Friday, August 31, 2018

The Sweet Smell of Success



In yesterday’s post, the latest but probably not the last in a series of posts stemming from some (either intentionally or unintentionally) misleading information that DHS recently put out about Russian cyberattacks on the US power grid, I said “…the utilities have done a wonderful job of resisting the concerted Russian attack so far – and perhaps they should all be given the Medal of Freedom for that. After all, after two years of pounding the utilities (and IPPs) from every direction, the most the Russians were able to come up with was a compromise of two wind turbines, with a likely total rated capacity of no more than 3 MW.”

Always having been a numbers guy, I decided to quantify how big the Russian success really was. So I divided 3 MW, the total generation penetrated[i] by the Russians, by 10.2 gigawatts (billion watts), the total 2016 summer generation capacity in the US.[ii] I can ominously announce that the (at least) two-year Russian campaign to penetrate the US power grid has directly compromised a grand total of (drumroll, please) .0000294117647 percent of total US generation capacity! I’ll pause here so you can absorb the magnitude of this disaster, and perhaps start inquiring about immigration visas to New Zealand. Better to get out now, before the rest of the US population realizes the peril they’re in….

OK, if you’re still with me now, you realize that the Russian campaign has so far been a dismal failure by any stretch of the imagination (well, maybe not any stretch of the imagination. There seem to be a few very imaginative people who think otherwise). Instead of talking about the laughably inadequate cyber defenses of US utilities, we should be talking about honoring the utilities for standing like Horatius at the Bridge, guarding their fellow citizens (and legal immigrants, of course) against the oncoming enemy army. This is a great success story.

Of course, I’m certainly not saying that the utilities have found the key to permanent cyber security, and they can now recline on their couches while good-looking Roman citizens feed grapes into their mouths. In particular, the DHS briefings made it very clear that the Russian attacks are continuing and that supply chain is the preferred vector for attacks, at least in the near future. The briefings also made it far from clear – but you could find this if you pull their statements apart very carefully – that the electric power vendor community definitely has weak cyber defenses, underlining the need for even better[iii] supply chain security.


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. And if you’re a security vendor to the power industry, TALLC can help you by developing marketing materials, delivering webinars, etc. To discuss any of this, you can email me at the same address.



[i] Meaning the control systems controlling that generation were accessed, even though the attackers didn’t take any action to shut it down. I get the 3 MW from my assumption that the average wind turbine has a capacity of 1.5 MW. That might be a little low or a little high, but it obviously doesn't change my argument.

[ii] Since our concern here is really the total available power supply, not just that part generated in the US, we should really add imports from Canada. The US imported 72 Terawatt-hours of electricity from Canada, but trying to transform that into a number that could be compared with total US generation would be very hard, and above my pay grade. I’ll just stick with total US generation, since that’s certainly large enough to make my point.

[iii] One thing I noted about the DHS briefing and report: It sounded like the only way that supply chain attacks on utilities and IPPs could bear fruit is through remote access to OT systems. There are lots of other vectors for supply chain attacks: infected patches, watering hole attacks, tampering with products en route to the customer, etc. These all need to be protected against.

Thursday, August 30, 2018

The story that refuses to die



I’ve written five posts on the July Wall Street Journal story that essentially said the Apocalypse was just around the corner in the US, because hundreds of utility control centers have been penetrated by the Russians - where they’re lying in wait for the signal from the Kremlin to put the US in darkness for perhaps years. The story was based on one reporter’s confused understanding of a briefing that DHS (the NCCIC, specifically) gave, regarding a huge multi-year campaign by Russian government-sponsored hackers to penetrate the US grid.

Unfortunately, the reporter’s confusion was aided and abetted by the DHS presenters’ language in the briefing, which was either deliberately misleading or recklessly worded. Since the briefings, there have been a couple of statements by DHS. The first one pointed out that only one small generation facility was actually penetrated; the second statement narrowed that even further, saying that only two wind turbines were penetrated. My unprintable reaction to hearing these two statements was summarized in this post and in the note I appended to it less than a week later. I then wrote a long post attempting to thoroughly debunk the claims, and followed it up with a polite suggestion to DHS that they make a real effort to clear up this story – like a press release stating that, while US utilities need to keep up and even increase their cyber defenses, there is no imminent (or even remotely likely) threat of the Russians shutting down the US grid through cyber means.

You will be astounded to hear that DHS didn’t take me up on my suggestion. So guess what? Today, a longtime industry observer called my attention to this press release on Senator Ed Markey’s website. Sen. Markey is one of the Senators most concerned with cyber security issues, and has introduced a number of bills proposing cyber measures. He obviously has never been told that the WSJ story isn’t to be believed.

This press release announces that the Senator has sent queries to fourteen utilities (ten investor-owned and four Federal power-marketing agencies like TVA and BPA) and four agencies (DoE, DHS, FERC and NERC). Why is he sending these? Sure enough, the third sentence refers to the WSJ article and states “in 2016 and 2017, hackers backed by the Russian government successfully penetrated the U.S. electric grid through hundreds of power companies and third-party vendors”.

The query asks 1) if the utilities have been penetrated (of course, the answer to this question will be resoundingly “No”); 2) what measures the utilities are taking to avoid being penetrated; and 3) how they’re mitigating three particular vulnerabilities.

Of course, this is all good clean fun; I’m not suggesting the Senator shouldn’t be asking these questions, even though answering the second and third questions will require a lot of work on the part of the utilities (all ultimately paid by the ratepayers, to be sure). But I really wish DHS would set him straight and say:

a) We exaggerated some things in our briefings, and the WSJ reporter got a little carried away when she wrote the article. Furthermore, we didn’t immediately make any clarification, which allowed the story to get widely established in the popular press as well as in the cyber security community. Now it seems to have been accepted as fact throughout the country, including Congress. Our two subsequent narrow clarifications got very little attention, mainly because we didn’t make an effort to get the word out beyond the immediate small audiences. We still haven’t (for whatever reason) forcefully addressed the wildly inaccurate statements in the original WSJ article, which are at the root of this madness.
b) We seem not to be trying to actually squelch this story, but at the same time we’d like you to know that the whole premise of your query is completely wrong.
c) This isn’t to say it’s a bad idea to ask the utilities what they’re doing to protect the grid – you’ll certainly receive volumes of information in response (although if you expect the utilities to send you information about vulnerabilities and counter-measures, you’re going to have to be able to provide iron-clad assurances that it will be safe – which will be hard to do, by the way. You may have to settle for some more general assertions without details).
d) But in place of premising your query on the idea that the grid has been thoroughly compromised, you might instead premise it by saying the utilities have done a wonderful job of resisting the concerted Russian attack so far – and perhaps they should all be given the Medal of Freedom for that. After all, after two years of pounding the utilities (and IPPs) from every direction, the most the Russians were able to come up with was a compromise of two wind turbines, with a likely total rated capacity of no more than 3 MW. Whoever is in charge of this operation should be dreading the day he gets a phone call from his boss: “Boris, please clean out your desk and come into my office, so we can discuss just exactly what we’ve achieved with all this money you’ve spent trying to penetrate the US power grid.”

Affectionately,
DHS

If I were DHS, I would store some of the above letter as boilerplate, since they’ll need it often in the coming months and years - as it’s clear nothing (or nobody) is going to kill this story. I wouldn’t be surprised if, in one or two years’ time, this story starts to appear in history textbooks, so eighth graders can learn that the electricity supply they depend on to maintain their entire lifestyle will most likely disappear at any minute, leaving them to finish their short, miserable lives in darkness, cold and hunger. Such is the power of the press!

One other note: There’s a guy at the top of the government who gets very excited about stories in which it looks like the press has made a big mistake. If he knew about this story, he would be convinced that it’s another plot by the liberal media to undermine him, were it not for one inconvenient fact: The news outlet that wrote the story isn’t normally considered part of the liberal media.[i] That spoils the whole narrative.

Thank God for small favors.





[i] Truth be told, the Wall Street Journal is really two papers: The news people are very much un-ideological and are normally determined to follow the truth wherever it leads (and in fact, I believe the WSJ has the best cyber reporting of any major US newspaper. The confusion in the article in question is related to a lack of understanding of the electric power industry and how it operates, not of cyber security). On the other hand, the editorial page is very much old-school conservative. I’d love to attend one of their office holiday parties.

Sunday, August 26, 2018

A Great Article



A friend of mine sent me this link today, and I found it to be a very good read. Of course, I’ve known about how NotPetya happened, and I knew that it had caused widespread damage, especially to Maersk – although I didn’t know the details. But I think it teaches three important lessons.

The first lesson is fairly simple: Be sure to back up your domain controllers! The second is much more far-reaching: We need to start holding nation-states legally liable for cyber attacks – of course, this means Russia in the current case, but Iran, North Korea and China have also attacked the US with cyber weapons. The US did impose sanctions on Russia for this (although as the article points out, the message was muddled since the sanctions were attributed to several Russian transgressions, not just NotPetya), but sanctions don’t address the problem of liability.

Maersk says it lost $250-300 million due to NotPetya, but the article points out that some Maersk employees state anonymously that the real cost must have been much larger (Merck said it lost $870 million. Of course, Merck is a public company and has to report accurate numbers. Maersk is privately owned, although it has 87,000 registered shareholders. Presumably they have been told the real cost). The article describes the huge payments to customers that Maersk made to make up for at least some of the costs and losses they incurred. Then it goes on to point out that other groups of people incurred big losses as well, but they received no monetary compensation. The example used is the many trucking companies that lost money due to having picked up loads bound for the Maersk terminals but not being able to deliver them when the terminals shut down because of the systems outage; however, there are certainly many more third-party victims. The article points to a White House assessment that supposedly estimated the total damages (worldwide, I believe) at more than $10 billion.

Of course, there are (and will be) the usual lawsuits, etc. against Russia by the many victims, and I’m sure at least some of those will bear some fruit many years from now. But this doesn’t seem to be sufficient deterrent since, as we well know, Russia continues to target US elections and the electric power industry. How about this?

  1. We label Russia’s actions an act of war;
  2. We order immediate freezing or seizure of Russian government assets (and perhaps private assets of individuals that the US intelligence agencies have already identified as doing the bidding of the Russian government in these matters – i.e. some of the oligarchs), sufficient to pay all of the documented losses incurred by any US citizens or companies; and
  3. Within a year, if the Russian government hasn’t demonstrated that NotPetya wasn’t their fault, those assets are liquidated to compensate those losses.

If a car driven by a Russian embassy employee hits my car while on an urgent government errand, I will be entitled to compensation from the Russian government. Yet when Russia recklessly launches a cyber attack on the Ukraine as part of their undeclared war on that country, knowing full well that it will spread elsewhere (and, as the article points out, spreading outside the Ukraine was probably one of the goals of the attack – in order to damage Ukraine’s reputation as a safe place to do business), there is no compensation for its victims unless they spend a lot of time and money pursuing lawsuits. This isn’t right.

(And while we’re at it, where is the compensation for the families of the victims of the shooting down of Malaysian Airlines flight 17 over the Ukraine in July, 2012? Sure, a commission finally concluded last year that a Russian launcher loaned to the Russian-backed rebels in the Ukraine brought the plane down. And there are now various lawsuits going on against Russia. So maybe in 5-10 years the families of those victims – those still alive – will be compensated in some way. But a member of the Duma – the Russian parliament – admitted 1-2 weeks after the incident that Russia was at fault.[i] I think Russian aircraft should have been immediately banned from all international airspace until full compensation was paid to all victims. And it’s still not too late to do that.)

The third lesson is this: There should be some sort of mandatory cyber security regulation on all critical infrastructure, not just the electric power industry. I’ve always thought of the power industry as unique, because of the great harm that a serious attack on the grid would cause to lots of people. And it’s indisputable that a grid cyberattack would cause more harm than an attack on any other CI industry.

But the Maersk attack did cause a huge amount of damage to a lot of entities and people other than Maersk. And it’s pretty clear that Maersk didn’t take some of the basic measures that the power industry now takes for granted. The most important of these is separation of the IT and OT networks. Since the disturbance began on what should have been the IT network, a proper separation would most likely have prevented this from spreading to their operational systems.[ii] Another is – of course – regular patching, since Microsoft had patched the primary vulnerability that NotPetya exploited.

So am I advocating that the current NERC CIP standards be applied to all CI industries? Of course not. But I am advocating that a flexible format for mandatory cyber security standards be developed, which would apply to all CI industries, to greater (electric power) or lesser (say, food and agriculture) degree.[iii]

And this is a note to the huge surge of Russian readers I had during my posts on the DHS briefings and news stories on the Russian cyberattacks on the power industry[iv]: Please let your boss Mr. P know that the world isn’t going to stand by much longer and pretend that Russian cyberattacks are just one of those hazards like storms that we all have to live with. There’s some amount of pressure that will get him to stop. We obviously haven’t reached that point yet, so we need to try harder.




[i] As described in this Wikipedia article.

[ii] I realize that separating IT and OT networks would probably be a lot harder for Maersk, since there are so many IT-type documents – orders, bills of lading, invoices – that play an actual role in the OT processes. Separation of IT and OT would probably have prevented the Target breach of 2013 as well, but again it would be much harder to separate the two in a retail environment.

[iii] Of course, describing this format is the end goal of the book I am currently working on.

[iv] It seems those readers have almost entirely left me, not that I’m shedding bitter tears about that. So if you happen to know who they were, please drop them a friendly email suggesting they read this post.

Friday, August 24, 2018

What’s the SDT up to nowadays?



The CIP Modifications Standards Drafting Team seems to have about eight different pots cooking on the stove now. I wrote in July about their new direction on virtualization – which by the way might in the process produce some much-needed reform in the whole structure of the CIP standards; and if you own a Control Center you are probably familiar with the current drafting and balloting on CIP-012. But someone who follows what the SDT is doing much more closely than I can is Mike Johnson.

Yesterday, Mike put up two posts related to the revised standards posted for comment and balloting by the SDT earlier this week. The first post is about CIP-003-8 (yes, folks, just after FERC approved CIP-003 version 7, now we’re up to version 8!). This is because, when FERC approved CIP-003-7, they pointed out that the new requirement for Transient Cyber Assets (TCA) and Removable Media (RM) used at Low impact assets only required, for TCA and RM owned by a third party like a vendor, that the Responsible Entity review the controls the third party had in place to prevent malware; it didn’t require the RE to do anything if the review revealed the third party didn’t have adequate controls in place to prevent malware.

Of course, the idea that any NERC entity (either a Responsible or an Irresponsible Entity) would not take any action if they decided a particular vendor wasn’t doing a good job to prevent their own devices from infecting the entity’s systems is pretty far-fetched. But FERC wanted an abundance of caution, so they ordered this deficiency be corrected. That was done by adding Section 5.2.2 to Attachment 1, which reads “For any method used pursuant to 5.2.1, Responsible Entities shall determine whether any additional mitigation actions are necessary and implement such actions prior to connecting the Transient Cyber Asset.”

The second post is about CIP-002-6. This might be surprising to those who haven’t been following Mike’s blog closely. The original reason for amending CIP-002-5 was to revise criterion 2.12 of Attachment 1, which specifies which Control Centers owned by Transmission Owners should be classified as Medium impact. You may know that this change was approved by 93% of the ballots in May. So why does there need to be another ballot for CIP-002-6? The reason is that, as Mike explains in his second post from yesterday, it was announced in June that FAC-010-3 would be retired (no word on whether a gold watch will be presented). One consequence of this is that two terms from that standard will be changed. Since those terms are currently referred to in criteria 2.6 and 2.9 of Attachment 1, those criteria needed to be changed to reflect this.

Mike also provides some good advice on how to cast ballots (which he has included in previous posts as well).





Tuesday, August 21, 2018

Back to CIP-014



In July, I wrote a post describing an email discussion I’d had with an auditor about CIP-014. It was actually a rehash of a disagreement we’d had last fall (which I don’t think I ever wrote about in this blog) regarding this post from last December. The subject of both disagreements was CIP-014, the CIP standard for physical security of key substations, drawn up in the wake of the Metcalf attack in 2012, in which some large transformers were fired on and disabled at a key substation in Silicon Valley.

Here is the essence of both disagreements: In the December post, I described how, in their CIP-014 audit last year, a utility was given a PNC (potential non-compliance) finding because their physical security plan prepared for compliance with CIP-014 R5 didn’t specifically provide protections for transformers. The utility argued that all of the wording in CIP-014 applies to protecting the substation as a whole, not to particular pieces of equipment located in the substation. The auditor, in his July email to me (prompted by another post, although not related to CIP-014), argued that it would be reasonable to assume that CIP-014 was about more than just protecting the substation as a whole, since the Metcalf attack had been on transformers, not the whole substation.

Note from Tom, later on 8/21: The person in charge of CIP compliance at the utility in question just read the post and emailed me that their reasoning for only protecting on the level of the entire substation wasn't based on the fact that this is what the requirement said, but on the fact that their own engineering study had found that, if any subset of the equipment were destroyed, there wouldn't be the kind of BES impact ("instability, uncontrolled separation, or Cascading within an Interconnection") that is required for the substation to be in scope for CIP-014 in the first place. So if they tried to protect individual pieces of equipment, they wouldn't actually be doing anything that would result in greater protection for the BES itself. However, the auditor would have none of that argument. He wanted the transformers protected, period.

I didn’t contest that it was reasonable to expect the utility to include protection of transformers in their physical security plan, but I did contest the idea that they could be found in violation of the requirement, since that says nothing about anything except protecting the substation as a whole.

After that post, I got an email from Ross Johnson of Capital Power in Edmonton, Alberta (which by the way is a really beautiful city, especially if you visit in the warmer months!). Ross said:

I was on the CIP-014 SDT, and we saw the substation fence line as a component in the protection of what was inside - not the only part worth protecting. When we talked about protecting the substation, we also talked about protecting the most important components within, and considered that all part and parcel of the substation proper.

I don’t understand the logic of saying that because Metcalf transformers were shot up that any solution that didn’t protect the transformers from gunfire was inadequate. That’s why we put the term ‘geographic proximity’ in R4.2 (Prior history of attacks on similar facilities taking into account the frequency, geographic proximity, and severity of past physical security related events). Substations far away from threats of this kind should have that fact weighed and considered in their R4.

I live in Canada, and gun crimes are exceedingly rare. Other than the odd power-pole transformer, gunfire attacks on electricity sector infrastructure are almost unheard of, and have never approached the scale of Metcalf. Most of our large substations are in isolated or rural areas, and many have never, ever, had an attack of any kind - even theft by copper thieves. To demand that they pay millions of dollars to protect infrastructure from a crime that happened a couple of thousand miles away in a different culture with a vastly different threat profile seems difficult to justify given the more modest demands of the standard.

If the intent of the standard was to armour transformers to protect them from gunfire, then it would have stated that.

Now, I have always been against taking the recollections of drafting team members as something that can shed light on the meaning of a CIP requirement, so I’m not trying to say that Ross’s word should be taken as the preferred interpretation of a CIP-014 requirement. But in this case, we have an argument about what should be implied in the wording of a requirement. Ross says it would be wrong to draw the implication that transformers need to be protected, since CIP-014 R4.2 says the entity should consider (in the threat and vulnerability assessment that forms the basis for the physical security plan in R5): “Prior history of attack on similar facilities taking into account the frequency, geographic proximity, and severity of past physical security related events”.

In other words, the entity needs to consider threats that are clearly relevant for the substation in question. One of the bases for identifying those threats is incidents that are likely to occur in the particular geography of the substation. Ross pointed out in a subsequent email that “in Canada, some of our assets are protected by 400 miles of grizzly bears…” Clearly, ballistic attacks on transformers aren’t what keeps Ross awake at night.

On the other hand, Ross is also saying that, even though the strict wording of the requirements in CIP-014 says nothing about protecting the Facilities (e.g. transformers, circuit breakers, etc.) located within the substation, it would be wrong to say that the only threats that need to be protected against are those that affect the entire substation – this isn’t in the strict wording of the requirements, either.

What are the lessons to be learned from this whole discussion? They are:

  1. The utility shouldn’t have been given a PNC for not addressing threats to transformers in their physical security plan, since there is nothing in the strict language of the requirements that mandates the entity should do anything more than protect the whole substation.
  2. On the other hand, the utility certainly should have been given an Area of Concern (which isn’t a violation, of course) for this. That is what a second utility (also discussed in the December post) received. They were also cited for not specifically addressing the threat of ballistic attack on transformers.
  3. Any mandatory standards regime needs to have procedures by which compliance can be verified. In the case of the NERC CIP regime, compliance is verified by audits – did they do X or didn’t they do X? Because this is the case, future plan-based requirements should all include some guide to the threats that need to be identified and mitigated in the plan; they can’t just say something like “identify all the threats that apply to your environment and mitigate them” – which is essentially what CIP-014 says, as well as CIP-013.[i] (All of the important CIP requirements drafted since CIP version 5 have been plan-based. This has quickly become recognized as the only type of requirement that makes sense in the CIP context, since prescriptive requirements simply don’t work well.)
  4. My poster child for a good plan-based requirement is CIP-010 R4, where Attachment 1 (which is called out by the requirement and thus is incorporated into it by reference) describes, at a high level, a number of threats that must be included in the plan (although the term used is risks, not threats. While I think risks is a workable term, I think threats is a better one in this context, for several reasons). I think all future drafting teams would do well to emulate this requirement when they draw up new plan-based requirements, or even revise existing ones. Since it’s likely that FERC will order some changes when they approve CIP-013, and since this means there will have to be another version, I would recommend that the SDT look to CIP-010 R4 for inspiration on how they can make the standard auditable, since the primary requirement, R1.1, isn’t auditable as it stands now.
  5. Ultimately, there will need to be a different compliance verification process for the CIP standards (and I believe the current audit-based process is fine for the O&P standards, although if anyone thinks differently I’d love to hear about it), which will be designed for plan-based requirements. It will need to include a) review by the Region of the entity’s plan before it is implemented, so that the entity can make any needed modifications before it is put in place; b) review by the Region of the entity’s implementation of that plan, so that any big mistakes can be corrected, rather than be allowed to fester (with attendant security vulnerabilities) until the next audit; and c) compliance guidance by the Regions (indeed, by NERC itself) being not only allowed but encouraged.
  6. Unfortunately, until this new compliance verification process is actually implemented (and I’m not naïve enough to think this is likely to happen in the next few years), there will continue to be lots of disputes like the CIP-014 disputes I’ve been discussing. The auditors will always have their ideas about what needs to be in a plan, and in many cases that will differ from what the utility believes. There is no way to settle these disputes, except by simply agreeing that no violations can be assessed for anything that isn’t in the strict language of the requirement, although certainly Areas of Concern are appropriate. As more plan-based requirements are written on the model of CIP-010 R4, these requirements will be more auditable. However, the real solution is a different compliance verification process for the CIP standards.
  7. Even though plan-based CIP requirements should include a list of types of threats that need to be considered in the plan, it should be up to the entity to determine exactly which threats belong in their plan. In Ross Johnson’s neighborhood, high-powered rifles are much less likely to be used in crimes than they are south of the 49th parallel, so that particular threat might be discounted. On the other hand, threats related to cold weather and snow might pose greater risk in northern Alberta than they do in Silicon Valley.
  8. There should be some central body – composed of SMEs from NERC entities, NERC and the Regions, FERC (at least as observers), and perhaps representatives of the general power-using public – charged with developing and regularly updating a list of threats that must be considered in CIP-013 and CIP-014 plans (CIP-013 requires reviewing the plan every 15 months. CIP-014 requires more or less continual evaluation of new physical threats to substations). Of course, in many cases an entity will decide not to include a particular threat in their plan because it doesn’t apply to them; but in any case the entity will need to document why they did this.[ii] The reason this is needed is that it shouldn’t be left up to individual utilities – no matter how large or small – to comb through all the reports of cyber threats and mitigations worldwide, and determine which ones pose serious risks in North America and which ones don’t. There needs to be a central, regularly-updated list, although it will be up to the individual entities to determine which threats specifically apply to them.


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. And if you’re a security vendor to the power industry, TALLC can help you by developing marketing materials, delivering webinars, etc. To discuss any of this, you can email me at the same address.         



[i] I want to point out that I’m not blaming either the CIP-013 or CIP-014 drafting teams for this situation. They were both given very tight deadlines by FERC, one year in the case of CIP-013 and three months in the case of CIP-014. In these time periods, they had to develop, ballot, re-ballot, re-re-ballot, and get NERC BoT approval for the new standard. They didn’t have time to include language in the requirements that would have taken a long time to draft, or that would have sparked a lot of controversy. A lesson learned for FERC is to be very careful about assigning deadlines for new standards, because it often doesn’t seem to work out very well.

[ii] I am writing a book on how the NERC CIP standards – as well as the compliance regime built around them – could be rewritten to eliminate five big current problems with CIP. One of my recommendations is that there be a central body that reviews and publishes a list of all cyber threats to the BES (and perhaps physical threats as well), as well as mitigation measures for those threats. In addition, this body would meet regularly to review new threats as well as mitigation measures, and update the list at least annually. The NERC entities would be required to a) determine which threats on the list pose the biggest risks in their environment and b) mitigate those threats.

Monday, August 13, 2018

Is CIP-013 R1.1 auditable? No. Does this mean you’re off the hook? No.



In this recent story about the Russian hacking from E&E News last week, I was quoted as saying “…it's not clear whether the federal rules on supply chain vulnerabilities can be effective…” Of course, this was referring to CIP-013, which came up in this story since the Russian attacks were (and are) all coming through the supply chain.

I was referring here to something I brought up in this post from April, when I pointed out that R1.1 is probably not auditable because it simply requires that the entity develop a supply chain cyber security risk management plan - the requirement doesn’t provide any information about the risks that should be addressed in that plan. I pointed to CIP-010 R4 as an example (definitely the best so far) of a plan-based requirement that does provide high-level criteria for what should be addressed in the plan (these are provided in Attachment 1, which is called out in the requirement itself and is therefore part of the requirement. That is important – Attachment 1 isn’t just some sort of guidance, but is part of the requirement).

In the April post, I noted that R1.1 simply requires the entity to develop a supply chain cyber security risk management plan; it says nothing about what that plan should contain[i]. I originally thought this was a good idea because of its purity: After all, cyber security is about risk management. The best way to deal with cyber threats is to put together a risk management plan, since there is no way anybody could ever write a set of prescriptive requirements (whether or not they’re mandatory) that would make the entity perfectly secure. The best that can be done is for the entity to assess the risks and develop a plan to mitigate the highest risks[ii] (this is what R1.1 requires the entity to do, although unfortunately the SDT left out the word “mitigate”. But the whole standard makes no sense if that word isn’t assumed to be in R1.1).

However, I later came to realize that, given NERC’s prescriptive auditing process, requiring an entity just to develop a plan, without saying what has to be in it, is a recipe for having a non-auditable requirement. Either a) the auditors will decide what they think should be in your plan and then try to hold you in violation if your plan doesn’t agree with their ideas, or b) the auditors will simply give everyone a pass as long as the plan is at least halfway credible. This is why R1.1 is unauditable.

I think b) is a much more likely scenario for what will happen with CIP-013 R1.1. So this leaves the entity (that would be you, Dear Reader) with two choices:

  1. You can develop a minimal R1.1 plan, perhaps just addressing the six items in R1.2 (since we already know they have to be in the plan - for a recipe on how to do this, go to my April post). This will make your CIP-013 compliance job much easier. And even though it’s likely your auditor will berate you – and most likely issue an Area of Concern - for not having developed much of a plan, you can still sleep at night, knowing that he or she won’t be able to give you a PNC (Potential Non-Compliance finding) for this (and if they do, it won’t hold up); or
  2. You can Do the Right Thing (to quote the title of a great Spike Lee movie) and actually develop a real supply chain cyber security risk management plan. This will probably put you at greater compliance risk, since if you list a risk in the plan, you will have to take steps to mitigate it. And if you don’t do a good job of mitigation, you can probably still be held in violation of R2, even though you wouldn’t be in violation of R1.1 (i.e., NERC can’t audit the plan itself, but it can audit whether or not you actually did what you said you’d do in the plan).

So which course do I recommend? Door Number 1, the easier path which may allow you to leave at 5:00 now and then? Or Door Number 2, the hard path, where you’ll have to really sit down and think about what your supply chain cyber risks are and how you will mitigate the most important risks - and then, if you don’t mitigate them to the auditor’s taste, you might well receive a PNC for violating R2?

I’m sure you can guess which door I’m advocating you should take: It’s Door Number 2. Why do I say this? All you have to do is read this post on the Russian attacks. Even though it turns out DHS greatly exaggerated the success of those attacks, that doesn’t change the most important lesson to be learned from them: Supply chain security is the number one problem for the electric power industry (and probably for most other industries as well). The attacks described by DHS (both in their briefings, and in their excellent Alert from March) were all supply chain attacks. They’ve been going on for a couple years and will most likely continue, despite the increased scrutiny after DHS’ briefings. And if you want to see the damage that a supply chain attack can cause, you just need to look at two: the Target breach of 2013 and last year’s NotPetya malware.

In almost any other question of CIP compliance, I will always take the position that the entity’s job is to design procedures and policies that provide minimal compliance with the requirements. Most of the currently-enforced CIP requirements are prescriptive, and of course all CIP requirements – as all NERC requirements in general – are audited in a very prescriptive, did-they-do-it-or-didn’t-they fashion. Even if your organization might feel that good security practice is to go beyond what a particular requirement mandates, you definitely don’t want to design CIP compliance procedures that go beyond the requirement. If you do, you’re simply inviting compliance risk.[iii]

However, for a plan-based requirement, and especially one that explicitly allows the entity to consider risk, as is the case with CIP-013, this position doesn’t apply. The whole idea of developing a plan to manage risk is that you need to allocate the resources you have (staff time and money) in a way that will mitigate the most risk possible – i.e. you need to allocate your resources so that they get the most bang for the buck.

This requires considering all the major threats (which in the case of CIP-013 are supply chain cyber threats), then ranking them by the degree of risk they pose to the BES (remember, that is what risk means in any NERC standard. It’s always risk to the BES, not to the individual entity). Then you need to go through the list, starting at the top, and decide how much in the way of resources to allocate to mitigating each risk. When you feel you have mitigated the important risks, you stop.[iv] In my opinion, that is how you develop a risk management plan.
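To make the ranking-and-allocation procedure above concrete, here is an added example (my own illustration, not anything from the standard, the SDT or the post's original text) that walks a constructed list of supply chain threats in risk order and funds mitigations until the budget or the "important risk" floor is reached. Every threat name, likelihood, impact and cost below is invented for illustration, the risk score is the usual likelihood × impact product, and the `risk_floor` cutoff is an assumed parameter the entity would set for itself; what the code adds to the prose is the bookkeeping of what was deferred for lack of budget, which is exactly what an entity will need to document.

```python
"""Risk-ranked allocation of a supply chain mitigation budget.

Added example, not from the original post. All threats, scores and
costs are constructed for illustration, not real assessments.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int       # 1 (rare) .. 5 (expected), constructed scale
    impact: int           # 1 (negligible) .. 5 (severe) impact on the BES, not the entity
    mitigation_cost: int  # cost of the chosen mitigation, arbitrary units
    mitigation: str

    @property
    def risk(self) -> int:
        # Risk to the BES, the only risk a NERC standard cares about.
        return self.likelihood * self.impact


@dataclass
class Plan:
    budget: int
    mitigated: list = field(default_factory=list)  # funded, in risk order
    deferred: list = field(default_factory=list)   # above the floor but unfunded

    @property
    def spent(self) -> int:
        return sum(t.mitigation_cost for t in self.mitigated)


def rank_threats(threats):
    """Highest risk first; ties broken by cheaper mitigation, then name."""
    return sorted(threats, key=lambda t: (-t.risk, t.mitigation_cost, t.name))


def build_plan(threats, budget, risk_floor=4):
    """Walk the ranked list and fund each mitigation while budget allows.

    Stops at the first threat whose risk is at or below risk_floor (the
    "when you have mitigated the important risks, you stop" rule). A threat
    above the floor that the remaining budget cannot cover is recorded as
    deferred rather than silently dropped, so the shortfall is documented
    and can be escalated for more resources.
    """
    plan = Plan(budget=budget)
    remaining = budget
    for t in rank_threats(threats):
        if t.risk <= risk_floor:
            break
        if t.mitigation_cost <= remaining:
            plan.mitigated.append(t)
            remaining -= t.mitigation_cost
        else:
            plan.deferred.append(t)
    return plan


# Constructed sample threats; numbers are illustrative only.
SAMPLE_THREATS = [
    Threat("Hijacked vendor remote access session", 4, 5, 30,
           "route vendor sessions through an intermediate system with MFA"),
    Threat("Malicious or tampered software update", 3, 5, 40,
           "verify vendor signatures or hashes before installing"),
    Threat("Vendor staff credentials not revoked on termination", 4, 3, 10,
           "contractual notification plus prompt account disable"),
    Threat("Counterfeit or tampered hardware", 2, 4, 50,
           "authorized channels only, inspection on receipt"),
    Threat("Vendor does not disclose known vulnerabilities", 3, 3, 5,
           "contract clause requiring vulnerability notification"),
    Threat("Known-vulnerable open source component", 3, 2, 20,
           "component inventory and patch tracking"),
    Threat("Shipping damage to spare parts", 1, 1, 5,
           "packaging requirements"),
]


def summarize(plan):
    """Plain-text record of what was funded and what was deferred."""
    lines = [f"Budget {plan.budget}, spent {plan.spent}"]
    lines += [f"  MITIGATED {t.risk:>2}  {t.name}: {t.mitigation}" for t in plan.mitigated]
    lines += [f"  DEFERRED  {t.risk:>2}  {t.name} (needs {t.mitigation_cost})" for t in plan.deferred]
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(build_plan(SAMPLE_THREATS, budget=90)))
```

With a budget of 90 the two deferred items (counterfeit hardware and the open source component) are the ones whose risk is above the floor but whose cost exceeded what remained once the higher-ranked threats were funded; that list, with the ranking that produced it, is the evidence an entity would want in hand when it asks for more budget or explains to an auditor why a listed risk was not mitigated.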

I hope to start doing some posts in the near future that elaborate on – at a high level – the steps you need to take to develop a plan for CIP-013 R1.1. If you are with a NERC entity or a vendor that is looking for a more in-depth discussion in order to start preparing for CIP-013 compliance, ask me about my free workshop offer, described in this post.





[i] R1.2 lists six items – they are risk mitigations, rather than risks themselves – that should be included in the plan. That isn’t because these are the six actions that the SDT decided were the most important supply chain security risks to mitigate. The six items are there because FERC specifically called for them in Order 829, which ordered NERC to develop the standard in the first place. The R1.1 supply chain cyber security risk management plan needs to include these six items, but only including them doesn’t give you a good plan.

[ii] If you’re wondering how a small utility might have the resources and know-how to conduct this whole risk-management exercise by themselves, so am I! Of course, since CIP-013-1 only applies to High and Medium impact assets – and since most of the organizations that own these assets probably do have at least some resources and know-how in this area – I don’t see this as an immediate problem for CIP-013. But for the future when Lows are included in CIP-013 in some way (and FERC might order this when they approve CIP-013-1), this will be a big issue. I would hope NRECA, EPSA, EEI and APPA could step up and help their smaller members in this process.

[iii] Of course, I’m not saying that you should limit the steps you actually take in any particular area of cyber security to the strict wording of the CIP requirement. For example, suppose you think that CIP-010 R1 doesn’t do a good enough job of capturing what an organization like yours should be doing for configuration management of BES Cyber Systems. You should definitely do whatever more you think is necessary; but just make sure not to include that in your actual compliance procedures for CIP-010 R1.

[iv] Of course, I’m glossing over the fact that it’s possible you may run out of budget before you have sufficiently mitigated the most important risks. When you see that is happening (and hopefully you’ll see it during the planning phase, not at the end of the implementation phase), you should try to get the additional resources needed to mitigate all the important risks. But if you don’t get those resources and you have to leave some important risk unmitigated, you will at least know that you mitigated the most risk possible with the resources you had - since you mitigated the different supply chain threats in the order of the risk they posed.

Wednesday, August 8, 2018

What should DHS do?



I have had a number of email conversations brought on by my recent posts on DHS’ briefings on the Russian hacking campaign against the power industry, and on some very misleading statements made in the briefings – as well as wildly exaggerated press reports afterwards. They have all come down to DHS. Here is the problem:

  • The Russians have obviously been conducting – for a couple years, it seems – a large-scale, sustained cyber attack on US utilities and IPPs; that attack is ongoing.
  • DHS has done a great job of thoroughly investigating what is going on, and explaining it all in great detail. In doing so, they have made it very clear that the power industry needs to focus on supply chain security much more heavily now, since these attacks are currently coming primarily through that vector.
  • However, some of the speakers at their recent briefings gave very misleading information about the results of this hacking, implying that it’s possible and even likely that the Russians have a lasting presence inside networks in utility control centers, where they’re just waiting for the signal to start messing with the US power grid and cause a major outage.
  • After the first of these briefings, a reporter from the Wall Street Journal wrote an article that said that about 200 “utility control rooms” had been penetrated by the Russians. Of course, if that were really the case, it would literally constitute a national emergency, not just because we all might be in the dark for a while, but because we might then be forced to consider a military response.
  • The same week as the first briefing, two DHS spokespeople clarified in meetings that no, it was just one very small generating asset whose control network had been penetrated – and then it turned out that even that was an exaggeration, since it was really two turbines in a wind farm with probably hundreds of turbines. Yet there was no effort to counter the news reports – these walk backs were heard only by a small group of industry people.
  • Even worse, the same WSJ reporter came out with another story on Tuesday, which seemed to indicate that she hadn’t heard either of the walk backs. And it seemed from her story that one person at DHS was still peddling the idea that there had been widespread penetration of the US grid. I was charitable and thought that she and the DHS person both simply didn’t understand the terms that were being used, as well as some particular facts about the structure of the US power industry. My post yesterday tried to explicate these mysteries, in my usual mind-numbing detail.

So the fact is that we have a major national news source (actually two, since the New York Times put out their own article on Friday, which I discussed in this post. The sentence that I quote toward the beginning of that post is even more alarming than anything the WSJ report said) saying there is a true national emergency, and still DHS isn’t stepping up with something like a press release - or even better a press conference - to calm things down. They need to explain what really happened, while at the same time pointing out that there is a real supply chain threat to the grid – and I will be fine if they say that the industry isn’t doing enough to counter supply chain threats, as well as that the new CIP standard for supply chain security will likely prove pretty ineffective, unless NERC or somebody steps up and tries to fix this situation (this is the topic of what I hope will be my next blog post, although I won’t rule out some new development that will require a new post on the Russian story).

DHS needs to do something. Now.

