If you haven’t read the excellent SANS/E-ISAC analysis of the Ukraine attack, I recommend you do so. They do a great job of drawing out the appropriate cyber security lessons learned. I can’t add to what they say regarding cyber practices, but I do see two lessons that can be learned regarding cyber regulation for the grid, beyond what I pointed out in this recent post.

Distribution

As I think most people know now, the substations that were attacked in the Ukraine were distribution substations, not transmission. They would therefore not have been subject to CIP. NERC and FERC don’t have any authority over distribution assets; the state Public Utility Commissions do. In fact, even though a few of the states have taken initial steps (including this recent order by the New Jersey BPU) toward cyber regulations for utilities that operate in their state, there is certainly no current national cyber regulation of distribution assets. But the question arises: Should there be such regulation?[i]
I must admit my initial reaction on learning that the Ukraine substations were distribution ones was to assert – rather breathlessly – that distribution substations pose a point of attack for the entire grid (i.e. both transmission and distribution), the implication being that they need to be regulated in something like the same way that CIP regulates transmission.

However, a NERC professional for whom I have a lot of respect organized a call with one of her colleagues to discuss my implication that distribution poses a “soft underbelly” to the transmission grid (also known as the BES). These two people made two important points:
- There is no significant cyber integration between distribution and transmission substations, either within a particular utility or, certainly, on a regional or nationwide basis. I already knew this, since I realized that most substations still have no data communications other than serial, and that is only with their immediate control center. Distribution substations are even more likely to be purely serially connected than transmission ones. Some parties have pushed the idea that there is a huge flat routable network – or even the public Internet itself – that connects a large portion of US grid assets; this is the stuff of fantasy.
- Even more importantly, there is no purely electrical means by which a disturbance on the distribution grid would automatically propagate to the transmission grid; this is what I didn’t understand previously. My friends pointed out that outages happen all the time, for lots of reasons. Utilities live and die according to how quickly they can restore power after outages. But a distribution outage is not the same as a cascading transmission outage, since it doesn’t automatically propagate to other areas.[ii]
So my main takeaway from when my friends staged this “intervention” (my word, not theirs) is that the Ukraine attack, even though it did cause widespread temporary outages (restored within a few hours), is qualitatively as well as quantitatively different from the attack everyone fears in North America: an attack on the Bulk Electric System that causes a cascading outage, leading to a blackout of a large area for an extended period of time. And the former won’t ever lead to the latter.

On the other hand, neither I nor my friends believe that there shouldn’t be any cyber regulation of the distribution grid. After all, even the few hours that some 800,000 people in the Ukraine were blacked out had to be tremendously expensive, for the people and for the economy. But it is important to understand that the reason for doing this is different from the reason for regulating BES security.
The Enterprise

As you are well aware, NERC CIP – like other NERC standards – is completely asset-focused. While its purpose is to protect the BES as a whole, it does this entirely through protecting the most important assets that comprise the BES, especially generating stations, transmission substations, and control centers. This is demonstrated by the fact that CIP v5 only applies to cyber assets located at one of the six asset types listed in CIP-002-5.1 R1, and that there are no protections that apply to the IT network, which is usually as big as or bigger than the OT network.

For the non-CIP NERC standards, this asset focus isn’t a problem, because it doesn’t leave out very much (if anything at all) that’s important. After all, those standards are all about what happens on the grid; other areas of the company such as Accounting have no impact at all on things like grid stability and resiliency.

This mindset has clearly been applied to NERC CIP as well. That is, the only things that matter currently in CIP are OT cyber assets. I think almost everyone involved with CIP will tell you proudly that the IT network is simply out of scope, and CIP can’t be expected to apply to that. I would have told you the same thing if you’d asked me this question last year.
But should the IT network be out of scope? Look at the Ukraine attack: It all started with well-crafted phishing emails that were opened by people who only had access to the IT network. Their systems were infected with malware, and the attackers used them as a stepping stone to the systems they were really aiming at: the workstations of engineers with OT network access. The attackers weren’t concerned about preserving the IT/OT boundary, so they attacked IT systems first because they knew they had a much better chance of succeeding than if they spent months or years trying to directly access the substation relays, which were the ultimate target.

This is why I believe that IT networks of NERC entities should be in scope for NERC CIP – but not for the prescriptive CIP we all know and (some of us) love. You may have begun to notice that in just about every post nowadays I’m beating the drum of moving CIP to a risk-based format, something like CIP-014: the entity gets an assessment of their risks and vulnerabilities, they develop a plan to address those vulnerabilities on a risk-prioritized basis, and they execute the plan. Were this to be the framework for CIP, I would absolutely argue that the assessment should include all cyber threats and vulnerabilities faced by the entity, not just those that are found only in OT assets. And the prioritization of the elements of the cyber security plan should be based on risks to the entire enterprise, not just those faced strictly by the OT network. As Ukraine showed, the enterprise needs to be protected as a whole. If IT is compromised, OT will inevitably follow.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.
[i] It is important to keep this question separate from the question of whether distribution assets are vulnerable to cyber attack. I am sure utilities are currently providing appropriate cyber protection to most of their distribution substations. But the idea of mandatory national standards is that they would ensure a certain minimum level of protection is achieved for all distribution assets, just as CIP is there to ensure a (higher) minimum level of protection for BES assets. Just to give you an idea of the numbers involved, I know one utility has about 60 Medium impact substations, but they have 1,100 substations that are Low impact transmission substations or purely distribution ones. I don’t know the exact breakdown, but I’m sure a big majority of those are purely distribution.

[ii] I believe that the only mechanism by which a large loss of load could impact the transmission grid would be through the fact that a lot of generation would trip out as a result. But I don’t believe this in itself would then lead to a cascading outage. There could conceivably be a way in which a cyber attack, combined with this large load loss, would lead to a widespread transmission outage, but for the moment I’m only discussing purely electrical events. I know of no real dispute that there needs to be cyber protection for the distribution grid, to protect both against an attack causing loss of load and against the remote possibility of a combined cyber/physical attack – which could conceivably lead to a cascading outage on the BES.