CIP- 5-5 R2 is focused on ensuring that the security of the Bulk Energy System is not compromised byremote access. The general access control policy defined in section R1 is further augmented by therequirements of R2 for all remote access. This paper discusses the requirements and approaches to meetingthe challenge of Remote Access Management for the Bulk Energy System (BES).IntroductionThe NERC-CIP standards are the primary knowledge resource used by the Utility industry to ensure ournation’s power grid is protected from unintentional (accidental) and intentional (malicious) disruption. Whilethe NERC-CIP standard takes a comprehensive approach to cyber security, there remain areas where thespecific implications of security vulnerabilities are not understood by the industry at large. This whitepaperlooks at the specific area of Remote Access Management as covered by NERC-CIP-005-3a R2.What is Secure RemoteAccess?Remote access occurs anytime an asset insidethe electronic security perimeter (ESP) isaccessed by a user that is outside of the ESPwhether the asset is classified a Critical CyberAsset (CCA) or not. This includes access fromwithin a physical security perimeter and accessfrom outside all physical security perimeters.The focus is on user access to the assets or CCAcontrolling the Bulk Electric Supply (BES). As
depicted in the diagram to the right, users may be inside a physical security perimeter yet outside the actualElectronic Security Perimeter of the BES or they may be at a remote location (i.e. – traveling, working fromhome, etc.) outside all physical and logical security. Only personnel inside the physical security of the ESP orBES control room (or other secured cyber asset location) would not be considered remote.This is a new requirement for Utility organizations that was not included in previous versions of NERC-CIP.From NERC, it addresses “vulnerabilities for remote access methods and technologies that were previouslythought secure and in use by a number of large electric security entities” (NERC-CIP-005-3a R2 - Rationale).While NERC does not currently provide any requirements or guidance documents on how to accomplishsecure remote access, NERC does define the key requirements that must be met by a secure remote accesspractice or solution in CIP-005.The key requirements of CIP-005-3a R2 include:1)2)3)4)5)Implementing an Intermediate Device for Remote AccessEncryption for all Interactive Remote SessionsMulti-factor authenticationUp-to-date anti-malware software on user devicesUp-to-date patch levels on user devicesIntermediate Device (ID) ExplainedA firewall or other electronic access point (EAP) device provides access denial, unless authentication isaccomplished, and limited access based on roles. Once authentication is accomplished, it allows the user todirectly connect to one or more cyber assets, networks, or other logical elements. In the simplest terms, it is alocked door on the perimeter to the BES that must be opened to gain access.« « « « « « « « « « Secur ity Perspe ct ive: Personnel remotely accessing the BES must be managed per CIP-005 R2,but they also must be managed per CIP-007 (strong role-based access control, logging, and real-timeevent /incident detection).From this perspective, even personnel inside the ESP should be utilizing the same controls for accessas those outside the ESP. This ensures that a consistent view, method and process is used for controlof the BES - all the while having command and control of the BES that is logged and audited in such amanner as to thwart an insider attack or insider unintentional impact to the BES.CIP-005 R2 should be considered in the broader scope of the NERC-CIP regulations when formulatingan overall security strategy. Addressing the new requirements for Remote Access Management inisolation can result in a fragmented security solution with gaps that can have a significant impact onthe ability of the Utility organization to support reliability and security - its primary objective.« « « « « « « « « «
With Remote Access Management there is another step between the EAP and the BES that is required tomeet the CIP-005 R2 requirements. Instead of gaining access to the BES through the EAP, the user gainsaccess to an Intermediate Device (ID). The ID is connected to the BES cyber network inside the ESP. In thisconfiguration, there is no direct connection between the remote user and the BES or CCA. This kind ofIntermediate Device is often called a jump box or bastion host. The jump box provides an added layer orbuffer to the security of the BES, never directly exposing a BES cyber system to a remote cyber asset.Compared to the EAP “locked door” analogy, CIP-005 R2 can be viewed as two locked doors, with the seconddoor opening from a secure ‘room’ to the BES cyber network. Authenticated users enter the secure roomwhere they can issue commands that the room can then carry out to the BES cyber asset. In this scenario, theuser is never directly connected to the BES cyber system or network. The Remote Access Managementsolution is presented in the following diagram.In this scenario, the remote user connects to an EAP through a firewall (Firewall 1), probably with a VPN. Theremote user must now authenticate against the Intermediate Device (ID) using a multi-factor (username,password and an additional method) authentication. Once authenticated, the Intermediate Device providesthe specific connectivity to the BES CCA through the next firewall (Firewall 2) needed for the remote user to dotheir work.The result is a DMZ (De-Militarized Zone) that acts as a composite EAP (combination of Firewall 1, ID, andFirewall 2).Additional Requirements:1) Networking between Firewall 1 and the ID is both physical and logical2) Networking between ID and Firewall 2 is both physical and logical3) Firewall 1 and Firewall 2 are NOT the same device type
Employing physical networking between Firewall 1 and the ID, and the ID and Firewall 2 (as depicted in theIntermediate Device Solution diagram above) ensures that NO connection can be made to the BES or a CCAwithout going through the composite EAP.By deploying defense-in-depth with layering of firewalls, role-based access management, and high availabilityfailover of security status monitoring and event logging, entities can be assured of data integrity, rapidincident response and disaster recovery.Intermediate Device Advanced CapabilitiesIntermediate Devices can provide advanced capabilities to harden the security footprint without impactinguser performance – a major drawback in many Intermediate Device approaches.The major performance impact derives from RDP (Remote Desktop Protocol) sessions1 that are heavybandwidth consumers that cannot be comprehensively audited. CLI (Command Line Interface) sessions aremuch lighter (and auditable) but can still affect performance depending on their technical implementation.Advanced capabilities in Intermediate Devices can include:1) Role-based access and control that limits each user’s access to a predefined set of cyber assets inthe BES2) Least privilege by user and/or role, limiting privileges to lowest level needed to perform the work theuser is authorized to eprimarilyanartifactofWindowsservers
3) Capture of all user activity down to the keystroke (CLI). (usage of video or graphics based interfacesdo not allow capture of meaningful keystroke activity for auditing purposes as it allows the mixture of“Button Pushes”, “Check Box” and keystrokes.)4) Capture of system messages from application logs , SNMP alerts, SYSLOG and other sources5) Management of all BES assets in the ESP – not just servers. Support of more than just a single OS,application or interface.6) Support for normal and emergency operations including power reset, firmware management, BIOSConfiguration as well as multi-user privileged access.7) Event detection and alerting – predefined and admin configurable8) Single pane-of-glass oversight9) Business rules that restrict, alert, or control user activity« « « « « « « « « « Additiona l resources:One reference that can help in assessing or designing a secure network is available from the DefenseInformation System twork management security guidance at-aglance v8r1.pdfOther resources that discuss network design/topology, security practices and security process includeITIL V3, ISO270001, NIST, FEMA, and SANS 20 Critical Security Controls for Effective Cyber Defense.« « « « « « « « « « 10) Coverage for all privileged interfaces, in-band (production) network and out-of-band (maintenance)networkThe items in the list above (in particular items 1,2,3,7,8) are common security practices typically falling underthe practice of Privileged Access Management (PAM).Privileged Access ManagementPrivileged Access Management is a highly appropriate value-added role for an Intermediate Device for NERCCIP-005-3a R2. Restricting access to specific cyber assets, networks, or other logical elements at each EAP(the traditional approach) is valuable, but it does not provide fine-grained control over what a user can accessor the privileges granted for each. Intermediate Devices should serve as the fine-grained control mechanismfor the Remote Access Management practice.Supporting the Role of PeopleThe most secure access profile eliminates remote access altogether. This, however, is unreasonable as itwould require that all staff needed to service the BES - address security threats, perform IT maintenance, andrespond to emergencies - would be required to be physically present inside the physical security of the BESESP at all times (24/7/365).
This brings up an extremely important point. When personnel are accessing the BES remotely, they aretypically doing so under conditions demanding fast response and expert skill. This most commonly occurs inone of the following two scenarios: 1) issues that threaten availability of the BES (alarm, outage, serviceissues, etc.) and 2) security threats.An Intermediate Device can serve multiple purposes by addressing the context of the people needing remoteaccess with supporting capabilities that improve their ability to resolve operational or security issues.To do this, the Intermediate Device must have very good situational awareness of the complete BES CCAinside the ESP – from hardware to the application and all points in-between. This way, when the remote orlocal user accesses the ID they will not need to look in multiple places to gain a forensic understanding offailures, degradation or other issues affecting BES availability (which cause remote access to be used byremote personnel). This directly supports the primary objective of Availability while providing the appropriatelevel of security.Forensic capture and logging down to the keystroke of privileged user activity provides another importantsecurity and compliance function. Capturing privileged user activity actively deters out-of-policy behavior whilethe information it contains is often critical to resolving issues and mitigating security threats caused byhuman error or malicious intent by Insider threat.Remote access to both in-band and out-of-band networks is a requirement. The out-of-band network is theonly network and interface where emergency operations and actions can be taken to resolve hardware orsoftware failures, including configuration issues related to hardware, operating system, network and oftenapplications.Where the Intermediate Device can capture system messages (application logs, SYSLOG, SNMP andprivileged actions for single user and multi-user access et. al.), it can serve a dual purpose by automaticallyproducing compliance records and for retaining information needed by remote users to troubleshoot issues,confirm operations, and be alerted to potential problems.This ability also has impact on mean-time-to-repair (MTTR) since forensic information needed to repair or« « « « « « « « « « In-band a nd out-of-band net work s:The In-band network is commonly referred to as the production network. It uses the normalnetworking ports on devices that require each device to be functional, healthy, and fully operationalwith network services running before communications can be established.The out-of-band network is commonly referred to as the maintenance network. It uses special portsincluding baseboard management controllers (iLO, DRAC, ALOM, etc.) and serial privileged interfacesto establish communications. These ports (often called Configuration Ports – see whitepaper CIP-007R1: Understanding the Importance and Relevance of Configuration Ports to Utility Cyber Security) arealways on as long as there is power to the chassis of the device.« « « « « « « « « « correct the BES configuration would be at-hand in the event of an outage or degradation. Having theinformation readily at-hand, eliminates the need to look in multiple places and find available logs messages(assuming they still exist or in some cases may have been a single last gasp alert not stored or no longeravailable).
From a management perspective, the Intermediate Device with the capabilities listed here providescomprehensive oversight and transparency. Because the Intermediate Device is effectively a single point ofconnection for remote and local users to the BES cyber system, it has access to all of the information neededto provide a single source of all Remote Access activity. This makes the Intermediate Device the ideal sourcefor single pane-of-glass oversight and situational awareness.Ideally, the Intermediate Device would automatically confirm the user’s device has met malware and patchlevel requirements before allowing the user to connect to it – although this may be instituted as a separatesecurity procedure.The challenge here is that the rem