Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

3/23/2020
09:00 AM
By Tony Howlett, CISO, SecureLink
By Tony Howlett, CISO, SecureLink
Sponsored Article
100%
0%

NERC Updates May Force Utility Companies into Better Cybersecurity

Once implemented, these upcoming regulations will ensure electrical utilities are safer from cyber threats, especially those brought in by third parties.

Breaches and incidents at utility and other energy-related companies have been rising faster than an electric bill in a Texas summer. In 2019, a power plant in Ukraine was attacked and the power went out in the area for about an hour due to the problems it caused. And in February 2020, a gas pipeline in the US was shut down for two days after an ransomware incident. According to a study done by Allianz, 54% of critical infrastructure providers report attacks that attempted to control systems. 

All signs point to attacks not abating anytime soon. These sites make great targets for ransomware groups looking for critical infrastructure that cannot afford to be down. They are also targeted by cyberterrorists and nation-state actors looking to create real-world mayhem out of digital efforts. One would think this would be a wake-up call for utilities to get serious about cybersecurity efforts. However, according to the "State of the Electric Utility 2020" report from Utility Dive, 37% of U.S. utility companies have not completely implemented their cybersecurity programs.

NERC Updates Are Coming 
Nothing lights a fire under a regulated industry faster than a regulation change that could bring fines or sanctions. Upcoming updates to the cybersecurity portions of North American Reliability Corporation's (NERC) Critical Infrastructure Protection (CIP) rules have many utilities and other covered companies scrambling to figure out the implications for their cybersecurity programs and to implement any necessary solutions. Sorting through the various elements of NERC regulations and rules can be confusing and frustrating; they are often highly technical in nature, and they use a lot of acronyms. It doesn't help that some of the terms they use are the same as IT terms, such as EAP and LEAP.

Understanding New Rules and Regulations
NERC is a nonprofit quasi-governmental agency that sets forth the standards for CIP. Much of this standard refers to non-cyber functions of the electric generation business, but given the incursion of automation technology and connectivity in most plants now, more elements are being added all the time to deal with cybersecurity, and this latest batch is no exception.

Having just gotten past the January 1, 2020, effective date of CIP 003-7 on Security Management Controls, companies now will have to make sure they are ready for the July rules. These changes focus on updates to the security perimeter requirements and change control all while introducing a new category of controls, CIP 013-1, which covers supply chain risk. Here is an overview of the changed or added sections with key takeaways on each. 

CIP 005-6 Cybersecurity — Electronic Security Perimeter
This section defines fairly detailed rules for firewalls, DMZs, and network segmentation requirements for protected assets. Added requirements center around the implementation of CIP-005-6 parts R2.2.4 and R2.2.5, which stipulate that they must have methods for determining how many active vendor remote access sessions they have at any given time and a way to disable these sessions. 

Many general remote access solutions don't differentiate between internal and vendor sessions and don't allow granular management and control over individual sessions. If you have one of these systems or no system at all and are just using VPN connections, you will have to develop some custom controls to monitor this activity and manually pull the reports you need to show compliance. Implementing a vendor management system that focuses on third-party access can help you isolate and track vendor sessions separate from internal sessions and make this job a whole lot easier. 

CIP 010-3 Cybersecurity — Configuration Change Management and Vulnerability Assessments
These controls are designed to prevent unauthorized changes to systems and also stipulate regular vulnerability assessments and tests to make sure systems are not susceptible to such modifications. There are a number of elements to this section, but the only changes that will be made for July 2020 implementation are R1.1.6, R1.6.1, and R1.1.6.2, which require you to verify the identity of any software you use in your supply chain and its integrity. This can be done by checking hashes and having processes for software downloads that stipulate known sites, checking certificates, and more. Most of this is fairly easy to implement, unless you have a large software development operation. Some software development tools will do some of this for you as well. 

CIP 013-1 Cybersecurity — Supply Chain Risk Management
This adds a new section to the CIP standards and probably represents the area that's least implemented in full by covered entities. It details the development and deployment of a formal supply chain risk management program. An astonishingly large number of organizations don't have a written program to track third-party risk, even those managing a large population of vendors doing critical tasks. Section 1.2 describes the various requirements you must have for vendors and supply chain partners, including notifications of breaches on their end, onboarding and offboarding of their users in your systems, and software integrity verification. 

Finally, it all has to be reviewed and signed off on by the enterprise's CIP Senior Manager at least every 15 months, with documentation of compliance per the R2 and R3 rules. While this may seem like a lot of things to get done, there are many technology solutions out there that can help get technical controls in place, such a Vendor Privileged Access Management (VPAM), and various vendor risk assessment platforms and exchanges to do risk assessments. The key is getting started with your program policy and procedure documents, for which there are many templates available on the Internet and consultants willing to put them together for you. 

Are You Prepared for the Updates?

Hopefully, these new rules are the "burning bridge" that get electrical utilities moving toward full implementations of cybersecurity programs that include all the contemporary best practices that NIST and other standards expect. It may be a race to the finish, but once implemented, these regulations will make sure electrical utilities are safer from cyber threats, especially ones brought in by third parties. And for utility IT security departments pressed to get all this in place by July, they can rest easy for a while after that. After July 2020, the next NERC CIP updates that include cyber controls are in July 2022. 

NERC Resources:

About the Author: Tony Howlett, CISO, SecureLink
Tony Howlett is a published author and speaker on various security, compliance, and technology topics. He serves as President of (ISC)2 Austin Chapter and is an Advisory Board Member of GIAC/SANS. He is a certified AWS Solutions Architect and holds CISSP, GNSA certifications, and a B.B.A. in Management Information Systems. Tony is currently the CISO at SecureLink.

 

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
zentrusted
100%
0%
zentrusted,
User Rank: Apprentice
3/24/2020 | 12:28:27 PM
A Bit Confusing, Indeed...
I spent some time this morning reviewing the referenced standards. They seem to be much too prescriptive, and much of the work done reinvents the wheel (discussing firewall best practices, training standards, etc.). The focus should be on the unique aspects of the sector which make cyber challenging, not 58 pages on cybersecurity controls (while incident response only gets 25). I agree this sector warrants high attention but disagree with thier approach so far...

Secondly, this industry reminds me of the healthcare sector 10 years ago...who is supposed to be helping these entites interpret and implement this guidance? Expertise is limited - greenfield for new jobs (and consulting contracts)?
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5292
PUBLISHED: 2020-03-31
Leantime before versions 2.0.15 and 2.1-beta3 has a SQL Injection vulnerability. The impact is high. Malicious users/attackers can execute arbitrary SQL queries negatively affecting the confidentiality, integrity, and availability of the site. Attackers can exfiltrate data like the users' and admini...
CVE-2020-7009
PUBLISHED: 2020-03-31
Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges.
CVE-2019-13495
PUBLISHED: 2020-03-31
In firmware version 4.50 of Zyxel XGS2210-52HP, multiple stored cross-site scripting (XSS) issues allows remote authenticated users to inject arbitrary web script via an rpSys.html Name or Location field.
CVE-2020-5291
PUBLISHED: 2020-03-31
Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and the kernel supports unprivileged user namespaces, then the `bwrap --userns2` option can be used to make the setuid process keep running as root while being traceable. This can in turn be used to gain root permissions. Note that...
CVE-2019-14905
PUBLISHED: 2020-03-31
A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS co...