Is This An Issue?
2020 started off with a bang in the world of energy-related cybersecurity. A pipeline in the United States was shut down as a result of a ransomware incident.1 In this particular case, the natural gas supplier saw an attack that began as a spear-phishing email. Eventually, it compromised human-machine interfaces, data historians and polling servers on the OT network, having come across via the IT network.2
In the wake of the incident, which was one of many that have occurred over time, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an alert that showed some of the flaws in the natural gas provider’s security. The vulnerabilities included human factors; a failure to have cybersecurity and related training as part of the emergency response plan and too much focus on only physical security.3 Also exposed was a lack of segmentation between the IT and OT networks.4
Overall, a lack of knowledge seemed to be the biggest factor, and CISA made the following recommendations: network segmentation, multi-factor authentication, regular data backups, least privilege access policies, anti-phishing filters, AV, whitelisting, traffic filtering and regular patching.5 CISA also suggested any critical infrastructure providers should add cyber-knowledge to any training.
But most organizations are okay, right?
This is a critical issue for several reasons. The first, as reported in a study conducted by Allianz, is that 54% of critical infrastructure suppliers had reported attempts by hackers to control systems, and 40% experienced attempts to shut down systems.6 This represented a 20% increase at that time, and numbers suggest that the increases have continued. In other words, these are real threats that are happening on a regular basis. Today’s threats can turn into attacks very quickly.
Secondly, confidence in critical infrastructure is essential, especially for the public, which relies upon critical infrastructure. While the US to date has largely been spared from these kinds of attacks, Polish Airline LOT had to ground planes after a DDoS attack, and national power grids in Israel and the Ukraine were the victims of major cyber-attacks that required the grids to be shut down to prevent the spread of a virus.7 One attack in the United States occurred on the Bowman Avenue Dam in New York, in which Iranian hackers took control of the floodgates.8 Nation state attackers are very real threats.
The write-up with the study went so far as to include this ‘nightmare scenario’ of what an attack would look like:
During a particularly harsh winter, a group of hacktivists spreads panic by bringing down the US power grid. Millions of homes and businesses are plunged into darkness, communications are cut, banks go offline, hospitals close and air traffic is grounded.
Anyone could easily imagine what such a scenario would mean, and how quickly a loss of confidence in a local utility, or a wider-scale attack, would alter reality.
The reality is that critical infrastructure information systems are complex. On a simple level there are traditional information technology systems and industrial control systems, like Supervisory Control And Data Acquisition (SCADA) systems and IoT. The traditional information technology systems are often better protected, because they are easier to protect in many cases and are often viewed as easier to breach than control systems. That said, many of the hacking attempts have been seeking not data, but control of those key systems.
A more recent report, compiled by Utility Dive, revealed that 37% of the 566 utilities surveyed had not fully implemented their plans around cybersecurity.9 At the same time, 84% of the utilities felt well prepared for a cyber attack and 78% had instituted organization-wide digital hygiene programs.10 Optimism was high, yet the respondents felt that cybersecurity was the 4th most important topic on their plates, and 38% admitted to a failure in implementing cybersecurity programs to deal with third-party vendors.11 Which leads to our last section…
So what about NERC CIP?
The North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP) is the standard most utilities strive to achieve with regard to their cybersecurity, amongst other topics. 2020 is a big year, as there have been several recent updates and more coming to NERC CIP. The key deadline to remember is July, when several updates come into effect.
For those that aren’t familiar with NERC, it’s a non-profit quasi-governmental agency that sets the CIP standards. CIP is a general protection standard, meaning it spans topics beyond just cybersecurity. Companies covered include utilities and other companies involved with critical infrastructure, including the vendors that support utilities and operations like ports.
Most recently there was a deadline on January 1st of 2020 pertaining to CIP-003-7 on Security Management Controls. Next on deck are updates to two categories and a de novo category around supply chain cybersecurity risk. First off is CIP-005-6, pertaining to Electronic Security Perimeter. Then it’s CIP-010-3 regarding Configuration Change Management and Vulnerability Assessments. These both represent changes to existing policies. Lastly is the new policy, CIP-013-1, which implements Supply Chain Risk Management.
CIP 005-6 Cybersecurity — Electronic Security Perimeter
This section defines fairly detailed rules for firewalls, DMZs, and network segmentation requirements for protected assets. Added requirements center around the implementation of CIP-005-6 parts R2.2.4 and R2.2.5, which stipulate that covered entities must have methods for determining how many active vendor remote access sessions they have at any given time and a way to disable these sessions.
Many general remote access solutions don’t differentiate between internal and vendor sessions and don’t allow granular management and control over individual sessions. If you have one of these systems or no system at all and are just using VPN connections, you will have to develop some custom controls to monitor this activity and manually pull the reports you need to show compliance. Implementing a vendor management system that focuses on third-party access can help you isolate and track vendor sessions separate from internal sessions and make this job a whole lot easier.12
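As an illustration of the custom controls mentioned above, the following added example (not taken from the standard or from any vendor product) replays a remote access log to report which vendor sessions are active at a given time and which should be disabled. The log format, the "vnd-" account prefix and the four-hour limit are assumptions, and the log lines are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample log: timestamp, event, session id, account, source.
# Assumption: vendor accounts carry a "vnd-" prefix in the directory.
SAMPLE_LOG = """\
2020-07-01T08:00:00 CONNECT s1 jsmith 10.1.4.20
2020-07-01T08:05:00 CONNECT s2 vnd-acme-tech1 203.0.113.7
2020-07-01T08:30:00 CONNECT s3 vnd-relayco-eng 198.51.100.9
2020-07-01T09:10:00 DISCONNECT s3 vnd-relayco-eng 198.51.100.9
2020-07-01T11:45:00 CONNECT s4 vnd-acme-tech2 203.0.113.8
"""

VENDOR_PREFIX = "vnd-"
MAX_SESSION = timedelta(hours=4)  # assumed local policy limit


def active_sessions(log_text, now):
    """Replay CONNECT/DISCONNECT events up to `now`; return open sessions."""
    open_sessions = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than guess
        ts, event, sid, account, source = parts
        when = datetime.fromisoformat(ts)
        if when > now:
            continue  # event has not happened yet at the report time
        if event == "CONNECT":
            open_sessions[sid] = {"account": account, "source": source, "start": when}
        elif event == "DISCONNECT":
            open_sessions.pop(sid, None)
    return open_sessions


def vendor_report(log_text, now):
    """Return (active vendor session ids, ids exceeding MAX_SESSION)."""
    sessions = active_sessions(log_text, now)
    vendor = {sid: s for sid, s in sessions.items()
              if s["account"].startswith(VENDOR_PREFIX)}
    overdue = [sid for sid, s in vendor.items() if now - s["start"] > MAX_SESSION]
    return sorted(vendor), sorted(overdue)


if __name__ == "__main__":
    active, overdue = vendor_report(SAMPLE_LOG, datetime(2020, 7, 1, 12, 30))
    print("active vendor sessions:", active)
    print("to disable (over limit):", overdue)
```

The session ids in the second list are what would be handed to the remote access gateway's own disconnect mechanism, which differs by product.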
CIP 010-3 Cybersecurity — Configuration Change Management and Vulnerability Assessments
These controls are designed to prevent unauthorized changes to systems and also stipulate regular vulnerability assessments and tests to make sure systems are not susceptible to such modifications. There are a number of elements to this section, but the only changes that will be made for July 2020 implementation are R1.1.6, R1.6.1, and R126.96.36.199, which require you to verify the identity of any software you use in your supply chain and its integrity. This can be done by checking hashes and having processes for software downloads that stipulate known sites, checking certificates, and more. Most of this is fairly easy to implement unless you have a large software development operation. Some software development tools will do some of this for you as well.13
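The hash and known-site checks described above can be combined into a single gate in the download process. This is an added example, not code from the standard or from any tool; the host name, file name and package bytes are constructed, and the published digest is assumed to have been obtained from the vendor through a separate channel.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumptions: hypothetical vendor host name, and a digest the vendor
# published out of band (constructed here from the sample bytes).
KNOWN_SITES = {"downloads.vendor.example"}
SAMPLE_PACKAGE = b"constructed firmware image v1.2\n"
PUBLISHED_SHA256 = {"relay-fw-1.2.bin": hashlib.sha256(SAMPLE_PACKAGE).hexdigest()}


def check_source(url):
    """Identity check: HTTPS only, exact host match against known sites."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "not HTTPS"
    # Exact match, so a lookalike such as "<known host>.mirror.test" fails.
    if parts.hostname not in KNOWN_SITES:
        return False, "host not on known-sites list"
    return True, "ok"


def check_integrity(name, data):
    """Integrity check: SHA-256 of the bytes against the published digest."""
    expected = PUBLISHED_SHA256.get(name)
    if expected is None:
        return False, "no published digest"
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected.lower()):
        return False, "digest mismatch"
    return True, "ok"


def verify_download(url, data):
    """Run both checks; return (accepted, reason) for the change record."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    for ok, reason in (check_source(url), check_integrity(name, data)):
        if not ok:
            return False, reason
    return True, "source and digest verified"


if __name__ == "__main__":
    url = "https://downloads.vendor.example/fw/relay-fw-1.2.bin"
    print(verify_download(url, SAMPLE_PACKAGE))
    print(verify_download(url, SAMPLE_PACKAGE + b"x"))
```

Certificate validation of the HTTPS connection is left to the download client and is not shown here.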
CIP 013-1 Cybersecurity — Supply Chain Risk Management
This adds a new section to the CIP standards and probably represents the area that’s least implemented in full by covered entities. It details the development and deployment of a formal supply chain risk management program. An astonishingly large number of organizations don’t have a written program to track third-party risk, even those managing a large population of vendors doing critical tasks. Section 1.2 describes the various requirements you must have for vendors and supply chain partners, including notifications of breaches on their end, onboarding and offboarding of their users in your systems, and software integrity verification.
Finally, it all has to be reviewed and signed off on by the enterprise’s CIP Senior Manager at least every 15 months, with documentation of compliance per the R2 and R3 rules. While this may seem like a lot of things to get done, there are many technology solutions out there that can help get technical controls in place, such as Vendor Privileged Access Management (VPAM), and various vendor risk assessment platforms and exchanges to do risk assessments. The key is getting started with your program policy and procedure documents, for which there are many templates available on the Internet and consultants willing to put them together for you.14
These updates are the last for the next two years, with another batch expected in July of 2022. Implementing these will be a big step, especially the new requirements around vendor supply chain and cybersecurity. If you’d like to know more please reach out to us and we can help you with an assessment.