Thursday, April 7, 2016

NERC CIP and the Ukraine Attack

Ted Guttierez of SANS wrote a good blog post on March 24 entitled “Ukrainian Grid Attack: How NERC CIP-like Measures Might Have Helped”.  The post takes a very sensible approach. It doesn’t ask if CIP could have “prevented” the attack (which of course is a nonsensical question), but it does ask whether having measures in place like those found in CIP v5 would have lessened the risk of the attack. Since I agree with everything Ted says, I won’t repeat his arguments here.

Ted’s conclusion is that, if the Ukrainian utilities that were subject to the attacks had been taking measures similar to those required by NERC CIP, the likelihood of the attacks succeeding would have been much less.[i] The important conclusion he draws from this is that NERC CIP, for all its problems, is actually increasing the cyber security of the North American Bulk Electric System.[ii]

I completely agree with this conclusion, which tracks what I’ve said previously. However, I no longer think the most important question is whether CIP improves security; there is no doubt that it does. The more important questions relate to the cost:

  1. Are the benefits conferred by NERC CIP commensurate with the costs of compliance, when looked at on a North America-wide basis?
  2. Are the large sums being spent on NERC CIP compliance resulting in diminished cyber security spending in other areas that might benefit grid security even more?
  3. Is there another approach to cyber regulation of the grid that would yield greater cyber security while costing no more than NERC CIP does currently?

The answers to the first two questions, in my opinion, are respectively No and Yes. For an explanation of why I say that, see this post (specifically, the section that is titled “Second Consideration..”). In that post, I “answered” the third question by pointing to my presentation at Digital Bond’s S4 conference in January, which unfortunately is still only available by emailing me, since the videos of the presentations haven’t been made available yet.

But I won’t keep you in suspense for what I’m advocating as the answer to the third question. I think a risk-based approach is the only one that makes sense for cyber regulation. CIP is a set of prescriptive standards because all NERC standards are prescriptive; but I think our experience with CIP so far shows that prescriptive is the wrong approach for cyber security standards. Two examples of risk-based security standards that can serve as partial models for what I’m advocating are CIP-014 and the new cyber security regulations for New Jersey utilities published by the Board of Public Utilities.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.

[i] He does note at the outset that the Ukrainian attack was against the electric distribution system. Since CIP applies to the Bulk Electric System (i.e. the transmission grid), this means that technically CIP wouldn’t have prevented the attack. So he essentially rephrases his original question to assume that it applies to an “in-scope (for CIP) control center controlling in-scope substations”.

[ii] He also concludes that it would be good for owners of North American distribution assets to implement measures similar to CIP. While I think there should be some sort of standard cyber security regulations for the distribution sector across the US (and the New Jersey regulations linked at the end of this post wouldn’t be a bad model for the other states), I don’t think that just focusing on assets – whether distribution or BES (as in CIP) – is the right approach. You have to look at the whole enterprise. In the Ukraine, the initial attacks came from phishing emails sent to people on the administrative side. They clicked on the attachments, and the attackers used their desktops to attack workstations of people who had access to the OT networks. True, the OT assets – especially substation networks – would have been better protected if measures like those in CIP v5 had been in place. But anti-phishing measures on the IT network would also have made an attack much less likely to succeed, and IT networks don’t count as “assets” for CIP.

1 comment:

  1. Hi Tom and thanks for mentioning my blog. I've been giving the cost vs. benefit a lot of thought too. I was recently asked if expanding the applicability to include more transmission assets as Medium Impact and to also include more distribution assets under the NERC CIP umbrella was the answer. My response was that there has to be a better way - NERC CIP comes with a high overhead burden of documentation and processes that would be too much for smaller entities to absorb. I'm not a corporate tax expert, but I wonder if tax credits as incentive to expand cyber security education and the implementation of essential technologies for both the corporate and ICS environments would be a better approach. One mistake we can't afford is to convince ourselves that "it can't happen here" - we have to learn from the Ukrainian event and do an honest evaluation of our risk.