In my post yesterday, my second on WannaCry, I was addressing the emergency patches made available on Friday for Windows XP, Vista and Server 2003 – all out-of-support operating systems. While I had already published a “Public Service Announcement” on the need to apply that patch on all systems at High and Medium impact assets in scope for CIP, an auditor had emailed me to point out that, for security not compliance reasons, the patch should be applied to all devices on the OT network that run one of the three old OSes; this includes devices found in Low impact assets, Distribution substations and generating plants that are below the threshold for inclusion in the BES. The auditor’s reasoning for suggesting this was good: even though these devices aren’t directly networked with Cyber Assets in scope for CIP (if they were directly networked, they’d at least be PCAs), if they become infected with WannaCry they will still pose a substantial risk to the BES.
Of course, many NERC entities will argue that they already have great defenses protecting their networks subject to CIP – those in High and Medium impact Control Centers, and in Medium impact substations and generating stations – from their networks that aren’t subject to CIP. And I’m sure this is almost always the case, to a large degree due to CIP, which does require thorough separation of ESPs from other networks. But this didn’t deter the auditor from still advocating (coming as close to “requiring” as he could) that the discontinued OSes on non-ESP networks also should be patched.
And the reason for this is simple: There is no such thing as a 100% effective security measure. For a threat as serious as the one posed by WannaCry, however small the chance that it could spread from, say, a distribution substation to a High impact Control Center, almost any security measure would be justified to prevent that from happening.
But if this is the case, why aren’t these other systems subject to CIP? If there’s even a small chance that they could be the vector for an attack like WannaCry that could lead to a serious event on the Bulk Electric System, shouldn’t there be at least some protections (e.g. patching, in the event of a serious threat like WannaCry) that would apply to them?
Or to use another attack as an example, the Ukraine attacks in December 2015 didn’t originate on the OT network; they started with phishing emails opened by people who had no connection at all to actual operations. Yet by opening these emails, these people inadvertently made it possible for the attackers to have free rein of the IT network and search diligently for a way to get into the OT network – which they inevitably found.
As I’ve said before, I do think IT assets need to be included in CIP in some way. I also believe that non-CIP OT assets (such as the ones discussed above with reference to patching) should also be included. More generally, I think that every cyber asset either owned or controlled by the NERC entity should be included in scope for CIP. But there are a few caveats to that:
- I certainly don’t want these new assets to be treated as BES Cyber Systems or Protected Cyber Assets. This would impose a huge burden on NERC entities, for a much-less-than-proportional benefit.
- The only way the new assets should be included is if CIP – and the enforcement regime that goes with it – is totally rewritten, along the lines of the six principles I discussed in this post.
- My fifth principle is “Mitigations need to apply to all assets and cyber assets in the entity’s control, although the degree of mitigation required will depend on the risk that misuse or loss of the particular asset or cyber asset poses to the process being protected.” In practice, I think there need to be at least two categories[i] of cyber assets in scope: direct and indirect impact. Direct impact cyber assets are those whose loss or misuse would immediately impact the BES; these are essentially BCS, but I would of course change the definition to fix some of the current problems. Indirect impact cyber assets are those that can never themselves directly impact the BES but can facilitate an attacker, as happened in the Ukraine (and as would have happened had any utilities been compromised by WannaCry – since their OT networks aren’t connected to the Internet, the initial infection would have been on the IT network). Essentially, all systems on the IT network, as well as systems at Low impact BES assets and at Distribution assets, would fall into this category.[ii]
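To make the two points above concrete – that the emergency patch applies to every device running one of the three old OSes regardless of CIP scope, and that a direct/indirect impact split would decide how urgently each one is handled – here is a small inventory triage script. It is an added example, not code from the post or from any NERC entity; the inventory rows are constructed, the `site_impact` and `network` labels are assumptions, and the direct/indirect mapping is a deliberate simplification of the post’s definitions (direct = inside an ESP at a High or Medium impact site; everything else indirect).

```python
from dataclasses import dataclass

# OS versions named in the post as receiving the out-of-band patch.
OUT_OF_SUPPORT_OS = {"Windows XP", "Windows Vista", "Windows Server 2003"}


@dataclass(frozen=True)
class Asset:
    name: str
    os: str
    site_impact: str   # assumed labels: "High", "Medium", "Low", "Distribution", "n/a"
    network: str       # assumed labels: "ESP" (inside an Electronic Security Perimeter),
                       # "OT" (operations network outside any ESP), "IT" (corporate)


def needs_emergency_patch(asset: Asset) -> bool:
    """The patch obligation is decided by the OS alone, never by compliance scope."""
    return asset.os in OUT_OF_SUPPORT_OS


def impact_category(asset: Asset) -> str:
    """Simplified version of the post's categories (assumption, not the CIP definition):
    direct impact = BCS/PCA inside an ESP at a High or Medium site; indirect = all others,
    including IT systems, Low impact BES assets and Distribution assets."""
    if asset.network == "ESP" and asset.site_impact in ("High", "Medium"):
        return "direct"
    return "indirect"


def patch_worklist(assets):
    """All assets that need the patch, direct-impact ones first, then by name."""
    todo = [a for a in assets if needs_emergency_patch(a)]
    return sorted(todo, key=lambda a: (impact_category(a) != "direct", a.name))


def outside_cip_scope(assets):
    """Assets that need the patch but that a compliance-only view would miss:
    this is the auditor's point in the post."""
    return [a for a in patch_worklist(assets) if impact_category(a) == "indirect"]


# Constructed sample inventory; none of these are real assets.
SAMPLE_INVENTORY = [
    Asset("cc-hmi-01",     "Windows Server 2003", "High",         "ESP"),
    Asset("cc-hist-02",    "Windows Server 2012", "High",         "ESP"),
    Asset("sub-rtu-17",    "Windows XP",          "Medium",       "ESP"),
    Asset("dist-hmi-44",   "Windows XP",          "Distribution", "OT"),
    Asset("low-eng-ws-03", "Windows Vista",       "Low",          "OT"),
    Asset("corp-file-01",  "Windows Server 2003", "n/a",          "IT"),
]


if __name__ == "__main__":
    for a in patch_worklist(SAMPLE_INVENTORY):
        print(f"{impact_category(a):8} {a.name:14} {a.os}")
    print("missed by a scope-only view:",
          [a.name for a in outside_cip_scope(SAMPLE_INVENTORY)])
```

Running it lists five of the six constructed assets as needing the patch (the Server 2012 historian is excluded), with the two ESP assets at the top of the worklist and the three non-ESP devices called out separately as the ones a compliance-only patch program would leave unpatched.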
As I said in my WannaCry post from Friday, I’m now leaning more to the idea of having a separate agency – probably within DHS – regulate cyber security of critical infrastructure. This includes the power industry, oil and gas pipelines, water systems, chemical plants, etc. I’m not doing this to punish NERC, but because I believe there will be a lot of advantages to having one regulator overseeing all of these industries, as opposed to separate regulators for each one. For one thing, there would be a lot of synergies, since the similarities among critical infrastructure in these industries are much greater than the differences between them (for example, if you look at my six principles, you’ll see they don’t refer to power at all). For another, I think the power industry, which has had by far the most experience with cyber regulation, would be in a good position to share its lessons learned with the others.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte.
[i] Note these categories don’t have anything to do with the High, Medium and Low impact categories in the current CIP v5/6/7 (and soon 8!). As I pointed out what seems like 50 times a few years ago when I was digging into the swamp known as CIP-002-5.1 R1 and Attachment 1, those are really not categories of BES Cyber Systems (even though they are identified as such in the requirement); they’re categories of BES assets (substations, etc.). I think I first pointed this out when FERC issued their NOPR saying they’d approve CIP v5 in April 2013 (see footnote vii as well as my response to the first comment at the end of the post).
[ii] I’m not ruling out the possibility that there might need to be other categories, or sub-categories of these two.