In the first part of this post, I discussed the new NERC CIP recommendations for vendors to the power industry, written by Tim Conway of SANS. I said I thought the document was good as far as it goes, but it completely ignores CIP-013-1 R1.1 and just focuses on R1.2. I pointed out a way that vendors who are smart about R1.1 can actually turn that knowledge to their advantage. Doing this will help a vendor avoid a problem that other vendors are going to face: being hit with questionnaires that ask some questions that are close to irrelevant for Bulk Electric System purposes, and that will waste the time of both the vendors and the utilities that ask them in the first place.
R1.1 simply tells the NERC entity to “identify and assess” supply chain cybersecurity risks to the BES. It provides little to no guidance on where the entity should look for these risks. In Part I, I described briefly how I have identified these risks, working with my electric utility clients.
Now I would like to focus on a few risks that are quite real for vendors to the power industry. In fact, large numbers of vendors have been reported – by DHS and the Wall Street Journal respectively – to have already been penetrated by the Russians, who are trying to use them as stepping stones into electric utilities (it seems the Russians have succeeded in penetrating utilities in at least some of these cases, but there has never been any further investigation of these stories).
The first two risks have to do with penetration of a vendor’s own remote access systems (i.e. the systems used to give the vendor’s own employees and contractors remote access to the vendor’s network, not remote access to utility networks). As I discussed in more detail in this recent post, a set of four DHS presentations in late August 2018 stated that at least 200 entities had been penetrated in an extensive Russian campaign that targeted vendors through their remote access systems and then used those vendors as a path into their utility customers; you can read Rebecca Smith’s WSJ report on the first presentation, which set off a firestorm in the press worldwide.
Since DHS denied within days that any utilities had been penetrated (while still allowing the original presentation to be given two more times the next week, oddly enough), this means that at least 200 vendors have had their remote access systems penetrated by the Russians. Since the Russians demonstrated in the Ukraine and elsewhere that they’re quite adept at gaining a foothold in an organization’s network and lying low for months, this means they might try at any time to launch an attack on utilities, if they haven’t done so already.
Here are the two main risks that I see leading to or arising from this situation:

1. The risk that a vendor doesn’t have proper controls on its own remote access system, especially multi-factor authentication. The DHS presentation made clear that many vendors didn’t have MFA.

2. The risk that the workstation(s) a vendor uses for Interactive Remote Access or system-to-system access to a utility’s systems are networked with other systems at the vendor’s site, leading to the likelihood that they will be discovered and penetrated if other systems are.
These are two risks that IMO a NERC entity should identify as part of their CIP-013 R1.1 risk identification process. The entity should assess these risks by asking their vendors these two questions in their questionnaires:

1. Do you require multi-factor authentication for remote access to your network(s)?

2. Are any workstations used for Interactive Remote Access or system-to-system remote access on a separate network from your other networks? Does accessing these systems require separate authentication from access to your other networks?
As I pointed out in my last post, a vendor to the power industry should consider developing their own questionnaire, including these two questions, and answering the questions proactively. Then submit it to their electric utility customers as a way of pre-empting what could conceivably be a questionnaire with hundreds of questions, many of which address risks that don’t apply in an OT environment like the BES.
A third risk has to do with phishing. In January 2019, Rebecca Smith and Rob Barry of the WSJ published an article providing extensive detail on Russian phishing attacks on power industry vendors; this article said that at least four utilities had been penetrated in those attacks.[i] The attackers again used the same vehicle they’d used to penetrate the vendor, in order to penetrate their utility customers: they sent phishing emails to those customers, which of course came directly from the email accounts of vendor employees.
The main risk indicated by this article is that the vendor doesn’t have a good anti-phishing program in place, which includes regular training for employees on recognizing phishing emails, along with periodic use of test emails to identify employees who need more training. A question that corresponds to this risk is “Do you have in place an anti-phishing program that includes regular training for employees on recognizing phishing emails, along with periodic use of test emails to identify employees who need more training?”
Again, a vendor wishing to be proactive could answer this question and let their utility customers see their response. Of course, if the real answer to this question is “No, we don’t have this program in place now”, that is an excellent cue that the vendor needs to put one in place, so that they can truthfully answer the question affirmatively (this applies to all other questions on the questionnaire as well – the questionnaire really becomes a self-assessment for the vendor).
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

Are you hot at work – or should be – on getting ready for CIP-013-1 compliance on October 1? Here is my summary of what you need to do between now and then.