Managing Interactive Remote Access - SPP


Managing Interactive Remote Access
2015 CIP Compliance Workshop
June 2, 2015
Shon Austin, Lead Compliance Specialist

Objectives
- What is Interactive Remote Access?
- Which requirements are associated with Interactive Remote Access?
- Migrating from V3 to V5 (example implementation solutions)
- Avoid the most common sticking points/potential issues
- Questions and Summary

What is Interactive Remote Access
Interactive Remote Access - Effective 4/1/16 - Interactive Remote Access is defined as:
"User-initiated access by a person employing a remote access client or other remote access technology using a routable protocol. Remote access originates from a Cyber Asset that is not an Intermediate System and not located within any of the Responsible Entity's Electronic Security Perimeter(s) or at a defined Electronic Access Point (EAP). Remote access may be initiated from: 1) Cyber Assets used or owned by the Responsible Entity, 2) Cyber Assets used or owned by employees, and 3) Cyber Assets used or owned by vendors, contractors, or consultants. Interactive remote access does not include system-to-system process communications."

What is Interactive Remote Access
Intermediate System is defined in the NERC Glossary of Terms as:
"a Cyber Asset or collection of Cyber Assets performing access control to restrict Interactive Remote Access to only authorized users. The Intermediate System must not be located inside the Electronic Security Perimeter. (ESP)"
The Intermediate System acts as a proxy between the Cyber Asset initiating the external communication and the cyber assets within the ESP.

What is Interactive Remote Access
- An Intermediate System can be broken into a collection of systems
  - Number of functions (e.g., protocol break or proxy, encryption termination, and multi-factor authentication)
  - Mix and match

Applicable Systems
- High Impact BES Cyber Systems and their associated PCA
- Medium Impact BES Cyber Systems with External Routable Connectivity* (ERC*) and their associated PCA
*This is addressed in the SPP RE External Routable Connectivity presentation.

Requirement
- Part 2.1 - Use an Intermediate System such that the Cyber Asset initiating Interactive Remote Access does not directly access an applicable Cyber Asset
- Part 2.2 - Use encryption that terminates at an Intermediate System for all Interactive Remote Access
- Part 2.3 - Use multi-factor (i.e., at least two) authentication to manage all Interactive Remote Access sessions

Implementing Part 2.1
Part 2.1 - Use an Intermediate System such that the Cyber Asset initiating Interactive Remote Access does not directly access an applicable Cyber Asset
- Identify your entity's requirements for allowing Interactive Remote Access
- To increase overall security posture, place the Intermediate System(s) into a demilitarized zone (DMZ): a defined, protected network with both ingress and egress filtering rules in place
- The Intermediate System can be used to access Cyber Assets in mixed environments
  - These systems can have different impact ratings inside the ESP as well as be outside the ESP

Implementing Part 2.1
- Establish criteria for determining which applications should reside on the Intermediate System
  - Need to know
- Ensure Interactive Remote Access is managed by the Intermediate System
  - The Cyber Asset initiating the external communication does not have direct external access
  - Cannot RDP directly to a SCADA system within an ESP from outside the ESP
    - Not a pass-through: RDP from the Intermediate System must be a new session originating from the Intermediate System

Implementing Part 2.1
- Interactive Remote Access is NOT
  - System-to-system communications, despite the fact that the same protocol can be used for Interactive Remote Access

Implementing Part 2.2
Part 2.2 - Use encryption that terminates at an Intermediate System for all Interactive Remote Access
- Encryption between the Cyber Asset initiating communication and the Intermediate System(s)
- Where is encryption required to terminate?
  - There is confusion regarding where encryption must terminate
  - Encryption is only required on the "non-secure" side of the Intermediate System

How to implement Part 2.3
Part 2.3 - Use multi-factor (i.e., at least two) authentication to manage all Interactive Remote Access sessions
- Implement multi-factor authentication using authentication factors from at least two of three generally accepted categories:
  - Something you know (the knowledge factor), e.g., a password or personal identification number (PIN)
  - Something you have (the possession factor), e.g., a one-time password token or a smart card
  - Something you are (the inherence factor), e.g., a fingerprint or iris pattern

How to implement Part 2.3
- Additional authentication factors outside of the classical paradigm
  - When implemented, they reduce the shortcomings associated with traditional (static) passwords
  - Location factors: the authenticator's current location, e.g., a GPS device (smartphone)

How to implement Part 2.3
- Where does multi-factor authentication have to be performed?
  - Before gaining access to a system inside the ESP
- Can an Intermediate System be accessed directly for Interactive Remote Access without performing multi-factor authentication?
  - No. Must ensure multi-factor authentication cannot be bypassed when attempting Interactive Remote Access to assets within the ESP
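The three Parts above (2.1 Intermediate System and no pass-through, 2.2 encryption terminating at the Intermediate System, 2.3 multi-factor authentication before reaching the ESP) can be checked mechanically against session records from the DMZ and ESP firewalls or the jump host. This is an added example, not material from the workshop or from SPP; the host names, record fields and sample sessions are constructed.

```python
"""Check constructed session records against CIP-005-5 R2 Parts 2.1-2.3 (added example)."""
from dataclasses import dataclass

INTERMEDIATE_SYSTEMS = {"ems-jumphost-dmz"}    # constructed: Intermediate System(s) in the DMZ
ESP_ASSETS = {"ems-scada-01", "ems-hist-01"}   # constructed: applicable Cyber Assets inside the ESP

@dataclass
class Session:
    src: str            # host that initiated the session
    dst: str            # host that received it
    encrypted: bool     # transport on this hop is encrypted (e.g. TLS-wrapped RDP, SSH)
    mfa: bool           # session was authenticated with at least two factors
    passthrough: bool   # forwarded/tunnelled through src rather than a new session from src

def check_sessions(sessions):
    """Return a list of (session, finding) for every hop that violates a Part."""
    findings = []
    for s in sessions:
        if s.dst in ESP_ASSETS:
            # Part 2.1: only an Intermediate System may reach an applicable Cyber Asset ...
            if s.src not in INTERMEDIATE_SYSTEMS:
                findings.append((s, "2.1: direct access to ESP asset, not via Intermediate System"))
            # ... and it must be a new session from the Intermediate System, not a pass-through
            elif s.passthrough:
                findings.append((s, "2.1: pass-through; Intermediate System must originate a new session"))
        elif s.dst in INTERMEDIATE_SYSTEMS:
            # Part 2.2: encryption on the non-secure side must terminate at the Intermediate System
            if not s.encrypted:
                findings.append((s, "2.2: unencrypted session to Intermediate System"))
            # Part 2.3: multi-factor authentication before any access onward into the ESP
            if not s.mfa:
                findings.append((s, "2.3: Intermediate System reached without multi-factor authentication"))
    return findings

# Constructed sample records: two compliant hops followed by three non-compliant ones
SAMPLE = [
    Session("corp-pc-17", "ems-jumphost-dmz", encrypted=True, mfa=True, passthrough=False),
    Session("ems-jumphost-dmz", "ems-scada-01", encrypted=True, mfa=True, passthrough=False),
    Session("corp-pc-17", "ems-scada-01", encrypted=True, mfa=True, passthrough=False),   # direct RDP
    Session("ems-jumphost-dmz", "ems-hist-01", encrypted=True, mfa=True, passthrough=True),  # pass-through
    Session("vendor-laptop", "ems-jumphost-dmz", encrypted=False, mfa=False, passthrough=False),
]

if __name__ == "__main__":
    for s, why in check_sessions(SAMPLE):
        print(f"{s.src} -> {s.dst}: {why}")
```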

How Interactive Remote Access's vulnerabilities are reduced in V5 (from V3)

[Diagram: EMS SysAdmin via Remote PC and EMS SysAdmin via Corporate PC, passing through the Corporate Firewall, DMZ Firewall (EMS Jump Host) and ESP Firewall to the BES Cyber Systems and the EMS Jump Host DC]


Suggested Evidence
- Network diagrams
- Evidence of multi-factor authentication
- Evidence of end-to-end encryption
- Evidence that the Intermediate System is subjected to applicable CIP requirements for EACMS (Electronic Access Control or Monitoring System)

References
- DRAFT Lesson Learned, CIP Version 5 Transition Program, CIP-005-5 R2: Interactive Remote Access, Version: January 9, 2015
- NERC Guidance for Secure Interactive Remote Access, July 2011
- National Institute of Standards and Technology (NIST), NIST Special Publication (SP) 800-63-2 (2013)

Summary
- Interactive Remote Access must be managed by an Intermediate System(s)
- Interactive Remote Access does not originate on an Intermediate System or inside of an ESP
- Requires encryption to the Intermediate System
- Requires multi-factor authentication
- Programmatic interfaces can run on the Intermediate System, eliminating Interactive Remote Access

SPP RE CIP Team
- Kevin Perry, Director of Critical Infrastructure Protection, (501) 614-3251
- Shon Austin, Lead Compliance Specialist-CIP, (501) 614-3273
- Steven Keller, Lead Compliance Specialist-CIP, (501) 688-1633
- Jeremy Withers, Senior Compliance Specialist-CIP, (501) 688-1676
- Robert Vaughn, Compliance Specialist II-CIP, (501) 482-2301
