I always look forward to EnergySec’s Weekly Update newsletter. I have almost never failed to find a few very interesting nuggets in it that I hadn’t seen anywhere else. So I wasn’t particularly surprised to find something I hadn’t seen anywhere in a recent newsletter: a link to a press release from a group called the Foundation for Resilient Societies (which I had never heard of). This press release, which quotes Joe Weiss, a well-known consultant in the area of control systems security (and who I wrote about previously in this post), uses the recent Ukrainian cyber attack to point to the fact that the CIP standards specifically don’t apply to “communications networks” between Electronic Security Perimeters[i].
The second paragraph of the press release states the problem: “Ten years after Congress passed a law with the intent of protecting the U.S. electric grid from cyberattack, electric utilities increasingly rely on the public internet for critical communications, including those between grid control rooms and transformer substations. As a result, foreign governments have been able to implant malware into the U.S. electric grid. Worse yet, no current or proposed federal regulation requires encryption or other cyber-protection of grid communications with substations.”
There are three main assertions in this paragraph. They form the basis for the entire press release.

1. Electric utilities use the public internet for communications between “control rooms[ii]” and substations.
2. Because of this, “foreign governments have been able to implant malware” into the grid. Note this seems to say explicitly that the “OT” networks of electric utilities have been compromised. The press release implies that the Black Energy malware that is suspected of being involved in the Ukraine attack is at least one of the types of malware referred to. So Black Energy is most likely infecting the US grid!
3. If the NERC CIP standards or other regulations required encryption of “grid communications with substations,” these dangers might be mitigated. But they don’t require it.
The words “As a result” in the paragraph quoted above imply there is a causal relationship between items 1 and 2. That is, because electric utilities are using the public internet for substation communications, malware has made its way into the US grid. On the face of it, this wouldn’t be surprising, since almost any unencrypted traffic traversing the public internet will most likely quickly become infested with all sorts of malware.
There is one main problem with the first assertion: It’s completely false. I know of no electric utility that uses the public internet to communicate with its substations, encrypted or otherwise. The communications channel is always private (whether carrier-owned or utility-owned), often serial or Frame Relay. Where does this assertion come from? Were it true, it would be quite scary. But it isn’t.
And where does the second assertion come from – that malware has infected the grid as a result of attacks on substation communications? I have never heard of any successful cyber attack on substation communications. Given this fact, it is very hard to understand how item 2 could be true. But if it nevertheless is true, where is the evidence?
The third assertion is true: NERC CIP specifically excludes communications between ESPs from being in scope. However, FERC, in their recent Order 822, ordered NERC to develop a new standard or requirements protecting communications between control centers. In the same Order (paragraph 57) FERC stated that they did not currently see the need to include communications with substations in these new requirements.
The press release seems to be advocating that FERC order that communications between control centers and substations be encrypted. While there would be a lot of problems with doing this[iii], this isn’t to say that it would never be a good idea to encrypt substation communications. But the threat requiring this step needs to be identified. Simply waving our arms and making assertions without any evidence for them doesn’t help.[iv]
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.
[i] This exemption is stated in Section 4.2.3.2 in each of the CIP v5 and v6 standards.

[ii] NERC calls these “Control Centers”, not control rooms.
[iii] One concern is that serial communications probably can’t be encrypted in any useful way; they probably still constitute the majority of substation communications, and that majority would undoubtedly grow if encryption were required for substation communications. This is because utilities would remove routable communications and go back to serial. The other concern is latency, since many operations at substations need to be executed at sub-second speeds, and encryption will often impose an unacceptable time lag.
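The latency concern in footnote [iii] is something a utility can measure rather than guess at. The Go program below is an added example, not code from this post or from any standard or vendor: it wraps a short, constructed SCADA-style frame in AES-256-GCM with a per-link counter used as the nonce (which also rejects replayed frames and any frame whose bytes were altered in transit), then reports the mean per-frame cost of sealing and opening. The frame bytes, the link identifier, and the all-in-one-process setup are assumptions for illustration. Only the cryptographic CPU cost is measured; link propagation, serialization and key distribution, which are usually the larger part of the end-to-end budget, are outside what this shows.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// SampleFrame is a constructed 10-byte stand-in for a short poll on a
// control-center-to-substation link; it is not a real protocol frame.
var SampleFrame = []byte{0x05, 0x64, 0x08, 0xC4, 0x01, 0x00, 0x02, 0x00, 0xA5, 0x5A}

// LinkCrypto protects one direction of one serial-style link with AES-256-GCM.
// The 12-byte nonce is a 4-byte link identifier followed by a 64-bit frame
// counter, so a nonce is never reused under a key as long as each direction
// uses its own instance (or its own key). The receiver only accepts strictly
// increasing counters, which rejects replayed or reordered frames.
type LinkCrypto struct {
	aead    cipher.AEAD
	linkID  uint32
	sendCtr uint64
	recvCtr uint64
}

// NewLinkCrypto takes a 32-byte key (AES-256) and a link identifier.
func NewLinkCrypto(key []byte, linkID uint32) (*LinkCrypto, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &LinkCrypto{aead: aead, linkID: linkID}, nil
}

func (l *LinkCrypto) nonce(ctr uint64) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint32(n[:4], l.linkID)
	binary.BigEndian.PutUint64(n[4:], ctr)
	return n
}

// Seal returns counter || ciphertext || tag. The counter travels in the clear
// but is bound to the ciphertext as associated data, so it cannot be changed.
func (l *LinkCrypto) Seal(frame []byte) []byte {
	l.sendCtr++
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint64(hdr, l.sendCtr)
	return l.aead.Seal(hdr, l.nonce(l.sendCtr), frame, hdr)
}

// Open checks length, counter freshness and the GCM tag, in that order.
func (l *LinkCrypto) Open(wire []byte) ([]byte, error) {
	if len(wire) < 8+l.aead.Overhead() {
		return nil, errors.New("frame too short")
	}
	hdr, ct := wire[:8], wire[8:]
	ctr := binary.BigEndian.Uint64(hdr)
	if ctr <= l.recvCtr {
		return nil, errors.New("replayed or out-of-order frame")
	}
	pt, err := l.aead.Open(nil, l.nonce(ctr), ct, hdr)
	if err != nil {
		return nil, err // tag mismatch: frame altered in transit
	}
	l.recvCtr = ctr
	return pt, nil
}

// RoundTrip seals and opens frame n times with a fresh random key and returns
// the mean added processing time per frame (crypto cost only).
func RoundTrip(frame []byte, n int) (time.Duration, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return 0, err
	}
	tx, err := NewLinkCrypto(key, 1)
	if err != nil {
		return 0, err
	}
	rx, _ := NewLinkCrypto(key, 1)
	start := time.Now()
	for i := 0; i < n; i++ {
		pt, err := rx.Open(tx.Seal(frame))
		if err != nil {
			return 0, err
		}
		if !bytes.Equal(pt, frame) {
			return 0, errors.New("decrypted frame does not match input")
		}
	}
	return time.Since(start) / time.Duration(n), nil
}

func main() {
	d, err := RoundTrip(SampleFrame, 10000)
	if err != nil {
		panic(err)
	}
	fmt.Printf("mean seal+open cost for a %d-byte frame: %v (+%d bytes on the wire)\n",
		len(SampleFrame), d, 8+16)
}
```

The wire overhead is fixed at 24 bytes per frame (8-byte counter plus the 16-byte tag), which on a low-speed serial link can matter more than the CPU time; that is the number to weigh against the link budget for each substation protocol in use.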
[iv] There is one way in which the Ukrainian incident points to a deficiency in cyber regulations in North America: It is apparent that the substations attacked were Distribution ones, not Transmission. This means NERC CIP would never have applied to them in the first place. As I pointed out in this post, I believe that ultimately there will need to be cyber regulations that apply to the entire grid, not just Transmission. As I also pointed out, doing this will pose a very difficult political problem.
This story appeared in Smart Grid News today. I put a comment on it, saying about what I said above. It's here: http://www.smartgridnews.com/story/big-mistake-ferc-cybersecurity-ruling-omits-secure-communications/2016-01-26