Cyber System-Centric Approach To Cyber Security and CIP

Uploaded On 2023-11-04

Morgan King, Senior Compliance Auditor, Cyber Security. WECC Reliability and Security Workshop, San Diego, CA, October 23-24, 2018. Western Electricity Coordinating Council.


Presentation Transcript

1. Cyber System-Centric Approach To Cyber Security and CIP
Morgan King
Senior Compliance Auditor – Cyber Security
WECC Reliability and Security Workshop
San Diego CA – October 23 – 24, 2018
Western Electricity Coordinating Council

2. Did We Get CIP v5 Right?
- We got CIP v5 so right
- System-centric approach never fully realized
- Need all perspectives in identifying and resolving the issues
- Making CIP more manageable, auditable, secure, and resilient

3. By the Numbers
https://www.nerc.com/gov/bot/BOTCC/Compliance%20Committee%202013/Presentations_CC_Open_Meeting_August_15_2018.pdf#search=2018%20violations

4. By The Risk
https://www.nerc.com/gov/bot/BOTCC/Compliance%20Committee%202013/Presentations_CC_Open_Meeting_August_15_2018.pdf#search=2018%20violations

5. By The Events
https://www.nerc.com/AboutNERC/StrategicDocuments/2018_ERO_Enterprise_Metrics_Approved_by_the_NERC_Board_on_November_9_2017.pdf#search=2018%20violations

6. Two Aspects in CIP
- CIP is a PROGRAM and its elements.
  - CIP-002, CIP-003, CIP-004, CIP-006, CIP-008, CIP-009, CIP-011, CIP-014
- CIP has TECHNICAL architecture requirements.
  - CIP-005, CIP-007, CIP-010

7. Paradigm Shift
https://www.biggreendoor.com/wp-content/uploads/znvn774tlxdrpv3lzqhu.png

8. Device-Centric
- CIP v3 Critical Cyber Assets
- CIP v5 original concept was to be a paradigm shift from device-centric to a system-centric approach.
- Cyber Asset
- Programmable electronic device
- BES Cyber Asset
- BES Cyber System
- Per BES Cyber System / Cyber Asset Capability

9. Device-Centric Approach
[Diagram labels: BES Cyber System, Cyber Asset, Baseline (each repeated three times)]

10. System-Centric
- Consider that cyber technology in support of reliability is not just a piece of hardware or software, or a communication circuit, but a system intimately associated with the reliability functions it supports.
- One of the fundamental differences between Versions 4 and 5 of the CIP Cyber Security Standards is the shift from identifying Critical Cyber Assets to identifying BES Cyber Systems.

11. System-Centric Approach
[Diagram labels: Baselines For Like Device Types; BES Cyber System (repeated three times)]

12. What If…?
- We retire some definitions
- We modify existing or create new definitions concerning devices and networking to include virtualization concepts
- We create additional technical requirements for securing today’s version of virtualization technology?
- We change requirements to security-objective-based
  - Technology agnostic
  - Nonprescriptive
  - Backward compatible
  - Future Proof technology agnostic

13. CIP Modifications Drafting Team
- SDT has worked for over a year on designing virtualization-specific language and requirements
- Electronic Security Zone – to logically isolate systems on shared infrastructure
- Centralized Management System – to address the risk of virtualization management systems; “fewer, bigger buttons”
- Issues
  - Very complex
  - Today’s technology and products
  - Continues to evolve

14. CIP SDT White Paper
https://www.nerc.com/pa/Stand/Project%20201602%20Modifications%20to%20CIP%20Standards%20RF/2016-02_Virtualization_Outreach_Webinar_Slides_06292018.pdf

15. CIP Modifications Drafting Team
Definitions Proposed for Retirement
- BES Cyber Asset
- Protected Cyber Asset
- Electronic Security Perimeter
- Electronic Access Point
- Electronic Access Control or Monitoring Systems

16. More Change Upon Us
- Cyber Asset only applicable to (TCA, Removable Media)
- BES Cyber System
- Protected Cyber System
- Electronic Access Control System
- Electronic Access Monitoring Systems
- External Routable Connectivity with new objective-based isolation model
- Interactive Remote Access to address IP-serial conversion scenarios

17. Nonprescriptive
CIP-007-6 R3 Part 3.1
“Deploy method(s) to deter, detect, or prevent malicious code.”
CIP-007-6 R3 Guidance
“Due to the wide range of equipment comprising the BES Cyber Systems and the wide variety of vulnerability and capability of that equipment to malware as well as the constantly evolving threat and resultant tools and controls, it is not practical within the standard to prescribe how malware is to be addressed on each Cyber Asset. Rather, the Responsible Entity determines on a BES Cyber System basis which Cyber Assets have susceptibility to malware intrusions and documents their plans and processes for addressing those risks and provides evidence that they follow those plans and processes.”

18. Virtualized Architecture
https://www.nerc.com/pa/Stand/Project%20201602%20Modifications%20to%20CIP%20Standards%20RF/2016-02_Virtualization_Outreach_Webinar_Slides_06292018.pdf

19. Electronic Security Zone
https://www.nerc.com/pa/Stand/Project%20201602%20Modifications%20to%20CIP%20Standards%20RF/2016-02_Virtualization_Outreach_Webinar_Slides_06292018.pdf

20. CIP Modifications Drafting Team
- Is a containerized application a BCA? Or is it just an application?
- An entity's Electronic Access Point is now a policy-based “firewall,” dynamically placed in front of workloads. Access control is now beyond a layer 3 routable protocol level. How does an entity demonstrate compliance with CIP-005?
- Is a SAN part of the same BES Cyber Asset as the virtual machine, is a SAN its own BES Cyber Asset, or is it just a BES Cyber System Information repository since it alone does not perform any BES functions?

21. System-Centric Approach
- Make “BES Cyber System” the foundational object.
- Requirements apply at the system level.
- Implement on system as a whole
- Implement on components that make sense
- Allows for dynamic components

22. Current CIP-005-5 R1, R2

24. Logical Isolation Zone / External Routable Connectivity
- Logical Isolation Zone: One or more cyber systems isolated by logical controls that only allow known and controlled communications to or from those systems.
- External Routable Connectivity: Inbound and outbound communication to a logically isolated BES Cyber System initiated from a system that is outside of the Logical Isolation Zone.

25. Proposed CIP-005-6 R1

26. Logical Isolation
https://www.nerc.com/pa/Stand/Project%20201602%20Modifications%20to%20CIP%20Standards%20RF/2016-02_CIP_Virtualization_Webinar_Slides_04182017.pdf

27. Logical Isolation
https://www.nerc.com/pa/Stand/Project%20201602%20Modifications%20to%20CIP%20Standards%20RF/2016-02_CIP_Virtualization_Webinar_Slides_04182017.pdf

28. Sufficient Logical Isolation
https://www.nerc.com/pa/Stand/Project%20201602%20Modifications%20to%20CIP%20Standards%20RF/2016-02_CIP_Virtualization_Webinar_Slides_04182017.pdf

29. Sufficient Logical Isolation
https://www.nerc.com/pa/Stand/Project%20201602%20Modifications%20to%20CIP%20Standards%20RF/2016-02_CIP_Virtualization_Webinar_Slides_04182017.pdf

30. Logical Isolation Compared
https://www.nerc.com/pa/Stand/Project%20201602%20Modifications%20to%20CIP%20Standards%20RF/2016-02_CIP_Virtualization_Webinar_Slides_04182017.pdf

31. NERC CIPC/CIWG Cloud Project
- Implications of Cloud Services for CIP Assets
- Underlay / Overlay
- Certifications
- Meeting security objectives for applicable systems

32. CIWG Cloud Project Tabletop Participants
- Tri-State
- SMUD
- APS
- MISO
- AES
- Ameren?
- KCP&L?

33. Service Provider Participants
- CoalFire
- AWS
- IBM
- ServiceNow
- Microsoft
- FedRAMP PMO?

34. Overlay / Underlay
http://bradhedlund.com/2012/10/06/mind-blowing-l2-l4-network-virtualization-by-midokura-midonet/

35. CIP Obligations / Certifications
[Diagram labels: CIP Obligations; Certifications]
http://bradhedlund.com/2012/10/06/mind-blowing-l2-l4-network-virtualization-by-midokura-midonet/

36. CIP Obligations
http://techgenix.com/iam-security-best-practices/

37. CIP Obligations
http://techgenix.com/iam-security-best-practices/

38. Potential Gaps
- Should there be a notification to utilities when CIP standards are violated?
- Service provider audit report not shared with others
- Ensuring the security plan and actual implementation are adequate

39. Concerns
- Compliance risks for utilities when vendors don’t perform
- How to address changes to CIP standards with service providers?
- Mapping to the CMEP
- How will this be audited and PNCs addressed?
- Mitigating violations that impact CIP Compliance

40. Review
- CIP v5 continues to evolve
- System-centric approach closer to being fully developed
- Need all perspectives in identifying and resolving the issues
- Ensuring CIP is more manageable, auditable, secure, and resilient

41. Next Steps
- Post for informal comment period October 29, 2018.
- Seeking Standards Committee (SC) authorization to post March 2019.
- Initial posting March 2019 (if authorized to post by SC).
- November 1, 2018 Virtualization Webinar.