Ports and Services: An Audit Approach
ReliabilityFirst CIP Webinar
Thursday, September 30, 2010
Lew Folkerth, Senior Engineer - Compliance

CIP-005: ESP Access Points

CIP-005-3 R2.2: “At all access points to the Electronic Security Perimeter(s), the Responsible Entity shall enable only ports and services required for operations and for monitoring Cyber Assets within the Electronic Security Perimeter, and shall document, individually or by specified grouping, the configuration of those ports and services.”

CIP-005-3 R4.2 requires that the Cyber Vulnerability Assessment (CVA) include: “A review to verify that only ports and services required for operations at these access points are enabled”

CIP-005-3 R5 requires annual review and update within 90 days of change

CIP-007: Systems Within ESP

CIP-007-3 R2.1: “The Responsible Entity shall enable only those ports and services required for normal and emergency operations.”

CIP-007-3 R8.2 requires that the CVA include: “A review to verify that only ports and services required for operation of the Cyber Assets within the Electronic Security Perimeter are enabled”

CIP-007-3 R9 requires annual review and update within 30 days of change

Audit Approach

What follows is an example of how the compliance review might proceed. Since each entity is different, this example is offered only as general guidance on what to present to the audit team.

Baseline

The baseline configuration is one or more lists of ports and services that have been determined to be needed for normal and/or emergency operations.
The baseline includes:
• Port or range of ports
• The associated service
• The operational purpose of the port and/or service
• For firewalls, the source and destination address ranges

Once baseline configurations have been established, changes and exceptions should be managed by a change management process.

The configuration of authorized ports and services should be able to be produced for any given time period.

Operational Purpose

Operational Purpose: The reason a port and/or service is needed for normal or emergency operations.

Demonstrates that a port and/or service is “required for operations” per the language of the standard.

Examples:
• Insufficient: Port 22/tcp is Secure Shell (SSH).
• Sufficient: Port 22/tcp is associated with the Secure Shell (SSH) service, which is required for remote administration of the SCADA system and other applications.
• Sufficient: Port 22/tcp, the SSH service, is needed for unknown reasons. The service was disabled in a test environment, after which the SCADA system operated in an anomalous manner. See testing document ABC234.

Audit of Baseline

For the baseline configurations, the audit team will seek to determine:
• Do the baselines collectively cover all applicable cyber assets?
• For each port or port range listed, is there an associated service identified?
• What is the operational purpose of the port and/or service?
• For firewalls, are the source and destination address ranges sufficiently restricted?
• Are variations from the baseline properly documented?
Audit of Firewalls

For a sample of firewalls, the audit team will ask the entity to demonstrate that the actual configuration of the firewall matches the expected configuration – that is, the baseline plus any documented variances.

The audit team will ask the entity to demonstrate that this determination has been made at least annually (per CIP-005 R4 and CIP-005 R5).

Audit of Systems Within ESP

For a sample of systems within an ESP, the audit team will ask the entity to demonstrate that the actual ports open and services running match the expected configuration – that is, the baseline plus any documented variances.

The entity is free to use any desired tool, but the audit team will accept the output of “netstat -an” if no other tool is available.

The audit team will ask the entity to demonstrate that this determination has been made at least annually (per CIP-007 R8 and CIP-007 R9).

CVA vs. Document Maintenance

One question that usually arises from this discussion is: “What is the difference between the Cyber Vulnerability Assessment (CVA) (in CIP-005 R4 and CIP-007 R8) and Documentation Review and Maintenance (in CIP-005 R5 and CIP-007 R9)?”

The Documentation Review and Maintenance provisions require the documentation to be kept up with changes to the actual systems. The documentation should be compared against the actual systems to ensure the documentation accurately reflects the configuration of the systems.

The CVA requires a review of the system configurations, not just the documentation. All ports and services should be reviewed to ensure that each is still necessary for normal or emergency operations.

Questions

Questions should be emailed to Karen Yoder (karen.yoder@rfirst.org), Subject: “CIP WEBINAR”

Questions will be considered in the order they are received

Clarifying questions are welcome and we will do our best to answer during the question period

Challenges to a position should be addressed to the presenter and will be taken offline
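The comparison the audit team asks for on the Audit of Systems Within ESP slide (actual ports open and services running versus the baseline plus documented variances) is shown below as an added example; it is not code from the webinar. It parses a constructed Linux-style “netstat -an” listing, keeps only listening TCP sockets and bound UDP sockets, and diffs them against a hypothetical baseline and a hypothetical change-managed variance list. The result separates ports that are open but unexpected (the CVA question: is each still necessary?) from baseline entries that are no longer listening (the documentation maintenance question: does the document still reflect the system?). The netstat text, baseline entries, purposes and change ticket reference are all constructed.

```python
"""Compare 'netstat -an' output against a ports-and-services baseline.

Added example, not from the webinar. The netstat output below is constructed
(Linux format); the baseline and variance records are hypothetical.
"""

# Constructed sample of 'netstat -an' as captured on an ESP host
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:502             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 192.168.100.10:22       10.10.5.7:51234         ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 0.0.0.0:161             0.0.0.0:*
"""

# Hypothetical baseline: (protocol, port) -> operational purpose
BASELINE = {
    ("tcp", 22): "SSH - remote administration of the SCADA system",
    ("tcp", 502): "Modbus/TCP - polling of field RTUs",
    ("tcp", 443): "HTTPS - operator HMI web interface",
    ("udp", 123): "NTP - time synchronisation for event logs",
}

# Hypothetical documented variances approved through change management
VARIANCES = {
    ("tcp", 80): "Change ticket CHG-0001 (constructed): HTTP redirect to HTTPS enabled",
}


def parse_listening(netstat_text):
    """Return {(proto, port): bound_address} for listening TCP and bound UDP sockets."""
    listening = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip banner and header lines; keep tcp/tcp6/udp/udp6 rows only
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto = "tcp" if fields[0].startswith("tcp") else "udp"
        addr, _, port = fields[3].rpartition(":")   # handles IPv6 '::' forms too
        if proto == "tcp" and (len(fields) < 6 or fields[5] != "LISTEN"):
            continue   # established or closing connections are not enabled services
        listening[(proto, int(port))] = addr
    return listening


def compare(listening, baseline=BASELINE, variances=VARIANCES):
    """Split the observed sockets into unexpected, matched and missing-from-host."""
    expected = set(baseline) | set(variances)
    actual = set(listening)
    return {
        "unexpected": sorted(actual - expected),   # CVA: still required? or should be disabled
        "missing": sorted(expected - actual),      # documentation out of date with the system
        "matched": sorted(actual & expected),
    }


def report(netstat_text=NETSTAT_OUTPUT):
    """Human-readable lines for the audit evidence package."""
    result = compare(parse_listening(netstat_text))
    lines = []
    for proto, port in result["unexpected"]:
        lines.append(f"UNEXPECTED {proto}/{port}: not in baseline or documented variances")
    for proto, port in result["missing"]:
        lines.append(f"MISSING    {proto}/{port}: in baseline but not listening on host")
    for proto, port in result["matched"]:
        purpose = BASELINE.get((proto, port)) or VARIANCES[(proto, port)]
        lines.append(f"OK         {proto}/{port}: {purpose}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

On the constructed input the script reports tcp/631 and udp/161 as unexpected, tcp/443 as present in the baseline but not running, and the four remaining sockets as matched, with tcp/80 justified by the variance record rather than the baseline. A port bound to 127.0.0.1 only (tcp/631 here) is still reported, since the standard's language covers enabled services, not just remotely reachable ones; whether it is acceptable is a baseline decision, not a parser decision.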