NERC CIP Compliance
Defining your Electronic Security Perimeter (ESP) and Access Point Security

Agenda
• Specific NERC CIP-005 Requirements
• Underlying fundamentals of the ESP architecture
• Building ESPs using Security Enclaves and DinD
• Vulnerability Assessment Methodology
• Simple Principles

Disclaimer
CAUTION: Every environment is different and requires a direct correlation. The material contained in this presentation may not represent your corporate or architectural requirements.
ADVISORY: Education, consulting and compliance are about correctly interpreting and conveying information, which is a requirement for this content.

NERC CIP Compliance: Specific NERC CIP-005 Requirements

Specific NERC CIP-005 Requirements
CIP-005-1 – Cyber Security – Electronic Security Perimeters: Requires the identification and protection of an electronic security perimeter and access points. The electronic security perimeter is to encompass the critical cyber assets identified pursuant to the methodology required by CIP-002-1.

Specific NERC CIP-005 Requirements
Requirement 1 - Electronic Security Perimeter
—Define an ESP and its access points to protect Critical Cyber Assets
Requirement 2 - Electronic Access Controls
—Deny by default
—Enable only required ports and services
—Securing dial-up access
—Documentation
—Appropriate Use Banner
Requirement 3 - Monitoring Electronic Access (covered in the SIEM presentation in two weeks)
Requirement 4 - Cyber Vulnerability Assessment
Requirement 5 - Documentation Review and Maintenance
Monitor FERC Order 706 activity

Specific NERC CIP-005 Requirements
The following are exempt from Standard CIP-005:
—4.2.1 Facilities regulated by the U.S. Nuclear Regulatory Commission or the Canadian Nuclear Safety Commission.
—4.2.2 Cyber Assets associated with communication networks and data communication links between discrete Electronic Security Perimeters.
—4.2.3 Responsible Entities that, in compliance with Standard CIP-002, identify that they have no Critical Cyber Assets.
NERC CIP Compliance: Underlying fundamentals of the ESP architecture

Architecting your ESP to provide the appropriate access control and monitoring capabilities
• Approach, controls, monitoring, assessment and documentation requirements are defined in CIP-005
• It is challenging to define an electronic perimeter around geographically dispersed systems that collect information and perform automated and manual control operations
• Organizations must think methodically about their approach and intrinsically understand the environment and the type of controls
• Define an ESP access point access control request, review and response workflow
• Define an appropriate trust model for your systems (enclaves)
• Ensure the adequacy of protection and continued high availability of authorized access and control

Integrating ESP high availability identity management solutions
Understand your organization's trust model based upon the enclave approach outlined in the methodology:
—Select your identity type, system and appropriate audit trail for each ESP enclave
—Define the appropriate administrative and operational trusts for system access
—Separate technical administrators, developers, system operators and general users
—Correlate your physical and cyber identities as appropriate
—Ensure identity integrity throughout the ESP
—Define operational procedures to support high availability access to ensure safety

Control System Network Architecture
[Figures, all sourced from Idaho National Laboratory, Control Systems Cyber Security: Defense in Depth Strategies (May 2006):]
• Traditional Isolation of Corporate and Control Domains
• Overview of Contemporary Control System Architectures
• Database Attack Vector
• Common Security Zones
• Firewall Deployment for Common Security Zones
• Defense in Depth with IDS
• Corporate IT to Control System IT Comparison

NERC CIP Compliance: Building ESPs using Security Enclaves and DinD

Definition: Security Enclaves
An enclave is, as defined in Department of Defense Directive (DoDD) 8500.1 E2.1.16.2, "the collection of computing environments connected by one or more internal networks under the control of a single authority and security policy, including personnel and physical security."
Terminology Potpourri
—Security Zones
—DeMilitarized Zones
—Transactional Zones
Determine security controls and define system interactions: review NIST SP 800-53 r2 and SP 800-82

Security Enclave Creation
Security enclaves provide the layers of trusted systems which limit untrusted interactions. Enclave creation can be based upon:
—Mission criticality
—Operational requirements
—Type of application
—System users
—Trusted versus untrusted interactions

Enclave Split - Services
Services are separated among enclaves.
Separation of duties
—External DNS / Internal DNS
—External Mail / Internal Mail
—External Web / Internal Web
—External Authentication / Internal Authentication
Split Active Directory Domains
—Out Of Band Management Network
—Application Proxy

Building Security Enclaves
Defined logical ESP access points with enterprise identity management and network integrated firewalls and IDS.
[Diagram legend: Site-to-Site VPN, Firewall, ESP, High Availability Virtualized Architecture, Restricted WAN, Control Enclave, IDS/EDS. Enclaves shown: Remote VPN / Contractor / Identity Mgmt / Uncontrolled ISO Enclaves; Office Desktop Systems; ISO, Identity & Event Mgmt Enclaves.]
[Diagram continued: Testing Enclaves.]

Building Security Enclaves
[Diagram legend: Control Enclaves, VPN, IDS/EDS, Firewall, Testing Enclave, Generating / Sub Station ESP. Components shown: Primary ISO Enclave on a High Availability Virtualized Architecture; Secondary Testing Enclaves; ISO Enclave; Control Enclave; WAN; Remote VPN / Contractor / Uncontrolled ISO Enclaves; Office Systems.]

Defining Ports and Services Access Rules
• Do you know who, how, why, where, and when the system communicates across the network?
• Known Communication Between Systems
• Unknown Communication Between Systems
– Review levels of system trust for the need of an isolation station / proxy
– Define appropriate access rules
– Work with the application vendor to identify requirements
– If necessary, enable connectivity in learning mode

Defense in Depth Security Controls
• Layers of protection for Information and Control (I & C)
• Provides security against a single or multiple points of failure
• Common to define Network, Client or Control Node, Server and Operational controls

Build Knowing The Attacks: "Man-in-the-Middle"
• Attacker reads, inserts and modifies information without either party being aware
• Physical Layer
• Datalink Layer
• Network Layer
• Application Layer
• Social Layer
• Not an exhaustive list of attacks and controls
• What can happen?
• Incorrect information is conveyed to the operator
• Incorrect control settings are sent to the system
• Control is completely taken over by the attacker

Defense in Depth: Network
Information and Control (I & C) touchpoints should:
—Be limited to the absolute minimum at which the purpose of the application may still be satisfied
—Provide limitations for trusted and untrusted access
Controls:
● Encrypted and integrity checked traffic
● Traffic access control
● Intrusion Detection and Prevention
● Network authentication / authorization
● Application proxy
Note: This is not an exhaustive list of Defense in Depth solutions

Defense in Depth: EMS / Operator Connectivity
● EMS Enclave
● Separate development and quality assurance enclaves
● Island (isolated) architecture with dedicated infrastructure is acceptable
[Diagram labels: Event Monitoring; DHCP Snooping / Port Security / DNS Host Files; Separate EMS Enclaves for PDS and QAS; I&C Workstation Dual Homed / EMS Direct Connection; Unique Operator Login]
Note: This is not an exhaustive list of Defense in Depth solutions

Operational Workflow for Managing ESP/PSP Access Requests and Approvals
• Same workflow for both physical and cyber access
• Defines the approval process for creation/modification of access and revocation of rights

NERC CIP Compliance: Defining your ESP Vulnerability Assessment Methodology

Defining an ESP Vulnerability Assessment Methodology appropriate for the bulk electric system
The ESP Vulnerability Assessment Methodology considers the threat, the cyber asset, the adversary type, known vulnerabilities and the consequences of an adversarial success to arrive at a relative risk level and an appropriate response. Automated and manual vulnerability analysis is performed by the IT Security department and the FERC/NERC Compliance department to identify both effective and ineffective security controls. The results of the assessment are then provided to the FERC/NERC Compliance Director.
The results are reviewed and appropriate countermeasures are identified, developed, applied in a test environment, reviewed for acceptance and propagated to production. The methodology is then reapplied to determine the relative risk reduction achieved. This iterative process continues until the most appropriate method for reducing risk to an acceptable level is identified and approved by the FERC/NERC Compliance Director.

Performing a Vulnerability Assessment within and against your ESP
• Defined in CIP-005 Requirement 4 and CIP-007 Requirements 3 and 8
• Typically do not perform tests against live systems
—The risk is substantial
• Ensure the accuracy of system state with your change management system
• Define the appropriate personnel for risk acceptance and mitigation procedures
• Create an appropriate set of procedures to
—adequately test the response of the system and the associated controls
—migrate the modifications through staging
—provide an appropriate rollback structure

Selecting Vulnerability Management Solutions
Review vulnerability management solutions for the following requirements:
—Ability to generate audit trails and appropriate reports / integration with your situational awareness software
—Breadth of supported capabilities to validate networks, applications and operating systems in your environment
—Ability to operate in an *Internet isolated* environment leveraging a proxy solution
—Interoperation with NIST or CISecurity.org baseline criteria definitions
—Support agreement and associated service level capabilities
—Incremental patch deployment to categorically identified systems and applications on a schedulable basis
—Support for the appropriate trust model for your organization's access control model
—High level of assurance of the system's accuracy and efficiency for your environment

Vulnerability Assessment Process
Network Tests
—Remote / Local Scanning using GFI LANguard, Nessus and Harris STAT
—Remote / Local PenTesting using BackTrack 2 tools with Metasploit 3
Local Tests
—CISecurity.org Assessment Scoring Tools
Reviewing New NIST SCAP Vendors
—Part of the Federal Desktop Initiative

Responding to results from your vulnerability assessment
• Do not PANIC
—However, review high risk results immediately; identify whether other defense in depth controls provide protection
• Vulnerability assessments should be a dialogue between the audit team and the systems personnel
• Appropriately document, notify the vendor for resolution and receive the update to validate using your patch testing methodology created in CIP-007 Requirement 3

NERC CIP Compliance: Simple Principles to reflect upon while architecting

Simple Principles
• Isolationism provides protection
—The more isolated an environment is from others, the greater the success of physical and logical security controls in assuring continuously accurate information and control

Simple Principles
• Assets will be physically stolen or lost
—Physical assets, physical assets storing electronic information and electronic assets will be stolen or lost
—You must limit the impact of any theft of information
• Your conversations will be eavesdropped upon
—Any verbal, paper or electronic conversation can be monitored; you must accept this and utilize the appropriate protective controls to limit your risk

Simple Principles
• Build with a moat (control)
—Separate trust levels / Security Enclaves
—Understand how the moat (control) works
• (or) Build with Nightingale Floors *
* Nijo Castle, Kyoto, Japan

Simple Principles
• Vulnerabilities are the gateways through which threats manifest themselves
• Threats exist
—Hackers
—Corporations
—Nation States

Risk Assessment Relationship
[Diagram, based upon IEEE Standard 15408 (Common Criteria); labels: Risk, Mission, Owners, Countermeasures, Vulnerabilities, Threat agents, Threats, Risks, Assets. Relationships shown: Owners value Assets and wish to minimize Risk; Owners impose Countermeasures to reduce Risk; Countermeasures may possess Vulnerabilities; Vulnerabilities may be reduced by Countermeasures; Owners may be aware of Vulnerabilities; Threat agents give rise to Threats that exploit Vulnerabilities, leading to Risks that increase; Threats to Assets; Threat agents wish to abuse or damage Assets.]

Simple Principles
• Security or risk mitigation controls must be well understood to be properly used
—A detailed understanding of the category of the control: Directive, Preventive, Compensating, Detective, Corrective
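Worked example for the "Defining Ports and Services Access Rules" slide and the CIP-005 Requirement 2 deny-by-default rule: this is an added illustration, not code from the original deck. It keeps a documented allowlist (who, where, how, why) for an ESP access point and runs a learning-mode pass over observed flows, separating known communication from unknown flows that need review; every address, port and justification below is a constructed sample value.

```python
"""Deny-by-default review of ESP access point flows (CIP-005 R2).
Added example; addresses, ports and justifications are constructed samples."""
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Rule:
    src: str            # source network (who)
    dst: str            # destination inside the ESP (where)
    proto: str          # tcp/udp (how)
    port: int           # service port (how)
    justification: str  # why, as the CIP-005 R2 documentation requires

# Constructed allowlist: only documented, required ports and services.
ALLOWLIST = [
    Rule("10.20.0.0/24", "10.50.1.10/32", "tcp", 443, "ICCP proxy from control centre"),
    Rule("10.20.0.5/32", "10.50.1.0/24", "tcp", 22, "out-of-band management jump host"),
    Rule("10.50.1.0/24", "10.20.0.53/32", "udp", 53, "internal DNS resolver"),
]

def permitted(src, dst, proto, port, rules=ALLOWLIST):
    """Return the matching rule, or None: an unmatched flow is denied by default."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.proto == proto and r.port == port):
            return r
    return None

def learning_mode_review(flows, rules=ALLOWLIST):
    """Split observed flows into known (documented) and unknown (needs review)."""
    known, unknown = [], set()
    for flow in flows:
        if permitted(*flow, rules=rules):
            known.append(flow)
        else:
            unknown.add(flow)  # de-duplicated so each unknown pairing is reviewed once
    return known, sorted(unknown)

# Constructed flows seen at the access point while in learning mode.
OBSERVED = [
    ("10.20.0.7", "10.50.1.10", "tcp", 443),
    ("10.20.0.5", "10.50.1.22", "tcp", 22),
    ("10.50.1.22", "10.20.0.53", "udp", 53),
    ("10.20.0.9", "10.50.1.10", "tcp", 3389),   # undocumented remote desktop
    ("192.168.7.4", "10.50.1.10", "tcp", 443),  # source outside any trusted enclave
]
```

Calling learning_mode_review(OBSERVED) returns the three documented flows as known and the two undocumented flows as the review list; each reviewed flow is then either added to the allowlist with a justification or stays denied.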