Cyber Resiliency

Could CIP-005 have prevented the SolarWinds attack?

By Cyber Resiliency, Cybersecurity

It has been four months since the SolarWinds attack was discovered, and many organizations are still deep into clean-up efforts. If you have been affected by this event, excellent resources have been published to dissect the malware involved and to help with identification and remediation. We previously discussed lessons learned from the SolarWinds compromise to emphasize the importance of maintaining continuous visibility over networks and of ensuring clear separation of duties between monitoring and control solutions. In this article, we explore the role of network segmentation through the lens of CIP-005 and the concept of the Electronic Security Perimeter (ESP).

Best Practices from the Electric Industry

In the world of industrial control systems (ICS), priorities are different compared to a traditional corporate environment. Indeed, an IT server shutting down unexpectedly may frustrate users and cause financial damage, but an Operational Technology (OT) server shutting down unexpectedly may impact industrial equipment and possibly injure people. As a result, safety and reliability are top priorities for ICS and this is why the adoption of a strict risk assessment and compliance framework is paramount in the OT space.

To that end, the NERC CIP standards have significantly impacted the way electric utilities in North America are deploying and configuring the firewalls protecting their critical cyber assets. This is particularly important in the context of the SolarWinds attack since understanding trusted communication paths and data flows can directly help mitigate and prevent not only current but also future cyber attacks. It could even be said that better network segmentation could have prevented the breach of the SolarWinds build environment in the first place. To quote from Tom Alrich’s article:

The software build environment would need to be protected in a similar fashion to how the Electronic Security Perimeter (ESP) is required to be protected by the NERC CIP standards – in other words, there should be no direct connection to the internet, and any connection to the IT network should be carefully circumscribed through measures like those required by CIP-005.

At Network Perception, we know CIP-005 quite well since we have designed NP-View and NP-Live with the specific goal of helping the NERC industry implement and control CIP-005 requirements. Following up on Tom’s suggestion, we provide practical guidance in the section below on how CIP-005 could be leveraged by any organization that has critical systems to protect, whether they reside in the IT or the OT space.

Hardening Network Segmentation with CIP-005

NERC CIP spans multiple reliability standards, ranging from categorizing critical cyber assets (CIP-002) to personnel and training (CIP-004), as well as incident reporting (CIP-008) and configuration change management (CIP-010). The standard that is explored in this article is CIP-005: Electronic Security Perimeter. Before listing the requirements, it is important to understand the terminology which is provided in the NERC Glossary. Here is the summarized version:

  • The Bulk Electric System (BES) is defined to identify the most critical systems to protect. In the electric industry, the BES covers transmission elements operated at 100 kV or higher. The concept of BES could be translated to other industries, for instance to the systems storing and transmitting credit card information in the payment industry.
  • A Cyber Asset (CA) is a programmable electronic device, which includes computers, servers, and connected equipment.
  • A BES Cyber Asset (BCA) is a cyber asset that can impact the BES within 15 minutes. This definition is important because it allows us to separate mission-critical systems from the rest.
  • An Electronic Security Perimeter (ESP) is the logical border surrounding a network to which BCAs are connected.
  • An Electronic Access Control and Monitoring System (EACMS) is a cyber asset that performs access control or monitoring—like a firewall or an intrusion prevention system.
  • An Electronic Access Point (EAP) is a cyber asset interface on an ESP that allows routable communication, for example a network interface on a firewall.
  • A Protected Cyber Asset (PCA) is a cyber asset inside the ESP that is not a BCA.
  • Interactive Remote Access (IRA) is user-initiated remote network access that uses a routable protocol. Identifying IRA allows us to pick out trusted communication paths and separate them from non-interactive system-to-system communications.
  • An Intermediate System (IS) is a cyber asset that performs access control to restrict IRA to authorized users only. Typically, an IS is a jump host on which a user has to authenticate before accessing a critical resource.

The diagram below illustrates a network with ten nodes, among which three nodes are BCA (the crown jewels), and all communications to the BCA have to go through a firewall (the EACMS). An ESP has been defined around the BCA and also includes a non-critical node (the PCA). Since the PCA resides in the same broadcast domain as the BCA, it has to be protected at the same criticality level. Finally, an IS (jump host) enables users to connect to the ESP through an interactive session (for instance, SSH or Remote Desktop).
Now that we understand the CIP-005 terminology, we can list the five requirement parts that electric utilities with medium and high impact cyber systems have to comply with:

  • CIP-005 R1.1: All applicable Cyber Assets connected to a network via a routable protocol shall reside within a defined ESP
  • CIP-005 R1.2: All External Routable Connectivity must be through an identified Electronic Access Point (EAP)
  • CIP-005 R1.3: Require inbound and outbound access permissions, including the reason for granting access, and deny all other access by default
  • CIP-005 R2.1: Utilize an Intermediate System such that the Cyber Asset initiating Interactive Remote Access does not directly access an applicable Cyber Asset
  • CIP-005 R2.2: Interactive Remote Access sessions must be encrypted to the Intermediate System to protect the confidentiality and integrity of the communications

In summary, utilities have to (1) identify their critical systems and the networks in which they are connected, (2) protect those networks with firewalls, (3) ensure that firewall access rules are justified and follow a principle of least privilege, (4) ensure that interactive remote connections go through a well-identified jump host, and (5) ensure that those interactive remote connections are encrypted outside of the critical networks. This means that critical systems should be in a separate network zone and not have direct access to the corporate network and the Internet.

Coming back to the SolarWinds attack and the software vendor industry at large, here is how the CIP-005 requirements could be adopted to better protect the digital supply chain:

  • Step 1: We start by translating the concept of the Bulk Electric System (BES) to the software industry. We suggest the Critical Build Environment (CBE), which would cover all systems used to compile, package, and deploy a software application for production.
  • Step 2: We then identify the Critical Cyber Assets (CCA): the cyber assets that are either part of the CBE or can connect directly to it.
  • Step 3: We define an ESP to segment the CCA into a clearly-defined network zone and ensure that firewalls control inbound and outbound connections to the ESP. The access lists should prevent CCA from being directly accessible externally, especially from assets in the corporate network and the Internet.
  • Step 4: We deploy jump hosts to allow engineers and DevOps staff to access CCA through interactive remote sessions, and we ensure that multi-factor authentication as well as encryption are correctly configured.
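To make the requirement parts and the four steps above concrete, here is an added example (written for this page; it is not NP-View or any other Network Perception code) of a small rule-set review in Python. It takes a constructed ESP definition, a constructed BES Cyber Asset inventory and a constructed EACMS firewall policy, and reports where they fall short of R1.1, R1.3, R2.1 and R2.2. Zone names, host names, addresses, ports, ticket numbers and rule names are all assumptions made for the illustration. R1.2 (connectivity only through identified EAPs) is not checked because it needs the device's interface configuration, not just its rules.

```python
"""Added example (not Network Perception / NP-View code): review a constructed
firewall policy and asset inventory against the CIP-005 requirement parts
listed in the article. Every name, address, port and rule below is constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    action: str        # "permit" or "deny"
    src_zone: str
    dst_zone: str
    proto: str         # "tcp", "udp" or "any"
    dport: str         # destination port as a string, or "any"
    justification: str = ""   # R1.3: the documented reason for granting access


# Constructed ESP: its subnet, the zone name the EACMS uses for it, the zone of
# the Intermediate System (jump host) and the zones treated as untrusted.
ESP_SUBNETS = [ipaddress.ip_network("10.50.1.0/24")]
ESP_ZONE = "esp"
IS_ZONE = "jumphost"
UNTRUSTED_ZONES = {"internet", "corporate"}

# Ports that carry Interactive Remote Access, and the subset that is cleartext.
IRA_PORTS = {"22": "ssh", "3389": "rdp", "23": "telnet", "5900": "vnc"}
CLEARTEXT_IRA = {"23", "5900"}

# Constructed BES Cyber Asset inventory (hostname -> address).
INVENTORY = {
    "scada-hmi-01": "10.50.1.10",
    "rtu-gateway-01": "10.50.1.20",
    "historian-01": "10.50.2.5",   # deliberately placed outside the ESP subnet
}

# Constructed EACMS rule-set, evaluated top to bottom.
RULES = [
    Rule("r1", "permit", "jumphost", "esp", "tcp", "22",
         "Engineer IRA via the Intermediate System (change ticket 1234)"),
    Rule("r2", "permit", "corporate", "esp", "tcp", "3389"),      # direct RDP, no reason
    Rule("r3", "permit", "esp", "internet", "tcp", "443", "Vendor telemetry upload"),
    Rule("r4", "permit", "corporate", "jumphost", "tcp", "23", "Legacy console access"),
    # no explicit deny-all at the end
]


def assets_outside_esp(inventory, subnets):
    """R1.1: BCAs whose address is not inside any defined ESP subnet."""
    return sorted(
        host for host, ip in inventory.items()
        if not any(ipaddress.ip_address(ip) in net for net in subnets)
    )


def review_rules(rules):
    """R1.3, R2.1, R2.2: return (rule name, finding) pairs for the policy."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        if not r.justification.strip():
            findings.append((r.name, "R1.3: permit rule has no documented reason"))
        if r.dst_zone == ESP_ZONE and r.src_zone in UNTRUSTED_ZONES:
            findings.append((r.name, f"R1.3: {r.src_zone} reaches the ESP directly"))
        if r.src_zone == ESP_ZONE and r.dst_zone in UNTRUSTED_ZONES:
            findings.append((r.name, f"R1.3: ESP reaches {r.dst_zone} directly"))
        if r.dst_zone == ESP_ZONE and r.dport in IRA_PORTS and r.src_zone != IS_ZONE:
            findings.append((r.name, f"R2.1: {IRA_PORTS[r.dport]} into the ESP "
                                     "bypasses the Intermediate System"))
        if r.dst_zone == IS_ZONE and r.dport in CLEARTEXT_IRA:
            findings.append((r.name, f"R2.2: {IRA_PORTS[r.dport]} to the Intermediate "
                                     "System is not encrypted"))
    last = rules[-1] if rules else None
    if not (last and last.action == "deny"
            and (last.src_zone, last.dst_zone) == ("any", "any")):
        findings.append(("policy", "R1.3: rule-set does not end with an explicit deny-all"))
    return findings


if __name__ == "__main__":
    for host in assets_outside_esp(INVENTORY, ESP_SUBNETS):
        print(f"R1.1: {host} is not inside a defined ESP")
    for name, finding in review_rules(RULES):
        print(f"{name}: {finding}")
```

On the constructed data, r1 (SSH from the jump host, with a documented reason) passes cleanly, r2 collects three findings (no reason, corporate reaching the ESP directly, and RDP that bypasses the Intermediate System), r3 is flagged for outbound Internet access from the ESP, r4 for cleartext telnet to the jump host, and the policy as a whole for lacking a final deny-all. Appending a deny-all rule removes the last finding; the real work in practice is the justification column, which this check can only verify is present, not that it is adequate.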

There is, of course, a cost to implementing this framework, but it pales in comparison to the impact of a sophisticated supply chain attack such as the one that targeted SolarWinds. This is work-in-progress and we invite you to start a conversation with your team. If you have questions or would like to make suggestions on how this framework could be applied to different industries, please drop us a note at info@network-perception.com.

How Can Critical Infrastructure Facilities Become Cyber-Resilient?

By Cyber Resiliency

Network Perception CEO Dr. Robin Berthier recently joined Luke Fox on The Trust Revolution to discuss cybersecurity in relation to recent attacks on several critical infrastructure industries. Berthier explains, “Utilities have modernized, and that connectivity, especially around equipment and IoT, increases the risk for disruption and attacks.” He elaborates with specific examples and provides best practices.

Berthier also cautions against a singular focus on preventing attacks, as that effort is futile. To best prepare for future threats, he recommends building cyber resiliency with an emphasis on “defense in depth or multiple layers of security.” Companies must change the way they think about cybersecurity and prioritize building resiliency.

“It’s impossible to keep everything outside of the perimeter, so design a system with this in mind. Software vulnerabilities are only growing. There were 6000 in 2016 and 18,000 in 2020.”

To achieve cyber resiliency within your organization, he says, “Visibility is key. Know what you have in your network and keep it up to date. Also, follow the principle of least privilege for applications.”

Berthier also emphasized that cyber resiliency and cybersecurity must be a concern for more than just IT teams. For true resiliency, systems need to work harmoniously across a diverse set of tools, and teams need to work together to ensure business continuity.


Introduction to NERC CIP Vulnerability Assessment

By Cyber Resiliency, NERC CIP

Compliance with cybersecurity standards, such as NERC CIP, can become an opportunity for organizations to establish standardized processes and gain efficiency. In the electric industry, this opportunity means building a culture of risk assessment and mitigation across all the parties involved with managing, regulating, and overseeing the grid, with the goal of maintaining a more secure and reliable grid in the process. CIP-010 Requirement R3 stipulates that a paper vulnerability assessment (PVA) and an active vulnerability assessment (AVA) need to be performed annually and every three years, respectively.

Vulnerability Assessment Requirements

Per CIP-010, Requirement R3, two types of Vulnerability Assessments are identified: an annual Paper Vulnerability Assessment (PVA) and an Active Vulnerability Assessment (AVA) every three years. For each assessment type, the Guidelines and Technical Basis (G&TB) strongly encourage entities to include at least the following elements, taken from NIST SP 800-115, and to review that NIST Technical Guide for guidance on approaches and methods to execute each:

  • Network Discovery
  • Network Port and Service Identification
  • Vulnerability Review/Scanning
  • Wireless Review/Scanning

Active Vulnerability Assessments vs. Paper Vulnerability Assessments

Per the G&TB in CIP-010, the following are strongly encouraged tasks for a PVA and an AVA, as well as the associated CIP-005, CIP-007, and CIP-010 Requirements and Parts for which they may provide detective controls:

Paper Vulnerability Assessment Tasks

| Task | Description | Requirement Parts |
|---|---|---|
| Network Discovery | A review of network connectivity to identify all Electronic Access Points. | CIP-005 R1 Part 1.2 |
| Network Port and Service Identification | A review to verify that all enabled ports and services have an appropriate business justification. | CIP-007 R1 Part 1.1 |
| Vulnerability Review | A review of security rule-sets and configurations including controls for default accounts, passwords, and network management community strings. | CIP-005 R1 Part 1.3; CIP-007 R5 Parts 5.4 – 5.7 |
| Wireless Review | Identification of common types of wireless networks and a review of their controls if they are in any way used for BCS communications. | CIP-005 R1 Part 1.1 |

Active Vulnerability Assessment Tasks

| Task | Description | Requirement Parts |
|---|---|---|
| Network Discovery | Use of active discovery tools to discover active devices and identify communication paths. | CIP-005 R1 Parts 1.1 – 1.2 |
| Network Port and Service Identification | Use of active discovery tools to discover open ports and services. | CIP-007 R1 Part 1.1; CIP-010 R1 Parts 1.1.2 – 1.1.4 |
| Vulnerability Scanning | Use of a vulnerability scanning tool to identify known vulnerabilities associated with services running on open ports. | CIP-007 R2 Part 2.3; CIP-007 R5 Parts 5.2, 5.4 – 5.7 |
| Wireless Scanning | Use of a wireless scanning tool to discover wireless signals and networks in the physical perimeter of a BCS. | CIP-005 R1 Part 1.1 |

While both PVA and AVA tasks are used as detective controls for complying with the above requirements, the controls provided by AVA tasks are more effective. At a high level, the review of evidence in PVA tasks simply identifies issues associated with documenting and/or maintaining that evidence. AVA tasks, however, include the collection of fresh (updated) evidence that is then reviewed and analyzed. AVA tasks can not only identify those documentation issues, they can also identify issues with the processes followed to meet the respective compliance obligations. As an example, the review of network port and service evidence in a PVA assumes that the port and service list is accurate when identifying missing or insufficient business justifications. In an AVA, the network port and service assessment adds the compilation of a fresh network port and service list to compare against the existing evidence. This comparison can shine a light on issues related to the methods followed when the list of ports and services was initially collected, how dynamic port ranges associated with services were determined, or whether unaccounted-for software was installed that enabled a previously undocumented port.
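As an added example of the comparison described above (written for this page; not NP-View code and not from the white paper), the Python below reconciles a documented CIP-007 R1 Part 1.1 ports-and-services list with a freshly collected listener inventory. Both inputs are constructed: the listener dump uses a made-up "asset proto local_address state" layout, and the host names, ports and justifications are assumptions. A paper review of the documented list can only see the missing justification; comparing against the fresh collection additionally reveals the undocumented listener and the documented service that is no longer present, and shows why a documented dynamic port range has to be matched as a range rather than as a single port.

```python
"""Added example (not NP-View or white-paper code): reconcile documented
CIP-007 R1 Part 1.1 evidence with a freshly collected listener inventory.
All asset names, ports and justifications are constructed."""
import csv
import io

# Constructed documented evidence: one row per enabled port/service per asset.
# A port may be a single number or a "lo-hi" range (e.g. a dynamic RPC range).
DOCUMENTED = """\
asset,proto,port,service,justification
scada-hmi-01,tcp,22,sshd,Engineer IRA via the Intermediate System
scada-hmi-01,tcp,443,https,Operator web console
scada-hmi-01,tcp,49152-65535,rpc-dynamic,DCOM dynamic range used by the historian client
rtu-gateway-01,tcp,502,modbus,Field device protocol
rtu-gateway-01,tcp,22,sshd,Engineer IRA via the Intermediate System
rtu-gateway-01,udp,161,snmp,
"""

# Constructed fresh collection in a made-up "asset proto local_address state" layout.
OBSERVED = """\
scada-hmi-01 tcp 0.0.0.0:22 LISTEN
scada-hmi-01 tcp 0.0.0.0:443 LISTEN
scada-hmi-01 tcp 0.0.0.0:50000 LISTEN
scada-hmi-01 tcp 0.0.0.0:8080 LISTEN
rtu-gateway-01 tcp 0.0.0.0:502 LISTEN
rtu-gateway-01 udp 0.0.0.0:161 UNCONN
"""


def parse_documented(text):
    """Return {(asset, proto, (lo, hi)): (service, justification)}."""
    entries = {}
    for row in csv.DictReader(io.StringIO(text)):
        lo, _, hi = row["port"].partition("-")
        span = (int(lo), int(hi or lo))
        entries[(row["asset"], row["proto"], span)] = (
            row["service"], row["justification"].strip())
    return entries


def parse_observed(text):
    """Return the set of (asset, proto, port) listeners in the fresh collection."""
    found = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        asset, proto, local, _state = line.split()
        found.add((asset, proto, int(local.rsplit(":", 1)[1])))
    return found


def reconcile(documented, observed):
    """Split findings into what a paper review alone can see and what only
    comparing against fresh evidence reveals."""
    # Paper review: documented entries with no business justification.
    missing_justification = sorted(
        k for k, (_svc, why) in documented.items() if not why)
    covered = set()
    undocumented = []
    for asset, proto, port in sorted(observed):
        match = next((k for k in documented
                      if k[0] == asset and k[1] == proto
                      and k[2][0] <= port <= k[2][1]), None)
        if match is None:
            undocumented.append((asset, proto, port))   # open, but never documented
        else:
            covered.add(match)
    stale = sorted(k for k in documented if k not in covered)   # documented, not seen
    return {
        "missing_justification": missing_justification,
        "undocumented_open": undocumented,
        "documented_not_observed": stale,
    }


if __name__ == "__main__":
    result = reconcile(parse_documented(DOCUMENTED), parse_observed(OBSERVED))
    for category, items in result.items():
        print(category, items)
```

On the constructed inputs the paper review reports only the SNMP entry with no justification, while the fresh comparison also reports TCP 8080 on scada-hmi-01 as open but undocumented and SSH on rtu-gateway-01 as documented but no longer listening; TCP 50000 is accepted because it falls inside the documented dynamic range. A stale entry deserves as much follow-up as an undocumented one, since either means the evidence and the asset have drifted apart.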

As described above, executing PVAs and AVAs has much greater importance to an entity’s CIP compliance program than simply complying with CIP-010 Requirement R3 Parts 3.1 and 3.2. Automating PVA and AVA tasks not only improves the efficiency with which the tasks can be executed, it also eliminates instances of potential human error when executing them. Thus, an automated solution such as NP-View can play an important role in helping entities automate a number of the tasks above. NP-View is also leveraged by NERC regional auditors to validate evidence during audits.

Figure: Reviewing network paths originating from or terminating at the ESP to verify interactive remote access.

Preparation

In either a PVA or AVA, one key factor for success is a detailed VA plan, which should include:

  • Roles and responsibilities
  • Preparation, including:
    • Personal protective equipment requirements,
    • Site access requests,
    • System access requests,
    • Change request tickets, and
    • VA data storage location.
  • Data collection
  • Onsite activities
  • Data analysis

Another key success factor is entity subject matter expert (SME) engagement in the VA process. Regardless of how well versed the VA team members are in the VA process, inaccurate or incomplete data collected from the Cyber Assets ensures an unsuccessful VA. Additionally, SMEs typically provide the VA team with a more detailed view of the networks than can be collected from network diagrams alone.

Requirements

At a minimum, the needed data inputs for conducting a NERC CIP Vulnerability Assessment include:

  • NERC CIP Cyber Asset Inventory lists, including:
    • Unique identifier, such as hostname,
    • IP addresses and subnet mask, and
    • Electronic Security Perimeter (ESP).
  • List of Intermediate Systems,
  • List of ESP networks with included network subnets and their respective Electronic Access Points (EAPs),
  • CIP-007 R1 Part 1.1 ports and services justification evidence,
  • CIP-007 R5 Parts 5.4 – 5.7 password controls evidence, and
  • Configuration files in a format readable by NP-View.

NP-View uses device configuration files from firewalls, routers, and switches to create a network diagram that allows compliance auditors and other users to understand objects, routes, permissions, and policies in a user readable format. To input the device files in the correct format, follow the instructions on the NP Knowledge Base. If a particular hardware/software platform is not supported, please contact support@network-perception.com to start the implementation of a new configuration parser.

Next Steps

Having a thorough, efficient, and repeatable methodology for vulnerability assessments lays the groundwork for their successful execution. Executing that methodology with personnel who have both expertise in the NERC CIP Reliability Standards and experience conducting vulnerability assessments with automated tools is crucial to that success. NP-View allows those executing vulnerability assessments to complete a number of the tasks more efficiently while minimizing the risk of human error during the more tedious ones. The time-saving and completeness aspects are critical as network environments become more complex and resources remain limited.

This introduction is part of the Better, Faster NERC CIP Vulnerability Assessments Using NP-View white paper, which includes additional information and step-by-step instructions on how to best leverage NP-View during your CVA. For any questions or feedback, please feel free to contact the Network Perception team or the Network & Security Technologies (N&ST) team who co-wrote the white paper.


What is Cyber Resiliency, and why is it important?

By Cyber Resiliency

TL;DR: Cyber Resiliency for Utilities

  • Increasing pressure from cyber risks is a top challenge for organizations
  • The key to succeeding in an adversarial environment is to become cyber resilient

The State of Cyber Security in 2021

Our dependence on cyber systems is increasing every day, and the frequency, severity, and sophistication of cyber attacks have been rising along with it. The size and complexity of networks have also grown exponentially, continuously exposing organizations to larger attack surfaces. As a result, companies are investing in cyber security solutions to keep the latest malware outside of their infrastructure. As shown by the recent SolarWinds breach, cyber security monitoring solutions themselves can become an attack vector and, as experienced by the 18,000 customers affected, cleaning up after a breach is an extremely stressful endeavor.

What Is Cyber Resiliency

The goal of eliminating all cyber threats is futile, since organizations will continue to depend on cyber systems and attackers will keep targeting them. Succeeding in this arms race requires investing in cyber resiliency: the ability to recover from, and adjust rapidly to, cyber risks. Just as the immune system has developed protection, detection, and evolution capabilities over hundreds of thousands of generations to keep organisms alive despite the constant assault from viruses and diseases, organizations have to embrace the principles of cyber resiliency to keep operating despite cyber threats.

The National Institute of Standards and Technology (NIST) published Special Publication 800-160 Volume 2 to present objectives, approaches, and techniques surrounding the development of cyber resilient systems. In particular, the following diagram represents the relationship among cyber resiliency constructs:

Diagram: Cyber Resilience (relationship among cyber resiliency constructs, from NIST SP 800-160 Volume 2)

How to Achieve Cyber Resilience

With the intention of creating a cyber resilient organization, here are the first steps to take:

  1. Define a risk management strategy that identifies acceptable and unacceptable risks, along with the resources allocated to mitigate them at the organizational, business process, and system levels.
  2. Prioritize goals and objectives according to the specificities of the organization, before implementing them through a set of techniques such as analytic monitoring, non-persistence, and privilege restriction.

The first objective of cyber resiliency is to understand. It is defined in the NIST publication as maintaining useful representations of mission and business dependencies and the status of resources with respect to possible adversity. Indeed, we cannot protect what we do not know and in the domain of information systems and networks, it is paramount for an organization to gain and maintain accurate visibility on their infrastructure: which assets are installed, how those assets are configured, and how access policies are effectively segmenting networks into distinct zones. It is also vital for first responders to not only maintain situational awareness but also to reduce the time between receipt of threat intelligence and determination of its relevance in order to adapt rapidly to adversarial conditions.

Helping You Build a Culture of Resilience

In this blog post series, we will present cyber resiliency techniques that can be applied to networks and access policies. Our goal is to provide practical advice so that:

  1. Security teams can adopt key techniques to build cyber resilience over time,
  2. Compliance teams can assess and track progress to help guide their organizations, and
  3. The utility industry can better understand the importance of, and how to build, a more cyber resilient organization.