cip webinar - ReliabilityFirst

Report
Ports and Services
An Audit Approach
ReliabilityFirst CIP Webinar
Thursday, September 30, 2010
Lew Folkerth, Senior Engineer - Compliance
1
CIP-005: ESP Access Points
 CIP-005-3 R2.2: “At all access points to the Electronic
Security Perimeter(s), the Responsible Entity shall
enable only ports and services required for operations
and for monitoring Cyber Assets within the Electronic
Security Perimeter, and shall document, individually or
by specified grouping, the configuration of those ports
and services.”
 CIP-005-3 R4.2 requires that the Cyber Vulnerability
Assessment (CVA) include: “A review to verify that only
ports and services required for operations at these
access points are enabled”
 CIP-005-3 R5 requires annual review and update within
2
90 days of change
CIP-007: Systems Within ESP
 CIP-007-3 R2.1: “The Responsible Entity shall enable
only those ports and services required for normal and
emergency operations.”
 CIP-007-3 R8.2 requires that the CVA include: “A review
to verify that only ports and services required for
operation of the Cyber Assets within the Electronic
Security Perimeter are enabled”
 CIP-007-3 R9 requires annual review and update within
30 days of change
3
Audit Approach
What follows is an example of how the
compliance review might proceed. Since
each entity is different, this example is
offered only as general guidance on what
to present to the audit team.
4
Baseline
 The baseline configuration is one or more lists of ports and services
that have been determined to be needed for normal and/or
emergency operations. The baseline includes:
•
•
•
•
Port or range of ports
The associated service
The operational purpose of the port and/or service
For firewalls, the source and destination address ranges
 Once baseline configurations have been established, changes and
exceptions should be managed by a change management process
 The configuration of authorized ports and services should be able to
be produced for any given time period
5
Operational Purpose
 Operational Purpose: The reason a port and/or service is
needed for normal or emergency operations
 Demonstrates that a port and/or service is “required for
operations” per the language of the standard
 Examples:
• Insufficient: Port 22/tcp is Secure Shell (SSH).
• Sufficient: Port 22/tcp is associated with the Secure Shell (SSH) service,
which is required for remote administration of the SCADA system and
other applications.
• Sufficient: Port 22/tcp, the SSH service, is needed for unknown reasons.
The service was disabled in a test environment, after which the SCADA
system operated in an anomalous manner. See testing document ABC234.
6
Audit of Baseline
 For the baseline configurations, the audit team will seek
to determine:
• Do the baselines collectively cover all applicable cyber assets?
• For each port or port range listed, is there an associated service
identified?
• What is the operational purpose of the port and/or service?
• For firewalls, are the source and destination address ranges
sufficiently restricted?
• Are variations from the baseline properly documented?
7
Audit of Firewalls
 For a sample of firewalls, the audit team will ask the entity to
demonstrate that the actual configuration of the firewall
matches the expected configuration – that is, the baseline
plus any documented variances
 The audit team will ask the entity to demonstrate that this
determination has been made at least annually (per CIP-005
R4 and CIP-005 R5)
8
Audit of Systems Within ESP
 For a sample of systems within an ESP, the audit team will
ask the entity to demonstrate that the actual ports open and
services running match the expected configuration – that is,
the baseline plus any documented variances
 The entity is free to use any desired tool, but the audit team
will accept the output of “netstat –an” if no other tool is
available.
 The audit team will ask the entity to demonstrate that this
determination has been made at least annually (per CIP-007
R8 and CIP-007 R9)
9
CVA vs. Document Maintenance
 One question that usually arises from this discussion is: “What
is the difference between the Cyber Vulnerability Assessment
(CVA) (in CIP-005 R4 and CIP-007 R8) and Documentation
Review and Maintenance (in CIP-005 R5 and CIP-007 R9)?
 The Documentation Review and Maintenance provisions
require the documentation to be kept up with changes to the
actual systems. The documentation should be compared
against the actual systems to ensure the documentation
accurately reflects the configuration of the systems.
 The CVA requires a review of the system configurations, not
just the documentation. All ports and services should be
reviewed to ensure that each is still necessary for normal or
emergency operations.
10
Questions
 Questions should be emailed to Karen Yoder
([email protected]) Subject: “CIP
WEBINAR”
 Questions will be considered in the order they
are received
 Clarifying questions are welcome and we will do
our best to answer during the question period
 Challenges to a position should be addressed to
the presenter and will be taken offline

similar documents