spp cip-005 presentation
Post on 27-Nov-2014
CIP-005-3a
Electronic Security Perimeters
A Primer in ESP Identification
Brent Johnson, CISSP, CISA
Project Consultant
GDS Associates, Inc.
CIP-005: Electronic Security Perimeters
• 5 Requirements:
– Identify
– Control
– Monitor
– Assess Vulnerabilities
– Maintain Documentation
• This presentation deals specifically with Identification of ESPs
Importance of ESP Documentation
• Documentation is the blueprint to network security
– Visually shows how CCAs are electronically protected
– Forces entities to confirm their electronic security strategy
– Serves as a guide for auditors
What is an ESP?
• Electronic Security Perimeter
• The logical border around a network
– All CCAs must be protected by an ESP
– Access is Controlled
How is Access Controlled?
• Access Points
– The device that discriminates between authorized and unauthorized traffic in and out of ESPs
– This may not always be the outermost device on the network!
Understanding Access Points
“The endpoint is the ESP access point if access is controlled at the endpoint irrespective of which OSI layer is managing the communication.”
– Non-binding Standard Drafting Team Comment on CIP-005-1 Interpretation, http://www.nerc.com/docs/standards/sar/2009-12_C_of_C_Initial_Ballot_RFI_PacifiCorp_CIP-005-1_2009Oct12.pdf
Access Points
Device Accessible from Outside
• A device accessible from outside the ESP*
* Unless this access is controlled by another device in the ESP
VPNs and Tunnels
• Anything serving as an endpoint of a tunnel where the other endpoint is outside the ESP
• This applies even when the other endpoint is in a different ESP
Dial-Up
• Externally connected dial-up devices
Access Points: Accessible from Outside
• Alice needs to access the File Server
– She has a username, password and network token
• The Firewall forwards all traffic on the VPN Server port number without considering its origin
• The VPN Server is responsible for authenticating users
Where is the access point?
Access Points: VPNs
• Alice needs to check on Workstations A, B and C
• Once she authenticates with the VPN, she has a secure tunnel to the ESP Firewall
• The ESP firewall only allows traffic in from the VPN server, which is already authenticated
Access Points: Modems
• The corporate internet connection goes down and Alice needs to remotely access the protected network
• Alice uses a cell phone modem to connect to the dial-up server which then authenticates her
Links Between ESPs
• Communication networks connecting discrete ESPs together are not considered part of the ESP
– Equipment outside of ESP access points is out of scope
Links Between ESPs
• It is possible to create one logical ESP even if it is broken into multiple physical locations
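The three access-point rules (accessible from outside unless guarded by another in-ESP device, tunnel endpoint with the far end outside the ESP, externally connected dial-up) and the four situations the slides walk through (port-forwarded VPN server, VPN tunnel to the ESP firewall, dial-up server, links between ESPs) can be checked mechanically against an asset list. The following Python model is an added example, not material from the presentation or from GDS Associates; the device attributes (`reachable_from_outside`, `controlled_by`, `tunnel_peer`, `dial_up`) and every device name are constructed for the illustration, and it generalizes the "different ESP counts as outside" point by labelling each device with the ESP it belongs to.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Device:
    name: str
    esp: Optional[str]                    # ESP the device belongs to; None = outside every ESP
    reachable_from_outside: bool = False  # traffic originating outside the ESP can reach it
    controls_access: bool = False         # discriminates authorized vs. unauthorized traffic
    controlled_by: Optional[str] = None   # device whose access control that traffic must pass
    tunnel_peer: Optional[str] = None     # far end of a VPN/tunnel terminated on this device
    dial_up: bool = False                 # externally connected dial-up device


def identify_access_points(devices: List[Device], esp: str) -> Set[str]:
    """Apply the slide deck's three rules to one ESP and return its access points."""
    by_name: Dict[str, Device] = {d.name: d for d in devices}

    def outside(name: Optional[str]) -> bool:
        # Unknown devices and devices in any other ESP count as outside this ESP
        peer = by_name.get(name) if name else None
        return peer is None or peer.esp != esp

    access_points: Set[str] = set()
    for d in devices:
        if d.esp != esp:
            continue  # only devices in this ESP can be its access points
        # Rule 1: accessible from outside, unless another device in the ESP controls that access
        if d.reachable_from_outside:
            guard = by_name.get(d.controlled_by) if d.controlled_by else None
            guarded = guard is not None and guard.esp == esp and guard.controls_access
            if d.controls_access or not guarded:
                access_points.add(d.name)
        # Rule 2: tunnel endpoint whose other end is outside the ESP (a different ESP included)
        if d.tunnel_peer is not None and outside(d.tunnel_peer):
            access_points.add(d.name)
        # Rule 3: externally connected dial-up devices
        if d.dial_up:
            access_points.add(d.name)
    return access_points


def scenario_port_forward() -> Set[str]:
    # Firewall forwards the VPN port regardless of origin; the VPN Server authenticates.
    # The access point is therefore not the outermost device.
    devices = [
        Device("Firewall", "ESP-1", reachable_from_outside=True, controlled_by="VPN Server"),
        Device("VPN Server", "ESP-1", reachable_from_outside=True, controls_access=True),
        Device("File Server", "ESP-1", reachable_from_outside=True, controlled_by="VPN Server"),
    ]
    return identify_access_points(devices, "ESP-1")


def scenario_vpn_tunnel() -> Set[str]:
    # Corporate VPN server sits outside the ESP; the ESP firewall terminates the tunnel
    # and only admits traffic from the already-authenticated VPN server.
    devices = [
        Device("Corporate VPN Server", None, controls_access=True),
        Device("ESP Firewall", "ESP-1", reachable_from_outside=True, controls_access=True,
               tunnel_peer="Corporate VPN Server"),
    ] + [
        Device(f"Workstation {w}", "ESP-1", reachable_from_outside=True, controlled_by="ESP Firewall")
        for w in "ABC"
    ]
    return identify_access_points(devices, "ESP-1")


def scenario_dial_up() -> Set[str]:
    # Cell-phone modem into a dial-up server that authenticates the caller.
    devices = [
        Device("Dial-up Server", "ESP-1", dial_up=True, controls_access=True),
        Device("RTU", "ESP-1", reachable_from_outside=True, controlled_by="Dial-up Server"),
    ]
    return identify_access_points(devices, "ESP-1")


def scenario_linked_esps(one_logical_esp: bool) -> Set[str]:
    # Two sites joined by a router-to-router tunnel: documented as separate ESPs, each
    # tunnel endpoint is an access point; documented as one logical ESP, neither is.
    esp_b = "ESP-A" if one_logical_esp else "ESP-B"
    devices = [
        Device("Router A", "ESP-A", controls_access=True, tunnel_peer="Router B"),
        Device("Router B", esp_b, controls_access=True, tunnel_peer="Router A"),
    ]
    return identify_access_points(devices, "ESP-A")


if __name__ == "__main__":
    print("port forward:", scenario_port_forward())
    print("vpn tunnel:  ", scenario_vpn_tunnel())
    print("dial-up:     ", scenario_dial_up())
    print("linked ESPs: ", scenario_linked_esps(False), scenario_linked_esps(True))
```

The `controlled_by` attribute is what encodes the asterisk on the "Device Accessible from Outside" slide: a reachable device drops out of the access-point set only when the device that actually makes the allow/deny decision is itself inside the same ESP. Documenting that attribute for every reachable asset is what forces the "possibly behind the outermost device" question to be answered explicitly.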
Access Control & Monitoring Equipment
Functions of ACM Equipment
Logging
• Centralized Logging Servers
Intrusion Detection
• SIEM
• IDS/IPS
• Pattern Recognition
• Incident Response
Authentication
• Active Directory
• LDAP
• Kerberos
Protecting ACM Equipment
Requirements that apply to ACM equipment (source CIP standard in parentheses):
Information
– Information Protection Plan (CIP-003)
Monitoring
– Electronic Access (CIP-005)
– Security Status Monitoring (CIP-007)
Systems Security Management
– Disposal and Redeployment (CIP-007)
– Documentation Review (CIP-007)
Physical Security
– Personnel Risk Assessment (CIP-004)
– Electronic Access Control Systems (PSP) (CIP-006)
Secure Configuration
– Change Control and Configuration Management (CIP-003)
– Electronic Access Controls (CIP-005)
– Security Controls Testing (CIP-007)
– Account Management (CIP-007)
Evolving Threat Response
– Security Patch Management (CIP-007)
– Malicious Software Prevention (CIP-007)
– Cyber Vulnerability Assessment (CIP-007)
Response and Recovery
– Incident Reporting & Response Management (CIP-008)
– Recovery Plans (CIP-009)
Documenting an ESP: Components
• Good ESP documentation successfully identifies:
– Critical Cyber Assets
– Access Points
– Access Control and Monitoring Equipment
– All other assets inside the ESP
Documenting an ESP
• Accuracy is imperative!
• Develop documentation based on known configuration and confirm topology with:
– Network discovery of assets
• Nmap
– Physical Cable Inspection
• Documentation must contain all cyber assets inside, regardless of Criticality
Common Pitfalls in Documenting ESPs
• Not everything is included
• Redundant cabling/port connections are not documented
• Failure to consider Access Points possibly behind the outermost device
• Documentation not updated within 90 days of changes made
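The "confirm topology with network discovery" step and the first and last pitfalls above amount to a reconciliation: compare what the ESP documentation lists against what an Nmap sweep actually saw, and check whether changes have outlived their 90-day documentation window. The Python below is an added example, not part of the presentation or of any GDS Associates tooling; it assumes Python 3.7+ and the XML shape that `nmap -oX` writes, and the scan result, the asset list, the addresses and all dates are constructed for the illustration.

```python
import xml.etree.ElementTree as ET
from datetime import date, timedelta
from typing import Dict, List

# Constructed sample in the shape of `nmap -sn -oX` output; not a real scan result.
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -oX esp-sweep.xml 10.10.5.0/24">
  <host><status state="up"/><address addr="10.10.5.1" addrtype="ipv4"/>
    <hostnames><hostname name="esp-fw" type="PTR"/></hostnames></host>
  <host><status state="up"/><address addr="10.10.5.10" addrtype="ipv4"/>
    <hostnames><hostname name="hmi-01" type="PTR"/></hostnames></host>
  <host><status state="up"/><address addr="10.10.5.11" addrtype="ipv4"/>
    <hostnames><hostname name="hmi-02" type="PTR"/></hostnames></host>
  <host><status state="up"/><address addr="10.10.5.40" addrtype="ipv4"/></host>
  <host><status state="down"/><address addr="10.10.5.41" addrtype="ipv4"/></host>
</nmaprun>
"""

# Constructed ESP asset list as the documentation records it: every cyber asset inside,
# critical or not (the printer is in scope too), keyed by address.
DOCUMENTED: Dict[str, Dict[str, object]] = {
    "10.10.5.1":  {"name": "esp-fw",  "role": "access point", "critical": False},
    "10.10.5.10": {"name": "hmi-01",  "role": "CCA",          "critical": True},
    "10.10.5.11": {"name": "hmi-02",  "role": "CCA",          "critical": True},
    "10.10.5.20": {"name": "printer", "role": "other asset",  "critical": False},
}

DOC_DEADLINE = timedelta(days=90)  # documentation must be updated within 90 days of a change


def live_hosts(nmap_xml: str) -> Dict[str, str]:
    """Return {ipv4: hostname-or-empty} for every host Nmap reported as up."""
    hosts: Dict[str, str] = {}
    for host in ET.fromstring(nmap_xml).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or addr is None or status.get("state") != "up":
            continue  # down hosts tell us nothing about what is cabled in
        hn = host.find("hostnames/hostname")
        hosts[addr.get("addr")] = hn.get("name") if hn is not None else ""
    return hosts


def reconcile(documented: Dict[str, Dict[str, object]], live: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the documented inventory with what discovery actually saw."""
    return {
        # Pitfall "not everything is included": a live host the documentation does not know
        "undocumented": sorted(ip for ip in live if ip not in documented),
        # Documented but silent: retired asset, wrong address, or a link not cabled as drawn
        "not_seen": sorted(ip for ip in documented if ip not in live),
    }


def overdue_changes(doc_updated: str, change_dates: List[str], today: str) -> List[str]:
    """ISO dates of changes made after the last documentation update whose 90-day window has closed."""
    updated = date.fromisoformat(doc_updated)
    now = date.fromisoformat(today)
    return [c for c in change_dates
            if date.fromisoformat(c) > updated and now - date.fromisoformat(c) > DOC_DEADLINE]


def audit_esp_documentation(today: str) -> Dict[str, List[str]]:
    """Run the reconciliation on the constructed inputs and summarise the findings."""
    findings = reconcile(DOCUMENTED, live_hosts(NMAP_XML))
    findings["overdue_changes"] = overdue_changes(
        doc_updated="2014-06-01",                       # constructed last-review date
        change_dates=["2014-07-01", "2014-11-01"],      # constructed change-log entries
        today=today,
    )
    return findings


if __name__ == "__main__":
    for finding, items in audit_esp_documentation("2014-11-27").items():
        print(f"{finding}: {items}")
```

Running it on the constructed inputs flags 10.10.5.40 as a live asset the documentation never listed, 10.10.5.20 as a documented asset discovery could not find (exactly the kind of discrepancy a physical cable inspection then resolves), and the July change as one whose 90-day window closed without a documentation update, while the November change is still inside its window. The down host is deliberately ignored: a host that does not answer is not evidence of anything, which is why the slides pair discovery with cable inspection rather than relying on either alone.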
Questions
Available until 5/31 at:
http://bit.ly/GDS-CIP005
We have a blog too:
http://cip-gds.tumblr.com/