In
conjunction with one of my colleagues at Deloitte, I have been thinking about
what will be required for the new supply chain security
standard.
One of the first questions that came up was what assets and cyber assets will
be in scope for it.
Up until
now, there has been an (almost) invisible wall guarding the NERC CIP standards:
The standards just apply to devices and systems that contribute to the NERC
entity’s control of Bulk Electric System assets (these are now commonly
referred to as OT assets, although that term has only come into widespread use
in the last couple of years). These devices were called Critical Cyber Assets in
CIP v1-v4 and BES Cyber Systems in CIP v5 and v6.
On the other
side of that wall are the IT assets, which are not at all in scope for CIP.
These are all the systems – financial, personnel, etc. – whose purpose is
simply running the business of the entity, not directly impacting the BES. Even
IT systems that are used to remotely access OT systems – HMIs, etc. – are not
directly subject to CIP requirements, since the remote access controls in
CIP-005-5.1 R2 only apply to the Intermediate Systems that allow these IT
systems (and others) to access OT devices. But the actual devices used for
remote access are completely out of scope for CIP, whether located in the
corporate offices next to the control center or in Uzbekistan.
Of course,
all of the CIP v5 and v6 standards now in effect only apply to BES Cyber
Systems (and related devices like Protected Cyber Assets, EACMS, etc.). But what
about the new supply chain security standard that FERC just
ordered?
Does that just apply to BCS as well?
Strictly
speaking, there is no way the new standard could apply to BES Cyber Systems. A
BCS is a device that is already purchased and in place; only then can it (more
correctly, its components) meet the definition of BES Cyber Asset. By
definition, the supply chain refers to what happens to devices before they even
reach the NERC entity; so strictly speaking, the standard can’t apply to BCS.
However, I don’t think this is a huge issue. Maybe the drafting team for the
new standard can invent a term like “Intended BCS” for devices that are still
in the supply chain, but are intended to be implemented as BCS.
The bigger
question is, will the standard have to apply to more than just “Intended BCS”?
In particular, is it possible that the new cyber security standard will in some
way have to apply to IT, as well as OT, systems? I ask this mainly because the
Ukraine attack was primarily facilitated through the IT network. It began with
a phishing attack that compromised certain IT systems, and spread until the
entire IT network was compromised. Once the HMIs that the engineers used to
monitor and control the relays in the substations were compromised, it was an
easy step to use those to attack the relays themselves. So – with no reference
to the current Presidential campaign – just building a “wall” between IT and OT
will ultimately fail to keep out a group that is determined to get through it.
Now, I am
certainly not recommending that the supply chain standard should apply equally
to IT and OT! However, whether it does or doesn’t isn’t my call, but FERC’s. So
what did FERC say in Order 829 that can shed light on what they’re looking for?
Do they want the scope of the new standard to be limited to BCS and “Intended
BCS”, or do they want it expanded to at least some IT assets?
I reread the
Order with this question in mind. When I reached paragraph 24 (page 16), I saw
“With regard to concerns that the NOPR’s use of the term ‘industrial control
system’ signals the Commission’s intent to address issues beyond the CIP
Reliability Standards or cybersecurity controls, we clarify that our directive
is only intended to address the protection of hardware, software, and computing
and networking services associated with bulk electric system operations from
supply chain-related cybersecurity threats and vulnerabilities.” This seems to
be fairly clear: only systems associated with BES operations are in scope.
These will be BES Cyber Systems and other systems already in scope for CIP.
I continued
through the document and came to the meat of FERC’s argument, where they
discuss the four objectives they want the new standard to meet. In the
discussions of three of the objectives, BES Cyber Systems are explicitly mentioned;
clearly FERC had OT in mind for these objectives. But when I came to the title
of the third section (paragraph 56, page 40), I noticed something different. The
title reads “Information Systems Planning and Procurement”. In this section,
the focus is on “Information Systems”. In fact, there is no mention of BCS at
all in this section.
Was FERC
just sloppy in their language? Did they really mean BCS when they said
Information Systems? I don’t think so. BCS, and OT assets in general, are control systems, not information
systems. Control systems may contain information, but if so that is incidental
to their real purpose. I am especially convinced that FERC meant what they said
by the fact that they illustrated their point (paragraph 57) by pointing to
Black Energy, the malware that enabled the attackers in the Ukraine to take
control of the IT network. Black Energy did all of its damage on the IT
network. As far as I know, it was never spread to the OT networks. Of course,
it enabled the attack by allowing the remote attackers to take complete control
of an HMI that had direct access into the OT network. But Black Energy didn’t
actually spread to the substations, as far as I know.
In
discussing Black Energy, FERC points (in paragraph 57) to four steps that utilities
should take to reduce the risk of propagation of the malware.[i] They don’t
say anything about those steps only needing to be taken on the OT network.
Obviously, had these steps been followed just on the OT network by the
utilities attacked in the Ukraine, it wouldn’t have prevented the attack; they
also needed to be followed on the IT network. In fact, since all four of the
recommendations are already mandated for the OT network by the existing CIP
standards, there would be no reason to repeat that mandate in the new supply
chain standard. Therefore, FERC must have had the IT network in mind when they
made those recommendations.
I am not
going to say definitely that FERC wants the new supply chain standard (or at
least the requirements that implement the third objective) to apply to IT
systems as well as OT. But I do say that the SDT will have to figure out FERC’s
intentions on this.
The Bigger Question
The bigger
question is whether the CIP standards in general should address IT as well as
OT assets. Would you like my opinion on this question? I didn’t think so, but I’ll
give it to you anyway:
- I think it is a delusion to believe that operational
assets can be secured solely by protecting OT networks. As I have just
pointed out, the IT networks of the utilities in the Ukraine that were
hacked were compromised long before the full attack. In fact, it seems the
attackers had full run of those networks for many months. That is why they
were able to find and compromise the HMIs that had access to the substation
relays. It is true that the specific attack last December could have been
prevented with two-factor authentication (and probably a jump host) for
remote access to the relays. But with the IT networks so thoroughly
compromised, it would have been only a matter of time before the attackers
figured out another way to get to the relays (here’s one: Certain
engineers receive a well-crafted email from their bosses’ accounts, saying
that at such a time on this day, certain circuit breakers should be
opened).
- However, I definitely do not advocate that the current
prescriptive CIP framework should be extended to IT assets! Rather, I am
now advocating
that the CIP standards be written in what I call a threat-based approach
(which others call risk-based). Essentially, that approach starts with the
premise that no entity has an unlimited amount of funds to spend on cyber
security. They need to assess all of the threats they face, and develop a
plan that prioritizes action on the most important threats. These threats
may be to OT assets or to IT assets; the question is simply how much of a danger
each threat poses to the reliable operation of the BES.[ii]
In other words, the risk of malware propagating to OT systems (through say
improper use of USB sticks) will be compared with the risk of IT network
users clicking on phishing emails (which, of course, is how the Ukraine
attacks started). If these are both considered important threats, the
entity will be required to address them both. If one or the other is considered less
important, it will be pushed down the list and may or may not get addressed
(at least not as thoroughly as a threat that is near the top of the list).
- I think it is close to certain that the new supply chain
standard will not be a prescriptive one. It would be a nightmare if a
utility had to take specific measures (and document them, of course!) for
each of its suppliers and systems purchased, which could obviously number
in the hundreds or thousands. FERC makes it quite clear in the Order that
they don’t want this.
- But does this mean I advocate including IT assets in the
new standard? If there were time to think of a proper framework for doing
that, I would. But this is a big task. If IT assets are now in scope, the
BES Cyber System concept will need to be modified or thrown out. If NERC
had a couple years to develop this standard (as they asked for in their
comments to the NOPR last year), I would say it would be good to do this
(the expanded asset identification framework could then form the basis for
all of the CIP standards, when they are rewritten as non-prescriptive
ones). But as I pointed out in my post after the Order (referenced at the
beginning of this post), FERC is effectively giving NERC only 4-6 months
to develop the new standards; having to invent a new, more inclusive,
framework for asset identification might itself take that much time. So I
don’t advocate that the new SDT take on this particular task; and for that
reason, I don’t advocate that the new standard include IT assets.
However, my
preferences don’t matter. FERC may be saying that at least some IT assets need
to be included in the scope of the new supply chain standard. It will be up to
the new SDT to decide whether this is actually what FERC is asking for. Then
they’ll have to figure out how to do it.
The views and opinions expressed here are my own and don’t
necessarily represent the views or opinions of Deloitte Advisory.
[i] These recommendations were from the ICS-CERT.
[ii] So threats to the normal functions of “purely IT” systems like HR or customer
service will not be considered; while they might have a significant impact on
the utility financially, they will not impact the BES. However, if a machine in
say HR could be compromised with malware like Black Energy, which could then easily
spread to machines that do have an operational impact, that would be considered
a threat to the BES.