
CIP-005-3a

Electronic Security Perimeters


A Primer in ESP Identification
Brent Johnson, CISSP, CISA
Project Consultant
GDS Associates, Inc.
CIP-005: Electronic Security Perimeters

• 5 Requirements:
  – Identify
  – Control
  – Monitor
  – Assess Vulnerabilities
  – Maintain Documentation
• This presentation deals specifically with Identification of ESPs
Importance of ESP Documentation

• Documentation is the blueprint to network security
  – Visually shows how CCAs are electronically protected
  – Forces entities to confirm their electronic security strategy
  – Serves as a guide for auditors
What is an ESP?

• Electronic Security Perimeter
• The logical border around a network
  – All CCAs must be protected by an ESP
  – Access is Controlled
How is Access Controlled?

• Access Points
  – The device that discriminates between authorized and unauthorized traffic in and out of ESPs
  – This may not always be the outermost device on the network!
Understanding Access Points

"The endpoint is the ESP access point if access is controlled at the endpoint, irrespective of which OSI layer is managing the communication."

– Non-binding Standard Drafting Team Comment on CIP-005-1 Interpretation
http://www.nerc.com/docs/standards/sar/2009-12_C_of_C_Initial_Ballot_RFI_PacifiCorp_CIP-005-1_2009Oct12.pdf
Access Points

• Device Accessible from Outside
  – A device accessible from outside the ESP, unless this access is controlled by another device in the ESP
• VPNs and Tunnels
  – Anything serving as an endpoint of a tunnel where the other endpoint is outside the ESP
  – This applies even when the other endpoint is in a different ESP
• Dial-Up
  – Externally connected dial-up devices
Access Points: Accessible from Outside

• Alice needs to access the File Server
  – She has a username, password and network token
• The Firewall forwards all traffic arriving on the VPN Server's port to the VPN Server, without considering its origin
• The VPN Server is responsible for authenticating users
• Where is the access point?
Access Points: VPNs

• Alice needs to check on Workstations A, B and C
• Once she authenticates with the VPN, she has a secure tunnel to the ESP Firewall
• The ESP Firewall only allows traffic in from the VPN Server, which is already authenticated
Access Points: Modems

• The corporate internet connection goes down and Alice needs to remotely access the protected network
• Alice uses a cell phone modem to connect to the dial-up server, which then authenticates her
Links Between ESPs

• Communication networks connecting discrete ESPs together are not considered part of the ESP
  – Equipment outside of ESP access points is out of scope
• It is possible to create one logical ESP even if it is broken into multiple physical locations
Access Control & Monitoring Equipment

Functions of ACM Equipment

• Logging
  – Centralized Logging Servers
• Intrusion Detection
  – SIEM
  – IDS/IPS
  – Pattern Recognition
  – Incident Response
• Authentication
  – Active Directory
  – LDAP
  – Kerberos
Protecting ACM Equipment

ACM equipment is protected by requirements drawn from across the CIP standards. The slide groups them under five themes (Physical Security, Secure Configuration, Evolving Threat Response, Response and Recovery, and Information Security); the requirements, listed by the CIP standard that contains each, are:

• CIP-003
  – Information Protection
  – Change Control and Configuration Management
• CIP-004
  – Personnel Risk Assessment
• CIP-005
  – Electronic Access Controls
  – Monitoring Electronic Access
• CIP-006
  – Electronic Access Control Systems (PSP)
• CIP-007
  – Security Patch Management
  – Malicious Software Prevention
  – Security Status Monitoring
  – Security Controls Testing
  – Cyber Vulnerability Assessment
  – Account Management
  – Disposal and Redeployment
  – Systems Security Management Documentation Review
• CIP-008
  – Incident Reporting & Response
• CIP-009
  – Recovery Plans
Documenting an ESP: Components

• Good ESP documentation successfully identifies:
  – Critical Cyber Assets
  – Access Points
  – Access Control and Monitoring Equipment
  – All other assets inside the ESP
Documenting an ESP

• Accuracy is imperative!
• Develop documentation based on known configuration and confirm topology with:
  – Network discovery of assets
    • Nmap
  – Physical Cable Inspection
• Documentation must contain all cyber assets inside, regardless of Criticality
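The following is an added example (not part of the original presentation) of the confirmation step above: it parses the XML that Nmap writes with `-oX` and reconciles the hosts found in the documented ESP address range against the documented asset list, so that undocumented assets inside the perimeter, and documented assets that did not answer, are surfaced for investigation. The ESP address range, the asset names and the Nmap XML are constructed sample data, not real assets or a real scan.

```python
"""Reconcile an ESP asset inventory against an Nmap discovery scan.

Added example, not from the original presentation. Parses Nmap XML
output (nmap -sn -oX scan.xml <range>) and compares live hosts inside
the documented ESP range with the documented asset list, so that every
cyber asset inside the perimeter is in the documentation regardless of
criticality. All inventory data and scan output below are constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed ESP documentation: address space and documented assets.
ESP_NETWORK = ipaddress.ip_network("10.20.30.0/24")
DOCUMENTED_ASSETS = {
    "10.20.30.1": "ESP Firewall (access point)",
    "10.20.30.10": "File Server (CCA)",
    "10.20.30.11": "Workstation A",
    "10.20.30.12": "Workstation B",
    "10.20.30.13": "Workstation C",
    "10.20.30.20": "Centralized Logging Server (ACM)",
}

# Constructed Nmap XML, in the shape produced by: nmap -sn -oX scan.xml 10.20.30.0/24
# Workstation C is down at scan time and two undocumented hosts answer.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -oX scan.xml 10.20.30.0/24">
  <host><status state="up"/><address addr="10.20.30.1" addrtype="ipv4"/><address addr="00:11:22:33:44:01" addrtype="mac"/></host>
  <host><status state="up"/><address addr="10.20.30.10" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="10.20.30.11" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="10.20.30.12" addrtype="ipv4"/></host>
  <host><status state="down"/><address addr="10.20.30.13" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="10.20.30.20" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="10.20.30.77" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="10.20.30.99" addrtype="ipv4"/></host>
</nmaprun>
"""


def live_hosts(nmap_xml):
    """Return the set of IPv4 addresses that Nmap reports as up."""
    root = ET.fromstring(nmap_xml)
    hosts = set()
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                hosts.add(addr.get("addr"))
    return hosts


def reconcile(documented, discovered, network):
    """Compare the documented inventory with discovery results.

    Returns a dict with three sorted lists:
      undocumented: live hosts inside the ESP range missing from the docs
      missing:      documented assets that did not answer the scan
      out_of_range: documented assets whose address is outside the ESP range
    """
    in_scope = {ip for ip in discovered if ipaddress.ip_address(ip) in network}
    by_ip = ipaddress.ip_address
    return {
        "undocumented": sorted(in_scope - set(documented), key=by_ip),
        "missing": sorted(set(documented) - in_scope, key=by_ip),
        "out_of_range": sorted((ip for ip in documented
                                if ipaddress.ip_address(ip) not in network), key=by_ip),
    }


def run_sample():
    """Run the reconciliation over the constructed inventory and scan."""
    return reconcile(DOCUMENTED_ASSETS, live_hosts(SAMPLE_NMAP_XML), ESP_NETWORK)


if __name__ == "__main__":
    for finding, ips in run_sample().items():
        print(f"{finding}: {ips}")
```

Each finding is a lead, not a conclusion: an "undocumented" host is either a missing documentation entry or an asset that should not be inside the perimeter, and a "missing" host may simply have been powered off at scan time, which is why the physical cable inspection on the slide still has to be done. A scan also sees only one path into each host; redundant cabling and unused ports do not show up here.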
Common Pitfalls in Documenting ESPs

• Not everything is included
• Redundant cabling/port connections are not documented
• Failure to consider Access Points possibly behind the outermost device
• Documentation not updated within 90 days of changes made
Questions

Available until 5/31 at: http://bit.ly/GDS-CIP005
We have a blog too: http://cip-gds.tumblr.com/