
More guidance for vendors (and entities!) in NERC CIP environments

In the first part of this post, I discussed the new NERC CIP recommendations for vendors to the power industry, written by Tim Conway of SANS. I said I thought the document was good as far as it goes, but it completely ignores CIP-013-1 R1.1 and focuses only on R1.2. I also pointed out that vendors who understand R1.1 can turn that knowledge to their advantage: it will help them avoid a problem other vendors are going to face, namely being hit with questionnaires containing questions that are close to irrelevant for Bulk Electric System purposes and that waste the time of both the vendors and the utilities that ask them in the first place.

R1.1 simply tells the NERC entity to “identify and assess” supply chain cybersecurity risks to the BES. It provides little to no guidance on where the entity should look for these risks. In Part I, I described briefly how I have identified these risks, working with my electric utility clients.

Now I would like to focus on a few risks that are quite real for vendors to the power industry. In fact, large numbers of vendors have been reported – by DHS and the Wall Street Journal respectively – to have already been penetrated by the Russians, who are trying to use them as stepping stones into electric utilities (it seems the Russians have succeeded in penetrating utilities in at least some of these cases, but there has never been any further investigation of these stories).  

The first two risks have to do with penetration of a vendor’s own remote access systems (i.e. their systems used to facilitate remote access to the vendor’s network by their own employees and contractors, not remote access to utility networks). As I discussed in more detail in this recent post, a set of four DHS presentations in late August 2018 stated that at least 200 entities had been penetrated in an extensive Russian campaign to penetrate vendors through their remote access systems, and through there to penetrate their utility customers; you can read Rebecca Smith’s WSJ report on the first presentation, which set off a firestorm in the press worldwide.

Since DHS denied within days that any utilities had been penetrated (while still allowing the original presentation to be given two more times the next week, oddly enough), this means that at least 200 vendors have had their remote access systems penetrated by the Russians. Since the Russians demonstrated in the Ukraine and elsewhere that they’re quite adept at gaining a foothold in an organization’s network and lying low for months, this means they might try at any time to launch an attack on utilities, if they haven’t done so already.

Here are the two main risks that I see leading to or arising from this situation:

  1. The risk that a vendor doesn’t have proper controls on its own remote access system, especially multi-factor authentication. The DHS presentation made clear that many vendors didn’t have MFA.
  2. The risk that the workstation(s) a vendor uses for Interactive Remote Access or system-to-system access to a utility’s systems are networked with other systems at the vendor’s site, leading to the likelihood that they will be discovered and penetrated if other systems are.

These are two risks that IMO a NERC entity should identify as part of their CIP-013 R1.1 risk identification process. The entity should assess these risks by asking their vendors these two questions in their questionnaires:

  1. Do you require multi-factor authentication for remote access to your network(s)?
  2. Are any workstations used for Interactive Remote Access or system-to-system remote access on a separate network from your other networks? Does accessing these systems require separate authentication from access to your other networks?

As I pointed out in my last post, a vendor to the power industry should consider developing their own questionnaire, including these two questions, and answering the questions proactively. Then submit it to their electric utility customers as a way of pre-empting what could conceivably be a questionnaire with hundreds of questions, many of which address risks that don’t apply in an OT environment like the BES.

A third risk has to do with phishing. In January 2019, Rebecca Smith and Rob Barry of the WSJ published an article providing extensive detail on Russian phishing attacks on power industry vendors; this article said that at least four utilities had been penetrated in those attacks.[i] The attackers again used the same vehicle they’d used to penetrate the vendor, in order to penetrate their utility customers: they sent phishing emails to those customers, which of course came directly from the email accounts of vendor employees.

The main risk indicated by this article is that the vendor doesn’t have a good anti-phishing program in place, which includes regular training for employees on recognizing phishing emails, along with periodic use of test emails to identify employees who need more training. A question that corresponds to this risk is “Do you have in place an anti-phishing program that includes regular training for employees on recognizing phishing emails, along with periodic use of test emails to identify employees who need more training?”

Again, a vendor wishing to be proactive could answer this question and let their utility customers see their response. Of course, if the real answer to this question is “No, we don’t have this program in place now”, that is an excellent cue that the vendor needs to put one in place, so that they can truthfully answer the question affirmatively (this applies to all other questions on the questionnaire as well – the questionnaire really becomes a self-assessment for the vendor).


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

Are you hot at work – or should be – on getting ready for CIP-013-1 compliance on October 1? Here is my summary of what you need to do between now and then.


[i] The article itself is behind a paywall. You can read my post about it here. If you’re a subscriber to the WSJ, or you want to sign up for a free trial, you can read the article here.


Discussions

Matt Chester on Aug 5, 2020 4:20 pm GMT

a vendor to the power industry should consider developing their own questionnaire, including these two questions, and answering the questions proactively. Then submit it to their electric utility customers as a way of pre-empting what could conceivably be a questionnaire with hundreds of questions, many of which address risks that don’t apply in an OT environment like the BES

As these ideas and issues develop, one question I often wonder-- do you think utilities have the necessary skills and knowledge in house to develop these types of plans, or is there going to be a large movement to bring in some outside experts to make sure it's done right?

Tom Alrich on Aug 5, 2020 4:39 pm GMT

The easy answer: Since that's my business, I hope they do reach out to outside experts! 

Realistically, this is a process that every utility could do on their own, if the right people had the available time (and this does require a lot of time). I see my job as greatly expediting the process, since I've already done most of the required steps for other clients (and the steps aren't very different, no matter the size or type of utility). They would otherwise need to figure them out from scratch.

Richard Brooks on Aug 5, 2020 4:31 pm GMT

Tom, it's great to see you posting your thoughts and insights on Energy Central. EC has achieved significant momentum as the go-to forum for all up-to-date Energy matters. For those who may not know Tom:

- He is the undisputed expert on NERC CIP-013, whom many utilities rely on for guidance

- He has been a very helpful mentor to me in helping me understand the nuances and vagaries of NERC CIP-013 semantics.

- I believe the EC Community will benefit from Tom's contributions

- You will see his influence during the 8/12 PowerSession presentation; I reached out to Tom for insights/feedback.

Please join me in welcoming Tom as an author on Energy Central.

Tom Alrich on Aug 5, 2020 4:34 pm GMT

Thanks, Richard. I'm looking forward to your webinar!

Audra Drazga on Aug 7, 2020 1:28 pm GMT

Tom,

Welcome to the community!  Glad to have your insights!  

Audra
