Kevin Perry,
retired Chief CIP Auditor of the SPP Regional Entity, sent me today a link to
this article
about a breach at Airbus in which a lot of technical data was exfiltrated,
presumably to China. By the way, I love this wonderful formula for success:
stealing your way to technical competence. I don’t know why I didn’t think of
that earlier in life, when it might have done me some good.
Of course,
this breach came through the supply chain, in fact through multiple vendors.
The attackers were able to penetrate the suppliers’ networks (evidently not too
hard to do), and were able to get remote access to VPNs connecting the
suppliers to Airbus (of course, it’s highly unlikely the VPNs were also
protected with multi-factor authentication).
And in case
you might be inclined to dismiss this attack as not too relevant to critical
infrastructure - since of course it was data, not operations, that was
affected - I want to point you to the last paragraph of the article, which
noted that a debilitating malware outbreak at a key supplier this year had an
impact on Airbus’ production (this is one downside of just-in-time procurement,
of course).
Whenever a
NERC entity (or really any organization) hears about an attack on another
company, the question to ask is: What is the threat that’s the basis of this
attack, and how can we mitigate it ourselves? This question applies especially
to CIP-013 entities, since R1.1 requires you to “identify and assess” supply
chain security risks (although I prefer “threats”, following NIST 800-30) to
the BES. Here’s one you should identify!
The threat
is that a supplier’s network will be penetrated by a malicious third party (or
by a rogue insider), and they will be able to gain access to your network through
vendor communications channels to your environment. Moreover, it doesn’t matter
that much whether it’s your IT or your OT network that’s penetrated. If your IT
network is owned by someone like the Chinese, they will ultimately figure out a
way to get into the OT network - as in the first Ukraine attack, when the
Russians were in the Ukrainian utilities’ IT networks for many months before
they discovered that the HMIs for the substations were placed on the IT network.
This was of course a gift to the Russians due to poor security practices by the
utilities, but if a nation-state attacker is in your IT network long enough,
they will very probably find a way into your OT network.
Of course,
this is the second case in two posts
where there’s a threat to utilities (or any organization) that results from
penetration of a supplier’s network by the bad guys. In my last post, the
threat was that the bad guys will penetrate the development or manufacturing
environment of a supplier and substitute a hardware or software component that
contains malware. This time, it’s that they’ll utilize the supplier’s access to
your network to penetrate your ESP and cause havoc.
In my
opinion, NERC entities should strongly consider mitigating threats that result
from penetration of suppliers’ (and vendors’)
networks as part of their CIP-013 plans. These aren’t idle threats, of course.
Keep in mind that last summer DHS raised
the alarm in a webinar that at least 200 suppliers to the power industry had
been penetrated by the Russians, and that the attackers had success in
penetrating power industry players that way (although that part was walked back by
DHS two days later. But that walkback was contradicted
by statements that had been made in a second DHS webinar that very morning. Moreover,
DHS walked back the first walkback a week later - at a briefing in front of
Mike Pence, Rick Perry and Kirstjen Nielsen, at the time Secretary of DHS - with
a new story that was incompatible with the previous ones. I heard a third
walkback at a meeting in McLean, VA last September. And to top it off, when I
questioned a DHS official during a meeting at the RSA Conference this March, he
started stammering out a bunch of strange excuses for this and for not
investigating the Worldwide
Threat Assessment. I haven’t had time to discuss this odd evening yet, but a
reporter from Dark Reading did write
about it, without knowing my name. Does it seem there might be something
strange going on at DHS?).
And don’t
forget the Wall Street Journal article
from January, which detailed how the Russians are using phishing emails to
penetrate supplier networks, and through them utilities. So it’s very important
to take steps to make sure your suppliers are themselves following good
security practices. How do you do this? There are lots of ways. Contract
language is one, but hardly the only one. RFP terms and questions are another.
I think
vendor questionnaires are an excellent tool, since they not only provide you
with information on what your supplier is doing, but they let the supplier know
what steps you think they should be taking. And having annual “security reviews”
with important suppliers allows you and the supplier to freely exchange
information about your security practices, as well as your mutual security
objectives. The best thing about these is they shift the discussion from an
adversarial one to a partnership, where you’re working with them to secure both
of your environments.
Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I
would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that
if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or
challenges like what is discussed in this post – especially on compliance with
CIP-013. My offer of a free
webinar on CIP-013, specifically for your organization, has received a great
response, and remains open to NERC entities and vendors of hardware or software
components of BES Cyber Systems. To discuss this, you can email me at the same
address.