1 / 41

Cyber System-Centric Approach To Cyber Security and CIP

Cyber System-Centric Approach To Cyber Security and CIP. Morgan King Senior Compliance Auditor – Cyber Security WECC Reliability and Security Workshop San Diego CA – October 23 – 24, 2018. We got CIP v5 so right System-centric approach never fully realized

egerald
Télécharger la présentation

Cyber System-Centric Approach To Cyber Security and CIP

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Cyber System-Centric Approach To Cyber Security and CIP Morgan King Senior Compliance Auditor – Cyber Security WECC Reliability and Security Workshop San Diego CA – October 23 – 24, 2018 Western Electricity Coordinating Council

  2. We got CIP v5 so right • System-centric approach never fully realized • Need all perspectives in identifying and resolving the issues • Making CIP more manageable, auditable, secure, and resilient Did We Get CIP v5 Right? Western Electricity Coordinating Council

  3. By the Numbers https://www.nerc.com/gov/bot/BOTCC/Compliance%20Committee%202013/Presentations_CC_Open_Meeting_August_15_2018.pdf#search=2018%20violations Western Electricity Coordinating Council

  4. By The Risk https://www.nerc.com/gov/bot/BOTCC/Compliance%20Committee%202013/Presentations_CC_Open_Meeting_August_15_2018.pdf#search=2018%20violations Western Electricity Coordinating Council

  5. By The Events https://www.nerc.com/AboutNERC/StrategicDocuments/2018_ERO_Enterprise_Metrics_Approved_by_the_NERC_Board_on_November_9_2017.pdf#search=2018%20violations Western Electricity Coordinating Council

  6. CIP is a PROGRAM and its elements. • CIP-002, CIP-003, CIP-004, CIP-006, CIP-008, CIP-009, CIP-011, CIP-014 • CIP has TECHNICAL architecture requirements. • CIP-005, CIP-007, CIP-010 Two Aspects in CIP Western Electricity Coordinating Council

  7. Paradigm Shift https://www.biggreendoor.com/wp-content/uploads/znvn774tlxdrpv3lzqhu.png Western Electricity Coordinating Council

  8. CIP v3 Critical Cyber Assets • CIP v5 original concept was to be a paradigm shift from device-centric to a system-centric approach. • Cyber Asset • Programmable electronic device • BES Cyber Asset • BES Cyber System • Per BES Cyber System / Cyber Asset Capability Device-Centric Western Electricity Coordinating Council

  9. Device-Centric Approach BES Cyber System BES Cyber System BES Cyber System Baseline Baseline Baseline Cyber Asset Cyber Asset Cyber Asset Western Electricity Coordinating Council

  10. Consider that cyber technology in support of reliability is not just a piece of hardware or software, or a communication circuit, but a system intimately associated with the reliability functions it supports. One of the fundamental differences between Versions 4 and 5 of the CIP Cyber Security Standards is the shift from identifying Critical Cyber Assets to identifying BES Cyber Systems.  System-Centric Western Electricity Coordinating Council

  11. System-Centric Approach Baselines For Like Device Types BES Cyber System BES Cyber System BES Cyber System Western Electricity Coordinating Council

  12. We retire some definitions • We modify existing or create new definitions concerning devices and networking to include virtualization concepts • We create additional technical requirements for securing today’s version of virtualization technology? • We change requirements to security-objective-based • Technology agnositic • Nonprescriptive • Backward compatible • Future Proof technology agnostic What If…? Western Electricity Coordinating Council

  13. SDT has worked for over a year on designing virtualization-specific language and requirements • Electronic Security Zone – to logically isolate systems on shared infrastructure • Centralized Management System – to address the risk of virtualization management systems; “fewer, bigger buttons” • Issues • Very complex • Today’s technology and products • Continues to evolve CIP Modifications Drafting Team Western Electricity Coordinating Council

  14. CIP SDT White Paper https://www.nerc.com/pa/Stand/Project%20201602%20Modifications%20to%20CIP%20Standards%20RF/2016-02_Virtualization_Outreach_Webinar_Slides_06292018.pdf Western Electricity Coordinating Council

  15. Definitions Proposed for Retirement • BES Cyber Asset • Protected Cyber Asset • Electronic Security Perimeter • Electronic Access Point • Electronic Access Control or Monitoring Systems CIP Modifications Drafting Team Western Electricity Coordinating Council

  16. Cyber Asset only applicable to (TCA, Removable Media) BES Cyber System Protected Cyber System Electronic Access Control System Electronic Access Monitoring Systems External Routable Connectivity with new objective-based isolation model Interactive Remote Access to address IP-serial conversion scenarios More Change Upon Us Western Electricity Coordinating Council

  17. CIP-007-6 R3 Part 3.1 • “Deploy method(s) to deter, detect, or prevent malicious code.” • CIP-007-6 R3 Guidance • “Due to the wide range of equipment comprising the BES Cyber Systems and the wide variety of vulnerability and capability of that equipment to malware as well as the constantly evolving threat and resultant tools and controls, it is not practical within the standard to prescribe how malware is to be addressed on each Cyber Asset. Rather, the Responsible Entity determines on a BES Cyber System basis which Cyber Assets have susceptibility to malware intrusions and documents their plans and processes for addressing those risks and provides evidence that they follow those plans and processes.” Nonprescriptive Western Electricity Coordinating Council

  18. Virtualized Architecture https://www.nerc.com/pa/Stand/Project%20201602%20Modifications%20to%20CIP%20Standards%20RF/2016-02_Virtualization_Outreach_Webinar_Slides_06292018.pdf Western Electricity Coordinating Council

  19. Electronic Security Zone https://www.nerc.com/pa/Stand/Project%20201602%20Modifications%20to%20CIP%20Standards%20RF/2016-02_Virtualization_Outreach_Webinar_Slides_06292018.pdf Western Electricity Coordinating Council

  20. Is a containerized application a BCA? Or is it just an application? An entities Electronic Access Point is now a policy-based “firewall,” dynamically placed in front of workloads. Access control is now beyond a layer 3 routable protocol level. How does an entity demonstrate compliance with CIP-005? Is SAN part of the same BES Cyber Asset as the virtual machine, is a SAN its own BES Cyber Asset, or is it just a BES Cyber System Information repository since it alone does not perform any BES functions? CIP Modifications Drafting Team Western Electricity Coordinating Council

  21. Make “BES Cyber System” the foundational object. • Requirements apply at the system level. • Implement on system as a whole • Implement on components that make sense • Allows for dynamic components System-Centric Approach Western Electricity Coordinating Council

  22. Current CIP-005-5 R1, R2 Western Electricity Coordinating Council

  23. Western Electricity Coordinating Council

  24. Logical Isolation Zone • One or more cyber systems isolated by logical controls that only allow known and controlled communications to or from those systems. • External Routable Connectivity • Inbound and outbound communication to a logically isolated BES Cyber system initiated from a system that is outside of the Logical Isolation Zone. Logical Isolation Zone / External Routable Connectivity Western Electricity Coordinating Council

  25. ` Proposed CIP-005-6 R1 Western Electricity Coordinating Council

  26. Logical Isolation https://www.nerc.com/pa/Stand/Project%20201602%20Modifications%20to%20CIP%20Standards%20RF/2016-02_CIP_Virtualization_Webinar_Slides_04182017.pdf Western Electricity Coordinating Council

  27. Logical Isolation https://www.nerc.com/pa/Stand/Project%20201602%20Modifications%20to%20CIP%20Standards%20RF/2016-02_CIP_Virtualization_Webinar_Slides_04182017.pdf Western Electricity Coordinating Council

  28. Sufficient Logical Isolation https://www.nerc.com/pa/Stand/Project%20201602%20Modifications%20to%20CIP%20Standards%20RF/2016-02_CIP_Virtualization_Webinar_Slides_04182017.pdf Western Electricity Coordinating Council

  29. Sufficient Logical Isolation https://www.nerc.com/pa/Stand/Project%20201602%20Modifications%20to%20CIP%20Standards%20RF/2016-02_CIP_Virtualization_Webinar_Slides_04182017.pdf Western Electricity Coordinating Council

  30. Logical Isolation Compared https://www.nerc.com/pa/Stand/Project%20201602%20Modifications%20to%20CIP%20Standards%20RF/2016-02_CIP_Virtualization_Webinar_Slides_04182017.pdf Western Electricity Coordinating Council

  31. Implications of Cloud Services for CIP Assets Underlay / Overlay Certifications Meeting security objectives for applicable systems NERC CIPC/CIWG Cloud Project  Western Electricity Coordinating Council

  32. Tri-State SMUD APS MISO AES Ameren? KCP&L? CIWG Cloud ProjectTabletop Participants Western Electricity Coordinating Council

  33. CoalFire AWS IBM ServiceNow Microsoft FedRAMP PMO? Service Provider Participants Western Electricity Coordinating Council

  34. Overlay / Underlay  http://bradhedlund.com/2012/10/06/mind-blowing-l2-l4-network-virtualization-by-midokura-midonet/ Western Electricity Coordinating Council

  35. CIP Obligations / Certifications CIP Obligations Certifications http://bradhedlund.com/2012/10/06/mind-blowing-l2-l4-network-virtualization-by-midokura-midonet/ Western Electricity Coordinating Council

  36. CIP Obligations http://techgenix.com/iam-security-best-practices/ Western Electricity Coordinating Council

  37. CIP Obligations http://techgenix.com/iam-security-best-practices/ Western Electricity Coordinating Council

  38. Should there be a notification to utilities when CIP standard are violated? Service provider audit report not shared with others Ensuring the security plan and actual implementation are adequate Potential Gaps Western Electricity Coordinating Council

  39. Compliance risks for utilities when vendors don’t perform • How to address changes to CIP standards with service providers? • Mapping to the CMEP • How will this be audited and PNCs addressed? • Mitigating violations that impact CIP Compliance Concerns Western Electricity Coordinating Council

  40. CIP v5 continues to evolve • System-centric approach closer to being fully developed • Need all perspectives in identifying and resolving the issues • Ensuring CIP is more manageable, auditable, secure, and resilient Review Western Electricity Coordinating Council

  41. Post for informal comment period October 29, 2018. Seeking Standards Committee (SC) authorization to post March 2019. Initial posting March 2019 (if authorized to post by SC). November 1, 2018 Virtualization Webinar. Next Steps Western Electricity Coordinating Council

More Related