Tuesday, August 4, 2020

Guidance for vendors in NERC CIP environments Part II


If you're looking for my pandemic posts, go here.

In the first part of this post, I discussed the new NERC CIP recommendations for vendors to the power industry, written by Tim Conway of SANS. I said I thought the document was good as far as it goes, but it completely ignores CIP-013-1 R1.1 and just focuses on R1.2. I pointed out a way that vendors who are smart about R1.1 can actually turn that knowledge to their advantage. Doing this will help a vendor avoid a problem that other vendors are going to face: being hit with questionnaires that ask questions that are close to irrelevant for Bulk Electric System (BES) purposes, and that waste the time of both the vendors answering them and the utilities that asked them in the first place.

R1.1 simply tells the NERC entity to “identify and assess” supply chain cybersecurity risks to the BES. It provides little to no guidance on where the entity should look for these risks. In Part I, I described briefly how I have identified these risks, working with my electric utility clients.

Now I would like to focus on a few risks that are quite real for vendors to the power industry. In fact, large numbers of vendors have been reported – by DHS and the Wall Street Journal respectively – to have already been penetrated by the Russians, who are trying to use them as stepping stones into electric utilities (it seems the Russians have succeeded in penetrating utilities in at least some of these cases, but there has never been any further investigation of these stories).  

The first two risks have to do with penetration of a vendor’s own remote access systems (i.e. the systems that let the vendor’s own employees and contractors reach the vendor’s network remotely, not the systems used for remote access to utility networks). As I discussed in more detail in this recent post, a set of four DHS presentations in late August 2018 stated that at least 200 entities had been penetrated in an extensive Russian campaign that compromised vendors through their remote access systems and then used those footholds to reach the vendors’ utility customers; you can read Rebecca Smith’s WSJ report on the first presentation, which set off a firestorm in the press worldwide.

Since DHS denied within days that any utilities had been penetrated (while still allowing the original presentation to be given two more times the next week, oddly enough), the 200 penetrated entities can only have been vendors; in other words, at least 200 vendors have had their remote access systems penetrated by the Russians. And since the Russians demonstrated in Ukraine and elsewhere that they are quite adept at gaining a foothold in an organization’s network and lying low for months, they might try at any time to launch an attack on utilities from those footholds, if they haven’t done so already.

Here are the two main risks that I see leading to or arising from this situation:

1. The risk that a vendor doesn’t have proper controls on its own remote access system, especially multi-factor authentication (MFA). The DHS presentation made clear that many vendors didn’t have MFA.
2. The risk that the workstation(s) a vendor uses for Interactive Remote Access or system-to-system access to a utility’s systems share a network with other systems at the vendor’s site, so that if those other systems are compromised, the remote access workstations will likely be discovered and compromised as well.

These are two risks that IMO a NERC entity should identify as part of their CIP-013 R1.1 risk identification process. The entity should assess these risks by asking their vendors these two questions in their questionnaires:

1. Do you require multi-factor authentication for remote access to your network(s)?
2. Are the workstations you use for Interactive Remote Access or system-to-system remote access to utility systems on a separate network from your other networks? Does accessing those workstations require separate authentication from access to your other networks?

As I pointed out in my last post, a vendor to the power industry should consider developing its own questionnaire, including these two questions, and answering the questions proactively. It can then submit the completed questionnaire to its electric utility customers as a way of pre-empting what could conceivably be a questionnaire with hundreds of questions, many of which address risks that don’t apply in an OT environment like the BES.

A third risk has to do with phishing. In January 2019, Rebecca Smith and Rob Barry of the WSJ published an article providing extensive detail on Russian phishing attacks on power industry vendors; the article said that at least four utilities had been penetrated in those attacks.[i] The attackers then reused the vehicle that had got them into the vendor to get into its utility customers: they sent phishing emails to those customers, and because the emails came directly from the email accounts of vendor employees, they arrived from senders the utilities already knew and trusted.

The main risk indicated by this article is that the vendor doesn’t have a good anti-phishing program in place, i.e. one that includes regular training for employees on recognizing phishing emails, along with periodic use of test emails to identify employees who need more training. The question that corresponds to this risk is “Do you have in place an anti-phishing program that includes regular training for employees on recognizing phishing emails, along with periodic use of test emails to identify employees who need more training?” Note that because the phishing emails in these attacks were sent from the compromised accounts of vendor employees, the multi-factor authentication question above is relevant to this risk as well: MFA on email access means a stolen password alone is not enough to send mail from an employee’s account.

Again, a vendor wishing to be proactive could answer this question and let their utility customers see their response. Of course, if the real answer to this question is “No, we don’t have this program in place now”, that is an excellent cue that the vendor needs to put one in place, so that they can truthfully answer the question affirmatively (this applies to all other questions on the questionnaire as well – the questionnaire really becomes a self-assessment for the vendor).


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

Are you hot at work – or should be – on getting ready for CIP-013-1 compliance on October 1? Here is my summary of what you need to do between now and then.


[i] The article itself is behind a paywall. You can read my post about it here. If you’re a subscriber to the WSJ or you want to sign up for a free trial, you can read the article here.
