Friday, August 2, 2024

Did NERC CIP compliance protect utilities from the CrowdStrike update?

Yesterday, someone asked me whether I knew any electric utilities that had been impacted, especially on the OT side of the house, by the bungled CrowdStrike update two weeks ago. I hadn’t heard of any, of course, but I wondered whether compliance with the NERC CIP standards would have protected the NERC entities that are subject to them. Of course, the reason the update caused so much damage was that it was intended to be installed by default.

I immediately thought of CIP-005 R2, which prohibits Interactive Remote Access (IRA) into an Electronic Security Perimeter (ESP) that doesn’t come through an Intermediate System (“jump host”). That would prevent a remote technician from accessing a system in the ESP without authorization by the NERC entity, but it doesn’t prevent “machine-to-machine” remote access, since that is specifically excluded from the IRA definition. So, I answered no: Even though no electric utilities were impacted on the OT side (as far as I know), that can’t be credited to NERC CIP.

However, I later ran this same question by Kevin Perry, former Chief CIP Auditor for SPP Regional Entity (now retired). He pointed out something I hadn’t even considered: that CIP-007 Requirement R3 Part R3.3 requires NERC entities with high and/or medium impact BES Cyber Systems to “For those methods identified in Part 3.1 that use signatures or patterns, have a process for the update of the signatures or patterns. The process must address testing and installing the signatures or patterns.”

Part 3.1 reads, “Deploy method(s) to deter, detect, or prevent malicious code.” CrowdStrike’s Falcon Sensor software, whose update caused the outages, certainly meets that definition. This means that NERC entities were required to test the update before installing it. Of course, I doubt any of them was even able to test the update (or had even received it) before they heard the news and discarded it. But the mere fact that electric utilities (and hopefully most operators of critical infrastructure) didn’t allow automatic updates was what saved them on that day.

Of course, even a big outage in an electric utility’s Control Center would probably not have caused anybody’s lights to go out, since Control Centers always have fully redundant backups and the utility is required (by one of the NERC Operations and Planning standards, not the NERC CIP standards) to practice failovers annually. But this shows you that NERC CIP has so far achieved its purpose of protecting the power grid against cyberattacks, since there still hasn’t been a power outage in North America that was caused by a cyberattack (meaning that squirrels and chipmunks retain their gold medals for causing the most outages. Way to go, Alvin!).

Are you a vendor of current or future cloud-based services or software that would like to figure out an appropriate strategy for selling to customers subject to NERC CIP compliance? Or are you a NERC entity that is struggling to understand what your current options are regarding cloud-based software and services? Please drop me an email so we can set up a time to discuss this!

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
