Electronic Access ControlsJune 27, 2017Kevin B. Perry
Director, Critical Infrastructure Protection
501.614.3251
1
Electronic Access Point
2
What does your access control look like?
3
4
App A&B
DB A&B
HMI A&B
CFE Terminal Servers A, B, and C
OpconA
OpconB
OpconC
OpconD
SatelliteClock
ESP
A/VServer
WSUSServer
RHELServer
SyslogServer Historian
A&B
Jump Host
VLAN 21 / 192.168.21.0/24
VLAN 22 / 192.168.22.0/24
VLAN 23 / 192.168.23.0/24
VLAN 24 / 192.168.24.0/24
Field Network
Corp Network
AD Server
VLAN 20 / 192.168.20.0/24
Microsoft Windows
Redhat Linux
Firmware-based
5
App A&B
DB A&B
HMI A&B
CFE Terminal Servers A, B, and C
OpconA
OpconB
OpconC
OpconD
SatelliteClock
ESP
A/VServer
WSUSServer
RHELServer
SyslogServer Historian
A&B
Jump Host
VLAN 21 / 192.168.21.0/24
VLAN 22 / 192.168.22.0/24
VLAN 23 / 192.168.23.0/24
VLAN 24 / 192.168.24.0/24
Field Network
Corp Network
AD Server
VLAN 20 / 192.168.20.0/24
HTTP, HTTPS Listening
6
App A&B
DB A&B
HMI A&B
CFE Terminal Servers A, B, and C
OpconA
OpconB
OpconC
OpconD
SatelliteClock
ESP
A/VServer
WSUSServer
RHELServer
SyslogServer Historian
A&B
Jump Host
VLAN 21 / 192.168.21.0/24
VLAN 22 / 192.168.22.0/24
VLAN 23 / 192.168.23.0/24
VLAN 24 / 192.168.24.0/24
Field Network
Corp Network
AD Server
VLAN 20 / 192.168.20.0/24
ESP-Group
DMZ-Group
Consider this…object-group network ESP-Group
network-object 192.168.20.0 255.255.255.0network-object 192.168.21.0 255.255.255.0network-object 192.168.22.0 255.255.255.0
object-group network DMZ-Groupnetwork-object 192.168.23.0 255.255.255.0network-object 192.168.24.0 255.255.255.0
object-group service WSUSservice-object icmp echo service-object icmp echo-reply service-object icmp time-exceededservice-object icmp unreachableservice-object tcp destination eq www service-object tcp destination eq 443 service-object tcp destination eq 135service-object tcp destination range 8530 8531
permit ESP_allow_in extended permit object-group WSUS object-group DMZ-Group object-group ESP-Group
permit ESP_allow_out extended permit object-group WSUS object-group ESP-Group object-group DMZ-Group 7
Audience Participation Time…
What are the compliance concerns with the rules just shown?
What are the risks posed by the rules as written?
How would you make the access control lists better?
(No fair looking ahead…)
8
Compliance Concerns
• CIP-005-5, Requirement R1, Part 1.3 states:
Require inbound and outbound access permissions, including the reason for granting access, and deny all other access by default
• Expectation:
⁻ Inbound and outbound permissions are demonstrably needed
⁻ Inbound and outbound permissions are tightly restricted
9
Compliance Concerns
• Object groups are not sufficiently granular
⁻ ESP-Group encompasses every Cyber Asset within the ESP
⁻ DMZ-Group encompasses every Cyber Asset in the DMZ
⁻ WSUS defines every port (service) that is required for any reason to support WSUS, plus some not required by WSUS
No consideration of reason for the port
No consideration of direction of traffic flow
• This example will result in a Potential Non-Compliance
10
Compliance Concerns
• From Microsoft TechNet:
Configure the firewall to allow communication for the HTTP and HTTPS ports used by the WSUS server. By default, a WSUS server that is configured for the default Web site uses port 80 for HTTP and port 443 for HTTPS. By default, the WSUS server uses port 8530 for HTTP and port 8531 for HTTPS if it is using the WSUS custom Web site
• References:
⁻ https://technet.microsoft.com/en-us/library/bb693717.aspx
⁻ https://technet.microsoft.com/en-us/library/bb632477.aspx
11
Risks Posed by the Rules
• Full DMZ – ESP inbound and outbound access
⁻ Even with port limitation, such broad IP ranges are not warranted in a Control Center network environment
⁻ Reciprocal rules not required with a stateful firewall
⁻ Unnecessarily increases the attack surface
• ICMP not required for WSUS purposes
⁻ Although limited to only the “ping” and “traceroute” commands, ICMP can be used by a malicious attacker to perform network reconnaissance
12
Risks Posed by the Rules
• WSUS uses either ports 80/443 or 8530/8531 per the TechNet bulletins.
⁻ Ports only “listening” on the WSUS server
⁻ Listening ports configured when WSUS is installed
⁻ Ports required to download patches from an upstream server or Microsoft web site.
⁻ No requirement for the WSUS server to connect to the client Cyber Assets, thus inbound rules not required
13
Risks Posed by the Rules
• Only Microsoft Windows-based Cyber Assets are supported by WSUS
⁻ Outbound rules should permit either ports 80/443 or 8530/8531 from the operator consoles and Active Directory server to the WSUS server
⁻ Permitting broad outbound access increases the ability of malware to contact its command and control system through a compromised proxy in the non-ESP networks
14
Risks Posed by the Rules
• Permitting port 80 and 443 from every Cyber Asset in the DMZ inadvertently exposes the CFE terminal servers to malicious configuration interface access
⁻ Any external remote access to the CFE terminal servers using web services needs to go through the Intermediate System (jump host)
⁻ Malicious actor could access and reconfigure the CFE terminal servers and disrupt SCADA/EMS communication with the generating plants and substations
15
16
App A&B
DB A&B
HMI A&B
CFE Terminal Servers A, B, and C
OpconA
OpconB
OpconC
OpconD
SatelliteClock
ESP
A/VServer
WSUSServer
RHELServer
SyslogServer Historian
A&B
Jump Host
VLAN 21 / 192.168.21.0/24
VLAN 22 / 192.168.22.0/24
VLAN 23 / 192.168.23.0/24
VLAN 24 / 192.168.24.0/24
Field Network
Corp Network
AD Server
VLAN 20 / 192.168.20.0/24
HTTP, HTTPS Listening
Windows Clients in the ESP
Improving the Access Control Listsobject-group network Windows-Systems
network-object object Opcon_Anetwork-object object Opcon_Bnetwork-object object Opcon_Cnetwork-object object Opcon_Dnetwork-object object AD_Server
object network WSUS-Serverhost 192.168.23.102
object-group service WSUSservice-object tcp destination range 8530 8531
permit ESP_allow_out extended permit object-group WSUS object-group Windows-Systems object WSUS-Server
• Define similar tight rules for interaction with the Active Directory server, RHEL update server, anti-virus server, the syslog server, and between the primary and backup Control Center ESPs 17
Active Directory
• Current design
⁻ AD server is inside the ESP to allow normal operation with the outside interface of the firewall disconnected in an emergency
⁻ DMZ Cyber Assets have to reach into the ESP to access the AD server
⁻ Default AD server configuration (Dynamic RPC) exposes the ESP to approximately 95% of all possible ports
⁻ Exposure is magnified if inbound access is not limited to just the AD server
18
Active Directory
• Required ports – Dynamic RPC (default) configuration
19
Service Port/protocolRPC endpoint mapper 135/tcp, 135/udpNetwork basic input/output system (NetBIOS) name service 137/tcp, 137/udpNetBIOS datagram service 138/udpNetBIOS session service 139/tcpRPC dynamic assignment 1024-65535/tcpServer message block (SMB) over IP (Microsoft-DS) 445/tcp, 445/udpLightweight Directory Access Protocol (LDAP) 389/tcpLDAP ping 389/udpLDAP over SSL 636/tcpGlobal catalog LDAP 3268/tcpGlobal catalog LDAP over SSL 3269/tcpKerberos 88/tcp, 88/udpDomain Name Service (DNS) 53/tcp1, 53/udpWindows Internet Naming Service (WINS) resolution (if required) 1512/tcp, 1512/udpWINS replication (if required) 42/tcp, 42/udp
Source: https://technet.microsoft.com/en-us/library/bb727063.aspx
Active Directory
• Dynamic RPC (default) configuration
⁻ Pros:
No special server configuration
⁻ Cons:
Turns the firewall into "Swiss cheese"
Random incoming high-port connections
Insecure firewall configuration
20
Active Directory
• Required Ports – Limited RPC configuration
21Source: https://technet.microsoft.com/en-us/library/bb727063.aspx
Service Port/protocolRPC endpoint mapper 135/tcp, 135/udpNetBIOS name service 137/tcp, 137/udpNetBIOS datagram service 138/udpNetBIOS session service 139/tcpRPC static port for AD replication <AD-fixed-port>/TCPRPC static port for FRS <FRS-fixed-port>/TCPSMB over IP (Microsoft-DS) 445/tcp, 445/udpLDAP 389/tcpLDAP ping 389/udpLDAP over SSL 636/tcpGlobal catalog LDAP 3268/tcpGlobal catalog LDAP over SSL 3269/tcpKerberos 88/tcp, 88/udpDNS 53/tcp, 53/udpWINS resolution (if required) 1512/tcp, 1512/udpWINS replication (if required) 42/tcp, 42/udp
Active Directory
• Limited RPC configuration
⁻ Pros:
More secure than dynamic RPC—only two open high ports
⁻ Cons:
Registry modification to all Active Directory servers
• Instructions for selecting the high ports and modifying the Registry are found in:
https://technet.microsoft.com/en-us/library/bb727063.aspx
22
Active Directory
• But wait… It can get even better
⁻ Currently, the DMZ Cyber Assets need to punch through the firewall to access the Active Directory server
⁻ Every permitted port is another opportunity for exploit
• A read-only domain controller (RODC) is a new type of domain controller in the Windows Server® 2008 operating system.
⁻ Eliminates need for inbound port permissions to the Active Directory server inside the ESP
23
24
App A&B
DB A&B
HMI A&B
CFE Terminal Servers A, B, and C
OpconA
OpconB
OpconC
OpconD
SatelliteClock
ESP
A/VServer
WSUSServer
RHELServer
SyslogServer Historian
A&B
Jump Host
VLAN 21 / 192.168.21.0/24
VLAN 22 / 192.168.22.0/24
VLAN 23 / 192.168.23.0/24
VLAN 24 / 192.168.24.0/24
Field Network
Corp Network
AD Server
VLAN 20 / 192.168.20.0/24
ADServer(RODC)
Read-Only Active Directory
• Read-only AD DS database
⁻ Except for account passwords, an RODC holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the database that is stored on the RODC. Changes must be made on a writable domain controller and then replicated back to the RODC.
• Unidirectional replication
⁻ Because no changes are written directly to the RODC, no changes originate at the RODC. Accordingly, writable domain controllers that are replication partners do not have to pull changes from the RODC. This means that any changes or corruption that a malicious user might make to the DMZ Active Directory Server cannot replicate from the RODC to the rest of the forest.
Source: https://technet.microsoft.com/en-us/library/cc732801(v=ws.10).aspx
25
Read-Only Active Directory
• One more thing to do…
⁻ Point the Cyber Assets inside the ESP to the Active Directory server inside the ESP
⁻ Point the Cyber Assets outside the ESP to the Active Directory server in the DMZ
⁻ Eliminate all AD-related permissions through the firewall from the DMZ into the ESP
Frustrates the malicious actor…too bad, so sad…
26
Interactive Remote Access
27
28
What is Multi-Factor Authentication?
• Something you know:
⁻ Password, passphrase, PIN
• Something you have:
⁻ RSA token, CRYPTOcard, challenge/response card, cell phone
• Something you are:
⁻ Biometrics (fingerprint, facial features, iris)
29
Something You Have
• This is the most misunderstood factor
⁻ You need to be in physical possession
⁻ You cannot stop off somewhere (electronically) and pick it up
⁻ It cannot be publicly available
• The Guidelines and Technical Basis for CIP-005-5, Requirement R2 simply says “See Secure Remote Access Reference Document (see remote access alert).”
⁻ Guidance for Secure Interactive Remote Access
30
Multi-Factor Scenario 1
• Authentication is performed by the following sequence:
⁻ Enter username and password
⁻ One-time token is sent by the authentication server to your company email account
⁻ Enter the one-time token value found in the email body
⁻ You are authenticated
• Question: Is this a valid form of multi-factor authentication?
NO
31
Multi-Factor Scenario 2
• Authentication is performed by the following sequence:
⁻ Enter username and password
⁻ One-time token is generated using an app on your smart phone
⁻ Enter the one-time token
⁻ You are authenticated
• Question: Is this a valid form of multi-factor authentication?
YES
32
Multi-Factor Scenario 3
• Authentication is performed by the following sequence:
⁻ Enter username and password to authenticate to a Citrix server (not the Intermediate System)
⁻ Connect to the Intermediate System from the Citrix server
⁻ Enter your username and password
⁻ Enter the password to enable use of your digital certificate, stored in your user profile on the Citrix server
⁻ You are authenticated
• Question: Is this a valid form of multi-factor authentication?
NO 33
Multi-Factor Scenario 4
• Authentication is performed by the following sequence:
⁻ Connect to the Intermediate System from your laptop
⁻ Enter your username and password
⁻ Enter the password to enable use of your digital certificate, stored in your user profile on your laptop
⁻ You are authenticated
• Question: Is this a valid form of multi-factor authentication?
Yes, but…
34
Multi-Factor Scenario 5
• Authentication is performed by the following sequence:
⁻ Enter username and password
⁻ The authentication system places a call to a pre-registered phone number (cell or landline)
⁻ Answer the phone and respond as instructed
⁻ You are authenticated
• Question: Is this a valid form of multi-factor authentication?
YES (cell phone would be best)
35
Multi-Factor Scenario 6
• Authentication is performed by the following sequence:
⁻ Insert USB key containing your digital certificate into your laptop
⁻ Launch your VPN client on your laptop and connect to the VPN concentrator (upstream from the Intermediate System)
⁻ Enter the passcode required to use your digital certificate
⁻ You are authenticated
• Question: Is this a valid form of multi-factor authentication?
YES
36
Multi-Factor Scenario 7
• Authentication is performed by the following sequence:
⁻ Log into your laptop using your fingerprint in lieu of entering your username and password
⁻ Once logged in, connect to the Intermediate System with a username and password
⁻ You are authenticated
• Question: Is this a valid form of multi-factor authentication?
You would think so, but, NO
37
Summary
• Electronic Access Point
⁻ You want tight ingress and egress access controls
⁻ Access in and out needs to be limited to what is necessary to operate, not for convenience
• Multi-Factor Authentication
⁻ Two of three: something you know, something you have, something you are
⁻ You need to be in sole possession of something you have
38
SPP RE CIP Team
• Kevin Perry, Director of Critical Infrastructure Protection(501) 614-3251
• Shon Austin, Lead Compliance Specialist-CIP(501) 614-3273
• Ted Bell, Senior Compliance Specialist-CIP(501) 614-3535
• Jeremy Withers, Senior Compliance Specialist-CIP(501) 688-1676
• Robert Vaughn, Compliance Specialist II-CIP(501) 482-2301
• Sushil Subedi, Compliance Specialist II-CIP(501) 482-2332
39