A Breach in the Wall?

In conjunction with one of my colleagues at Deloitte, I have been thinking about what will be required for the new supply chain security standard. One of the first questions that came up was what assets and cyber assets will be in scope for it.

Up until now, there has been an (almost) invisible wall guarding the NERC CIP standards: The standards just apply to devices and systems that contribute to the NERC entity’s control of Bulk Electric System assets (these are now commonly referred to as OT assets, although that term has only come into widespread use in the last couple of years). These devices were called Critical Cyber Assets in CIP v1-v4 and BES Cyber Systems in CIP v5 and v6.

On the other side of that wall are the IT assets, which are not at all in scope for CIP. These are all the systems – financial, personnel, etc. – whose purpose is simply running the business of the entity, not directly impacting the BES. Even IT systems that are used to remotely access OT systems – HMIs, etc. –are not directly subject to CIP requirements, since the remote access controls in CIP-005-5.1 R2 only apply to the Intermediate Systems that allow these IT systems (and others) to access OT devices. But the actual devices used for remote access are completely out of scope for CIP, whether located in the corporate offices next to the control center or in Uzbekistan.

Of course, all of the CIP v5 and v6 standards now in effect only apply to BES Cyber Systems (and related devices like Protected Cyber Assets, EACMS, etc). But what about the new supply chain security standard that FERC just ordered? Does that just apply to BCS as well?

Strictly speaking, there is no way the new standard could apply to BES Cyber Systems. A BCS is a device that is already purchased and in place; only then can it (more correctly, its components) meet the definition of BES Cyber Asset. By definition, the supply chain refers to what happens to devices before they even reach the NERC entity; so strictly speaking, the standard can’t apply to BCS. However, I don’t think this is a huge issue. Maybe the drafting team for the new standard can invent a term like “Intended BCS” for devices that are still in the supply chain, but are intended to be implemented as BCS.

The bigger question is, will the standard have to apply to more than just “Intended BCS”? In particular, is it possible that the new cyber security standard will in some way have to apply to IT, as well as OT, systems? I ask this mainly because the Ukraine attack was primarily facilitated through the IT network. It began with a phishing attack that compromised certain IT systems, and spread until the entire IT network was compromised. Once the HMIs that the engineers used to monitor and control the relays in the substations were compromised, it was an easy step to use those to attack the relays themselves. So – with no reference to the current Presidential campaign – just building a “wall” between IT and OT will ultimately fail to keep out a group that is determined to get through it.

Now, I am certainly not recommending that the supply chain standard should apply equally to IT and OT! However, whether it does or doesn’t isn’t my call, but FERC’s. So what did FERC say in Order 829 that can shed light on what they’re looking for? Do they want the scope of the new standard to be limited to BCS and “Intended BCS”, or do they want it expanded to at least some IT assets?

I reread the Order with this question in mind. When I reached paragraph 24 (page 16), I saw “With regard to concerns that the NOPR’s use of the term ‘industrial control system’ signals the Commission’s intent to address issues beyond the CIP Reliability Standards or cybersecurity controls, we clarify that our directive is only intended to address the protection of hardware, software, and computing and networking services associated with bulk electric system operations from supply chain-related cybersecurity threats and vulnerabilities.” This seems to be fairly clear: only systems associated with BES operations are in scope. These will be BES Cyber Systems and other systems already in scope for CIP.

I continued through the document and came to the meat of FERC’s argument, where they discuss the four objectives they want the new standard to meet. In the discussions of three of the objectives, BES Cyber Systems are explicitly mentioned; clearly FERC had OT in mind for these objectives. But when I came to the title of the third section (paragraph 56, page 40), I noticed something different. The title reads “Information Systems Planning and Procurement”. In this section, the focus is on “Information Systems”. In fact, there is no mention of BCS at all in this section.

Was FERC just sloppy in their language? Did they really mean BCS when they said Information Systems? I don’t think so. BCS, and OT assets in general, are control systems, not information systems. Control systems may contain information, but if so that is incidental to their real purpose. I am especially convinced that FERC meant what they said by the fact that they illustrated their point (paragraph 57) by pointing to Black Energy, the malware that enabled the attackers in the Ukraine to take control of the IT network. Black Energy did all of its damage on the IT network. As far as I know, it was never spread to the OT networks. Of course, it enabled the attack by allowing the remote attackers to take complete control of an HMI that had direct access into the OT network. But Black Energy didn’t actually spread to the substations, as far as I know.

In discussing Black Energy, FERC points (in paragraph 57) to four steps that utilities should take to reduce the risk of propagation of the malware.[i] They don’t say anything about those steps only needing to be taken on the OT network. Obviously, had these steps been followed just on the OT network by the utilities attacked in the Ukraine, it wouldn’t have prevented the attack; they also needed to be followed on the IT network. In fact, since all four of the recommendations are already mandated for the OT network by the existing CIP standards, there would be no reason to repeat that mandate in the new supply chain standard. Therefore, FERC must have had the IT network in mind when they made those recommendations.

I am not going to say definitely that FERC wants the new supply chain standard (or at least the requirements that implement the third objective) to apply to IT systems as well as OT. But I do say that the SDT will have to figure out FERC’s intentions on this.

The Bigger Question

The bigger question is whether the CIP standards in general should address IT as well as OT assets. Would you like my opinion on this question? I didn’t think so, but I’ll give it to you anyway:

1. I think it is a delusion to believe that operational assets can be secured solely by protecting OT networks. As I have just pointed out, the IT networks of the utilities in the Ukraine that were hacked were compromised long before the full attack. In fact, it seems the attackers had full run of those networks for many months. That is why they were able to find and compromise the HMIs that had access to the substation relays. It is true that the specific attack last December could have been prevented with two-factor authentication (and probably a jump host) for remote access to the relays. But with the IT networks so thoroughly compromised, it would have been only a matter of time before the attackers figured out another way to get to the relays (here’s one: Certain engineers receive a well-crafted email from their bosses’ accounts, saying that at such a time on this day, certain circuit breakers should be opened).
2. However, I definitely do not advocate that the current prescriptive CIP framework should be extended to IT assets! Rather, I am now advocating that the CIP standards be written in what I call a threat-based approach (which others call risk-based). Essentially, that approach starts with the premise that no entity has an unlimited amount of funds to spend on cyber security. They need to assess all of the threats they face, and develop a plan that prioritizes action on the most important threats. These threats may be to OT assets or to IT assets; the question is simply how much of a danger each threat poses to the reliable operation of the BES.[ii] In other words, the risk of malware propagating to OT systems (through say improper use of USB sticks) will be compared with the risk of IT network users clicking on phishing emails (which, of course, is how the Ukraine attacks started). If these are both considered important threats, the entity will be required to address them both.  If one or the other is considered less important, it will be pushed down the list and may or may not get addressed (at least not as thoroughly as a threat that is near the top of the list).
3. I think it is close to certain that the new supply chain standard will not be a prescriptive one. It would be a nightmare if a utility had to take specific measures (and document them, of course!) for each of its suppliers and systems purchased, which could obviously number in the hundreds or thousands. FERC makes it quite clear in the Order that they don’t want this.
4. But does this mean I advocate including IT assets in the new standard? If there were time to think of a proper framework for doing that, I would. But this is a big task. If IT assets are now in scope, the BES Cyber System concept will need to be modified or thrown out. If NERC had a couple years to develop this standard (as they asked for in their comments to the NOPR last year), I would say it would be good to do this (the expanded asset identification framework could then form the basis for all of the CIP standards, when they are rewritten as non-prescriptive ones). But as I pointed out in my post after the Order (referenced at the beginning of this post), FERC is effectively giving NERC only 4-6 months to develop the new standards; having to invent a new, more inclusive, framework for asset identification might itself take that much time. So I don’t advocate that the new SDT take on this particular task; and for that reason, I don’t advocate that the new standard include IT assets.

However, my preferences don’t matter. FERC may be saying that at least some IT assets need to be included in the scope of the new supply chain standard. It will be up to the new SDT to decide whether this is actually what FERC is asking for. They they’ll have to figure out how to do it.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.

---

[i] These recommendations were from the ICS-CERT.

[ii] So threats to the normal functions of “purely IT” systems like HR or customer service will not be considered; while they might have a significant impact on the utility financially, they will not impact the BES. However, if a machine in say HR could be compromised with malware like Black Energy, which could then easily spread to machines that do have an operational impact, that would be considered a threat to the BES.