirements with that designation in the applicability columns of the requirement tables.
-The alternative to the high water mark approach is to categorize BCS and Associated PCA into security zones according to their risk or impact and apply those controls which are required for the impact rating to the zone in which they reside. Security zones are isolated from other zones of differing risk or impact rating by controlling traffic, allowing only that which is explicitly identified as necessary.

If there is external routable connectivity to any CIP-applicable Cyber Asset, then an Electronic Access Point (EAP) must be identified where inbound and outbound access controls are applied to traffic traversing the ESP. Responsible Entities should know what traffic needs to cross an EAP and document those reasons to ensure the EAPs limit the traffic to only those known communication needs. These include, but are not limited to, communications needed for normal operations, emergency operations, support, maintenance, and troubleshooting.

The control strategy implemented at the EAP should apply to both inbound and outbound traffic. The standard added outbound traffic control, as it is a prime indicator of compromise and a first level of defense against zero day vulnerability-based attacks. If Cyber Assets within the ESZ become compromised and attempt to communicate to unknown hosts outside the ESP (usually ‘command and control’ hosts on the Internet, or compromised ‘jump hosts’ within the Responsible Entity’s other networks acting as intermediaries), the EAPs should function as a first level of defense in stopping the exploit. This does not limit the Responsible Entity from controlling outbound traffic at the level of granularity that it deems appropriate and large ranges of internal addresses may be allowed.

The SDT’s intent is that the Responsible Entity knows what other Cyber Assets or ranges of addresses a BES Cyber System needs to communicate with and limits the communications to that known range. For example, most BES Cyber Systems within a Responsible Entity should not have the ability to communicate through an EAP to any network address in the world, but should probably be at least limited to the address space of the Responsible Entity, and preferably to individual subnet ranges or individual hosts within the Responsible Entity’s address space.

The SDT’s intent is not for Responsible Entities to document the inner workings of stateful firewalls, where connections initiated in one direction are allowed a return path. The intent is to know and document what systems can talk to what other systems or ranges of systems on the other side of the EAP, such that rogue connections can be detected and blocked.
This requirement applies only to communications for which access lists and ‘deny by default’ type requirements can be universally applied, which today are those that employ routable protocols. Direct serial, non-routable connections are not included as there is no perimeter or firewall type security that should be universally mandated across all entities and all serial communication situations. There is no firewall or perimeter capability for a serial cable run between two Cyber Assetsand such a requirement would mostly generate technical feasibility exceptions (“TFEs”) rather than increased security. However, the technical security control does not need to be applied at the device level. The security control can be applied at the system level.

For example, a relay may be controlled via a serial connection (RS-232, etc.) from a device with an Ethernet port. This device, generally a terminal server or computer, may have multiple serial connections, a console port, and one or more Ethernet connections capable of interacting with a remote access client via a routable protocol. The terminal server generally has the capability to act as an AAA client, requesting authentication, authorization, and providing or participating in logging for Accounting purposes with a network based service or combination of services such as RADIUS, TACACS+ or LDAP directory services. This provides the opportunity for enhanced security such as multi-factor authentication which is typically not natively available in relays or terminal servers.

The security objective of providing controlled access and isolation is achieved by controlling the external addressability of the serial device rather than placing a security mechanism between the serial ports of the device and its immediate upstream serial controller. An IP-serial converter that has an Ethernet port outside and serial connection(s) inside is externally addressable, and on a practical level passes through that external addressability to the device receiving the serial connection. The control should be applied to the security zone where the Ethernet connection resides, upstream of the relay.

As for dial-up connectivity, the Standard Drafting Team’s intent of this requirement is to prevent situations where phone number alone can establish direct connectivity to the BES Cyber Asset.  If a dial-up modem is implemented in such a way that it simply answers the phone and connects the line to the BES Cyber Asset with no authentication of the calling party, it is a vulnerability to the BES Cyber System. The requirement calls for some form of authentication
of the calling party before completing the connection to the BES Cyber System. Some examples of acceptable methods include dial-back modems, modems that must be remotely enabled or powered up, and modems that are only powered on by onsite personnel when needed along with policy that states they are disabled after use. If the dial-up connectivity is used for Interactive Remote Access, then Requirement R2 also applies.

The standard adds a requirement to detect malicious communications for Control Centers. This is in response to FERC Order No. 706, Paragraphs 496-503, where ESPs are required to have two distinct security measures such that the BES Cyber Systems do not lose all perimeter protection if one measure fails or is misconfigured. The Order makes clear that this is not simply redundancy of firewalls, thus the SDT has decided to add the security measure of malicious traffic inspection as a requirement for these ESPs. Technologies meeting this requirement include Intrusion Detection or Intrusion Prevention Systems (IDS/IPS) or other forms of deep packet inspection. These technologies go beyond source/destination/port rule sets and thus provide another distinct security measure at the ESP.

1 comment:

  1. Nice blog... I really appreciate your work which you have done about the Securing OT Networks, many thanks and keep it up.

    ReplyDelete