Yesterday, someone asked me whether I knew of any electric utilities that had been impacted – especially on the OT side of the house – by the bungled CrowdStrike update two weeks ago. I hadn’t heard of any, of course, but I wondered whether compliance with the NERC CIP standards would have protected the NERC entities that are subject to them. Of course, the reason the update caused so much damage was that it was intended to be installed by default.
I immediately thought of CIP-005 R2, which prohibits Interactive Remote Access (IRA) into an Electronic Security Perimeter (ESP) that doesn’t come through an Intermediate System (“jump host”). That would prevent a remote technician from accessing a system in the ESP without authorization by the NERC entity, but it doesn’t prevent “machine-to-machine” remote access, since that is specifically excluded from the IRA definition. So, I answered no: even though no electric utilities were impacted on the OT side (as far as I know), that can’t be credited to NERC CIP.
However, I later ran this same question by Kevin Perry, former Chief CIP Auditor for SPP Regional Entity (now retired). He pointed out something I hadn’t even considered: that CIP-007 Requirement R3 Part R3.3 requires NERC entities with high and/or medium impact BES Cyber Systems to “For those methods identified in Part 3.1 that use signatures or patterns, have a process for the update of the signatures or patterns. The process must address testing and installing the signatures or patterns.”
Part 3.1 reads, “Deploy method(s) to deter, detect, or prevent malicious code.” CrowdStrike’s Falcon Sensor software, whose update caused the outages, certainly meets that definition. This means that NERC entities were required to test the update before installing it. Of course, I doubt any of them was even able to test the update (or had received it) before they heard the news and discarded the update. But the mere fact that electric utilities (and hopefully most operators of critical infrastructure) didn’t allow automatic updates was what saved them on that day.
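The “test, then install” process that Part 3.3 calls for can be enforced mechanically rather than left to habit. The following is an added example, not code from this blog post, from NERC, or from any antimalware vendor: a small staged-rollout gate in which a signature update is first installed on a test ring, a health check runs on each test host, and only an update that leaves every test host healthy may be installed on the production ring. A rejected update is rolled back on the test hosts and recorded in an audit log, which is the kind of evidence an auditor would ask for. All host names, ring names, version strings and the simulated health check are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed for the demo: versions that would crash a host on install.
# In a real deployment the health check would probe the host (heartbeat,
# service state, boot success), not consult a list.
CONSTRUCTED_CRASHING_VERSIONS = {"sig-0043"}


@dataclass(frozen=True)
class SignatureUpdate:
    """A signature/pattern update as delivered by the antimalware vendor."""
    vendor: str
    version: str


@dataclass
class Host:
    name: str
    ring: str                     # "test" or "production" (constructed ring names)
    installed: str = "baseline"   # version currently running on the host


@dataclass
class Decision:
    approved: bool
    reason: str
    test_results: Dict[str, bool] = field(default_factory=dict)


HealthCheck = Callable[[Host], bool]


def simulated_health_check(host: Host) -> bool:
    """Stand-in for a real post-install probe of the host (constructed)."""
    return host.installed not in CONSTRUCTED_CRASHING_VERSIONS


class UpdateGate:
    """Enforces: install on the test ring, verify, then (and only then) install on production."""

    def __init__(self, hosts: List[Host], health_check: HealthCheck, min_test_hosts: int = 2):
        self.hosts = hosts
        self.health_check = health_check
        self.min_test_hosts = min_test_hosts
        self.audit_log: List[str] = []   # evidence that the process was followed

    def _ring(self, ring: str) -> List[Host]:
        return [h for h in self.hosts if h.ring == ring]

    def test(self, update: SignatureUpdate) -> Decision:
        """Install the update on every test host and check each one; never touches production."""
        test_hosts = self._ring("test")
        if len(test_hosts) < self.min_test_hosts:
            decision = Decision(False, f"only {len(test_hosts)} test hosts, need {self.min_test_hosts}")
            self.audit_log.append(f"TEST  {update.vendor} {update.version}: {decision.reason}")
            return decision
        results: Dict[str, bool] = {}
        for host in test_hosts:
            previous = host.installed
            host.installed = update.version
            ok = self.health_check(host)
            results[host.name] = ok
            if not ok:
                host.installed = previous   # roll the failed test host back
        failed = sorted(name for name, ok in results.items() if not ok)
        if failed:
            decision = Decision(False, f"health check failed on {', '.join(failed)}", results)
        else:
            decision = Decision(True, f"healthy on all {len(results)} test hosts", results)
        self.audit_log.append(f"TEST  {update.vendor} {update.version}: {decision.reason}")
        return decision

    def install(self, update: SignatureUpdate, decision: Decision) -> int:
        """Install on the production ring only with an approved decision; returns hosts updated."""
        if not decision.approved:
            self.audit_log.append(f"HOLD  {update.vendor} {update.version}: {decision.reason}")
            return 0
        prod_hosts = self._ring("production")
        for host in prod_hosts:
            host.installed = update.version
        self.audit_log.append(f"INSTALL {update.vendor} {update.version}: {len(prod_hosts)} production hosts")
        return len(prod_hosts)


def build_demo_gate() -> UpdateGate:
    """Two constructed test hosts and two constructed production hosts."""
    hosts = [Host("test-01", "test"), Host("test-02", "test"),
             Host("ems-01", "production"), Host("ems-02", "production")]
    return UpdateGate(hosts, simulated_health_check)


if __name__ == "__main__":
    gate = build_demo_gate()
    for version in ("sig-0043", "sig-0044"):
        update = SignatureUpdate("ExampleAV", version)   # constructed vendor name
        gate.install(update, gate.test(update))
    print("\n".join(gate.audit_log))
    print({h.name: h.installed for h in gate.hosts})
```

Whether a bad update is held or installed is decided by what the production ring actually saw, not by the vendor’s assurances: the `install` method refuses anything without an approved `Decision`, so an update that is pushed straight at production has no path through the gate. A real health check would wait out a soak period and watch for hangs and reboots rather than return immediately.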
Of course, even a big outage in an electric utility’s Control Center would probably not have caused anybody’s lights to go out, since Control Centers always have fully redundant backups and the utility is required (by one of the NERC Operations and Planning standards, not the NERC CIP standards) to practice failovers annually. But this shows you that NERC CIP has so far achieved its purpose of protecting the power grid against cyberattacks, since there still hasn’t been a power outage in North America that was caused by a cyberattack (meaning that squirrels and chipmunks retain their gold medals for causing the most outages. Way to go, Alvin!).
Are you a vendor of current or future cloud-based services or software that would like to figure out an appropriate strategy for selling to customers subject to NERC CIP compliance? Or are you a NERC entity that is struggling to understand what your current options are regarding cloud-based software and services? Please drop me an email so we can set up a time to discuss this!
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.