Ted Guttierez of SANS wrote a good blog post on March 24 entitled “Ukrainian Grid Attack: How NERC CIP-like Measures Might Have Helped”. The post takes a very sensible approach. It doesn’t ask if CIP could have “prevented” the attack (which of course is a nonsensical question), but it does ask whether having measures in place like those found in CIP v5 would have lessened the risk of the attack. Since I agree with everything Ted says, I won’t repeat his arguments here.
Ted’s conclusion is that, if the Ukrainian utilities that were subject to the attacks had been taking measures similar to those required by NERC CIP, the likelihood of the attacks succeeding would have been much less.[i] The important conclusion he draws from this is that NERC CIP, for all its problems, is actually increasing the cyber security of the North American Bulk Electric System.[ii]
I completely agree with this conclusion, which tracks what I’ve said previously. However, I no longer think the most important question is whether CIP improves security; there is no doubt that it does. The more important questions relate to the cost:
- Are the benefits conferred by NERC CIP commensurate with the costs of compliance, when looked at on a North America-wide basis?
- Are the large sums being spent on NERC CIP compliance resulting in diminished cyber security spending in other areas that might benefit grid security even more?
- Is there another approach to cyber regulation of the grid that would yield greater cyber security while costing no more than NERC CIP does currently?
The answers to the first two questions, in my opinion, are respectively No and Yes. For an explanation of why I say that, see this post (specifically, the section titled “Second Consideration..”). In that post, I “answered” the third question by pointing to my presentation at Digital Bond’s S4 conference in January, which unfortunately is still only available by emailing me (talrich@deloitte.com), since the videos of the presentations haven’t been made available yet.
But I won’t keep you in suspense about what I’m advocating as the answer to the third question. I think a risk-based approach is the only one that makes sense for cyber regulation. CIP is a set of prescriptive standards because all NERC standards are prescriptive; but I think our experience with CIP so far shows that prescriptive is the wrong approach for cyber security standards. Two examples of risk-based security standards that can serve as partial models for what I’m advocating are CIP-014 and the new cyber security regulations for New Jersey utilities published by the Board of Public Utilities.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.
[i] He does note at the outset that the Ukrainian attack was against the electric distribution system. Since CIP applies only to the Bulk Electric System (i.e. the transmission grid), this means that, strictly speaking, CIP would not even have applied to the systems that were attacked. So he essentially rephrases his original question to assume that it applies to an “in-scope (for CIP) control center controlling in-scope substations”.
[ii] He also concludes that it would be good for owners of North American distribution assets to implement measures similar to CIP. While I think there should be some sort of standard cyber security regulations for the distribution sector across the US (and the New Jersey regulations linked at the end of this post wouldn’t be a bad model for the other states), I don’t think that just focusing on assets – whether distribution or BES (as in CIP) – is the right approach. You have to look at the whole enterprise. In Ukraine, the initial attacks came from phishing emails sent to people on the administrative side. They opened the attachments, and the attackers then used those desktops as a foothold to attack the workstations of people who had access to the OT networks. True, the OT assets – especially substation networks – would have been better protected if measures like those in CIP v5 had been in place. But anti-phishing measures on the IT network would also have made the attack much less likely to succeed, and IT networks don’t count as “assets” for CIP.
Hi Tom, and thanks for mentioning my blog. I've been giving the cost vs. benefit a lot of thought too. I was recently asked if expanding the applicability to include more transmission assets as Medium Impact and to also include more distribution assets under the NERC CIP umbrella was the answer. My response was that there has to be a better way - NERC CIP comes with a high overhead burden of documentation and processes that would be too much for smaller entities to absorb. I'm not a corporate tax expert, but I wonder if tax credits as an incentive to expand cyber security education and the implementation of essential technologies for both the corporate and ICS environments would be a better approach. One mistake we can't afford is to convince ourselves that "it can't happen here" - we have to learn from the Ukrainian event and do an honest evaluation of our risk.