NEMA CPSP 2-2018 Cyber Hygiene Best Practices.pdf

1、NEMA Standards PublicationNational Electrical Manufacturers AssociationNEMA CPSP 2-2018Cyber Hygiene Best PracticesA NEMA White Paper CPSP 2-2018 Cyber Hygiene Best Practices Published by National Electrical Manufacturers Association 1300 North 17thStreet, Suite 900 Rosslyn, Virginia 22209 www.nema.

2、org The requirements or guidelines presented in this NEMA white paper are considered technically sound at the time they are approved for publication. They are not a substitute for a product sellers or users own judgment with respect to the particular product discussed, and NEMA does not undertake to

3、 guarantee the performance of any individual manufacturers products by virtue of this document or guide. Thus, NEMA expressly disclaims any responsibility for damages arising from the use, application, or reliance by others on the information contained in this white paper. 2018 National Electrical M

4、anufacturers Association. All rights, including translation into other languages, reserved under the Universal Copyright Convention, the Berne Convention for the Protection of Literary and Artistic Works, and the International and Pan American copyright conventions. NEMA CPSP 2-2018 Page 2 2018 Nati

5、onal Electrical Manufacturers Association NOTICE AND DISCLAIMER The information in this publication was considered technically sound by the consensus of persons engaged in the development and approval of the document at the time it was developed. Consensus does not necessarily mean that there is una

6、nimous agreement among every person participating in the development of this document. NEMA standards and guideline publications, of which the document contained herein is one, are developed through a voluntary consensus standards development process. This process brings together volunteers and/or s

7、eeks out the views of persons who have an interest in the topic covered by this publication. While NEMA administers the process and establishes rules to promote fairness in the development of consensus, it does not write the document and it does not independently test, evaluate, or verify the accura

8、cy or completeness of any information or the soundness of any judgments contained in its standards and guideline publications. NEMA disclaims liability for any personal injury, property, or other damages of any nature whatsoever, whether special, indirect, consequential, or compensatory, directly or

9、 indirectly resulting from the publication, use of, application, or reliance on this document. NEMA disclaims and makes no guaranty or warranty, expressed or implied, as to the accuracy or completeness of any information published herein, and disclaims and makes no warranty that the information in t

10、his document will fulfill any of your particular purposes or needs. NEMA does not undertake to guarantee the performance of any individual manufacturer or sellers products or services by virtue of this standard or guide. In publishing and making this document available, NEMA is not undertaking to re

11、nder professional or other services for or on behalf of any person or entity, nor is NEMA undertaking to perform any duty owed by any person or entity to someone else. Anyone using this document should rely on his or her own independent judgment or, as appropriate, seek the advice of a competent pro

12、fessional in determining the exercise of reasonable care in any given circumstances. Information and other standards on the topic covered by this publication may be available from other sources, which the user may wish to consult for additional views or information not covered by this publication. N

13、EMA has no power, nor does it undertake to police or enforce compliance with the contents of this document. NEMA does not certify, test, or inspect products, designs, or installations for safety or health purposes. Any certification or other statement of compliance with any health or safety-related

14、information in this document shall not be attributable to NEMA and is solely the responsibility of the certifier or maker of the statement. NEMA CPSP 2-2018 Page 3 2018 National Electrical Manufacturers Association Executive Summary Purpose Cyber Hygiene Best Practices identifies a set of industry b

15、est practices and guidelines that electrical equipment and medical imaging manufacturers can implement to raise their level of cybersecurity sophistication in their manufacturing facility and engineering processes. The document provides guidelines for proactive and reactive security with a focus on

16、people, processes, and products. The guideline document addresses raising a manufacturers level of cybersecurity sophistication by following seven fundamental principles: a. Segmenting networks b. Understanding data types and flows c. Monitoring devices and systems d. User management e. Hardening de

17、vices f. Updating devices g. Providing a recovery plan/escalation process This document is not meant to be all-inclusive but rather a representative set of best practices that vendors can implement both in their manufacturing facility and engineering processes. This document is also not intended to

18、describe security best practices for the manufactured devices. Document Structure For each fundamental principle, the following information is provided: a. Identification of threats and an analysis of their implications; b. Additional reference documents and; c. Recommendations that electrical equip

19、ment and medical imaging manufacturers should incorporate. NEMA CPSP 2-2018 Page 4 2018 National Electrical Manufacturers Association CONTENTS Executive Summary 3 Acknowledgements . 5 Introduction . 6 Document Scope . 6 Definitions 6 Risk Tolerance 8 Fundamental Principles . 8 1. Segmenting Networks

20、 . 8 2. Understanding Data Types and Flows 11 3. Monitoring Devices and Systems 12 4. User Management . 13 5. Hardening Devices 15 6. Updating Devices 16 7. Providing a Recovery Plan and/or Escalation Process . 17 Figures Figure 1 A Typical Segmented Manufacturing Network . 9 Figure 2 A Typical Segm

21、ented Multi-Institution Manufacturing Network 10 NEMA CPSP 2-2018 Page 5 2018 National Electrical Manufacturers Association Acknowledgements This white paper guideline document was developed by a task force of the IoT Cybersecurity Council group of the National Electrical Manufacturers Association (

22、NEMA). The following individuals were members of the task force. Canon Medical Systems USA, Inc. Royal Chen, Scott Nitsche Eaton Leon Newsome Lutron Electronics Company, Inc. Doug Kuhlman, Walt Zaharchuk OSRAM SYLVANIA Inc. Roy Harvey Philips Joe Burgoyne, Ben Kokx S vendors do not provide an easy m

23、echanism to change them, or hard-coded passwords are included in the device. As an example, recently IoT devices have been used to create large scale botnets that can execute crippling distributed denial of service (DDoS) attacks. The Mirai botnet affected more than 300,000 IoT devices using default

24、 or weak passwords to create nearly 600 Mbps of disruptive internet traffic to all the different sites being affected. Reference Documents a. IEC 62443-2-1:2010 Industrial communication networksNetwork and system securityPart 2-1: Establishing an industrial automation and control system security pro

25、gram 1. A.3.3.5 Element: Access Control: Account Administration 2. A.3.3.6 Element: Access Control: Authentication 3. A.3.3.7 Element: Access Control: Authorization b. IEC 62443-3-3:2013 Industrial communication networksNetwork and system securityPart 3-3: System security requirements and security l

26、evels 1. Support of essential functions 2. FR 1 Identification and authentication control 3. FR 2 Use control c. NIST SP 800-53 Rev 5 (Draft) Security and Privacy Controls for Information Systems and Organizations 1. AC Access Control Family 2. AU-14 Session Audit 3. IA Identification and Authentica

27、tion Family d. NIST SP 800-82 Rev 2 Guide to Industrial Control Systems (ICS) Security (May 2015) e. KrebsOnSecurity Hit With Record DDoS, https:/ Manufacturer Recommendation Administration a. Ability to add, modify, and delete any user and corresponding credentials within the system. Authentication

28、 a. Requirement to change default passwords upon the first login b. No fixed /hard coded credentials (credentials which you are unable to change such as usernames and passwords) into devices c. Storing account information 1. Ability to store accounts locally 2. Ability to access centrally stored acc

29、ount systems, such as Active Directory or Lightweight Directory Access Protocol (LDAP) d. Ability to use multifactor authentication e. Usage of public key infrastructure, especially for remote login Authorization a. Having role based access 1. Pre-defined roles NEMA CPSP 2-2018 Page 15 2018 National

30、 Electrical Manufacturers Association 2. Ability to create user-defined roles b. Having role based account management 1. Having different roles for normal users versus administrative roles 2. Ability to assign arbitrary privileges to roles c. Ability to map any user account to any role Audit a. Abil

31、ity to record user login/logout along with timestamps. b. Ability to record files accessed and applications run while logged in c. Ability to monitor user-created tasks, including scheduled tasks that dont require an active login session. d. Ability to record failed login attempts along with timesta

32、mps. 5. Hardening Devices This principle addresses techniques manufacturers should use to harden the devices employed to design and manufacture products. The best practices may vary depending on the manufacturers particular sector. Identification of Threats and Analysis of Their Implications Through

33、 the use of comprehensive risk assessments, manufacturers can identify threats to their devices/solutions. There are many risk assessment methodologies available for manufacturing organizations to use. As equipment manufacturers use more effective network defenses, attackers identify alternate metho

34、ds of entry that take them directly inside the shell of the protected and, more importantly, the trusted network environment. Once inside these attacks can exploit vulnerabilities or compromise the environment using multiple vectors such as web, email, and malicious files. Reference Documents a. NEM

35、A CPSP 1-2015 Supply Chain Best Practices b. NEMA/MITA CSP 1-2016 Cybersecurity for Medical Imaging c. IEC 62443-3-3:2013 Industrial communication networksNetwork and system securityPart 3-3: System security requirements and security levels 1. SR 3.5 Input validation 2. SR 3.6 Deterministic output 3

36、. SR 3.7 Error handling d. NIST SP 800-53 Rev 5 (Draft) Security and Privacy Controls for Information Systems and Organizations (August 2017) 1. SC-27 Platform-Independent Applications 2. SC-41 Port and I/O Device Access e. NIST SP 800-82 Rev 2 Guide to Industrial Control Systems (ICS) Security (May

37、 2015) Manufacturer Recommendations There are a number of techniques available to manufacturers for hardening devices. Manufacturers should consider either turning off or disabling a number of device features that are not needed or may have inherent security risks. Examples include Joint Test Action

38、 Group (JTAG), Telnet, SNMP Versions 1 and 2, and wireless communication. NEMA CPSP 2-2018 Page 16 2018 National Electrical Manufacturers Association Manufacturers may consider removing unnecessary programs such as Word Pad, games, and browser plug-ins such as Java. Manufacturers may also consider r

39、emoving unnecessary services such as print spooler and remote desktop. Also, manufactures may also consider disabling cookies. Ethernet and Universal Serial Bus (USB) port blockers can be effective in physically blocking network traffic into a manufactured device. Error handling and input validation

40、 capabilities should also be considered. Examples include sanitizing inputs, static code testing, and software bill of materials (BOM) analysis Data encryption should be used when the information is confidential and sensitive. Manufacturers need to consider if the data needs to be encrypted at rest

41、within the device, in motion when it is in transmission or a combination of both. Integrity protection should be used when information transfer must be reliable and without error. Defensive techniques to a denial-of-service attack typically involve the use of a combination of attack detection and tr

42、affic classification and response tools. They aim to block traffic identified as illegitimate and allow traffic identified as legitimate. While most firewalls and routers do have capabilities to deny incoming traffic from an outside attacker, they can be easily overwhelmed as the attack becomes more

43、 and more sophisticated. Other options available include Intrusion Prevention Systems and the use of application front end hardware to analyze data packets as they enter the system and identify them as priority, regular, or malicious. Finally, manufacturers may wish to consider a secure by default m

44、ethod in which the default configurations are the most secure. A drawback is that these settings may be less backwards compatible and may require more complex initial configuration making it less user friendly. 6. Updating Devices This principle focuses on procedures that manufacturers should use to

45、 update the devices that are currently deployed based on vulnerabilities becoming known as well as the security requirements and necessities of their operating environment. The best practices may vary depending on the manufacturers particular sector. Identification of Threats and Analysis of Their I

46、mplications Through the use of comprehensive risk assessments, manufacturers can identify threats to their devices/solutions. There are many risk assessment methodologies available for manufacturing organizations to use. Updating devices and systems, where possible is an important step in keeping up

47、 with recent functionality and security improvements. Unfortunately, this often gets overlooked for a variety of reasons, such as the end users not having a plan for updating when they architect the system or due to the complexity of managing updates in various environments. There are risks that end

48、 users could install un-validated patches or updates themselves due to the inherent nature of how they are automatically transmitted. Reference Documents a. NEMA CPSP 1-2015 Supply Chain Best Practices b. NEMA/MITA CSP 1-2016 Cybersecurity for Medical Imaging c. IEC 62443-2-1:2010 Industrial communi

49、cation networksNetwork and system securityPart 2-1: Establishing an industrial automation and control system security program 1. A.3.4.2.5.1 Patching IACS Devices NEMA CPSP 2-2018 Page 17 2018 National Electrical Manufacturers Association 2. A.3.4.3 Element: System development and maintenance d. IEC TR 62443-2-3:2015 Security for industrial automation and control systemsPart 2-3: Patch management in the IACS environment e. NIST SP 800-53 Rev 5 (Draft) Security and Privacy Controls