
Out-of-Band Management

Out-of-Band Management. April 9, 2019. Holly Eddy, CISA, CRISC, CISSP, Auditor, Cyber Security. "Lights out management". Opening Statement.



Presentation Transcript


  1. Out-of-Band Management April 9, 2019 Holly Eddy, CISA, CRISC, CISSP Auditor, Cyber Security

  2. "Lights out management"

  3. Opening Statement Out-of-band management is often referred to as managing the “keys to the kingdom” given the high set of privileges that come with such access. To ensure the “keys to the BES kingdom” are protected, how to identify components of Cyber Assets applicable to out-of-band management and determine applicable protections will be reviewed.

  4. What can be controlled with out-of-band management interfaces enabled?

  5. Common Capabilities of Out-of-Band Management
     • Remotely:
       • start up
       • shutdown
       • reboot
       • install operating system
     • Sensor monitoring (fan speed, power voltages, chassis intrusion)
     • Access local media (DVD drive, disk images)
     • Adjust BIOS, RAID or RAM timing settings

  6. Privileges with Out-of-Band Management
     • Device configurations can be changed
     • Communication ports can be modified
     • Data can be copied
     • User accounts and privileges changed
     • Difficult to detect an active exploit

  7. Out-of-Band (OOB) Management Aliases
     • Lights-out Management (LOM)
     • Integrated Lights-Out (iLO)
     • Dell Remote Access Controller (DRAC)
     • Intelligent Platform Management Interface (IPMI)
     • IBM Remote Supervisor Adapter
     • Etc.

  8. Assessing Out-of-Band Management
     • Are Cyber Assets' network management ports physically connected?
       • If so, to what?
     • What methods are in place to manage access to the interfaces?
       • ACLs configured?
       • Access logs feasible/captured?
       • Alerting?
       • Shared accounts identified?

  9. What is the Risk of Not Assessing the Use of Out-of-Band Management on Devices?

  10. Challenge: Identify Use of Out-of-Band Management
      • Ask SMEs if Cyber Assets associated with BES Cyber Systems utilize components such as:
        • iLO, DRAC, LOM, etc.
      • Inventory physical connections on Cyber Assets for console management connectivity

  11. Exercise: Identify Use of Out-of-Band Management
      In the provided example, prepare to discuss your table's observations of:
      • How many instances of out-of-band management are connected?
      • What devices are using it?
      • Was the inventory helpful in assessing use?
      • What other methods could be used?

  12. EXERCISE

  13. Identifying Use of Out-of-Band Management
      Review baseline configurations to determine whether any of the commonly used, logically network-accessible management ports are configured:
      • SSH
      • HTTP
      • Terminal services
      • IPMI-over-LAN
      • Remote console
      • Virtual media port

  14. Next Steps

  15. Low Impact BES Cyber Systems
      • Evaluate communications between low impact BES Cyber Systems and Cyber Assets outside the asset containing the low impact BES Cyber Systems for out-of-band management use.
      • If identified, ensure the CIP-003-7 Attachment 1 Section 3 controls are afforded so that only necessary electronic access is permitted.

  16. High & Medium Impact BES Cyber Systems Protections

  17. High & Medium Impact BES Cyber Systems Protections

  18. Maintaining an Inventory
      Can entities inventory out-of-band management interfaces as separate Cyber Assets?
      • Yes; however, entities must ensure applicable security controls are afforded pursuant to the host Cyber Asset:
        • High impact BES Cyber System
        • Medium impact BES Cyber System
        • Low impact BES Cyber System
      • The audit team verifies protections for out-of-band management as a component of the host Cyber Asset.

  19. Access Management Protections
      • Have individuals with access to interfaces had a personnel risk assessment completed?
      • Do individuals with access to interfaces have documented and authorized access pursuant to CIP-004-6 R4?
      • If interfaces are accessible via Interactive Remote Access, are they addressed in CIP-004-6 R5 revocation processes?

  20. ESP Protections
      • As applicable to the host Cyber Asset, do the out-of-band management interfaces reside within an ESP-defined subnet?
      • If interfaces are accessible via Interactive Remote Access, are they accessed pursuant to CIP-005-5 R2?
        • Intermediate System
        • Encrypted session
        • Multi-factor authentication

  21. System Security Management
      As applicable throughout CIP-007-6:
      • Are only the needed logical ports for out-of-band management enabled and documented?
      • Are patch sources identified for platforms used with out-of-band management and included in patch management programs?
      • Are the interfaces included in malicious code prevention processes?
      • Are the interfaces configured to log and alert pursuant to R4?
      • Have the interfaces been evaluated and afforded applicable R5 protections for account management?

  22. Change Configuration and Vulnerability Assessments
      • Have the out-of-band management interfaces been included in the entity's developed baseline configurations?
      • Have applicable changes to interfaces followed the entity's CIP-010-2 R1 processes pursuant to Parts 1.2 – 1.5?
      • If associated with high impact BCS, are the interfaces included in the R2 monitoring processes?
      • Do vulnerability assessment processes consider interfaces?
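The review in slides 13 and 15-22 can be turned into a repeatable check over an entity's own baseline inventory. The helper below is an added example, not WECC's or the presenter's code: it applies those checks to a constructed inventory and reports findings per Cyber Asset. Field names, the sample records and the exact wording of the findings are assumptions made for the example.

```python
# Added audit helper, not WECC's or the presenter's code: applies the slide
# checks to a constructed baseline inventory (field names are assumptions).
from dataclasses import dataclass

OOB_SERVICES = {"ssh", "http", "https", "terminal services", "ipmi-over-lan",
                "remote console", "virtual media"}          # slide 13 list
IRA_CONTROLS = {"intermediate system", "encrypted session", "mfa"}  # CIP-005 R2

@dataclass
class MgmtInterface:
    asset: str            # host Cyber Asset the interface is a component of
    impact: str           # host BCS impact rating: "high", "medium" or "low"
    enabled: set          # services enabled per the baseline configuration
    documented: set       # services the baseline documents as needed
    inside_esp: bool = False                # interface within an ESP-defined subnet
    ira_controls: frozenset = frozenset()   # subset of IRA_CONTROLS in place
    acl_configured: bool = False            # low impact: only necessary access permitted
    logs_and_alerts: bool = False           # CIP-007 R4 logging and alerting
    shared_accounts: int = 0                # shared accounts identified on interface

def audit(iface: MgmtInterface) -> list:
    oob = iface.enabled & OOB_SERVICES
    if not oob:
        return []                           # no OOB exposure, nothing to verify
    findings = []
    undocumented = oob - iface.documented
    if undocumented:
        findings.append(f"CIP-007 R1: undocumented ports {sorted(undocumented)}")
    if iface.impact in ("high", "medium"):  # slides 18-21 protections
        if not iface.inside_esp:
            findings.append("CIP-005 R1: interface outside ESP-defined subnet")
        if missing := IRA_CONTROLS - iface.ira_controls:
            findings.append(f"CIP-005 R2: missing {sorted(missing)}")
        if not iface.logs_and_alerts:
            findings.append("CIP-007 R4: no logging/alerting on interface")
    elif not iface.acl_configured:          # slide 15: CIP-003-7 Att. 1 Sec. 3
        findings.append("CIP-003-7: electronic access not limited to necessary traffic")
    if iface.shared_accounts:
        findings.append(f"CIP-007 R5: {iface.shared_accounts} shared account(s)")
    return findings

SAMPLE_INVENTORY = [  # constructed records, not from any real entity
    MgmtInterface("ems-server-01", "high", {"https", "ipmi-over-lan", "virtual media"},
                  {"https"}, inside_esp=True, logs_and_alerts=True,
                  ira_controls=frozenset({"intermediate system", "encrypted session"})),
    MgmtInterface("substation-rtu-07", "low", {"ssh"}, {"ssh"}, shared_accounts=1),
    MgmtInterface("historian-02", "medium", {"ntp"}, {"ntp"}),
]

def audit_inventory(inventory=SAMPLE_INVENTORY) -> dict:
    return {i.asset: f for i in inventory if (f := audit(i))}  # omit clean assets
```

Assets whose baseline enables none of the listed services are dropped from the result, which mirrors the audit approach of verifying protections only where an interface is actually configured.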

  23. Looking Forward…
      CIP-005-6
      • Active vendor session (R2 Part 2.4)
      • Method(s) to disable active vendor remote access (R2 Part 2.5)
      CIP-010-3
      • Verifying identity of software sources and integrity of software obtained, as applicable to R1 Part 1.6
      CIP-013-1
      • Devices with out-of-band management capabilities should be procured in accordance with Supply Chain Risk Management Plans

  24. Best Practices for Out-of-Band Management
      • Shared accounts
      • Default passwords
      • Least privilege
      • Change default passwords and certificates
      • Alert on creation of new accounts
      • Monitor for new vulnerabilities
      • Reduce number of Transient Cyber Assets

  25. WECC's Audit Approach
      • Out-of-band management interfaces will be reviewed pursuant to the host Cyber Assets to ensure applicable CIP controls are afforded to the interfaces.
      • The Notice of Audit Package will request whether management interfaces are applicable to Cyber Assets identified in an entity's response to the CIP Data Set.
      • Cyber Assets with configured interfaces could be included in the CIP-007/CIP-010 Sample Set data request to ensure CIP protections are afforded.

  26. CIP Data Set and Management Interface Information

  27. CIP Data Set and Management Interface Information

  28. What Are The Risks…
      If out-of-band management interfaces are not protected, a malicious actor could utilize such access and impact a Cyber Asset's:
      • Operating System configuration
      • Communication and network configuration
      • Data
      • User accounts and privileges
      • Health (power, fans, temperatures)

  29. What can be controlled with out-of-band management interfaces enabled?

  30. Out-of-Band Management Review
      • Out-of-band management interfaces of Cyber Assets are important components to protect.
      • If unprotected, interfaces represent a concerning risk to BES Cyber Systems.
      • Proper identification and application of CIP protections will help secure access to BES Cyber Systems.
      • What to expect during audits when verifying protections for out-of-band management components.

  31. Protecting the BES Kingdom
      By identifying out-of-band management interfaces and affording them the required protections, the "keys to the BES kingdom" (BES Cyber Systems) will have limited vectors of compromise, and the security and reliability of the BES is further guarded.

  32. For CIP Questions

  33. Holly Eddy, CISA, CRISC, CISSP Cyber Security Auditor heddy@wecc.org
