Cyber Asset Lifecycle and Change Management
CSWG Salt Lake, UT
July 25, 2018
Speaker Introduction: Michael Cole
• TID Control System Cybersecurity Analyst
• U.S. Navy: Aviation Electronics Technician (97-2002)
• B.S. Computer Science, Cal-State University Stanislaus (2006)
• CCNP: Cisco Certified Network Professional (2013)
• CISSP: Certified Information Systems Security Professional (2016)
• 7 years in IT, 5 years in OT/EMS/Compliance
• Married 14 years, 4 Children
Agenda
• Change Management Overview
• NIST Cybersecurity Framework
• NIST SP 800-53 Controls
• TID’s Cybersecurity Program
• TID’s Asset and Change Management Policy
• TID’s Implementation
CIP-010-2 R1, R2
• 1.1: Develop a baseline configuration
• 1.2: Authorize and document changes
• 1.3: For changes, update the baseline configuration
• 1.4: Verify and document cyber security controls
• 1.5: Test and document changes prior to implementation
• 2.1: Monitor changes to the baseline configuration
Cyber Asset Lifecycle
• Cyber Asset Lifecycle (IEEE 1220)
– Development: Planning and execution
– Manufacturing: Test model and prototypes
– Test: Evaluation against requirements
– Distribution: Transport and deliver
– Operations: System usage
– Support: Maintenance and materials
– Training: Knowledge/skills to perform operations
– Disposal: Destroyed per requirements
Holistic Cyber Asset Lifecycle View
• What are the cyber security requirements for the Cyber Asset Lifecycle?
• How do they fit into the overall cyber security strategy?
• What additional standards can be managed beyond CIP-010? (CIP-005, CIP-007, CIP-011)
NIST Cybersecurity Framework
[Figure: NIST Cybersecurity Framework]
NIST Cybersecurity Framework
[Figure: NIST Cybersecurity Framework functions mapped to CIP-010 requirements: CIP-010 R1.1, R1.3; CIP-010 R1.1.1-R1.1.5; CIP-010 R2; CIP-010 R1.2, R1.4]
NIST Cybersecurity Framework
[Figure: NIST Cybersecurity Framework; CIP-010 R1.1.1-R1.1.5]
Identify: Asset Management
• ID.AM-2: Software platforms and applications within the organization are inventoried
– CIP-010 R1.1.1 Operating Systems
– CIP-010 R1.1.2-1.1.3 Software
– CIP-010 R1.1.4 Network ports
– CIP-010 R1.1.5 Security Patches
Identify: Asset Management
• Configuration Management Controls
– CM-8: Information System Component Inventory
• Develops and documents an inventory of information system components
• Reviews and updates the information system component inventory
Identify: Asset Management
• Enhancements for CM-8: Information System Component Inventory
– Updates during installations and removals
• Inventory updates are an integral part of the installation and removal process
– Automated maintenance
• Software-assisted detection and validation of baseline/assets
– Accountability information
• The inventory contains ownership information
NIST Cybersecurity Framework
[Figure: NIST Cybersecurity Framework; CIP-010 R1.1, R1.3; CIP-010 R1.2, R1.4]
Protect: Information Protection
• PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained
– CIP-010 R1.1 Develop a baseline configuration
– CIP-010 R1.3 For a change that deviates from the baseline, update the baseline configuration
Protect: Information Protection
• Configuration Management Controls
– CM-2: Baseline Configuration
• Establish a baseline configuration that contains software, OS, patches, network topology, and placement in the system architecture
• Formally documented and reviewed
• New baselines are built based on changing requirements
Protect: Information Protection
• Enhancements for CM-2: Baseline Configuration
– Reviews and updates
• Recurring frequency not driven by change
• Part of installation or upgrade
– Automation support for accuracy
• Hardware, software and patch inventory tools
• Configuration management tools
Protect: Information Protection
• Enhancements for CM-2: Baseline Configuration
– Retention of previous configurations
• Restore points
– Development and test environments
• Baselining test and production systems
• The results of testing are representative of the proposed changes to operational systems
Protect: Information Protection
• Configuration Management Controls
– CM-6: Configuration Settings
• Configuration settings are based on checklists and reflect the most restrictive mode consistent with requirements
• Implements configuration settings
• Identifies any deviations from organizational requirements
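The checklist-driven verification CM-6 calls for, as an added example that is not part of the presentation or of TID's tooling: each checklist item carries the required value together with the comparison that expresses "most restrictive mode consistent with requirements" (a stricter observed value passes, a looser one is a deviation), the check runs against constructed observed settings, and a deviation that has an approved exception on file is reported separately from unexplained drift. Every setting name, value and ticket number below is hypothetical.

```python
"""Checklist-driven configuration settings verification (NIST SP 800-53 CM-6).

Added example; not part of the presentation or of TID's tooling. The checklist,
the observed settings and the approved-exception record below are constructed,
and every setting name, value and ticket number is hypothetical.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


# "Most restrictive mode consistent with requirements": a setting passes when it is
# at least as restrictive as the checklist value, not only when it matches exactly.
def at_least(observed, required) -> bool:   # floors, e.g. minimum password length
    return observed >= required


def at_most(observed, required) -> bool:    # ceilings, e.g. lockout threshold
    return observed <= required


def equals(observed, required) -> bool:     # exact, e.g. a service must be disabled
    return observed == required


@dataclass(frozen=True)
class CheckItem:
    setting: str
    required: object
    satisfies: Callable[[object, object], bool]
    rationale: str


# Constructed hardening checklist (hypothetical values, not a published benchmark).
CHECKLIST: List[CheckItem] = [
    CheckItem("password_min_length", 14, at_least, "Password policy"),
    CheckItem("account_lockout_threshold", 5, at_most, "Limit credential guessing"),
    CheckItem("telnet_service", "disabled", equals, "No clear-text remote access"),
    CheckItem("audit_logging", "enabled", equals, "Security event logging"),
]


@dataclass
class Deviation:
    setting: str
    observed: object          # None when the setting was not collected at all
    required: object
    approved_by: Optional[str] = None  # ticket/approver when an exception is on file


def verify_settings(observed: Dict[str, object],
                    checklist: List[CheckItem],
                    approved_exceptions: Dict[str, str]) -> List[Deviation]:
    """Return every checklist item the observed settings fail.

    A setting that was not collected is a deviation, not a pass. Approved
    exceptions are still listed, but tagged, so the report separates documented
    deviations from unexplained ones.
    """
    deviations: List[Deviation] = []
    for item in checklist:
        value = observed.get(item.setting)
        if value is None or not item.satisfies(value, item.required):
            deviations.append(Deviation(item.setting, value, item.required,
                                        approved_exceptions.get(item.setting)))
    return deviations


def unexplained(deviations: List[Deviation]) -> List[Deviation]:
    """Deviations with no approved exception: these need a change ticket or a fix."""
    return [d for d in deviations if d.approved_by is None]


# Constructed settings as collected from one host; audit_logging was not collected.
SAMPLE_OBSERVED: Dict[str, object] = {
    "password_min_length": 16,          # stricter than required: passes
    "account_lockout_threshold": 10,    # looser than required: deviation
    "telnet_service": "enabled",        # deviation
}
# Hypothetical approved exception recorded against a hypothetical change ticket.
SAMPLE_EXCEPTIONS: Dict[str, str] = {
    "account_lockout_threshold": "CM-2018-0017 (legacy HMI vendor requirement)",
}


if __name__ == "__main__":
    for d in verify_settings(SAMPLE_OBSERVED, CHECKLIST, SAMPLE_EXCEPTIONS):
        status = "documented" if d.approved_by else "UNEXPLAINED"
        print(f"{status:12} {d.setting}: observed={d.observed!r} required={d.required!r}")
```

Treating an uncollected setting as a deviation rather than a pass is deliberate: a gap in the evidence is the case an auditor will ask about, and silently passing it would hide a collector failure.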
Protect: Information Protection
• Enhancements for CM-6: Configuration Settings
– Automated centralized management/application/verification
• Software-assisted management of applications and verification
Protect: Information Protection
• PR.IP-3: Configuration change control processes are in place
– CIP-010 R1.2 Authorize and document changes that deviate from the existing baseline configuration
– CIP-010 R1.4 Security controls verification and documentation
Protect: Information Protection
• Configuration Management Controls
– CM-3: Configuration Change Control
• Determines which changes are configuration-controlled
• Reviews and approves proposed configuration changes with an understanding of the security impact
• Documents the rationale for the change
• Retains change documentation
• Audits and reviews activities associated with changes
Protect: Information Protection
• Enhancements for CM-3: Configuration Change Control
– Automated documentation, notification and prohibition of change
• The change is documented in a system and is automatically sent to designated personnel for approval
• The change cannot proceed without approval
• Notification that the change is complete
– Test, validate and document
• Testing does not interfere with production
Protect: Information Protection
• Configuration Management Controls
– CM-4: Security Impact Analysis
• Security impact analysis is conducted prior to the change
Protect: Information Protection
• Enhancements for CM-4: Security Impact Analysis
– Separate test environments
• Physical or logical separation
• Virtual machine copies of production
– Verification of security functions
• Security software and settings are functioning as required
NIST Cybersecurity Framework
[Figure: NIST Cybersecurity Framework; CIP-010 R2]
Detect: Security Continuous Monitoring
• DE.CM-1: The network is monitored to detect potential cybersecurity events
– CIP-010 R2 Monitor changes to the baseline configuration. Investigate unauthorized changes.
Detect: Security Continuous Monitoring
• Configuration Management Controls
– CM-6: Configuration Settings
• Monitors and controls changes to the configuration settings
Detect: Security Continuous Monitoring
• Enhancements for CM-6: Configuration Settings
– Automated central management
• The same system that manages baseline configurations also monitors for changes
– Respond to unauthorized changes
• Email notification of detected unauthorized changes sent to designated personnel
NIST/ES-C2M2 Abstracted Architecture and CIP Documentation Architecture
[Figure: ES-C2M2 domains mapped to CIP requirements]
ES-C2M2 domains:
• Risk Management
• Asset, Change and Configuration Management
• Identity and Access Management
• Threat and Vulnerability Management
• Situational Awareness
• Event and Incident Response, Continuity of Operations
• Cyber Security Policy
• Workforce Management
CIP documentation:
• CIP-002 R1 BES Cyber System Identification
• CIP-002 R2 Identification Review
• CIP-003 R1-R3 Cyber Security Policy
• CIP-003 R4 Delegations
• CIP-004 R1-R2 Security Awareness Program
• CIP-004 R3 Personnel Risk Assessment
• CIP-004 R4 Access Management Program
• CIP-004 R5 Access Revocation
• CIP-005 R1 Electronic Security Perimeter
• CIP-005 R2 Interactive Remote Access
• CIP-006 P1.1-P1.2 Physical Security Plan
• CIP-006 R2 Visitor Control Program
• CIP-006 R3 PACS Maintenance and Testing
• CIP-007 R1 Ports and Services
• CIP-007 R2 Security Patch Management
• CIP-007 R3 Malicious Code Prevention
• CIP-007 R4 Security Event Monitoring
• CIP-007 R5 System Access Control
• CIP-008 R1-R3 Incident Response Plans
• CIP-009 R1-R3 Recovery Plans
• CIP-010 R1 Configuration Change Management
• CIP-010 R2 Configuration Monitoring
• CIP-010 R3 Vulnerability Assessments
• CIP-011 R1 Information Protection
• CIP-014 R1 Physical Security Risk Assessment
• CIP-014 R2-R3 Assessment Review and Notification
• CIP-014 R4 Physical Security Vulnerability Assessment
• CIP-014 R5 Physical Security Plan
• CIP-014 R6 Physical Security Plan Review
• CIP-006 P1.4-P1.9 Physical Security Plan
• CIP-011 R2 BES Cyber Asset Reuse and Disposal
• CIP-007 R5.7 System Access Control
NIST/ES-C2M2 Abstracted Architecture
• Asset, Change and Configuration Management
– CIP-005 R1 Electronic Security Perimeter
– CIP-005 R2 Interactive Remote Access
– CIP-007 R1 Ports and Services
– CIP-010 R1 Configuration Change Management
– CIP-011 R2 BES Cyber Asset Reuse and Disposal
– CIP-010 R2 Configuration Monitoring
Asset & Configuration Management Policy
Configuration Change Management Process
Speaker Introduction
• TID Control System Cybersecurity Analyst
• Senior IT Analyst, City of Turlock (2002-2015)
• B.S. Computer Information Systems (2012)
• 13 years in IT, 3 years in OT/EMS/Compliance
• Married 13 years, 3 Children
“A goal without a plan is just a wish.”
– Antoine de Saint-Exupéry
Planning for Automation
• Holistic view of cyber security and data management
• Standard data schema: define once, reference many times
• Create data definitions for input
• Leverage database-driven comparison methods for controls
• Supplement data inputs with required compliance information
• Summarize data for reporting
Keys to Success
• Established and performed processes manually before we automated anything
• Have not automated everything; there is still a lot more that we can do
• Perform processes manually for items that fall outside of our automation scope
• Review automated processes regularly to ensure accuracy and consistency
ID.AM-2: Software Platforms/Applications Inventory
• Starting point is our CIP-2 R5.1 Cyber Asset list
• Create a new baseline, or associate assets with an existing baseline
• CIP-010 R1.1-R1.5 Baseline Components
– CIP-010 R1.1.1 Operating Systems
– CIP-010 R1.1.2-1.1.3 Software
– CIP-010 R1.1.4 Network ports
– CIP-010 R1.1.5 Security Patches
Management of CIP 2 R5.1 Asset Example
Baseline Association Example
Baseline Creation Example
PR.IP-3 Configuration Change Control
• CCM required for any changes
• CCM recorded for the summary of changes
• Security controls verification produced to document that security controls have not changed
CM Process Example
Baseline Change to CM Relationships
Security Controls Verification
PR.IP-1 Baseline Changes/Updates
• Gather inputs from multiple systems
• Use database comparison methods against those inputs
• Accept changes to baselines and add supplemental compliance information
• Summarize data for reporting
• Generate required evidence to demonstrate compliance
Baseline Change Example
DE.CM-1 Baseline Changes/Updates
• Gather inputs from multiple systems
• Use database comparison methods against those inputs
• Accept changes to baselines and add supplemental compliance information
• Summarize data for reporting
• Generate required evidence to demonstrate compliance
[Flowchart: configuration change management automation. Swimlanes: Database Client Automation; Compliance Database Application; BCA. Nodes: Start; Change Management Ticket; Perform Security Controls Verification; Security Controls Verification; Native Commands Validation; Validation; Are there any baseline changes? (YES / NO); Validate Baseline; Associate Baseline changes to a Change Management Number; Baseline Software Inventory Report; Baseline Changes Summary Report; Review Evidence; Complete Change Management Ticket; End.]
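The comparison-and-association step that the PR.IP-1 and DE.CM-1 slides and the flowchart describe, as an added example that is not the presentation's own code and not TID's compliance database: a stored baseline (the CIP-010 R1.1 components) is compared with a freshly gathered inventory snapshot by set difference, each detected change is matched against the change management ticket that approved it, the baseline is updated only with the authorized changes (R1.3), and anything left over is reported as an unauthorized change to investigate (R2). The asset name, inventory contents and ticket number are constructed for illustration.

```python
"""Baseline comparison, change-ticket association and evidence summary
(CIP-010 R1.1 / R1.3 / R2).

Added example; not code from the presentation or from TID's compliance database.
The asset name, baseline contents, inventory snapshot and ticket number are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# The baseline components CIP-010 R1.1 enumerates (OS, software, ports, patches).
COMPONENTS = ("os", "software", "ports", "patches")

# A baseline (or a fresh inventory snapshot) is a component -> set of items map,
# so the comparison is a plain set difference, the same shape as a SQL EXCEPT.
Baseline = Dict[str, Set[str]]


@dataclass(frozen=True)
class Change:
    asset: str
    component: str  # one of COMPONENTS
    kind: str       # "added" or "removed"
    item: str


@dataclass
class ChangeTicket:
    """What a change management ticket approves, and whether R1.4 security
    controls verification has been recorded against it."""
    number: str
    asset: str
    approved: Set[Tuple[str, str, str]]  # (component, kind, item)
    security_controls_verified: bool = False


def diff_baseline(asset: str, baseline: Baseline, snapshot: Baseline) -> List[Change]:
    """Compare the stored baseline with a newly gathered snapshot."""
    changes: List[Change] = []
    for comp in COMPONENTS:
        old, new = baseline.get(comp, set()), snapshot.get(comp, set())
        changes += [Change(asset, comp, "added", i) for i in sorted(new - old)]
        changes += [Change(asset, comp, "removed", i) for i in sorted(old - new)]
    return changes


def classify(changes: List[Change],
             tickets: List[ChangeTicket]) -> Tuple[Dict[Change, str], List[Change]]:
    """Associate each detected change with the ticket that approved it.
    A change with no verified ticket is unauthorized and must be investigated (R2)."""
    authorized: Dict[Change, str] = {}
    unauthorized: List[Change] = []
    for c in changes:
        match = next((t for t in tickets
                      if t.asset == c.asset and t.security_controls_verified
                      and (c.component, c.kind, c.item) in t.approved), None)
        if match is None:
            unauthorized.append(c)
        else:
            authorized[c] = match.number
    return authorized, unauthorized


def apply_authorized(baseline: Baseline, authorized: Dict[Change, str]) -> Baseline:
    """R1.3: update the baseline with authorized changes only, so unauthorized
    drift keeps appearing on every run until it is resolved."""
    updated = {comp: set(items) for comp, items in baseline.items()}
    for c in authorized:
        target = updated.setdefault(c.component, set())
        if c.kind == "added":
            target.add(c.item)
        else:
            target.discard(c.item)
    return updated


def summary_report(authorized: Dict[Change, str], unauthorized: List[Change]) -> List[str]:
    """Evidence lines for the baseline changes summary report."""
    lines = [f"AUTHORIZED   {c.asset} {c.component} {c.kind} {c.item} [{ticket}]"
             for c, ticket in authorized.items()]
    lines += [f"UNAUTHORIZED {c.asset} {c.component} {c.kind} {c.item} -> investigate"
              for c in unauthorized]
    return lines


def run_example():
    """Constructed data: one EMS workstation, one verified ticket, one stray port."""
    asset = "EMS-HMI-01"  # hypothetical asset name
    baseline: Baseline = {
        "os": {"Windows Server 2012 R2"},
        "software": {"HMI Runtime 4.2", "PDF Reader 9"},
        "ports": {"tcp/3389", "tcp/445"},
        "patches": {"KB-EXAMPLE-1"},
    }
    snapshot: Baseline = {
        "os": {"Windows Server 2012 R2"},
        "software": {"HMI Runtime 4.3", "PDF Reader 9"},
        "ports": {"tcp/3389", "tcp/445", "tcp/23"},  # new listener, no ticket covers it
        "patches": {"KB-EXAMPLE-1", "KB-EXAMPLE-2"},
    }
    ticket = ChangeTicket("CM-2018-0042", asset, {  # hypothetical ticket number
        ("software", "removed", "HMI Runtime 4.2"),
        ("software", "added", "HMI Runtime 4.3"),
        ("patches", "added", "KB-EXAMPLE-2"),
    }, security_controls_verified=True)
    changes = diff_baseline(asset, baseline, snapshot)
    authorized, unauthorized = classify(changes, [ticket])
    return authorized, unauthorized, apply_authorized(baseline, authorized)


if __name__ == "__main__":
    auth, unauth, new_baseline = run_example()
    print("\n".join(summary_report(auth, unauth)))
    print("updated baseline ports:", sorted(new_baseline["ports"]))
```

Requiring `security_controls_verified` on the ticket before a change counts as authorized ties the R1.4 verification step into the association, which is the order the flowchart shows; a ticket that was opened but never verified does not make the drift it describes disappear from the report.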
References
• DHS, DOE, Carnegie Mellon University. (February 2014). Electric Subsector Cybersecurity Capability Maturity Model, Version 1.1.
• NIST. (February 2014). Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0.
• NIST. (April 2013). NIST Special Publication 800-53, Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations.
Questions?
• Dave Arounsack, CCIE #43254, Water & Energy Management System [email protected], 209-883-8657
• Michael Cole, CCNP, CISSP, Control System Cybersecurity [email protected], 209-883-8245
• Daniel Lourenco, Control System Cybersecurity [email protected], 209-883-8208