NERC CIP-007-5 R1 White Paper

While NERC CIP Version 5 was being drafted, TDi took a serious look at CIP-007 (ports and services) and the configuration ports it covers, and wrote this educational white paper.


CIP-007-5 R1 DRAFT: Understanding the Importance and Relevance of Configuration Ports to Utility Cyber Security (Whitepaper)
©2011 – TDi Technologies, Inc. www.tditechnologies.com

Purpose

Configuration ports on critical and non-critical cyber assets are often misunderstood and overlooked in the overall cyber security strategy. This paper discusses the importance of configuration ports in the overall cyber security strategy and how they apply to the NERC-CIP standard. An Industry Advisory from NERC with additional details on this subject is available here: http://www.nerc.com/fileUploads/File/Events%20Analysis/A-2008-05-13-1.pdf

Introduction

The NERC-CIP standard is the primary knowledge resource used by the Utility industry to ensure our nation's power grid is protected from unintentional (accidental) and intentional (malicious) disruption. While the NERC-CIP standard takes a comprehensive approach to cyber security, there remain areas where the specific implications of security vulnerabilities are not understood by the industry at large. This whitepaper looks at the specific area of Configuration Ports as covered by NERC-CIP-007-5.

What are Configuration Ports?

Configuration ports exist on almost every hardware device in the IT infrastructure. These physical ports provide a special level of privileged access that can be used to:
 1) Change BIOS settings
 2) Upgrade firmware
 3) Set the baseline configuration
 4) Build out devices that have components (like servers)
 5) Perform a variety of administrative functions
 6) Perform emergency repair or failure recovery when no other port is accessible

Item six in the list above is very telling in respect to the important role these ports play in the cyber security strategy. Except for power supply or catastrophic electronic component failure, configuration ports are active at all times – even when conditions have degraded a device to the point that no other port can accept communications. They are the default emergency access point for every IT device.

Per CIP-007-5 R1, every port should be either secured or disabled. This obviously includes configuration ports. However, most IT devices do not allow these ports to be disabled, nor should they be disabled, as they serve important purposes, including being the primary emergency access port. Instead, these ports must be secured.

Types of Configuration Ports

Most configuration ports are serial or TCP/IP. Most modern server hardware provides the configuration interface through a baseboard management controller (BMC) with a TCP/IP interface that directly falls under the "routable protocol" definition in the standard. The baseboard management controller is a standalone, independent computer built into the server architecture, and it is fully operational any time power is supplied to the device chassis. Common vendor names for baseboard management controllers include iLO 2 (HP), DRAC (Dell), and ALOM and ILOM (Sun/Oracle).

While configuration ports have been part of IT device design for decades, the baseboard management controller is a rapidly evolving form of modern configuration port capability. Modern server architectures with blades and blade chassis normally come with baseboard management controllers on the individual blades as well as on the chassis itself.

Many networking devices such as routers and fabric switches, storage controllers, and specific-purpose appliances like firewalls and terminal servers often have a serial configuration port. The operation and availability (power to chassis) is the same as with servers. The primary difference is the type of communications protocol.

Configuration port functionality is also replicated in most virtual machine designs with virtual consoles, or virtual serial consoles, that can be accessed from the physical baseboard management controller of the physical host they reside on or via a Secure Shell network connection. This allows remote configuration of the virtual guest operating system/machine, which in most cases is not logged or audited.
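Because a BMC is an independent computer with its own TCP/IP stack, it can be located from whatever network segment its interface is reachable from, not only from the management network. The following is an added example (not code from the TDi white paper or from any BMC vendor) that finds IPMI-capable controllers by sending the RMCP/ASF "Presence Ping" that every IPMI 2.0 BMC answers on UDP port 623 and decoding the "Presence Pong" it returns. Packet layouts follow the DMTF ASF 2.0 and IPMI 2.0 RMCP specifications; the 192.0.2.0/28 subnet, the timeouts, and the SAMPLE_PONG bytes are constructed for the example.

```python
"""Locate IPMI baseboard management controllers by RMCP/ASF presence ping.

Added example (not from the TDi white paper): an IPMI-capable BMC answers an
ASF "Presence Ping" on UDP 623 with a "Presence Pong" whose data says whether
IPMI is supported. Sending the ping to every address on a subnet is a quick
way to find BMCs reachable from that subnet. Subnet and timeout values below
are assumptions; SAMPLE_PONG is a constructed reply.
"""
import ipaddress
import socket
import struct
from typing import Optional

RMCP_PORT = 623
RMCP_VERSION = 0x06
RMCP_SEQ_NO_ACK = 0xFF        # sequence 0xFF: no RMCP acknowledgement expected
RMCP_CLASS_ASF = 0x06
ASF_IANA = 0x000011BE         # IANA enterprise number 4542 (ASF)
ASF_PRESENCE_PING = 0x80
ASF_PRESENCE_PONG = 0x40

# Constructed pong as a BMC would send it: RMCP header, ASF header, 16 data bytes.
SAMPLE_PONG = bytes.fromhex(
    "0600ff06"            # RMCP: version 6, reserved, seq 0xFF, class ASF
    "000011be40010010"    # ASF: IANA 4542, type 0x40 (pong), tag 1, reserved, data len 16
    "000011be00000000"    # pong data: OEM IANA, OEM defined
    "8180"                # supported entities (bit7 IPMI, low nibble ASF v1), interactions
    "000000000000"        # reserved
)


def build_presence_ping(tag: int = 0x01) -> bytes:
    """RMCP header (4 bytes) + ASF header (8 bytes); a ping carries no data."""
    rmcp = struct.pack("!BBBB", RMCP_VERSION, 0x00, RMCP_SEQ_NO_ACK, RMCP_CLASS_ASF)
    asf = struct.pack("!IBBBB", ASF_IANA, ASF_PRESENCE_PING, tag & 0xFF, 0x00, 0x00)
    return rmcp + asf


def parse_presence_pong(packet: bytes, expected_tag: Optional[int] = None) -> Optional[dict]:
    """Return pong details, or None if packet is not a valid ASF presence pong."""
    if len(packet) < 12 + 16:
        return None
    version, _reserved, _seq, cls = struct.unpack("!BBBB", packet[:4])
    if version != RMCP_VERSION or cls & 0x0F != RMCP_CLASS_ASF:
        return None
    iana, msg_type, tag, _reserved, data_len = struct.unpack("!IBBBB", packet[4:12])
    if iana != ASF_IANA or msg_type != ASF_PRESENCE_PONG or data_len < 16:
        return None
    if expected_tag is not None and tag != expected_tag:
        return None
    # Pong data: OEM IANA (4), OEM defined (4), supported entities (1),
    # supported interactions (1), reserved (6).
    oem_iana, oem_defined, entities, interactions = struct.unpack("!IIBB", packet[12:22])
    return {
        "tag": tag,
        "oem_iana": oem_iana,
        "oem_defined": oem_defined,
        "ipmi_supported": bool(entities & 0x80),    # bit 7: IPMI supported
        "asf_version": entities & 0x0F,             # bits 0-3: ASF version
        "security_extensions": bool(interactions & 0x80),
    }


def probe_bmc(host: str, timeout: float = 1.0, tag: int = 0x01) -> Optional[dict]:
    """Send one presence ping to host:623 and parse the reply, if any arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_presence_ping(tag), (host, RMCP_PORT))
        try:
            data, _addr = sock.recvfrom(512)
        except socket.timeout:
            return None
    return parse_presence_pong(data, expected_tag=tag)


def sweep_subnet(cidr: str, timeout: float = 0.5) -> dict:
    """Map each address in cidr that answers as an IPMI BMC to its parsed pong."""
    found = {}
    for addr in ipaddress.ip_network(cidr, strict=False).hosts():
        pong = probe_bmc(str(addr), timeout=timeout)
        if pong and pong["ipmi_supported"]:
            found[str(addr)] = pong
    return found


if __name__ == "__main__":
    print("constructed pong decodes to:", parse_presence_pong(SAMPLE_PONG, expected_tag=1))
    # Assumed production subnet: any BMC answering here is reachable in-band.
    for host, info in sweep_subnet("192.0.2.0/28").items():
        print(f"{host}: IPMI BMC, ASF v{info['asf_version']}, OEM IANA {info['oem_iana']}")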
Access and Use of Configuration Ports

Configuration ports are often not connected to anything until they are needed, such as during a catastrophic failure. When a configuration port is not connected (the port is left open), access is achieved by connecting a computer to the configuration port, which requires the person connecting to the port to be physically present where the device resides.

More often, configuration ports are networked in some manner, with the network for these ports commonly referred to as an out-of-band or management network. This out-of-band network is typically segregated from the normal or production network for additional security due to the highly sensitive nature of configuration ports.

As noted above, configuration ports are used under a variety of operating conditions, including situations where the configuration port is the only accessible port on a device. This presents a problem for cyber security approaches that rely on normal networking to be active (this includes all locally installed agent software), because their security capabilities are disabled under exactly the conditions where access is likely to occur over the configuration port.

The key takeaways on access and use of configuration ports are:
 1) Configuration ports either cannot or should not be disabled
 2) Security over unconnected (non-networked) configuration ports is limited to physical security
 3) Traditional cyber security approaches cannot secure configuration ports at all times
 4) Access to configuration ports is not audited or logged
 5) Authentication is often independent of the production methods, mostly because during an outage the production method of authentication may not be available

Severity of the Cyber Security Threat

A significant influence on the severity of the threat an access port presents to the Utility organization is the privileged capabilities the port presents to its user. Configuration ports present an extremely high set of privileges that can be used to change almost anything on the target device. This level of privilege is why access to configuration ports is often referred to as having the "keys to the kingdom."

The list of severe security threats over configuration ports is impossible to fully document due to the range of privileged commands these ports provide to their users. Some of the more obvious threats are:
 • communication ports can be changed or added
 • data can be copied
 • malware can be installed at multiple levels (BIOS, firmware, OS)
 • user accounts and privileges can be added, changed or deleted
 • device configuration can be changed
 • ports are "discoverable," making them targets for malicious actors

The simple fact is that configuration ports are an extremely high security issue that can be exploited under a variety of scenarios where other security technologies, techniques, and practices cannot detect an active exploit.

In addition, many baseboard management controllers now allow side-band access, which lets them be reached even when their dedicated port is not connected to anything. With side-band access, the baseboard management controller can use other TCP/IP ports on the device, enabling the baseboard management controller to be accessed even while its dedicated port remains unconnected. Whether a given controller uses a shared or a dedicated network port is a configurable setting on most vendors' BMCs, so the actual exposure has to be verified per device rather than assumed from the cabling.

This means that the threats identified above may remain in force even when the out-of-band network is in place and properly segregated from the production network (depending on the specifics of the baseboard management controller by vendor, and possibly its configuration). This also increases the risk of these ports being improperly secured, discovered, and compromised.

Best Practice Guidance

The best practice guidance for configuration ports is that they should be treated just like any other security concern in regards to active monitoring and control. The steps that should be taken include:
 1) Ensure that all configuration ports are connected to an out-of-band or management-specific network
 2) Segregate the out-of-band network from the normal or production network(s)
 3) Institute role-based access and control over all configuration ports (restrict access, least privilege)
 4) Encrypt communications to configuration ports (where supported by devices)
 5) Use proper or multi-factor authentication to configuration ports
 6) Persistently monitor all configuration ports to ensure all access meets the security policy
 7) Log all access to configuration ports by each actor
 8) Log all privileged user activity over configuration ports
 9) Alert and alarm on specific messages or events detected on the access port

One reference that can help in assessing or designing a secure out-of-band network is available from the Defense Information Systems Agency: http://iase.disa.mil/stigs/downloads/pdf/network_management_security_guidance_at-a-glance_v8r1.pdf

Various hardware and software solutions exist for managing the out-of-band network per the best practice guidance provided above. These solutions should be evaluated against existing security policies and wherever possible be capable of directly supporting them programmatically, to limit the scope of manual policy enforcement.

About This Whitepaper

This whitepaper was written to help address a security vulnerability that is often overlooked and misunderstood in the Utility industry. The recommendations provided are believed to be accurate in their applicability and support for the DRAFT NERC-CIP-007-5 R1. The additional areas of the DRAFT NERC-CIP-xxx-5 standard that we will be discussing in upcoming whitepapers include: CIP-005, 007 (additional sections), 008, 010, and 011.

Full Disclosure

This whitepaper was written and produced by TDi Technologies, a software vendor that provides an out-of-band software solution to the Utility industry and other vertical markets. The information presented here represents our best understanding of the security issues associated with configuration ports, which is a problem area our company focuses on. The whitepaper is intended to provide useful and educational content that can assist Utility companies in providing secure, dependable power to our Nation without interruption.

Future Whitepapers

If you would like to receive additional whitepapers on NERC-CIP from us as they become available, please email us at info@tditechnologies.com.
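The Best Practice Guidance above asks for role-based access to configuration ports (step 3), persistent monitoring against a security policy (step 6), logging of every actor and every privileged action (steps 7 and 8), and alarms on specific events (step 9). The following is an added example, not code from the TDi white paper or from any vendor's product, of what "supporting the policy programmatically" looks like: a small policy model is evaluated against session logs from a hypothetical out-of-band console gateway. The log format, the "oob-gw" host, the users, devices, roles, command lists and the 10.20.0.0/24 management network are all constructed for the example.

```python
"""Policy checks over configuration-port access logs.

Added example, not from the TDi white paper. Each log line is one event from
a hypothetical out-of-band console gateway (format constructed for this
example). The checks raise an ALERT when a login comes from a user with no
role covering the device, when a session is opened from outside the
management network, or when a privileged command is run by a role without
privilege, and an ALARM whenever an alarm-listed command is seen at all.
"""
import ipaddress
import re
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List

# key=value fields; values may be double-quoted (text="configure terminal").
_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


@dataclass
class Role:
    devices: List[str]          # glob patterns for devices this role may reach
    privileged: bool            # may run configuration-changing commands
    sources: List[str]          # networks sessions may be opened from


@dataclass
class Policy:
    roles: dict                 # role name -> Role
    users: dict                 # user -> list of role names
    privileged_cmds: List[str]  # command prefixes treated as privileged
    alarm_cmds: List[str]       # commands that always raise an ALARM


# Constructed policy: assumed roles, users and management network.
POLICY = Policy(
    roles={
        "net-ops": Role(["rtr-*", "sw-*"], privileged=True, sources=["10.20.0.0/24"]),
        "server-ro": Role(["ems-*"], privileged=False, sources=["10.20.0.0/24"]),
        "server-admin": Role(["ems-*"], privileged=True, sources=["10.20.0.0/24"]),
    },
    users={"jsmith": ["net-ops"], "dlee": ["server-admin"], "contractor1": ["server-ro"]},
    privileged_cmds=["configure", "power", "fw ", "user ", "copy "],
    alarm_cmds=["power reset", "fw update", "user add"],
)

# Constructed sample log from the hypothetical gateway.
SAMPLE_LOG = [
    '2011-06-14T02:17:05Z oob-gw session=1041 user=jsmith device=rtr-sub7 port=serial action=login src=10.20.0.5',
    '2011-06-14T02:18:03Z oob-gw session=1041 user=jsmith device=rtr-sub7 port=serial action=cmd text="configure terminal"',
    '2011-06-14T09:05:12Z oob-gw session=1042 user=contractor1 device=ems-db01 port=ilo action=login src=172.16.9.9',
    '2011-06-14T09:05:40Z oob-gw session=1042 user=contractor1 device=ems-db01 port=ilo action=cmd text="power reset"',
    '2011-06-14T09:30:00Z oob-gw session=1043 user=dlee device=ems-db01 port=ilo action=login src=10.20.0.7',
    '2011-06-14T09:31:02Z oob-gw session=1043 user=dlee device=ems-db01 port=ilo action=cmd text="fw update"',
    '2011-06-14T11:02:44Z oob-gw session=1044 user=pwong device=sw-core1 port=serial action=login src=10.20.0.9',
]


def parse_line(line: str) -> dict:
    """Split 'timestamp host k=v k="v v" ...' into a dict."""
    ts, host, rest = line.split(" ", 2)
    fields = {"ts": ts, "host": host}
    for m in _FIELD.finditer(rest):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def roles_for(policy: Policy, user: str, device: str) -> List[Role]:
    """Roles held by user whose device patterns cover device."""
    return [policy.roles[r] for r in policy.users.get(user, [])
            if any(fnmatch(device, pat) for pat in policy.roles[r].devices)]


def evaluate(policy: Policy, lines: List[str]) -> List[dict]:
    """Return one alert dict per policy violation or alarm-listed command."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        user, device = ev.get("user", "?"), ev.get("device", "?")
        roles = roles_for(policy, user, device)
        base = {"ts": ev["ts"], "session": ev.get("session"), "user": user, "device": device}
        if ev.get("action") == "login":
            if not roles:
                alerts.append({**base, "level": "ALERT", "reason": "no role grants access to device"})
                continue
            src = ev.get("src")
            allowed = src is not None and any(
                ipaddress.ip_address(src) in ipaddress.ip_network(net) for r in roles for net in r.sources)
            if not allowed:
                alerts.append({**base, "level": "ALERT", "reason": f"login from non-management source {src}"})
        elif ev.get("action") == "cmd":
            cmd = ev.get("text", "")
            if any(cmd.startswith(a) for a in policy.alarm_cmds):
                alerts.append({**base, "level": "ALARM", "reason": f"alarm-listed command: {cmd}"})
            if any(cmd.startswith(p) for p in policy.privileged_cmds) and not any(r.privileged for r in roles):
                alerts.append({**base, "level": "ALERT", "reason": f"privileged command without privileged role: {cmd}"})
    return alerts


if __name__ == "__main__":
    for a in evaluate(POLICY, SAMPLE_LOG):
        print(f"{a['ts']} {a['level']:5} session={a['session']} {a['user']}@{a['device']}: {a['reason']}")
```

Session 1041 produces nothing: jsmith holds a privileged role for the router and connects from the management network. Session 1042 shows both kinds of finding at once, a login from outside the management network and a privileged "power reset" by a read-only role, and the same command also trips the alarm list, which is the point of step 9: an alarm-listed action is reported even when the actor is authorized, as with dlee's firmware update in session 1043.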