One of the most pernicious aspects of the far-reaching and potentially devastating SolarWinds supply chain hack is that it successfully evaded detection for at least ten months by hiding inside seemingly normal software operations. The hack of SolarWinds' Orion product enabled Russian actors to embed surveillance malware into widely used management software. It pushed the so-called SUNBURST malware deep into public and private networks under the invisibility cloak of ordinary activity, causing no harm or disruption as it silently operated.

The SolarWinds hack is largely considered a turbo-charged nation-state espionage campaign. Most experts, however, won't rule out the possibility that the Russian intelligence team behind the breach were also paving the way for attacks that could damage operations. One of the biggest concerns about the hack's impact is how it affected the nation's power grid.

New regulations aimed at spotting attempted compromises of the power grid that don't cause damage, like SolarWinds, went into effect on January 1, 2021. It's not at all clear that the new requirements will help the energy industry spot these kinds of attacks.

Power companies likely compromised by SolarWinds

Early reports indicate that more than a dozen unnamed critical infrastructure companies in the electric, oil and manufacturing industries ran the tainted software, along with three critical infrastructure OEM (original equipment manufacturer) suppliers. Some of the infections spread beyond ordinary IT infrastructure into the infected companies' operational technology or industrial control components.

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) issued an alert last month saying infrastructure entities were "compromised" by the SolarWinds hack.

New NERC cybersecurity standard expands reporting requirements

New requirements from the North American Electric Reliability Corporation (NERC) are embodied in the NERC CIP-008-6 standard. (CIP stands for critical infrastructure protection.) The 008-6 standard follows a set of other relatively new cybersecurity requirements, CIP-007-6.

Consistent with an order by the Federal Energy Regulatory Commission (FERC), the new standard requires relevant bulk power entities to report not only actual compromises of bulk electric systems but also, for the first time, "attempts to compromise" those systems. All cybersecurity incidents, whether actual compromises or attempts to compromise, have to be reported to the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), now known as the National Cybersecurity and Communications Integration Center (NCCIC), as well as the Electricity Information Sharing and Analysis Center (E-ISAC).

The addition of reportable attempted compromises is a big deal that someday could capture SolarWinds-type infections early on, but when that day might arrive is unclear. That's because NERC rescinded the implementation guidance that defines an "attempt to compromise," a near-miss that causes no damage to operations, with only a vague explanation that "some statements are inappropriate for implementation guidance."

Lack of guidance leaves grey area for reporting

In the past, the only reported incidents were situations where "you break some threshold, which is the destruction of the bulk electric system power operations," Patrick Miller, US coordinator for the Industrial Cyber Security Center, tells CSO. "Now you've got to report things that maybe didn't make it through but were attempts to do so."

According to Miller, the big challenge for utilities is the "ambiguous grey area" around what constitutes an "attempt," particularly given the rescinded guidance that spells out the definitions. "What does an attempt look like?" Miller asks. "If someone is driving down the street and looking at your house, they're casing things... is that an attempt? Or is it when they actually go on your property, is that an attempt? Or when they actually turn the doorknob? Is that an attempt? Or when they pick a lock? Is that an attempt?"

Without clear-cut guidance, utilities could do one of two things. "They're only going to report things that are clear attacks, the intent was there, it was very obvious, you maybe even got some outside help, or maybe it's something the FBI notified you about," Miller says. Or they're going to say, "I don't know what an attempt is, so I'm going to send you everything, and you're going to figure it out."

"We haven't had much guidance as to what qualifies as an attempt, so it's going to be a mixed bag as to what gets reported and what doesn't," Miller says.

Rescinded guidance might be followed anyway

One industrial control system (ICS) cybersecurity expert, Chris Sistrunk of FireEye's Mandiant division, believes that even though NERC yanked its guidance, it's likely that relevant power companies will rely on it anyway for defining attempts to compromise. He also predicts that the relevant power entities will likely report SolarWinds-delivered malware as an attempt to compromise. "According to FireEye analysis, the SUNBURST backdoor (or any backdoor) is, at face value, an attempt to compromise, so the utility must determine if it was used to attempt to compromise applicable grid assets," he tells CSO. (The intricate NERC requirements apply only to certain grid assets.)

FireEye, which first discovered the SolarWinds backdoor, "cannot confirm that power utility networks were impacted. To our knowledge, there has been no impact to grid operations due to the SolarWinds attack," Sistrunk says. However, he acknowledged that "it's plausible that utility companies use SolarWinds software, especially for IT networks."

Lack of clarity hampers new standard's effectiveness

Although most ICS security experts see the new NERC requirement as a positive step forward, the lack of clear-cut guidance will likely hamper its effectiveness. "We don't really have any way to determine what the information input is. It could be everything, or it could be only what is determined by the FBI as a legitimate attack attempt. It makes it difficult for them to get this right from both a security and a compliance perspective," Miller says.

Miller thinks it could be 18 to 24 months before it becomes clear what power companies should be reporting under the new standard. Even once the bulk power system entities gain clarity about what they are reporting, the old electric industry adage that compliance does not equal security should still rule the day.

"Compliance standards are a minimum requirement, and implementation guidelines are meant to serve as best practices," Sistrunk says. "Attackers are constantly improving and evolving, so we as defenders have to be diligent and improve as well. Defense in depth is always the best approach. As always, security is an iterative process, never a one and done."

Another wrinkle: These new requirements apply only to relevant bulk power entities, not the last-mile electricity providers, Miller warns. "If you took the lights out in Los Angeles, that would not be a reportable cybersecurity incident because that's distribution, that's the last mile, that's not the bulk electric system, which is really just the transmission lines and the big generators," he says.

However, he hopes that the massive influx of data on attempted compromises provides enough contextual information for the NCCIC or another designated entity in CISA to provide at least some help to the grid's distribution component. "I suspect that [CISA] can help with the distribution side and say 'hey we're seeing these things, these activities are happening, you have these systems, you might want to check it out,'" Miller says.