US bulk energy providers must now report attempted breaches

One of the most pernicious aspects of the far-reaching and potentially devastating SolarWinds supply chain hack is that it successfully evaded detection for at least ten months by hiding inside seemingly normal software operations. The hack of SolarWinds’ Orion product enabled Russian actors to embed surveillance malware into widely used management software. It pushed the so-called SUNBURST malware deep into public and private networks using the invisibility cloak of ordinary activity, causing no harm or disruption as it silently operated.

The SolarWinds hack is largely considered a turbo-charged nation-state espionage campaign.  Most experts, however, won’t rule out that out the possibility that the Russian intelligence team behind the breach weren’t also paving the way for attacks that could damage operations. One of the biggest concerns about the hack’s impact is how it affected the nation’s power grid.

New regulations aimed at spotting attempted compromises in the power grid that don’t cause damage, like SolarWinds, went into effect on January 1, 2021. It’s not at all clear that the new requirements will help the energy industry spot these kinds of attacks.

Power companies likely compromised by SolarWinds

Early reports indicate that more than a dozen unnamed critical infrastructure companies in the electric, oil and manufacturing industries ran the tainted malware, along with three critical infrastructure OEM (original equipment manufacturing) suppliers. Some of the infections spread beyond ordinary IT infrastructure into the infected companies’ operational technology or industrial control components. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an alert last month saying infrastructure entities were “compromised” by the SolarWinds hack.

New NERC cybersecurity standard expands report requirements

New requirements from the North American Electric Reliability Corporation (NERC) are embodied in the NERC CIP-008-6 standard. (CIP stands for critical infrastructure protection). The 008-6 standard follows a set of other relatively new cybersecurity requirements, CIP-007-6.

Consistent with an order by the Federal Energy Regulatory Commission (FERC), the new standard requires relevant bulk power entities to report not only actual compromises of bulk electric systems but also, for the first time, “attempts to compromise” those systems. All cybersecurity incidents, whether actual compromises or attempts to comprise, have to be reported to the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), now known as National Cybersecurity and Communications Integration Center (NCCIC), as well as the Electricity Information Sharing and Analysis Center (E-ISAC).

The addition of the reportable attempted compromises is a big deal that someday could capture SolarWinds-type of infections early on, but when that day might arrive is unclear. That’s because NERC rescinded implementation guidance that defines an “attempt to compromise,” a near-miss that causes no damage to operations, with only a vague explanation that “some statements are inappropriate for implementation guidance.”

Lack of guidance leaves grey area for reporting

In the past, the only reported incidents were situations where “you break some threshold, which is the destruction of the bulk electric system power operations,” Patrick Miller, US coordinator for the Industrial Cyber Security Center, tells CSO. “Now you’ve got to report things that maybe didn’t make it through but were attempts to do so.”

According to Miller, the big challenge for utilities is the “ambiguous grey area” around what constitutes an “attempt,” particularly given the rescinded guidance that spells out the definitions. “What does an attempt look like?” Miller asks. “If someone is driving down the street and looking at your house, they’re casing things…is that an attempt? Or is it when they actually go on your property, is that an attempt? Or when they actually turn the doorknob? Is that an attempt? Or when they pick a lock? Is that an attempt?”

Without clear-cut guidance, utilities could do one of two things. “They’re only going to report things that are clear attacks, the intent was there, it was very obvious, you maybe even got some outside help, or maybe it’s something the FBI notified you about,” Miller says. Or they’re going to say, “I don’t know what an attempt is, so I’m going to send you everything, and you’re going to figure it out.”

“We haven’t had much guidance as to what qualifies as an attempt, so it’s going to be a mixed bag as to what gets reported and what doesn’t,” Miller says.

Rescinded guidance might be followed anyway

One industrial control system (ICS) cybersecurity expert, Chris Sistrunk of FireEye’s Mandiant division, believes that even though NERC yanked its guidance, it’s likely that relevant power companies will rely on it anyway for defining attempts to compromise. He also predicts that the relevant power entities will likely report SolarWinds-delivered malware as an attempt to compromise. “According to FireEye analysis, the SUNBURST backdoor (or any backdoor) is, at face value, an attempt to compromise, so the utility must determine if it was used to attempt to compromise applicable grid assets,” he tells CSO. (The intricate NERC requirements apply only to certain grid assets.)

FireEye, which first discovered the SolarWinds backdoor, “cannot confirm that power utility networks were impacted. To our knowledge, there has been no impact to grid operations due to the SolarWinds attack,” Sistrunk says. However, he acknowledged that “it’s plausible that utility companies use SolarWinds software, especially for IT networks.”

Lack of clarity hampers new standard’s effectiveness

Although most ICS security experts see the new NERC requirement as a positive step forward, the lack of clear-cut guidance will no doubt likely hamper its effectiveness. “We don’t really have any way to determine what the information input is. It could be everything, or it could be only what is determined by the FBI as a legitimate attack attempt. It makes it difficult for them to get this right from both a security and a compliance perspective,” Miller says.

Miller thinks it could be 18 to 24 months before it becomes clear what power companies should be reporting under the new standard. Even once the bulk power system entities gain clarity about what they are reporting, the old electric industry adage that compliance does not equal security should still rule the day.

“Compliance standards are a minimum requirement, and implementation guidelines are meant to serve as best practices,” Sistrunk says. “Attackers are constantly improving and evolving, so we as defenders have to be diligent and improve as well. Defense in depth is always the best approach. As always, security is an iterative process, never a one and done.”

Another wrinkle: These new requirements apply only to relevant bulk power entities, not the last-mile electricity providers, Miller warns. “If you took the lights out in Los Angeles, that would not be a reportable cybersecurity incident because that’s distribution, that’s the last mile, that’s not the bulk electric system, which is really just the transmission lines and the big generators,” he says.

However, he hopes that the massive influx of data on attempted compromises provides enough contextual information for the NCCIC or other designated entity in CISA to provide at least some help to the grid’s distribution component. “I suspect that [CISA] can help with the distribution side and say ‘hey we’re seeing these things, these activities are happening, you have these systems, you might want to check it out,’” Miller says.