Page 1:

Electronic Access Controls
June 27, 2017
Kevin B. Perry
Director, Critical Infrastructure Protection
kperry.re@spp.org
501.614.3251

Page 2:

Electronic Access Point

Page 3:

What does your access control look like?

Page 4:

[Network diagram. ESP subnets: VLAN 20 / 192.168.20.0/24, VLAN 21 / 192.168.21.0/24, VLAN 22 / 192.168.22.0/24. DMZ subnets: VLAN 23 / 192.168.23.0/24, VLAN 24 / 192.168.24.0/24. Also shown: Field Network, Corp Network. Cyber Assets: App A&B, DB A&B, HMI A&B, CFE Terminal Servers A, B, and C, Opcon A, B, C, and D, Satellite Clock, AD Server, A/V Server, WSUS Server, RHEL Server, Syslog Server, Historian A&B, Jump Host. Legend: Microsoft Windows, Redhat Linux, Firmware-based.]

Page 5:

[Same network diagram as Page 4; the WSUS Server is annotated "HTTP, HTTPS Listening".]

Page 6:

[Same network diagram as Page 4, annotated with the object-group names ESP-Group (the ESP subnets) and DMZ-Group (the DMZ subnets).]

Page 7:

Consider this…

object-group network ESP-Group
 network-object 192.168.20.0 255.255.255.0
 network-object 192.168.21.0 255.255.255.0
 network-object 192.168.22.0 255.255.255.0

object-group network DMZ-Group
 network-object 192.168.23.0 255.255.255.0
 network-object 192.168.24.0 255.255.255.0

object-group service WSUS
 service-object icmp echo
 service-object icmp echo-reply
 service-object icmp time-exceeded
 service-object icmp unreachable
 service-object tcp destination eq www
 service-object tcp destination eq 443
 service-object tcp destination eq 135
 service-object tcp destination range 8530 8531

access-list ESP_allow_in extended permit object-group WSUS object-group DMZ-Group object-group ESP-Group
access-list ESP_allow_out extended permit object-group WSUS object-group ESP-Group object-group DMZ-Group

Page 8:

Audience Participation Time…

What are the compliance concerns with the rules just shown?

What are the risks posed by the rules as written?

How would you make the access control lists better?

(No fair looking ahead…)

Page 9:

Compliance Concerns

• CIP-005-5, Requirement R1, Part 1.3 states:

Require inbound and outbound access permissions, including the reason for granting access, and deny all other access by default

• Expectation:

⁻ Inbound and outbound permissions are demonstrably needed

⁻ Inbound and outbound permissions are tightly restricted

Page 10:

Compliance Concerns

• Object groups are not sufficiently granular

⁻ ESP-Group encompasses every Cyber Asset within the ESP

⁻ DMZ-Group encompasses every Cyber Asset in the DMZ

⁻ WSUS defines every port (service) that is required for any reason to support WSUS, plus some not required by WSUS

No consideration of reason for the port

No consideration of direction of traffic flow

• This example will result in a Potential Non-Compliance

Page 11:

Compliance Concerns

• From Microsoft TechNet:

Configure the firewall to allow communication for the HTTP and HTTPS ports used by the WSUS server. By default, a WSUS server that is configured for the default Web site uses port 80 for HTTP and port 443 for HTTPS. By default, the WSUS server uses port 8530 for HTTP and port 8531 for HTTPS if it is using the WSUS custom Web site

• References:

⁻ https://technet.microsoft.com/en-us/library/bb693717.aspx

⁻ https://technet.microsoft.com/en-us/library/bb632477.aspx

Page 12:

Risks Posed by the Rules

• Full DMZ – ESP inbound and outbound access

⁻ Even with port limitation, such broad IP ranges are not warranted in a Control Center network environment

⁻ Reciprocal rules not required with a stateful firewall

⁻ Unnecessarily increases the attack surface

• ICMP not required for WSUS purposes

⁻ Although limited to the ICMP types used by the “ping” and “traceroute” commands (echo, echo-reply, time-exceeded, unreachable), ICMP can be used by a malicious attacker to perform network reconnaissance

Page 13:

Risks Posed by the Rules

• WSUS uses either ports 80/443 or 8530/8531 per the TechNet bulletins.

⁻ Ports only “listening” on the WSUS server

⁻ Listening ports configured when WSUS is installed

⁻ Ports required to download patches from an upstream server or Microsoft web site.

⁻ No requirement for the WSUS server to connect to the client Cyber Assets, thus inbound rules not required

Page 14:

Risks Posed by the Rules

• Only Microsoft Windows-based Cyber Assets are supported by WSUS

⁻ Outbound rules should permit either ports 80/443 or 8530/8531 from the operator consoles and Active Directory server to the WSUS server

⁻ Permitting broad outbound access increases the ability of malware to contact its command and control system through a compromised proxy in the non-ESP networks

Page 15:

Risks Posed by the Rules

• Permitting ports 80 and 443 from every Cyber Asset in the DMZ inadvertently exposes the web-based configuration interface of the CFE terminal servers to malicious access

⁻ Any external remote access to the CFE terminal servers using web services needs to go through the Intermediate System (jump host)

⁻ Malicious actor could access and reconfigure the CFE terminal servers and disrupt SCADA/EMS communication with the generating plants and substations

Page 16:

[Same network diagram as Page 4, annotated "HTTP, HTTPS Listening" on the WSUS Server and "Windows Clients in the ESP".]

Page 17:

Improving the Access Control Lists

object-group network Windows-Systems
 network-object object Opcon_A
 network-object object Opcon_B
 network-object object Opcon_C
 network-object object Opcon_D
 network-object object AD_Server

object network WSUS-Server
 host 192.168.23.102

object-group service WSUS
 service-object tcp destination range 8530 8531

access-list ESP_allow_out extended permit object-group WSUS object-group Windows-Systems object WSUS-Server

• Define similar tight rules for interaction with the Active Directory server, RHEL update server, anti-virus server, the syslog server, and between the primary and backup Control Center ESPs
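The rule set on Page 7 and the tightened rule set on Page 17, run through a small checker for the points raised on Pages 9 through 15. This is an added example, not code from the presentation: it parses only the subset of ASA syntax the two pages use (object network with a host line, object-group network and service, and access-list lines whose three operands are each an object-group or an object), carries a constructed copy of the Page 7 rules, and writes the Page 17 Windows-Systems group as host entries because the slide names the Opcon and AD_Server objects but not their addresses; those five addresses and the choice of 192.168.23.102 as the server to test against are assumptions. WSUS_PORTS is the Page 11 list.

```python
"""Check ASA-style object-groups and access-lists against the CIP-005 R1 Part 1.3
expectations on these slides. Added example; not code from the presentation."""
import ipaddress

WSUS_PORTS = {80, 443, 8530, 8531}    # Page 11: a WSUS server uses 80/443 or 8530/8531
NAMED_PORTS = {"www": 80, "http": 80, "https": 443}

def parse_service(t):
    """'icmp echo' -> ('icmp', 0, 0); 'tcp destination eq www' -> ('tcp', 80, 80);
    'tcp destination range 8530 8531' -> ('tcp', 8530, 8531)."""
    if t[0] == "icmp":
        return ("icmp", 0, 0)
    if t[2] == "eq":
        port = NAMED_PORTS.get(t[3]) or int(t[3])
        return (t[0], port, port)
    return (t[0], int(t[3]), int(t[4]))

def parse_config(text):
    """Permit rules as dicts: svc = list of (proto, lo, hi); src/dst = ip_network lists."""
    objects, groups, rules, cur = {}, {}, [], None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "object":                       # object network NAME
            cur = objects.setdefault(t[2], [])
        elif t[0] == "object-group":               # object-group network|service NAME
            cur = groups.setdefault((t[1], t[2]), [])
        elif t[0] == "host":
            cur.append(ipaddress.ip_network(t[1]))
        elif t[0] == "network-object":             # 'host A' or 'A dotted-mask'
            cur.append(ipaddress.ip_network(t[2] if t[1] == "host" else t[1] + "/" + t[2]))
        elif t[0] == "service-object":
            cur.append(parse_service(t[1:]))
        elif t[0] == "access-list" and t[3] == "permit":
            # operands sit at 4, 6, 8: each is 'object-group NAME' or 'object NAME'
            svc, src, dst = (groups[(k, t[j + 1])] if t[j] == "object-group" else objects[t[j + 1]]
                             for k, j in (("service", 4), ("network", 6), ("network", 8)))
            rules.append({"name": t[1], "svc": svc, "src": src, "dst": dst})
    return rules

def lint(text, server_ip, required_ports):
    """(acl name, finding) pairs; the fragment is assumed to hold the rules for
    one service hosted on server_ip."""
    server, out = ipaddress.ip_address(server_ip), []
    for r in parse_config(text):
        for side in ("src", "dst"):
            if any(n.prefixlen < 32 for n in r[side]):
                out.append((r["name"], side + " is a whole subnet; name only the hosts involved"))
        if any(server in n for n in r["src"]):
            out.append((r["name"], "server-initiated; a stateful firewall needs no reciprocal rule"))
        if any(p == "icmp" for p, _, _ in r["svc"]):
            out.append((r["name"], "ICMP is not needed for the service and aids reconnaissance"))
        for proto, lo, hi in r["svc"]:
            if proto != "icmp" and hi - lo >= 1000:
                out.append((r["name"], "%s/%d-%d is a wide range (dynamic RPC pattern)" % (proto, lo, hi)))
            elif proto != "icmp" and not set(range(lo, hi + 1)) <= required_ports:
                out.append((r["name"], "%s/%d-%d is not a port the service requires" % (proto, lo, hi)))
    return out

# Constructed copy of the Page 7 rules (the "before" case).
BEFORE = """\
object-group network ESP-Group
 network-object 192.168.20.0 255.255.255.0
 network-object 192.168.21.0 255.255.255.0
 network-object 192.168.22.0 255.255.255.0
object-group network DMZ-Group
 network-object 192.168.23.0 255.255.255.0
 network-object 192.168.24.0 255.255.255.0
object-group service WSUS
 service-object icmp echo
 service-object icmp echo-reply
 service-object icmp time-exceeded
 service-object icmp unreachable
 service-object tcp destination eq www
 service-object tcp destination eq 443
 service-object tcp destination eq 135
 service-object tcp destination range 8530 8531
access-list ESP_allow_in extended permit object-group WSUS object-group DMZ-Group object-group ESP-Group
access-list ESP_allow_out extended permit object-group WSUS object-group ESP-Group object-group DMZ-Group
"""

# Page 17 rules (the "after" case); Opcon A-D and AD_Server written as host
# entries because the slide gives no addresses. These five addresses are assumptions.
AFTER = """\
object network WSUS-Server
 host 192.168.23.102
object-group network Windows-Systems
 network-object host 192.168.21.11
 network-object host 192.168.21.12
 network-object host 192.168.21.13
 network-object host 192.168.21.14
 network-object host 192.168.20.10
object-group service WSUS
 service-object tcp destination range 8530 8531
access-list ESP_allow_out extended permit object-group WSUS object-group Windows-Systems object WSUS-Server
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, lint(cfg, "192.168.23.102", WSUS_PORTS))
```

Run as written, the Page 7 set produces nine findings: subnet-wide source and destination in both directions, a DMZ-to-ESP rule that lets the WSUS server itself open connections into the ESP, ICMP in a patching rule, and 135/tcp, which neither TechNet bulletin lists. The Page 17 set produces none. The wide-range check exists for the Active Directory discussion on Pages 18 through 22: a rule carrying 1024-65535/tcp for dynamic RPC trips it. The checker tests the slide's own points and nothing more; the recorded reason for each permission that R1 Part 1.3 asks for still has to be reviewed by a person.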

Page 18:

Active Directory

• Current design

⁻ AD server is inside the ESP to allow normal operation with the outside interface of the firewall disconnected in an emergency

⁻ DMZ Cyber Assets have to reach into the ESP to access the AD server

⁻ Default AD server configuration (Dynamic RPC) exposes the ESP to approximately 95% of all possible ports

⁻ Exposure is magnified if inbound access is not limited to just the AD server

Page 19:

Active Directory

• Required ports – Dynamic RPC (default) configuration

Service                                                          | Port/protocol
RPC endpoint mapper                                              | 135/tcp, 135/udp
Network basic input/output system (NetBIOS) name service         | 137/tcp, 137/udp
NetBIOS datagram service                                         | 138/udp
NetBIOS session service                                          | 139/tcp
RPC dynamic assignment                                           | 1024-65535/tcp
Server message block (SMB) over IP (Microsoft-DS)                | 445/tcp, 445/udp
Lightweight Directory Access Protocol (LDAP)                     | 389/tcp
LDAP ping                                                        | 389/udp
LDAP over SSL                                                    | 636/tcp
Global catalog LDAP                                              | 3268/tcp
Global catalog LDAP over SSL                                     | 3269/tcp
Kerberos                                                         | 88/tcp, 88/udp
Domain Name Service (DNS)                                        | 53/tcp, 53/udp
Windows Internet Naming Service (WINS) resolution (if required)  | 1512/tcp, 1512/udp
WINS replication (if required)                                   | 42/tcp, 42/udp

Source: https://technet.microsoft.com/en-us/library/bb727063.aspx

Page 20:

Active Directory

• Dynamic RPC (default) configuration

⁻ Pros:

No special server configuration

⁻ Cons:

Turns the firewall into "Swiss cheese"

Random incoming high-port connections

Insecure firewall configuration

Page 21:

Active Directory

• Required Ports – Limited RPC configuration

Service                                   | Port/protocol
RPC endpoint mapper                       | 135/tcp, 135/udp
NetBIOS name service                      | 137/tcp, 137/udp
NetBIOS datagram service                  | 138/udp
NetBIOS session service                   | 139/tcp
RPC static port for AD replication        | <AD-fixed-port>/tcp
RPC static port for FRS                   | <FRS-fixed-port>/tcp
SMB over IP (Microsoft-DS)                | 445/tcp, 445/udp
LDAP                                      | 389/tcp
LDAP ping                                 | 389/udp
LDAP over SSL                             | 636/tcp
Global catalog LDAP                       | 3268/tcp
Global catalog LDAP over SSL              | 3269/tcp
Kerberos                                  | 88/tcp, 88/udp
DNS                                       | 53/tcp, 53/udp
WINS resolution (if required)             | 1512/tcp, 1512/udp
WINS replication (if required)            | 42/tcp, 42/udp

Source: https://technet.microsoft.com/en-us/library/bb727063.aspx

Page 22:

Active Directory

• Limited RPC configuration

⁻ Pros:

More secure than dynamic RPC—only two open high ports

⁻ Cons:

Registry modification to all Active Directory servers

• Instructions for selecting the high ports and modifying the Registry are found in:

https://technet.microsoft.com/en-us/library/bb727063.aspx
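The limited-RPC table on Page 21 turned into two working checks, added here and not from the presentation. Given the two static ports chosen for the Registry change (the values used are assumptions; the slide leaves them as <AD-fixed-port> and <FRS-fixed-port>), the first reads a constructed Windows `netstat -an` excerpt taken on the domain controller and reports any socket listening outside the table, which is how you confirm the change actually removed the dynamic-port exposure before the firewall rule is tightened; the second writes the ASA service object-group the same table implies for the Electronic Access Point. The optional WINS rows are left out; the netstat rows are constructed for the example.

```python
"""Verify the limited-RPC port set from Page 21 on the domain controller itself
and derive the matching ASA service object-group. Added example; not code from
the presentation. Static port values and the netstat rows are constructed."""
import re

AD_STATIC_PORT = 50000   # assumed value chosen for <AD-fixed-port> (AD replication)
FRS_STATIC_PORT = 50001  # assumed value chosen for <FRS-fixed-port> (FRS)

# Page 21, limited RPC configuration; the optional WINS entries are left out.
LIMITED_RPC = {
    ("tcp", 135), ("udp", 135), ("tcp", 137), ("udp", 137), ("udp", 138), ("tcp", 139),
    ("tcp", AD_STATIC_PORT), ("tcp", FRS_STATIC_PORT), ("tcp", 445), ("udp", 445),
    ("tcp", 389), ("udp", 389), ("tcp", 636), ("tcp", 3268), ("tcp", 3269),
    ("tcp", 88), ("udp", 88), ("tcp", 53), ("udp", 53),
}

# One row of Windows 'netstat -an': proto, local addr:port, foreign addr, optional state.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")

def listeners(netstat_text):
    """(proto, port) sockets that accept traffic: TCP only in LISTENING state,
    every bound UDP socket (UDP rows carry no state column)."""
    found = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if m and (m.group(1) == "UDP" or m.group(4) == "LISTENING"):
            found.add((m.group(1).lower(), int(m.group(3))))
    return found

def unexpected(netstat_text, allowed=LIMITED_RPC):
    """Listening sockets outside the allowed table, sorted for the report."""
    return sorted(listeners(netstat_text) - allowed)

def asa_service_group(name, allowed):
    """ASA 'object-group service' text carrying exactly the allowed ports."""
    lines = ["object-group service " + name]
    lines += [" service-object %s destination eq %d" % pp for pp in sorted(allowed)]
    return "\n".join(lines)

# Constructed excerpt: a DC after the Registry change, with RDP listening and
# one RPC service still on a dynamic port; the ESTABLISHED row is a client session.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:50000          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49672          0.0.0.0:0              LISTENING
  TCP    192.168.20.10:389      192.168.21.11:52044    ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:53             *:*
  UDP    0.0.0.0:389            *:*
"""

if __name__ == "__main__":
    print("outside the limited-RPC table:", unexpected(SAMPLE))
    print(asa_service_group("AD-Limited-RPC", LIMITED_RPC))
```

In the sample the report names the RDP listener (3389/tcp) and the RPC endpoint still on 49672/tcp. Read the report as a list of ports to justify, not as a fault list: a real domain controller also listens on ports the slide's table does not carry (the Kerberos password-change service on 464, Active Directory Web Services on 9389, and the RPC services other than replication and FRS, which keep dynamic endpoints), so every extra port that has to cross the Electronic Access Point needs its own recorded reason under R1 Part 1.3, and the rest stay out of the object-group. Running the object-group through the Page 17 checker is the other half of the verification: with the static ports set there is no range left to flag.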

Page 23:

Active Directory

• But wait… It can get even better

⁻ Currently, the DMZ Cyber Assets need to punch through the firewall to access the Active Directory server

⁻ Every permitted port is another opportunity for exploit

• A read-only domain controller (RODC) is a new type of domain controller in the Windows Server® 2008 operating system.

⁻ Eliminates need for inbound port permissions to the Active Directory server inside the ESP

Page 24:

[Same network diagram as Page 4, with an AD Server (RODC) added in the DMZ.]

Page 25:

Read-Only Active Directory

• Read-only AD DS database

⁻ Except for account passwords, an RODC holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the database that is stored on the RODC. Changes must be made on a writable domain controller and then replicated back to the RODC.

• Unidirectional replication

⁻ Because no changes are written directly to the RODC, no changes originate at the RODC. Accordingly, writable domain controllers that are replication partners do not have to pull changes from the RODC. This means that any changes or corruption that a malicious user might make to the DMZ Active Directory Server cannot replicate from the RODC to the rest of the forest.

Source: https://technet.microsoft.com/en-us/library/cc732801(v=ws.10).aspx

Page 26:

Read-Only Active Directory

• One more thing to do…

⁻ Point the Cyber Assets inside the ESP to the Active Directory server inside the ESP

⁻ Point the Cyber Assets outside the ESP to the Active Directory server in the DMZ

⁻ Eliminate all AD-related permissions through the firewall from the DMZ into the ESP

Frustrates the malicious actor…too bad, so sad…

Page 27:

Interactive Remote Access

Page 29:

What is Multi-Factor Authentication?

• Something you know:

⁻ Password, passphrase, PIN

• Something you have:

⁻ RSA token, CRYPTOcard, challenge/response card, cell phone

• Something you are:

⁻ Biometrics (fingerprint, facial features, iris)

Page 30:

Something You Have

• This is the most misunderstood factor

⁻ You need to be in physical possession

⁻ You cannot stop off somewhere (electronically) and pick it up

⁻ It cannot be publicly available

• The Guidelines and Technical Basis for CIP-005-5, Requirement R2 simply says “See Secure Remote Access Reference Document (see remote access alert).”

⁻ Guidance for Secure Interactive Remote Access

Page 31:

Multi-Factor Scenario 1

• Authentication is performed by the following sequence:

⁻ Enter username and password

⁻ One-time token is sent by the authentication server to your company email account

⁻ Enter the one-time token value found in the email body

⁻ You are authenticated

• Question: Is this a valid form of multi-factor authentication?

NO

Page 32:

Multi-Factor Scenario 2

• Authentication is performed by the following sequence:

⁻ Enter username and password

⁻ One-time token is generated using an app on your smart phone

⁻ Enter the one-time token

⁻ You are authenticated

• Question: Is this a valid form of multi-factor authentication?

YES

Page 33:

Multi-Factor Scenario 3

• Authentication is performed by the following sequence:

⁻ Enter username and password to authenticate to a Citrix server (not the Intermediate System)

⁻ Connect to the Intermediate System from the Citrix server

⁻ Enter your username and password

⁻ Enter the password to enable use of your digital certificate, stored in your user profile on the Citrix server

⁻ You are authenticated

• Question: Is this a valid form of multi-factor authentication?

NO

Page 34:

Multi-Factor Scenario 4

• Authentication is performed by the following sequence:

⁻ Connect to the Intermediate System from your laptop

⁻ Enter your username and password

⁻ Enter the password to enable use of your digital certificate, stored in your user profile on your laptop

⁻ You are authenticated

• Question: Is this a valid form of multi-factor authentication?

Yes, but…

Page 35:

Multi-Factor Scenario 5

• Authentication is performed by the following sequence:

⁻ Enter username and password

⁻ The authentication system places a call to a pre-registered phone number (cell or landline)

⁻ Answer the phone and respond as instructed

⁻ You are authenticated

• Question: Is this a valid form of multi-factor authentication?

YES (cell phone would be best)

Page 36:

Multi-Factor Scenario 6

• Authentication is performed by the following sequence:

⁻ Insert USB key containing your digital certificate into your laptop

⁻ Launch your VPN client on your laptop and connect to the VPN concentrator (upstream from the Intermediate System)

⁻ Enter the passcode required to use your digital certificate

⁻ You are authenticated

• Question: Is this a valid form of multi-factor authentication?

YES

Page 37:

Multi-Factor Scenario 7

• Authentication is performed by the following sequence:

⁻ Log into your laptop using your fingerprint in lieu of entering your username and password

⁻ Once logged in, connect to the Intermediate System with a username and password

⁻ You are authenticated

• Question: Is this a valid form of multi-factor authentication?

You would think so, but, NO

Page 38:

Summary

• Electronic Access Point

⁻ You want tight ingress and egress access controls

⁻ Access in and out needs to be limited to what is necessary to operate, not for convenience

• Multi-Factor Authentication

⁻ Two of three: something you know, something you have, something you are

⁻ You need to be in sole possession of something you have

Page 39:

SPP RE CIP Team

• Kevin Perry, Director of Critical Infrastructure Protection, (501) 614-3251

• Shon Austin, Lead Compliance Specialist-CIP, (501) 614-3273

• Ted Bell, Senior Compliance Specialist-CIP, (501) 614-3535

• Jeremy Withers, Senior Compliance Specialist-CIP, (501) 688-1676

• Robert Vaughn, Compliance Specialist II-CIP, (501) 482-2301

• Sushil Subedi, Compliance Specialist II-CIP, (501) 482-2332
