All Posts By

Robin Berthier

Colonial Pipeline Incident: NP Statement

By Cybersecurity, Events

The cyberattack against Colonial Pipeline that was discovered on May 7 underscores the growing impact of cyberthreats on industrial sectors. While the investigation is ongoing and important lessons from this attack will be extracted in the coming weeks, the fact that Colonial Pipeline had to proactively take their OT systems offline after learning about which IT systems were impacted by the ransomware is significant. This decision has halted all pipeline operations, making this attack the most disruptive incident against US energy infrastructure to date. 

Our dependency on connected cyber systems keeps increasing and it is vital to gain and maintain accurate visibility on which communications are allowed between our IT and OT systems. Incident response teams need this visibility immediately when an attack is discovered in order to make informed decisions. Without clear situational awareness, organizations are often unable to fully understand the impact of cyberattacks on their infrastructure and may be forced to take action with significant operational and financial impact.

We recommend that every organization with industrial systems start a network architecture review today in order to understand which communication paths are allowed into their critical assets. We also recommend that incident response teams use this event to conduct a tabletop exercise evaluating the impact of IT-targeted ransomware on their OT environment, and that they update and exercise their incident response plans immediately. The network architecture review and the scenario assessment will go a long way toward making your organization cyber resilient. The team at Network Perception will continue to monitor this incident and keep you informed. Please contact us if you have questions or need support; we are here to help.


Access the Colonial Pipeline Incident Briefing Center


Could CIP-005 have prevented the SolarWinds attack?

By Cyber Resiliency, Cybersecurity

It has been four months since the SolarWinds attack was discovered and many organizations are still deep into clean-up efforts. If you have been affected by this event, excellent resources have been published to dissect the malware involved and to help with identification and remediation. We previously discussed lessons learned from the SolarWinds compromise to emphasize the importance of maintaining continuous visibility over networks and of ensuring a clear separation of duties between monitoring and control solutions. In this article, we explore the role of network segmentation through the lens of CIP-005 and the concept of the Electronic Security Perimeter (ESP).

Best Practices from the Electric Industry

In the world of industrial control systems (ICS), priorities are different compared to a traditional corporate environment. Indeed, an IT server shutting down unexpectedly may frustrate users and cause financial damage, but an Operational Technology (OT) server shutting down unexpectedly may impact industrial equipment and possibly injure people. As a result, safety and reliability are top priorities for ICS and this is why the adoption of a strict risk assessment and compliance framework is paramount in the OT space.

To that end, the NERC CIP standards have significantly impacted the way electric utilities in North America are deploying and configuring the firewalls protecting their critical cyber assets. This is particularly important in the context of the SolarWinds attack since understanding trusted communication paths and data flows can directly help mitigate and prevent not only current but also future cyber attacks. It could even be said that better network segmentation could have prevented the breach of the SolarWinds build environment in the first place. To quote from Tom Alrich’s article:

The software build environment would need to be protected in a similar fashion to how the Electronic Security Perimeter (ESP) is required to be protected by the NERC CIP standards – in other words, there should be no direct connection to the internet, and any connection to the IT network should be carefully circumscribed through measures like those required by CIP-005.

At Network Perception, we know CIP-005 quite well since we have designed NP-View and NP-Live with the specific goal of helping the NERC industry implement and control CIP-005 requirements. Following up on Tom's suggestion, the section below provides practical guidance on how CIP-005 could be leveraged by any organization that has critical systems to protect, whether they reside in the IT or the OT space.

Hardening Network Segmentation with CIP-005

NERC CIP spans multiple reliability standards, ranging from categorizing critical cyber assets (CIP-002) to personnel and training (CIP-004), as well as incident reporting (CIP-008) and configuration change management (CIP-010). The standard that is explored in this article is CIP-005: Electronic Security Perimeter. Before listing the requirements, it is important to understand the terminology which is provided in the NERC Glossary. Here is the summarized version:

  • The Bulk Electric System (BES) is defined to identify the most critical systems to protect. In the electric industry, the BES covers transmission elements operated at 100 kV or higher. The concept of BES could be translated to other industries, for instance to the systems storing and transmitting cardholder data in the payment industry.
  • A Cyber Asset (CA) is a programmable electronic device, which includes computers, servers, and connected equipment.
  • A BES Cyber Asset (BCA) is a Cyber Asset that, if rendered unavailable, degraded, or misused, would adversely impact the BES within 15 minutes. This definition is important because it allows us to separate mission-critical systems from the rest.
  • An Electronic Security Perimeter (ESP) is the logical border surrounding a network to which BCAs are connected.
  • An Electronic Access Control or Monitoring System (EACMS) is a Cyber Asset that performs access control or monitoring, such as a firewall or an intrusion prevention system.
  • An Electronic Access Point (EAP) is a Cyber Asset interface on an ESP that allows routable communication, for example a network interface on a firewall.
  • A Protected Cyber Asset (PCA) is a Cyber Asset inside the ESP that is not a BCA.
  • Interactive Remote Access (IRA) is user-initiated remote network access that uses a routable protocol. Identifying IRA lets us separate trusted user-driven communication paths from non-interactive system-to-system communications.
  • An Intermediate System (IS) is a Cyber Asset performing access control to restrict IRA to authorized users. Typically, an IS is a jump host on which a user has to authenticate before accessing a critical resource.

The diagram below illustrates a network with ten nodes, three of which are BCAs (the crown jewels); all communications to the BCAs have to go through a firewall (the EACMS). An ESP has been defined around the BCAs and also includes a non-critical node (the PCA). Since the PCA resides in the same broadcast domain as the BCAs, it has to be protected at the same criticality level. Finally, an IS (jump host) enables users to connect to the ESP through an interactive session (for instance, SSH or Remote Desktop).


Now that we understand the CIP-005 terminology, we can list the five requirement parts most relevant to network segmentation that electric utilities with medium and high impact BES Cyber Systems have to comply with (the standard also covers dial-up connectivity, detection of malicious communications, and multi-factor authentication for IRA sessions):

  • CIP-005 R1.1: All applicable Cyber Assets connected to a network via a routable protocol shall reside within a defined ESP
  • CIP-005 R1.2: All External Routable Connectivity must be through an identified Electronic Access Point (EAP)
  • CIP-005 R1.3: Require inbound and outbound access permissions, including the reason for granting access, and deny all other access by default
  • CIP-005 R2.1: Utilize an Intermediate System such that the Cyber Asset initiating Interactive Remote Access does not directly access an applicable Cyber Asset
  • CIP-005 R2.2: Interactive Remote Access sessions must be encrypted to the Intermediate System to protect the confidentiality and integrity of the communications

In summary, utilities have to (1) identify their critical systems and the networks in which they are connected, (2) protect those networks with firewalls, (3) ensure that firewall access rules are justified and follow a principle of least privilege, (4) ensure that interactive remote connections go through a well-identified jump host, and (5) ensure that those interactive remote connections are encrypted outside of the critical networks. This means that critical systems should be in a separate network zone and not have direct access to the corporate network and the Internet.

Coming back to the SolarWinds attack and the software vendor industry at large, here is how the CIP-005 requirements could be adopted to better protect the digital supply chain:

  • Step 1: We should start by translating the concept of the Bulk Electric System (BES) to the software industry. We are suggesting the Critical Build Environment (CBE) that would cover all systems used to compile, package, and deploy a software application for production.
  • Step 2: We then identify the Critical Cyber Assets (CCA): the cyber assets that are either part of the CBE or can connect directly to it.
  • Step 3: We define an ESP to segment the CCA in a clearly-defined network zone and ensure that there are firewalls to control inbound and outbound connections to the ESP. The access lists should prevent CCA from being directly accessible externally, especially from assets in the corporate network and the Internet.
  • Step 4: We deploy jump hosts to allow engineers and devops to access CCA through interactive remote sessions and we ensure that multi-factor authentication as well as encryption are correctly configured. 
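To make the four steps concrete, here is an added example (not NP-View or NP-Live code, and not from the original article) that audits a small firewall ruleset against the principles summarized above: a justification on every permit crossing the ESP (R1.3), an explicit deny-all at the end, no inbound-from-anywhere or direct Internet egress across the ESP (R1.2), and interactive protocols into the ESP only from an Intermediate System (R2.1). The ESP range, the jump host address, the rule names and the ruleset are constructed for illustration, and the list of interactive ports is an assumption.

```python
"""Audit a firewall ruleset against the CIP-005 principles summarized above.

Added example, not Network Perception code. ESP, jump host, rule names and
rules are constructed; the ESP here surrounds a hypothetical Critical Build
Environment (CBE).
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional

ANY = ip_network("0.0.0.0/0")
IRA_PORTS = {22, 23, 3389, 5900}  # assumed interactive protocols: ssh, telnet, rdp, vnc


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "permit" or "deny"
    src: str                     # CIDR; "0.0.0.0/0" means any
    dst: str
    dport: Optional[int] = None  # None means any port
    justification: str = ""      # CIP-005 R1.3: reason for granting access


def _net(cidr: str) -> IPv4Network:
    return ip_network(cidr, strict=False)


def audit(rules: List[Rule], esp: str, intermediate_systems: List[str]) -> List[str]:
    """Return one finding per principle that a permit rule crossing the ESP violates."""
    esp_net = _net(esp)
    is_nets = [_net(c) for c in intermediate_systems]
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        src, dst = _net(r.src), _net(r.dst)
        # Over-approximate: any overlap with the ESP counts as crossing its border.
        inbound = dst.overlaps(esp_net) and not src.subnet_of(esp_net)
        outbound = src.overlaps(esp_net) and not dst.subnet_of(esp_net)
        if not (inbound or outbound):
            continue  # rule never crosses the ESP boundary
        if not r.justification.strip():
            findings.append(f"{r.name}: R1.3 permit across the ESP has no justification")
        if inbound and src == ANY:
            findings.append(f"{r.name}: R1.2 inbound to the ESP from any source")
        if outbound and dst == ANY:
            findings.append(f"{r.name}: ESP hosts have direct outbound Internet access")
        if inbound and (r.dport is None or r.dport in IRA_PORTS):
            if not any(src.subnet_of(n) for n in is_nets):
                findings.append(f"{r.name}: R2.1 interactive access into the ESP bypasses the Intermediate System")
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or _net(last.src) != ANY or _net(last.dst) != ANY:
        findings.append("ruleset: R1.3 no explicit deny-all at the end (deny by default)")
    return findings


# Constructed zones and ruleset: the CBE is 10.50.0.0/24, the MFA jump host is 10.20.0.5
ESP = "10.50.0.0/24"
INTERMEDIATE_SYSTEMS = ["10.20.0.5/32"]
RULES = [
    Rule("build-ira", "permit", "10.20.0.5/32", "10.50.0.0/24", 22, "Engineer SSH via jump host"),
    Rule("corp-rdp", "permit", "10.0.0.0/8", "10.50.0.0/24", 3389),
    Rule("build-egress", "permit", "10.50.0.0/24", "0.0.0.0/0", 443, "Dependency downloads"),
    Rule("artifact-push", "permit", "10.50.0.10/32", "10.60.0.7/32", 8443, "Push to internal registry"),
    Rule("default", "deny", "0.0.0.0/0", "0.0.0.0/0"),
]

if __name__ == "__main__":
    for finding in audit(RULES, ESP, INTERMEDIATE_SYSTEMS):
        print(finding)
```

Running it yields three findings for the constructed ruleset: the corporate RDP rule lacks a justification and bypasses the jump host, and the build network has direct outbound Internet access. A real configuration parser would feed the same Rule objects from the device's access lists; the checks are deliberately over-approximate (any overlap with the ESP is treated as crossing it) because a missed exposure costs more than a false positive that an analyst dismisses.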

There is, of course, a cost to implementing this framework, but it pales in comparison to the impact of a sophisticated supply chain attack such as the one that targeted SolarWinds. This is work-in-progress and we invite you to start a conversation with your team. If you have questions or would like to make suggestions on how this framework could be applied to different industries, please drop us a note at info@network-perception.com.

Accelerate Incident Response with Next-generation Network Access Visualization

By Cybersecurity

“If you really want to protect your network, you really have to know your network”

The advice stated by Rob Joyce (former Chief of Tailored Access Operation at the NSA) in his presentation during the USENIX Enigma conference is gaining further importance in light of the recent SolarWinds attack. For incident response teams who had to investigate the breach inside their environment, a lack of detailed knowledge on networks and connected assets turned their investigation into month-long efforts filled with frustration. The issue of network visibility and clear understanding of network access is affecting most organizations. Two of the top three service engagement findings published in the Dragos 2020 ICS Cybersecurity Year in Review last week are:

  • 90% of service engagements included a finding around lack of visibility across OT networks
  • 88% of service engagements included a finding about improper network segmentation

The core challenge behind these findings comes from the growing complexity of network configurations. A typical firewall configuration includes thousands of statements defining interface settings, access-control lists, and object groups, among other categories. Like programs, network device configurations have bugs that can lead to unexpected consequences, such as enforcing network segmentation only partially instead of fully.

Read-only Network Visualization Solutions to the Rescue

The speed at which incident response teams can answer key questions during an attack is crucial to preventing a catastrophic failure. For instance, they may need to know which ports and services on the control network are reachable from a jump host connected to the corporate network. In addition, they need to answer this type of question without relying on network management toolsets that can write to the network, since those tools may themselves be part of the problem (case in point: the SolarWinds Orion application). For these reasons, incident response teams need their own highly usable solutions that run outside of the network fabric, either offline or through an indirect, read-only connection.

This is an approach that we know well, since we have spent the last few years training network engineers and cybersecurity analysts to leverage NP-View and NP-Live in order to gain a clear understanding of their networks. The workflow consists of rapidly building a topology map from network device configuration files, which then serves as a foundation for efficient communication among different teams. The map needs to be extremely easy to navigate and understand for both technical and non-technical users. Similar to a heads-up display (HUD) in an aircraft, complex network constructs need to be presented at the correct level of abstraction in order to convey enough detail without being overwhelming. A key feature for achieving this objective is the ability to generate a stepping-stone access map.

Breakthrough Insights with Stepping-stone Access Maps

A stepping-stone access map combines end-to-end connections inferred with a path analysis into multi-hop connections. Each hop, or stepping stone, could be used by an attacker to move laterally. For example, a vulnerable web server that is accessible in a DMZ could be exploited and used as a stepping stone to penetrate further into a protected network. In the example below, a vulnerable data historian was selected at the bottom of the map (highlighted with dark circles) and NP-Live analyzed access rules and routes in all the firewalls (red-brick icons) in order to highlight:

  • Nodes that can be directly accessed from the data historian (in red)
  • Nodes that can be indirectly accessed from the data historian (in orange)

An indirect access means that coming from the data historian, an attacker would have to compromise a red node before being able to access an orange node. This type of visualization provides important insights to understand how defense-in-depth is implemented and whether access policy gaps exist. Moreover, it helps everyone to understand critical asset exposure without having to become a firewall or a network expert. For incident response teams, this means precious minutes saved getting to the information they need to take action and also explaining the situation to their colleagues and their leadership.
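As an added example (not NP-Live's own analysis), the following script computes the same red/orange classification for a constructed inventory and a constructed set of firewall permit rules: a breadth-first search over the rules, where a host reached by one rule match from the selected host is a direct (red) node and a host reached only through another host is an indirect (orange) node. Hostnames, addresses and rules are constructed, and the model assumes every host pair is firewall-mediated, so reachability is decided purely by the permits.

```python
"""Stepping-stone access map: which hosts a selected host can reach directly
(one permit rule away) or indirectly (only by first compromising another host).

Added example, not NP-Live code. Inventory and permit rules are constructed,
and every host pair is assumed to be firewall-mediated, so reachability is
decided purely by the permit rules.
"""
from collections import deque
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

HOSTS: Dict[str, str] = {  # constructed inventory: hostname -> IP address
    "historian": "10.30.0.20",
    "ems-server": "10.31.0.10",
    "dmz-web": "10.10.0.5",
    "jumphost": "10.20.0.5",
    "scada-hmi": "10.40.0.11",
    "plc-gateway": "10.40.0.50",
    "corp-ws": "10.0.5.77",
}

PERMITS: List[Tuple[str, str, int]] = [  # (src CIDR, dst CIDR, dport), as parsed from the firewalls
    ("10.30.0.0/24", "10.10.0.0/24", 443),     # OT servers may reach the DMZ web tier
    ("10.30.0.20/32", "10.31.0.10/32", 1433),  # historian queries the EMS database
    ("10.10.0.0/24", "10.20.0.5/32", 22),      # DMZ may SSH to the jump host
    ("10.20.0.5/32", "10.40.0.0/24", 22),      # jump host IRA into the ESP
    ("10.31.0.10/32", "10.40.0.11/32", 3389),  # EMS server RDP to the HMI
    ("10.0.0.0/16", "10.20.0.5/32", 22),       # corporate users to the jump host
]

Path = List[Tuple[str, Optional[int]]]  # (host, destination port used to reach it)


def stepping_stones(start: str, hosts: Dict[str, str],
                    permits: List[Tuple[str, str, int]]) -> Tuple[Set[str], Set[str], Dict[str, Path]]:
    """Breadth-first search over the permit rules starting from `start`.

    Returns (direct, indirect, paths): direct hosts are one rule match away
    (red nodes), indirect hosts need at least one stepping stone (orange
    nodes), and paths holds the shortest path found to every reachable host.
    """
    ips = {name: ip_address(addr) for name, addr in hosts.items()}
    rules = [(ip_network(s), ip_network(d), port) for s, d, port in permits]
    paths: Dict[str, Path] = {start: [(start, None)]}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst, port in rules:
            if ips[cur] not in src:
                continue
            for name, ip in ips.items():
                if name in paths or ip not in dst:
                    continue  # already reached (BFS keeps the shortest path) or not matched
                paths[name] = paths[cur] + [(name, port)]
                queue.append(name)
    direct = {n for n, p in paths.items() if len(p) == 2}
    indirect = {n for n, p in paths.items() if len(p) > 2}
    return direct, indirect, paths


if __name__ == "__main__":
    direct, indirect, paths = stepping_stones("historian", HOSTS, PERMITS)
    print("direct (red):     ", sorted(direct))
    print("indirect (orange):", sorted(indirect))
    for name in sorted(indirect):
        print("  ", " -> ".join(f"{h}:{p}" if p else h for h, p in paths[name]))
```

For the constructed historian, the DMZ web server and the EMS server are direct, while the jump host, the HMI and the PLC gateway are only reachable through them; the corporate workstation is never a destination of any rule and stays unreachable. Printing the path to each orange node shows exactly which red node an attacker would have to compromise first, which is the policy gap the map is meant to expose.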


Stepping-stone access map generated by NP-Live to visualize which nodes are directly and indirectly accessible from a vulnerable host


Network Perception: January 2021 Release

By New Product Release

Product Release: 

The team at Network Perception is proud to launch NP-View (version 6.2.4) and NP-Live (version 2.1). The new versions include several key improvements and fixes, including:

  • An improved notification system in NP-Live
  • The ability to easily share, transfer, and export workspaces in NP-Live
  • Enhanced risk alerts and summary reports in NP-Live

Sign in to the Portal to download NP-View 6.2.4 or NP-Live 2.1 today.

Support & Training Resources

If you ever have a technical question, please reach out to us at support@network-perception.com or call us at 872-245-4102. Our software is built to be easily supported, and we are always happy to help.

NP-View II

The 2nd generation of NP-View removes the dependency on Java and introduces a more intuitive and elegant user interface that is based on HTML5. 

NP-View II went through extensive internal testing to ensure robustness and ease-of-use. We are currently soliciting a limited number of customers to preview NP-View II.

If you are interested, please contact us, at productpreview@network-perception.com

Don't miss the next article by subscribing to the NP newsletter

Introduction to NERC CIP Vulnerability Assessment

By Cyber Resiliency, NERC CIP

Compliance with cybersecurity standards such as NERC CIP can become an opportunity for organizations to establish standardized processes and gain efficiency. In the electric industry, this opportunity means building a culture of risk assessment and mitigation across all the parties involved with managing, regulating, and overseeing the grid, with the goal of maintaining a more secure and reliable grid in the process. CIP-010 Requirement R3 stipulates that a vulnerability assessment be performed at least once every 15 calendar months and that an active vulnerability assessment be performed at least once every 36 calendar months; this article refers to them as the Paper Vulnerability Assessment (PVA) and the Active Vulnerability Assessment (AVA).

Vulnerability Assessment Requirements

Per CIP-010 Requirement R3, two types of vulnerability assessment are identified: a Paper Vulnerability Assessment (PVA), required at least once every 15 calendar months (Part 3.1, which also accepts an active assessment), and an Active Vulnerability Assessment (AVA), required at least once every 36 calendar months (Part 3.2). For each assessment type, the Guidelines and Technical Basis (G&TB) strongly encourage entities to include at least the following elements, taken from NIST SP 800-115, and to review that NIST technical guide for approaches and methods to execute each:

  • Network Discovery
  • Network Port and Service Identification
  • Vulnerability Review/Scanning
  • Wireless Review/Scanning

Active Vulnerability Assessments vs. Paper Vulnerability Assessments

Per the G&TB in CIP-010, the following are strongly encouraged tasks for a PVA and an AVA, as well as the associated CIP-005, CIP-007, and CIP-010 Requirements and Parts for which they may provide detective controls:

Paper Vulnerability Assessment Tasks

Network Discovery
  Description: A review of network connectivity to identify all Electronic Access Points.
  Requirement Parts: CIP-005 R1 Part 1.2

Network Port and Service Identification
  Description: A review to verify that all enabled ports and services have an appropriate business justification.
  Requirement Parts: CIP-007 R1 Part 1.1

Vulnerability Review
  Description: A review of security rule-sets and configurations, including controls for default accounts, passwords, and network management community strings.
  Requirement Parts: CIP-005 R1 Part 1.3; CIP-007 R5 Parts 5.4 – 5.7

Wireless Review
  Description: Identification of common types of wireless networks and a review of their controls if they are in any way used for BCS communications.
  Requirement Parts: CIP-005 R1 Part 1.1

Active Vulnerability Assessment Tasks

Network Discovery
  Description: Use of active discovery tools to discover active devices and identify communication paths.
  Requirement Parts: CIP-005 R1 Parts 1.1 – 1.2

Network Port and Service Identification
  Description: Use of active discovery tools to discover open ports and services.
  Requirement Parts: CIP-007 R1 Part 1.1; CIP-010 R1 Parts 1.1.2 – 1.1.4

Vulnerability Scanning
  Description: Use of a vulnerability scanning tool to identify known vulnerabilities associated with services running on open ports.
  Requirement Parts: CIP-007 R2 Part 2.3; CIP-007 R5 Parts 5.2, 5.4 – 5.7

Wireless Scanning
  Description: Use of a wireless scanning tool to discover wireless signals and networks in the physical perimeter of a BCS.
  Requirement Parts: CIP-005 R1 Part 1.1

While both PVA and AVA tasks serve as detective controls for the requirements above, the controls provided by AVA tasks are more effective. At a high level, the review of evidence in PVA tasks only identifies issues with how that evidence was documented or maintained. AVA tasks, however, collect fresh (updated) evidence that is then reviewed and analyzed, so they can identify not only those documentation issues but also problems in the processes followed to meet the respective compliance obligations. As an example, the review of network port and service evidence in a PVA assumes that the port and service list is accurate and only looks for missing or insufficient business justifications. In an AVA, the network port and service assessment adds the compilation of a fresh port and service list to compare against the existing evidence. This comparison can shine a light on flaws in the method used when the list of ports and services was initially collected, on how dynamic port ranges associated with services were determined, or on unaccounted-for software that was installed and enabled a previously undocumented port.

As described above, executing PVAs and AVAs matters far more to an entity's CIP compliance program than simply satisfying CIP-010 Requirement R3 Parts 3.1 and 3.2. Automating PVA and AVA tasks not only improves the efficiency with which they can be executed, it also eliminates opportunities for human error. Thus, an automated solution such as NP-View can play an important role in helping entities automate a number of the tasks above. NP-View is also used by NERC regional auditors to validate evidence during audits.
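As an added example (not from the white paper and not NP-View code), here is the ports-and-services comparison just described, run over constructed CIP-007 R1.1 evidence and a constructed active-scan result. The paper review flags documented ports that carry no business justification; the active review compares fresh scan output against the evidence, treating a documented dynamic range (e.g. tcp/49152-49200) as covering any port inside it, and reports both undocumented open ports and documented ports that are no longer observed. Hostnames, ports and justifications are constructed.

```python
"""Compare CIP-007 R1.1 ports-and-services evidence (what a PVA reviews) with
a fresh port list from an active scan (what an AVA adds).

Added example, not NP-View code. Evidence and scan results are constructed.
"""
from typing import Dict, List, Tuple

# Constructed evidence: host -> {"proto/port" or "proto/lo-hi" -> business justification}
EVIDENCE: Dict[str, Dict[str, str]] = {
    "ems-db": {
        "tcp/1433": "SQL Server used by the historian",
        "tcp/3389": "",  # documented, but nobody recorded why it is enabled
        "tcp/49152-49200": "RPC dynamic range for Windows services",
    },
    "hmi-01": {
        "tcp/3389": "Operator remote desktop via the Intermediate System",
        "udp/161": "SNMP polling from the monitoring server",
        "tcp/22": "Legacy SSH management",
    },
}

# Constructed active-scan output: (host, proto, port) found listening today
SCAN: List[Tuple[str, str, int]] = [
    ("ems-db", "tcp", 1433), ("ems-db", "tcp", 3389),
    ("ems-db", "tcp", 49160), ("ems-db", "tcp", 8080),
    ("hmi-01", "tcp", 3389), ("hmi-01", "udp", 161), ("hmi-01", "tcp", 5900),
]


def parse_spec(spec: str) -> Tuple[str, int, int]:
    """'tcp/3389' -> ('tcp', 3389, 3389); 'tcp/49152-49200' -> ('tcp', 49152, 49200)."""
    proto, ports = spec.lower().split("/")
    lo, _, hi = ports.partition("-")
    return proto, int(lo), int(hi or lo)


def paper_review(evidence: Dict[str, Dict[str, str]]) -> List[str]:
    """PVA: trust the documented list, flag entries with no business justification."""
    return sorted(f"{host} {spec}"
                  for host, specs in evidence.items()
                  for spec, why in specs.items() if not why.strip())


def active_review(evidence: Dict[str, Dict[str, str]],
                  scan: List[Tuple[str, str, int]]) -> Tuple[List[str], List[str]]:
    """AVA: compare fresh scan results against the evidence.

    Returns (undocumented open ports, documented ports no longer observed).
    """
    observed = set()  # (host, spec) pairs confirmed by the scan
    undocumented = []
    for host, proto, port in scan:
        match = None
        for spec in evidence.get(host, {}):
            p, lo, hi = parse_spec(spec)
            if p == proto and lo <= port <= hi:  # exact port or inside a documented range
                match = spec
                break
        if match is None:
            undocumented.append(f"{host} {proto}/{port}")
        else:
            observed.add((host, match))
    stale = [f"{host} {spec}"
             for host, specs in evidence.items()
             for spec in specs if (host, spec) not in observed]
    return sorted(undocumented), sorted(stale)


if __name__ == "__main__":
    print("PVA, missing justification:", paper_review(EVIDENCE))
    undocumented, stale = active_review(EVIDENCE, SCAN)
    print("AVA, undocumented open ports:", undocumented)
    print("AVA, documented but not observed:", stale)
```

The paper review alone only finds the missing justification for tcp/3389 on ems-db; the active review additionally surfaces two listeners nobody documented (tcp/8080 on ems-db and VNC on hmi-01) and one stale entry (tcp/22 on hmi-01), which is exactly the class of process and installation issue the paragraph above describes. In practice the scan list would come from the scanner's export and the evidence from the entity's R1.1 records, with the same comparison logic.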

Reviewing network path originating from or terminating at the ESP to verify interactive remote access

Preparation

In either a PVA or AVA, one key factor for success is a detailed VA plan, which should include:

  • Roles and responsibilities
  • Preparation, including:
    • Personal protective equipment requirements,
    • Site access requests,
    • System access requests,
    • Change request tickets, and
    • VA data storage location.
  • Data collection
  • Onsite activities
  • Data analysis

Another key success factor is engagement of the entity's subject matter experts (SMEs) in the VA process. Regardless of how well versed the VA team members are in the VA process, inaccurate or incomplete data collected from the Cyber Assets guarantees an unsuccessful VA. Additionally, SMEs typically provide the VA team with a more detailed view of the networks than can be gathered from network diagrams alone.

Requirements

At a minimum, the needed data inputs for conducting a NERC CIP Vulnerability Assessment include:

  • NERC CIP Cyber Asset Inventory lists, including:
    • Unique identifier, such as hostname,
    • IP addresses and subnet mask, and
    • Electronic Security Perimeter (ESP).
  • List of Intermediate Systems,
  • List of ESP networks with included network subnets and their respective Electronic Access Points (EAPs),
  • CIP-007 R1 Part 1.1 ports and services justification evidence,
  • CIP-007 R5 Parts 5.4 – 5.7 password controls evidence, and
  • Configuration files in a format readable by NP-View.

NP-View uses device configuration files from firewalls, routers, and switches to create a network diagram that allows compliance auditors and other users to understand objects, routes, permissions, and policies in a user readable format. To input the device files in the correct format, follow the instructions on the NP Knowledge Base. If a particular hardware/software platform is not supported, please contact support@network-perception.com to start the implementation of a new configuration parser.

Next Steps

Having a thorough, efficient, and repeatable methodology for vulnerability assessments lays the groundwork for successful execution. Executing that methodology with personnel who have both expertise in the NERC CIP Reliability Standards and experience conducting vulnerability assessments with automated tools is crucial to that success. NP-View allows those executing vulnerability assessments to complete a number of the tasks more efficiently while minimizing the risk of human error during the more tedious ones. The time-saving and completeness aspects are critical as network environments become more complex and resources remain limited.

This introduction is part of the Better, Faster NERC CIP Vulnerability Assessments Using NP-View white paper, which includes additional information and step-by-step instructions on how to best leverage NP-View during your cyber vulnerability assessment (CVA). For any questions or feedback, please feel free to contact the Network Perception team or the Network & Security Technologies (N&ST) team who co-wrote the white paper.


NERC CIP Compliance Best Practices

5 Best Practices for NERC CIP Compliance

By NERC Compliance, Uncategorized

Compliance teams in charge of verifying network configurations are meeting the dual challenge of highly technical and dynamic environments. On one hand, networks are becoming larger and more complex. On the other hand, organizations are continuously evolving their technology, use cases, and personnel. As a result, disruptions can impact the ability of compliance teams to ensure that their regulatory framework is properly followed. In this post, we are providing 5 of the top best practices we gathered over the past few years as we developed solutions for cybersecurity and network compliance teams.

5 Best Practices to Achieve NERC CIP Compliance


1. Ensure that network device configuration files are backed-up and versioned

One of the key building blocks of a network compliance program is the ability to go back in time and understand precisely how firewalls, routers, and switches have been configured and modified. This means setting up a backup system to keep a copy of network device configuration files at least once a day. It also requires defining file storage and data retention policy to organize and timestamp every configuration version for at least a year. An efficient backup system will enable compliance analysts to search and retrieve records when preparing for an audit.

2. Verify that network topology diagrams and asset categorizations are up-to-date

We cannot protect what we do not know, and accurate knowledge about an organization's network starts with a complete asset inventory. Once the inventory has been created, a process should be put in place to update it periodically. This also applies to the network topology diagram, which should clearly indicate where critical equipment is located and how networks are segmented into different access zones. A network map is crucial to giving the compliance team the same clear understanding of configurations that the security and networking teams have, so that all three can work together efficiently.

3. Build baseline access policies that include rule justifications

Many organizations have a process to add new rules to firewalls, but they lack an efficient process to remove them. As a result, rulesets become bloated after a few years and nobody dares to clean up old rules for fear of breaking something. The solution is for the compliance team to define baseline access policies that correctly implement internal controls and respect regulatory requirements. This way, network engineers have a reference to use when evaluating changes and compliance teams can easily check for deviations from the baseline. It is also important to include rule justification directly in the baseline record so one can understand the business reasons for specific accesses.

4. Monitor baseline changes over time

Once baselines have been defined, a process should be put in place to continuously or at least periodically monitor changes. It is recommended that compliance teams use a system that is independent of the IT change management process in order to verify changes externally. Our advice is to leverage read-only configuration monitoring solutions that compliance analysts can easily use without having to add to the workload of the IT and networking team.
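Added example for practices 3 and 4 (not NP-View or NP-Live code): a baseline of justified rules kept by the compliance team is compared with a ruleset exported from the device, and every rule present on the device but absent from the baseline, or vice versa, is reported as a deviation. Rules are normalized before comparison so that cosmetic differences (letter case, `any` versus 0.0.0.0/0) do not show up as changes. The simplified one-line rule syntax, the addresses and the justifications are constructed.

```python
"""Report deviations between a justified baseline and the current ruleset.

Added example, not NP-View/NP-Live code. Rule syntax is a simplified
'action src dst proto/port' line; baseline, export and justifications are
constructed.
"""
from typing import Dict, List, Tuple

ALIASES = {"any": "0.0.0.0/0"}  # vendor shorthand seen in exports (assumed)

# Baseline owned by the compliance team: normalized rule -> business justification
BASELINE: Dict[str, str] = {
    "permit 10.20.0.5/32 10.40.0.0/24 tcp/22": "Engineer IRA through the jump host",
    "permit 10.31.0.10/32 10.40.0.11/32 tcp/3389": "EMS operator console to the HMI",
    "permit 10.40.0.0/24 10.35.0.9/32 udp/123": "NTP from the ESP to the OT time source",
    "deny any any ip/any": "Default deny (CIP-005 R1.3)",
}

# Constructed export of the device's ruleset as it stands today
CURRENT_EXPORT = """
permit 10.20.0.5/32 10.40.0.0/24 TCP/22
permit 10.31.0.10/32 10.40.0.11/32 tcp/3389
permit 10.0.0.0/8 10.40.0.0/24 tcp/445
deny 0.0.0.0/0 0.0.0.0/0 ip/any
"""


def normalize(line: str) -> str:
    """Canonical form so that case and address aliases do not count as changes."""
    action, src, dst, svc = line.split()
    src = ALIASES.get(src.lower(), src)
    dst = ALIASES.get(dst.lower(), dst)
    return f"{action.lower()} {src} {dst} {svc.lower()}"


def diff_against_baseline(baseline: Dict[str, str],
                          current_text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (rules added on the device, baseline rules missing from the device).

    Removed rules are returned with their recorded justification so the reviewer
    sees what business need is no longer served.
    """
    base = {normalize(rule): why for rule, why in baseline.items()}
    current = {normalize(l) for l in current_text.splitlines() if l.strip()}
    added = sorted(current - set(base))
    removed = sorted((rule, base[rule]) for rule in set(base) - current)
    return added, removed


if __name__ == "__main__":
    added, removed = diff_against_baseline(BASELINE, CURRENT_EXPORT)
    for rule in added:
        print("DEVIATION, rule not in baseline:", rule)
    for rule, why in removed:
        print("DEVIATION, baseline rule missing:", rule, "(was:", why + ")")
```

On the constructed data the SMB permit from the whole corporate range into the ESP is reported as an unjustified addition, and the NTP rule is reported as missing along with its justification; the two rules that differ from the baseline only in case or in the spelling of "any" are correctly treated as unchanged. Feeding the export from a read-only configuration backup into this comparison on a schedule is the external check practice 4 calls for.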

5. Track progress towards cyber resiliency

Finally, compliance teams should support the goal of their organization to become cyber resilient. This means gaining the ability to recover from and adjust rapidly to cyber risks. In practice, once a compliance framework has been established, the compliance team should organize periodic meetings with other stakeholders to review progress towards implementing resiliency techniques and to ensure everyone remains aligned.


What is Cyber Resiliency, and why is it important?

By Cyber Resiliency
TL;DR: Cyber Resiliency for Utilities
  • Increasing pressure from cyber risks is a top challenge for organizations
  • The key to succeed in an adversarial environment is to become cyber resilient

The State of Cyber Security in 2021

Our dependence on cyber systems is increasing every day and the frequency, severity, and sophistication of cyber attacks have been rising along with it. The size and complexity of networks have also grown exponentially, continuously exposing organizations to larger attack surfaces. As a result, companies are investing in cyber security solutions to keep the latest malware out of their infrastructure. As shown by the recent SolarWinds breach, cyber security monitoring solutions themselves can become an attack vector and, as the roughly 18,000 affected customers experienced, cleaning up after the breach is an extremely stressful endeavor.

What Is Cyber Resiliency

Eliminating all cyber threats is a futile goal, since organizations will continue to depend on cyber systems and attackers will keep targeting them. Overcoming this arms race requires investing in cyber resiliency: the ability to recover from, and adjust rapidly to, cyber risks. Just as the immune system has developed protection, detection, and evolution capabilities over hundreds of thousands of generations to keep organisms alive despite constant assault from viruses and diseases, organizations have to embrace the principles of cyber resiliency to keep operating despite cyber threats.

The National Institute of Standards and Technology (NIST) published the Special Publication 800-160 Volume 2 to present objectives, approaches, and techniques surrounding the development of cyber resilient systems. In particular, the following diagram represents the relationship among cyber resiliency constructs: 

Cyber Resilience

How to Achieve Cyber Resilience

With the intention of creating a cyber resilient organization, here are the first steps to take:

  1. Define a risk management strategy that will identify acceptable and unacceptable risks along with the resources allocated to mitigate them at the organizational, business process, and system levels. 
  2. Prioritize goals and objectives according to the specifics of the organization, then implement them through a set of techniques such as analytic monitoring, non-persistence, and privilege restriction.

The first objective of cyber resiliency is to understand. It is defined in the NIST publication as maintaining useful representations of mission and business dependencies and the status of resources with respect to possible adversity. Indeed, we cannot protect what we do not know and in the domain of information systems and networks, it is paramount for an organization to gain and maintain accurate visibility on their infrastructure: which assets are installed, how those assets are configured, and how access policies are effectively segmenting networks into distinct zones. It is also vital for first responders to not only maintain situational awareness but also to reduce the time between receipt of threat intelligence and determination of its relevance in order to adapt rapidly to adversarial conditions.

Helping You Build a Culture of Resilience

In this blog post series, we will present cyber resiliency techniques that can be applied to networks and access policies. Our goal is to provide practical advice so that:

1) security teams can adopt key techniques to build cyber resilience over time,

2) compliance teams can assess and track progress to help guide their organizations, and

3) the utility industry can better understand the importance of becoming cyber resilient and how to build a more cyber resilient organization.

 

Don't miss the next article by subscribing to the NP newsletter

 

 

Cyber Resilience for Utilities

Lessons Learned From the SolarWinds Compromise

By Cybersecurity

What Happened:

The world of cybersecurity was shaken on Dec. 13 when news broke about the compromise of multiple federal agencies including the Centers for Disease Control and Prevention, the State Department, the Department of Homeland Security, and parts of the Pentagon, along with the majority of Fortune 500 companies. 

Investigation revealed a sophisticated supply chain attack against the SolarWinds Orion software, a popular IT monitoring and management platform used by tens of thousands of organizations all over the world. About 18,000 customers downloaded the tainted versions of the Orion platform that were released between March 2020 and June 2020.

Once those releases were installed, the malware activated and hid in network traffic by imitating Orion’s native protocol, the Orion Improvement Program (OIP), allowing it to obscure its activity. Upon discovery, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive urging all federal civilian agencies to immediately disconnect or power down instances of the Orion software.

The Impact:

The impact on electric utilities is not yet known but there is high probability that some of the compromised organizations belong to the energy sector. Cybersecurity response teams have been working around the clock to identify whether they installed the compromised updates and which areas of their systems and networks could be affected. 

NERC and the E-ISAC have actively engaged with industry partners to help address the situation. Dealing with supply chain vulnerabilities has been on the forefront for NERC with the introduction of the CIP-013 standard that became effective on Oct. 1, 2020. This standard requires electric utilities to develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations.

What We’ve Learned to Date:

This unprecedented cyberattack will have significant impact on the way organizations handle supply chain, system and network accesses, as well as incident response. We can already extract three important highlights:

  1. It is paramount for an organization to gain and maintain accurate visibility on their networks: which assets are installed, how those assets are configured, and how access policies are effectively segmenting networks into distinct zones. This visibility should extend to vendors that are directly connected to bulk electric system equipment.
  2. Organizations must follow a strict separation of duties and responsibilities with respect to IT and OT management and monitoring platforms. Having a single solution to both modify network rulesets and monitor architecture leads to single points of failure.
  3. While the electric industry has been prepared for the possibility of supply chain attacks through recent regulations enforced by NERC, the magnitude of this incident shows that vendors and security teams alone cannot mitigate the risk entirely and it is crucial for organizations, vendors, and governments to work together towards improving the way we deliver and update software.

Next Steps:

In the short term, incident response and compliance teams should follow a step-by-step playbook to determine which systems are directly affected and the scope of the clean up and rebuilding efforts. In the longer term, organizations should evaluate their supply chain risk mitigation plan and ensure accurate real-time visibility on both their network firewall rulesets and in-depth traffic activity monitoring and logging solutions.

 


 

 

Network Perception Joins Industry Leaders at GridSecCon 2019

By Announcement

NERC’s annual Grid Security Conference, GridSecCon, brought together cyber security and physical security experts from around the nation to share the latest policy advancements and lessons learned throughout the electricity industry over the past year. Network Perception was excited to attend the largest GridSecCon yet, joining industry and government leaders October 22nd – 25th in Atlanta, GA to collaborate on the analysis and advancement of security information in the industry.

Managing risk and uncertainty is an ongoing concern for many utility professionals, which makes GridSecCon an important forum for cyber and physical security experts to learn, share, and identify new solutions for their tool kit. In fact, according to the 2019 Utility Dive State of the Electric Utility Survey, 85% of utility professionals identify cyber security and preparedness as their top concern. Contributing to the market demand for new and effective solutions, the Network Perception team showcased our NP-View and NP-Live platforms at the conference, demonstrating how users can simplify compliance management and achieve real-time visibility into their network.

Each day GridSecCon embraced a different theme providing unique insights on best practices and trends for policies, procedures, research and development, threat analysis and threat detection in the electricity industry.

Training Tracks Discuss Key Network and Firewall Risks

The first day of GridSecCon, October 22nd, kicked off with six different training tracks for industry professionals to refresh their skills and gain valuable knowledge about key aspects of the industry.

The Network Perception team attended Axio’s session on “Measuring, Communicating and Quantifying Cyber Risk” in which the importance of active network security monitoring as part of reducing cyber risk was presented, followed by an informative session, “Exercise Chaos Management”, taught by Steven Briggs at Tennessee Valley Authority.

In the afternoon training track, “Reducing Human Error in Cyber Event Response”, ResilientGrid Inc. explained why GUI/HMI design is key for the proper response and why it’s important to create ongoing habits of practicing and reviewing items to continuously ensure network compliance.

Keynote Speeches Address Ongoing Strategies and Threats to the Industry

The second day of GridSecCon, October 23rd, began with a welcome address and opening keynote by Jim Robb, President and Chief Executive Officer at NERC, who spoke about Homeland Security’s ongoing effort to ensure the security and reliability of the electric grid from both physical and cyber attacks.

This was followed by a keynote from Karen Evans, a primary overseer for much of the energy sector as the Assistant Secretary of CESER at the Department of Energy. Each keynote offered a different perspective on how various areas are making cybersecurity a priority and the measures being implemented to prevent an attack. Brian Harrell, the Assistant Director of CISA at Homeland Security, former NERC official and a founder of GridSecCon, spoke of Homeland Security’s goals and the agency’s ongoing efforts to ensure network security.

Research and Development Highlight Improved Network Security Solutions

Day three of GridSecCon, or “Solutions Day”, October 24th, focused on new and emerging technologies advancing security in the industry. Currently, the industry at large is struggling to manage an abundance of data while facing a shortage of people to process and understand it. To mitigate these challenges, research and development efforts are producing game changing solutions, building smarter apps and software to process and provide timely and actionable insights on that network data.

The day began with two panel discussions: “Building a Cyber Threat Model and Coordinating Cyber Threat Intelligence”, moderated by Jeff Jones at E-ISAC, and “Game-Changing Research, Development and Deployment”, moderated by Hailey Siple, Manager of National Security Policy at EEI, with panelists from MITRE, NRECA and EPRI. The discussions progressed with a focus on Natural Gas Interdependencies, a growing component of our critical infrastructure. While natural gas may not have the same visibility as “the grid”, it is an essential upstream element in power generation on the grid and requires the same level of network security scrutiny as deployed in electric systems.

Lunch was followed by the Lightning Round of Security Solutions, where nine different companies presented on the major industry problems their platforms solve. A notable presentation by Ray Sefchik, Director of Reliability Assurance at ReliabilityFirst, focused on Cyber Resilience Metrics in collaboration with researchers from the University of Illinois at Urbana-Champaign, where NP-View originated.

GridSecCon concluded with two final panels, one focusing on the Physical Security Outlook for the industry and the other discussing GridEx V. Given that GridEx V will be held November 13 – 14th, the discussions were especially timely and centered around the latest aspects of the industry-wide response plan, in which a growing number of utilities participate every two years.

Network Perception Looks Forward to GridSecCon 2020

Overall, the three days at GridSecCon 2019 were an ideal opportunity for Network Perception to meet with other industry leaders and learn more about trends and advancements within the industry. Additionally, it provided the team a forum to speak with other professionals about the NP-View and NP-Live platforms and how they equip utilities with a simple network visualization supporting internal and external audits, while providing continuous CIP compliance for both the GRC and cyber security organizations.

If you didn’t make it to this year’s event, we would like to extend an invitation for you and your team to join us October 20th – 23rd for GridSecCon 2020.

 


 

 

Using NP-View to Prepare for a NERC CIP-005 Audit

By NERC CIP

Compliance with NERC[1] CIP Reliability Standards requires NERC entities to adopt precise procedures and to verify their implementation. This white paper describes the requirements under the standard CIP-005, the standard for Electronic Security Perimeters, and illustrates how a NERC entity can utilize technological solutions such as NP-View to save time and resources assessing and managing its compliance with the primary parts of CIP-005.

Take this guide to go with you, download your copy here

Important NERC CIP Concepts

Bulk Electric System (BES)

The North American power grid consists of a huge network of fixed assets linked by transmission lines. The primary types of assets include:

  • Control centers, where trained and experienced operators monitor and control electric power flows, using many types of computer systems;
  • Generating assets, including traditional nuclear, coal, natural gas and other power plants, as well as “renewable” power assets such as wind and solar farms and hydroelectric dams;
  • Low-power renewable generating assets, primarily solar panels, installed at homes and businesses; and
  • Substations, where devices like transformers and circuit breakers control electric power flows, usually under the supervision and direction of a control center.

The BES is monitored and controlled by many types of computing systems. The NERC CIP standards were developed to secure these systems against cyberattacks, whether targeted (as in individual hacking attempts), broadcast (e.g. computer viruses and worms), or inadvertent (a user clicks on a phishing email that installs ransomware and renders his system unusable).

Cyber Asset

There are many types of systems that monitor and control the Bulk Electric System. Some of them are computers like those all of us are familiar with. Others are devices that look very different, and operate very differently, from “normal” computers. Since both types of devices have roles in controlling the BES, the NERC CIP standards introduced the fundamental concept of a Cyber Asset, defined as a “programmable electronic device”. This means an electronic device whose operation can be controlled through a program, which can be revised or replaced in some way.

BES Cyber System (BCS)

While there are many Cyber Assets involved in monitoring and controlling the BES, not all of these are in scope for NERC CIP. There is a subset of these Cyber Assets whose loss or mis-operation (perhaps under the control of a virus or a hacker) could cause an “impact” on the BES within 15 minutes. These are called BES Cyber Systems[2]. Most of the requirements in the CIP standards apply to BES Cyber Systems, although these are divided into three groups based on their degree of impact on the BES: High, Medium and Low impact.

CIP-005 introduces the important concept of Electronic Security Perimeter (ESP). This is defined by NERC as “The logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol” (almost all routable networks run the Internet Protocol, or IP). In other words, the ESP is the “logical border” of a network that contains all of the BCS located at a BES asset (and used by that asset), when those BCS are connected to other Cyber Assets using IP. In some cases, there might be multiple ESPs located at one BES asset, such as a power plant that is spread over multiple buildings, each with its own IP network.

The ESP can contain Cyber Assets that aren’t BES Cyber Systems – i.e. their loss or compromise won’t impact the BES within 15 minutes. However, the former present as much of a risk as the latter. This is because, on a routable network, any device that has been compromised by a cyberattack can be used as a “jumping-off point” for attacks on other devices on the network. If just the BES Cyber Systems are protected by the CIP standards, they will still be vulnerable because they could still be compromised by an attack that “came through” one of the other systems on the network. For this reason, the CIP standards designate all other Cyber Assets connected to the ESP as Protected Cyber Assets (PCAs). Most of the CIP standards apply equally to BCS and PCAs.

Since the systems within most ESPs will need to communicate with the world outside the asset (including the control center that monitors and controls the asset), there needs to be provision for communications into and out of the ESP. Devices that control these communications, including firewalls, are referred to in CIP as Electronic Access Control and Monitoring Systems (EACMS).

About NP-View

NP-View is a software product developed by a team of networking and security experts at Network Perception. It works offline and generates a network topology diagram by analyzing configuration files from firewalls, routers, and switches. The user interface of NP-View was designed to easily identify and keep track of overly permissive network access policies, as well as recording justification for rules, ports and services. The following sections explain how to use NP-View to manage compliance with four important CIP-005 requirement parts.

CIP-005 R1.1 All applicable Cyber Assets connected to a network via a routable protocol shall reside within a defined ESP.

CIP-005 R1.1 requires that High- and Medium-impact BES Cyber Systems reside within an ESP. As already mentioned, any other Cyber Assets attached to the same network will be Protected Cyber Assets and also subject to most of the CIP requirements, including all of the parts of CIP-005. To provide visual verification (for your organization or the auditors) that all BCS reside within an ESP:

  1. Import the configuration file(s) of the firewall(s) protecting an ESP into NP-View
  2. Select the interface(s) connecting the BES Cyber Systems to the firewall(s) and create a visual group called ESP
  3. If assets are missing from the topology map generated by NP-View, one can also import a network scan report from NMAP or a hostname file to add missing assets to the map
  4. Right-click on BES Cyber Systems and mark their criticality as high or medium
  5. Verify that all your BES Cyber Systems are within an ESP

visual verification all BCS reside within an ESP

Since NP-View will identify and map out all of the networks at a location, any network that contains a BCS is an ESP. It is important to confirm that all of your BCS (meaning all of the Cyber Assets that comprise each BCS) are contained within an ESP[3], and at the same time that no BCS is attached to a network that isn’t an ESP. Once you are satisfied that your Electronic Security Perimeter includes all of your BES Cyber Systems, you also need to identify all of the other Cyber Assets that are connected within the ESP – these will all be Protected Cyber Assets.

CIP-005 R1.2 All External Routable Connectivity must be through an identified Electronic Access Point (EAP).

CIP-005 R1.2 introduces the concept of External Routable Connectivity (ERC). This is defined by NERC as “The ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection.” In other words, if a BES Cyber System can be accessed by a system outside of the ESP using a routable protocol (usually IP), then that BCS is said to have ERC. Note that, even though there may be a firewall blocking access to the Cyber Asset from devices outside the ESP, as long as the Cyber Asset is routably connected to a network that has access to the outside world, it still has ERC. In fact, if one device connected to an ESP has ERC (whether or not it’s a BCS), all of the other devices connected to the ESP are assumed to have ERC as well.

CIP-005 R1.2 requires that all External Routable Connectivity come through an Electronic Access Point (EAP). This is a port on an Electronic Access Control and Monitoring System (typically a firewall or router) that allows routable communication between Cyber Assets outside and inside the Electronic Security Perimeter. Compliance with CIP-005 R1.2 – as well as good network security practice – requires there should be no route for a computer outside the ESP to access a BES Cyber System within the ESP, unless that route goes through an EAP.

You can use NP-View to determine whether there is any External Routable Connectivity coming into a BCS, that doesn’t enter the ESP through an EAP. In other words, NP-View can identify “holes” in your ESP that you may not know about; these can lead to both network security and CIP compliance risk. You just have to:

  1. Save the project first, then go to the Analyze toolbar and select Pair analysis to launch a path analysis from “any” to the group “ESP” that was created in the previous step
  2. Review the path results being reported by NP-View in the Path Analysis table to verify that all paths originating outside of the ESP come through an Electronic Access Point on an Electronic Access Control and Monitoring System (usually a firewall).
  3. Investigate any external paths that don’t come through an EACMS.

pair path analysis visualization

CIP-005 R1.3 Require inbound and outbound access permissions, including the reason for granting access, and deny all other access by default.

CIP-005 R1.3 requires that all inbound or outbound traffic flows at an EAP must be explicitly permitted and there must be a justification for each permission; just as importantly, these permissions need to be regularly evaluated to make sure they are still needed and that the justifications remain correct. This requires regular review of firewall rule sets to make sure all permissions have documented justifications, and that these justifications remain valid. You can use NP-View to verify your compliance with CIP-005 R1.3 as follows:

  1. Go through the Rule Audit tab to review Risk Alerts and Justifications.
  2. Use the Rule Marker to mark rules that need to be examined more closely.
  3. For any open port or service that doesn’t have a documented justification, either document the justification or close the port.
  4. For ports and services with justifications, determine whether the justification is still valid.

verifying cip-005 r13 compliance with np-view
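As an added illustration of the R1.3 checks above (not NP-View's own code), the following script audits a constructed firewall ruleset: it flags permits without a documented justification, permits whose justification has not been reviewed recently, overly permissive permits, and a missing or misplaced deny-all default. The addresses, dates and the 365-day review interval are assumptions.

```python
# Added example (not NP-View's own code): a minimal audit of a firewall ruleset
# against the CIP-005 R1.3 checks. The ruleset, dates and review interval are
# constructed for illustration.
from dataclasses import dataclass
from datetime import date
from typing import Optional

REVIEW_INTERVAL_DAYS = 365      # assumed review cadence, not a value from CIP-005
AUDIT_DATE = date(2019, 6, 1)   # constructed "today" for the audit run


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "permit" or "deny"
    src: str                         # source address or "any"
    dst: str                         # destination address or "any"
    service: str                     # protocol/port such as "tcp/502", or "any"
    justification: str = ""          # documented reason for granting access
    reviewed: Optional[date] = None  # last date the justification was confirmed


def is_deny_all(rule):
    return rule.action == "deny" and rule.src == rule.dst == rule.service == "any"


def audit_rules(rules, today):
    """Return (rule name, issue) pairs for every R1.3 problem found.

    Checks: each permit has a justification and a recent review, permits are
    not wide open, and the ruleset ends with an explicit deny-all."""
    findings = []
    for i, rule in enumerate(rules):
        if is_deny_all(rule):
            if i != len(rules) - 1:
                findings.append((rule.name, "deny-all is not last; later rules are unreachable"))
            continue
        if rule.action != "permit":
            continue
        if not rule.justification.strip():
            findings.append((rule.name, "missing justification"))
        elif rule.reviewed is None or (today - rule.reviewed).days > REVIEW_INTERVAL_DAYS:
            findings.append((rule.name, "justification review overdue"))
        if rule.src == "any" and rule.dst == "any":
            findings.append((rule.name, "overly permissive: any source to any destination"))
        elif rule.service == "any":
            findings.append((rule.name, "overly permissive: all services permitted"))
    if not rules or not is_deny_all(rules[-1]):
        findings.append(("<ruleset>", "no explicit deny-all default rule"))
    return findings


def open_services(rules):
    """Services that at least one permit rule opens (the inventory to justify)."""
    return sorted({r.service for r in rules if r.action == "permit"})


# Constructed ruleset for an EAP on an ESP firewall (addresses are placeholders).
RULES = [
    Rule("r1", "permit", "10.10.0.0/24", "10.20.0.5", "tcp/502",
         "Modbus polling from control center SCADA", date(2019, 1, 15)),
    Rule("r2", "permit", "any", "any", "any"),                       # no reason recorded
    Rule("r3", "permit", "10.30.0.7", "10.20.0.0/24", "tcp/22"),     # no reason recorded
    Rule("r4", "permit", "10.20.0.0/24", "10.40.0.0/24", "udp/53",
         "DNS resolution for ESP hosts", date(2017, 3, 1)),          # stale review
    Rule("r5", "deny", "any", "any", "any", "default deny"),
]

if __name__ == "__main__":
    for name, issue in audit_rules(RULES, AUDIT_DATE):
        print(f"{name}: {issue}")
    print("open services:", open_services(RULES))
```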

CIP-005 R2.1 For all Interactive Remote Access, utilize an Intermediate System such that the Cyber Asset initiating Interactive Remote Access does not directly access an applicable Cyber Asset.

CIP-005 R2.1 introduces two more important concepts into the NERC CIP standards. The first of these is Interactive Remote Access (IRA). NERC’s definition of IRA begins with this sentence: “User-initiated access by a person employing a remote access client or other remote access technology using a routable protocol.” Note that the most important feature of IRA is that there is a person sitting at the remote computer and interacting with a BES Cyber System within an ESP. The definition goes on to say “Interactive remote access does not include system-to-system[4] process communications.”

The other new concept is Intermediate System (IS), which NERC defines as “A Cyber Asset or collection of Cyber Assets performing access control to restrict Interactive Remote Access to only authorized users.” This is what is often called a “jump host” – a server that authenticates remote users, then opens up a new session to connect them to a system on the protected network, which in this case is the ESP. Because the IS opens up a new session, malware on the remote system can’t spread into the ESP. The IS needs to be installed in a DMZ, not on the ESP itself. Complying with CIP-005 R2.1 requires you to confirm that all possible Interactive Remote Access paths terminate at the Intermediate System, not at a BES Cyber System in the ESP. Similarly to CIP-005 R1.2, you can identify possible IRA paths using the Path Analysis feature of NP-View:

  1. Launch a Full Path Analysis
  2. Right-click on each component of a BES Cyber System and select “Filter path analysis…” > “Incoming paths”
  3. Verify that the paths that use an interactive remote access protocol and that terminate at the selected BES Cyber System component originate from a valid jump host
  4. Right-click on the jump host and select “Filter path analysis…” > “Incoming and outgoing paths” to review which interactive remote access protocols are permitted to go through the jump host

path analysis to identify possible IRA paths in np-view
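The two path-analysis checks above, for R1.2 (every path into the ESP must enter through an EAP on an EACMS) and R2.1 (interactive remote access must reach the ESP only from the Intermediate System), as one added example that is not NP-View's own code. It models zones and permitted crossings of a constructed topology; the zone names, device names and the protocols treated as IRA are assumptions.

```python
# Added example (not NP-View's own code): a small path-analysis model that
# applies the CIP-005 R1.2 and R2.1 checks to a constructed topology.
# Zone names, device names and protocol labels are assumptions for illustration.
from collections import deque
from dataclasses import dataclass

IRA_PROTOCOLS = {"ssh", "rdp"}  # protocols treated as Interactive Remote Access


@dataclass(frozen=True)
class Hop:
    src: str              # zone the traffic leaves
    dst: str              # zone the traffic enters
    device: str           # device forwarding traffic between the two zones
    eacms: bool           # True if that device is an EACMS (the crossing is an EAP)
    protocols: frozenset  # protocols the device permits from src to dst


@dataclass
class Topology:
    zones: dict      # zone name -> role: "external", "dmz" or "esp"
    hops: list       # permitted crossings between zones
    jump_hosts: set  # zones that host an Intermediate System


def all_protocols(topo):
    return set().union(*(h.protocols for h in topo.hops))


def find_paths(topo, start, protocol):
    """Loop-free paths carrying `protocol` from `start` into an ESP zone.
    Traversal stops once an ESP zone is entered, so each path ends with the
    hop that crosses the Electronic Security Perimeter."""
    paths = []
    queue = deque([(start, ())])
    while queue:
        zone, path = queue.popleft()
        visited = {start} | {h.dst for h in path}
        for hop in topo.hops:
            if hop.src != zone or protocol not in hop.protocols or hop.dst in visited:
                continue
            new_path = path + (hop,)
            if topo.zones.get(hop.dst) == "esp":
                paths.append(new_path)
            else:
                queue.append((hop.dst, new_path))
    return paths


def external_zones(topo):
    return [z for z, role in topo.zones.items() if role == "external"]


def check_r1_2(topo):
    """R1.2: the hop entering the ESP must be carried by an EACMS; anything
    else is a hole in the perimeter. Returns (protocol, device, esp zone)."""
    findings = []
    for protocol in sorted(all_protocols(topo)):
        for start in external_zones(topo):
            for path in find_paths(topo, start, protocol):
                last = path[-1]
                if not last.eacms:
                    findings.append((protocol, last.device, last.dst))
    return findings


def check_r2_1(topo):
    """R2.1: an IRA protocol may enter the ESP only from an Intermediate System
    zone. Returns (protocol, route) for paths that reach the ESP directly."""
    findings = []
    for protocol in sorted(IRA_PROTOCOLS & all_protocols(topo)):
        for start in external_zones(topo):
            for path in find_paths(topo, start, protocol):
                if path[-1].src not in topo.jump_hosts:
                    route = " -> ".join([start] + [h.dst for h in path])
                    findings.append((protocol, route))
    return findings


# Constructed topology: corporate network, a DMZ holding the jump host, one ESP.
TOPO = Topology(
    zones={"corporate": "external", "dmz": "dmz", "esp": "esp"},
    hops=[
        Hop("corporate", "dmz", "fw1", True, frozenset({"ssh", "https"})),
        Hop("dmz", "esp", "fw1", True, frozenset({"ssh", "dnp3"})),
        Hop("corporate", "esp", "fw1", True, frozenset({"rdp"})),              # bypasses the IS
        Hop("corporate", "esp", "legacy_router", False, frozenset({"dnp3"})),  # not an EACMS
    ],
    jump_hosts={"dmz"},
)

if __name__ == "__main__":
    print("R1.2 holes:", check_r1_2(TOPO))
    print("R2.1 direct IRA:", check_r2_1(TOPO))
```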

Conclusion: Building a Workflow

Successfully managing compliance means gaining a clear understanding of requirements and building a workflow that enables a team to coordinate while reviewing evidence and preparing reports. Used efficiently, technology can bring automation to this workflow, in order to save time and minimize the risk of human error. This is especially important in the context of CIP-005, since mis-identifying an asset or missing an access rule can lead to serious consequences. This white paper provided step-by-step guidance towards building such a workflow for four important CIP-005 requirement parts.

If you have questions or would like to know more about NP-View, you can contact the Network Perception team at:

(773) 830-4061
info@network-perception.com
https://portal.network-perception.com

[1] NERC is the acronym for the North American Electric Reliability Corporation. NERC is a non-profit organization tasked by the Federal Energy Regulatory Commission (part of the US Department of Energy) with ensuring the reliability of the North American electric power grid. Among its tasks are drafting and auditing standards for cybersecurity of the systems that monitor and control the grid. This set of standards is known as NERC CIP. There are currently 13 CIP standards either in effect, awaiting approval by FERC, or under development. These standards are numbered CIP-002 through CIP-014.

[2] BES Cyber Systems can be composed of one or many cyber assets. The individual cyber assets may or may not have a 15-minute BES impact, but the system as a whole does. Note that a BCS must be located at one of the six types of assets listed in CIP-002-5.1a R1.1, to be in scope for CIP.

[3] While all BCS components have to be contained within an ESP, it is possible for the components of a single BCS to be contained within multiple ESPs. For example, a utility may decide to classify all of their relays in all Medium impact BES substations as a single BCS, meaning they would most likely be contained within many ESPs. The individual relays would be BES Cyber Assets. Each of these would need to be contained within an ESP, but they would be separate ESPs, presumably one for each Medium impact substation.

[4] System-to-system remote access by vendors is addressed in two new requirement parts, CIP-005 R2.4 and R2.5. These two parts are awaiting approval by FERC along with CIP-013, the new standard for supply chain cyber security risk management. CIP-013 and these two requirement parts, as well as another new requirement part, CIP-010 R1.6, will most likely come into effect in later 2019.

Download your copy of this guide

 