Chris Jager is a freelance security consultant who is always looking for interesting projects related to NERC CIP or ICS cybersecurity. In this four-part guest post series, he goes over changes to the NERC CIP standards and challenges facing the industry as they wrestle with compliance in a changing threat landscape.
In Part 1, I gave a basic overview of the NERC CIP standards to help set the stage for the remaining posts. The rest of the series will focus on Version 5, with Part 2 showing where this new version maps to the current threat landscape.
The word “threat” has a different meaning if you are discussing national security, energy supply, resilience, finance, or any other number of functional areas in which utilities participate. One blog post can’t begin to cover the entirety of the threat spectrum, so I’ll be using a couple of illustrative examples from a utility’s perspective.
Given the imprecise nature in which penalties are both assessed and publicly disclosed, it is difficult to give an accurate dollar figure that utilities have paid for NERC CIP violations broken down by requirement. That said, a review of publicly disclosed fines can be instructive.
As of March 1, 2013, there were 1,669 published violations of the NERC CIP standards. There are currently 1,651 unique Registered Entities on NERC’s compliance registry, though not all of them are in scope for NERC CIP. While there is risk in reading too much into these numbers given clustering and the nature of the penalty settlement process, it is fair to say that the threat of regulatory penalties is ever present and there are more than enough to go around.
Regulated companies are currently required to internally monitor for compliance violations and self-report any potential findings for adjudication. The regulatory strata also conducts spot-checks, audits, and investigations. These “attack vectors”, if you will, are numerous, well documented, and ever present. Similarly, the impacts of a successful “attack” are easily quantified.
It is yet to be seen how NERC CIP Version 5 will be audited. If history is a guide, utility security resources may still be heavily weighted to the quantifiable risk of managing regulatory exposure over the largely unquantifiable risk of a security breach or persistent network intrusion. FERC, NERC, and the Regional Entities can make significant progress toward securing the industry by following through on tempering their approach.
I won’t go into anecdotes of capital projects being scrapped, retooled, or delayed in order to avoid assets being scoped for NERC CIP as not all of those decisions were the right ones to make. Regardless of the wisdom of these decisions, putting a dollar amount on the effect the regulations have had is a fool’s errand. Similar anecdotes around increasing the attack surface of a given asset – say a GPS clock or other single function device – through replacement in order to close a Technical Feasibility Exception (TFE) are also impossible to quantify.
Pipeline Phishing Campaign
At their core, the NERC CIP standards are scoped to the secure operation of Bulk Electric System (BES) assets. However, many natural gas owners and operators are also electric utilities. Given this reality, and the fact that many utilities – particularly the medium and small companies – often only have budget for either security or security compliance, it makes sense to look at this attack campaign through the eyes of the NERC CIP Version 5 standards.
In May of 2012, news outlets began reporting on an attack campaign that targeted natural gas pipeline companies. These reports stated the initial attack vector was spearphishing and that malware was subsequently dropped onto company networks. This malware was designed to give the attackers a persistent presence on the corporate networks of the pipeline companies. According to the news reports, the purpose of this campaign was to steal various information from the natural gas pipeline companies including intellectual property, design documents, and other operational data.
While NERC CIP Version 5 does contain requirements to protect certain information, those protections are limited to information related to BES assets. What’s more, there are no explicit information protection requirements other than to have an information protection program of some kind. Similarly, there is no definition of what constitutes information that warrants protection and the regulated entities are left to their own devices in that regard. There are tangential requirements around information protection related to access revocation and training embedded within CIP-004-5, but information protection baselines are nowhere to be found anywhere in version 5 of the NERC CIP standards.
This lack of clarity has led to implementation problems in the past with various requirements in previous versions of the standards. Regulated utilities are left to guess at what a compliant approach is, let alone an effective one.
The news reports also stated that the alerts issued by DHS were some of the most detailed seen at the time and included a variety of indicators of potential compromise. Additionally, the alerts reportedly contained a request to let any observed activity go unchallenged unless the business or operations were at risk of a direct negative impact from that activity.
With regards to the detection of indicators of compromise, Version 5 does provide a modicum of improvement over previous iterations of the NERC CIP standards. Specifically, CIP-005-5 R1.5 adds a new requirement to perform “malicious communication” detection for network perimeters. However, this requirement only applies to a small subset a BES assets – high impact systems only, unless at a Control Center where medium impact systems are in scope. According to all published news sources, this attack campaign did not target the actual control systems at the affected companies. Therefore, if a utility aligned their security spend solely to the requirements within the standards, they would not have the capability to do network-level detection of the published indicators.
Protections afforded at the host level through requirements in CIP-007-5 do not require anomaly detection of any kind and, instead, focus on the detection of malicious code execution. I’m not going to get into the pros and cons of signature-based anti-virus versus application whitelisting here, but code prevention tools are not the right tool for this particular detective job. Again, it is important to keep in mind that the NERC CIP standards are scoped to BES assets. This means that sifting through systems for specific files/configurations will need to be an ad hoc event or pre-seeded by implementing non-regulated controls.
While a dedicated, well-resourced, and motivated adversary will certainly do whatever it takes to succeed in their goals, it still makes sense to gain a better understanding as to what sort of public exposures the utility might have. Many times, the pre-attack phase of a given campaign will consist of reconnaissance activity of open source and/or leaked information. This will typically include internet searches of job boards, industry community sites, vendor sites, and other information stores that may have metadata that can inform the attack.
In the case of spearphishing, the attacker is often looking for information on staff and their associated roles within the company, the kind of technology that is being operated, and the likely intersection of the two. This will allow them to have a higher degree of assurance in success when performing more invasive reconnaissance or when delivering the initial attack and subsequent pivot into other areas of the organization.
There are no provisions in the standards to perform any sort of passive external risk assessment. Utilities should be doing this kind of recon on their own. To be clear, there won’t be anything that can be done to reduce existing exposure risk as utilities need to assume what is already out there has been reviewed by any number of variously skilled adversaries. However, they can inform risk identification and security awareness programs with that information. They should ask questions like “What kinds of information do my EMS engineering staff expose in their online resumes?”, “Do vendors have screenshots, site photos, or other non-public information about my installation on their site?”, etc. In other words, what does the world know about them?
Information that can aid an adversary in launching a successful spearphishing campaign should ultimately be considered for inclusion in a utility’s information protection program. Whether or not it should be included as part of a CIP-011-1 program or live in a separate program is something that each utility needs to decide. Whatever decision is made, make no mistake on this next point.
Utility staff and other privileged agents are assets. They can be attacked just like any other and information about them that can degrade the utility’s security posture must either be protected or, at minimum, identified for use as input to other security controls. Keep in mind that personnel have certain privacy rights – particularly in their non-company data stores such as social media – and those must be respected.
Finally, there have been a number of publicly disclosed breaches at electric utilities. These are run of the mill data loss/leak events that you can find just about anywhere and utilities are no special snowflake in this regard. Typically, these leaks occur on the corporate side of the house and center around customer records or other Personally Identifying Information (PII).
At the risk of having the broken record shatter, the NERC CIP standards are scoped solely to BES assets. If a utility aligns their security spend to point-in-time snapshots of a given regulation, they will not be prepared to handle this kind of event and the impact costs can be quite high.
In addition to remediation items such as credit reporting services and outreach costs for affected customers in the case of a billing system breach, there are reputational impacts that can be hard to quantify. Expect state and local regulators to take interest and, in some cases, launch a formal investigation. This is especially true for states that have PII security and breach reporting laws on the books.
Further impacts may include public disclosure to investors through SEC reporting requirements, additional scrutiny during rate cases, and hyper-reactive disciplinary employee turnover at any level of the organization.
In short, while there appears to be improvement in some areas, NERC CIP Version 5 is not aligned to combating today’s threats with the possible exception being that of punitive regulatory sanctions. This is to be expected this version was designed to complete the work identified in FERC Order 706, issued in January of 2008 – over five years ago. Chiefly, that work was to take the standards from a first run effort and begin to align them with a NIST SP800-53 style of approach.
Part 3 of this 4 part series will go over control classes that were omitted in this version of the standards.
Image by epSos.de