SPP CIP-005 Presentation

CIP-005-3a Electronic Security Perimeters: A Primer in ESP Identification
Brent Johnson, CISSP, CISA, Project Consultant, GDS Associates, Inc.

Uploaded by alexhobbsgds, posted 27-Nov-2014


Page 1: SPP CIP-005 Presentation

CIP-005-3a

Electronic Security Perimeters

A Primer in ESP Identification

Brent Johnson, CISSP, CISA

Project Consultant

GDS Associates, Inc.

Page 2: SPP CIP-005 Presentation

CIP-005: Electronic Security Perimeters

• 5 Requirements:

– Identify

– Control

– Monitor

– Assess Vulnerabilities

– Maintain Documentation

• This presentation deals specifically with Identification of ESPs

Page 3: SPP CIP-005 Presentation

Importance of ESP Documentation

• Documentation is the blueprint to network security

– Visually shows how CCAs are electronically protected

– Forces entities to confirm their electronic security strategy

– Serves as a guide for auditors

Page 4: SPP CIP-005 Presentation

What is an ESP?

• Electronic Security Perimeter

• The logical border around a network

– All CCAs must be protected by an ESP

– Access is Controlled

Page 5: SPP CIP-005 Presentation

How is Access Controlled?

• Access Points

– The device that discriminates between authorized and unauthorized traffic in and out of ESPs

– This may not always be the outermost device on the network!

Page 7: SPP CIP-005 Presentation

Access Points

Device Accessible from Outside

• A device accessible from outside the ESP*

* Unless this access is controlled by another device in the ESP

VPNs and Tunnels

• Anything serving as an endpoint of a tunnel where the other endpoint is outside the ESP

• This applies even when the other endpoint is in a different ESP

Dial-Up

• Externally connected dial-up devices

Page 8: SPP CIP-005 Presentation

Access Points: Accessible from Outside

• Alice needs to access the File Server

– She has a username, password and network token

• The Firewall forwards all traffic on the VPN Server port number without considering its origin

• The VPN Server is responsible for authenticating users

Where is the access point?

Page 9: SPP CIP-005 Presentation

Access Points: VPNs

• Alice needs to check on Workstations A, B and C

• Once she authenticates with the VPN, she has a secure tunnel to the ESP Firewall

• The ESP firewall only allows traffic in from the VPN server, which is already authenticated

Page 10: SPP CIP-005 Presentation

Access Points: Modems

• The corporate internet connection goes down and Alice needs to remotely access the protected network

• Alice uses a cell phone modem to connect to the dial-up server, which then authenticates her
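The three access-point criteria on page 7 (accessible from outside unless another ESP device controls that access, tunnel endpoint whose far end is outside the ESP, externally connected dial-up) can be applied mechanically to a documented topology. The following Python model is an added example, not code from the presentation or from GDS Associates; the device names, the `Device` fields and the reading of the three scenarios (in the page 9 scenario the VPN server is assumed to sit outside the ESP, so the ESP firewall is the tunnel endpoint) are assumptions. It follows traffic through devices that forward without discriminating, which is what makes the page 8 firewall a pass-through and the VPN server behind it the access point.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Device:
    name: str
    esp: str | None                     # ESP the device belongs to; None = outside every ESP
    external_interface: bool = False    # directly reachable from outside any ESP
    discriminates: bool = False         # authenticates users or filters by origin
    forwards_to: list[str] = field(default_factory=list)  # devices it passes traffic to
    tunnel_peer: str | None = None      # far end of a VPN/tunnel terminated on this device
    dialup: bool = False                # externally connected dial-up device


def externally_reachable(devices: dict[str, Device]) -> set[str]:
    """Devices reachable from outside, following forwarders that do not discriminate."""
    reach = {d.name for d in devices.values() if d.external_interface}
    frontier = list(reach)
    while frontier:
        dev = devices[frontier.pop()]
        if dev.discriminates:
            continue  # a discriminating device ends the uncontrolled reachability chain
        for nxt in dev.forwards_to:
            if nxt not in reach:
                reach.add(nxt)
                frontier.append(nxt)
    return reach


def identify_access_points(devices: dict[str, Device]) -> dict[str, str]:
    """Map each access point inside an ESP to the page-7 criterion that makes it one."""
    reach = externally_reachable(devices)
    found: dict[str, str] = {}
    for dev in devices.values():
        if dev.esp is None:
            continue  # page 11: equipment outside the ESP is out of scope
        if dev.dialup:
            found[dev.name] = "dial-up"
        elif dev.tunnel_peer is not None and devices[dev.tunnel_peer].esp != dev.esp:
            found[dev.name] = "tunnel endpoint"  # also covers a peer in a different ESP
        elif dev.name in reach and (dev.discriminates or not dev.forwards_to):
            # Reachable from outside and either controlling access itself or, if it
            # neither controls nor hands traffic on, exposed with no other control.
            found[dev.name] = "accessible from outside"
    return found


# Page 8: the firewall forwards the VPN port blindly; the VPN server authenticates.
def scenario_page8() -> dict[str, str]:
    devs = {
        "firewall": Device("firewall", "ESP-1", external_interface=True, forwards_to=["vpn-server"]),
        "vpn-server": Device("vpn-server", "ESP-1", discriminates=True, forwards_to=["file-server"]),
        "file-server": Device("file-server", "ESP-1"),
    }
    return identify_access_points(devs)


# Page 9 (assumed layout): VPN server outside the ESP, tunnel terminated on the ESP firewall.
def scenario_page9() -> dict[str, str]:
    devs = {
        "vpn-server": Device("vpn-server", None, external_interface=True, discriminates=True,
                             forwards_to=["esp-firewall"]),
        "esp-firewall": Device("esp-firewall", "ESP-1", discriminates=True, tunnel_peer="vpn-server",
                               forwards_to=["ws-a", "ws-b", "ws-c"]),
        "ws-a": Device("ws-a", "ESP-1"),
        "ws-b": Device("ws-b", "ESP-1"),
        "ws-c": Device("ws-c", "ESP-1"),
    }
    return identify_access_points(devs)


# Page 10: a dial-up server inside the ESP authenticates the modem connection.
def scenario_page10() -> dict[str, str]:
    devs = {
        "dialup-server": Device("dialup-server", "ESP-1", dialup=True, discriminates=True),
        "file-server": Device("file-server", "ESP-1"),
    }
    return identify_access_points(devs)


if __name__ == "__main__":
    for fn in (scenario_page8, scenario_page9, scenario_page10):
        print(fn.__name__, fn())
```

Running the module prints the access point for each scenario. The "accessible from outside" branch also flags a host that is reachable from outside but neither authenticates nor forwards, which is the case the page-7 footnote leaves uncovered: nothing else controls access to it, so it must be documented as an access point or moved behind one.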

Page 11: SPP CIP-005 Presentation

Links Between ESPs

• Communication networks connecting discrete ESPs together are not considered part of the ESP

– Equipment outside of ESP access points is out of scope

Page 12: SPP CIP-005 Presentation

Links Between ESPs

• It is possible to create one logical ESP even if it is broken into multiple physical locations

Page 13: SPP CIP-005 Presentation

Access Control & Monitoring Equipment

Functions of ACM Equipment

Logging

• Centralized Logging Servers

Intrusion Detection

• SIEM

• IDS/IPS

• Pattern Recognition

• Incident Response

Authentication

• Active Directory

• LDAP

• Kerberos

Page 14: SPP CIP-005 Presentation

Protecting ACM Equipment

[Diagram: the protections that apply to ACM equipment, each mapped to the CIP standard (CIP-003 through CIP-009) that requires it. Activities shown:]

• Information Protection Plan

• Monitoring Electronic Access

• Security Status Monitoring

• Disposal and Redeployment

• Systems Security Management

• Documentation Review

• Physical Security

• Personnel Risk Assessment

• Electronic Access Control Systems (PSP)

• Secure Configuration

• Change Control and Configuration Management

• Electronic Access Controls

• Security Controls Testing

• Account Management

• Evolving Threat Response

• Security Patch Management

• Malicious Software Prevention

• Cyber Vulnerability Assessment

• Response and Recovery

• Incident Reporting & Response Management

• Recovery Plans

Standards referenced in the diagram: CIP-003, CIP-004, CIP-005, CIP-006, CIP-007, CIP-008, CIP-009

Page 15: SPP CIP-005 Presentation

Documenting an ESP: Components

• Good ESP documentation successfully identifies:

– Critical Cyber Assets

– Access Points

– Access Control and Monitoring Equipment

– All other assets inside the ESP

Page 16: SPP CIP-005 Presentation

Documenting an ESP

• Accuracy is imperative!

• Develop documentation based on known configuration and confirm topology with:

– Network discovery of assets

• Nmap

– Physical Cable Inspection

• Documentation must contain all cyber assets inside, regardless of Criticality

Page 17: SPP CIP-005 Presentation

Common Pitfalls in Documenting ESPs

• Not everything is included

• Redundant cabling/port connections are not documented

• Failure to consider Access Points possibly behind the outermost device

• Documentation not updated within 90 days of changes made
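Page 16 says to build the documentation from the known configuration and then confirm it with network discovery, and page 17 lists the pitfalls that check catches (assets left out, stale documentation). The following Python script is an added example, not code from the presentation or from GDS Associates: it parses Nmap's XML output (`nmap -sn -oX`) and reconciles the live hosts against a documented ESP asset list. The XML, the asset list, the IP addresses and the review dates are constructed for the example; treating the last review date as the proxy for the 90-day update window is a simplification of the slide's point, not the standard's wording.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
import xml.etree.ElementTree as ET

# Constructed Nmap XML in the nmap -oX layout (not real scan output).
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.10.1.1" addrtype="ipv4"/>
        <address addr="00:11:22:AA:BB:01" addrtype="mac"/></host>
  <host><status state="up"/><address addr="10.10.1.10" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="10.10.1.11" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="10.10.1.77" addrtype="ipv4"/></host>
  <host><status state="down"/><address addr="10.10.1.12" addrtype="ipv4"/></host>
</nmaprun>"""


@dataclass
class Asset:
    ip: str
    name: str
    role: str            # CCA, access point, ACM, or other (page 15 components)
    last_reviewed: date  # date the entry was last confirmed against the network


# Constructed ESP documentation standing in for the "known configuration".
DOCUMENTED = [
    Asset("10.10.1.1", "esp-firewall", "access point", date(2014, 8, 1)),
    Asset("10.10.1.10", "ems-server", "CCA", date(2014, 11, 1)),
    Asset("10.10.1.11", "historian", "other", date(2014, 11, 1)),
    Asset("10.10.1.12", "ems-backup", "CCA", date(2014, 11, 1)),
]

SCAN_DATE = date(2014, 11, 27)  # constructed: the day the discovery scan was run


def live_hosts(xml_text: str) -> set[str]:
    """IPv4 addresses of hosts Nmap reported as up."""
    root = ET.fromstring(xml_text)
    hosts: set[str] = set()
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                hosts.add(addr.get("addr"))
    return hosts


def reconcile(xml_text: str, documented: list[Asset], today: date,
              max_age_days: int = 90) -> dict[str, list[str]]:
    """Compare discovered hosts with the ESP documentation and age each entry."""
    seen = live_hosts(xml_text)
    documented_ips = {a.ip for a in documented}
    return {
        # Page 17 pitfall: something inside the ESP is not in the documentation.
        "undocumented": sorted(seen - documented_ips),
        # Documented but not answering: confirm by cable inspection before removing.
        "not_seen": sorted(documented_ips - seen),
        # Entries older than the 90-day window need re-confirmation.
        "stale": sorted(a.ip for a in documented
                        if (today - a.last_reviewed).days > max_age_days),
    }


if __name__ == "__main__":
    for finding, ips in reconcile(NMAP_XML, DOCUMENTED, SCAN_DATE).items():
        print(f"{finding:12s} {', '.join(ips) or '-'}")
```

An undocumented host is the finding that matters most: it is either an asset missing from the blueprint or something that should not be inside the perimeter at all, and both need resolving before the documentation can be called accurate. A host that is documented but not seen is not automatically removed, since a down CCA is still inside the ESP.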

Page 18: SPP CIP-005 Presentation

Questions

Available until 5/31 at:

http://bit.ly/GDS-CIP005

We have a blog too:

http://cip-gds.tumblr.com/