On February 23, 2016 I gave the keynote at the National Academies of Sciences, Engineering, and Medicine's Government-University-Industry Research Roundtable on control system cyber security. I mentioned that the children's book - The Emperor Wears No Clothes - reflects the current regulatory and industry thinking about cyber security of the electric grid.
On February 25, 2016 DHS ICS-CERT issued an Alert on the cyber-attack against Ukrainian critical infrastructure. The Alert emphasized that organizations should isolate ICS networks from any untrusted networks, especially the Internet. That advice is not new. According to the DHS ICS-CERT Monitor dated May-June 2015:

"Some asset owners may have missed the memo about disconnecting control systems from the Internet. Our recent experience in responding to organizations compromised during the BlackEnergy malware campaign continues to bring to light this major cybersecurity issue—Internet connected industrial control systems get compromised. All infected victims of the BlackEnergy campaign had their control system directly facing the Internet without properly implemented security measures. The BlackEnergy campaign took advantage of Internet connected ICS by exploiting previously unknown vulnerabilities in those devices in order to download malware directly into the control environment. Once inside the network, the threat actors added remote access tools, along with other capabilities to steal credentials and collect data about the network. With this level of access, the threat actor would have the capability to manipulate the control system."

Obviously many end-users and system integrators have disregarded such advice, as evidenced by Project Shine's tally of over two million direct Internet connections to ICS systems and devices and by the DHS disclosure that every BlackEnergy victim it responded to had control systems directly facing the Internet. A similar statement can be made of many vendors, judging by their continued enthusiasm for the industrial Internet of Things.
The DHS Alert stated that the attackers rendered serial-to-Ethernet devices at substations inoperable by corrupting their firmware. In addition, the attackers reportedly scheduled disconnects for server Uninterruptible Power Supplies (UPS) via the UPS remote management interface. As Project Shine identified, many serial-to-Ethernet converters and UPS remote management interfaces are directly connected to the Internet. However, neither serial-to-Ethernet converters nor UPS remote management systems are directly included in the scope of NERC CIP or of NEI 08-09/Regulatory Guide 5.71, even though both classes of device were in the attack path in Ukraine.
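The DHS isolation advice quoted above, and the exposure of serial-to-Ethernet converters and UPS management interfaces described in this paragraph, can be checked mechanically against a firewall policy rather than discovered after the fact through Shodan. The Python script below is an added example written for this page; it is not code from DHS, Project Shine, or the author. The rules, addresses (an RFC 5737 test address for the Internet source, private 10.x ranges for the plant) and the device inventory are constructed for illustration. It evaluates a policy the way a first-match firewall would and lists every listening service on the inventoried ICS devices that an address outside the plant can reach, once against a blanket "vendor remote support" rule of the kind that puts converters and UPS cards on the Internet, and once against a hardened policy that admits only a jump-host subnet to one workstation on one port.

```python
"""Audit a firewall policy for paths from untrusted networks into an ICS zone.

Added example: the rules, addresses (RFC 5737 TEST-NET-3 for the Internet
source, private 10.x ranges for the plant) and device inventory below are
constructed for illustration, not taken from any real utility.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Rule:
    src: str             # source CIDR or "any"
    dst: str             # destination CIDR or "any"
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # destination port; None means any port
    action: str          # "allow" or "deny"
    comment: str = ""


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    services: Tuple[Tuple[str, int], ...]  # (proto, port) the device listens on


def _contains(cidr: str, ip: str) -> bool:
    """True if `ip` falls inside `cidr` (or `cidr` is the wildcard)."""
    if cidr == ANY:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def rule_matches(rule: Rule, src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    return (_contains(rule.src, src_ip)
            and _contains(rule.dst, dst_ip)
            and rule.proto in (ANY, proto)
            and rule.port in (None, port))


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, proto: str,
             port: int, default: str = "deny") -> str:
    """First-match evaluation, as most firewalls do; unmatched traffic gets the default."""
    for rule in rules:
        if rule_matches(rule, src_ip, dst_ip, proto, port):
            return rule.action
    return default


def exposed_services(rules: List[Rule], assets: Tuple[Asset, ...],
                     untrusted_src: str) -> List[Tuple[str, str, int]]:
    """Every (asset, proto, port) that an address outside the plant can reach."""
    return [(a.name, proto, port)
            for a in assets
            for proto, port in a.services
            if evaluate(rules, untrusted_src, a.ip, proto, port) == "allow"]


# Constructed inventory of the device classes the DHS Alert names.
ASSETS = (
    Asset("substation serial-to-Ethernet converter", "10.10.5.20",
          (("tcp", 23), ("tcp", 80), ("tcp", 502))),   # telnet, web config, Modbus/TCP
    Asset("server-room UPS management card", "10.10.7.30",
          (("tcp", 80), ("tcp", 443), ("udp", 161))),  # web UI, SNMP
    Asset("engineering workstation", "10.10.9.40", (("tcp", 3389),)),
)

INTERNET_SRC = "203.0.113.7"  # constructed: any address outside the plant

# Weak policy: one blanket "vendor remote support" rule into the whole ICS /16.
WEAK_RULES = [
    Rule(ANY, "10.10.0.0/16", ANY, None, "allow", "vendor remote support"),
]

# Hardened policy: only the engineering jump-host subnet, only to the workstation,
# only RDP; everything else into the ICS zone is explicitly denied.
HARDENED_RULES = [
    Rule("10.20.0.0/24", "10.10.9.40/32", "tcp", 3389, "allow", "jump host -> eng workstation"),
    Rule(ANY, "10.10.0.0/16", ANY, None, "deny", "no other ingress to ICS zone"),
]


def report(rules: List[Rule], label: str) -> None:
    hits = exposed_services(rules, ASSETS, INTERNET_SRC)
    print(f"{label}: {len(hits)} service(s) reachable from {INTERNET_SRC}")
    for name, proto, port in hits:
        print(f"  EXPOSED {name} {proto}/{port}")


if __name__ == "__main__":
    report(WEAK_RULES, "weak policy")
    report(HARDENED_RULES, "hardened policy")
```

Under the weak policy every service on all three devices, including telnet and Modbus/TCP on the converter and SNMP on the UPS card, is reachable from the Internet; under the hardened policy nothing is, and a jump host still reaches the workstation. The point of modelling the policy this way is that it can be run against the real rule export and the real asset inventory before the devices ever appear in a Shodan result.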
The affected Ukrainian companies believe that the attackers acquired legitimate credentials prior to the cyber-attack to facilitate remote access. As Jake Brodsky pointed out, "securing an ICS network with a VPN is pointless if the keys aren't also secured." Because those credentials were gathered using BlackEnergy, the same risk applies directly to the US: BlackEnergy malware is already in US grids (see the DHS disclosure above), and there is no NERC CIP or NEI 08-09/Regulatory Guide 5.71 requirement to remove this (or any other) malware.
All of the affected Ukrainian substations were low-level transmission or distribution. Consequently, those substations would be out of scope for the NERC CIPs. Nevertheless, the initial NERC (ES-ISAC) response stated: "There is no credible evidence that the incident could affect North American grid operations and no plans to modify existing regulations or guidance based on this incident." Unless you believe in the book, The Emperor Wears No Clothes, it has been amply demonstrated in Ukraine and by the DHS disclosure that existing regulations and guidance are inadequate to protect the US grid. Why hasn't NERC changed its message? The grid is obviously at risk. Where is FERC? Nuclear plants are also at risk. Where is the NRC?