Bandolier and NERC CIP
From SCADApedia
Bandolier audit files are used in security scanners such as Nessus to compare security settings in the operating system and applications, including control system applications, to a Gold Standard: an optimal security configuration developed by the control system vendor, Digital Bond and asset owners. Bandolier helps an organization validate that its servers and workstations are configured according to security best practice at installation, and periodically thereafter to detect a degraded security posture.
Bandolier audit files can also aid with security compliance efforts, including the NERC CIP standards. This SCADApedia page focuses on the specific NERC CIP requirements that Bandolier can not only help test, but also provide evidence of compliance to assist in NERC CIP audits.
Individual Bandolier audit tests primarily assist with CIP-007 requirements. According to its purpose statement, CIP-007 "requires Responsible Entities to define methods, processes, and procedures for securing those systems determined to be Critical Cyber Assets, as well as the non-critical Cyber Assets within the Electronic Security Perimeter(s)." The Bandolier audit files can be a valuable tool for validating secure configuration settings for servers and workstations that are considered Critical Cyber Assets or that exist within the Electronic Security Perimeter.
CIP-007-1 R1: Test Procedures
Requirements
R1. Test Procedures — The Responsible Entity shall ensure that new Cyber Assets and significant changes to existing Cyber Assets within the Electronic Security Perimeter do not adversely affect existing cyber security controls. For purposes of Standard CIP-007, a significant change shall, at a minimum, include implementation of security patches, cumulative service packs, vendor releases, and version upgrades of operating systems, applications, database platforms, or other third-party software or firmware.
R1.1. The Responsible Entity shall create, implement, and maintain cyber security test procedures in a manner that minimizes adverse effects on the production system or its operation.
R1.2. The Responsible Entity shall document that testing is performed in a manner that reflects the production environment.
R1.3. The Responsible Entity shall document test results.
Bandolier Applicability
- The Bandolier audit templates can be a valuable part of the testing procedures outlined in this requirement because they audit a server or workstation's security configuration, or "cyber security controls" as described in the standard language.
- Because the Bandolier audits use an authenticated management connection rather than traditional vulnerability scanning methods, the risk of adverse effects as described in R1.1 is minimal.
- Reports from the audit templates can generally be saved in a variety of formats that can provide the documentation required by R1.3.
- EXAMPLE: After an update has been applied, a Bandolier audit can be performed to validate that the defined security best practice has not changed.
CIP-007-1 R2: Ports and Services
Requirements
R2. Ports and Services — The Responsible Entity shall establish and document a process to ensure that only those ports and services required for normal and emergency operations are enabled.
R2.1. The Responsible Entity shall enable only those ports and services required for normal and emergency operations.
R2.2. The Responsible Entity shall disable other ports and services, including those used for testing purposes, prior to production use of all Cyber Assets inside the Electronic Security Perimeter(s).
R2.3. In the case where unused ports and services cannot be disabled due to technical limitations, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure or an acceptance of risk.
Bandolier Applicability
- The Bandolier development approach includes working with the application vendor to define the minimum set of services and processes required for the application to function properly. This intelligence is included in the audit templates.
- The Bandolier audit templates report on the status of known services or processes.
CIP-007-1 R5: Account Management
Requirements
R5. Account Management — The Responsible Entity shall establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access.
R5.1. The Responsible Entity shall ensure that individual and shared system accounts and authorized access permissions are consistent with the concept of “need to know” with respect to work functions performed.
R5.1.1. The Responsible Entity shall ensure that user accounts are implemented as approved by designated personnel. Refer to Standard CIP-003 Requirement R5.
R5.1.2. The Responsible Entity shall establish methods, processes, and procedures that generate logs of sufficient detail to create historical audit trails of individual user account access activity for a minimum of ninety days.
R5.1.3. The Responsible Entity shall review, at least annually, user accounts to verify access privileges are in accordance with Standard CIP-003 Requirement R5 and Standard CIP-004 Requirement R4.
R5.2. The Responsible Entity shall implement a policy to minimize and manage the scope and acceptable use of administrator, shared, and other generic account privileges including factory default accounts.
R5.2.1. The policy shall include the removal, disabling, or renaming of such accounts where possible. For such accounts that must remain enabled, passwords shall be changed prior to putting any system into service.
R5.2.2. The Responsible Entity shall identify those individuals with access to shared accounts.
R5.2.3. Where such accounts must be shared, the Responsible Entity shall have a policy for managing the use of such accounts that limits access to only those with authorization, an audit trail of the account use (automated or manual), and steps for securing the account in the event of personnel changes (for example, change in assignment or termination).
R5.3. At a minimum, the Responsible Entity shall require and use passwords, subject to the following, as technically feasible:
R5.3.1. Each password shall be a minimum of six characters.
R5.3.2. Each password shall consist of a combination of alpha, numeric, and “special” characters.
R5.3.3. Each password shall be changed at least annually, or more frequently based on risk.
Bandolier Applicability
- The Bandolier audit templates can verify whether Windows default accounts have been renamed and/or disabled. (R5.2.1)
- Default application accounts, where possible, are identified and audited by the templates. (R5.2.1)
- The Bandolier audit templates measure operating system password characteristics on Windows and Unix systems. (R5.3)
- The Bandolier audit templates, where possible, measure the password characteristics at the application level. (R5.3)
CIP-007-1 R8: Vulnerability Assessment
Requirements
R8. Cyber Vulnerability Assessment — The Responsible Entity shall perform a cyber vulnerability assessment of all Cyber Assets within the Electronic Security Perimeter at least annually. The vulnerability assessment shall include, at a minimum, the following:
R8.1. A document identifying the vulnerability assessment process;
R8.2. A review to verify that only ports and services required for operation of the Cyber Assets within the Electronic Security Perimeter are enabled;
R8.3. A review of controls for default accounts; and,
R8.4. Documentation of the results of the assessment, the action plan to remediate or mitigate vulnerabilities identified in the assessment, and the execution status of that action plan.
Bandolier Applicability
- The Bandolier audit templates are not a complete vulnerability assessment but can contribute to the assessment process.
- The Bandolier development approach includes working with the application vendor to define the minimum set of services and processes required for the application to function properly. This intelligence is included in the audit templates. (R8.2)
- Where possible, the audit templates report on the status of default operating system and application accounts. (R8.3)
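The following added example (not Digital Bond's audit files, nor Nessus .audit syntax) illustrates the Gold Standard comparison described in the R2, R5 and R8 sections above: a host's collected configuration is checked against a vendor-style baseline and each result is tagged with the CIP-007 sub-requirement it supports. Service and account names and the sample host data are constructed; the password thresholds are the R5.3 minimums quoted on this page.

```python
"""Gold Standard configuration audit in the style of a Bandolier check (constructed example)."""

# Constructed baseline. Service names are hypothetical; a real baseline
# comes from the application vendor, as the R2 section describes.
GOLD_STANDARD = {
    "required_services": {"HistorianSvc", "OPCServer"},
    "allowed_services": {"HistorianSvc", "OPCServer", "EventLog"},
    "default_accounts": {"Administrator", "Guest"},   # must be renamed or disabled
    "min_password_length": 6,        # CIP-007 R5.3.1
    "password_complexity": True,     # CIP-007 R5.3.2
    "max_password_age_days": 365,    # CIP-007 R5.3.3 (at least annually)
}

def audit_host(host, baseline=GOLD_STANDARD):
    """Return (requirement, check, passed, detail) tuples: the evidence an
    R1.3 / R8.4 record would retain."""
    results = []
    running = set(host["running_services"])
    # R2.1 / R8.2: only approved services enabled, and the required ones present.
    extra = running - baseline["allowed_services"]
    results.append(("R2.1", "no unapproved services", not extra,
                    "unapproved: " + ", ".join(sorted(extra)) if extra else "ok"))
    missing = baseline["required_services"] - running
    results.append(("R2.1", "required services present", not missing,
                    "missing: " + ", ".join(sorted(missing)) if missing else "ok"))
    # R5.2.1 / R8.3: default accounts renamed (absent) or disabled.
    for acct in sorted(baseline["default_accounts"]):
        state = host["accounts"].get(acct)
        ok = state is None or not state["enabled"]
        results.append(("R5.2.1", f"default account {acct} renamed/disabled", ok,
                        "renamed" if state is None else ("disabled" if ok else "enabled")))
    # R5.3: password characteristics. A max age of 0 means "never expires" and fails R5.3.3.
    pw = host["password_policy"]
    results.append(("R5.3.1", "minimum password length",
                    pw["min_length"] >= baseline["min_password_length"], f"{pw['min_length']} chars"))
    results.append(("R5.3.2", "password complexity enforced",
                    pw["complexity"] is baseline["password_complexity"], str(pw["complexity"])))
    results.append(("R5.3.3", "password changed at least annually",
                    0 < pw["max_age_days"] <= baseline["max_password_age_days"], f"{pw['max_age_days']} days"))
    return results

def failed_checks(results):
    """Flatten failing results into report lines for the remediation action plan (R8.4)."""
    return [f"{req}: {check} ({detail})" for req, check, ok, detail in results if not ok]

# Constructed sample data, as an authenticated management connection would collect it.
SAMPLE_HOST = {
    "running_services": ["HistorianSvc", "OPCServer", "EventLog", "TelnetSvc"],
    "accounts": {"Administrator": {"enabled": True}, "Guest": {"enabled": False}},
    "password_policy": {"min_length": 8, "complexity": True, "max_age_days": 0},
}

if __name__ == "__main__":
    for line in failed_checks(audit_host(SAMPLE_HOST)):
        print("FAIL", line)
```

Running the block against the sample host reports three failures: an unapproved service, an enabled default account, and a password that never expires.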
See also
Bandolier Compliance Check Categories
List of Bandolier Audit Templates
Cyber Security Audit and Attack Detection Toolkit
