Tom Alrich's Blog: October 2019

Thursday, October 31, 2019

The full story of the March grid event

This morning, Blake Sobczak of E&E News published a story about the March grid event that definitely qualifies as the first publicly-acknowledged successful grid cyberattack in the US. We knew most of the details already, except for the name of the company involved. But Blake had filed a FOIA request, and now we know the name as well: SPower, which says they’re the large private wind developer in the US.

Some people have tried to tell me that, since this may not have been specifically targeted at the power industry, it doesn’t qualify as a grid attack. But a grid attack doesn’t have to be targeted at the grid. This one didn’t seem to have any direct impact other than loss of visibility for a number of 5-minute periods. But it could obviously have been more serious in another context.

Speaking of another context, soon I expect to post a story about an event that was originally characterized as just malware on the IT network, but – from what I recently heard - seems to have led to a much more serious loss of visibility in a large EMS system. In fact, this should probably count as the first successful grid cyberattack, since it happened last year.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for your organization, remains open to NERC entities and vendors of hardware or software components for BES Cyber Systems. To discuss this, you can email me at the same address.

Wednesday, October 30, 2019

An ex-auditor makes a point about CIP-013 plans

In my post on Monday, I suggested that any NERC entity who has to comply with CIP-013-1 by July 1, 2020 submit their R1 plan to their Region to review by March of next year. The reason for this suggestion is that many regions won’t want to review plans after the compliance date, and it’s important to get it in to them in time to make sure it gets reviewed – since there will presumably be a lot of other entities with the same idea.

Kevin Perry, former Chief CIP Auditor of SPP RE, emailed and pointed out to me that March might well be too late. For one, the auditors have day jobs to do, and given the likely crush of entities wanting plan review, it’s very possible they won’t be able to review all of the plans by July 1. But even more importantly, you want to have enough time to make whatever changes the auditor suggested, before the compliance date. So I’m going back to my original suggestion that you should aim to submit your plan to your Region by January. And if you can’t make that date, do your best.

However, as I said in Monday’s post, I think the Regions that tell you they can’t review your CIP-013 plan after the compliance date don’t understand that the principle of auditor independence shouldn’t apply to a standard that requires you simply to develop and implement a supply chain cyber security risk management plan – a requirement (R1.1) that provides just about zero guidance (in the requirement itself, which is of course the only “guidance” that counts in NERC – i.e. is binding on both auditor and entity) on what should be in the plan.

However, this isn’t necessarily a problem with CIP 13. The problem is with most of the other CIP requirements, which are prescriptive and create the illusion that it’s possible to mitigate cybersecurity risks in the same way that you address electric operational risks. The latter are based on the laws of physics, which – as far as I know – don’t change from year to year or entity to entity. Cyber risks, on the other hand, can never be specified to any degree of rigor, which is why prescriptive requirements make very little sense in cyber. For the same reason, IMHO auditor independence also doesn’t make sense when it comes to CIP. And it especially doesn’t make any sense when it comes to CIP-013, since the standard doesn’t prescribe anything in particular.

This, by the way, is partially a statement of what I’ll be talking about in my webinar on Nov. 7. You might want to check it out.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

Tuesday, October 29, 2019

My webinar next week

As a reminder, next week I will be doing a webinar entitled “How can we regulate cybersecurity for critical energy infrastructure?” I described the webinar in some detail in this post. Essentially, it discusses how I would design cyber regulations for any critical energy infrastructure, not just the power grid – but that is informed by what I and the industry have learned from ten years of compliance with the NERC CIP standards.

What I will advocate is of course a huge change from most of CIP now. But guess what? Even though it will be a big change, I’m convinced it not only should happen, but will happen. And probably within a few years. I think the forces pushing for change are probably stronger than any of us realize now.

The webinar will be from 12 to 1 PM EST on November 7. You can register here. If you can’t make it, you’ll receive an email afterwards with a link to the recording. I hope to “see” you there!

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

Monday, October 28, 2019

What I said at GridSecCon: Don’t be your own jailer!

As I described last week, I was moderator for a panel on supply chain security last Wednesday at GridSecCon 2019, which went very well. Like the five panelists, I’d prepared beforehand a four-minute discussion of a relevant topic – the one I chose was the important role that vendor questionnaires can play in a utility’s supply chain cyber security risk management program. However, based on conversations I’d had so far during the conference (which echoed some I’d had previously), I decided there was a more important topic I’d like to address – so that was what I talked about. I published my prepared remarks in the last post, and now I’d like to discuss what I actually said.

This topic is about CIP-013 compliance. What do you need to do to comply? The standard is very clear. You need to:

For R1, develop a supply chain cyber security risk management plan, which includes “identifying and assessing” supply chain cyber risks to BES Cyber Systems (the plan must include the six mitigations listed in R1.2, but of course they’re not the only risks you need to identify);
For R2, implement that plan; and
For R3, review and if necessary revise the plan every 15 months.

This is all CIP-013 says, and since the only official guidance document (the Implementation Guidance drawn up by the SDT) is simply a summary of good practices but doesn’t prescribe anything, these three items are all that’s prescribed by CIP-013.

Since I started writing about CIP-013, I’ve noted that it’s very nice to have a standard whose requirements don’t prescribe any particular actions at all, but only set out an objective – supply chain cyber security risk management – and require the entity to decide for itself the best plan for achieving that objective. However, I realized early on that this was probably giving entities and auditors too much freedom; it would be better if there were some “criteria” for what should be in the plan, baked into the standard itself.

And by “criteria”, I mean a set of areas of risk that the plan must address – for example, the risk areas of insecure equipment delivery, unpatched vulnerabilities in procured software, compromised vendor remote access, etc. If CIP-013 just included the eight or ten most important of these areas and required the entity to address important risks in each area (or document why there aren’t any risks that are important to them, in a particular area), this would give the entity something to hang their hat on when developing their plan. And just as importantly, it would give the auditors something to hang their hats on when auditing the plans – i.e. did the entity address each of the risk areas?

However, there aren’t any criteria like this in CIP-013-1. Maybe the new SDT drafting CIP-013-2 will decide to include these (I hope they do, and I intend to talk with them about doing so) in that version; but that’s at least three years away from implementation.

Which brings me to the subject of my talk at GridSecCon: In the absence of any prescribed content for the plan developed in R1.1, many entities seem to be talking themselves into the idea that there must be some hidden agenda in CIP-013 that probably only auditors know. They expect that the auditors will descend like zombies on Halloween to distribute PNC findings for CIP-013 to NERC entities when audits come around. The entity may protest “Hey, that’s not in the standard!” But the auditor will cackle fiendishly and say “You may not think so, but look here…if you take every other word of R1.1 and read them backwards and upside down, you’ll get the clear meaning of R1.1. It’s too bad you didn’t know that…” as they smile broadly and malevolently.

The problem is that NERC entities are so used to being beaten over the head with the need to detect all of the open and hidden meanings in prescriptive requirements like CIP-007 R2, they can’t believe that CIP-013 R1.1 really allows them to identify and mitigate whatever risks they think are important; as long as they don't decide that there are no supply chain risks that they need to address (or just one or two), they'll be compliant. Meanwhile, the utility down the street will identify and mitigate a different set of risks and guess what? They’ll be compliant, too. Telling an experienced (and battle-scarred) CIP compliance person that they really have this freedom now is something like telling a civil engineer that all the equations he/she has learned are wrong, and any bridge he tries to build will be fine, no matter what formula he/she uses. It's disconcerting, to say the least.

I believe this is why so many entities have said to me things like “I think we’ll actually end up having to comply with (name the standard, such as NIST 800-161 or 800-171), and our vendors will have to comply with (say, NIST 800-53, ISO 27001, etc.)” or “I’m sure the next version of CIP-013 will have a lot of prescriptive requirements in it.” They just can’t believe that R1.1 really means what it says.

A number of years ago in Illinois, there was a case of a man who had been put in prison as a teenager and more or less forgotten about – and then was released in his 70’s or something like that. He took one look at this great world of freedom that he’d never really lived in, and he asked to be put back in prison. He just couldn’t handle the freedom he was being given (I am sure there have been cases like this elsewhere).

This is a good analogy for what some NERC entities are doing: Faced with a vast open field where they can finally decide for themselves what risks they want to address in CIP-013 and which they don’t want to (instead of a vast thicket of prescriptive requirements, like they’re used to for CIP), they have decided (at least for now) to hunker down and construct a prison around themselves. This way, they’ll be back in the old prescriptive NERC CIP compliance environment that they’re used to. They certainly don’t love it, but at least they understand it.

I have two things to say to these people. First, there certainly are concrete steps an entity must take in order to comply with CIP-013. None of them are in any way hidden, although one or two are only visible if you look at NERC’s most recent Evidence Request Spreadsheet. I hope to have a post out on what is actually required for CIP-013 compliance soon.

Second, you have an option you never had with previous CIP standards: Some of the NERC Regions (and I hope it will eventually be all of them) have said they will be glad to review your CIP-013 plan before 7/1/20. I recommend every entity that has to comply with CIP-013-1 (i.e. any entity with High and/or Medium impact assets) take advantage of this opportunity.

However, I certainly don’t recommend you wait until – say – June to submit your plan for review; you’re likely to be told by your Region “Sorry, we’ve had so many CIP-013 plans submitted to us, that we have to turn away any further plans.” And that will be it. I would try to get your plan in by March at the latest, and earlier if you can. I personally think there’s no good reason why the Regions shouldn’t feel comfortable reviewing your plan after 7/1/20, but my guess is a misplaced concern about Auditor Independence will drive most – although maybe not all – of them to stop doing this on the compliance date.

There’s something else that would definitely ease a lot of people’s anxiety about how CIP-013 will be audited: a widely accepted set of criteria for what should be in the plan, which could guide the entities as they develop their plans and the auditors as they audit them. Of course, it would be best if this had been included in CIP-013-1 from the start, but it wasn’t.[i] As I said above, I will suggest to the new SDT that they try to include that in the next version, but that’s three years away at best.

I still have hopes that some industry group will develop a set of criteria for the plan. The model they could follow is CIP-010-2 R4 Attachment 1. This sets forth a set of areas of risk (posed by Transient Cyber Assets and Removable Media) that need to be addressed in the entity’s plan for managing the risk[ii], as well as suggestions for mitigations that might be used in addressing each of these areas. It wouldn’t be that hard.

You could say that the CIPC Supply Chain Working Group is doing this now. We’ve already put out a set of four-page guidelines addressing several areas of risk, including Provenance, Secure Equipment Delivery, Vendor Risk Management, and Open Source Software[iii]. However, I don’t think there’s time or energy enough for the group to address all major areas of supply chain risk in similar detail, which would probably require 10-20 additional documents.

Will anybody step up to do this? I hope so. Stay tuned.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

[i] I’d love to say at this point that I’d fiercely advocated for this during the development of CIP-013 (I attended a few of the onsite SDT meetings, and other phone meetings), but I’d be lying if I did so. I had no more idea than anyone else that having criteria for what should be in the plans was a good idea. But even if I had known this, it’s not likely I would have been able to convince the SDT they should do this. Remember, they were under a really strict timeline.

FERC’s Order 829 gave NERC just one year to develop the standard, get it approved by the NERC ballot body and the NERC Board of Trustees, and send it to FERC for their approval. This was over the strenuous objections of Commissioner LaFleur (who recently retired from FERC), who said this wasn’t enough (I agreed with her). And guess what? It wasn’t enough. The SDT just had to concentrate on putting together a draft of CIP-013 (and also additional parts to CIP-005 R2 and CIP-010 R1) that would pass a ballot (I believe that on the first ballot, the draft of CIP-013 received a whopping nine percent yes votes. And since a 2/3 majority is required for passage, this was an indication that this wasn’t going to be easy!). My suggesting that the SDT should really take a step back and think about making the standard more understandable and auditable, even though this might take a couple of ballots to work out, would have been met with gales of laughter, if not outright tar and feathers.

[ii] The word “risk” isn’t used in this requirement or in Attachment 1, but I contend the concept of risk management is inherent in any requirement to develop a “plan” or “program” to achieve a particular objective. For that matter, CIP-007-6 R3 and CIP-011-2 R1 are also risk-based requirements, even though they never use that word, either. CIP-013 is the first NERC standard that states that risk management is required. This isn’t an accident, either. FERC made clear in Order 829 that they wanted the new supply chain standard to be risk-based; they knew that trying to do it in the traditional NERC prescriptive format would be a disaster.

[iii] There’s also a paper on Supply Chain Risk Management Lifecycle, which sets out a general methodology for developing a supply chain cyber security risk management plan, such as the one required by CIP-013 R1.1.

Thursday, October 24, 2019

What I planned to discuss at GridSecCon

The panel I moderated on supply chain security yesterday at GridSecCon was very successful. All of the panelists had very interesting things to say, and the audience asked some great questions – most of which we were able to answer during our allotted hour. Since I hate the idea that everything that was said has just evaporated into the ether, I am going to ask all of the panelists to summarize what they said – both in their initial short presentations and in response to questions. I will publish what they send to me within a couple weeks (but I really hope the E-ISAC will look into recording panels and presentations next year, and making them available on the web site. Slides are always posted, but panelists are only allowed one slide apiece).

I gave each of the panelists (including me) four minutes up front for their presentations – in order to leave as much time as possible for Q&A. I said we each should choose a topic (or two) that the audience wouldn’t already know about. I didn’t want to waste time on having each panelist discuss their organization and describe how committed they are to grid security, so I stated up front that all of their organizations (SEL, INL, OSISoft, Hydro Quebec, and NERC) are very committed to grid security and doing all they can to achieve that end – and that includes Tom Alrich, LLC! I gave them all a chance to disagree with that statement, but none of them did, for some reason.

For my four minutes, I had prepared a discussion of vendor questionnaires, which I think is a very important topic for supply chain security and CIP-013 compliance. However, during conversations at GridSecCon as well as before, I realized there was something more important I’d like to say, specifically regarding CIP-013 compliance – so I switched to that. I will do a post on what I actually said next week, but here is what I intended to say:

My topic is supplier or vendor security questionnaires. I believe these are a very important tool for supply chain cyber risk management – and they’re often overlooked. These are questionnaires that an entity sends to its vendors or suppliers on a regular basis (hopefully at least annually).

My guess is that most supplier questionnaires are mainly used for the purpose of deciding whether to buy from the supplier in the first place, or whether to drop them if their level of security changes for the worse.

That’s certainly a worthy initial goal, but as we all know, supplier relationships in this industry often go on for decades (if not centuries), and they’re never terminated lightly. So the important question is: There are a lot of security risks that a supplier could pose for our BES Cyber Systems. For this particular supplier, which of these risks do you need to worry about - and perhaps take additional mitigations to protect yourself from - and which risks has the supplier already sufficiently mitigated, so that you don’t have to take additional steps to mitigate them?

This means the question isn’t “Does this supplier have good or bad security?” It’s “Which supply chain risks has this supplier mitigated, and which ones haven’t they mitigated?” A properly-designed questionnaire can elicit this information.

The questions in the questionnaire need to be specific to particular threats, like “What measures do you have in place to monitor your network for unusual activity?” You will assign the vendor or supplier a risk score for each threat, not just one overall score. For example, if the supplier has a good SIEM system and they’re managing it well, they’ve probably sufficiently mitigated this threat, and you will probably give them a low risk score for the threat.

But if they answer “Why would we want to monitor our network? We’ve never had a breach?”, that’s a red flag that they haven’t mitigated the risk at all. They would probably receive a high risk score for this threat. You need to have a documented process for evaluating the supplier’s answers to these questions. This is needed for overall consistency, but also for protection against lawsuits from losing suppliers in RFPs – especially if you work for a public entity subject to FOIA requests.

You’ll use the risk scores to guide your risk remediation efforts with the supplier. Armed with these scores, you can have a conversation with the supplier about what they’re doing well and what they’re not doing well, and suggest steps they can take to improve their scores. You may also use the scores to determine terms to include the next time you renew their contract.

The risk scores will be most helpful when you’re doing a procurement risk assessment, at the beginning of each procurement. NERC’s most recent Evidence Request Tool makes clear that CIP 13 audits will look at individual procurements. You’ll need to show evidence that you conducted a risk assessment, taking into account the threats you have identified as important to mitigate.

You’ll need to show that you’ve considered all of these threats in your procurement risk assessment. If a supplier or vendor has low risk scores for some of these threats, this means they’ve already mitigated those threats, and you don’t need to consider these further in your assessment. On the other hand, if they have high or medium scores for other threats, you do need to consider those threats – and you will probably need to identify additional mitigations that you or the supplier can take to reduce the residual risk in this procurement.

For example, if you believe a software supplier has security problems in their development environment and there’s a non-zero probability that malware or a backdoor may have been planted in their software, you might ask them to conduct a code review or do a full vulnerability assessment before sending you the software. Or you – the NERC entity - might take extra steps to look for vulnerabilities and backdoors before you install their software. Or you might do both.

Saturday, October 19, 2019

A couple of great articles

Blake Sobczak of E&E News publishes an excellent weekly newsletter on current cyber developments in energy, which I recommend you all sign up for. The newsletter is free to anyone, and you can sign up for it here.

The feature article in this week’s newsletter, which you can find here, makes a very good point: Whenever there’s a power outage of any magnitude, the utility (or governmental entity) in question will almost immediately reassure everyone that this wasn’t a cyberattack. But how could they possibly know that so quickly? Especially since attackers are getting better all the time at hiding their tracks.

And speaking of hiding their tracks, I also highly recommend you read the Wired magazine article linked just below Blake’s story. It’s about the Olympic Destroyer malware, which came very close to fulfilling its billing: destroying the 2018 Winter Olympics in South Korea.

I found it to be a really terrific story for three reasons: First, the attack was fiendishly well-designed, and the attackers made it almost completely impossible to trace where they came from. Second, it’s a great whodunit, describing how the author finally nailed down the nation-state that was responsible for the attack (and it’s probably not the one that would first come to mind for an attack on South Korea).

And third, given the nature and ferocity of the attack – which occurred literally at the beginning of the opening ceremony – the fact that it ended up having only minimal impact on the ceremony or the Games was due to excellent preparation beforehand by the team running the technology effort, and even more importantly to an amazing response to an attack that crippled all nine of the Games’ domain controllers. Because they were all fatally compromised, the team had to rebuild them all from scratch, and disconnect the entire Games from the internet while they did so. Yet they did that by the next morning, and very few attendees or staff even knew how close the Games came to being cancelled outright.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

Thursday, October 17, 2019

You too can waste BIG money on CIP-013 compliance! (part two)

Part one of this series used the example of EEI’s way-over-the-top supply chain security contract terms (and how one big IOU almost made the mistake of trying to use them!) to show how a NERC entity can impose huge unnecessary costs on itself (in this case, costs to their legal staff) in the name of CIP-013 compliance. However, it turns out I way understated the over-the-topness of this document.

The problem I discussed in the first post was that EEI’s language went far beyond what was needed for compliance with CIP-013 R1.2.5 and addressed a number of other threats, besides the one that R1.2.5 requires the entity to mitigate. Of course, there’s nothing wrong with going beyond what is strictly required – in fact, R1.1 requires that you do go beyond the six (really eight) threats in R1.2.5, and “identify and assess” other threats as well. As I’ve discussed in several posts, this means the entity needs to identify other threats, then decide for itself which ones it will mitigate (and that decision can be based on cost, which is the first time you’ve been allowed to make such decisions in NERC CIP).

But the point is that you need to decide for yourself (i.e. for your organization) what supply chain risks you’ll mitigate in CIP-013; you don’t want to have the decision made for you by somebody at EEI who thought it would be kinda nice to insert some extra contract language. As I pointed out in the post, every term you include in a contract is going to require a lot of lawyer time to respond to vendor requests to modify that language; negotiate on what acceptable language is; get approval for this exception, etc. etc. And if there are 100 vendors this applies to, you might conceivably have to do this for a large number of those – and that is for every term that you put in the contract.

In my post I identified four unneeded terms included in the EEI language, and I estimated that there are at least 50 total unneeded terms in the whole document, although that’s probably low. But let’s say that, for each of those 50 terms, 20 vendors out of the 100 will object to the language and try to get it modified (as I also pointed out in my last post, this is what the vendor’s lawyers are paid to do. They’re there to reduce the vendor’s contract compliance burden, and they’ll reflexively object to almost anything. In fact, 20 out of 100 might be a low estimate for the number that would object to a term). And assume a lawyer will need to spend at least 10 hours dealing with each objection (again, probably low). 20 vendors X 50 terms X 10 hours means you’ll be investing 10,000 legal hours, if you seriously try to implement all of the unneeded terms in the EEI document. And let’s say they get paid $100 an hour fully burdened (probably that’s low, of course).

So this is $1 million to implement the unneeded language in the EEI document (on top of what you’d spend to implement the language that is needed, although see my comment below about relying on contract language as a last resort for vendor risk mitigation, never as a first resort). And God help you if you have a problem down the road with a vendor and you decide you need to audit their compliance with these terms – which keep in mind aren’t needed for compliance in the first place.

But there’s another cost – perhaps more serious – in tying up so many lawyers for so much time, which the lawyer who prompted the first post brought up in her email: negotiating with all of these vendors will take lawyers away from their other work like approving contracts. So this will delay all procurements (she estimated 2-3 months, which would be huge in itself. But I’m sure she was thinking of just a small number of unneeded terms, not at least 50, like I see). And that is going to have an impact on BES reliability, as well as all the other functions of your organization.

Of course, since there are a number of threats your organization will decide to mitigate in CIP-013, you will probably need to address at least some of these in contract language (although I always think of contract language as the last resort. If you can get the vendor to agree to do something by email or verbally, why not go with that for now? If six months later you find out they haven’t kept their promise, then you can move to contract language. But you should never reflexively decide up front that you have to have contract terms for every threat you’ve decided to mitigate, and for every vendor). But the point is to only do that for the threats that matter to you, not the ones that are in your contract just because someone at EEI thought it would be cool to throw some extra terms in their document.

And there’s another big potential cause of wasted legal effort in CIP-013 compliance: Inserting language that addresses threats that are irrelevant for CIP-013. Remember, CIP-013 deals with threats to the BES – which specifically means control systems (ICS). The number – and magnitude – of threats to control systems is dwarfed by the number of threats that target IT systems. And when you look at expected loss from an IT attack, the difference is even greater. There have only been two documented cyber attacks on control systems that caused loss of load – both for short periods of time. On the other hand, just one attack on IT systems, NotPetya, caused an estimated $10 billion in damage worldwide.

When you look at a document like NIST 800-53 or NIST 800-161, probably 80-90% of the threats described don’t apply to ICS. That’s because IT systems are valuable because they hold or use valuable information; control systems are valuable because they control important processes. Concerns like data privacy, protection of intellectual property, non-repudiation, separation of duties, etc. – none of these are at all relevant to ICS.

That’s why it was disheartening to see that EEI included a whole section of contract language about encryption (p. 13). Encryption has nothing to do with ICS security. Unless you’ve decided that your ICS are a wonderful place to store your Protected Health Information or your customer credit cards, the only information you need to protect on ICS is information on the configuration of the devices themselves. And God forbid you should encrypt it! That would be a wonderful way to make your BCS totally unreliable (“I’m sorry about the outage, ma’am. You see, our PKI had a glitch today and our control systems couldn’t verify any of the certs they needed to decrypt their configuration information. We’re pretty sure we’ll have you up and running by say next Thursday. What’s that you say, ma’am? Where do you want me to put my PKI?).

And besides the reliability impact of including encryption in your ICS, you’ll have the legal time impact: There are about 8 terms related to cryptography X 20 vendors X 10 hours per vendor is 1600 lawyer hours. Times $100/hr. makes a $160,000 cost just for dealing with the cryptography terms.

But the EEI document has an even bigger source of potential cost in it that frankly makes everything I’ve discussed so far look like small potatoes indeed. At various places in the document, they refer to NIST publications as kind of a shorthand for listing out a bunch of other contract terms (in other words, the vendor has to read the references, then decide for itself how they’ll actually comply with those terms. Of course, this is all in the contract, meaning they’ll in theory be hung out to dry legally if they don’t interpret the NIST references to your taste. Come to think of it, that sounds a lot like some other cybersecurity standards for critical infrastructure that I’ve heard about – I forget the name right now, or perhaps I’ve repressed it. What could possibly go wrong with this?).

For example, one term in the EEI document is:

(d) Contractor shall implement a vulnerability detection and remediation program consistent with NIST Special Publication 800-53 Rev. 4 RA-5, SA-11, and SI-2, as may be amended.

Let’s look at just one of these references, SI-2. Here is the control itself:

SI-2 FLAW REMEDIATION

Control: The organization:

a. Identifies, reports, and corrects information system flaws;

b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;

c. Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and

d. Incorporates flaw remediation into the organizational configuration management process.

How many individual controls are included in this? I’d say about 10 or 12. So these are effectively 10 or 12 more terms for the contract. And this is just one reference, of say about 20-25 in the EEI document. If they all have 10 or 12 terms in them, then that’s between 200 and 300 more terms that are being added. And since the $1 million cost estimate above was just for 50 terms, we’re talking about $4-6 million in additional cost for including the NIST terms.

But there’s more. On page 15 of the EEI document, under Contractor Cybersecurity Policy, there’s this paragraph:

Contractor will provide to Company the Contractor’s cybersecurity policy, which shall be consistent with NIST Special Publication 800-53 (Rev. 4) as may be amended. Contractor will implement and comply with that cybersecurity policy. Any changes to Contractor’s cybersecurity policy as applied to products and services provided to Company under this Agreement and Company Information that are inconsistent with the security requirements of NIST Special Publication 800-53 (Rev. 4) as may be amended shall be subject to review and approval by Company prior to implementation by Contractor.

So now we’re saying that the vendor’s cybersecurity policy must be consistent with the whole of NIST 800-53, which runs 462 pages in the PDF that I have (and here we’re not just talking about the controls in Appendix F. We’re talking about the entire 800-53 program), and the slightest deviation from that policy needs to be reviewed and approved by your lawyers. And of course, this goes for all of your say 100 vendors subject to CIP-013 (and one entity estimated to me that they had in the hundreds of vendors of BCS hardware and software).

At this point, we start asking questions about what the liquidation value of the utility would be, since obviously it will have to stop wasting money generating, transmitting and distributing electric power and just focus all of its resources on what’s important: implementing and enforcing the EEI contract language!

I just looked at the EEI document to see if it was released on April 1. But no, it was released in March. Too bad. That would have explained a lot.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

Monday, October 14, 2019

The mother of all supply chain attacks

I’ve known Matt Miller for a long time. He spent 28 years at the Western Area Power Administration, retiring as VP of Risk Management and Reliability Compliance. He is currently with Dakota Consulting. He pointed out to me today that our government perpetrated perhaps the greatest supply chain attack of all time, which played a role in the fall of the Soviet Union. While I knew the US was behind the huge Russian pipeline explosion in 1982 and that it was because of a backdoor the US had planted in pipeline equipment, I didn’t realize this wasn’t an isolated attack, but part of an extensive campaign – whose main purpose wasn’t to cause damage per se, but to undermine the Soviets’ confidence in their shiny new infrastructure, a lot of which they had stolen from the US.

Of course, the Soviets’ big mistake was that they wanted to save a few rubles by stealing the technology they needed rather than purchasing it fair and square, which they could surely have done (as Lenin said, “When it comes time to hang the capitalists, they’ll be glad to sell us the rope”). So one lesson for the power industry is not to steal the technology you want to use; you can’t very well sue your “vendors” if what they sell you doesn’t work, or more importantly blows up.

However, the real lesson is that there can be very bad stuff hidden in what you buy to run the grid. But you already knew that…

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for your organization remains open to NERC entities and vendors of hardware or software components of BES Cyber Systems. To discuss this, you can email me at the same address.

Friday, October 11, 2019

You too can waste BIG money on CIP-013 compliance! (part one)

I’ve been working almost full time on CIP-013 compliance since the beginning of this year, and I’ve always been very concerned about making sure that clients carefully target their supply chain risk mitigation efforts, so they don’t waste money.

Believe it or not, wasting money on CIP-013 compliance is really a new concern in the NERC CIP world. When complying with the prescriptive CIP requirements (with CIP-007 R2 and CIP-010 R1 being the poster children for that), waste really isn’t the question. You are required to do certain things at certain times, and you need to invest whatever it costs to be assured that you’re doing the right things and you’re doing them at the right times. If you pass the audit for a particular requirement, not a single penny that you spent on compliance with that requirement was wasted. If you don’t pass, the whole amount you spent was wasted.

But CIP-013 is very different, of course. R1.1 requires you to “identify and assess” supply chain security risks, and then (implicitly) requires you to mitigate the most important of those risks (since there’s no way any entity could ever mitigate all, or even a significant fraction of its supply chain security risks). But, other than the fact that you need to include in your plan the six risks (really 8) mandated by R1.2.1-R1.2.6, CIP-013 provides no further guidance on:

What risks you should identify, or even how you should go about identifying risks;
How you should decide, of the risks you’ve identified, which ones to mitigate and which to accept; and
To what degree you should mitigate each risk. Should you apply so many mitigations that the risk level asymptotically approaches zero? Or should you just do a pro forma mitigation of each risk (such as simply sending an email to each vendor giving them a list of things you’d like them to do, with no effort later on to verify that they’re actually doing it), which will in fact mitigate almost no real risk?

But just because there isn’t any guidance from NERC on these questions[i] doesn’t mean you shouldn’t think about them. Granted, you can’t be held in violation if you don’t address them, but your goal should be more than compliance: It should be making sure that, no matter what amount of resources (staff time and funds) you have available to you for CIP-013 compliance, you are using them as efficiently and effectively as possible. Because after all, supply chain risks are probably the fastest growing set of risks in cybersecurity today (just ask the Russians, who are routing close to 100% - if not 100% - of their attacks on the US electric power grid through vendors). You (and the BES) can’t afford to waste resources in this effort, especially if you don’t have adequate resources to begin with (and raise your hand if you have all the resources you need for supply chain security…yup, I didn’t think I’d see any hands).

I see three main ways in which a NERC entity can waste resources on CIP-013 compliance:

Scatter their resources on partially mitigating a lot of supply chain security threats (probably without realizing they’re doing that), without actually mitigating any of them (and I define mitigation to be lowering the level of risk posed by a particular threat from medium or high to low, for a particular vendor, product or service).
Pour resources into over-mitigating a small number of threats, while barely addressing other threats at all, even though they may pose the same – or even a higher – level of risk.
Devote resources to mitigating risks that don’t even apply to BES Cyber Systems.

However, while I’ve been sure for a long time that it’s possible to waste serious money on CIP-013 compliance, until fairly recently I struggled to identify what was the most likely way this might happen. Then, a month or so ago, a lawyer with a very large IOU contacted me about a problem she had – and voila! In one document I found great examples of all three ways to waste money. Moreover, it’s a document that is likely to be put into practice by a number of large NERC entities.

The document is EEI’s “Model Procurement Contract Language Addressing Cybersecurity Supply Chain Risk”. EEI released it in March, and while I certainly looked at it at the time, I admit that it didn’t make much of an impression on me, good or bad. However, the lawyer said her team was working on procurement language for CIP-013 compliance, and she was being asked to base that procurement language on this document. She said she thought the document was kind of “over the top” and would require her to devote a lot of resources to CIP-013 contracts, as well as delay procurements by months. She wondered if I agreed with her opinion.

So for the first time, I went through the EEI document in detail, and I came to the realization: While some parts of the document are OK and might even be worthwhile examples to follow, others would require a huge effort and lots of resources to implement properly. In fact, the document provides great examples of all three wasteful practices listed above. Before I elaborate on that statement, here’s a little background on the document.

As I’ve already pointed out, CIP-013 R1.1 requires NERC entities to identify and assess supply chain cyber security risks, but it doesn’t provide direct guidance on what risks should be considered, or even where they can be found. However, R1.2.1 – R1.2.6 state six mitigations that must be included in your plan (and since R1.2.5 and R1.2.6 include two mitigations each, it’s really eight in total). With a little wordsmithing, you can “go behind” each of these mitigations, to identify the threats they’re intended to mitigate (I prefer the term threat to risk, since what is needed here is simply a statement of something bad that can happen, not referring to its likelihood and impact. When you later consider likelihood and impact to determine the risk posed by the threat, then it becomes a risk. This approach is consonant with NIST 800-30, although I’ll admit I didn’t develop it based on that).

For example, R1.2.1 reads “Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity.” The threat behind this mitigation can be found by inverting the wording: “A vendor won’t notify the Responsible Entity of an incident related to products or services it provides to the RE. Because the RE doesn’t know about this incident, it isn’t able to take adequate steps to mitigate the risk(s) to the BES that were revealed by the incident. This leads to a compromise of a BCS and damage to the BES.” Note that your statement of a threat for CIP-013 should always end with an adverse impact on the BES. If you can’t think of a BES impact for this threat, then you shouldn’t be considering it under CIP-013 (although you might consider it in your supply chain cyber security risk management plan for IT systems).

When you consider supply chain threats in general for CIP-013 plan, you need to include the eight R1.2 threats in the plan, regardless of whether you would do that if they weren’t mandatory. Fortunately, all of the R1.2 threats are important ones, so they would almost all probably make the cut anyway. This means that you need to describe in your plan how you will mitigate each of the R1.2 threats.

There are various tools you can use for supply chain risk mitigation. One tool is RFP language; you can include risk mitigation measures as deliverables of the RFP itself. Another is vendor questionnaires, in which you ask the vendor to describe how they have mitigated each of the vendor (or supplier) threats; you can then use their responses to develop a risk score for each threat, for each vendor. These let you precisely target your procurement mitigations, instead of basing them on an overall vendor risk score, which applies to all threats and requires the same mitigations for any vendor with the same overall score.

Of course, contract language is another tool for mitigating vendor risk, and the EEI document lays out what they think is appropriate language for mitigating the eight R1.2.1 – R1.2.6 threats. I do want to mention that simply getting the vendor to agree to contract language doesn’t in itself mitigate any risk; you need to take some steps to verify they’re doing what they promised to do – just like you would do if the vendor makes their promise in a letter, an email, or simply a phone call.

So how will adapting the EEI contract language as your own lead to your wasting money? Let’s start with the first way described in item A above: scattering your resources among a wide variety of supply chain risks, and not mitigating any of them very well.

You may notice a contradiction here: I’m saying the EEI document encourages you to waste your resources by addressing a wide variety of supply chain threats, yet I also said the document was developed to provide contract language specifically for the eight threats implied in R1.2.1 through R1.2.6. Which is it?

The problem is that the people who wrote the EEI document included a lot of language that addresses threats other than those included in R1.2. For example, R1.2.5 requires mitigation of two, and only two, threats: a) the threat that a malicious third party will intercept a patch while you're downloading it from a trusted site and insert a malware-laden substitute; and b) the threat that you will download inauthentic software or patches, either from a fake site that's a good facsimile of the trusted site or from the trusted site itself, which has been compromised - with inauthentic patches inserted – by a third party.

However, EEI's language for R1.2.5 includes this:

Contractor shall identify the country (or countries) of origin of the procured product and its components (including hardware, software, and firmware). Contractor will identify the countries where the development, manufacturing, maintenance, and service for the product are provided. Contractor will notify Company of changes in the list of countries where product maintenance or other services are provided in support of the procured product. This notification shall occur 180 days prior to initiating a change in the list of countries.

This one paragraph (and there are many more like it throughout the document) identifies four threats that are different from the two threats that are the subject of R1.2.5. These threats are:

a) A supplier will provide the entity with a product or product component that has been manufactured or developed in a suspect foreign country.

b) A product that is shipped back to the supplier for service will in fact be serviced in a suspect country.

c) Even though a supplier has informed the entity of the country(ies) where service is performed and they were acceptable to the NERC entity, the supplier will in fact send a product to a different country that is a suspect one (“Oh, we forgot to tell you. We normally ship our products to Japan for service, but because we got a great deal this one time, we sent your product to North Korea instead. Hope you don’t mind…”).

d) The supplier will notify the entity of an upcoming change in service countries, from an acceptable country to an unacceptable one, close to the date when that change is effective, when it will be too late for the entity to do anything about it.

Now, I’m not disputing that all of these threats might be worth addressing in contract language (or with other mitigation tools). But the NERC entity needs to identify the threats it wants to mitigate at the beginning of the CIP-013 process, when they “identify and assess” risks in compliance with R1.1 - EEI shouldn't have made this choice for the entity. I’m sure that whoever wrote the EEI document didn’t understand that they were addressing a lot more threats than advertised, but that’s exactly what they did (I haven’t counted them, but I’m sure there are at least 50 threats addressed in EEI’s language, that don’t have anything to do with the R1.2 threats that are the ostensible object of this document).

You might ask “Why is it such a big deal if you have a bunch of other threats addressed in your contract? Maybe the supplier will actually take them seriously; maybe they won’t. But there’s no harm in just including them.” To be honest, I might have said something like that, before my email conversation with the lawyer. She said “What I don’t want to do is overburden the procurement process with unnecessary language, or have to evaluate the acceptability of each and every deviation proposed by a vendor. That might add months to the procurement process.”

From experience, she knows that the supplier’s lawyers will always try to minimize the compliance burden on their employer, by proposing deviations from the entity’s proposed language – after all, that’s what they’re paid to do. There will almost inevitably be a back-and-forth between the two sides, until they have arrived at an acceptable term (or the NERC entity has been convinced to remove the term altogether). This will have to be done for every term. Again, if the term is there to mitigate a threat that the entity has decided is important to mitigate, that’s fine. It’s worth the lawyers’ time (and the delay in the procurement process) to do this negotiation. But I really don’t believe your lawyers will be too happy when they’re asked to negotiate terms relating to threats that you don’t think are important enough to mitigate in the first place!

And the lawyer didn’t mention another big cost to having superfluous language in your contract: You need to take steps to verify that the supplier is actually keeping their promises. This doesn’t mean you have to do an expensive audit of each supplier. I think a questionnaire is fine for this purpose, as long as it was made clear in the RFP or contract that the supplier will need to fill out a security questionnaire at some regular interval.

But keep in mind that there is a cost to the supplier for every question they answer. Since it’s very unlikely that the person answering the questions will have all of the answers at their fingertips, they will have to spend a lot of time trying to find the right person to answer each question, asking the question multiple times if they’re very busy, etc. While it’s not likely that the supplier will tell you they’re just too busy to answer your questionnaire and they wish you good luck with the next sucker…er, supplier…that you choose to buy from, you can be sure that, especially if your questionnaire has lots of questions, you’ll sooner or later pay the price for this in one way or the other. Plus, you will need to evaluate the supplier’s response to every question in the questionnaire, and that requires a lot of valuable time on your end.

Similarly to the case with the lawyers, if you’re sure that every question in the questionnaire is precisely targeted to identify how the supplier has mitigated a threat that you’ve decided you need to mitigate, this cost should be acceptable to you, since the questionnaire is the best way to determine what steps the supplier has taken to mitigate each threat. But if you have a bunch of questions that are only there because of some language that you blindly copied from the EEI document into your contract, you’re once again wasting your resources.

In part 2 of this post, I’ll address even more exciting ways that the EEI document can help you waste money! Please try to contain your excitement.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for your organization, has received a great response, and remains open to NERC entities and vendors of hardware or software components of BES Cyber Systems. To discuss this, you can email me at the same address.

[i] One of the five white papers recently published on NERC’s web site by the Supply Chain Working Group of the NERC CIP Committee discusses these issues, but doesn’t constitute compliance guidance (as the disclaimer says at the beginning of the paper). It’s the one called “Supply Chain Cyber Security Risk Management Lifecycle”.

Thursday, October 10, 2019

Hardware supply chain attacks aren’t fantasy!

Just now, I opened up a Wired magazine online story on hardware hacking through the supply chain, and was pleased – although not surprised – to see that Monta Elkins of FoxGuard (who has been featured in this blog at least a couple of times, most recently here) is the subject of the story, discussing how he planted a $200 chip on a Cisco firewall to enable a remote attacker to essentially gain control of the firewall.

The big point of the article is that, while most people probably think a hardware supply chain attack – as in the SuperMicro attack that was the subject of a Bloomberg article last year (which is now the subject of a lot of doubt) - would require the resources of a nation-state to pull off, it could be done by someone like Monta (not that there is anyone like Monta, of course!) with a miniscule budget.

But even that isn’t the most interesting conclusion from the article. That is found in Monta’s sentence that closes the article: "If I can do this, someone with hundreds of millions in their budget has been doing this for a while." In other words, not only could it be done at scale by a number of organizations (mostly state-sponsored, of course), it probably is being done, and has been for some time.

Have a nice day!

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for your organization, has received a great response, and remains open to NERC entities and vendors of hardware or software components of BES Cyber Systems. To discuss this, you can email me at the same address.

Monday, October 7, 2019

Upcoming webinar: How can we regulate cybersecurity for critical energy infrastructure?

I will be conducting a webinar on November 7, 2019 from noon to 1:00 PM Eastern time, with the above title. The webinar is sponsored by Henry Stewart Publications in the UK, who solicited and published an article of mine titled “How can we effectively regulate grid security?” in their publication Cybersecurity: A Peer-Reviewed Journal early this year; I described that article in this blog post. While that journal doesn’t publish its contents on the web, if you would like to read the article, you can email me and I’ll send you a (perfectly legal) proof copy of it (of course, it’s a good publication and you might want to subscribe. If you do, I’m sure you would receive the edition with my article).

The article identifies five serious problems that I’ve identified with the NERC CIP standards; I’ve been writing about these problems for years, but I had never discussed them all in one place. The article did that, and also briefly described how I would address those problems if given the chance to completely rewrite the CIP standards. The webinar will differ from the article in two ways:

First, the focus will be how I would write cybersecurity standards for any critical energy infrastructure (CEI), not just the power grid. Of course, the most serious effort to date to regulate cybersecurity for CEI to date – anywhere in the world – is NERC CIP, and I will constantly be referring to the lessons that have been learned from the CIP experience.

Second, since I first wrote the article in May 2018, I’ve come to realize there’s a sixth serious problem with CIP that needs to be addressed. In fact, I now think it’s probably the most serious problem of all, and its importance will keep growing in coming years. Not to keep you in suspense, that problem is the fact that NERC entities can’t put BES Cyber Systems in the cloud. Of course, information about BCS, known as BCSI, is now being put in the cloud by many entities, and that activity will without doubt be “legalized” in CIP in a couple of years. But a NERC entity that put a Medium or High impact BES Cyber System itself in the cloud – e.g. outsourced SCADA – would find itself being cited for a violation of just about every CIP requirement.

In fact, addressing this sixth problem isn’t just another “checklist item” that must be addressed in a different framework for CEI cybersecurity standards; it will literally have to be baked into the foundation of those standards. The standards will need to address both cloud and physical systems at their core, and it can’t be simply through an adjunct that will bolt a cloud-based framework onto a physical systems-based framework (as some have suggested as a solution to incorporating cloud-based BCS into CIP).

I hope you’ll join me for this. The signup link is here.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for your organization, has received a great response, and remains open to NERC entities and vendors of hardware or software components of BES Cyber Systems. To discuss this, you can email me at the same address.