CIP-007-5 R1 DRAFT: Understanding the Importance and Relevance of Configuration Ports to Utility Cyber Security

Whitepaper


Purpose
Configuration ports on critical and non-critical cyber assets are often misunderstood
and overlooked in the overall cyber security strategy. This paper discusses the
importance of configuration ports in the overall cyber security strategy and how they
apply to the NERC-CIP standard. An Industry Advisory from NERC with additional
details on this subject is available here:
http://www.nerc.com/fileUploads/File/Events%20Analysis/A-2008-05-13-1.pdf

Introduction
The NERC-CIP standard is the primary reference used by the Utility industry to ensure
our nation’s power grid is protected from unintentional (accidental) and intentional
(malicious) disruption. While the NERC-CIP standard takes a comprehensive approach to
cyber security, there remain areas where the specific implications of security
vulnerabilities are not understood by the industry at large. This whitepaper looks at
the specific area of configuration ports as covered by NERC-CIP-007-5.

What are Configuration Ports?
Configuration ports exist on almost every hardware device in the IT infrastructure.
These physical ports provide a special level of privileged access that can be used to:
    1)   Change BIOS settings
    2)   Upgrade firmware
    3)   Set the baseline configuration
    4)   Build out devices that have components (like servers)
    5)   Perform a variety of administrative functions
    6)   Perform emergency repair or failure recovery when no other port is accessible

Item six in the list above is very telling with respect to the important role these
ports play in the cyber security strategy. Except for power supply or catastrophic
electronic component failure, configuration ports are active at all times, even when
conditions have degraded a device to the point that no other port can accept
communications. They are the default emergency access point for every IT device.

Per CIP-007-5, all ports must be either secured or disabled, and this obviously
includes configuration ports. However, most IT devices do not allow these ports to be
disabled, nor should they be disabled, since they serve important purposes, including
being the primary emergency access port. Instead, these ports must be secured.

©2011 – TDi Technologies, Inc.             www.tditechnologies.com


Types of Configuration Ports
Most configuration ports are serial or TCP/IP. Most modern server hardware provides
the configuration interface through a baseboard management controller with a
TCP/IP interface that directly falls under the “routable protocol” definition in the
standard.

The baseboard management controller is a standalone, independent computer built into
the server architecture, and it is fully operational any time power is supplied to the
device chassis. Common vendor names for baseboard management controllers include
iLO 2 (HP), DRAC (Dell), and ALOM and ILOM (Sun/Oracle).

While configuration ports have been part of IT device design for decades, the
baseboard management controller is a rapidly evolving, modern form of configuration
port. Modern server architectures with blades and blade chassis normally come with
baseboard management controllers on the individual blades as well as on the chassis
itself.

Many networking devices such as routers and fabric switches, storage controllers, and
special-purpose appliances like firewalls and terminal servers often have a serial
configuration port. Its operation and availability (whenever power is applied to the
chassis) are the same as for servers; the primary difference is the type of
communications protocol.

Configuration port functionality is also replicated in most virtual machine designs as
virtual consoles or virtual serial consoles, which can be accessed from the baseboard
management controller of the physical host the guest resides on, or over an SSH
connection. This allows remote configuration of the virtual guest operating system or
machine, which in most cases is not logged or audited.



Access and Use of Configuration Ports
Configuration ports are often not connected to anything until they are needed, such
as during a catastrophic failure. When a configuration port is not networked (the port
is left unconnected), access is gained by connecting a computer directly to it, which
requires the person connecting to be physically present where the device resides.

More often, configuration ports are networked in some manner, and the network carrying
them is commonly referred to as an out-of-band or management network. This out-of-band
network is typically segregated from the normal or production network for additional
security, because of the highly sensitive nature of configuration ports.

As noted above, configuration ports are used under a variety of operating conditions,
including situations where the configuration port is the only accessible port on a
device. This presents a problem for cyber security approaches that rely on normal
networking being active (which includes all locally installed agent software),
because their security capabilities are unavailable under exactly the conditions in
which access over the configuration port is most likely.

The key takeaways on access and use of configuration ports are:
    1) Configuration ports either cannot or should not be disabled
    2) Security over unconnected (non-networked) configuration ports is limited to
       physical security
    3) Traditional cyber security approaches cannot secure configuration ports at all times
    4) Access to configuration ports is often not audited or logged
    5) Authentication is often independent of the production methods, mostly because
       during an outage the production method of authentication may not be available


Severity of the Cyber Security Threat
A significant influence on the severity of the threat an access port presents to the
Utility organization is the set of privileged capabilities the port gives its user.
Configuration ports present an extremely high set of privileges that can be used to
change almost anything on the target device. This level of privilege is why access to
configuration ports is often referred to as having the “keys to the kingdom.”

The list of severe security threats over configuration ports is impossible to
document fully because of the range of privileged commands these ports provide to
their users. Some of the more obvious threats are:
    1) communication ports can be changed or added
    2) data can be copied
    3) malware can be installed at multiple levels (BIOS, firmware, OS)
    4) user accounts and privileges can be added, changed or deleted
    5) device configuration can be changed
    6) ports are “discoverable,” making them targets for malicious actors

The simple fact is that configuration ports are an extremely high security issue that
can be exploited under a variety of scenarios in which other security technologies,
techniques, and practices cannot detect an active exploit.

In addition, many baseboard management controllers now allow side-band access, through
which the controller can be reached even when its dedicated port is not connected to
anything. With side-band access the baseboard management controller shares one of the
device’s other TCP/IP ports, so it can be reached over that port while its dedicated
port remains unconnected.

This means that the threats identified above may remain in force even when an
out-of-band network is in place and properly segregated from the production network
(depending on the specifics of the baseboard management controller by vendor, and
possibly on its configuration). This also increases the risk of these ports being
improperly secured, discovered, and compromised.
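The following added example (not from the whitepaper, and not TDi Technologies’ product) is one way to check the point above from the device side. It parses saved `ipmitool lan print` output for each BMC and flags any whose address is outside the assumed out-of-band network (10.250.0.0/16), inside an assumed production network (172.16.0.0/16), or that still accepts the RMCP+ null cipher suite 0 or the IPMI 1.5 “NONE” authentication type. The sample outputs are constructed, the key names follow ipmitool’s usual layout, and the hostnames, CIDRs and function names are assumptions. A check like this does not reveal a BMC configured to share the host’s production NIC; that NIC-selection setting is vendor-specific and has to be read with the vendor’s own management tool.

```python
"""Added example (not from the whitepaper): audit BMC network settings from
saved `ipmitool lan print` output. Constructed sample outputs are embedded so
the script runs offline; on a real fleet the text would come from
`ipmitool -I lanplus -H <bmc> -U <user> lan print` or from the host's own
`ipmitool lan print` over the local interface."""
import ipaddress
import re


def parse_lan_print(text):
    """Turn the 'Key : Value' lines of `ipmitool lan print` into a dict.
    Continuation lines (blank key) are kept only for 'Auth Type Enable',
    whose per-privilege-level values span several lines."""
    info, last = {}, None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key:
            info[key] = val
            last = key
        elif last == "Auth Type Enable":
            info[last] += " | " + val
    return info


def audit_bmc(info, oob_net, production_nets):
    """Return a list of finding names for one BMC; an empty list means the
    settings visible here match the out-of-band and authentication guidance."""
    findings = []
    ip = ipaddress.ip_address(info.get("IP Address", "0.0.0.0"))
    if ip not in oob_net:
        findings.append("bmc_off_oob_network")
    if any(ip in net for net in production_nets):
        findings.append("bmc_on_production_network")
    # First character is the max privilege granted over RMCP+ cipher suite 0,
    # the suite with no authentication, integrity or confidentiality.
    # 'X' means the suite is disabled; anything else means it is usable.
    priv_max = info.get("Cipher Suite Priv Max", "")
    if priv_max and priv_max[0] != "X":
        findings.append("null_cipher_suite_enabled")
    # IPMI 1.5 'NONE' auth type enabled for any privilege level.
    if re.search(r"\bNONE\b", info.get("Auth Type Enable", "")):
        findings.append("none_auth_enabled")
    return findings


def audit_inventory(inventory, oob_cidr, production_cidrs):
    oob_net = ipaddress.ip_network(oob_cidr)
    prod_nets = [ipaddress.ip_network(c) for c in production_cidrs]
    return {name: audit_bmc(parse_lan_print(text), oob_net, prod_nets)
            for name, text in inventory.items()}


# Constructed sample outputs (assumption: the usual ipmitool layout).
INVENTORY = {
    "sub1-hmi-srv01": """\
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD5 PASSWORD
                        : User     : MD5 PASSWORD
                        : Operator : MD5 PASSWORD
                        : Admin    : MD5 PASSWORD
IP Address Source       : Static Address
IP Address              : 10.250.1.21
Subnet Mask             : 255.255.255.0
MAC Address             : 00:11:22:33:44:55
Default Gateway IP      : 10.250.1.1
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : XaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
""",
    "sub1-hmi-srv02": """\
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : NONE MD5 PASSWORD
                        : User     : NONE MD5 PASSWORD
                        : Operator : NONE MD5 PASSWORD
                        : Admin    : NONE MD5 PASSWORD
IP Address Source       : DHCP Address
IP Address              : 172.16.8.44
Subnet Mask             : 255.255.0.0
MAC Address             : 00:11:22:33:44:66
Default Gateway IP      : 172.16.0.1
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
""",
}

OOB_CIDR = "10.250.0.0/16"            # assumed out-of-band management network
PRODUCTION_CIDRS = ["172.16.0.0/16"]  # assumed production network(s)

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, OOB_CIDR, PRODUCTION_CIDRS).items():
        print(f"{name}: {'OK' if not findings else ', '.join(findings)}")
```

Run against the constructed inventory, sub1-hmi-srv01 reports no findings, while sub1-hmi-srv02 is flagged for sitting on the production network, for accepting the null cipher suite, and for allowing unauthenticated IPMI 1.5 sessions. The same parser can be fed the output of a scheduled collection job so that drift from the out-of-band design is caught rather than discovered during an incident.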


Best Practice Guidance
The best practice guidance for configuration ports is that they should be treated just
like any other security concern with regard to active monitoring and control. The steps
that should be taken include:
   1) Ensure that all configuration ports are connected to an out-of-band or
      management-specific network
   2) Segregate the out-of-band network from the normal or production network(s)
   3) Institute role-based access control over all configuration ports (restrict access,
      least privilege)
   4) Encrypt communications to configuration ports (where supported by the devices)
   5) Use proper or multi-factor authentication for access to configuration ports
   6) Persistently monitor all configuration ports to ensure that all access meets the
      security policy
   7) Log all access to configuration ports by each actor
   8) Log all privileged user activity over configuration ports
   9) Alert and alarm on specific messages or events detected on the access port
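Items 6 through 9 above are the part of the guidance that a utility can put into a running process. The following added example (not from the whitepaper or any vendor product) shows the shape of that process: every line of a console-session log is recorded with its actor (items 7 and 8), each actor is checked against a role-based allow-list per device (item 6), and an alarm is raised for any unauthorized actor or any command matching one of the privileged actions from the threat list above (item 9). The log layout, the command patterns, the device names, and the allow-list are assumptions, and the sample log lines are constructed.

```python
"""Added example (not from the whitepaper or any vendor product): run a
console-session log through a small policy engine that records every
access, records privileged commands, and raises alarms. The log format
and the command patterns are assumptions, not any product's format."""
import re
from dataclasses import dataclass

# Assumed record layout, one line per command typed on a console session:
#   <ISO-8601 time> <device name> <user> <command text>
LOG_LINE = re.compile(r"^(?P<time>\S+)\s+(?P<device>\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+)$")

# Privileged actions from the whitepaper's threat list, keyed to illustrative
# command patterns. Order matters: the first match names the rule.
ALARM_RULES = [
    ("firmware_change", re.compile(r"\b(firmware|fwupdate|flash|upgrade)\b", re.I)),
    ("account_change",  re.compile(r"\b(user\s+(add|del|set|priv)|useradd|userdel|passwd)\b", re.I)),
    ("port_change",     re.compile(r"\b(lan\s+set|ip\s+address|port\s+(enable|disable))\b", re.I)),
    ("config_change",   re.compile(r"\b(write\s+mem|copy\s+running|config\s+(load|save))\b", re.I)),
]


@dataclass(frozen=True)
class Event:
    time: str
    device: str
    user: str
    command: str
    rule: str          # name of the matched privileged-action rule, or ""


def classify(command):
    """Name the privileged-action rule a command matches, or ""."""
    for name, pattern in ALARM_RULES:
        if pattern.search(command):
            return name
    return ""


def process_console_log(lines, allowed_users):
    """Return (access_records, alarms).

    access_records: one Event per parsed line, so every access and every
    privileged action is logged with its actor.
    alarms: (reason, Event) pairs, raised when the actor is not on the
    device's allow-list or when the command matches a privileged-action rule.
    """
    access, alarms = [], []
    for raw in lines:
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue   # not a session record; a real collector would flag it
        ev = Event(m["time"], m["device"], m["user"], m["cmd"], classify(m["cmd"]))
        access.append(ev)
        if ev.user not in allowed_users.get(ev.device, set()):
            alarms.append(("unauthorized_user", ev))
        if ev.rule:
            alarms.append((ev.rule, ev))
    return access, alarms


# Constructed sample session log (not real data).
SAMPLE_LOG = """\
2011-06-01T02:14:05Z sub1-rtu-sw01  opsadmin show version
2011-06-01T02:15:12Z sub1-rtu-sw01  opsadmin copy running-config startup-config
2011-06-01T02:20:40Z sub1-hmi-srv02 fwteam   ipmitool user set priv 3 4
2011-06-01T02:21:03Z sub1-hmi-srv02 fwteam   fwupdate -f bmc_1.2.bin
2011-06-01T03:02:17Z sub1-hmi-srv02 jsmith   ipmitool lan set 1 ipaddr 10.20.30.40
"""

# Assumed role-based policy: which actors may use each device's console.
ALLOWED_USERS = {
    "sub1-rtu-sw01": {"opsadmin"},
    "sub1-hmi-srv02": {"opsadmin", "fwteam"},
}

if __name__ == "__main__":
    access, alarms = process_console_log(SAMPLE_LOG.splitlines(), ALLOWED_USERS)
    print(f"{len(access)} console actions logged, {len(alarms)} alarms")
    for reason, ev in alarms:
        print(f"ALARM {reason:18} {ev.time} {ev.device} {ev.user}: {ev.command}")
```

On the constructed log, all five actions are recorded, the authorized firmware and account changes by fwteam still raise alarms because they are privileged, and the last line raises two: jsmith is not on the allow-list for that server, and the command changes the BMC’s network address. Because the collector sits on the out-of-band path rather than on the device’s production network stack, it keeps working in the degraded conditions described earlier in which host-based agents are unavailable.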

One reference that can help in assessing or designing a secure out-of-band network
is available from the Defense Information Systems Agency:
http://iase.disa.mil/stigs/downloads/pdf/network_management_security_guidance_at-a-glance_v8r1.pdf

Various hardware and software solutions exist for managing the out-of-band network
per the best practice guidance provided above. These solutions should be evaluated
against existing security policies and wherever possible be capable of directly
supporting them programmatically to limit the scope of manual policy enforcement.


About This Whitepaper
This whitepaper was written to help address a security vulnerability that is often
overlooked and misunderstood in the Utility industry. The recommendations provided
are believed to be accurate in their applicability to, and support for, the DRAFT
NERC-CIP-007-5 R1. The additional areas of the DRAFT NERC-CIP-xxx-5 standard that we
will be discussing in upcoming whitepapers include: CIP-005, 007 (additional
sections), 008, 010, and 011.

Full Disclosure
This whitepaper was written and produced by TDi Technologies, a software vendor
that provides an out-of-band software solution to the Utility industry and other vertical
markets. The information presented here represents our best understanding of the
security issues associated with configuration ports, which is a problem area our
company focuses on. The whitepaper is intended to provide useful and educational
content that can assist Utility companies in providing secure, dependable power to
our Nation without interruption.

Future Whitepapers
If you would like to receive additional whitepapers on NERC-CIP from us as they
become available, please email us at info@tditechnologies.com.


©2011 – TDi Technologies, Inc.             www.tditechnologies.com                   Page |6

Mais conteúdo relacionado

Destaque

Persia
PersiaPersia
Persiaham97
 
Introduction to prog
Introduction to progIntroduction to prog
Introduction to progham97
 
Osservatorio Web Energia 2010-2011
Osservatorio Web Energia 2010-2011Osservatorio Web Energia 2010-2011
Osservatorio Web Energia 2010-2011Reputation Manager
 
Elkin Response 8 31 09
Elkin Response 8 31 09Elkin Response 8 31 09
Elkin Response 8 31 09bhtiv
 
Diffusion of Innovation by Aviroop Banik
Diffusion of Innovation by Aviroop BanikDiffusion of Innovation by Aviroop Banik
Diffusion of Innovation by Aviroop BanikAviroop Banik
 
Persia
PersiaPersia
Persiaham97
 
Shedding light on podcasting
Shedding light on podcastingShedding light on podcasting
Shedding light on podcastingCarrie Henderson
 
Curriculum Night Meddin
Curriculum Night MeddinCurriculum Night Meddin
Curriculum Night Meddinmmeddin
 
Greece
GreeceGreece
Greeceham97
 
Ogt 2006
Ogt 2006Ogt 2006
Ogt 2006ham97
 
Il risparmio gestito nell'era di internet: l'influenza delle opinioni on line...
Il risparmio gestito nell'era di internet: l'influenza delle opinioni on line...Il risparmio gestito nell'era di internet: l'influenza delle opinioni on line...
Il risparmio gestito nell'era di internet: l'influenza delle opinioni on line...Reputation Manager
 
Life sciences regulations in Russia - 2015
Life sciences regulations in Russia - 2015Life sciences regulations in Russia - 2015
Life sciences regulations in Russia - 2015Andrey Zelenin
 
The punic wars
The punic warsThe punic wars
The punic warsham97
 
소셜미디어를활용한온라인마케팅
소셜미디어를활용한온라인마케팅소셜미디어를활용한온라인마케팅
소셜미디어를활용한온라인마케팅DamianoJun
 
Doc6 Axel Medina Brochure
Doc6 Axel Medina BrochureDoc6 Axel Medina Brochure
Doc6 Axel Medina Brochuremaryalice124
 
Alexander The Great
Alexander The GreatAlexander The Great
Alexander The Greatham97
 
Introduction to Social Media
Introduction to Social MediaIntroduction to Social Media
Introduction to Social MediaLouise McGregor
 

Destaque (20)

Persia
PersiaPersia
Persia
 
Introduction to prog
Introduction to progIntroduction to prog
Introduction to prog
 
La cruz del cambio
La cruz del cambioLa cruz del cambio
La cruz del cambio
 
Osservatorio Web Energia 2010-2011
Osservatorio Web Energia 2010-2011Osservatorio Web Energia 2010-2011
Osservatorio Web Energia 2010-2011
 
Elkin Response 8 31 09
Elkin Response 8 31 09Elkin Response 8 31 09
Elkin Response 8 31 09
 
Diffusion of Innovation by Aviroop Banik
Diffusion of Innovation by Aviroop BanikDiffusion of Innovation by Aviroop Banik
Diffusion of Innovation by Aviroop Banik
 
Persia
PersiaPersia
Persia
 
Shedding light on podcasting
Shedding light on podcastingShedding light on podcasting
Shedding light on podcasting
 
Curriculum Night Meddin
Curriculum Night MeddinCurriculum Night Meddin
Curriculum Night Meddin
 
Greece
GreeceGreece
Greece
 
Ogt 2006
Ogt 2006Ogt 2006
Ogt 2006
 
Il risparmio gestito nell'era di internet: l'influenza delle opinioni on line...
Il risparmio gestito nell'era di internet: l'influenza delle opinioni on line...Il risparmio gestito nell'era di internet: l'influenza delle opinioni on line...
Il risparmio gestito nell'era di internet: l'influenza delle opinioni on line...
 
Life sciences regulations in Russia - 2015
Life sciences regulations in Russia - 2015Life sciences regulations in Russia - 2015
Life sciences regulations in Russia - 2015
 
Bis Tools Of It
Bis Tools Of ItBis Tools Of It
Bis Tools Of It
 
The punic wars
The punic warsThe punic wars
The punic wars
 
소셜미디어를활용한온라인마케팅
소셜미디어를활용한온라인마케팅소셜미디어를활용한온라인마케팅
소셜미디어를활용한온라인마케팅
 
Doc6 Axel Medina Brochure
Doc6 Axel Medina BrochureDoc6 Axel Medina Brochure
Doc6 Axel Medina Brochure
 
El Vuelo De Los Gansos
El Vuelo De Los GansosEl Vuelo De Los Gansos
El Vuelo De Los Gansos
 
Alexander The Great
Alexander The GreatAlexander The Great
Alexander The Great
 
Introduction to Social Media
Introduction to Social MediaIntroduction to Social Media
Introduction to Social Media
 

Último

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 

Último (20)

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 

NERC CIP 007 5 R1 White Paper

  • 1. CIP-007-5 R1 DRAFT: Understanding the Importance and Relevance of Configuration Ports to Utility Cyber Security Whitepaper
  • 2. CIP-007-5 R1 DRAFT: Understanding the Importance and Relevance of Configuration Ports to Utility Cyber Security Purpose Configuration ports on critical and non-critical cyber assets are often misunderstood and overlooked in the overall cyber security strategy. This paper discusses the importance of configuration ports in the overall cyber security strategy and how they apply to the NERC-CIP standard. An Industry Advisory from NERC with additional details on this subject is available here: http://www.nerc.com/fileUploads/File/Events%20Analysis/A-2008-05-13-1.pdf Introduction The NERC-CIP standard is the primary knowledge resource used by the Utility industry to ensure our nation’s power grid is protected from unintentional (accidental) and intentional (malicious) disruption. While the NERC-CIP standard takes a comprehensive approach to cyber security, there remain areas where the specific implications of security vulnerabilities are not understood by the industry at large. This whitepaper looks at the specific area of Configuration Ports as covered by NERC- CIP-007-5. What are Configuration Ports? Configuration ports exist on almost every hardware device in the IT infrastructure. These physical ports provide a special level of privilege access that can be used to: 1) Change Bios 2) Upgrade Firmware 3) Set Baseline Configuration 4) Build-out devices that have components (like servers) 5) Perform a variety of Administrative functions 6) Perform emergency repair or failure recovery when no other port is accessible Item six in the list above is very telling in respect to the important role these ports play in the cyber security strategy. Except for power supply or catastrophic electronic component failure, configuration ports are active at all times – even when conditions have degraded a device to the point that no other port can accept communications. They are the default emergency access point for every IT device. 
Per CIP-007-5 all ports should be either secured or disabled. This obviously includes configuration ports. However, most IT devices do not allow the disabling of these ©2011 – TDi Technologies, Inc. www.tditechnologies.com Page |2
  • 3. ports nor should these ports be disabled as they serve important purposes, including being the primary emergency access port. Instead, these ports must be secured. Types of Configuration Ports Most configuration ports are serial or TCP/IP. Most modern server hardware provides the configuration interface through a baseboard management controller with a TCP/IP interface that directly falls under the “routable protocol” definition in the standard. The baseboard management controller is a standalone, independent computer built into the server architecture and it is fully operational anytime power is supplied to the device chassis. Common vendor names for baseboard management controllers include iLo2 (HP), DRAC (DELL), and ALOM, ILOM (SUN/ORACLE). While configuration ports have been part of IT device design for decades, the baseboard management controller is a rapidly evolving form of modern configuration port capability. Modern server architectures with blades and blade chassis normally come with baseboard management controllers on the individual blades as well as on the chassis itself. Many networking devices such as routers and fabric switches, storage controllers along with specific-purpose appliances like firewalls and terminal servers often have a serial configuration port. The operation and availability (power to chassis) is the same as with servers. The primary difference is the type of communications protocol. Configuration port functionality is also replicated in most virtual machine designs with virtual consoles, or virtual serial consoles that can be accessed from the physical baseboard management controller of the physical host they reside on or via Secure Shell Network Connection. This allows remote configuration of the virtual guest operating system/machine, which in most cases is not logged or audited. ©2011 – TDi Technologies, Inc. www.tditechnologies.com Page |3
Access and Use of Configuration Ports
Configuration ports are often not connected to anything until they are needed, such as after a catastrophic failure. When a configuration port is not connected (the port is left open), access is achieved by connecting a computer to it, which requires the person connecting to be physically present where the device resides. More often, configuration ports are networked in some manner, and the network for these ports is commonly referred to as an out-of-band or management network. This out-of-band network is typically segregated from the normal or production network for additional security, due to the highly sensitive nature of configuration ports.

As noted above, configuration ports are used under a variety of operating conditions, including situations where the configuration port is the only accessible port on a device. This presents a problem for cyber security approaches that rely on normal networking being active (this includes all locally installed agent software), because their security capabilities are disabled during exactly the conditions under which access is likely to occur over the configuration port.

The key takeaways on access and use of configuration ports are:
1) Configuration ports either cannot or should not be disabled.
2) Security over unconnected (non-networked) configuration ports is limited to physical security.
3) Traditional cyber security approaches cannot secure configuration ports at all times.
4) Access to configuration ports is not audited or logged.
5) Authentication is often independent of the production methods, mostly because during an outage the production method of authentication may not be available.

Severity of the Cyber Security Threat
A significant influence on the severity of the threat an access port presents to the Utility organization is the privileged capabilities the port presents to its user. Configuration ports present an extremely high set of privileges that can be used to change almost anything on the target device. This level of privilege is why access to configuration ports is often referred to as having the "keys to the kingdom." The list of severe security threats over configuration ports is impossible to document fully, due to the range of privileged commands these ports provide to their users. Some of the more obvious threats are:
1) Communication ports can be changed or added.
2) Data can be copied.
3) Malware can be installed at multiple levels (BIOS, firmware, OS).
4) User accounts and privileges can be added, changed or deleted.
5) Device configuration can be changed.
6) The ports are "discoverable", making them targets for malicious actors.

The simple fact is that configuration ports are an extremely high security issue that can be exploited under a variety of scenarios where other security technologies, techniques and practices cannot detect an active exploit. In addition, many baseboard management controllers now allow side-band access, which lets them be reached even when their dedicated port is not connected to anything. With side-band access, the baseboard management controller shares one of the device's other network interfaces, so it can be reached over the production network while its dedicated management port remains unconnected. This means that the threats identified above may remain in force even when the out-of-band network is in place and properly segregated from the production network (depending on the specifics of the baseboard management controller by vendor, and possibly on its configuration). This also increases the risk of these ports being improperly secured, discovered and compromised. A practical check is to scan the production address ranges for the management protocols a BMC speaks (for example IPMI on UDP port 623 and the BMC's web interface); a controller that answers from a production address is reachable side-band regardless of how the dedicated port is cabled.

Best Practice Guidance
The best practice guidance for configuration ports is that they should be treated just like any other security concern with regard to active monitoring and control. The steps that should be taken include:
1) Ensure that all configuration ports are connected to an out-of-band or management-specific network.
2) Segregate the out-of-band network from the normal or production network(s).
3) Institute role-based access and control over all configuration ports (restrict access, least privilege).
4) Encrypt communications to configuration ports (where supported by the devices).
5) Use proper or multi-factor authentication to configuration ports.
6) Persistently monitor all configuration ports to ensure all access meets the security policy.
7) Log all access to configuration ports by each actor.
8) Log all privileged user activity over configuration ports.
9) Alert and alarm on specific messages or events detected on the access port.

One reference that can help in assessing or designing a secure out-of-band network is available from the Defense Information Systems Agency:
http://iase.disa.mil/stigs/downloads/pdf/network_management_security_guidance_at-a-glance_v8r1.pdf

Various hardware and software solutions exist for managing the out-of-band network per the best practice guidance provided above. These solutions should be evaluated against existing security policies and, wherever possible, should be capable of directly supporting them programmatically, to limit the scope of manual policy enforcement.

About This Whitepaper
This whitepaper was written to help address a security vulnerability that is often overlooked and misunderstood in the Utility industry. The recommendations provided are believed to be accurate in their applicability and support for the DRAFT NERC-CIP-007-5 R1. The additional areas of the DRAFT NERC-CIP-xxx-5 standard that we will be discussing in upcoming whitepapers include CIP-005, CIP-007 (additional sections), CIP-008, CIP-010 and CIP-011.

Full Disclosure
This whitepaper was written and produced by TDi Technologies, a software vendor that provides an out-of-band software solution to the Utility industry and other vertical markets. The information presented here represents our best understanding of the security issues associated with configuration ports, which is a problem area our company focuses on. The whitepaper is intended to provide useful and educational content that can assist Utility companies in providing secure, dependable power to our Nation without interruption.

Future Whitepapers
If you would like to receive additional whitepapers on NERC-CIP from us as they become available, please email us at info@tditechnologies.com.
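Steps 6 through 9 of the Best Practice Guidance above (monitor, log, alert and alarm), worked as an added example in Python that is not part of the original whitepaper and not TDi Technologies' product: it parses a constructed out-of-band session log, checks each login against a hypothetical role and multi-factor policy, flags logged ports that have no policy at all, and raises an alarm on the privileged activity the paper lists as threats (firmware and BIOS changes, account changes, boot-path changes). The key=value log format, the device and actor names, the policy table and the command patterns are all assumptions chosen for the example.

```python
"""Added example: policy checks over out-of-band configuration-port session logs.

Illustrative code written for this page, not TDi Technologies' product. The log
format, device names, policy table and command patterns are assumptions; map them
onto what your console server or BMC actually emits.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample session log (not real data). One record per line:
# a timestamp, then key=value pairs; command text is quoted.
SAMPLE_LOG = """\
2011-04-12T02:13:45Z device=sub7-rtu1 port=serial actor=jdoe role=field-tech mfa=yes event=login
2011-04-12T02:14:10Z device=sub7-rtu1 port=serial actor=jdoe role=field-tech mfa=yes event=cmd text="show running-config"
2011-04-12T02:15:02Z device=sub7-rtu1 port=serial actor=jdoe role=field-tech mfa=yes event=cmd text="copy tftp://10.9.9.9/image.bin flash:"
2011-04-12T02:20:40Z device=sub7-rtu1 port=serial actor=jdoe role=field-tech mfa=yes event=logout
2011-04-12T09:30:00Z device=ems-srv3 port=bmc actor=svc_backup role=operator mfa=no event=login
2011-04-12T09:31:12Z device=ems-srv3 port=bmc actor=svc_backup role=operator mfa=no event=cmd text="user set name 3 backdoor"
2011-04-12T09:32:05Z device=ems-srv3 port=bmc actor=svc_backup role=operator mfa=no event=cmd text="chassis bootdev pxe"
2011-04-12T11:05:19Z device=hist-srv9 port=bmc actor=mwong role=sys-admin mfa=yes event=login
"""

# Hypothetical access policy (steps 3 and 5): which roles may open each device's
# configuration port, and whether multi-factor authentication is mandatory.
POLICY: Dict[str, Dict] = {
    "sub7-rtu1": {"roles": {"field-tech", "net-admin"}, "mfa": False},
    "ems-srv3": {"roles": {"sys-admin"}, "mfa": True},
}

# Privileged activity that should raise an alarm (step 9): the threats the paper
# lists, i.e. firmware/BIOS changes, account changes and boot-path changes.
ALARM_PATTERNS = [
    ("firmware or image change", re.compile(r"\b(copy .*flash|firmware|bios|upgrade)\b", re.I)),
    ("account change", re.compile(r"\b(user (set|add|del)|useradd|passwd)\b", re.I)),
    ("boot device change", re.compile(r"\bboot(dev| device|order)\b", re.I)),
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    severity: str  # "ALERT" (policy violation) or "ALARM" (privileged activity)
    device: str
    actor: str
    reason: str
    line: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one record into a dict; return None for blank or malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for key, value in KV_RE.findall(m.group("kv")):
        rec[key] = value.strip('"')
    if "device" not in rec or "event" not in rec:
        return None
    return rec


def evaluate(log_text: str, policy: Dict[str, Dict] = POLICY) -> List[Finding]:
    """Apply the policy to every record (step 6) and collect alerts and alarms."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        device, actor = rec["device"], rec.get("actor", "?")
        rule = policy.get(device)
        if rec["event"] == "login":
            if rule is None:
                # A port we are logging but have no policy for is itself a gap (step 1).
                findings.append(Finding("ALERT", device, actor,
                                        "device not in policy: unmanaged configuration port", line))
                continue
            if rec.get("role") not in rule["roles"]:
                findings.append(Finding("ALERT", device, actor,
                                        f"role {rec.get('role')} not permitted on this port", line))
            if rule["mfa"] and rec.get("mfa") != "yes":
                findings.append(Finding("ALERT", device, actor,
                                        "multi-factor authentication required but not used", line))
        elif rec["event"] == "cmd":
            # Every command is already in the log (steps 7 and 8); here we only
            # pick out the ones that deserve an immediate alarm.
            text = rec.get("text", "")
            for label, pattern in ALARM_PATTERNS:
                if pattern.search(text):
                    findings.append(Finding("ALARM", device, actor,
                                            f"privileged activity: {label}", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by severity, for a dashboard or a nightly report."""
    counts = {"ALERT": 0, "ALARM": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = evaluate(SAMPLE_LOG)
    for f in results:
        print(f"{f.severity:5} {f.device:10} {f.actor:11} {f.reason}")
    print(summarize(results))
```

Run against the constructed log, the script surfaces the two situations the paper warns about: a BMC session opened by a role the policy does not permit and without multi-factor authentication, followed by an account change and a boot-path change, and a server whose management port is being logged but has no policy entry at all. Note that the collector receiving these records must itself sit on the out-of-band network (steps 1 and 2); an agent that depends on the production network is blind during exactly the outages in which these sessions occur.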