Chris Jager is a freelance security consultant who is always looking for interesting projects related to NERC CIP or ICS cybersecurity. In this four-part guest post series, he goes over changes to the NERC CIP standards and challenges facing the industry as they wrestle with compliance in a changing threat landscape.
In Part 1, I gave a basic overview of the NERC CIP standards to help set the stage for the remaining posts. The rest of the series will focus on Version 5, with Part 2 showing where this new version maps to the current threat landscape.
The word “threat” has a different meaning if you are discussing national security, energy supply, resilience, finance, or any other number of functional areas in which utilities participate. One blog post can’t begin to cover the entirety of the threat spectrum, so I’ll be using a couple of illustrative examples from a utility’s perspective.
Given the imprecise nature in which penalties are both assessed and publicly disclosed, it is difficult to give an accurate dollar figure that utilities have paid for NERC CIP violations broken down by requirement. That said, a review of publicly disclosed fines can be instructive.
As of March 1, 2013, there were 1,669 published violations of the NERC CIP standards. There are currently 1,651 unique Registered Entities on NERC’s compliance registry, though not all of them are in scope for NERC CIP. While there is risk in reading too much into these numbers given clustering and the nature of the penalty settlement process, it is fair to say that the threat of regulatory penalties is ever present and there are more than enough to go around.
Regulated companies are currently required to monitor themselves for compliance violations and self-report any potential findings for adjudication. The regulatory bodies also conduct spot-checks, audits, and investigations. These “attack vectors”, if you will, are numerous, well documented, and ever present. Similarly, the impacts of a successful “attack” are easily quantified.
It remains to be seen how NERC CIP Version 5 will be audited. If history is a guide, utility security resources may still be weighted heavily toward the quantifiable risk of managing regulatory exposure rather than the largely unquantifiable risk of a security breach or persistent network intrusion. FERC, NERC, and the Regional Entities can make significant progress toward securing the industry by following through on tempering their audit approach.
I won’t go into anecdotes of capital projects being scrapped, retooled, or delayed in order to avoid assets being scoped for NERC CIP as not all of those decisions were the right ones to make. Regardless of the wisdom of these decisions, putting a dollar amount on the effect the regulations have had is a fool’s errand. Similar anecdotes around increasing the attack surface of a given asset – say a GPS clock or other single function device – through replacement in order to close a Technical Feasibility Exception (TFE) are also impossible to quantify.
Pipeline Phishing Campaign
At their core, the NERC CIP standards are scoped to the secure operation of Bulk Electric System (BES) assets. However, many natural gas owners and operators are also electric utilities. Given this reality, and the fact that many utilities – particularly the medium and small companies – often only have budget for either security or security compliance, it makes sense to look at this attack campaign through the eyes of the NERC CIP Version 5 standards.
In May of 2012, news outlets began reporting on an attack campaign that targeted natural gas pipeline companies. These reports stated the initial attack vector was spearphishing and that malware was subsequently dropped onto company networks. This malware was designed to give the attackers a persistent presence on the corporate networks of the pipeline companies. According to the news reports, the purpose of this campaign was to steal various information from the natural gas pipeline companies including intellectual property, design documents, and other operational data.
While NERC CIP Version 5 does contain requirements to protect certain information, those protections are limited to information related to BES assets. What’s more, there are no explicit information protection requirements other than to have an information protection program of some kind. Similarly, there is no definition of what constitutes information that warrants protection, and the regulated entities are left to their own devices in that regard. There are tangential requirements around information protection related to access revocation and training embedded within CIP-004-5, but information protection baselines are nowhere to be found in Version 5 of the NERC CIP standards.
This lack of clarity has led to implementation problems with various requirements in previous versions of the standards. Regulated utilities are left to guess at what a compliant approach is, let alone an effective one.
The news reports also stated that the alerts issued by DHS were some of the most detailed seen at the time and included a variety of indicators of potential compromise. Additionally, the alerts reportedly contained a request to let any observed activity go unchallenged unless the business or operations were at risk of a direct negative impact from that activity.