Security Questions for Smart Grid Vendors

Attachment: Security Questions
Columns: # | Description | Supplier Brief Response
INSTRUCTIONS: The items listed below are paraphrased from the NISTIR 7628 Volume 1, which we understand to be in draft form. These are not requirements. We would like to learn more about the security characteristics of your product that are provided now or will be provided in the future. Please answer the questions clearly "yes" or "no," and if the proposed system is capable of accomplishing the security characteristic, please briefly describe how. If your system or product includes any security characteristics above and beyond the listed items, such as any additional considerations or enhancements as described in the NISTIR 7628, please describe those as well. Note: the term "system" shall mean software, hardware, etc. that may exist at the head-end and/or equipment that is located remotely within the electric distribution grid.
1. Reference: SG.AC-4 Access Enforcement.
   Can the proposed system enforce assigned authorizations for controlling access to the Smart Grid information system in accordance with organization-defined policy? If so, please briefly describe how this is accomplished.

2. Reference: SG.AC-5 Information Flow Enforcement.
   Does the proposed system enforce assigned authorizations for controlling the flow of information within the Smart Grid information system and between interconnected Smart Grid information systems in accordance with applicable policy? If so, please briefly describe how this is accomplished.

3. Reference: SG.AC-8 Unsuccessful Login Attempts.
   Can the proposed system enforce a limit of organization-defined number of consecutive invalid login attempts by a user during an organization-defined time period? If so, briefly describe how this is accomplished.

4. Reference: SG.AC-9 Smart Grid Information System Use Notification.
   Does the proposed system display an approved system use notification message or banner before granting access to the Smart Grid information system that provides privacy and security notices consistent with applicable laws, directives, policies, regulations, standards, and guidance? If so, briefly describe how this is accomplished.

5. Reference: SG.AC-10 Previous Logon Notification.
   Does the proposed system notify the user, upon successful logon, of the date and time of the last logon and the number of unsuccessful logon attempts since the last successful logon? If so, briefly describe how this is accomplished.

6. Reference: SG.AC-12 Session Lock.
   Does the proposed system—
      1. Prevent further access to the Smart Grid information system by initiating a session lock after an organization-defined time period of inactivity or upon receiving a request from a user?
      2. Retain the session lock until the user reestablishes access using appropriate identification and authentication procedures?
   If so, briefly describe how this is accomplished.
7. Reference: SG.AC-13 Remote Session Termination.
   Does the proposed system terminate a remote session at the end of the session or after an organization-defined time period of inactivity? If so, briefly describe how this is accomplished.

8. Reference: SG.AU-3 Content of Audit Records.
   Does the proposed system produce an audit record, containing the following information, for each event:
      • Date and time of the event,
      • The component of the Smart Grid information system where the event occurred,
      • Type of event,
      • User/subject identity, and
      • The outcome of the event?
   If so, briefly describe how this is accomplished.

9. Reference: SG.AU-5 Response to Audit Processing Failures.
   Does the proposed system—
      1. Alert designated organizational officials in the event of an audit processing failure?
      2. Execute an organization-defined set of actions to be taken (e.g., shut down the Smart Grid information system, overwrite the oldest audit records, or stop generating audit records)?
   If so, briefly describe how this is accomplished.

10. Reference: SG.AU-7 Audit Reduction and Report Generation.
   Does the proposed system provide an audit reduction and report generation capability? If so, briefly describe how this is accomplished.

11. Reference: SG.AU-8 Time Stamps.
   Does the proposed system use internal system clocks to generate time stamps for audit records? If so, briefly describe how this is accomplished.

12. Reference: SG.AU-9 Protection of Audit Information.
   Does the proposed system protect audit information and audit tools from unauthorized access, modification, and deletion? If so, briefly describe how this is accomplished.

13. Reference: SG.AU-15 Audit Generation.
   Does the proposed system—
      1. Provide audit record generation capability and generate audit records for the selected list of auditable events?
      2. Provide audit record generation capability and allow authorized users to select auditable events at the organization-defined Smart Grid information system components?
   If so, briefly describe how this is accomplished.
14. Reference: SG.AU-16 Non-Repudiation.
   Does the proposed system protect against an individual falsely denying having performed a particular action? If so, briefly describe how this is accomplished.

15. Reference: SG.CP-11 Fail-Safe Response.
   Does the proposed system have the ability to execute an appropriate fail-safe procedure upon the loss of communications with other Smart Grid information systems or the loss of the Smart Grid information system itself? If so, briefly describe how this is accomplished.

16. Reference: SG.IA-4 User Identification and Authentication.
   Does the proposed system uniquely identify and authenticate users (or processes acting on behalf of users)? If so, briefly describe how this is accomplished.

17. Reference: SG.IA-5 Device Identification and Authentication.
   Does the proposed system uniquely identify and authenticate an organization-defined list of devices before establishing a connection? If so, briefly describe how this is accomplished.

18. Reference: SG.IA-6 Authenticator Feedback.
   Do the authentication mechanisms in the proposed system obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals? If so, briefly describe how this is accomplished.

19. Reference: SG.ID-5 Automated Labeling.
   Does the proposed system automatically label information in storage, in process, and in transmission in accordance with—
      1. Access control requirements;
      2. Special dissemination, handling, or distribution instructions; and
      3. Otherwise as required by the Smart Grid information system security policy?
   If so, briefly describe how this is accomplished.

20. Reference: SG.SA-5 Smart Grid Information System Documentation.
      1. Does the proposed system documentation include how to configure, install, and use the information system and the information system’s security features?
      2. Will the organization be able to obtain from the Supplier information describing the functional properties of the security controls employed within the proposed system?
   If so, briefly describe how this is accomplished.
21. Reference: SG.SC-2 Communications Partitioning.
   Does the proposed system partition the communications for telemetry/data acquisition services and management functionality? If so, briefly describe how this is accomplished.

22. Reference: SG.SC-3 Security Function Isolation.
   Does the proposed system isolate security functions from nonsecurity functions? If so, briefly describe how this is accomplished.

23. Reference: SG.SC-4 Information Remnants.
   Does the proposed system prevent unauthorized or unintended information transfer via shared Smart Grid information system resources? If so, briefly describe how this is accomplished.

24. Reference: SG.SC-5 Denial-of-Service Protection.
   Does the proposed system mitigate or limit the effects of denial-of-service attacks based on an organization-defined list of denial-of-service attacks? If so, briefly describe how this is accomplished.

25. Reference: SG.SC-6 Resource Priority.
   Does the proposed system prioritize the use of resources? If so, briefly describe how this is accomplished.

26. Reference: SG.SC-7 Boundary Protection.
      1. Does the proposed system monitor and control communications at the external boundary of the system and at key internal boundaries within the system?
      2. Does the proposed system connect to external networks or information systems only through managed interfaces consisting of boundary protection devices?
      3. Does the managed interface implement security measures appropriate for the protection of integrity and confidentiality of the transmitted information?
   If so, briefly describe how this is accomplished.

27. Reference: SG.SC-8 Communication Integrity.
   Does the proposed system protect the integrity of electronically communicated information? If so, briefly describe how this is accomplished.

28. Reference: SG.SC-9 Communication Confidentiality.
   Does the proposed system protect the confidentiality of communicated information? If so, briefly describe how this is accomplished.

29. Reference: SG.SC-10 Trusted Path.
   Does the proposed system establish a trusted communications path between the user and the Smart Grid information system? If so, briefly describe how this is accomplished.

30. Reference: SG.SC-12 Use of Validated Cryptography.
   Are all of the cryptography and other security functions (e.g., hashes, random number generators, etc.) which are required for use in a Smart Grid information system NIST Federal Information Processing Standard (FIPS) approved or allowed for use in FIPS modes? If so, briefly describe how this is accomplished.
31. Reference: SG.SC-14 Transmission of Security Parameters.
   Does the proposed system reliably associate security parameters with information exchanged between the enterprise information systems and the Smart Grid information system? If so, briefly describe how this is accomplished.

32. Reference: SG.SC-18 System Connections.
   Are all external Smart Grid information system and communication connections identified and protected from tampering or damage? If so, briefly describe how this is accomplished.

33. Reference: SG.SC-19 Security Roles.
   Does the Smart Grid information system design and implementation specify the security roles and responsibilities for the users of the proposed system? If so, briefly describe how this is accomplished.

34. Reference: SG.SC-20 Message Authenticity.
   Does the proposed system provide mechanisms to protect the authenticity of device-to-device communications? If so, briefly describe how this is accomplished.

35. Reference: SG.SC-22 Fail in Known State.
   Does the proposed system fail to a known state for defined failures? If so, briefly describe how this is accomplished.

36. Reference: SG.SC-23 Thin Nodes.
   Does the proposed system employ processing components that have minimal functionality and data storage? If so, briefly describe how this is accomplished.

37. Reference: SG.SC-24 Honeypots.
   Does the proposed system include components specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, analyzing, and tracking such attacks? If so, briefly describe how this is accomplished.

38. Reference: SG.SC-25 Operating System-Independent Applications.
   Can the proposed system include organization-defined applications that are independent of the operating system? If so, briefly describe how this is accomplished.

39. Reference: SG.SC-26 Confidentiality of Information at Rest.
   Does the proposed system employ cryptographic mechanisms for all critical security parameters (e.g., cryptographic keys, passwords, security configurations) to prevent unauthorized disclosure of information at rest? If so, briefly describe how this is accomplished.

40. Reference: SG.SC-29 Application Partitioning.
   Does the proposed system separate user functionality (including user interface services) from Smart Grid information system management functionality? If so, briefly describe how this is accomplished.

41. Reference: SG.SI-3 Malicious Code and Spam Protection.
   Does the proposed information system prevent users from circumventing malicious code protection capabilities? If so, briefly describe how this is accomplished.

42. Reference: SG.SI-6 Security Functionality Verification.
   Does the proposed system notify the management authority when anomalies are discovered? If so, briefly describe how this is accomplished.

43. Reference: SG.SI-7 Software and Information Integrity.
   Does the proposed system monitor and detect unauthorized changes to software and information? If so, briefly describe how this is accomplished.

44. Reference: SG.SI-8 Information Input Validation.
   Does the proposed system employ mechanisms to check information for accuracy, completeness, validity, and authenticity? If so, briefly describe how this is accomplished.

45. Reference: SG.SI-9 Error Handling.
   Does the proposed system—
      1. Identify error conditions?
      2. Generate error messages that provide information necessary for corrective actions without revealing potentially harmful information that could be exploited by adversaries?
   If so, briefly describe how this is accomplished.
INSTRUCTIONS: Please provide answers to the questions below in the space provided.
46. Security Approach.
   Describe the current security approach for your product. Specifically, what is your firm’s approach to ensuring your product meets customer expectations for IT security, software security, and compliance?

47. System Boundaries.
   Provide one or more diagrams or technical descriptions for each of the following:
      (1) A network-oriented view of where each part of your product is installed in the cooperative’s networks;
      (2) A network-oriented view of each of the communications protocols used by your product;
      (3) An architecture-oriented diagram that shows each of the security components (authentication, authorization, cryptography, and so on) included with your product.
   a. Also include with each diagram or description: (1) the demarcation points where your product expects to interface with a cooperative’s previously existing technology; (2) the interface requirements at each demarcation point; (3) any specific security requirements required for a secure interface at the demarcation point.

48. Certification and Compliance.
   Provide a list of standards, recommendations, guidance, statutes, and related items with which you claim compliance or certification for any part of your product.

49. Asset Identification.
   Provide a list of all components of your product that would be considered “critical assets” or “critical cyber assets” under the definitions in the current NERC CIPs.

50. Key Management.
   If cryptographic key management is required as part of the product’s operation, describe the procedures, hardware, software, skill sets, and any other resources required for the various key management activities (e.g., generation, distribution, and so on).

51. Dependence on Existing Systems.
   If acceptable security for the product (hardware, software, and protocols) relies on certain security technologies and procedures being in place at the cooperative, describe the recommended security technologies and procedures that should be in place.

52. Security of Out-Sourced Components.
   If some part of the product or its operation (e.g., hardware, software, command and control, data) will remain outside the cooperative's direct control (e.g., in a remote data center, as part of a SaaS offering, and so on), describe and diagram the parts outside the cooperative's control and describe the security practices applied to keeping those parts both safe and compliant with all applicable regulatory needs.

53. External Connections.
   If installation or continued operation of the product requires Supplier remote access to some part of the cooperative networks or systems, describe how this is done securely.

54. Training.
   Describe the training available to the cooperative on the installation, configuration, and operation of security-related settings, components, and related characteristics for your product.
55. Documentation.
   Describe the detailed documentation available for the primary security configuration items associated with your product, along with detailed guidance to help cooperatives make good security choices during both installation and ongoing operations.

56. Protection for Data in Transit.
   Describe how the product provides protection for all associated functional and administrative data communications (i.e., data in transit).

57. Protection for Data at Rest.
   Describe how the product provides protection for all associated data storage (i.e., data at rest).

58. Product Access Controls and Separation of Duties.
   Describe how the product provides protection (e.g., access control, authorizations, permissions, encryption) and separation of duties for all functional and administrative access.

59. Protection of Sensitive Data.
   List and describe how the product creates, processes, and stores sensitive data (e.g., customer personal data, credit card data, customer usage data, etc.) in full compliance with all applicable security standards.

60. Audit and Forensics Support.
   Describe how the product logs or provides for the logging of administrative actions and other important events to support incident response and forensic analysis.

61. Firmware and Software Integrity.
   Describe how the product periodically verifies its software and/or firmware to ensure its validity and detect tampering.

62. Account and Password Controls.
   Describe how the product provides for unique user accounts and the ability to change default passwords and/or other credentials.

63. Cryptographic Certification.
   Provide a list of the cryptographic components included in the product and detail the current compliance status of each with respect to NIST standards.

64. Equipment Removal.
   Describe the security procedures required for safely removing the product from the field (sunsetting, end-of-life, recall, swap out, etc.).

65. Supply Chain.
   Describe the hardware and software supply chain for all security-related hardware and software components in your product.

66. Software Development Lifecycle.
   Describe the security aspects of the software development lifecycle used to build the current version of your product (regardless of whether the codebase was developed by your firm or a subcontractor).

67. Threat Modeling.
   Describe the threat model used to decide on the appropriate security features, security configuration controls, security designs, and software security approaches present in your product.

68. Security Testing.
   Describe all types of security testing applied to your product and list any current security testing artifacts available for review. Desired artifacts include results from a static code review tool, a dynamic analysis tool, a fuzz testing tool, a penetration test, an architecture risk assessment, an industry or government certification, and/or any similar security-specific review.
Attachment: Security Questions - Communications
Columns: # | Description | Supplier Brief Response

1. Please explain how your product can be configured to protect sensitive data being transmitted over the wireless path, protect sensitive data being stored, and verify that critical commands (whether provided locally or remotely) originate from authorized users or devices.